feat(azure): Azure new checks related with AKS #3476
Codecov Report
Attention: Patch coverage is

Coverage Diff
             master    #3476     +/-
Coverage     85.83%   85.93%   +0.10%
Files           662      670       +8
Lines         20643    20790     +147
Hits          17719    17866     +147
Misses         2924     2924
check that ensures clusters are created with private nodes
for check to ensure public access is disabled
for check to ensure if a network policy is enabled
for check to ensure if rbac is enabled in the cluster
poetry.lock
Outdated
@@ -1,4 +1,4 @@ | |||
# This file is automatically @generated by Poetry 1.7.1 and should not be changed by hand. | |||
# This file is automatically @generated by Poetry 1.7.0 and should not be changed by hand. |
# This file is automatically @generated by Poetry 1.7.0 and should not be changed by hand. | |
# This file is automatically @generated by Poetry 1.7.1 and should not be changed by hand. |
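Review bot: the generator header in poetry.lock moves from Poetry 1.7.1 back to 1.7.0, which means the lock file was regenerated with an older Poetry than the one master was locked with; the suggestion restores `# This file is automatically @generated by Poetry 1.7.1 and should not be changed by hand.`, so regenerate the lock with Poetry 1.7.1 (or rebase and drop this hunk) instead of hand-editing the header, otherwise every later lock refresh will churn this line.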
from prowler.providers.azure.lib.audit_info.audit_info import azure_audit_info | ||
from prowler.providers.azure.services.aks.aks_service import Aks | ||
|
||
aks_client = Aks(azure_audit_info) |
aks_client = Aks(azure_audit_info) | |
aks_client = AKS(azure_audit_info) |
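Review bot: changing only the instantiation to `AKS(azure_audit_info)` will raise NameError at import time, because the import two lines above still reads `from prowler.providers.azure.services.aks.aks_service import Aks`; rename the class in aks_service.py and update this import in the same change so the service module and the client agree on one name.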
report.subscription = subscription_name | ||
report.resource_name = cluster.name | ||
report.resource_id = cluster_id | ||
report.status_extended = f"Network policy enabled for cluster '{cluster.name}' in subscription '{subscription_name}'." |
report.status_extended = f"Network policy enabled for cluster '{cluster.name}' in subscription '{subscription_name}'." | |
report.status_extended = f"Network policy is enabled for cluster '{cluster.name}' in subscription '{subscription_name}'." |
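Review bot: besides the grammar fix to `Network policy is enabled ...`, the PASS message omits the one fact an auditor wants, which network policy is configured; the value is already read by the FAIL branch via `cluster.network_policy`, so include it in `report.status_extended` here rather than reporting only that some policy exists.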
Can you add the Network Policy name here, please?
|
||
if not getattr(cluster, "network_policy", False): | ||
report.status = "FAIL" | ||
report.status_extended = f"Network policy not enabled for cluster '{cluster.name}' in subscription '{subscription_name}'." |
report.status_extended = f"Network policy not enabled for cluster '{cluster.name}' in subscription '{subscription_name}'." | |
report.status_extended = f"Network policy is not enabled for cluster '{cluster.name}' in subscription '{subscription_name}'." |
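Review bot: `getattr(cluster, "network_policy", False)` treats a missing attribute exactly like a cluster with no network policy, which silently turns a gap or typo in the service model into a FAIL finding; if `network_policy` is a declared field on the cluster model, read `cluster.network_policy` directly (the way `cluster.rbac_enabled` is read in the RBAC check of this PR) so that a missing field fails loudly in the unit tests instead of producing findings.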
@@ -0,0 +1,30 @@ | |||
{ | |||
"Provider": "azure", | |||
"CheckID": "aks_rbac_enabled", |
"CheckID": "aks_rbac_enabled", | |
"CheckID": "aks_cluster_rbac_enabled", |
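Review bot: the `CheckID` has to match the check's directory, module and class name for Prowler's loader to pick the check up, so switching the metadata to `aks_cluster_rbac_enabled` only works if the check file, its class and the test module are renamed consistently; please confirm the paths in this PR match whichever ID is kept.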
"CLI": "", | ||
"NativeIaC": "", | ||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AKS/enable-role-based-access-control-for-kubernetes-service.html#", | ||
"Terraform": "" |
"Terraform": "" | |
"Terraform": "https://docs.bridgecrew.io/docs/bc_azr_kubernetes_2#terraform" |
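Review bot: `CLI` and `NativeIaC` stay empty in this remediation block and `Other` points only at a third-party Trend Micro article; the suggested Bridgecrew Terraform link fills one slot, but a first-party Microsoft reference and a CLI remediation would make the finding actionable from the report alone rather than dependent on vendor pages.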
"CLI": "", | ||
"NativeIaC": "", | ||
"Other": "", | ||
"Terraform": "" |
"Terraform": "" | |
"Terraform": "https://docs.bridgecrew.io/docs/bc_azr_kubernetes_4#terraform" |
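Review bot: all four remediation code fields are empty in this metadata block, so with the suggestion applied the Bridgecrew Terraform page becomes the only remediation; `Other` should at least carry a vendor-neutral reference (Microsoft's own AKS documentation for the setting) so the check is not useless if that single external link goes away.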
report.subscription = subscription_name | ||
report.resource_name = cluster.name | ||
report.resource_id = cluster_id | ||
report.status_extended = f"RBAC enabled for cluster '{cluster.name}' in subscription '{subscription_name}'." |
report.status_extended = f"RBAC enabled for cluster '{cluster.name}' in subscription '{subscription_name}'." | |
report.status_extended = f"RBAC is enabled for cluster '{cluster.name}' in subscription '{subscription_name}'." |
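Review bot: same wording point as in the network policy check: both branches of `status_extended` should read as complete sentences, so prefer `RBAC is enabled for cluster ...` as suggested and keep the PASS and FAIL messages symmetric.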
|
||
if not cluster.rbac_enabled: | ||
report.status = "FAIL" | ||
report.status_extended = f"RBAC not enabled for cluster '{cluster.name}' in subscription '{subscription_name}'." |
report.status_extended = f"RBAC not enabled for cluster '{cluster.name}' in subscription '{subscription_name}'." | |
report.status_extended = f"RBAC is not enabled for cluster '{cluster.name}' in subscription '{subscription_name}'." |
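Review bot: `if not cluster.rbac_enabled:` reads the model field directly, whereas the network policy check in this PR reaches the equivalent field through `getattr(cluster, "network_policy", False)`; pick one convention for the AKS cluster model so that a missing field behaves the same way in every check.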
clusters.update({subscription_name: {}}) | ||
|
||
for cluster in clusters_list: | ||
if getattr(cluster, "kubernetes_version", ""): |
if getattr(cluster, "kubernetes_version", ""): | |
if getattr(cluster, "kubernetes_version", None): |
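Review bot: the suggested default `None` instead of `""` changes nothing at runtime, since both are falsy and the expression is only used as a truth test; the real question is why `kubernetes_version` is read through `getattr` at all, because a managed cluster always reports a version, so a missing attribute here indicates a bug in the service model and should not make the `for cluster in clusters_list:` loop silently skip the cluster.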
!= "Unhealthy" | ||
): | ||
report.status = "PASS" | ||
report.status_extended = f"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) is enabled in subscription '{subscription_name}'." |
report.status_extended = f"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) is enabled in subscription '{subscription_name}'." | |
report.status_extended = f"Azure running container images do not have unresolved vulnerabilities in subscription '{subscription_name}'." |
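Review bot: `status_extended` should describe the state the check observed, not quote the Defender recommendation title, and the original message reads as if a recommendation had been "enabled"; the suggested `Azure running container images do not have unresolved vulnerabilities in subscription ...` matches the `!= "Unhealthy"` test just above, but note that any assessment state other than `Unhealthy` (a not-applicable or missing assessment included) is also reported as PASS, so consider comparing against the healthy state explicitly.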
This metadata is for the new check defender_container_images_scan_enabled
if not pricings["Containers"].extensions[ | ||
"ContainerRegistriesVulnerabilityAssessments" | ||
]: |
if not pricings["Containers"].extensions[ | |
"ContainerRegistriesVulnerabilityAssessments" | |
]: | |
if not pricings["Containers"].extensions.get( | |
"ContainerRegistriesVulnerabilityAssessments" | |
): |
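Review bot: the subscript `pricings["Containers"].extensions["ContainerRegistriesVulnerabilityAssessments"]` raises KeyError when the extension is absent from the pricing tier, which is precisely the situation the check is meant to report; the suggested `.extensions.get(...)` turns that into a falsy value and a FAIL finding, but `pricings["Containers"]` one level up is still a direct subscript, so the `"Containers" in pricings` guard shown in the neighbouring condition must remain in front of it.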
"Containers" in pricings | ||
and "ContainerRegistriesVulnerabilityAssessments" | ||
in pricings["Containers"].extensions |
"Containers" in pricings | |
and "ContainerRegistriesVulnerabilityAssessments" | |
in pricings["Containers"].extensions | |
"Containers" in pricings |
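Review bot: dropping the `"ContainerRegistriesVulnerabilityAssessments" in pricings["Containers"].extensions` clause is only safe if the later lookup of that extension uses `.get()` rather than a subscript; with the subscript form still in place, a Containers pricing entry without the extension would raise KeyError inside the check instead of yielding a FAIL. Apply both suggestions together or keep this membership test.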
Please, review it carefully.
Now the description and risk fit better with the check.
Awesome job!! 🚀
Context
Add new checks for Azure that are related with AKS.
Description
Add these checks with their respective unit tests:
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.