feat(gcp): add 3 new checks for GKE CIS #3440
Conversation
github-actions
bot
added
the
provider/gcp
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #3440 +/- ##
==========================================
+ Coverage 85.71% 85.75% +0.04%
==========================================
Files 637 658 +21
Lines 20070 20539 +469
==========================================
+ Hits 17202 17613 +411
- Misses 2868 2926 +58 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Great checks @sergargar !!
Please check my comments and the deprecation of GCR because maybe makes no sense to add that check or we need to review other service instead.
| "ResourceType": "Service", | ||
| "Description": "Scan images stored in Google Container Registry (GCR) for vulnerabilities using GCR Container Analysis or a third-party provider. This helps identify and mitigate security risks associated with known vulnerabilities in container images.", | ||
| "Risk": "Without image vulnerability scanning, container images stored in GCR may contain known vulnerabilities, increasing the risk of exploitation by malicious actors.", | ||
| "RelatedUrl": "https://cloud.google.com/container-registry/docs/container-analysis", |
There was a problem hiding this comment.
In this article Google says that GCR is deprecated after May 15, 2024 https://cloud.google.com/container-registry/docs/container-analysis
There was a problem hiding this comment.
Good catch!
We will have to add a new check for AR Container Scanning then.
There was a problem hiding this comment.
Check artifacts_container_analysis_enabled added!
| }, | ||
| "Recommendation": { | ||
| "Text": "Enable vulnerability scanning for images stored in GCR using GCR Container Analysis or a third-party provider.", | ||
| "Url": "https://console.cloud.google.com/gcr" |
There was a problem hiding this comment.
This is not a public link, please add documentation here better.
| }, | ||
| "Recommendation": { | ||
| "Text": "Create and use minimally privileged service accounts for GKE cluster nodes instead of using the Compute Engine default service account.", | ||
| "Url": "https://cloud.google.com/compute/docs/access/service-accounts#compute_engine_default_service_account" |
There was a problem hiding this comment.
| "Url": "https://cloud.google.com/compute/docs/access/service-accounts#compute_engine_default_service_account" | |
| "Url": "https://cloud.google.com/compute/docs/access/service-accounts#default_service_account" |
| "ResourceType": "Service", | ||
| "Description": "Ensure GKE clusters are not running using the Compute Engine default service account. Create and use minimally privileged service accounts for GKE cluster nodes instead of using the Compute Engine default service account to minimize unnecessary permissions.", | ||
| "Risk": "Using the Compute Engine default service account for GKE cluster nodes may grant excessive permissions, increasing the risk of unauthorized access or compromise if a node is compromised.", | ||
| "RelatedUrl": "https://cloud.google.com/compute/docs/access/service-accounts#compute_engine_default_service_account", |
There was a problem hiding this comment.
| "RelatedUrl": "https://cloud.google.com/compute/docs/access/service-accounts#compute_engine_default_service_account", | |
| "RelatedUrl": "https://cloud.google.com/compute/docs/access/service-accounts#default_service_account", |
| super().__init__("container", audit_info, api_version="v1beta1") | ||
| self.locations = [] | ||
| self.__get_locations__() | ||
| self.clusters = [] |
|
|
||
| assert len(result) == 1 | ||
| assert result[0].status == "FAIL" | ||
| assert search( |
There was a problem hiding this comment.
Please don't use search here.
|
|
||
| assert len(result) == 1 | ||
| assert result[0].status == "PASS" | ||
| assert search( |
There was a problem hiding this comment.
Please don't use search here.
| f"GKE cluster {cluster.name} is using the Compute Engine default service account.", | ||
| result[0].status_extended, | ||
| ) | ||
| assert result[0].resource_id == cluster.id |
There was a problem hiding this comment.
Please assert the rest of values.
| f"GKE cluster {cluster.name} is not using the Compute Engine default service account.", | ||
| result[0].status_extended, | ||
| ) | ||
| assert result[0].resource_id == cluster.id |
There was a problem hiding this comment.
Please assert the rest of values.
sergargar
changed the title
Context
In order to cover the CIS GKE Benchmark we need to create the checks that are specified for the cloud provider of GCP.
Description
Create missing automated checks from CIS GKE Benchmark:
5.1.1 Ensure Image Vulnerability Scanning using GCR Container Analysis or a third party provider ->
artifacts_container_analysis_enabledandgcr_container_scanning_enabled.5.2.1 Ensure GKE clusters are not running using the Compute Engine default service account ->
gke_cluster_no_default_service_accountAlso, relocate
iam_cloud_asset_inventory_enabledcheck to IAM.License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.