turbot / steampipe-mod-kubernetes-compliance

Run individual controls or full compliance benchmarks for NSA CISA Kubernetes Hardening Guidance across all of your Kubernetes clusters using Powerpipe and Steampipe.

Home Page: https://hub.powerpipe.io/mods/turbot/kubernetes_compliance

License: Apache License 2.0

security compliance steampipe steampipe-mod kubernetes k8s kubernetes-api hacktoberfest powerpipe powerpipe-mod

steampipe-mod-kubernetes-compliance's Issues

Update CIS control display order

Describe the bug
A clear and concise description of what the bug is.

Steampipe version (steampipe -v)
Example: v0.3.0

Plugin version (steampipe plugin list)
Example: v0.5.0

To reproduce
Steps to reproduce the behavior (please include relevant code and/or commands).

Expected behavior
A clear and concise description of what you expected to happen.

Additional context
Add any other context about the problem here.

Include `paths` in common dimensions by default

Is your feature request related to a problem? Please describe.
When using manifest or helm charts, it's helpful to know what files each resource is from.

Describe the solution you'd like
The common_dimensions variable should include path by default to make it easier to use OOTB.

Describe alternatives you've considered
Set the variable before running the mod

Additional context
Add any other context or screenshots about the feature request here.

Add CIS Kubernetes Foundations Benchmark v1.7.0 - (03-20-2023)

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

CIS Reference

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

The named query for the control breaks in hub site

Describe the bug
A clear and concise description of what the bug is.

Some of the controls are not rendering:
https://hub.steampipe.io/mods/turbot/kubernetes_compliance/queries/cronjob_default_seccomp_profile_enabled

Steampipe version (steampipe -v)
Example: v0.3.0

Plugin version (steampipe plugin list)
Example: v0.5.0

To reproduce
Steps to reproduce the behavior (please include relevant code and/or commands).

Expected behavior
A clear and concise description of what you expected to happen.

Additional context
Add any other context about the problem here.

Query fails for role_with_wildcards_used

Describe the bug
A clear and concise description of what the bug is.

5.1.3 Minimize wildcard use in Roles and ClusterRoles ...............................................................................................................     1 /     1 [=         ]
|   | | 
|   | | ERROR: column "kubernetes_cluster_role.tags" must appear in the GROUP BY clause or be used in an aggregate function (SQLSTATE 42803)

Steampipe version (steampipe -v)
Example: v0.3.0

Plugin version (steampipe plugin list)
Example: v0.5.0

To reproduce
Steps to reproduce the behavior (please include relevant code and/or commands).

Execute steampipe check control.cis_v170_5_1_3

Expected behavior
A clear and concise description of what you expected to happen.

Additional context
Add any other context about the problem here.

The solution is to add tags and _ctx to the group by clause:

    select
      coalesce(uid, concat(path, ':', start_line)) as resource,
      case
        when rule ->> 'apiGroups' like '%*%'
          or rule ->> 'resources' like '%*%'
          or rule ->> 'verbs' like '%*%' then 'alarm'
        else 'ok'
      end as status,
      case
        when rule ->> 'apiGroups' like '%*%' then name || ' api groups use wildcards.'
        when rule ->> 'resources' like '%*%' then name || ' resources use wildcards.'
        when rule ->> 'verbs' like '%*%' then name || ' actions use wildcards.'
        else name || ' uses no wildcard.'
      end as reason,
      name as role_name
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_non_namespace_sql}
    from
      kubernetes_cluster_role,
      jsonb_array_elements(rules) rule
    where
      name not like '%system%'
    group by
      uid,
      status,
      reason,
      role_name,
      path,
      start_line,
      end_line,
      source_type,
      context_name,
      tags,
      _ctx;

Add common and tag dimensions across compliance queries

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Common and tag dimensions will give the end user options to render compliance output based on tag keys, connection name, subscription name and region.

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Add CIS Kubernetes Foundations Benchmark v1.7.1 - (06-06-2023)

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

CIS Reference

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Fix - Few Controls fails to query tags & _ctx

Describe the bug
A clear and concise description of what the bug is.

Replication Controller containers argument request timeout should be set as appropriate 
ERROR: column "_ctx" does not exist (SQLSTATE 42703)
StatefulSet containers should have kubelet terminated pod gc threshold configured appropriatel
ERROR: column "tags" does not exist (SQLSTATE 42703)

Steampipe version (steampipe -v)
Example: v0.21.0

Plugin version (steampipe plugin list)
Example: v0.25.1

To reproduce
Steps to reproduce the behavior (please include relevant code and/or commands).

Expected behavior
A clear and concise description of what you expected to happen.

Additional context
Add any other context about the problem here.

