feat(gcp): add 3 new checks for GKE CIS #3440
Conversation
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
##           master    #3440      +/-   ##
==========================================
+ Coverage   85.71%   85.75%   +0.04%
==========================================
  Files         637      658      +21
  Lines       20070    20539     +469
==========================================
+ Hits        17202    17613     +411
- Misses       2868     2926      +58
Great checks @sergargar !!
Please check my comments and the deprecation of GCR, because maybe it makes no sense to add that check, or we need to review another service instead.
"ResourceType": "Service", | ||
"Description": "Scan images stored in Google Container Registry (GCR) for vulnerabilities using GCR Container Analysis or a third-party provider. This helps identify and mitigate security risks associated with known vulnerabilities in container images.", | ||
"Risk": "Without image vulnerability scanning, container images stored in GCR may contain known vulnerabilities, increasing the risk of exploitation by malicious actors.", | ||
"RelatedUrl": "https://cloud.google.com/container-registry/docs/container-analysis", |
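Review bot: The Description and Risk promise detection of scanning by "GCR Container Analysis or a third-party provider", but a project-level check can only observe whether Google's Container Analysis API is enabled; a third-party scanner pulling from GCR leaves nothing for the check to see, so those users get a misleading FAIL. Narrow the wording to what is actually observed (the Container Analysis API enabled for the project) or state that limitation in the Risk text, and since the RelatedUrl page itself announces the GCR deprecation, point RelatedUrl and the Recommendation at the Artifact Registry equivalent.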
In this article Google says that GCR is deprecated after May 15, 2024 https://cloud.google.com/container-registry/docs/container-analysis
Good catch!
We will have to add a new check for AR Container Scanning then.
Check artifacts_container_analysis_enabled added!
}, | ||
"Recommendation": { | ||
"Text": "Enable vulnerability scanning for images stored in GCR using GCR Container Analysis or a third-party provider.", | ||
"Url": "https://console.cloud.google.com/gcr" |
This is not a public link; please add a documentation link here instead.
}, | ||
"Recommendation": { | ||
"Text": "Create and use minimally privileged service accounts for GKE cluster nodes instead of using the Compute Engine default service account.", | ||
"Url": "https://cloud.google.com/compute/docs/access/service-accounts#compute_engine_default_service_account" |
"Url": "https://cloud.google.com/compute/docs/access/service-accounts#compute_engine_default_service_account" | |
"Url": "https://cloud.google.com/compute/docs/access/service-accounts#default_service_account" |
"ResourceType": "Service", | ||
"Description": "Ensure GKE clusters are not running using the Compute Engine default service account. Create and use minimally privileged service accounts for GKE cluster nodes instead of using the Compute Engine default service account to minimize unnecessary permissions.", | ||
"Risk": "Using the Compute Engine default service account for GKE cluster nodes may grant excessive permissions, increasing the risk of unauthorized access or compromise if a node is compromised.", | ||
"RelatedUrl": "https://cloud.google.com/compute/docs/access/service-accounts#compute_engine_default_service_account", |
"RelatedUrl": "https://cloud.google.com/compute/docs/access/service-accounts#compute_engine_default_service_account", | |
"RelatedUrl": "https://cloud.google.com/compute/docs/access/service-accounts#default_service_account", |
super().__init__("container", audit_info, api_version="v1beta1") | ||
self.locations = [] | ||
self.__get_locations__() | ||
self.clusters = [] |
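Review bot: `api_version="v1beta1"` pins the GKE client to the beta API surface, although the data these checks need (cluster listing and each node pool's `config.serviceAccount`) is available in the GA v1 API; use v1 unless a beta-only field is required, and if it is, name that field in a comment next to the version string so the pin does not outlive its reason.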
Please use a map here.
assert len(result) == 1 | ||
assert result[0].status == "FAIL" | ||
assert search( |
Please don't use search here.
assert len(result) == 1 | ||
assert result[0].status == "PASS" | ||
assert search( |
Please don't use search here.
f"GKE cluster {cluster.name} is using the Compute Engine default service account.", | ||
result[0].status_extended, | ||
) | ||
assert result[0].resource_id == cluster.id |
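Review bot: The FAIL message names only the cluster, but the service account is a per-node-pool setting (`nodeConfig.serviceAccount`), so a cluster with one dedicated pool and one pool left on the default account produces a message that does not tell the operator which pool to fix; include the offending node pool name(s) in `status_extended` and assert on them in this test, with a fixture that has mixed pools rather than a single one.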
Please assert the rest of values.
f"GKE cluster {cluster.name} is not using the Compute Engine default service account.", | ||
result[0].status_extended, | ||
) | ||
assert result[0].resource_id == cluster.id |
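Review bot: The PASS wording "is not using the Compute Engine default service account" should hold only when every node pool of the cluster runs as a non-default account; if the check inspects only the first pool or a cluster-level `nodeConfig`, a pool added later with `serviceAccount: default` passes silently. Add a test fixture with one compliant and one default-account pool and assert it fails, so the PASS path is proven to iterate all pools.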
Please assert the rest of values.
Remove the search here too.
Great one!! Thanks @sergargar 🏅
Context
In order to cover the CIS GKE Benchmark we need to create the checks that are specified for the GCP cloud provider.
Description
Create missing automated checks from CIS GKE Benchmark:
- 5.1.1 Ensure Image Vulnerability Scanning using GCR Container Analysis or a third party provider -> artifacts_container_analysis_enabled and gcr_container_scanning_enabled.
- 5.2.1 Ensure GKE clusters are not running using the Compute Engine default service account -> gke_cluster_no_default_service_account.
Also, relocate iam_cloud_asset_inventory_enabled check to IAM.
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
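The detection logic behind CIS GKE 5.2.1, written out as an added stand-alone example rather than the Prowler check from this pull request. It assumes cluster data shaped like the GKE v1 `Cluster` resource (`nodePools[].config.serviceAccount`), that GKE reports the literal string `default` for a node pool created without an explicit service account, and that tooling may instead hand back the resolved email `<project-number>-compute@developer.gserviceaccount.com`; the cluster names, node pool names, project number and service account emails below are constructed sample input, not real API output. Unlike a cluster-level verdict, the evaluation is per node pool, so a mixed cluster reports which pools to fix.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Email form of the Compute Engine default service account:
# <project-number>-compute@developer.gserviceaccount.com
COMPUTE_DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


@dataclass
class Finding:
    cluster_name: str
    status: str                       # "PASS" or "FAIL"
    status_extended: str
    offending_node_pools: list = field(default_factory=list)


def uses_compute_default_sa(service_account: Optional[str]) -> bool:
    """True when a node pool runs as the Compute Engine default service account.

    Assumptions: GKE returns the literal "default" for pools created without an
    explicit account; other tooling may substitute the resolved email, so both
    spellings are recognised. A missing field is treated as default as well,
    since that is what a pool falls back to at creation time.
    """
    if not service_account or service_account == "default":
        return True
    return COMPUTE_DEFAULT_SA_RE.fullmatch(service_account) is not None


def check_cluster(cluster: dict) -> Finding:
    """Evaluate one cluster dict shaped like the GKE v1 Cluster resource.

    Every node pool is inspected; a single pool on the default account fails
    the whole cluster, and the message names the offending pools.
    """
    name = cluster["name"]
    offending = [
        pool.get("name", "<unnamed>")
        for pool in cluster.get("nodePools", [])
        if uses_compute_default_sa(pool.get("config", {}).get("serviceAccount"))
    ]
    if offending:
        return Finding(
            name,
            "FAIL",
            f"GKE cluster {name} is using the Compute Engine default service account "
            f"in node pool(s): {', '.join(offending)}.",
            offending,
        )
    # A cluster with no node pools has nothing running as the default account.
    return Finding(
        name,
        "PASS",
        f"GKE cluster {name} is not using the Compute Engine default service account.",
    )


def check_clusters(clusters: list) -> list:
    return [check_cluster(c) for c in clusters]


# Constructed sample input (not real API output); the project number is made up.
SAMPLE_CLUSTERS = [
    {   # mixed: one dedicated pool, one pool left on the default account
        "name": "prod-us",
        "nodePools": [
            {"name": "system", "config": {"serviceAccount": "gke-nodes@my-proj.iam.gserviceaccount.com"}},
            {"name": "batch", "config": {"serviceAccount": "default"}},
        ],
    },
    {   # default account spelled out as the resolved email
        "name": "dev-eu",
        "nodePools": [
            {"name": "default-pool",
             "config": {"serviceAccount": "123456789012-compute@developer.gserviceaccount.com"}},
        ],
    },
    {   # fully compliant
        "name": "staging",
        "nodePools": [
            {"name": "app", "config": {"serviceAccount": "gke-nodes@my-proj.iam.gserviceaccount.com"}},
        ],
    },
]

if __name__ == "__main__":
    for finding in check_clusters(SAMPLE_CLUSTERS):
        print(finding.status, finding.status_extended)
```

Running the block prints FAIL for `prod-us` (pool `batch`) and `dev-eu`, and PASS for `staging`; the per-pool list in `offending_node_pools` is what a remediation step or a richer `status_extended` would consume.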