feat(core): add 13 checks of Kubernetes Core service #3315

sergargar · 2024-01-23T15:53:29Z

Description

Add 13 checks of Kubernetes Core service:

[core_minimize_admission_hostport_containers] Minimize the admission of containers which use HostPorts - Core [high]
[core_minimize_admission_windows_hostprocess_containers] Minimize the admission of Windows HostProcess Containers - Core [high]
[core_minimize_allowPrivilegeEscalation_containers] Minimize the admission of containers with allowPrivilegeEscalation - Core [high]
[core_minimize_containers_added_capabilities] Minimize the admission of containers with added capabilities - Core [high]
[core_minimize_containers_capabilities_assigned] Minimize the admission of containers with capabilities assigned - Core [high]
[core_minimize_hostIPC_containers] Minimize the admission of containers wishing to share the host IPC namespace - Core [high]
[core_minimize_hostNetwork_containers] Minimize the admission of containers wishing to share the host network namespace - Core [high]
[core_minimize_hostPID_containers] Minimize the admission of containers wishing to share the host process ID namespace - Core [high]
[core_minimize_net_raw_capability_admission] Minimize the admission of containers with the NET_RAW capability - Core [high]
[core_minimize_privileged_containers] Minimize the admission of privileged containers - Core [high]
[core_minimize_root_containers_admission] Minimize the admission of root containers - Core [high]
[core_no_secrets_envs] Prefer using secrets as files over secrets as environment variables - Core [medium]
[core_seccomp_profile_docker_default] Ensure that the seccomp profile is set to docker/default in your pod definitions - Core [high]

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

jfagoagas

Great job @sergargar !!

Please review all the checks here https://docs.bridgecrew.io/docs/kubernetes-policy-index to add it to the metadata files in the IaC section.

...ion_windows_hostprocess_containers/core_minimize_admission_windows_hostprocess_containers.py

...mize_admission_hostport_containers/core_minimize_admission_hostport_containers.metadata.json

..._hostprocess_containers/core_minimize_admission_windows_hostprocess_containers.metadata.json

...ivilegeEscalation_containers/core_minimize_allowPrivilegeEscalation_containers.metadata.json

...mize_containers_added_capabilities/core_minimize_containers_added_capabilities.metadata.json

...nimize_net_raw_capability_admission/core_minimize_net_raw_capability_admission.metadata.json

...s/core/core_minimize_privileged_containers/core_minimize_privileged_containers.metadata.json

...ore_minimize_root_containers_admission/core_minimize_root_containers_admission.metadata.json

...r/providers/kubernetes/services/core/core_no_secrets_envs/core_no_secrets_envs.metadata.json

...s/core/core_seccomp_profile_docker_default/core_seccomp_profile_docker_default.metadata.json

...ion_windows_hostprocess_containers/core_minimize_admission_windows_hostprocess_containers.py

...ivilegeEscalation_containers/core_minimize_allowPrivilegeEscalation_containers.metadata.json

...ize_allowPrivilegeEscalation_containers/core_minimize_allowPrivilegeEscalation_containers.py

..._minimize_containers_capabilities_assigned/core_minimize_containers_capabilities_assigned.py

...ore/core_minimize_net_raw_capability_admission/core_minimize_net_raw_capability_admission.py

prowler/providers/kubernetes/services/core/core_service.py

Co-authored-by: Pepe Fagoaga <pepe@prowler.com>

...ion_windows_hostprocess_containers/core_minimize_admission_windows_hostprocess_containers.py

jfagoagas

Another one ready to be merged!!

Thanks for the effort @sergargar 🏅

sergargar and others added 16 commits January 9, 2024 12:41

add etcd and controllermanager services

5a40b07

add rbac service

cc76a42

add apiserver checks

3632aaf

add apiserver checks part 2

8294284

add apiserver checks part 3

86e12bf

change check names

2b5d78e

improve checks logic

7bb9c5e

improve checks logic

f743551

Merge branch 'prowler-4.0-dev' into k8s-services

718ca84

feat(controllermanager): add checks for Kubernetes Controller Manager

ed394ca

feat(etcd): add checks for Kubernetes etcd

0ce5cdc

feat(kubelet): add 10 checks of Kubernetes Kubelet service

30c10d3

feat(kubelet): add 9 checks of Kubernetes RBAC service

6db4d3a

feat(core): add 11 checks of Kubernetes Core service

7f79a93

add 2 more checks

845e9b2

fix core service names

faabdf0

sergargar requested a review from a team as a code owner January 23, 2024 15:53

sergargar added prowler-4.0 provider/kubernetes Issues/PRs related with the Kubernetes provider labels Jan 23, 2024

sergargar and others added 6 commits February 22, 2024 16:46

Merge branch 'prowler-4.0-dev' into core-checks

9d48306

Merge branch 'prowler-4.0-dev' into core-checks

29ae035

Merge branch 'prowler-4.0-dev' into core-checks

ae477e1

improve checks logic

76e7049

Update outputs.py

17885d5

Update outputs.py

2336964

jfagoagas requested changes Feb 28, 2024

View reviewed changes

fix metadata

26832d8

jfagoagas self-requested a review February 28, 2024 09:59

jfagoagas requested changes Feb 28, 2024

View reviewed changes

Apply suggestions from code review

ff95017

Co-authored-by: Pepe Fagoaga <pepe@prowler.com>

fix core logic

235e0ea

sergargar requested a review from jfagoagas February 28, 2024 11:38

Delete mypod.yaml

492626c

jfagoagas reviewed Feb 28, 2024

View reviewed changes

...ion_windows_hostprocess_containers/core_minimize_admission_windows_hostprocess_containers.py Outdated Show resolved Hide resolved

fix: typo

c31c0fd

jfagoagas approved these changes Feb 28, 2024

View reviewed changes

jfagoagas merged commit 3c4e5a1 into prowler-4.0-dev Feb 28, 2024
3 of 7 checks passed

jfagoagas deleted the core-checks branch February 28, 2024 12:21

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(core): add 13 checks of Kubernetes Core service #3315

feat(core): add 13 checks of Kubernetes Core service #3315

sergargar commented Jan 23, 2024

jfagoagas left a comment

jfagoagas left a comment

feat(core): add 13 checks of Kubernetes Core service #3315

feat(core): add 13 checks of Kubernetes Core service #3315

Conversation

sergargar commented Jan 23, 2024

Description

License

jfagoagas left a comment

Choose a reason for hiding this comment

jfagoagas left a comment

Choose a reason for hiding this comment