turbot/steampipe-mod-kubernetes-compliance

Run individual controls or full compliance benchmarks for NSA CISA Kubernetes Hardening Guidance across all of your Kubernetes clusters using Powerpipe and Steampipe.

Home Page: https://hub.powerpipe.io/mods/turbot/kubernetes_compliance

License: Apache License 2.0



Kubernetes Compliance Mod for Powerpipe

Important

Powerpipe is now the preferred way to run this mod. See the guide on migrating from Steampipe.

All v0.x versions of this mod will work in both Steampipe and Powerpipe, but v1.0.0 onwards will be in Powerpipe format only.

Multiple checks covering industry-defined security best practices for Kubernetes. The mod also parses and analyzes Kubernetes manifest files, so you can assess the compliance of configuration files before they are deployed. Includes support for the CIS Kubernetes Benchmark and the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Technical Report on Kubernetes hardening.

Run checks in a dashboard: [dashboard screenshot]

Or in a terminal: [terminal screenshot]

Documentation

Getting Started

Installation

Install Powerpipe (https://powerpipe.io/downloads), or use Brew:

brew install turbot/tap/powerpipe

This mod also requires Steampipe with the Kubernetes plugin as the data source. Install Steampipe (https://steampipe.io/downloads), or use Brew:

brew install turbot/tap/steampipe
steampipe plugin install kubernetes

Steampipe will automatically use your default Kubernetes credentials. Optionally, you can set up multiple context connections or customize Kubernetes credentials.

Finally, install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-kubernetes-compliance
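The multi-cluster and manifest-file setup mentioned under Installation, as an added example that is not part of the mod's own documentation: a Steampipe Kubernetes plugin configuration with one connection per kubeconfig context, a credential-free connection that reads manifest files, and an aggregator so a single benchmark run covers all of them. The file path, context names, file globs and connection names are placeholders; `config_path`, `config_context`, `source_types`, `manifest_file_paths` and the aggregator `type`/`connections` arguments are the plugin's documented options.

```hcl
# Added example: ~/.steampipe/config/kubernetes.spc (assumed path; the context
# names, file globs and connection names below are placeholders).

# One connection per kubeconfig context. Keeping clusters in separate
# connections means every benchmark row carries connection_name and
# context_name, so a failing control is attributable to one cluster.
connection "k8s_prod" {
  plugin         = "kubernetes"
  config_path    = "~/.kube/config"
  config_context = "prod-cluster"
  source_types   = ["deployed"]
}

connection "k8s_staging" {
  plugin         = "kubernetes"
  config_path    = "~/.kube/config"
  config_context = "staging-cluster"
  source_types   = ["deployed"]
}

# Manifest-only connection: no cluster credentials are used. The plugin parses
# the YAML files and the same controls run against them before deployment;
# the path and start_line columns identify the offending file and line.
connection "k8s_manifests" {
  plugin              = "kubernetes"
  source_types        = ["manifest"]
  manifest_file_paths = ["~/deploy/*.yaml", "~/deploy/*.yml"]
}

# Aggregator: a query against this connection fans out to every connection
# matching the pattern, so one benchmark run covers all clusters and files.
connection "k8s_all" {
  plugin      = "kubernetes"
  type        = "aggregator"
  connections = ["k8s_*"]
}
```

Run `powerpipe benchmark run kubernetes_compliance.benchmark.cis_v170 --search-path-prefix k8s_all` to query the aggregator first. Because the per-context connections stay separate, the `connection_name` and `context_name` dimensions in the output say which cluster each alarm belongs to, and for manifest results `path` and `start_line` point at the file and line. The manifest connection needs no cluster credentials at all, which makes it a safe way to run the same controls in CI before a deploy.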

Browsing Dashboards

Start Steampipe as the data source:

steampipe service start

Start the dashboard server:

powerpipe server

Browse and view your dashboards at http://localhost:9033.

Running Checks in Your Terminal

Instead of running benchmarks in a dashboard, you can also run them within your terminal with the powerpipe benchmark command:

List available benchmarks:

powerpipe benchmark list

Run a benchmark:

powerpipe benchmark run kubernetes_compliance.benchmark.cis_v170

Different output formats are also available, for more information please see Output Formats.

Common and Tag Dimensions

The benchmark queries add common dimension columns (connection_name, context_name, namespace, path and source_type) and tag dimension columns to their output. Both are defined as default lists of strings in the variables.sp file and can be overridden in several ways:

It's easiest to set up your vars file, starting with the sample:

cp steampipe.spvars.example steampipe.spvars
vi steampipe.spvars

Alternatively you can pass variables on the command line:

powerpipe benchmark run kubernetes_compliance.benchmark.cis_v170 --var 'tag_dimensions=["Environment", "Owner"]'

Or through environment variables:

export PP_VAR_common_dimensions='["connection_name", "context_name", "namespace", "path", "source_type"]'
export PP_VAR_tag_dimensions='["Environment", "Owner"]'
powerpipe benchmark run kubernetes_compliance.benchmark.cis_v170

Open Source & Contributing

This repository is published under the Apache 2.0 license. Please see our code of conduct. We look forward to collaborating with you!

Steampipe and Powerpipe are products produced from this open source software, exclusively by Turbot HQ, Inc. They are distributed under our commercial terms. Others are allowed to make their own distribution of the software, but cannot use any of the Turbot trademarks, cloud services, etc. You can learn more in our Open Source FAQ.

Get Involved

Join #powerpipe on Slack.

Want to help but don't know where to start? Pick up one of the help wanted issues.

Contributors

aniketh-varma, bigdatasourav, cbruno10, karanpopat, khushboo9024, madhushreeray30, misraved, rajlearner17, shivani1982, subhajit97


Issues

Fix - Few Controls fails to query tags & _ctx


Replication Controller containers argument request timeout should be set as appropriate 
ERROR: column "_ctx" does not exist (SQLSTATE 42703)
StatefulSet containers should have kubelet terminated pod gc threshold configured appropriatel
ERROR: column "tags" does not exist (SQLSTATE 42703)


Update mod.sp to address deprecation warning

Describe the bug
The current version of the mod returns a warning due to using the deprecated option version instead of min_version for the kubernetes plugin.

This issue can be trivially resolved by updating

  require {
    plugin "kubernetes" {
      version = "0.23.0"
    }
  }

to

  require {
    plugin "kubernetes" {
      min_version = "0.23.0"
    }
  }


Add Controls for CronJob, StatefulSet, ConfigMap, Ingress, Role, RoleBinding resource types

Is your feature request related to a problem? Please describe.
The current set of compliance controls covers resource types such as Deployment, DaemonSet, Job, ReplicaSet and ReplicationController.

Below are some other recommended resource types for inclusion in the current set of controls:

  • CronJob
  • StatefulSet
  • ConfigMap
  • Ingress
  • Role
  • Role Binding
  • Secret

The following benchmarks will use the above controls:

  1. NSA-CISA
  2. CIS

Include `paths` in common dimensions by default

Is your feature request related to a problem? Please describe.
When using manifests or Helm charts, it's helpful to know which files each resource comes from.

Describe the solution you'd like
The common_dimensions variable should include path by default to make it easier to use OOTB.

Describe alternatives you've considered
Set the variable before running the mod


Update benchmark and control tags for compatibility with dashboard page Closes


Query fails for role_with_wildcards_used


Running control 5.1.3 Minimize wildcard use in Roles and ClusterRoles (1 / 1) fails with:

ERROR: column "kubernetes_cluster_role.tags" must appear in the GROUP BY clause or be used in an aggregate function (SQLSTATE 42803)


To reproduce

Execute steampipe check control.cis_v170_5_1_3


The solution is to add tags and _ctx to the group by clause

    select
      coalesce(uid, concat(path, ':', start_line)) as resource,
      case
        when rule ->> 'apiGroups' like '%*%'
          or rule ->> 'resources' like '%*%'
          or rule ->> 'verbs' like '%*%' then 'alarm'
        else 'ok'
      end as status,
      case
        when rule ->> 'apiGroups' like '%*%' then name || ' api groups use wildcards.'
        when rule ->> 'resources' like '%*%' then name || ' resources use wildcards.'
        when rule ->> 'verbs' like '%*%' then name || ' actions use wildcards.'
        else name || ' uses no wildcard.'
      end as reason,
      name as role_name
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_non_namespace_sql}
    from
      kubernetes_cluster_role,
      jsonb_array_elements(rules) rule
    where
      name not like '%system%'
    group by
      uid,
      status,
      reason,
      role_name,
      path,
      start_line,
      end_line,
      source_type,
      context_name,
      tags,
      _ctx;

Add additional checks


Add CIS Kubernetes Foundations Benchmark v1.7.0 - (03-20-2023)


ERROR: column n.namespace does not exist (SQLSTATE 42703)

Describe the bug
Getting the error "column namespace not found" while running the kubernetes_compliance.benchmark.nsa_cisa_v1_network_hardening_cpu_limit benchmark.

Steampipe version (steampipe -v)
v0.20.11

Plugin version (steampipe plugin list)
Kubernetes Plugin = v0.22.1

To reproduce
1 - Clone the steampipe-mod-kubernetes-compliance repo and CD into it
2 - run "steampipe check kubernetes_compliance.benchmark.nsa_cisa_v1_network_hardening_cpu_limit"

Expected behavior
It should look for appropriate columns

Report doesn't show the relevant pod

Describe the bug
Report doesn't show the relevant pod, so I cannot know which pod is alarm or ok.
[Two screenshots of the report output, 2022-10-30]

Steampipe version (steampipe -v)
steampipe version 0.16.1

Plugin version (steampipe plugin list)


+---------------------------------------------------+---------+-------------+
| Name | Version | Connections |
+---------------------------------------------------+---------+-------------+
| hub.steampipe.io/plugins/turbot/gcp@latest | 0.26.0 | gcp |
| hub.steampipe.io/plugins/turbot/kubernetes@latest | 0.12.0 | kubernetes |
+---------------------------------------------------+---------+-------------+

To reproduce
steampipe check kubernetes_compliance.benchmark.cis_kube_v120 --export html

Expected behavior
The report needs to show the name of the resource or the name of the pod.

Add CIS Kubernetes Foundations Benchmark v1.8.0-(10-05-2023)


Add/Update NSA and CISA Kubernetes Hardening Guidance v1.2


Add CIS Kubernetes Foundations Benchmark v1.7.1- (06-06-2023)


The named query for the control breaks in hub site


Some of the controls are not rendering:
https://hub.steampipe.io/mods/turbot/kubernetes_compliance/queries/cronjob_default_seccomp_profile_enabled


Add common and tag dimensions across compliance queries


Common and tag dimensions will give the end user options to render compliance output based on tag keys, connection name, subscription name and region.


Link to NSA/CISA technical security report (pdf) is broken.

Describe the bug
We seem to be linking to the NSA/CISA Technical Security Report (https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF) in a couple of places but this link is now broken.

Steampipe version (steampipe -v)
NA

Plugin version (steampipe plugin list)
NA

To reproduce
We link to the document on these pages:

Correct link: https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF

Controls should reference their query using `query =` rather than `sql =`

It's simpler in code and readability to reference queries using the query = attribute rather than the sql = attribute.

This occurs throughout the mod, but as a specific example:

control "cis_kube_v120_v100_5_2_5" {
  title         = "5.2.5 Minimize the admission of containers with allowPrivilegeEscalation"
  description   = "A container running with the `allowPrivilegeEscalation` flag set to true may have processes that can gain more privileges than their parent. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to allow privilege escalation. The option exists (and is defaulted to true) to permit setuid binaries to run."
  sql           = query.pod_security_policy_container_privilege_escalation_disabled.sql
  documentation = file("./cis_kube_v120/docs/cis_kube_v120_v100_5_2_5.md")
  tags = merge(local.cis_kube_v120_v100_5_common_tags, {
    cis_level   = "1"
    cis_item_id = "5.2.5"
    cis_type    = "automated"
    service     = "Kubernetes/PodSecurityPolicy"
  })
}

Could be changed from:

  sql           = query.pod_security_policy_container_privilege_escalation_disabled.sql

to:

  query         = query.pod_security_policy_container_privilege_escalation_disabled
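As an added example of the `query =` form this issue proposes (not code from the mod), a query resource paired with a control that references it by name. It checks Pod containers rather than PodSecurityPolicy, since PSP was removed in Kubernetes 1.25; the resource names and tags are placeholders, and the `kubernetes_pod` columns used (`uid`, `name`, `namespace`, `containers`, `context_name`, `path`, `start_line`) are assumed from the Steampipe Kubernetes plugin. The mod's real queries also append the common and tag dimension columns via locals, which is omitted here.

```hcl
# Added example, not part of the mod. Names, tags and the table columns
# referenced below are assumptions about the Steampipe kubernetes_pod table.

# The query owns the SQL. Any control (or dashboard) can reference it, so
# the SQL is written and maintained in one place.
query "pod_container_privilege_escalation_disabled" {
  sql = <<-EOQ
    select
      -- deployed resources have a uid; manifest resources fall back to file:line
      coalesce(p.uid, concat(p.path, ':', p.start_line)) as resource,
      case
        when c -> 'securityContext' ->> 'allowPrivilegeEscalation' = 'false' then 'ok'
        -- unset counts as alarm: without the field Kubernetes does not set
        -- no_new_privs on the process, so escalation is allowed
        else 'alarm'
      end as status,
      p.name || ' container ' || (c ->> 'name') ||
        case
          when c -> 'securityContext' ->> 'allowPrivilegeEscalation' = 'false'
            then ' disallows privilege escalation.'
          else ' allows privilege escalation.'
        end as reason,
      p.name,
      p.namespace,
      p.context_name
    from
      kubernetes_pod as p,
      jsonb_array_elements(p.containers) as c;
  EOQ
}

# The control references the query resource itself, not a .sql attribute on it.
control "pod_container_privilege_escalation_disabled" {
  title       = "Minimize the admission of containers with allowPrivilegeEscalation"
  description = "A container with allowPrivilegeEscalation unset or true may run processes that gain more privileges than their parent, for example through setuid binaries. Set it to false unless the workload demonstrably needs it."
  query       = query.pod_container_privilege_escalation_disabled
  tags = {
    service = "Kubernetes/Pod"
  }
}
```

One row is produced per container, not per pod, so a pod with one hardened and one unhardened container reports both rather than hiding the weak one behind an aggregate.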

Update CIS control display order