Add additional checks

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Report doesn't show the relevant pod

Describe the bug
Report doesn't show the relevant pod, so I cannot know which pod is in alarm or ok.
[Two screenshots attached, taken 2022-10-30 at 3:09 PM and 3:11 PM]

Steampipe version (steampipe -v)
steampipe version 0.16.1

Plugin version (steampipe plugin list)

+-------------------------------------------------------------------+
| |
| A new version of Steampipe is available! 0.16.1 → 0.16.4 |
| You can update by downloading from https://steampipe.io/downloads |
| |
| |
| Updated versions of the following plugins are available: |
| |
| turbot/gcp @ latest 0.26.0 → 0.28.0 |
| |
| You can update by running steampipe plugin update --all |
| |
+-------------------------------------------------------------------+

+---------------------------------------------------+---------+-------------+
| Name | Version | Connections |
+---------------------------------------------------+---------+-------------+
| hub.steampipe.io/plugins/turbot/gcp@latest | 0.26.0 | gcp |
| hub.steampipe.io/plugins/turbot/kubernetes@latest | 0.12.0 | kubernetes |
+---------------------------------------------------+---------+-------------+

To reproduce
steampipe check kubernetes_compliance.benchmark.cis_kube_v120 --export html

Expected behavior
The report needs to show the name of the resource or the name of the pod.

Update benchmark and control tags for compatibility with dashboard page Closes

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Update mod.sp to address deprecation warning

Describe the bug
The current version of the mod returns a warning due to using the deprecated option version instead of min_version for the kubernetes plugin.

This issue can be trivially resolved by updating

  require {
    plugin "kubernetes" {
      version = "0.23.0"
    }
  }

to

  require {
    plugin "kubernetes" {
      min_version = "0.23.0"
    }
  }

Steampipe version (steampipe -v)
Example: v0.3.0

Plugin version (steampipe plugin list)
Example: v0.5.0

To reproduce
Steps to reproduce the behavior (please include relevant code and/or commands).

Expected behavior
A clear and concise description of what you expected to happen.

Additional context
Add any other context about the problem here.

Link to NSA/CISA technical security report (pdf) is broken.

Describe the bug
We seem to be linking to the NSA/CISA Technical Security Report (https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF) in a couple of places but this link is now broken.

Steampipe version (steampipe -v)
NA

Plugin version (steampipe plugin list)
NA

To reproduce
We link to the document on these pages:

Correct link: https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF

Add CIS Kubernetes Foundations Benchmark v1.8.0 - (10-05-2023)

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
CIS Reference

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Controls should reference their query using `query =` rather than `sql =`

It's simpler in code and readability to reference queries using the query = attribute rather than the sql = attribute.

This occurs throughout the mod, but as a specific example:

  control "cis_kube_v120_v100_5_2_5" {
    title         = "5.2.5 Minimize the admission of containers with allowPrivilegeEscalation"
    description   = "A container running with the `allowPrivilegeEscalation` flag set to true may have processes that can gain more privileges than their parent. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to allow privilege escalation. The option exists (and is defaulted to true) to permit setuid binaries to run."
    sql           = query.pod_security_policy_container_privilege_escalation_disabled.sql
    documentation = file("./cis_kube_v120/docs/cis_kube_v120_v100_5_2_5.md")
    tags = merge(local.cis_kube_v120_v100_5_common_tags, {
      cis_level   = "1"
      cis_item_id = "5.2.5"
      cis_type    = "automated"
      service     = "Kubernetes/PodSecurityPolicy"
    })
  }

Could be changed from:

  sql           = query.pod_security_policy_container_privilege_escalation_disabled.sql

to:

  query         = query.pod_security_policy_container_privilege_escalation_disabled

Add Controls for CronJob, StatefulSet, ConfigMap, Ingress, Role, RoleBinding resource types

Is your feature request related to a problem? Please describe.
The current set of compliance controls covers resource types such as Deployment, DaemonSet, Job, ReplicaSet and ReplicationController.

Below are some other recommended resource types for inclusion in the current set of controls:

  • CronJob
  • StatefulSet
  • ConfigMap
  • Ingress
  • Role
  • Role Binding
  • Secret

The following benchmarks will use the above controls:

  1. NSA-CISA
  2. CIS

Add/Update NSA and CISA Kubernetes Hardening Guidance v1.2

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Reference

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

ERROR: column n.namespace does not exist (SQLSTATE 42703)

Describe the bug
Getting the error "column namespace not found" while running the kubernetes_compliance.benchmark.nsa_cisa_v1_network_hardening_cpu_limit benchmark.

Steampipe version (steampipe -v)
v0.20.11

Plugin version (steampipe plugin list)
Kubernetes Plugin = v0.22.1

To reproduce
1. Clone the steampipe-mod-kubernetes-compliance repo and cd into it.
2. Run "steampipe check kubernetes_compliance.benchmark.nsa_cisa_v1_network_hardening_cpu_limit".

Expected behavior
It should look for the appropriate columns.
