From d288099439f102564b209435b786e56efeebac39 Mon Sep 17 00:00:00 2001 
From: OlleLarsson Date: Wed, 29 Jan 2025 13:57:32 +0100 Subject: [PATCH] apps: helm/trivy-operator 0.25.0 The helm chart defaults to trivy-operator version v0.23.0 --- .../aquasecurity/trivy-operator/Chart.yaml | 4 +- .../aquasecurity/trivy-operator/README.md | 39 +- ...ty.github.io_clustercompliancereports.yaml | 18 + ...github.io_clustervulnerabilityreports.yaml | 6 + ...curity.github.io_vulnerabilityreports.yaml | 6 + .../templates/configmaps/operator.yaml | 1 + .../templates/configmaps/policies.yaml | 2 + .../templates/specs/cis-1.23.yaml | 825 ---------------- .../templates/specs/eks-cis-1.4.yaml | 508 ++++++++++ .../templates/specs/k8s-cis-1.23.yaml | 914 +++++++++++++++++ .../templates/specs/k8s-nsa-1.0.yaml | 192 ++++ ...aseline.yaml => k8s-pss-baseline-0.1.yaml} | 63 +- ...icted.yaml => k8s-pss-restricted-0.1.yaml} | 83 +- .../templates/specs/nsa-1.0.yaml | 184 ---- .../templates/specs/rke2-cis-1.24.yaml | 915 ++++++++++++++++++ .../templates/trivy-server/statefulset.yaml | 8 + .../aquasecurity/trivy-operator/values.yaml | 58 +- helmfile.d/upstream/index.yaml | 2 +- 18 files changed, 2711 insertions(+), 1117 deletions(-) delete mode 100644 helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/cis-1.23.yaml create mode 100644 helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/eks-cis-1.4.yaml create mode 100644 helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-cis-1.23.yaml create mode 100644 helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-nsa-1.0.yaml rename helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/{pss-baseline.yaml => k8s-pss-baseline-0.1.yaml} (78%) rename helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/{pss-restricted.yaml => k8s-pss-restricted-0.1.yaml} (80%) delete mode 100644 helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/nsa-1.0.yaml create mode 100644 helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/rke2-cis-1.24.yaml 
diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/Chart.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/Chart.yaml index d4885cf33..d3da7e0f5 100644 --- a/helmfile.d/upstream/aquasecurity/trivy-operator/Chart.yaml +++ b/helmfile.d/upstream/aquasecurity/trivy-operator/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 0.21.3 +appVersion: 0.23.0 description: Keeps security report resources updated keywords: - aquasecurity @@ -9,4 +9,4 @@ name: trivy-operator sources: - https://github.com/aquasecurity/trivy-operator type: application -version: 0.23.3 +version: 0.25.0 diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/README.md b/helmfile.d/upstream/aquasecurity/trivy-operator/README.md index 7c852b46b..c94bbcf6c 100644 --- a/helmfile.d/upstream/aquasecurity/trivy-operator/README.md +++ b/helmfile.d/upstream/aquasecurity/trivy-operator/README.md @@ -1,6 +1,6 @@ # trivy-operator -![Version: 0.23.3](https://img.shields.io/badge/Version-0.23.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.21.3](https://img.shields.io/badge/AppVersion-0.21.3-informational?style=flat-square) +![Version: 0.25.0](https://img.shields.io/badge/Version-0.25.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.23.0](https://img.shields.io/badge/AppVersion-0.23.0-informational?style=flat-square) Keeps security report resources updated 
@@ -15,15 +15,16 @@ Keeps security report resources updated | affinity | object | `{}` | affinity set the operator affinity | | automountServiceAccountToken | bool | `true` | automountServiceAccountToken the flag to enable automount for service account token | | compliance.cron | string | `"0 */6 * * *"` | cron this flag control the cron interval for compliance report generation | -| compliance.failEntriesLimit | int | `10` | failEntriesLimit the flag to limit the number of fail entries per control check in the cluster compliance detail report | +| compliance.failEntriesLimit | int | `10` | failEntriesLimit the flag to limit the number of fail entries per control check in the cluster compliance detail report this limit is for preventing the report from being too large per control checks | | compliance.reportType | string | `"summary"` | reportType this flag control the type of report generated (summary or all) | +| compliance.specs | list | `["k8s-cis-1.23","k8s-nsa-1.0","k8s-pss-baseline-0.1","k8s-pss-restricted-0.1"]` | specs is a list of compliance specs to be used by the cluster compliance scanner - k8s-cis-1.23 - k8s-nsa-1.0 - k8s-pss-baseline-0.1 - k8s-pss-restricted-0.1 - eks-cis-1.4 - rke2-cis-1.24 | | excludeNamespaces | string | `""` | excludeNamespaces is a comma separated list of namespaces (or glob patterns) to be excluded from scanning. Only applicable in the all namespaces install mode, i.e. when the targetNamespaces values is a blank string. | | fullnameOverride | string | `""` | fullnameOverride override operator full name | | global | object | `{"image":{"registry":""}}` | global values provide a centralized configuration for 'image.registry', reducing the potential for errors. 
If left blank, the chart will default to the individually set 'image.registry' values | | image.pullPolicy | string | `"IfNotPresent"` | pullPolicy set the operator pullPolicy | | image.pullSecrets | list | `[]` | pullSecrets set the operator pullSecrets | -| image.registry | string | `"ghcr.io"` | | -| image.repository | string | `"aquasecurity/trivy-operator"` | | +| image.registry | string | `"mirror.gcr.io"` | | +| image.repository | string | `"aquasec/trivy-operator"` | | | image.tag | string | `""` | tag is an override of the image tag, which is by default set by the appVersion field in Chart.yaml. | | managedBy | string | `"Helm"` | managedBy is similar to .Release.Service but allows to overwrite the value | | nameOverride | string | `""` | nameOverride override operator name | 
@@ -31,7 +32,7 @@ Keeps security report resources updated | nodeCollector.imagePullSecret | string | `nil` | imagePullSecret is the secret name to be used when pulling node-collector image from private registries example : reg-secret It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace | | nodeCollector.registry | string | `"ghcr.io"` | registry of the node-collector image | | nodeCollector.repository | string | `"aquasecurity/node-collector"` | repository of the node-collector image | -| nodeCollector.tag | string | `"0.2.1"` | tag version of the node-collector image | +| nodeCollector.tag | string | `"0.3.1"` | tag version of the node-collector image | | nodeCollector.tolerations | list | `[]` | tolerations to be applied to the node-collector so that they can run on nodes with matching taints | | nodeCollector.useNodeSelector | bool | `true` | useNodeSelector determine if to use nodeSelector (by auto detecting node name) with node-collector scan job | | nodeCollector.volumeMounts | list | `[{"mountPath":"/var/lib/etcd","name":"var-lib-etcd","readOnly":true},{"mountPath":"/var/lib/kubelet","name":"var-lib-kubelet","readOnly":true},{"mountPath":"/var/lib/kube-scheduler","name":"var-lib-kube-scheduler","readOnly":true},{"mountPath":"/var/lib/kube-controller-manager","name":"var-lib-kube-controller-manager","readOnly":true},{"mountPath":"/etc/systemd","name":"etc-systemd","readOnly":true},{"mountPath":"/lib/systemd/","name":"lib-systemd","readOnly":true},{"mountPath":"/etc/kubernetes","name":"etc-kubernetes","readOnly":true},{"mountPath":"/etc/cni/net.d/","name":"etc-cni-netd","readOnly":true}]` | node-collector pod volume mounts definition for collecting config files information | 
@@ -94,11 +95,11 @@ Keeps security report resources updated | podSecurityContext | object | `{}` | | | policiesBundle.existingSecret | bool | `false` | existingSecret if a secret containing registry credentials that have been created outside the chart (e.g external-secrets, sops, etc...). Keys must be at least one of the following: policies.bundle.oci.user, policies.bundle.oci.password Overrides policiesBundle.registryUser, policiesBundle.registryPassword values. Note: The secret has to be named "trivy-operator". | | policiesBundle.insecure | bool | `false` | insecure is the flag to enable insecure connection to the policy bundle registry | -| policiesBundle.registry | string | `"ghcr.io"` | registry of the policies bundle | +| policiesBundle.registry | string | `"mirror.gcr.io"` | registry of the policies bundle | | policiesBundle.registryPassword | string | `nil` | registryPassword is the password for the registry | | policiesBundle.registryUser | string | `nil` | registryUser is the user for the registry | -| policiesBundle.repository | string | `"aquasecurity/trivy-checks"` | repository of the policies bundle | -| policiesBundle.tag | int | `0` | tag version of the policies bundle | +| policiesBundle.repository | string | `"aquasec/trivy-checks"` | repository of the policies bundle | +| policiesBundle.tag | int | `1` | tag version of the policies bundle | | priorityClassName | string | `""` | priorityClassName set the operator priorityClassName | | rbac.create | bool | `true` | | | resources | object | `{}` | | 
@@ -127,12 +128,13 @@ Keeps security report resources updated | trivy.clientServerSkipUpdate | bool | `false` | clientServerSkipUpdate is the flag to enable skip databases update for Trivy client. Only applicable in ClientServer mode. | | trivy.command | string | `"image"` | command. One of `image`, `filesystem` or `rootfs` scanning, depending on the target type required for the scan. For 'filesystem' and `rootfs` scanning, ensure that the `trivyOperator.scanJobPodTemplateContainerSecurityContext` is configured to run as the root user (runAsUser = 0). | | trivy.createConfig | bool | `true` | createConfig indicates whether to create config objects | -| trivy.dbRegistry | string | `"ghcr.io"` | | -| trivy.dbRepository | string | `"aquasecurity/trivy-db"` | | +| trivy.dbRegistry | string | `"mirror.gcr.io"` | | +| trivy.dbRepository | string | `"aquasec/trivy-db"` | | | trivy.dbRepositoryInsecure | string | `"false"` | The Flag to enable insecure connection for downloading trivy-db via proxy (air-gaped env) | | trivy.dbRepositoryPassword | string | `nil` | The password for dbRepository authentication | | trivy.dbRepositoryUsername | string | `nil` | The username for dbRepository authentication | | trivy.debug | bool | `false` | debug One of `true` or `false`. Enables debug mode. | +| trivy.externalRegoPoliciesEnabled | bool | `false` | The Flag to enable the usage of external rego policies config-map, this should be used when the user wants to use their own rego policies | | trivy.filesystemScanCacheDir | string | `"/var/trivyoperator/trivy-db"` | filesystemScanCacheDir the flag to set custom path for trivy filesystem scan `cache-dir` parameter. Only applicable in filesystem scan mode. | | trivy.githubToken | string | `nil` | githubToken is the GitHub access token used by Trivy to download the vulnerabilities database from GitHub. Only applicable in Standalone mode. 
| | trivy.httpProxy | string | `nil` | httpProxy is the HTTP proxy used by Trivy to download the vulnerabilities database from GitHub. | 
@@ -141,14 +143,14 @@ Keeps security report resources updated | trivy.ignoreUnfixed | bool | `false` | ignoreUnfixed is the flag to show only fixed vulnerabilities in vulnerabilities reported by Trivy. Set to true to enable it. | | trivy.image.imagePullSecret | string | `nil` | imagePullSecret is the secret name to be used when pulling trivy image from private registries example : reg-secret It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace | | trivy.image.pullPolicy | string | `"IfNotPresent"` | pullPolicy is the imge pull policy used for trivy image , valid values are (Always, Never, IfNotPresent) | -| trivy.image.registry | string | `"ghcr.io"` | registry of the Trivy image | -| trivy.image.repository | string | `"aquasecurity/trivy"` | repository of the Trivy image | -| trivy.image.tag | string | `"0.52.0"` | tag version of the Trivy image | +| trivy.image.registry | string | `"mirror.gcr.io"` | registry of the Trivy image | +| trivy.image.repository | string | `"aquasec/trivy"` | repository of the Trivy image | +| trivy.image.tag | string | `"0.57.1"` | tag version of the Trivy image | | trivy.imageScanCacheDir | string | `"/tmp/trivy/.cache"` | imageScanCacheDir the flag to set custom path for trivy image scan `cache-dir` parameter. Only applicable in image scan mode. | | trivy.includeDevDeps | bool | `false` | includeDevDeps include development dependencies in the report (supported: npm, yarn) (default: false) note: this flag is only applicable when trivy.command is set to filesystem | | trivy.insecureRegistries | object | `{}` | The registry to which insecure connections are allowed. There can be multiple registries with different keys. | -| trivy.javaDbRegistry | string | `"ghcr.io"` | javaDbRegistry is the registry for the Java vulnerability database. 
| -| trivy.javaDbRepository | string | `"aquasecurity/trivy-java-db"` | | +| trivy.javaDbRegistry | string | `"mirror.gcr.io"` | javaDbRegistry is the registry for the Java vulnerability database. | +| trivy.javaDbRepository | string | `"aquasec/trivy-java-db"` | | | trivy.labels | object | `{}` | labels is the extra labels to be used for trivy server statefulset | | trivy.mode | string | `"Standalone"` | mode is the Trivy client mode. Either Standalone or ClientServer. Depending on the active mode other settings might be applicable or required. | | trivy.noProxy | string | `nil` | noProxy is a comma separated list of IPs and domain names that are not subject to proxy settings. | 
@@ -181,8 +183,10 @@ Keeps security report resources updated | trivy.storageSize | string | `"5Gi"` | storageSize is the size of the trivy server PVC | | trivy.supportedConfigAuditKinds | string | `"Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"` | The Flag is the list of supported kinds separated by comma delimiter to be scanned by the config audit scanner | | trivy.timeout | string | `"5m0s"` | timeout is the duration to wait for scan completion. | -| trivy.useBuiltinRegoPolicies | string | `"true"` | The Flag to enable the usage of builtin rego policies by default, these policies are downloaded by default from ghcr.io/aquasecurity/trivy-checks | -| trivy.useEmbeddedRegoPolicies | string | `"false"` | To enable the usage of embedded rego policies, set the flag useEmbeddedRegoPolicies. This should serve as a fallback for air-gapped environments. When useEmbeddedRegoPolicies is set to true, useBuiltinRegoPolicies should be set to false. | +| trivy.useBuiltinRegoPolicies | string | `"false"` | The Flag to enable the usage of builtin rego policies by default, these policies are downloaded by default from mirror.gcr.io/aquasec/trivy-checks | +| trivy.useEmbeddedRegoPolicies | string | `"true"` | To enable the usage of embedded rego policies, set the flag useEmbeddedRegoPolicies. This should serve as a fallback for air-gapped environments. When useEmbeddedRegoPolicies is set to true, useBuiltinRegoPolicies should be set to false. | +| trivy.valuesFromConfigMap | string | `""` | vaulesFromConfigMap name of a ConfigMap to apply TRIVY_* environment variables. Will override Helm values. | +| trivy.valuesFromSecret | string | `""` | valuesFromSecret name of a Secret to apply TRIVY_* environment variables. Will override Helm AND ConfigMap values. 
| | trivy.vulnType | string | `nil` | vulnType can be used to tell Trivy to filter vulnerabilities by a pkg-type (library, os) | | trivyOperator.additionalReportLabels | string | `""` | additionalReportLabels comma-separated representation of the labels which the user wants the scanner pods to be labeled with. Example: `foo=bar,env=stage` will labeled the reports with the labels `foo: bar` and `env: stage` | | trivyOperator.configAuditReportsPlugin | string | `"Trivy"` | configAuditReportsPlugin the name of the plugin that generates config audit reports. | @@ -205,6 +209,7 @@ Keeps security report resources updated | trivyOperator.scanJobTolerations | list | `[]` | scanJobTolerations tolerations to be applied to the scanner pods so that they can run on nodes with matching taints | | trivyOperator.skipInitContainers | bool | `false` | skipInitContainers when this flag is set to true, the initContainers will be skipped for the scanner and node collector pods | | trivyOperator.skipResourceByLabels | string | `""` | skipResourceByLabels comma-separated labels keys which trivy-operator will skip scanning on resources with matching labels | +| trivyOperator.useGCRServiceAccount | bool | `true` | useGCRServiceAccount the flag to enable the usage of GCR service account for scanning images in GCR | | trivyOperator.vulnerabilityReportsPlugin | string | `"Trivy"` | vulnerabilityReportsPlugin the name of the plugin that generates vulnerability reports `Trivy` | | volumeMounts[0].mountPath | string | `"/tmp"` | | | volumeMounts[0].name | string | `"cache-policies"` | | diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/crds/aquasecurity.github.io_clustercompliancereports.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/crds/aquasecurity.github.io_clustercompliancereports.yaml index 4c3d9f26d..f687fed52 100644 --- a/helmfile.d/upstream/aquasecurity/trivy-operator/crds/aquasecurity.github.io_clustercompliancereports.yaml 
+++ b/helmfile.d/upstream/aquasecurity/trivy-operator/crds/aquasecurity.github.io_clustercompliancereports.yaml @@ -79,6 +79,18 @@ spec: - id type: object type: array + commands: + items: + description: Commands represent the commands to be executed + by the node-collector + properties: + id: + description: id define the commands id + type: string + required: + - id + type: object + type: array defaultStatus: description: define the default value for check status in case resource not found @@ -113,20 +125,26 @@ spec: type: string id: type: string + platform: + type: string relatedResources: items: type: string type: array title: type: string + type: + type: string version: type: string required: - controls - description - id + - platform - relatedResources - title + - type - version type: object cron: diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/crds/aquasecurity.github.io_clustervulnerabilityreports.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/crds/aquasecurity.github.io_clustervulnerabilityreports.yaml index b598808ad..670e1ae68 100644 --- a/helmfile.d/upstream/aquasecurity/trivy-operator/crds/aquasecurity.github.io_clustervulnerabilityreports.yaml +++ b/helmfile.d/upstream/aquasecurity/trivy-operator/crds/aquasecurity.github.io_clustervulnerabilityreports.yaml @@ -208,6 +208,10 @@ spec: type: number V3Vector: type: string + V40Score: + type: number + V40Vector: + type: string type: object type: object cvsssource: @@ -230,6 +234,8 @@ spec: items: type: string type: array + packagePURL: + type: string packagePath: type: string packageType: diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/crds/aquasecurity.github.io_vulnerabilityreports.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/crds/aquasecurity.github.io_vulnerabilityreports.yaml index 25a319409..642e9fcb0 100644 --- a/helmfile.d/upstream/aquasecurity/trivy-operator/crds/aquasecurity.github.io_vulnerabilityreports.yaml 
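Review bot: Adding `platform` and `type` to the compliance spec's `required` list is a breaking schema change for the `ClusterComplianceReport` CRD: once the new CRD is applied, any manifest or tooling still producing the old spec shape (the shape of the `cis`/`nsa` reports this patch deletes) is rejected by the API server, while objects already stored without those fields remain in place because validation runs on write, not on read. Helm does not upgrade files under `crds/` on `helm upgrade`, so unless this repo applies the CRDs out of band the old schema stays installed and the new `platform`, `type` and `commands` fields on the replacement specs are silently dropped (structural schemas prune unknown fields) — the operator would then read reports lacking fields its own CRD declares mandatory. I cannot see from this hunk how the repo handles CRD updates; a one-line note in the upgrade step or chart README that the CRDs under `crds/` must be re-applied for 0.25.0 would close that gap.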
+++ b/helmfile.d/upstream/aquasecurity/trivy-operator/crds/aquasecurity.github.io_vulnerabilityreports.yaml @@ -209,6 +209,10 @@ spec: type: number V3Vector: type: string + V40Score: + type: number + V40Vector: + type: string type: object type: object cvsssource: @@ -231,6 +235,8 @@ spec: items: type: string type: array + packagePURL: + type: string packagePath: type: string packageType: diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/configmaps/operator.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/configmaps/operator.yaml index 4684a34d8..9b4754952 100644 --- a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/configmaps/operator.yaml +++ b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/configmaps/operator.yaml @@ -33,6 +33,7 @@ data: {{- with .Values.trivyOperator.scanJobAutomountServiceAccountToken }} scanJob.automountServiceAccountToken: {{ . | quote }} {{- end }} + scanJob.useGCRServiceAccount: {{ .Values.trivyOperator.useGCRServiceAccount | quote }} {{- with .Values.trivyOperator.skipInitContainers }} scanJob.skipInitContainers: {{ . | quote }} {{- end }} diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/configmaps/policies.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/configmaps/policies.yaml index 9f7a45d06..2a665fb97 100644 --- a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/configmaps/policies.yaml +++ b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/configmaps/policies.yaml @@ -1,3 +1,4 @@ +{{- if .Values.trivy.externalRegoPoliciesEnabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -7,3 +8,4 @@ metadata: {{- include "trivy-operator.labels" . | nindent 4 }} data: {{- .Values.trivyOperator.policiesConfig | nindent 2 }} +{{- end }} \ No newline at end of file 
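Review bot: `scanJob.useGCRServiceAccount` is rendered unconditionally while every neighbouring key in this configmap is wrapped in `{{- with }}`; that is the right choice for a boolean whose documented default is `true` — `with` treats `false` as empty and would omit the key, leaving the operator's own default in force — but next to its siblings it reads as an oversight. Add a template comment stating the intent, e.g. `{{/* not wrapped in `with`: an explicit false must reach the operator */}}`. Since the default is `true`, every scan job will take the GCR service-account path unless a consumer overrides it; it is worth confirming on the operator side that this is a no-op outside GCR, which this hunk cannot show.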
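Review bot: The ConfigMap carrying `.Values.trivyOperator.policiesConfig` is now rendered only when `trivy.externalRegoPoliciesEnabled` is true, and the README hunk in this same patch documents that flag's default as `false`, so a consumer that already supplies custom Rego through `policiesConfig` will have Helm remove the ConfigMap on upgrade and the custom checks silently stop being evaluated. Rather than relying on a values comment, fail the render when the two settings disagree: `{{- if and .Values.trivyOperator.policiesConfig (not .Values.trivy.externalRegoPoliciesEnabled) }}` / `{{- fail "trivyOperator.policiesConfig is set but trivy.externalRegoPoliciesEnabled is false" }}` / `{{- end }}` (this assumes `policiesConfig` defaults to empty; values.yaml is not in this hunk). The same README hunk flips `useBuiltinRegoPolicies` to `"false"` and `useEmbeddedRegoPolicies` to `"true"`, so with chart defaults only the embedded checks are evaluated from now on and the downloaded bundle is no longer consulted; anyone relying on the bundle being current should re-enable it deliberately. The file also ends without a trailing newline after `{{- end }}`.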
diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/cis-1.23.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/cis-1.23.yaml deleted file mode 100644 index aa56e9cb3..000000000 --- a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/cis-1.23.yaml +++ /dev/null 
@@ -1,825 +0,0 @@ -{{- if .Values.operator.clusterComplianceEnabled }} -apiVersion: aquasecurity.github.io/v1alpha1 -kind: ClusterComplianceReport -metadata: - name: cis - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: 0.21.3 - app.kubernetes.io/managed-by: kubectl -spec: - cron: {{ .Values.compliance.cron | quote}} - reportType: {{ .Values.compliance.reportType | quote}} - compliance: - id: cis - title: CIS Kubernetes Benchmarks v1.23 - description: CIS Kubernetes Benchmarks - relatedResources: - - https://www.cisecurity.org/benchmark/kubernetes - version: "1.0" - controls: - - id: 1.1.1 - name: Ensure that the API server pod specification file permissions are set to - 600 or more restrictive - description: Ensure that the API server pod specification file has permissions - of 600 or more restrictive - checks: - - id: AVD-KCV-0048 - severity: HIGH - - id: 1.1.2 - name: Ensure that the API server pod specification file ownership is set to - root:root - description: Ensure that the API server pod specification file ownership is set - to root:root - checks: - - id: AVD-KCV-0049 - severity: HIGH - - id: 1.1.3 - name: Ensure that the controller manager pod specification file permissions are - set to 600 or more restrictive - description: Ensure that the controller manager pod specification file has - permissions of 600 or more restrictive - checks: - - id: AVD-KCV-0050 - severity: HIGH - - id: 1.1.4 - name: Ensure that the controller manager pod specification file ownership is set - to root:root - description: Ensure that the controller manager pod specification file ownership - is set to root:root - checks: - - id: AVD-KCV-0051 - severity: HIGH - - id: 1.1.5 - name: Ensure that the scheduler pod specification file permissions are set to - 600 or more restrictive - description: Ensure that the scheduler pod specification file has permissions of - 600 or more restrictive - checks: - - id: 
AVD-KCV-0052 - severity: HIGH - - id: 1.1.6 - name: Ensure that the scheduler pod specification file ownership is set to - root:root - description: Ensure that the scheduler pod specification file ownership is set - to root:root - checks: - - id: AVD-KCV-0053 - severity: HIGH - - id: 1.1.7 - name: Ensure that the etcd pod specification file permissions are set to 600 or - more restrictive - description: Ensure that the etcd pod specification file has permissions of 600 - or more restrictive - checks: - - id: AVD-KCV-0054 - severity: HIGH - - id: 1.1.8 - name: Ensure that the etcd pod specification file ownership is set to root:root - description: Ensure that the etcd pod specification file ownership is set to - root:root. - checks: - - id: AVD-KCV-0055 - severity: HIGH - - id: 1.1.9 - name: Ensure that the Container Network Interface file permissions are set to - 600 or more restrictive - description: Ensure that the Container Network Interface files have permissions - of 600 or more restrictive - checks: - - id: AVD-KCV-0056 - severity: HIGH - - id: 1.1.10 - name: Ensure that the Container Network Interface file ownership is set to - root:root - description: Ensure that the Container Network Interface files have ownership - set to root:root - checks: - - id: AVD-KCV-0057 - severity: HIGH - - id: 1.1.11 - name: Ensure that the etcd data directory permissions are set to 700 or more - restrictive - description: Ensure that the etcd data directory has permissions of 700 or more - restrictive - checks: - - id: AVD-KCV-0058 - severity: HIGH - - id: 1.1.12 - name: Ensure that the etcd data directory ownership is set to etcd:etcd - description: Ensure that the etcd data directory ownership is set to etcd:etcd - checks: - - id: AVD-KCV-0059 - severity: LOW - - id: 1.1.13 - name: Ensure that the admin.conf file permissions are set to 600 - description: Ensure that the admin.conf file has permissions of 600 - checks: - - id: AVD-KCV-0060 - severity: CRITICAL - - id: 1.1.14 - 
name: Ensure that the admin.conf file ownership is set to root:root - description: Ensure that the admin.conf file ownership is set to root:root - checks: - - id: AVD-KCV-0061 - severity: CRITICAL - - id: 1.1.15 - name: Ensure that the scheduler.conf file permissions are set to 600 or more - restrictive - description: Ensure that the scheduler.conf file has permissions of 600 or more - restrictive - checks: - - id: AVD-KCV-0062 - severity: HIGH - - id: 1.1.16 - name: Ensure that the scheduler.conf file ownership is set to root:root - description: Ensure that the scheduler.conf file ownership is set to root:root - checks: - - id: AVD-KCV-0063 - severity: HIGH - - id: 1.1.17 - name: Ensure that the controller-manager.conf file permissions are set to 600 or - more restrictive - description: Ensure that the controller-manager.conf file has permissions of 600 - or more restrictive - checks: - - id: AVD-KCV-0064 - severity: HIGH - - id: 1.1.18 - name: Ensure that the controller-manager.conf file ownership is set to root:root - description: Ensure that the controller-manager.conf file ownership is set to - root:root. 
- checks: - - id: AVD-KCV-0065 - severity: HIGH - - id: 1.1.19 - name: Ensure that the Kubernetes PKI directory and file ownership is set to - root:root - description: Ensure that the Kubernetes PKI directory and file ownership is set - to root:root - checks: - - id: AVD-KCV-0066 - severity: CRITICAL - - id: 1.1.20 - name: Ensure that the Kubernetes PKI certificate file permissions are set to 600 - or more restrictive - description: Ensure that Kubernetes PKI certificate files have permissions of - 600 or more restrictive - checks: - - id: AVD-KCV-0068 - severity: CRITICAL - - id: 1.1.21 - name: Ensure that the Kubernetes PKI key file permissions are set to 600 - description: Ensure that Kubernetes PKI key files have permissions of 600 - checks: - - id: AVD-KCV-0067 - severity: CRITICAL - - id: 1.2.1 - name: Ensure that the --anonymous-auth argument is set to false - description: Disable anonymous requests to the API server - checks: - - id: AVD-KCV-0001 - severity: MEDIUM - - id: 1.2.2 - name: Ensure that the --token-auth-file parameter is not set - description: Do not use token based authentication - checks: - - id: AVD-KCV-0002 - severity: LOW - - id: 1.2.3 - name: Ensure that the --DenyServiceExternalIPs is not set - description: This admission controller rejects all net-new usage of the Service - field externalIPs - checks: - - id: AVD-KCV-0003 - severity: LOW - - id: 1.2.4 - name: Ensure that the --kubelet-https argument is set to true - description: Use https for kubelet connections - checks: - - id: AVD-KCV-0004 - severity: LOW - - id: 1.2.5 - name: Ensure that the --kubelet-client-certificate and --kubelet-client-key - arguments are set as appropriate - description: Enable certificate based kubelet authentication - checks: - - id: AVD-KCV-0005 - severity: HIGH - - id: 1.2.6 - name: Ensure that the --kubelet-certificate-authority argument is set as - appropriate - description: Verify kubelets certificate before establishing connection - checks: - - id: 
AVD-KCV-0006 - severity: HIGH - - id: 1.2.7 - name: Ensure that the --authorization-mode argument is not set to AlwaysAllow - description: Do not always authorize all requests - checks: - - id: AVD-KCV-0007 - severity: LOW - - id: 1.2.8 - name: Ensure that the --authorization-mode argument includes Node - description: Restrict kubelet nodes to reading only objects associated with them - checks: - - id: AVD-KCV-0008 - severity: HIGH - - id: 1.2.9 - name: Ensure that the --authorization-mode argument includes RBAC - description: Turn on Role Based Access Control - checks: - - id: AVD-KCV-0009 - severity: HIGH - - id: 1.2.10 - name: Ensure that the admission control plugin EventRateLimit is set - description: Limit the rate at which the API server accepts requests - checks: - - id: AVD-KCV-0010 - severity: HIGH - - id: 1.2.11 - name: Ensure that the admission control plugin AlwaysAdmit is not set - description: Do not allow all requests - checks: - - id: AVD-KCV-0011 - severity: LOW - - id: 1.2.12 - name: Ensure that the admission control plugin AlwaysPullImages is set - description: Always pull images - checks: - - id: AVD-KCV-0012 - severity: MEDIUM - - id: 1.2.13 - name: Ensure that the admission control plugin SecurityContextDeny is set if - PodSecurityPolicy is not used - description: The SecurityContextDeny admission controller can be used to deny - pods which make use of some SecurityContext fields which could allow - for privilege escalation in the cluster. 
This should be used where - PodSecurityPolicy is not in place within the cluster - checks: - - id: AVD-KCV-0013 - severity: MEDIUM - - id: 1.2.14 - name: Ensure that the admission control plugin ServiceAccount is set - description: Automate service accounts management - checks: - - id: AVD-KCV-0014 - severity: LOW - - id: 1.2.15 - name: Ensure that the admission control plugin NamespaceLifecycle is set - description: Reject creating objects in a namespace that is undergoing termination - checks: - - id: AVD-KCV-0015 - severity: LOW - - id: 1.2.16 - name: Ensure that the admission control plugin NodeRestriction is set - description: Limit the Node and Pod objects that a kubelet could modify - checks: - - id: AVD-KCV-0016 - severity: LOW - - id: 1.2.17 - name: Ensure that the --secure-port argument is not set to 0 - description: Do not disable the secure port - checks: - - id: AVD-KCV-0017 - severity: HIGH - - id: 1.2.18 - name: Ensure that the --profiling argument is set to false - description: Disable profiling, if not needed - checks: - - id: AVD-KCV-0018 - severity: LOW - - id: 1.2.19 - name: Ensure that the --audit-log-path argument is set - description: Enable auditing on the Kubernetes API Server and set the desired - audit log path. 
- checks: - - id: AVD-KCV-0019 - severity: LOW - - id: 1.2.20 - name: Ensure that the --audit-log-maxage argument is set to 30 or as appropriate - description: Retain the logs for at least 30 days or as appropriate - checks: - - id: AVD-KCV-0020 - severity: LOW - - id: 1.2.21 - name: Ensure that the --audit-log-maxbackup argument is set to 10 or as - appropriate - description: Retain 10 or an appropriate number of old log file - checks: - - id: AVD-KCV-0021 - severity: LOW - - id: 1.2.22 - name: Ensure that the --audit-log-maxsize argument is set to 100 or as - appropriate - description: Rotate log files on reaching 100 MB or as appropriate - checks: - - id: AVD-KCV-0022 - severity: LOW - - id: 1.2.24 - name: Ensure that the --service-account-lookup argument is set to true - description: Validate service account before validating token - checks: - - id: AVD-KCV-0024 - severity: LOW - - id: 1.2.25 - name: Ensure that the --service-account-key-file argument is set as appropriate - description: Explicitly set a service account public key file for service - accounts on the apiserver - checks: - - id: AVD-KCV-0025 - severity: LOW - - id: 1.2.26 - name: Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as - appropriate - description: etcd should be configured to make use of TLS encryption for client - connections - checks: - - id: AVD-KCV-0026 - severity: LOW - - id: 1.2.27 - name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are - set as appropriate - description: Setup TLS connection on the API server - checks: - - id: AVD-KCV-0027 - severity: MEDIUM - - id: 1.2.28 - name: Ensure that the --client-ca-file argument is set appropriate - description: Setup TLS connection on the API server - checks: - - id: AVD-KCV-0028 - severity: LOW - - id: 1.2.29 - name: Ensure that the --etcd-cafile argument is set as appropriate - description: etcd should be configured to make use of TLS encryption for client - connections. 
- checks: - - id: AVD-KCV-0029 - severity: LOW - - id: 1.2.30 - name: Ensure that the --encryption-provider-config argument is set as - appropriate - description: Encrypt etcd key-value store - checks: - - id: AVD-KCV-0030 - severity: LOW - - id: 1.3.1 - name: Ensure that the --terminated-pod-gc-threshold argument is set as - appropriate - description: Activate garbage collector on pod termination, as appropriate - checks: - - id: AVD-KCV-0033 - severity: MEDIUM - - id: 1.3.3 - name: Ensure that the --use-service-account-credentials argument is set to true - description: Use individual service account credentials for each controller - checks: - - id: AVD-KCV-0035 - severity: MEDIUM - - id: 1.3.4 - name: Ensure that the --service-account-private-key-file argument is set as - appropriate - description: Explicitly set a service account private key file for service - accounts on the controller manager - checks: - - id: AVD-KCV-0036 - severity: MEDIUM - - id: 1.3.5 - name: Ensure that the --root-ca-file argument is set as appropriate - description: Allow pods to verify the API servers serving certificate before - establishing connections - checks: - - id: AVD-KCV-0037 - severity: MEDIUM - - id: 1.3.6 - name: Ensure that the RotateKubeletServerCertificate argument is set to true - description: Enable kubelet server certificate rotation on controller-manager - checks: - - id: AVD-KCV-0038 - severity: MEDIUM - - id: 1.3.7 - name: Ensure that the --bind-address argument is set to 127.0.0.1 - description: Do not bind the scheduler service to non-loopback insecure addresses - checks: - - id: AVD-KCV-0039 - severity: LOW - - id: 1.4.1 - name: Ensure that the --profiling argument is set to false - description: Disable profiling, if not needed - checks: - - id: AVD-KCV-0034 - severity: MEDIUM - - id: 1.4.2 - name: Ensure that the --bind-address argument is set to 127.0.0.1 - description: Do not bind the scheduler service to non-loopback insecure addresses - checks: - - id: 
AVD-KCV-0041 - severity: CRITICAL - - id: "2.1" - name: Ensure that the --cert-file and --key-file arguments are set as - appropriate - description: Configure TLS encryption for the etcd service - checks: - - id: AVD-KCV-0042 - severity: MEDIUM - - id: "2.2" - name: Ensure that the --client-cert-auth argument is set to true - description: Enable client authentication on etcd service - checks: - - id: AVD-KCV-0043 - severity: CRITICAL - - id: "2.3" - name: Ensure that the --auto-tls argument is not set to true - description: Do not use self-signed certificates for TLS - checks: - - id: AVD-KCV-0044 - severity: CRITICAL - - id: "2.4" - name: Ensure that the --peer-cert-file and --peer-key-file arguments are set as - appropriate - description: etcd should be configured to make use of TLS encryption for peer - connections. - checks: - - id: AVD-KCV-0045 - severity: CRITICAL - - id: "2.5" - name: Ensure that the --peer-client-cert-auth argument is set to true - description: etcd should be configured for peer authentication - checks: - - id: AVD-KCV-0046 - severity: CRITICAL - - id: "2.6" - name: Ensure that the --peer-auto-tls argument is not set to true - description: Do not use self-signed certificates for TLS - checks: - - id: AVD-KCV-0047 - severity: HIGH - - id: 3.1.1 - name: Client certificate authentication should not be used for users (Manual) - description: Kubernetes provides the option to use client certificates for user - authentication. However as there is no way to revoke these - certificates when a user leaves an organization or loses their - credential, they are not suitable for this purpose - severity: HIGH - - id: 3.2.1 - name: Ensure that a minimal audit policy is created (Manual) - description: Kubernetes can audit the details of requests made to the API - server. The --audit- policy-file flag must be set for this logging to - be enabled. 
- severity: HIGH - - id: 3.2.2 - name: Ensure that the audit policy covers key security concerns (Manual) - description: Ensure that the audit policy created for the cluster covers key - security concerns - severity: HIGH - - id: 4.1.1 - name: Ensure that the kubelet service file permissions are set to 600 or more - restrictive - description: Ensure that the kubelet service file has permissions of 600 or more - restrictive. - checks: - - id: AVD-KCV-0069 - severity: HIGH - - id: 4.1.2 - name: Ensure that the kubelet service file ownership is set to root:root - description: Ensure that the kubelet service file ownership is set to root:root - checks: - - id: AVD-KCV-0070 - severity: HIGH - - id: 4.1.3 - name: If proxy kubeconfig file exists ensure permissions are set to 600 or more - restrictive - description: If kube-proxy is running, and if it is using a file-based - kubeconfig file, ensure that the proxy kubeconfig file has permissions - of 600 or more restrictive - checks: - - id: AVD-KCV-0071 - severity: HIGH - - id: 4.1.4 - name: If proxy kubeconfig file exists ensure ownership is set to root:root - description: If kube-proxy is running, ensure that the file ownership of its - kubeconfig file is set to root:root - checks: - - id: AVD-KCV-0072 - severity: HIGH - - id: 4.1.5 - name: Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 - or more restrictive - description: Ensure that the kubelet.conf file has permissions of 600 or more - restrictive - checks: - - id: AVD-KCV-0073 - severity: HIGH - - id: 4.1.6 - name: Ensure that the --kubeconfig kubelet.conf file ownership is set to - root:root - description: Ensure that the kubelet.conf file ownership is set to root:root - checks: - - id: AVD-KCV-0074 - severity: HIGH - - id: 4.1.7 - name: Ensure that the certificate authorities file permissions are set to 600 or - more restrictive - description: Ensure that the certificate authorities file has permissions of 600 - or more restrictive - 
checks: - - id: AVD-KCV-0075 - severity: CRITICAL - - id: 4.1.8 - name: Ensure that the client certificate authorities file ownership is set to - root:root - description: Ensure that the certificate authorities file ownership is set to - root:root - checks: - - id: AVD-KCV-0076 - severity: CRITICAL - - id: 4.1.9 - name: If the kubelet config.yaml configuration file is being used validate - permissions set to 600 or more restrictive - description: Ensure that if the kubelet refers to a configuration file with the - --config argument, that file has permissions of 600 or more - restrictive - checks: - - id: AVD-KCV-0077 - severity: HIGH - - id: 4.1.10 - name: If the kubelet config.yaml configuration file is being used validate file - ownership is set to root:root - description: Ensure that if the kubelet refers to a configuration file with the - --config argument, that file is owned by root:root - checks: - - id: AVD-KCV-0078 - severity: HIGH - - id: 4.2.1 - name: Ensure that the --anonymous-auth argument is set to false - description: Disable anonymous requests to the Kubelet server - checks: - - id: AVD-KCV-0079 - severity: CRITICAL - - id: 4.2.2 - name: Ensure that the --authorization-mode argument is not set to AlwaysAllow - description: Do not allow all requests. 
Enable explicit authorization - checks: - - id: AVD-KCV-0080 - severity: CRITICAL - - id: 4.2.3 - name: Ensure that the --client-ca-file argument is set as appropriate - description: Enable Kubelet authentication using certificates - checks: - - id: AVD-KCV-0081 - severity: CRITICAL - - id: 4.2.4 - name: Verify that the --read-only-port argument is set to 0 - description: Disable the read-only port - checks: - - id: AVD-KCV-0082 - severity: HIGH - - id: 4.2.5 - name: Ensure that the --streaming-connection-idle-timeout argument is not set to - 0 - description: Do not disable timeouts on streaming connections - checks: - - id: AVD-KCV-0085 - severity: HIGH - - id: 4.2.6 - name: Ensure that the --protect-kernel-defaults argument is set to true - description: Protect tuned kernel parameters from overriding kubelet default - kernel parameter values - checks: - - id: AVD-KCV-0083 - severity: HIGH - - id: 4.2.7 - name: Ensure that the --make-iptables-util-chains argument is set to true - description: Allow Kubelet to manage iptables - checks: - - id: AVD-KCV-0084 - severity: HIGH - - id: 4.2.8 - name: Ensure that the --hostname-override argument is not set - description: Do not override node hostnames - checks: - - id: AVD-KCV-0086 - severity: HIGH - - id: 4.2.9 - name: Ensure that the --event-qps argument is set to 0 or a level which ensures - appropriate event capture - description: Security relevant information should be captured. 
The --event-qps - flag on the Kubelet can be used to limit the rate at which events are - gathered - checks: - - id: AVD-KCV-0087 - severity: HIGH - - id: 4.2.10 - name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are - set as appropriate - description: Setup TLS connection on the Kubelets - checks: - - id: AVD-KCV-0088 - - id: AVD-KCV-0089 - severity: CRITICAL - - id: 4.2.11 - name: Ensure that the --rotate-certificates argument is not set to false - description: Enable kubelet client certificate rotation - checks: - - id: AVD-KCV-0090 - severity: CRITICAL - - id: 4.2.12 - name: Verify that the RotateKubeletServerCertificate argument is set to true - description: Enable kubelet server certificate rotation - checks: - - id: AVD-KCV-0091 - severity: CRITICAL - - id: 4.2.13 - name: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers - description: Ensure that the Kubelet is configured to only use strong - cryptographic ciphers - checks: - - id: AVD-KCV-0092 - severity: CRITICAL - - id: 5.1.1 - name: Ensure that the cluster-admin role is only used where required - description: The RBAC role cluster-admin provides wide-ranging powers over the - environment and should be used only where and when needed - checks: - - id: AVD-KSV-0111 - severity: HIGH - - id: 5.1.2 - name: Minimize access to secrets - description: The Kubernetes API stores secrets, which may be service account - tokens for the Kubernetes API or credentials used by workloads in the - cluster - checks: - - id: AVD-KSV-0041 - severity: HIGH - - id: 5.1.3 - name: Minimize wildcard use in Roles and ClusterRoles - description: Kubernetes Roles and ClusterRoles provide access to resources based - on sets of objects and actions that can be taken on those objects. 
It - is possible to set either of these to be the wildcard "*" which - matches all items - checks: - - id: AVD-KSV-0044 - - id: AVD-KSV-0045 - - id: AVD-KSV-0046 - severity: HIGH - - id: 5.1.6 - name: Ensure that Service Account Tokens are only mounted where necessary - description: Service accounts tokens should not be mounted in pods except where - the workload running in the pod explicitly needs to communicate with - the API server - checks: - - id: AVD-KSV-0036 - severity: HIGH - - id: 5.1.8 - name: Limit use of the Bind, Impersonate and Escalate permissions in the - Kubernetes cluster - description: Cluster roles and roles with the impersonate, bind or escalate - permissions should not be granted unless strictly required - checks: - - id: AVD-KSV-0043 - severity: HIGH - - id: 5.2.2 - name: Minimize the admission of privileged containers - description: Do not generally permit containers to be run with the - securityContext.privileged flag set to true - checks: - - id: AVD-KSV-0017 - severity: HIGH - - id: 5.2.3 - name: Minimize the admission of containers wishing to share the host process ID - namespace - description: Do not generally permit containers to be run with the hostPID flag - set to true. 
- checks: - - id: AVD-KSV-0010 - severity: HIGH - - id: 5.2.4 - name: Minimize the admission of containers wishing to share the host IPC - namespace - description: Do not generally permit containers to be run with the hostIPC flag - set to true - checks: - - id: AVD-KSV-0008 - severity: HIGH - - id: 5.2.5 - name: Minimize the admission of containers wishing to share the host network - namespace - description: Do not generally permit containers to be run with the hostNetwork - flag set to true - checks: - - id: AVD-KSV-0009 - severity: HIGH - - id: 5.2.6 - name: Minimize the admission of containers with allowPrivilegeEscalation - description: Do not generally permit containers to be run with the - allowPrivilegeEscalation flag set to true - checks: - - id: AVD-KSV-0001 - severity: HIGH - - id: 5.2.7 - name: Minimize the admission of root containers - description: Do not generally permit containers to be run as the root user - checks: - - id: AVD-KSV-0012 - severity: MEDIUM - - id: 5.2.8 - name: Minimize the admission of containers with the NET_RAW capability - description: Do not generally permit containers with the potentially dangerous - NET_RAW capability - checks: - - id: AVD-KSV-0022 - severity: MEDIUM - - id: 5.2.9 - name: Minimize the admission of containers with added capabilities - description: Do not generally permit containers with capabilities assigned - beyond the default set - checks: - - id: AVD-KSV-0004 - severity: LOW - - id: 5.2.10 - name: Minimize the admission of containers with capabilities assigned - description: Do not generally permit containers with capabilities - checks: - - id: AVD-KSV-0003 - severity: LOW - - id: 5.2.11 - name: Minimize the admission of containers with capabilities assigned - description: Do not generally permit containers with capabilities - checks: - - id: AVD-KSV-0103 - severity: MEDIUM - - id: 5.2.12 - name: Minimize the admission of HostPath volumes - description: Do not generally admit containers which make use of 
hostPath volumes - checks: - - id: AVD-KSV-0023 - severity: MEDIUM - - id: 5.2.13 - name: Minimize the admission of containers which use HostPorts - description: Do not generally permit containers which require the use of HostPorts - checks: - - id: AVD-KSV-0024 - severity: MEDIUM - - id: 5.3.1 - name: Ensure that the CNI in use supports Network Policies (Manual) - description: There are a variety of CNI plugins available for Kubernetes. If the - CNI in use does not support Network Policies it may not be possible to - effectively restrict traffic in the cluster - severity: MEDIUM - - id: 5.3.2 - name: Ensure that all Namespaces have Network Policies defined - description: Use network policies to isolate traffic in your cluster network - checks: - - id: AVD-KSV-0038 - severity: MEDIUM - - id: 5.4.1 - name: Prefer using secrets as files over secrets as environment variables - (Manual) - description: Kubernetes supports mounting secrets as data volumes or as - environment variables. Minimize the use of environment variable - secrets - severity: MEDIUM - - id: 5.4.2 - name: Consider external secret storage (Manual) - description: Consider the use of an external secrets storage and management - system, instead of using Kubernetes Secrets directly, if you have more - complex secret management needs - severity: MEDIUM - - id: 5.5.1 - name: Configure Image Provenance using ImagePolicyWebhook admission controller - (Manual) - description: Configure Image Provenance for your deployment - severity: MEDIUM - - id: 5.7.1 - name: Create administrative boundaries between resources using namespaces - (Manual) - description: Use namespaces to isolate your Kubernetes objects - severity: MEDIUM - - id: 5.7.2 - name: Ensure that the seccomp profile is set to docker/default in your pod - definitions - description: Enable docker/default seccomp profile in your pod definitions - checks: - - id: AVD-KSV-0104 - severity: MEDIUM - - id: 5.7.3 - name: Apply Security Context to Your Pods and 
Containers - description: Apply Security Context to Your Pods and Containers - checks: - - id: AVD-KSV-0021 - - id: AVD-KSV-0020 - - id: AVD-KSV-0005 - - id: AVD-KSV-0025 - - id: AVD-KSV-0104 - - id: AVD-KSV-0030 - severity: HIGH - - id: 5.7.4 - name: The default namespace should not be used - description: Kubernetes provides a default namespace, where objects are placed - if no namespace is specified for them - checks: - - id: AVD-KSV-0110 - severity: MEDIUM -{{- end }} diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/eks-cis-1.4.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/eks-cis-1.4.yaml new file mode 100644 index 000000000..7da6d3fdb --- /dev/null +++ b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/eks-cis-1.4.yaml 
@@ -0,0 +1,508 @@ +{{- if .Values.compliance.specs | has "eks-cis-1.4"}} +apiVersion: aquasecurity.github.io/v1alpha1 +kind: ClusterComplianceReport +metadata: + name: eks-cis-1.4 + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: 0.23.0 + app.kubernetes.io/managed-by: kubectl +spec: + cron: {{ .Values.compliance.cron | quote }} + reportType: {{ .Values.compliance.reportType | quote }} + compliance: + id: eks-cis-1.4 + title: AWS EKS CIS Foundations v1.4 + platform: eks + type: cis + description: AWS EKS CIS Foundations + relatedResources: + - https://www.cisecurity.org/benchmark/kubernetes + version: "1.4" + controls: + - id: 2.1.1 + name: Enable audit Logs (Manual) + description: > + Control plane logs provide visibility into operation of the EKS + Control plane components systems. + + The API server audit logs record all accepted and rejected requests in the cluster. + + When enabled via EKS configuration the control plane logs for a cluster are exported to a CloudWatch + + Log Group for persistence. 
+ severity: MEDIUM + - id: 3.1.1 + name: Ensure that the kubeconfig file permissions are set to 644 or more + restrictive (Manual) + description: > + If kubelet is running, and if it is configured by a kubeconfig + file, ensure that the proxy kubeconfig + + file has permissions of 644 or more restrictive + + + Check with the following command: + + > sudo systemctl status kubelet + checks: + - id: AVD-KCV-0071 + commands: + - id: CMD-0024 + severity: HIGH + - id: 3.1.2 + name: Ensure that the kubelet service file ownership is set to root:root + (Automated) + description: Ensure that the kubelet service file ownership is set to root:root + checks: + - id: AVD-KCV-0070 + commands: + - id: CMD-0023 + severity: HIGH + - id: 3.1.3 + name: Ensure that the kubelet configuration file has permissions set to 644 or + more restrictive (Automated) + description: > + Ensure that if the kubelet refers to a configuration file with the + + --config argument, that file has permissions of 600 or more restrictive + checks: + - id: AVD-KCV-0077 + commands: + - id: CMD-0030 + severity: HIGH + - id: 3.1.4 + name: Ensure that the kubelet configuration file ownership is set to root:root + (Automated) + description: | + Ensure that if the kubelet refers to a configuration file with the + --config argument, that file is owned by root:root + checks: + - id: AVD-KCV-0078 + commands: + - id: CMD-0031 + severity: HIGH + - id: 3.2.1 + name: Ensure that the Anonymous Auth is Not Enabled (Automated) + description: Disable anonymous requests to the Kubelet server. + checks: + - id: AVD-KCV-0079 + commands: + - id: CMD-0032 + severity: CRITICAL + - id: 3.2.2 + name: Ensure that the --authorization-mode argument is not set to AlwaysAllow + (Automated) + description: Do not allow all requests. Enable explicit authorization. 
+ checks: + - id: AVD-KCV-0007 + severity: LOW + - id: 3.2.3 + name: Ensure that a Client CA File is Configured (Automated) + description: Enable Kubelet authentication using certificates. + checks: + - id: AVD-KCV-0081 + commands: + - id: CMD-0034 + severity: CRITICAL + - id: 3.2.4 + name: Ensure that the --read-only-port is disabled (Automated) + description: > + The Kubelet process provides a read-only API in addition to the + main Kubelet API. + + Unauthenticated access is provided to this read-only API which could possibly retrieve + + potentially sensitive information about the cluster. + checks: + - id: AVD-KCV-0082 + commands: + - id: CMD-0035 + severity: HIGH + - id: 3.2.5 + name: Ensure that the --streaming-connection-idle-timeout argument is not set to + 0 (Automated) + description: Do not disable timeouts on streaming connections. + checks: + - id: AVD-KCV-0085 + commands: + - id: CMD-0036 + severity: HIGH + - id: 3.2.6 + name: Ensure that the --make-iptables-util-chains argument is set to true + (Automated) + description: Allow Kubelet to manage iptables. + checks: + - id: AVD-KCV-0084 + commands: + - id: CMD-0038 + severity: HIGH + - id: 3.2.7 + name: Ensure that the --eventRecordQPS argument is set to 0 or a level which + ensures appropriate event capture (Manual) + description: > + Security relevant information should be captured. The + eventRecordQPS on the Kubelet + + configuration can be used to limit the rate at which events are gathered and sets the + + maximum event creations per second. Setting this too low could result in relevant + + events not being logged, however the unlimited setting of 0 could result in a denial of + + service on the kubelet. + severity: HIGH + - id: 3.2.8 + name: Ensure that the --rotate-certificates argument is not present or is set to + true (Automated) + description: Enable kubelet client certificate rotation. 
+ checks: + - id: AVD-KCV-0090 + commands: + - id: CMD-0043 + severity: CRITICAL + - id: 3.2.9 + name: Ensure that the RotateKubeletServerCertificate argument is set to true + (Automated) + description: Enable kubelet server certificate rotation. + checks: + - id: AVD-KCV-0091 + - id: AVD-KCV-0038 + commands: + - id: CMD-0044 + severity: CRITICAL + - id: 3.3.1 + name: Prefer using a container-optimized OS when possible (Manual) + description: > + If a container-optimized OS is required examine the nodes in EC2 + and click on their AMI + + to ensure that it is a container-optimized OS like Amazon Bottlerocket; or connect to the + + worker node and check its OS. + severity: HIGH + - id: 4.1.1 + name: Ensure that the cluster-admin role is only used where required (Automated) + description: > + The RBAC role cluster-admin provides wide-ranging powers over the + environment and + + should be used only where and when needed. + checks: + - id: AVD-KSV-0111 + severity: HIGH + - id: 4.1.2 + name: Minimize access to secrets (Automated) + description: > + The Kubernetes API stores secrets, which may be service account + tokens for the + + Kubernetes API or credentials used by workloads in the cluster. Access to these secrets + + should be restricted to the smallest possible group of users to reduce the risk of + + privilege escalation. + checks: + - id: AVD-KSV-0041 + severity: HIGH + - id: 4.1.3 + name: Minimize wildcard use in Roles and ClusterRoles (Automated) + description: > + Kubernetes Roles and ClusterRoles provide access to resources based + on sets of + + objects and actions that can be taken on those objects. It is possible to set either of + + these to be the wildcard "*" which matches all items. + + Use of wildcards is not optimal from a security perspective as it may allow for + + inadvertent access to be granted when new resources are added to the Kubernetes API + + either as CRDs or in later versions of the product. 
+ checks: + - id: AVD-KSV-0044 + - id: AVD-KSV-0045 + - id: AVD-KSV-0046 + severity: HIGH + - id: 4.1.4 + name: Minimize access to create pods (Manual) + description: > + The ability to create pods in a namespace can provide a number of + opportunities for + + privilege escalation, such as assigning privileged service accounts to these pods or + + mounting hostPaths with access to sensitive data (unless Pod Security Policies are + + implemented to restrict this access) + + As such, access to create new pods should be restricted to the smallest possible group + + of users. + severity: HIGH + - id: 4.1.5 + name: Ensure that default service accounts are not actively used. (Manual) + description: The default service account should not be used to ensure that + rights granted to applications can be more easily audited and + reviewed. + severity: HIGH + - id: 4.1.6 + name: Ensure that Service Account Tokens are only mounted where necessary + (Manual) + description: > + Service accounts tokens should not be mounted in pods except where + the workload + + running in the pod explicitly needs to communicate with the API server + severity: HIGH + - id: 4.1.7 + name: Avoid use of system:masters group (Manual) + description: > + The special group system:masters should not be used to grant + permissions to any user + + or service account, except where strictly necessary (e.g. bootstrapping access prior to + + RBAC being fully available) + severity: CRITICAL + - id: 4.1.8 + name: Limit use of the Bind, Impersonate and Escalate permissions in the + Kubernetes cluster + description: > + The special group system:masters should not be used to grant + permissions to any user + + or service account, except where strictly necessary (e.g. 
bootstrapping access prior to + + RBAC being fully available) + checks: + - id: AVD-KSV-0123 + severity: CRITICAL + - id: 4.2.1 + name: Minimize the admission of privileged containers (Automated) + description: Do not generally permit containers to be run with the + securityContext.privileged flag set to true. + checks: + - id: AVD-KSV-0017 + severity: HIGH + - id: 4.2.2 + name: Minimize the admission of containers wishing to share the host process ID + namespace (Automated) + description: Do not generally permit containers to be run with the hostPID flag + set to true. + checks: + - id: AVD-KSV-0010 + severity: HIGH + - id: 4.2.3 + name: Minimize the admission of containers wishing to share the host IPC + namespace (Automated) + description: Do not generally permit containers to be run with the hostIPC flag + set to true. + checks: + - id: AVD-KSV-0008 + severity: HIGH + - id: 4.2.4 + name: Minimize the admission of containers wishing to share the host network + namespace (Automated) + description: Do not generally permit containers to be run with the hostNetwork + flag set to true. + checks: + - id: AVD-KSV-0009 + severity: HIGH + - id: 4.2.5 + name: Minimize the admission of containers with allowPrivilegeEscalation + (Automated) + description: > + Do not generally permit containers to be run with the + allowPrivilegeEscalation flag set + + to true. Allowing this right can lead to a process running a container getting more rights + + than it started with. + checks: + - id: AVD-KSV-0001 + severity: HIGH + - id: 4.2.6 + name: Minimize the admission of root containers (Automated) + description: Do not generally permit containers to be run as the root user. + checks: + - id: AVD-KSV-0012 + severity: MEDIUM + - id: 4.2.7 + name: Minimize the admission of containers with added capabilities (Automated) + description: Do not generally permit containers with capabilities assigned + beyond the default set. 
+ checks: + - id: AVD-KSV-0004 + severity: LOW + - id: 4.2.8 + name: Minimize the admission of containers with capabilities assigned + (Automated) + description: Do not generally permit containers with capabilities + checks: + - id: AVD-KSV-0103 + - id: AVD-KSV-0003 + severity: MEDIUM + - id: 4.3.1 + name: Ensure CNI plugin supports network policies (Manual) + description: > + There are a variety of CNI plugins available for Kubernetes. If the + CNI in use does not + + support Network Policies it may not be possible to effectively restrict traffic in the + + cluster + severity: MEDIUM + - id: 4.3.2 + name: Ensure that all Namespaces have Network Policies defined (Automated) + description: Use network policies to isolate traffic in your cluster network. + checks: + - id: AVD-KSV-0038 + severity: MEDIUM + - id: 4.4.1 + name: Prefer using secrets as files over secrets as environment variables + (Manual) + description: > + Kubernetes supports mounting secrets as data volumes or as + environment variables. + + Minimize the use of environment variable secrets. + severity: MEDIUM + - id: 4.4.2 + name: Consider external secret storage (Manual) + description: > + Consider the use of an external secrets storage and management + system, instead of + + using Kubernetes Secrets directly, if you have more complex secret management + + needs. Ensure the solution requires authentication to access secrets, has auditing of + + access to and use of secrets, and encrypts secrets. Some solutions also make it easier + + to rotate secrets + severity: MEDIUM + - id: 4.5.1 + name: Create administrative boundaries between resources using namespaces + (Manual) + description: Use namespaces to isolate your Kubernetes objects. 
+ severity: MEDIUM + - id: 4.5.2 + name: Apply Security Context to Your Pods and Containers (Automated) + description: Apply Security Context to Your Pods and Containers + checks: + - id: AVD-KSV-0021 + - id: AVD-KSV-0020 + - id: AVD-KSV-0005 + - id: AVD-KSV-0025 + - id: AVD-KSV-0104 + - id: AVD-KSV-0030 + severity: HIGH + - id: 4.5.3 + name: The default namespace should not be used (Automated) + description: > + Kubernetes provides a default namespace, where objects are placed + if no namespace + + is specified for them. Placing objects in this namespace makes application of RBAC and + + other controls more difficult. + checks: + - id: AVD-KSV-0110 + severity: MEDIUM + - id: 5.1.1 + name: Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a + third party provider (Automated) + description: Scan images being deployed to Amazon EKS for vulnerabilities. + severity: MEDIUM + - id: 5.1.2 + name: Minimize user access to Amazon ECR (Manual) + description: Restrict user access to Amazon ECR, limiting interaction with build + images to only authorized personnel and service accounts. + severity: MEDIUM + - id: 5.1.3 + name: Minimize cluster access to read-only for Amazon ECR (Manual) + description: > + Configure the Cluster Service Account with Storage Object Viewer + Role to only allow + + read-only access to Amazon ECR + severity: MEDIUM + - id: 5.1.4 + name: Minimize Container Registries to only those approved (Manual) + description: Use approved container registries. + severity: MEDIUM + - id: 5.2.1 + name: Prefer using dedicated EKS Service Accounts (Manual) + description: > + Kubernetes workloads should not use cluster node service accounts + to authenticate to + + Amazon EKS APIs. Each Kubernetes workload that needs to authenticate to other AWS + + services using AWS IAM should be provisioned with a dedicated Service account. 
+ severity: MEDIUM + - id: 5.3.1 + name: Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) + managed in AWS KMS (Manual) + description: Encrypt Kubernetes secrets, stored in etcd, using secrets + encryption feature during Amazon EKS cluster creation. + severity: MEDIUM + - id: 5.4.1 + name: Restrict Access to the Control Plane Endpoint (Manual) + description: Enable Endpoint Private Access to restrict access to the cluster's + control plane to only an allowlist of authorized IPs + severity: MEDIUM + - id: 5.4.2 + name: Ensure clusters are created with Private Endpoint Enabled and Public + Access Disabled (Manual) + description: Disable access to the Kubernetes API from outside the node network + if it is not required. + severity: MEDIUM + - id: 5.4.3 + name: Ensure clusters are created with Private Nodes (Manual) + description: Disable public IP addresses for cluster nodes, so that they only + have private IP addresses. Private Nodes are nodes with no public IP + addresses. + severity: MEDIUM + - id: 5.4.4 + name: Ensure Network Policy is Enabled and set as appropriate (Manual) + description: > + Amazon EKS provides two ways to implement network policy. You + choose a network + + policy option when you create an EKS cluster. The policy option can't be changed after the cluster is created: + + Calico Network Policies, an open-source network and network + + security solution founded by Tigera. Both implementations use Linux IPTables to + + enforce the specified policies. Policies are translated into sets of allowed and disallowed + + IP pairs. These pairs are then programmed as IPTable filter rules + severity: MEDIUM + - id: 5.4.5 + name: Encrypt traffic to HTTPS load balancers with TLS certificates (Manual) + description: Encrypt traffic to HTTPS load balancers using TLS certificates. 
+ severity: MEDIUM + - id: 5.5.1 + name: Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes or + Upgrade to AWS CLI v1.16.156 or greater (Manual) + description: > + Amazon EKS uses IAM to provide authentication to your Kubernetes + cluster through the + + AWS IAM Authenticator for Kubernetes. You can configure the stock kubectl client to + + work with Amazon EKS by installing the AWS IAM Authenticator for Kubernetes and + + modifying your kubectl configuration file to use it for authentication + severity: MEDIUM + - id: 5.6.1 + name: Consider Fargate for running untrusted workloads (Manual) + description: It is Best Practice to restrict or fence untrusted workloads when + running in a multi-tenant environment. + severity: MEDIUM +{{- end }} diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-cis-1.23.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-cis-1.23.yaml new file mode 100644 index 000000000..a3c68b638 --- /dev/null +++ b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-cis-1.23.yaml 
@@ -0,0 +1,914 @@ +{{- if .Values.compliance.specs | has "k8s-cis-1.23"}} +apiVersion: aquasecurity.github.io/v1alpha1 +kind: ClusterComplianceReport +metadata: + name: k8s-cis-1.23 + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: 0.23.0 + app.kubernetes.io/managed-by: kubectl +spec: + cron: {{ .Values.compliance.cron | quote }} + reportType: {{ .Values.compliance.reportType | quote }} + compliance: + id: k8s-cis-1.23 + title: CIS Kubernetes Benchmarks v1.23 + description: CIS Kubernetes Benchmarks + platform: k8s + type: cis + relatedResources: + - https://www.cisecurity.org/benchmark/kubernetes + version: "1.23" + controls: + - id: 1.1.1 + name: Ensure that the API server pod specification file permissions are set to + 600 or more restrictive + description: Ensure that the API server pod specification file has permissions + of 600 or more restrictive + checks: + - id: AVD-KCV-0048 + commands: + - id: CMD-0001 + severity: HIGH + - id: 1.1.2 + name: Ensure that the API server pod specification file ownership is set to + root:root + description: Ensure that the API server pod specification file ownership is set + to root:root + checks: + - id: AVD-KCV-0049 + commands: + - id: CMD-0002 + severity: HIGH + - id: 1.1.3 + name: Ensure that the controller manager pod specification file permissions are + set to 600 or more restrictive + description: Ensure that the controller manager pod specification file has + permissions of 600 or more restrictive + checks: + - id: AVD-KCV-0050 + commands: + - id: CMD-0003 + severity: HIGH + - id: 1.1.4 + name: Ensure that the controller manager pod specification file ownership is set + to root:root + description: Ensure that the controller manager pod specification file ownership + is set to root:root + checks: + - id: AVD-KCV-0051 + commands: + - id: CMD-0004 + severity: HIGH + - id: 1.1.5 + name: Ensure that the scheduler pod specification file permissions 
are set to + 600 or more restrictive + description: Ensure that the scheduler pod specification file has permissions of + 600 or more restrictive + checks: + - id: AVD-KCV-0052 + commands: + - id: CMD-0005 + severity: HIGH + - id: 1.1.6 + name: Ensure that the scheduler pod specification file ownership is set to + root:root + description: Ensure that the scheduler pod specification file ownership is set + to root:root + checks: + - id: AVD-KCV-0053 + commands: + - id: CMD-0006 + severity: HIGH + - id: 1.1.7 + name: Ensure that the etcd pod specification file permissions are set to 600 or + more restrictive + description: Ensure that the etcd pod specification file has permissions of 600 + or more restrictive + checks: + - id: AVD-KCV-0054 + commands: + - id: CMD-0007 + severity: HIGH + - id: 1.1.8 + name: Ensure that the etcd pod specification file ownership is set to root:root + description: Ensure that the etcd pod specification file ownership is set to + root:root. + checks: + - id: AVD-KCV-0055 + commands: + - id: CMD-0008 + severity: HIGH + - id: 1.1.9 + name: Ensure that the Container Network Interface file permissions are set to + 600 or more restrictive + description: Ensure that the Container Network Interface files have permissions + of 600 or more restrictive + checks: + - id: AVD-KCV-0056 + commands: + - id: CMD-0009 + severity: HIGH + - id: 1.1.10 + name: Ensure that the Container Network Interface file ownership is set to + root:root + description: Ensure that the Container Network Interface files have ownership + set to root:root + checks: + - id: AVD-KCV-0057 + commands: + - id: CMD-0010 + severity: HIGH + - id: 1.1.11 + name: Ensure that the etcd data directory permissions are set to 700 or more + restrictive + description: Ensure that the etcd data directory has permissions of 700 or more + restrictive + checks: + - id: AVD-KCV-0058 + commands: + - id: CMD-0011 + severity: HIGH + - id: 1.1.12 + name: Ensure that the etcd data directory ownership 
is set to etcd:etcd + description: Ensure that the etcd data directory ownership is set to etcd:etcd + checks: + - id: AVD-KCV-0059 + commands: + - id: CMD-0012 + severity: LOW + - id: 1.1.13 + name: Ensure that the admin.conf file permissions are set to 600 + description: Ensure that the admin.conf file has permissions of 600 + checks: + - id: AVD-KCV-0060 + commands: + - id: CMD-0013 + severity: CRITICAL + - id: 1.1.14 + name: Ensure that the admin.conf file ownership is set to root:root + description: Ensure that the admin.conf file ownership is set to root:root + checks: + - id: AVD-KCV-0061 + commands: + - id: CMD-0014 + severity: CRITICAL + - id: 1.1.15 + name: Ensure that the scheduler.conf file permissions are set to 600 or more + restrictive + description: Ensure that the scheduler.conf file has permissions of 600 or more + restrictive + checks: + - id: AVD-KCV-0062 + commands: + - id: CMD-0015 + severity: HIGH + - id: 1.1.16 + name: Ensure that the scheduler.conf file ownership is set to root:root + description: Ensure that the scheduler.conf file ownership is set to root:root + checks: + - id: AVD-KCV-0063 + commands: + - id: CMD-0016 + severity: HIGH + - id: 1.1.17 + name: Ensure that the controller-manager.conf file permissions are set to 600 or + more restrictive + description: Ensure that the controller-manager.conf file has permissions of 600 + or more restrictive + checks: + - id: AVD-KCV-0064 + commands: + - id: CMD-0017 + severity: HIGH + - id: 1.1.18 + name: Ensure that the controller-manager.conf file ownership is set to root:root + description: Ensure that the controller-manager.conf file ownership is set to + root:root. 
+ checks: + - id: AVD-KCV-0065 + commands: + - id: CMD-0018 + severity: HIGH + - id: 1.1.19 + name: Ensure that the Kubernetes PKI directory and file ownership is set to + root:root + description: Ensure that the Kubernetes PKI directory and file ownership is set + to root:root + checks: + - id: AVD-KCV-0066 + commands: + - id: CMD-0019 + severity: CRITICAL + - id: 1.1.20 + name: Ensure that the Kubernetes PKI certificate file permissions are set to 600 + or more restrictive + description: Ensure that Kubernetes PKI certificate files have permissions of + 600 or more restrictive + checks: + - id: AVD-KCV-0068 + commands: + - id: CMD-0020 + severity: CRITICAL + - id: 1.1.21 + name: Ensure that the Kubernetes PKI key file permissions are set to 600 + description: Ensure that Kubernetes PKI key files have permissions of 600 + checks: + - id: AVD-KCV-0067 + commands: + - id: CMD-0021 + severity: CRITICAL + - id: 1.2.1 + name: Ensure that the --anonymous-auth argument is set to false + description: Disable anonymous requests to the API server + checks: + - id: AVD-KCV-0001 + severity: MEDIUM + - id: 1.2.2 + name: Ensure that the --token-auth-file parameter is not set + description: Do not use token based authentication + checks: + - id: AVD-KCV-0002 + severity: LOW + - id: 1.2.3 + name: Ensure that the --DenyServiceExternalIPs is not set + description: This admission controller rejects all net-new usage of the Service + field externalIPs + checks: + - id: AVD-KCV-0003 + severity: LOW + - id: 1.2.4 + name: Ensure that the --kubelet-https argument is set to true + description: Use https for kubelet connections + checks: + - id: AVD-KCV-0004 + severity: LOW + - id: 1.2.5 + name: Ensure that the --kubelet-client-certificate and --kubelet-client-key + arguments are set as appropriate + description: Enable certificate based kubelet authentication + checks: + - id: AVD-KCV-0005 + severity: HIGH + - id: 1.2.6 + name: Ensure that the --kubelet-certificate-authority argument is 
set as + appropriate + description: Verify kubelets certificate before establishing connection + checks: + - id: AVD-KCV-0006 + severity: HIGH + - id: 1.2.7 + name: Ensure that the --authorization-mode argument is not set to AlwaysAllow + description: Do not always authorize all requests + checks: + - id: AVD-KCV-0007 + severity: LOW + - id: 1.2.8 + name: Ensure that the --authorization-mode argument includes Node + description: Restrict kubelet nodes to reading only objects associated with them + checks: + - id: AVD-KCV-0008 + severity: HIGH + - id: 1.2.9 + name: Ensure that the --authorization-mode argument includes RBAC + description: Turn on Role Based Access Control + checks: + - id: AVD-KCV-0009 + severity: HIGH + - id: 1.2.10 + name: Ensure that the admission control plugin EventRateLimit is set + description: Limit the rate at which the API server accepts requests + checks: + - id: AVD-KCV-0010 + severity: HIGH + - id: 1.2.11 + name: Ensure that the admission control plugin AlwaysAdmit is not set + description: Do not allow all requests + checks: + - id: AVD-KCV-0011 + severity: LOW + - id: 1.2.12 + name: Ensure that the admission control plugin AlwaysPullImages is set + description: Always pull images + checks: + - id: AVD-KCV-0012 + severity: MEDIUM + - id: 1.2.13 + name: Ensure that the admission control plugin SecurityContextDeny is set if + PodSecurityPolicy is not used + description: The SecurityContextDeny admission controller can be used to deny + pods which make use of some SecurityContext fields which could allow for + privilege escalation in the cluster. 
This should be used where + PodSecurityPolicy is not in place within the cluster + checks: + - id: AVD-KCV-0013 + severity: MEDIUM + - id: 1.2.14 + name: Ensure that the admission control plugin ServiceAccount is set + description: Automate service accounts management + checks: + - id: AVD-KCV-0014 + severity: LOW + - id: 1.2.15 + name: Ensure that the admission control plugin NamespaceLifecycle is set + description: Reject creating objects in a namespace that is undergoing termination + checks: + - id: AVD-KCV-0015 + severity: LOW + - id: 1.2.16 + name: Ensure that the admission control plugin NodeRestriction is set + description: Limit the Node and Pod objects that a kubelet could modify + checks: + - id: AVD-KCV-0016 + severity: LOW + - id: 1.2.17 + name: Ensure that the --secure-port argument is not set to 0 + description: Do not disable the secure port + checks: + - id: AVD-KCV-0017 + severity: HIGH + - id: 1.2.18 + name: Ensure that the --profiling argument is set to false + description: Disable profiling, if not needed + checks: + - id: AVD-KCV-0018 + severity: LOW + - id: 1.2.19 + name: Ensure that the --audit-log-path argument is set + description: Enable auditing on the Kubernetes API Server and set the desired + audit log path. 
+ checks: + - id: AVD-KCV-0019 + severity: LOW + - id: 1.2.20 + name: Ensure that the --audit-log-maxage argument is set to 30 or as appropriate + description: Retain the logs for at least 30 days or as appropriate + checks: + - id: AVD-KCV-0020 + severity: LOW + - id: 1.2.21 + name: Ensure that the --audit-log-maxbackup argument is set to 10 or as + appropriate + description: Retain 10 or an appropriate number of old log file + checks: + - id: AVD-KCV-0021 + severity: LOW + - id: 1.2.22 + name: Ensure that the --audit-log-maxsize argument is set to 100 or as + appropriate + description: Rotate log files on reaching 100 MB or as appropriate + checks: + - id: AVD-KCV-0022 + severity: LOW + - id: 1.2.24 + name: Ensure that the --service-account-lookup argument is set to true + description: Validate service account before validating token + checks: + - id: AVD-KCV-0024 + severity: LOW + - id: 1.2.25 + name: Ensure that the --service-account-key-file argument is set as appropriate + description: Explicitly set a service account public key file for service + accounts on the apiserver + checks: + - id: AVD-KCV-0025 + severity: LOW + - id: 1.2.26 + name: Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as + appropriate + description: etcd should be configured to make use of TLS encryption for client + connections + checks: + - id: AVD-KCV-0026 + severity: LOW + - id: 1.2.27 + name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are + set as appropriate + description: Setup TLS connection on the API server + checks: + - id: AVD-KCV-0027 + severity: MEDIUM + - id: 1.2.28 + name: Ensure that the --client-ca-file argument is set appropriate + description: Setup TLS connection on the API server + checks: + - id: AVD-KCV-0028 + severity: LOW + - id: 1.2.29 + name: Ensure that the --etcd-cafile argument is set as appropriate + description: etcd should be configured to make use of TLS encryption for client + connections. 
+ checks: + - id: AVD-KCV-0029 + severity: LOW + - id: 1.2.30 + name: Ensure that the --encryption-provider-config argument is set as + appropriate + description: Encrypt etcd key-value store + checks: + - id: AVD-KCV-0030 + severity: LOW + - id: 1.3.1 + name: Ensure that the --terminated-pod-gc-threshold argument is set as + appropriate + description: Activate garbage collector on pod termination, as appropriate + checks: + - id: AVD-KCV-0033 + severity: MEDIUM + - id: 1.3.3 + name: Ensure that the --use-service-account-credentials argument is set to true + description: Use individual service account credentials for each controller + checks: + - id: AVD-KCV-0035 + severity: MEDIUM + - id: 1.3.4 + name: Ensure that the --service-account-private-key-file argument is set as + appropriate + description: Explicitly set a service account private key file for service + accounts on the controller manager + checks: + - id: AVD-KCV-0036 + severity: MEDIUM + - id: 1.3.5 + name: Ensure that the --root-ca-file argument is set as appropriate + description: Allow pods to verify the API servers serving certificate before + establishing connections + checks: + - id: AVD-KCV-0037 + severity: MEDIUM + - id: 1.3.6 + name: Ensure that the RotateKubeletServerCertificate argument is set to true + description: Enable kubelet server certificate rotation on controller-manager + checks: + - id: AVD-KCV-0038 + severity: MEDIUM + - id: 1.3.7 + name: Ensure that the --bind-address argument is set to 127.0.0.1 + description: Do not bind the scheduler service to non-loopback insecure addresses + checks: + - id: AVD-KCV-0039 + severity: LOW + - id: 1.4.1 + name: Ensure that the --profiling argument is set to false + description: Disable profiling, if not needed + checks: + - id: AVD-KCV-0034 + severity: MEDIUM + - id: 1.4.2 + name: Ensure that the --bind-address argument is set to 127.0.0.1 + description: Do not bind the scheduler service to non-loopback insecure addresses + checks: + - id: 
AVD-KCV-0041 + severity: CRITICAL + - id: "2.1" + name: Ensure that the --cert-file and --key-file arguments are set as + appropriate + description: Configure TLS encryption for the etcd service + checks: + - id: AVD-KCV-0042 + severity: MEDIUM + - id: "2.2" + name: Ensure that the --client-cert-auth argument is set to true + description: Enable client authentication on etcd service + checks: + - id: AVD-KCV-0043 + severity: CRITICAL + - id: "2.3" + name: Ensure that the --auto-tls argument is not set to true + description: Do not use self-signed certificates for TLS + checks: + - id: AVD-KCV-0044 + severity: CRITICAL + - id: "2.4" + name: Ensure that the --peer-cert-file and --peer-key-file arguments are set as + appropriate + description: etcd should be configured to make use of TLS encryption for peer + connections. + checks: + - id: AVD-KCV-0045 + severity: CRITICAL + - id: "2.5" + name: Ensure that the --peer-client-cert-auth argument is set to true + description: etcd should be configured for peer authentication + checks: + - id: AVD-KCV-0046 + severity: CRITICAL + - id: "2.6" + name: Ensure that the --peer-auto-tls argument is not set to true + description: Do not use self-signed certificates for TLS + checks: + - id: AVD-KCV-0047 + severity: HIGH + - id: 3.1.1 + name: Client certificate authentication should not be used for users (Manual) + description: Kubernetes provides the option to use client certificates for user + authentication. However as there is no way to revoke these certificates + when a user leaves an organization or loses their credential, they are + not suitable for this purpose + severity: HIGH + - id: 3.2.1 + name: Ensure that a minimal audit policy is created (Manual) + description: Kubernetes can audit the details of requests made to the API + server. The --audit- policy-file flag must be set for this logging to be + enabled. 
+ severity: HIGH + - id: 3.2.2 + name: Ensure that the audit policy covers key security concerns (Manual) + description: Ensure that the audit policy created for the cluster covers key + security concerns + severity: HIGH + - id: 4.1.1 + name: Ensure that the kubelet service file permissions are set to 600 or more + restrictive + description: Ensure that the kubelet service file has permissions of 600 or more + restrictive. + checks: + - id: AVD-KCV-0069 + commands: + - id: CMD-0022 + severity: HIGH + - id: 4.1.2 + name: Ensure that the kubelet service file ownership is set to root:root + description: Ensure that the kubelet service file ownership is set to root:root + checks: + - id: AVD-KCV-0070 + commands: + - id: CMD-0023 + severity: HIGH + - id: 4.1.3 + name: If proxy kubeconfig file exists ensure permissions are set to 600 or more + restrictive + description: If kube-proxy is running, and if it is using a file-based + kubeconfig file, ensure that the proxy kubeconfig file has permissions + of 600 or more restrictive + checks: + - id: AVD-KCV-0071 + commands: + - id: CMD-0024 + severity: HIGH + - id: 4.1.4 + name: If proxy kubeconfig file exists ensure ownership is set to root:root + description: If kube-proxy is running, ensure that the file ownership of its + kubeconfig file is set to root:root + checks: + - id: AVD-KCV-0072 + commands: + - id: CMD-0025 + severity: HIGH + - id: 4.1.5 + name: Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 + or more restrictive + description: Ensure that the kubelet.conf file has permissions of 600 or more + restrictive + checks: + - id: AVD-KCV-0073 + commands: + - id: CMD-0026 + severity: HIGH + - id: 4.1.6 + name: Ensure that the --kubeconfig kubelet.conf file ownership is set to + root:root + description: Ensure that the kubelet.conf file ownership is set to root:root + checks: + - id: AVD-KCV-0074 + commands: + - id: CMD-0027 + severity: HIGH + - id: 4.1.7 + name: Ensure that the certificate 
authorities file permissions are set to 600 or + more restrictive + description: Ensure that the certificate authorities file has permissions of 600 + or more restrictive + checks: + - id: AVD-KCV-0075 + commands: + - id: CMD-0028 + severity: CRITICAL + - id: 4.1.8 + name: Ensure that the client certificate authorities file ownership is set to + root:root + description: Ensure that the certificate authorities file ownership is set to + root:root + checks: + - id: AVD-KCV-0076 + commands: + - id: CMD-0029 + severity: CRITICAL + - id: 4.1.9 + name: If the kubelet config.yaml configuration file is being used validate + permissions set to 600 or more restrictive + description: Ensure that if the kubelet refers to a configuration file with the + --config argument, that file has permissions of 600 or more restrictive + checks: + - id: AVD-KCV-0077 + commands: + - id: CMD-0030 + severity: HIGH + - id: 4.1.10 + name: If the kubelet config.yaml configuration file is being used validate file + ownership is set to root:root + description: Ensure that if the kubelet refers to a configuration file with the + --config argument, that file is owned by root:root + checks: + - id: AVD-KCV-0078 + commands: + - id: CMD-0031 + severity: HIGH + - id: 4.2.1 + name: Ensure that the --anonymous-auth argument is set to false + description: Disable anonymous requests to the Kubelet server + checks: + - id: AVD-KCV-0079 + commands: + - id: CMD-0032 + severity: CRITICAL + - id: 4.2.2 + name: Ensure that the --authorization-mode argument is not set to AlwaysAllow + description: Do not allow all requests. 
Enable explicit authorization + checks: + - id: AVD-KCV-0080 + commands: + - id: CMD-0033 + severity: CRITICAL + - id: 4.2.3 + name: Ensure that the --client-ca-file argument is set as appropriate + description: Enable Kubelet authentication using certificates + checks: + - id: AVD-KCV-0081 + commands: + - id: CMD-0034 + severity: CRITICAL + - id: 4.2.4 + name: Verify that the --read-only-port argument is set to 0 + description: Disable the read-only port + checks: + - id: AVD-KCV-0082 + commands: + - id: CMD-0035 + severity: HIGH + - id: 4.2.5 + name: Ensure that the --streaming-connection-idle-timeout argument is not set to + 0 + description: Do not disable timeouts on streaming connections + checks: + - id: AVD-KCV-0085 + commands: + - id: CMD-0036 + severity: HIGH + - id: 4.2.6 + name: Ensure that the --protect-kernel-defaults argument is set to true + description: Protect tuned kernel parameters from overriding kubelet default + kernel parameter values + checks: + - id: AVD-KCV-0083 + commands: + - id: CMD-0037 + severity: HIGH + - id: 4.2.7 + name: Ensure that the --make-iptables-util-chains argument is set to true + description: Allow Kubelet to manage iptables + checks: + - id: AVD-KCV-0084 + commands: + - id: CMD-0038 + severity: HIGH + - id: 4.2.8 + name: Ensure that the --hostname-override argument is not set + description: Do not override node hostnames + checks: + - id: AVD-KCV-0086 + commands: + - id: CMD-0039 + severity: HIGH + - id: 4.2.9 + name: Ensure that the --event-qps argument is set to 0 or a level which ensures + appropriate event capture + description: Security relevant information should be captured. 
The --event-qps + flag on the Kubelet can be used to limit the rate at which events are + gathered + checks: + - id: AVD-KCV-0087 + commands: + - id: CMD-0040 + severity: HIGH + - id: 4.2.10 + name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are + set as appropriate + description: Setup TLS connection on the Kubelets + checks: + - id: AVD-KCV-0088 + - id: AVD-KCV-0089 + commands: + - id: CMD-0041 + - id: CMD-0042 + severity: CRITICAL + - id: 4.2.11 + name: Ensure that the --rotate-certificates argument is not set to false + description: Enable kubelet client certificate rotation + checks: + - id: AVD-KCV-0090 + commands: + - id: CMD-0043 + severity: CRITICAL + - id: 4.2.12 + name: Verify that the RotateKubeletServerCertificate argument is set to true + description: Enable kubelet server certificate rotation + checks: + - id: AVD-KCV-0091 + commands: + - id: CMD-0044 + severity: CRITICAL + - id: 4.2.13 + name: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers + description: Ensure that the Kubelet is configured to only use strong + cryptographic ciphers + checks: + - id: AVD-KCV-0092 + commands: + - id: CMD-0045 + severity: CRITICAL + - id: 5.1.1 + name: Ensure that the cluster-admin role is only used where required + description: The RBAC role cluster-admin provides wide-ranging powers over the + environment and should be used only where and when needed + checks: + - id: AVD-KSV-0111 + severity: HIGH + - id: 5.1.2 + name: Minimize access to secrets + description: The Kubernetes API stores secrets, which may be service account + tokens for the Kubernetes API or credentials used by workloads in the + cluster + checks: + - id: AVD-KSV-0041 + severity: HIGH + - id: 5.1.3 + name: Minimize wildcard use in Roles and ClusterRoles + description: Kubernetes Roles and ClusterRoles provide access to resources based + on sets of objects and actions that can be taken on those objects. 
It is + possible to set either of these to be the wildcard "*" which matches all + items + checks: + - id: AVD-KSV-0044 + - id: AVD-KSV-0045 + - id: AVD-KSV-0046 + severity: HIGH + - id: 5.1.6 + name: Ensure that Service Account Tokens are only mounted where necessary + description: Service accounts tokens should not be mounted in pods except where + the workload running in the pod explicitly needs to communicate with the + API server + checks: + - id: AVD-KSV-0036 + severity: HIGH + - id: 5.1.8 + name: Limit use of the Bind, Impersonate and Escalate permissions in the + Kubernetes cluster + description: Cluster roles and roles with the impersonate, bind or escalate + permissions should not be granted unless strictly required + checks: + - id: AVD-KSV-0043 + severity: HIGH + - id: 5.2.2 + name: Minimize the admission of privileged containers + description: Do not generally permit containers to be run with the + securityContext.privileged flag set to true + checks: + - id: AVD-KSV-0017 + severity: HIGH + - id: 5.2.3 + name: Minimize the admission of containers wishing to share the host process ID + namespace + description: Do not generally permit containers to be run with the hostPID flag + set to true. 
+ checks: + - id: AVD-KSV-0010 + severity: HIGH + - id: 5.2.4 + name: Minimize the admission of containers wishing to share the host IPC + namespace + description: Do not generally permit containers to be run with the hostIPC flag + set to true + checks: + - id: AVD-KSV-0008 + severity: HIGH + - id: 5.2.5 + name: Minimize the admission of containers wishing to share the host network + namespace + description: Do not generally permit containers to be run with the hostNetwork + flag set to true + checks: + - id: AVD-KSV-0009 + severity: HIGH + - id: 5.2.6 + name: Minimize the admission of containers with allowPrivilegeEscalation + description: Do not generally permit containers to be run with the + allowPrivilegeEscalation flag set to true + checks: + - id: AVD-KSV-0001 + severity: HIGH + - id: 5.2.7 + name: Minimize the admission of root containers + description: Do not generally permit containers to be run as the root user + checks: + - id: AVD-KSV-0012 + severity: MEDIUM + - id: 5.2.8 + name: Minimize the admission of containers with the NET_RAW capability + description: Do not generally permit containers with the potentially dangerous + NET_RAW capability + checks: + - id: AVD-KSV-0022 + severity: MEDIUM + - id: 5.2.9 + name: Minimize the admission of containers with added capabilities + description: Do not generally permit containers with capabilities assigned + beyond the default set + checks: + - id: AVD-KSV-0004 + severity: LOW + - id: 5.2.10 + name: Minimize the admission of containers with capabilities assigned + description: Do not generally permit containers with capabilities + checks: + - id: AVD-KSV-0003 + severity: LOW + - id: 5.2.11 + name: Minimize the admission of containers with capabilities assigned + description: Do not generally permit containers with capabilities + checks: + - id: AVD-KSV-0103 + severity: MEDIUM + - id: 5.2.12 + name: Minimize the admission of HostPath volumes + description: Do not generally admit containers which make use of 
hostPath volumes + checks: + - id: AVD-KSV-0023 + severity: MEDIUM + - id: 5.2.13 + name: Minimize the admission of containers which use HostPorts + description: Do not generally permit containers which require the use of HostPorts + checks: + - id: AVD-KSV-0024 + severity: MEDIUM + - id: 5.3.1 + name: Ensure that the CNI in use supports Network Policies (Manual) + description: There are a variety of CNI plugins available for Kubernetes. If the + CNI in use does not support Network Policies it may not be possible to + effectively restrict traffic in the cluster + severity: MEDIUM + - id: 5.3.2 + name: Ensure that all Namespaces have Network Policies defined + description: Use network policies to isolate traffic in your cluster network + checks: + - id: AVD-KSV-0038 + severity: MEDIUM + - id: 5.4.1 + name: Prefer using secrets as files over secrets as environment variables + (Manual) + description: Kubernetes supports mounting secrets as data volumes or as + environment variables. Minimize the use of environment variable secrets + severity: MEDIUM + - id: 5.4.2 + name: Consider external secret storage (Manual) + description: Consider the use of an external secrets storage and management + system, instead of using Kubernetes Secrets directly, if you have more + complex secret management needs + severity: MEDIUM + - id: 5.5.1 + name: Configure Image Provenance using ImagePolicyWebhook admission controller + (Manual) + description: Configure Image Provenance for your deployment + severity: MEDIUM + - id: 5.7.1 + name: Create administrative boundaries between resources using namespaces + (Manual) + description: Use namespaces to isolate your Kubernetes objects + severity: MEDIUM + - id: 5.7.2 + name: Ensure that the seccomp profile is set to docker/default in your pod + definitions + description: Enable docker/default seccomp profile in your pod definitions + checks: + - id: AVD-KSV-0104 + severity: MEDIUM + - id: 5.7.3 + name: Apply Security Context to Your Pods and 
Containers + description: Apply Security Context to Your Pods and Containers + checks: + - id: AVD-KSV-0021 + - id: AVD-KSV-0020 + - id: AVD-KSV-0005 + - id: AVD-KSV-0025 + - id: AVD-KSV-0104 + - id: AVD-KSV-0030 + severity: HIGH + - id: 5.7.4 + name: The default namespace should not be used + description: Kubernetes provides a default namespace, where objects are placed + if no namespace is specified for them + checks: + - id: AVD-KSV-0110 + severity: MEDIUM +{{- end }} \ No newline at end of file diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-nsa-1.0.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-nsa-1.0.yaml new file mode 100644 index 000000000..9798749f7 --- /dev/null +++ b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-nsa-1.0.yaml 
@@ -0,0 +1,192 @@
+{{- if .Values.compliance.specs | has "k8s-nsa-1.0"}}
+---
+apiVersion: aquasecurity.github.io/v1alpha1
+kind: ClusterComplianceReport
+metadata:
+ name: k8s-nsa-1.0
+ labels:
+ app.kubernetes.io/name: trivy-operator
+ app.kubernetes.io/instance: trivy-operator
+ app.kubernetes.io/version: 0.23.0
+ app.kubernetes.io/managed-by: kubectl
+spec:
+ cron: {{ .Values.compliance.cron | quote}}
+ reportType: {{ .Values.compliance.reportType | quote}}
+ compliance:
+ id: k8s-nsa-1.0
+ platform: k8s
+ type: nsa
+ title: National Security Agency - Kubernetes Hardening Guidance v1.0
+ description: National Security Agency - Kubernetes Hardening Guidance
+ relatedResources:
+ - https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/
+ version: "1.0"
+ controls:
+ - name: Non-root containers
+ description: Check that container is not running as root
+ id: "1.0"
+ checks:
+ - id: AVD-KSV-0012
+ severity: MEDIUM
+ - name: Immutable container file systems
+ description: Check that container root file system is immutable
+ id: "1.1"
+ checks:
+ - id: AVD-KSV-0014
+ severity: LOW
+ - name: Preventing privileged containers
+ description: Controls whether Pods can run privileged containers
+ id: "1.2"
+ checks:
+ - id: AVD-KSV-0017
+ severity: HIGH
+ - name: Share containers process namespaces
+ description: Controls whether containers can share process namespaces
+ id: "1.3"
+ checks:
+ - id: AVD-KSV-0008
+ severity: HIGH
+ - name: Share host process namespaces
+ description: Controls whether share host process namespaces
+ id: "1.4"
+ checks:
+ - id: AVD-KSV-0009
+ severity: HIGH
+ - name: Use the host network
+ description: Controls whether containers can use the host network
+ id: "1.5"
+ checks:
+ - id: AVD-KSV-0010
+ severity: HIGH
+ - name: Run with root privileges or with root group membership
+ description: Controls whether container applications can run with root
+ privileges or with root group membership
+ id: "1.6"
+ checks:
+ - id: AVD-KSV-0029
+ severity: LOW
+ - name: Restricts escalation to root privileges
+ description: Control check restrictions escalation to root privileges
+ id: "1.7"
+ checks:
+ - id: AVD-KSV-0001
+ severity: MEDIUM
+ - name: Sets the SELinux context of the container
+ description: Control checks if pod sets the SELinux context of the container
+ id: "1.8"
+ checks:
+ - id: AVD-KSV-0002
+ severity: MEDIUM
+ - name: Restrict a container's access to resources with AppArmor
+ description: Control checks the restriction of containers access to resources
+ with AppArmor
+ id: "1.9"
+ checks:
+ - id: AVD-KSV-0030
+ severity: MEDIUM
+ - name: Sets the seccomp profile used to sandbox containers.
+ description: Control checks the sets the seccomp profile used to sandbox containers
+ id: "1.10"
+ checks:
+ - id: AVD-KSV-0030
+ severity: LOW
+ - name: Protecting Pod service account tokens
+ description: "Control check whether disable secret token been mount
+ ,automountServiceAccountToken: false"
+ id: "1.11"
+ checks:
+ - id: AVD-KSV-0036
+ severity: MEDIUM
+ - name: Namespace kube-system should not be used by users
+ description: Control check whether Namespace kube-system is not be used by users
+ id: "1.12"
+ defaultStatus: FAIL
+ checks:
+ - id: AVD-KSV-0037
+ severity: MEDIUM
+ - name: Pod and/or namespace Selectors usage
+ description: Control check validate the pod and/or namespace Selectors usage
+ id: "2.0"
+ defaultStatus: FAIL
+ checks:
+ - id: AVD-KSV-0038
+ severity: MEDIUM
+ - name: Use CNI plugin that supports NetworkPolicy API (Manual)
+ description: Control check whether check cni plugin installed
+ id: "3.0"
+ defaultStatus: FAIL
+ severity: CRITICAL
+ - name: Use ResourceQuota policies to limit resources
+ description: Control check the use of ResourceQuota policy to limit aggregate
+ resource usage within namespace
+ id: "4.0"
+ defaultStatus: FAIL
+ checks:
+ - id: AVD-KSV-0040
+ severity: MEDIUM
+ - name: Use LimitRange policies to limit resources
+ description: Control check the use of LimitRange policy limit resource usage for
+ namespaces or nodes
+ id: "4.1"
+ defaultStatus: FAIL
+ checks:
+ - id: AVD-KSV-0039
+ severity: MEDIUM
+ - name: Control plan disable insecure port (Manual)
+ description: Control check whether control plan disable insecure port
+ id: "5.0"
+ defaultStatus: FAIL
+ severity: CRITICAL
+ - name: Encrypt etcd communication
+ description: Control check whether etcd communication is encrypted
+ id: "5.1"
+ checks:
+ - id: AVD-KCV-0030
+ severity: CRITICAL
+ - name: Ensure kube config file permission (Manual)
+ description: Control check whether kube config file permissions
+ id: "6.0"
+ defaultStatus: FAIL
+ severity: CRITICAL
+ - name: Check that encryption resource has been set
+ description: Control checks whether encryption resource has been set
+ id: "6.1"
+ checks:
+ - id: AVD-KCV-0029
+ severity: CRITICAL
+ - name: Check encryption provider
+ description: Control checks whether encryption provider has been set
+ id: "6.2"
+ checks:
+ - id: AVD-KCV-0004
+ severity: CRITICAL
+ - name: Make sure anonymous-auth is unset
+ description: Control checks whether anonymous-auth is unset
+ id: "7.0"
+ checks:
+ - id: AVD-KCV-0001
+ severity: CRITICAL
+ - name: Make sure -authorization-mode=RBAC
+ description: Control check whether RBAC permission is in use
+ id: "7.1"
+ checks:
+ - id: AVD-KCV-0008
+ severity: CRITICAL
+ - name: Audit policy is configure (Manual)
+ description: Control check whether audit policy is configure
+ id: "8.0"
+ defaultStatus: FAIL
+ severity: HIGH
+ - name: Audit log path is configure
+ description: Control check whether audit log path is configure
+ id: "8.1"
+ checks:
+ - id: AVD-KCV-0019
+ severity: MEDIUM
+ - name: Audit log aging
+ description: Control check whether audit log aging is configure
+ id: "8.2"
+ checks:
+ - id: AVD-KCV-0020
+ severity: MEDIUM
+{{- end }}
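Review bot: Controls 1.9 (AppArmor) and 1.10 (seccomp) both reference `AVD-KSV-0030`, so the AppArmor control only re-runs the seccomp check and the report never independently assesses AppArmor profiles; the mapping is carried over unchanged from the deleted nsa-1.0.yaml rather than introduced here. The renamed k8s-pss-baseline-0.1.yaml in this same patch maps AppArmor to `avd-ksv-0002` and SELinux to `avd-ksv-0025`, whereas control 1.8 here uses `AVD-KSV-0002` for SELinux, so the two specs disagree on which check covers which control; if the pss-baseline mapping is the authoritative one, 1.8 should read `- id: AVD-KSV-0025` and 1.9 `- id: AVD-KSV-0002`, and since this tree mirrors the upstream chart the correction belongs upstream so the next sync does not undo it. Separately, the gate is now `.Values.compliance.specs | has "k8s-nsa-1.0"` instead of the old `.Values.operator.clusterComplianceEnabled` (the two pss hunks below make the same switch), so an existing values override that only set the old flag will silently stop producing these compliance reports unless `compliance.specs` lists the new ids; that deserves a line in the upgrade notes.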
diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/pss-baseline.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-pss-baseline-0.1.yaml similarity index 78% rename from helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/pss-baseline.yaml rename to helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-pss-baseline-0.1.yaml index de78d71bf..36624e481 100644 --- a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/pss-baseline.yaml +++ b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-pss-baseline-0.1.yaml 
@@ -1,102 +1,105 @@ -{{- if .Values.operator.clusterComplianceEnabled }} +{{- if .Values.compliance.specs | has "k8s-pss-baseline-0.1"}} +--- apiVersion: aquasecurity.github.io/v1alpha1 kind: ClusterComplianceReport metadata: - name: pss-baseline + name: k8s-pss-baseline-0.1 labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: 0.21.3 + app.kubernetes.io/version: 0.23.0 app.kubernetes.io/managed-by: kubectl spec: - cron: {{ .Values.compliance.cron | quote }} - reportType: {{ .Values.compliance.reportType | quote }} + cron: {{ .Values.compliance.cron | quote}} + reportType: {{ .Values.compliance.reportType | quote}} compliance: - id: pss-baseline + id: k8s-pss-baseline-0.1 + platform: eks + type: pss-baseline title: Kubernetes Pod Security Standards - Baseline description: Kubernetes Pod Security Standards - Baseline relatedResources: - https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline - version: '0.1' + version: "0.1" controls: - name: HostProcess description: Windows pods offer the ability to run HostProcess containers which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy - id: '1' + id: "1" checks: - id: AVD-KSV-0103 - severity: 'HIGH' + severity: HIGH - name: Host Namespaces description: Sharing the host namespaces must be disallowed. - id: '2' + id: "2" checks: - id: AVD-KSV-0008 - severity: 'HIGH' + severity: HIGH - name: Privileged Containers description: Privileged Pods disable most security mechanisms and must be disallowed. - id: '3' + id: "3" checks: - id: AVD-KSV-0017 - severity: 'HIGH' + severity: HIGH - name: Capabilities description: Adding additional capabilities beyond those listed below must be disallowed. - id: '4' + id: "4" checks: - id: AVD-KSV-0022 - severity: 'MEDIUM' + severity: MEDIUM - name: HostPath Volumes description: HostPath volumes must be forbidden. 
- id: '5' + id: "5" checks: - - id: 'AVD-KSV-0023' - severity: 'MEDIUM' + - id: AVD-KSV-0023 + severity: MEDIUM - name: host ports description: hostports should be disallowed, or at minimum restricted to a known list. - id: '6' + id: "6" checks: - id: avd-ksv-0024 - severity: 'HIGH' + severity: HIGH - name: AppArmor description: On supported hosts, the runtime/default AppArmor profile is applied by default. The baseline policy should prevent overriding or disabling the default AppArmor profile, or restrict overrides to an allowed set of profiles. - id: '7' + id: "7" checks: - id: avd-ksv-0002 - severity: 'HIGH' + severity: HIGH - name: SELinux description: Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden. - id: '8' + id: "8" checks: - id: avd-ksv-0025 - severity: 'MEDIUM' + severity: MEDIUM - name: /proc Mount Type description: The default /proc masks are set up to reduce attack surface, and should be required. - id: '9' + id: "9" checks: - id: avd-ksv-0027 - severity: 'MEDIUM' + severity: MEDIUM - name: Seccomp description: Seccomp profile must not be explicitly set to Unconfined. - id: '10' + id: "10" checks: - id: avd-ksv-0104 - severity: 'MEDIUM' + severity: MEDIUM - name: Sysctls description: Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed 'safe' subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node. - id: '11' + id: "11" checks: - id: avd-ksv-0026 - severity: 'MEDIUM' + severity: MEDIUM {{- end }} 
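Review bot: The newly added `platform: eks` does not match this spec: the file is renamed to k8s-pss-baseline-0.1, its `id` is `k8s-pss-baseline-0.1`, and the sibling k8s-pss-restricted-0.1.yaml hunk in this patch sets `platform: k8s`, so if the operator filters, labels or groups reports by platform the baseline report would be attributed to EKS on every cluster. The line should read `platform: k8s` to agree with the restricted spec; because this directory is a vendored copy of the upstream chart, raise it upstream as well so a later sync does not reintroduce it. The check ids from control 6 onward stay lowercase (`avd-ksv-0024`, `avd-ksv-0002`, …) while controls 1–5 and every other spec in this patch use uppercase `AVD-KSV-…`; if the operator matches ids case-sensitively those controls would never bind to a result, so it is worth confirming once against a rendered report (the same casing is present in the restricted spec).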
diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/pss-restricted.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-pss-restricted-0.1.yaml similarity index 80% rename from helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/pss-restricted.yaml rename to helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-pss-restricted-0.1.yaml index 82063c44e..3f263ea9d 100644 --- a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/pss-restricted.yaml +++ b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/k8s-pss-restricted-0.1.yaml 
@@ -1,142 +1,145 @@ -{{- if .Values.operator.clusterComplianceEnabled }} +{{- if .Values.compliance.specs | has "k8s-pss-restricted-0.1"}} +--- apiVersion: aquasecurity.github.io/v1alpha1 kind: ClusterComplianceReport metadata: - name: pss-restricted + name: k8s-pss-restricted-0.1 labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: 0.21.3 + app.kubernetes.io/version: 0.23.0 app.kubernetes.io/managed-by: kubectl spec: - cron: {{ .Values.compliance.cron | quote }} - reportType: {{ .Values.compliance.reportType | quote }} + cron: {{ .Values.compliance.cron | quote}} + reportType: {{ .Values.compliance.reportType | quote}} compliance: - id: pss-restricted + id: k8s-pss-restricted-0.1 + platform: k8s + type: pss-restricted title: Kubernetes Pod Security Standards - Restricted description: Kubernetes Pod Security Standards - Restricted relatedResources: - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted - version: '0.1' + version: "0.1" controls: - name: HostProcess description: Windows pods offer the ability to run HostProcess containers which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy - id: '1' + id: "1" checks: - id: AVD-KSV-0103 - severity: 'HIGH' + severity: HIGH - name: Host Namespaces description: Sharing the host namespaces must be disallowed. - id: '2' + id: "2" checks: - id: AVD-KSV-0008 - severity: 'HIGH' + severity: HIGH - name: Privileged Containers description: Privileged Pods disable most security mechanisms and must be disallowed. - id: '3' + id: "3" checks: - id: AVD-KSV-0017 - severity: 'HIGH' + severity: HIGH - name: Capabilities description: Adding additional capabilities beyond those listed below must be disallowed. - id: '4' + id: "4" checks: - id: AVD-KSV-0022 - severity: 'MEDIUM' + severity: MEDIUM - name: HostPath Volumes description: HostPath volumes must be forbidden. 
- id: '5' + id: "5" checks: - id: AVD-KSV-0023 - severity: 'MEDIUM' + severity: MEDIUM - name: host ports description: hostports should be disallowed, or at minimum restricted to a known list. - id: '6' + id: "6" checks: - id: avd-ksv-0024 - severity: 'HIGH' + severity: HIGH - name: AppArmor description: On supported hosts, the runtime/default AppArmor profile is applied by default. The baseline policy should prevent overriding or disabling the default AppArmor profile, or restrict overrides to an allowed set of profiles. - id: '7' + id: "7" checks: - id: avd-ksv-0002 - severity: 'HIGH' + severity: HIGH - name: SELinux description: Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden. - id: '8' + id: "8" checks: - id: avd-ksv-0025 - severity: 'MEDIUM' + severity: MEDIUM - name: /proc Mount Type description: The default /proc masks are set up to reduce attack surface, and should be required. - id: '9' + id: "9" checks: - id: avd-ksv-0027 - severity: 'MEDIUM' + severity: MEDIUM - name: Seccomp description: Seccomp profile must not be explicitly set to Unconfined. - id: '10' + id: "10" checks: - id: avd-ksv-0104 - severity: 'MEDIUM' + severity: MEDIUM - name: Sysctls description: Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed 'safe' subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node. - id: '11' + id: "11" checks: - id: avd-ksv-0026 - severity: 'MEDIUM' + severity: MEDIUM - name: Volume Types description: The restricted policy only permits specific volume types. - id: '12' + id: "12" checks: - id: avd-ksv-0028 severity: LOW - name: Privilege Escalation description: Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed. 
- id: '13' + id: "13" checks: - id: avd-ksv-0001 - severity: 'MEDIUM' + severity: MEDIUM - name: Running as Non-root description: Containers must be required to run as non-root users. - id: '14' + id: "14" checks: - id: avd-ksv-0012 - severity: 'MEDIUM' + severity: MEDIUM - name: Running as Non-root user description: Containers must not set runAsUser to 0 - id: '15' + id: "15" checks: - id: avd-ksv-0105 - severity: 'LOW' + severity: LOW - name: Seccomp description: Seccomp profile must be explicitly set to one of the allowed values. Both the Unconfined profile and the absence of a profile are prohibited - id: '16' + id: "16" checks: - id: avd-ksv-0030 - severity: 'LOW' + severity: LOW - name: Capabilities description: Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability. - id: '17' + id: "17" checks: - id: avd-ksv-0106 - severity: 'LOW' + severity: LOW {{- end }} diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/nsa-1.0.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/nsa-1.0.yaml deleted file mode 100644 index a5aa7b9e3..000000000 --- a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/nsa-1.0.yaml +++ /dev/null 
@@ -1,184 +0,0 @@ -{{- if .Values.operator.clusterComplianceEnabled }} -apiVersion: aquasecurity.github.io/v1alpha1 -kind: ClusterComplianceReport -metadata: - name: nsa - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.21.3" - app.kubernetes.io/managed-by: kubectl -spec: - cron: {{ .Values.compliance.cron | quote }} - reportType: {{ .Values.compliance.reportType | quote }} - compliance: - id: nsa - title: National Security Agency - Kubernetes Hardening Guidance v1.0 - description: National Security Agency - Kubernetes Hardening Guidance - relatedResources : - - https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/ - version: "1.0" - controls: - - name: Non-root containers - description: 'Check that container is not running as root' - id: '1.0' - checks: - - id: AVD-KSV-0012 - severity: 'MEDIUM' - - name: Immutable container file systems - description: 'Check that container root file system is immutable' - id: '1.1' - checks: - - id: AVD-KSV-0014 - severity: 'LOW' - - name: Preventing privileged containers - description: 'Controls whether Pods can run privileged containers' - id: '1.2' - checks: - - id: AVD-KSV-0017 - severity: 'HIGH' - - name: Share containers process namespaces - description: 'Controls whether containers can share process namespaces' - id: '1.3' - checks: - - id: AVD-KSV-0008 - severity: 'HIGH' - - name: Share host process namespaces - description: 'Controls whether share host process namespaces' - id: '1.4' - checks: - - id: AVD-KSV-0009 - severity: 'HIGH' - - name: Use the host network - description: 'Controls whether containers can use the host network' - id: '1.5' - checks: - - id: AVD-KSV-0010 - severity: 'HIGH' - - name: Run with root privileges or with root group membership - description: 'Controls whether container applications can run with root privileges or with root group membership' - id: '1.6' 
- checks: - - id: AVD-KSV-0029 - severity: 'LOW' - - name: Restricts escalation to root privileges - description: 'Control check restrictions escalation to root privileges' - id: '1.7' - checks: - - id: AVD-KSV-0001 - severity: 'MEDIUM' - - name: Sets the SELinux context of the container - description: 'Control checks if pod sets the SELinux context of the container' - id: '1.8' - checks: - - id: AVD-KSV-0002 - severity: 'MEDIUM' - - name: Restrict a container's access to resources with AppArmor - description: 'Control checks the restriction of containers access to resources with AppArmor' - id: '1.9' - checks: - - id: AVD-KSV-0030 - severity: 'MEDIUM' - - name: Sets the seccomp profile used to sandbox containers. - description: 'Control checks the sets the seccomp profile used to sandbox containers' - id: '1.10' - checks: - - id: AVD-KSV-0030 - severity: 'LOW' - - name: Protecting Pod service account tokens - description: 'Control check whether disable secret token been mount ,automountServiceAccountToken: false' - id: '1.11' - checks: - - id: AVD-KSV-0036 - severity: 'MEDIUM' - - name: Namespace kube-system should not be used by users - description: 'Control check whether Namespace kube-system is not be used by users' - id: '1.12' - defaultStatus: 'FAIL' - checks: - - id: AVD-KSV-0037 - severity: 'MEDIUM' - - name: Pod and/or namespace Selectors usage - description: 'Control check validate the pod and/or namespace Selectors usage' - id: '2.0' - defaultStatus: 'FAIL' - checks: - - id: AVD-KSV-0038 - severity: 'MEDIUM' - - name: Use CNI plugin that supports NetworkPolicy API (Manual) - description: 'Control check whether check cni plugin installed' - id: '3.0' - defaultStatus: 'FAIL' - severity: 'CRITICAL' - - name: Use ResourceQuota policies to limit resources - description: 'Control check the use of ResourceQuota policy to limit aggregate resource usage within namespace' - id: '4.0' - defaultStatus: 'FAIL' - checks: - - id: AVD-KSV-0040 - severity: 'MEDIUM' - - 
name: Use LimitRange policies to limit resources - description: 'Control check the use of LimitRange policy limit resource usage for namespaces or nodes' - id: '4.1' - defaultStatus: 'FAIL' - checks: - - id: AVD-KSV-0039 - severity: 'MEDIUM' - - name: Control plan disable insecure port (Manual) - description: 'Control check whether control plan disable insecure port' - id: '5.0' - defaultStatus: 'FAIL' - severity: 'CRITICAL' - - name: Encrypt etcd communication - description: 'Control check whether etcd communication is encrypted' - id: '5.1' - checks: - - id: AVD-KCV-0030 - severity: 'CRITICAL' - - name: Ensure kube config file permission (Manual) - description: 'Control check whether kube config file permissions' - id: '6.0' - defaultStatus: 'FAIL' - severity: 'CRITICAL' - - name: Check that encryption resource has been set - description: 'Control checks whether encryption resource has been set' - id: '6.1' - checks: - - id: AVD-KCV-0029 - severity: 'CRITICAL' - - name: Check encryption provider - description: 'Control checks whether encryption provider has been set' - id: '6.2' - checks: - - id: AVD-KCV-0004 - severity: 'CRITICAL' - - name: Make sure anonymous-auth is unset - description: 'Control checks whether anonymous-auth is unset' - id: '7.0' - checks: - - id: AVD-KCV-0001 - severity: 'CRITICAL' - - name: Make sure -authorization-mode=RBAC - description: 'Control check whether RBAC permission is in use' - id: '7.1' - checks: - - id: AVD-KCV-0008 - severity: 'CRITICAL' - - name: Audit policy is configure (Manual) - description: 'Control check whether audit policy is configure' - id: '8.0' - defaultStatus: 'FAIL' - severity: 'HIGH' - - name: Audit log path is configure - description: 'Control check whether audit log path is configure' - id: '8.1' - checks: - - id: AVD-KCV-0019 - severity: 'MEDIUM' - - name: Audit log aging - description: 'Control check whether audit log aging is configure' - id: '8.2' - checks: - - id: AVD-KCV-0020 - severity: 'MEDIUM' -{{- 
end }} diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/rke2-cis-1.24.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/rke2-cis-1.24.yaml new file mode 100644 index 000000000..0ad2a959a --- /dev/null +++ b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/specs/rke2-cis-1.24.yaml 
@@ -0,0 +1,915 @@ +{{- if .Values.compliance.specs | has "rke2-cis-1.24"}} +--- +apiVersion: aquasecurity.github.io/v1alpha1 +kind: ClusterComplianceReport +metadata: + name: rke2-cis-1.24 + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: 0.23.0 + app.kubernetes.io/managed-by: kubectl +spec: + cron: {{ .Values.compliance.cron | quote}} + reportType: {{ .Values.compliance.reportType | quote}} + compliance: + id: rke2-cis-1.24 + platform: rke2 + type: cis + title: CIS Kubernetes Benchmark - RKE2 v1.24 + description: CIS Kubernetes Benchmarks for RKE2 1.24 + relatedResources: + - https://www.cisecurity.org/benchmark/kubernetes + version: "1.24" + controls: + - id: 1.1.1 + name: Ensure that the API server pod specification file permissions are set to + 600 or more restrictive + description: Ensure that the API server pod specification file has permissions + of 600 or more restrictive + checks: + - id: AVD-KCV-0048 + commands: + - id: CMD-0001 + severity: HIGH + - id: 1.1.2 + name: Ensure that the API server pod specification file ownership is set to + root:root + description: Ensure that the API server pod specification file ownership is set + to root:root + checks: + - id: AVD-KCV-0049 + commands: + - id: CMD-0002 + severity: HIGH + - id: 1.1.3 + name: Ensure that the controller manager pod specification file permissions are + set to 600 or more restrictive + description: Ensure that the controller manager pod specification file has + permissions of 600 or more restrictive + checks: + - id: AVD-KCV-0050 + commands: + - id: CMD-0003 + severity: HIGH + - id: 1.1.4 + name: Ensure that the controller manager pod specification file ownership is set + to root:root + description: Ensure that the controller manager pod specification file ownership + is set to root:root + checks: + - id: AVD-KCV-0051 + commands: + - id: CMD-0004 + severity: HIGH + - id: 1.1.5 + name: Ensure that the scheduler pod 
specification file permissions are set to + 600 or more restrictive + description: Ensure that the scheduler pod specification file has permissions of + 600 or more restrictive + checks: + - id: AVD-KCV-0052 + commands: + - id: CMD-0005 + severity: HIGH + - id: 1.1.6 + name: Ensure that the scheduler pod specification file ownership is set to + root:root + description: Ensure that the scheduler pod specification file ownership is set + to root:root + checks: + - id: AVD-KCV-0053 + commands: + - id: CMD-0006 + severity: HIGH + - id: 1.1.7 + name: Ensure that the etcd pod specification file permissions are set to 600 or + more restrictive + description: Ensure that the etcd pod specification file has permissions of 600 + or more restrictive + checks: + - id: AVD-KCV-0054 + commands: + - id: CMD-0007 + severity: HIGH + - id: 1.1.8 + name: Ensure that the etcd pod specification file ownership is set to root:root + description: Ensure that the etcd pod specification file ownership is set to + root:root. 
+ checks: + - id: AVD-KCV-0055 + commands: + - id: CMD-0008 + severity: HIGH + - id: 1.1.9 + name: Ensure that the Container Network Interface file permissions are set to + 600 or more restrictive + description: Ensure that the Container Network Interface files have permissions + of 600 or more restrictive + checks: + - id: AVD-KCV-0056 + commands: + - id: CMD-0009 + severity: HIGH + - id: 1.1.10 + name: Ensure that the Container Network Interface file ownership is set to + root:root + description: Ensure that the Container Network Interface files have ownership + set to root:root + checks: + - id: AVD-KCV-0057 + commands: + - id: CMD-0010 + severity: HIGH + - id: 1.1.11 + name: Ensure that the etcd data directory permissions are set to 700 or more + restrictive + description: Ensure that the etcd data directory has permissions of 700 or more + restrictive + checks: + - id: AVD-KCV-0058 + commands: + - id: CMD-0047 + severity: HIGH + - id: 1.1.12 + name: Ensure that the etcd data directory ownership is set to etcd:etcd + description: Ensure that the etcd data directory ownership is set to etcd:etcd + checks: + - id: AVD-KCV-0059 + commands: + - id: CMD-0046 + severity: LOW + - id: 1.1.13 + name: Ensure that the admin.conf file permissions are set to 600 + description: Ensure that the admin.conf file has permissions of 600 + checks: + - id: AVD-KCV-0060 + commands: + - id: CMD-0013 + severity: CRITICAL + - id: 1.1.14 + name: Ensure that the admin.conf file ownership is set to root:root + description: Ensure that the admin.conf file ownership is set to root:root + checks: + - id: AVD-KCV-0061 + commands: + - id: CMD-0014 + severity: CRITICAL + - id: 1.1.15 + name: Ensure that the scheduler.conf file permissions are set to 600 or more + restrictive + description: Ensure that the scheduler.conf file has permissions of 600 or more + restrictive + checks: + - id: AVD-KCV-0062 + commands: + - id: CMD-0015 + severity: HIGH + - id: 1.1.16 + name: Ensure that the 
scheduler.conf file ownership is set to root:root + description: Ensure that the scheduler.conf file ownership is set to root:root + checks: + - id: AVD-KCV-0063 + commands: + - id: CMD-0016 + severity: HIGH + - id: 1.1.17 + name: Ensure that the controller-manager.conf file permissions are set to 600 or + more restrictive + description: Ensure that the controller-manager.conf file has permissions of 600 + or more restrictive + checks: + - id: AVD-KCV-0064 + commands: + - id: CMD-0017 + severity: HIGH + - id: 1.1.18 + name: Ensure that the controller-manager.conf file ownership is set to root:root + description: Ensure that the controller-manager.conf file ownership is set to + root:root. + checks: + - id: AVD-KCV-0065 + commands: + - id: CMD-0018 + severity: HIGH + - id: 1.1.19 + name: Ensure that the Kubernetes PKI directory and file ownership is set to + root:root + description: Ensure that the Kubernetes PKI directory and file ownership is set + to root:root + checks: + - id: AVD-KCV-0066 + commands: + - id: CMD-0048 + severity: CRITICAL + - id: 1.1.20 + name: Ensure that the Kubernetes PKI certificate file permissions are set to 600 + or more restrictive + description: Ensure that Kubernetes PKI certificate files have permissions of + 600 or more restrictive + checks: + - id: AVD-KCV-0068 + commands: + - id: CMD-0049 + severity: CRITICAL + - id: 1.1.21 + name: Ensure that the Kubernetes PKI key file permissions are set to 600 + description: Ensure that Kubernetes PKI key files have permissions of 600 + checks: + - id: AVD-KCV-0067 + commands: + - id: CMD-0050 + severity: CRITICAL + - id: 1.2.1 + name: Ensure that the --anonymous-auth argument is set to false + description: Disable anonymous requests to the API server + checks: + - id: AVD-KCV-0001 + severity: MEDIUM + - id: 1.2.2 + name: Ensure that the --token-auth-file parameter is not set + description: Do not use token based authentication + checks: + - id: AVD-KCV-0002 + severity: LOW + - id: 1.2.3 + 
name: Ensure that the --DenyServiceExternalIPs is not set + description: This admission controller rejects all net-new usage of the Service + field externalIPs + checks: + - id: AVD-KCV-0003 + severity: LOW + - id: 1.2.4 + name: Ensure that the --kubelet-https argument is set to true + description: Use https for kubelet connections + checks: + - id: AVD-KCV-0004 + severity: LOW + - id: 1.2.5 + name: Ensure that the --kubelet-client-certificate and --kubelet-client-key + arguments are set as appropriate + description: Enable certificate based kubelet authentication + checks: + - id: AVD-KCV-0005 + severity: HIGH + - id: 1.2.6 + name: Ensure that the --kubelet-certificate-authority argument is set as + appropriate + description: Verify kubelets certificate before establishing connection + checks: + - id: AVD-KCV-0006 + severity: HIGH + - id: 1.2.7 + name: Ensure that the --authorization-mode argument is not set to AlwaysAllow + description: Do not always authorize all requests + checks: + - id: AVD-KCV-0007 + severity: LOW + - id: 1.2.8 + name: Ensure that the --authorization-mode argument includes Node + description: Restrict kubelet nodes to reading only objects associated with them + checks: + - id: AVD-KCV-0008 + severity: HIGH + - id: 1.2.9 + name: Ensure that the --authorization-mode argument includes RBAC + description: Turn on Role Based Access Control + checks: + - id: AVD-KCV-0009 + severity: HIGH + - id: 1.2.10 + name: Ensure that the admission control plugin EventRateLimit is set + description: Limit the rate at which the API server accepts requests + checks: + - id: AVD-KCV-0010 + severity: HIGH + - id: 1.2.11 + name: Ensure that the admission control plugin AlwaysAdmit is not set + description: Do not allow all requests + checks: + - id: AVD-KCV-0011 + severity: LOW + - id: 1.2.12 + name: Ensure that the admission control plugin AlwaysPullImages is set + description: Always pull images + checks: + - id: AVD-KCV-0012 + severity: MEDIUM + - id: 1.2.13 + 
name: Ensure that the admission control plugin SecurityContextDeny is set if + PodSecurityPolicy is not used + description: The SecurityContextDeny admission controller can be used to deny + pods which make use of some SecurityContext fields which could allow for + privilege escalation in the cluster. This should be used where + PodSecurityPolicy is not in place within the cluster + checks: + - id: AVD-KCV-0013 + severity: MEDIUM + - id: 1.2.14 + name: Ensure that the admission control plugin ServiceAccount is set + description: Automate service accounts management + checks: + - id: AVD-KCV-0014 + severity: LOW + - id: 1.2.15 + name: Ensure that the admission control plugin NamespaceLifecycle is set + description: Reject creating objects in a namespace that is undergoing termination + checks: + - id: AVD-KCV-0015 + severity: LOW + - id: 1.2.16 + name: Ensure that the admission control plugin NodeRestriction is set + description: Limit the Node and Pod objects that a kubelet could modify + checks: + - id: AVD-KCV-0016 + severity: LOW + - id: 1.2.17 + name: Ensure that the --secure-port argument is not set to 0 + description: Do not disable the secure port + checks: + - id: AVD-KCV-0017 + severity: HIGH + - id: 1.2.18 + name: Ensure that the --profiling argument is set to false + description: Disable profiling, if not needed + checks: + - id: AVD-KCV-0018 + severity: LOW + - id: 1.2.19 + name: Ensure that the --audit-log-path argument is set + description: Enable auditing on the Kubernetes API Server and set the desired + audit log path. 
+ checks: + - id: AVD-KCV-0019 + severity: LOW + - id: 1.2.20 + name: Ensure that the --audit-log-maxage argument is set to 30 or as appropriate + description: Retain the logs for at least 30 days or as appropriate + checks: + - id: AVD-KCV-0020 + severity: LOW + - id: 1.2.21 + name: Ensure that the --audit-log-maxbackup argument is set to 10 or as + appropriate + description: Retain 10 or an appropriate number of old log file + checks: + - id: AVD-KCV-0021 + severity: LOW + - id: 1.2.22 + name: Ensure that the --audit-log-maxsize argument is set to 100 or as + appropriate + description: Rotate log files on reaching 100 MB or as appropriate + checks: + - id: AVD-KCV-0022 + severity: LOW + - id: 1.2.24 + name: Ensure that the --service-account-lookup argument is set to true + description: Validate service account before validating token + checks: + - id: AVD-KCV-0024 + severity: LOW + - id: 1.2.25 + name: Ensure that the --service-account-key-file argument is set as appropriate + description: Explicitly set a service account public key file for service + accounts on the apiserver + checks: + - id: AVD-KCV-0025 + severity: LOW + - id: 1.2.26 + name: Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as + appropriate + description: etcd should be configured to make use of TLS encryption for client + connections + checks: + - id: AVD-KCV-0026 + severity: LOW + - id: 1.2.27 + name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are + set as appropriate + description: Setup TLS connection on the API server + checks: + - id: AVD-KCV-0027 + severity: MEDIUM + - id: 1.2.28 + name: Ensure that the --client-ca-file argument is set appropriate + description: Setup TLS connection on the API server + checks: + - id: AVD-KCV-0028 + severity: LOW + - id: 1.2.29 + name: Ensure that the --etcd-cafile argument is set as appropriate + description: etcd should be configured to make use of TLS encryption for client + connections. 
+ checks: + - id: AVD-KCV-0029 + severity: LOW + - id: 1.2.30 + name: Ensure that the --encryption-provider-config argument is set as + appropriate + description: Encrypt etcd key-value store + checks: + - id: AVD-KCV-0030 + severity: LOW + - id: 1.3.1 + name: Ensure that the --terminated-pod-gc-threshold argument is set as + appropriate + description: Activate garbage collector on pod termination, as appropriate + checks: + - id: AVD-KCV-0033 + severity: MEDIUM + - id: 1.3.3 + name: Ensure that the --use-service-account-credentials argument is set to true + description: Use individual service account credentials for each controller + checks: + - id: AVD-KCV-0035 + severity: MEDIUM + - id: 1.3.4 + name: Ensure that the --service-account-private-key-file argument is set as + appropriate + description: Explicitly set a service account private key file for service + accounts on the controller manager + checks: + - id: AVD-KCV-0036 + severity: MEDIUM + - id: 1.3.5 + name: Ensure that the --root-ca-file argument is set as appropriate + description: Allow pods to verify the API servers serving certificate before + establishing connections + checks: + - id: AVD-KCV-0037 + severity: MEDIUM + - id: 1.3.6 + name: Ensure that the RotateKubeletServerCertificate argument is set to true + description: Enable kubelet server certificate rotation on controller-manager + checks: + - id: AVD-KCV-0038 + severity: MEDIUM + - id: 1.3.7 + name: Ensure that the --bind-address argument is set to 127.0.0.1 + description: Do not bind the scheduler service to non-loopback insecure addresses + checks: + - id: AVD-KCV-0039 + severity: LOW + - id: 1.4.1 + name: Ensure that the --profiling argument is set to false + description: Disable profiling, if not needed + checks: + - id: AVD-KCV-0034 + severity: MEDIUM + - id: 1.4.2 + name: Ensure that the --bind-address argument is set to 127.0.0.1 + description: Do not bind the scheduler service to non-loopback insecure addresses + checks: + - id: 
AVD-KCV-0041 + severity: CRITICAL + - id: "2.1" + name: Ensure that the --cert-file and --key-file arguments are set as + appropriate + description: Configure TLS encryption for the etcd service + checks: + - id: AVD-KCV-0042 + severity: MEDIUM + - id: "2.2" + name: Ensure that the --client-cert-auth argument is set to true + description: Enable client authentication on etcd service + checks: + - id: AVD-KCV-0043 + severity: CRITICAL + - id: "2.3" + name: Ensure that the --auto-tls argument is not set to true + description: Do not use self-signed certificates for TLS + checks: + - id: AVD-KCV-0044 + severity: CRITICAL + - id: "2.4" + name: Ensure that the --peer-cert-file and --peer-key-file arguments are set as + appropriate + description: etcd should be configured to make use of TLS encryption for peer + connections. + checks: + - id: AVD-KCV-0045 + severity: CRITICAL + - id: "2.5" + name: Ensure that the --peer-client-cert-auth argument is set to true + description: etcd should be configured for peer authentication + checks: + - id: AVD-KCV-0046 + severity: CRITICAL + - id: "2.6" + name: Ensure that the --peer-auto-tls argument is not set to true + description: Do not use self-signed certificates for TLS + checks: + - id: AVD-KCV-0047 + severity: HIGH + - id: 3.1.1 + name: Client certificate authentication should not be used for users (Manual) + description: Kubernetes provides the option to use client certificates for user + authentication. However as there is no way to revoke these certificates + when a user leaves an organization or loses their credential, they are + not suitable for this purpose + severity: HIGH + - id: 3.2.1 + name: Ensure that a minimal audit policy is created (Manual) + description: Kubernetes can audit the details of requests made to the API + server. The --audit- policy-file flag must be set for this logging to be + enabled. 
+ severity: HIGH + - id: 3.2.2 + name: Ensure that the audit policy covers key security concerns (Manual) + description: Ensure that the audit policy created for the cluster covers key + security concerns + severity: HIGH + - id: 4.1.1 + name: Ensure that the kubelet service file permissions are set to 600 or more + restrictive + description: Ensure that the kubelet service file has permissions of 600 or more + restrictive. + checks: + - id: AVD-KCV-0069 + commands: + - id: CMD-0022 + severity: HIGH + - id: 4.1.2 + name: Ensure that the kubelet service file ownership is set to root:root + description: Ensure that the kubelet service file ownership is set to root:root + checks: + - id: AVD-KCV-0070 + commands: + - id: CMD-0023 + severity: HIGH + - id: 4.1.3 + name: If proxy kubeconfig file exists ensure permissions are set to 600 or more + restrictive + description: If kube-proxy is running, and if it is using a file-based + kubeconfig file, ensure that the proxy kubeconfig file has permissions + of 600 or more restrictive + checks: + - id: AVD-KCV-0071 + commands: + - id: CMD-0024 + severity: HIGH + - id: 4.1.4 + name: If proxy kubeconfig file exists ensure ownership is set to root:root + description: If kube-proxy is running, ensure that the file ownership of its + kubeconfig file is set to root:root + checks: + - id: AVD-KCV-0072 + commands: + - id: CMD-0025 + severity: HIGH + - id: 4.1.5 + name: Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 + or more restrictive + description: Ensure that the kubelet.conf file has permissions of 600 or more + restrictive + checks: + - id: AVD-KCV-0073 + commands: + - id: CMD-0026 + severity: HIGH + - id: 4.1.6 + name: Ensure that the --kubeconfig kubelet.conf file ownership is set to + root:root + description: Ensure that the kubelet.conf file ownership is set to root:root + checks: + - id: AVD-KCV-0074 + commands: + - id: CMD-0027 + severity: HIGH + - id: 4.1.7 + name: Ensure that the certificate 
authorities file permissions are set to 600 or + more restrictive + description: Ensure that the certificate authorities file has permissions of 600 + or more restrictive + checks: + - id: AVD-KCV-0075 + commands: + - id: CMD-0028 + severity: CRITICAL + - id: 4.1.8 + name: Ensure that the client certificate authorities file ownership is set to + root:root + description: Ensure that the certificate authorities file ownership is set to + root:root + checks: + - id: AVD-KCV-0076 + commands: + - id: CMD-0029 + severity: CRITICAL + - id: 4.1.9 + name: If the kubelet config.yaml configuration file is being used validate + permissions set to 600 or more restrictive + description: Ensure that if the kubelet refers to a configuration file with the + --config argument, that file has permissions of 600 or more restrictive + checks: + - id: AVD-KCV-0077 + commands: + - id: CMD-0030 + severity: HIGH + - id: 4.1.10 + name: If the kubelet config.yaml configuration file is being used validate file + ownership is set to root:root + description: Ensure that if the kubelet refers to a configuration file with the + --config argument, that file is owned by root:root + checks: + - id: AVD-KCV-0078 + commands: + - id: CMD-0031 + severity: HIGH + - id: 4.2.1 + name: Ensure that the --anonymous-auth argument is set to false + description: Disable anonymous requests to the Kubelet server + checks: + - id: AVD-KCV-0079 + commands: + - id: CMD-0032 + severity: CRITICAL + - id: 4.2.2 + name: Ensure that the --authorization-mode argument is not set to AlwaysAllow + description: Do not allow all requests. 
Enable explicit authorization + checks: + - id: AVD-KCV-0080 + commands: + - id: CMD-0033 + severity: CRITICAL + - id: 4.2.3 + name: Ensure that the --client-ca-file argument is set as appropriate + description: Enable Kubelet authentication using certificates + checks: + - id: AVD-KCV-0081 + commands: + - id: CMD-0034 + severity: CRITICAL + - id: 4.2.4 + name: Verify that the --read-only-port argument is set to 0 + description: Disable the read-only port + checks: + - id: AVD-KCV-0082 + commands: + - id: CMD-0035 + severity: HIGH + - id: 4.2.5 + name: Ensure that the --streaming-connection-idle-timeout argument is not set to + 0 + description: Do not disable timeouts on streaming connections + checks: + - id: AVD-KCV-0085 + commands: + - id: CMD-0036 + severity: HIGH + - id: 4.2.6 + name: Ensure that the --protect-kernel-defaults argument is set to true + description: Protect tuned kernel parameters from overriding kubelet default + kernel parameter values + checks: + - id: AVD-KCV-0083 + commands: + - id: CMD-0037 + severity: HIGH + - id: 4.2.7 + name: Ensure that the --make-iptables-util-chains argument is set to true + description: Allow Kubelet to manage iptables + checks: + - id: AVD-KCV-0084 + commands: + - id: CMD-0038 + severity: HIGH + - id: 4.2.8 + name: Ensure that the --hostname-override argument is not set + description: Do not override node hostnames + checks: + - id: AVD-KCV-0086 + commands: + - id: CMD-0039 + severity: HIGH + - id: 4.2.9 + name: Ensure that the --event-qps argument is set to 0 or a level which ensures + appropriate event capture + description: Security relevant information should be captured. 
The --event-qps + flag on the Kubelet can be used to limit the rate at which events are + gathered + checks: + - id: AVD-KCV-0087 + commands: + - id: CMD-0040 + severity: HIGH + - id: 4.2.10 + name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are + set as appropriate + description: Setup TLS connection on the Kubelets + checks: + - id: AVD-KCV-0088 + - id: AVD-KCV-0089 + commands: + - id: CMD-0041 + - id: CMD-0042 + severity: CRITICAL + - id: 4.2.11 + name: Ensure that the --rotate-certificates argument is not set to false + description: Enable kubelet client certificate rotation + checks: + - id: AVD-KCV-0090 + commands: + - id: CMD-0043 + severity: CRITICAL + - id: 4.2.12 + name: Verify that the RotateKubeletServerCertificate argument is set to true + description: Enable kubelet server certificate rotation + checks: + - id: AVD-KCV-0091 + commands: + - id: CMD-0044 + severity: CRITICAL + - id: 4.2.13 + name: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers + description: Ensure that the Kubelet is configured to only use strong + cryptographic ciphers + checks: + - id: AVD-KCV-0092 + commands: + - id: CMD-0045 + severity: CRITICAL + - id: 5.1.1 + name: Ensure that the cluster-admin role is only used where required + description: The RBAC role cluster-admin provides wide-ranging powers over the + environment and should be used only where and when needed + checks: + - id: AVD-KSV-0111 + severity: HIGH + - id: 5.1.2 + name: Minimize access to secrets + description: The Kubernetes API stores secrets, which may be service account + tokens for the Kubernetes API or credentials used by workloads in the + cluster + checks: + - id: AVD-KSV-0041 + severity: HIGH + - id: 5.1.3 + name: Minimize wildcard use in Roles and ClusterRoles + description: Kubernetes Roles and ClusterRoles provide access to resources based + on sets of objects and actions that can be taken on those objects. 
It is + possible to set either of these to be the wildcard "*" which matches all + items + checks: + - id: AVD-KSV-0044 + - id: AVD-KSV-0045 + - id: AVD-KSV-0046 + severity: HIGH + - id: 5.1.6 + name: Ensure that Service Account Tokens are only mounted where necessary + description: Service accounts tokens should not be mounted in pods except where + the workload running in the pod explicitly needs to communicate with the + API server + checks: + - id: AVD-KSV-0036 + severity: HIGH + - id: 5.1.8 + name: Limit use of the Bind, Impersonate and Escalate permissions in the + Kubernetes cluster + description: Cluster roles and roles with the impersonate, bind or escalate + permissions should not be granted unless strictly required + checks: + - id: AVD-KSV-0043 + severity: HIGH + - id: 5.2.2 + name: Minimize the admission of privileged containers + description: Do not generally permit containers to be run with the + securityContext.privileged flag set to true + checks: + - id: AVD-KSV-0017 + severity: HIGH + - id: 5.2.3 + name: Minimize the admission of containers wishing to share the host process ID + namespace + description: Do not generally permit containers to be run with the hostPID flag + set to true. 
+ checks: + - id: AVD-KSV-0010 + severity: HIGH + - id: 5.2.4 + name: Minimize the admission of containers wishing to share the host IPC + namespace + description: Do not generally permit containers to be run with the hostIPC flag + set to true + checks: + - id: AVD-KSV-0008 + severity: HIGH + - id: 5.2.5 + name: Minimize the admission of containers wishing to share the host network + namespace + description: Do not generally permit containers to be run with the hostNetwork + flag set to true + checks: + - id: AVD-KSV-0009 + severity: HIGH + - id: 5.2.6 + name: Minimize the admission of containers with allowPrivilegeEscalation + description: Do not generally permit containers to be run with the + allowPrivilegeEscalation flag set to true + checks: + - id: AVD-KSV-0001 + severity: HIGH + - id: 5.2.7 + name: Minimize the admission of root containers + description: Do not generally permit containers to be run as the root user + checks: + - id: AVD-KSV-0012 + severity: MEDIUM + - id: 5.2.8 + name: Minimize the admission of containers with the NET_RAW capability + description: Do not generally permit containers with the potentially dangerous + NET_RAW capability + checks: + - id: AVD-KSV-0022 + severity: MEDIUM + - id: 5.2.9 + name: Minimize the admission of containers with added capabilities + description: Do not generally permit containers with capabilities assigned + beyond the default set + checks: + - id: AVD-KSV-0004 + severity: LOW + - id: 5.2.10 + name: Minimize the admission of containers with capabilities assigned + description: Do not generally permit containers with capabilities + checks: + - id: AVD-KSV-0003 + severity: LOW + - id: 5.2.11 + name: Minimize the admission of containers with capabilities assigned + description: Do not generally permit containers with capabilities + checks: + - id: AVD-KSV-0103 + severity: MEDIUM + - id: 5.2.12 + name: Minimize the admission of HostPath volumes + description: Do not generally admit containers which make use of 
hostPath volumes + checks: + - id: AVD-KSV-0023 + severity: MEDIUM + - id: 5.2.13 + name: Minimize the admission of containers which use HostPorts + description: Do not generally permit containers which require the use of HostPorts + checks: + - id: AVD-KSV-0024 + severity: MEDIUM + - id: 5.3.1 + name: Ensure that the CNI in use supports Network Policies (Manual) + description: There are a variety of CNI plugins available for Kubernetes. If the + CNI in use does not support Network Policies it may not be possible to + effectively restrict traffic in the cluster + severity: MEDIUM + - id: 5.3.2 + name: Ensure that all Namespaces have Network Policies defined + description: Use network policies to isolate traffic in your cluster network + checks: + - id: AVD-KSV-0038 + severity: MEDIUM + - id: 5.4.1 + name: Prefer using secrets as files over secrets as environment variables + (Manual) + description: Kubernetes supports mounting secrets as data volumes or as + environment variables. Minimize the use of environment variable secrets + severity: MEDIUM + - id: 5.4.2 + name: Consider external secret storage (Manual) + description: Consider the use of an external secrets storage and management + system, instead of using Kubernetes Secrets directly, if you have more + complex secret management needs + severity: MEDIUM + - id: 5.5.1 + name: Configure Image Provenance using ImagePolicyWebhook admission controller + (Manual) + description: Configure Image Provenance for your deployment + severity: MEDIUM + - id: 5.7.1 + name: Create administrative boundaries between resources using namespaces + (Manual) + description: Use namespaces to isolate your Kubernetes objects + severity: MEDIUM + - id: 5.7.2 + name: Ensure that the seccomp profile is set to docker/default in your pod + definitions + description: Enable docker/default seccomp profile in your pod definitions + checks: + - id: AVD-KSV-0104 + severity: MEDIUM + - id: 5.7.3 + name: Apply Security Context to Your Pods and 
Containers
+ description: Apply Security Context to Your Pods and Containers
+ checks:
+ - id: AVD-KSV-0021
+ - id: AVD-KSV-0020
+ - id: AVD-KSV-0005
+ - id: AVD-KSV-0025
+ - id: AVD-KSV-0104
+ - id: AVD-KSV-0030
+ severity: HIGH
+ - id: 5.7.4
+ name: The default namespace should not be used
+ description: Kubernetes provides a default namespace, where objects are placed
+ if no namespace is specified for them
+ checks:
+ - id: AVD-KSV-0110
+ severity: MEDIUM
+{{- end }}
diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/trivy-server/statefulset.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/trivy-server/statefulset.yaml
index a568c23a6..8106da368 100644
--- a/helmfile.d/upstream/aquasecurity/trivy-operator/templates/trivy-server/statefulset.yaml
+++ b/helmfile.d/upstream/aquasecurity/trivy-operator/templates/trivy-server/statefulset.yaml
@@ -87,6 +87,14 @@ spec:
 name: trivy-operator-trivy-config
 - secretRef:
 name: trivy-operator-trivy-config
+ {{- if .Values.trivy.valuesFromConfigMap }}
+ - configMapRef:
+ name: {{ .Values.trivy.valuesFromConfigMap }}
+ {{- end }}
+ {{- if .Values.trivy.valuesFromSecret }}
+ - secretRef:
+ name: {{ .Values.trivy.valuesFromSecret }}
+ {{- end }}
 ports:
 - name: trivy-http
 containerPort: 4954
diff --git a/helmfile.d/upstream/aquasecurity/trivy-operator/values.yaml b/helmfile.d/upstream/aquasecurity/trivy-operator/values.yaml
index 644d99cf4..af34eef59 100644
--- a/helmfile.d/upstream/aquasecurity/trivy-operator/values.yaml
+++ b/helmfile.d/upstream/aquasecurity/trivy-operator/values.yaml
@@ -185,8 +185,8 @@ operator:
 valuesFromSecret: ""
 image:
- registry: "ghcr.io"
- repository: "aquasecurity/trivy-operator"
+ registry: "mirror.gcr.io"
+ repository: "aquasec/trivy-operator"
 # -- tag is an override of the image tag, which is by default set by the
 # appVersion field in Chart.yaml.
 tag: ""
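Review bot: The `name:` values rendered from `.Values.trivy.valuesFromConfigMap` and `.Values.trivy.valuesFromSecret` in the new envFrom entries are emitted unquoted, so a value that YAML reads as something other than a plain string (leading `*`, `{`, or a bare number) would break the rendered manifest; render them as `name: {{ .Values.trivy.valuesFromConfigMap | quote }}` and `name: {{ .Values.trivy.valuesFromSecret | quote }}`. Because these references let anyone who can write the named ConfigMap or Secret set arbitrary TRIVY_* variables for the server and override chart values, a comment above the block stating that the Secret entry wins over the ConfigMap entry (the order used here) and that write access to those objects should be limited would help whoever operates the chart. The `envFrom` list and the container spec begin before this hunk.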
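Review bot: The image defaults move from `ghcr.io` / `aquasecurity` to `mirror.gcr.io` / `aquasec`, and the same switch is repeated for the trivy image and trivy-db (the `@@ -335` and `@@ -516` hunks), the Java DB and built-in policies (`@@ -528`) and policiesBundle (`@@ -664`), while the node-collector hunk at `@@ -690` still shows `repository: aquasecurity/node-collector`; its registry lies outside that hunk and should be checked so that all components agree. Changing the registry changes which host the cluster trusts for images and vulnerability databases, so any downstream image allow-list, pull-through cache or network policy that pins `ghcr.io` has to be updated together with this bump. A comment such as `# -- registry/repository defaults presumably follow the upstream 0.25.0 chart (mirror.gcr.io)` next to the first occurrence would record why the mirror is used.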
@@ -267,7 +267,8 @@ trivyOperator:
 # hostPath:
 # path: /var/lib/etcd
-
+ # -- useGCRServiceAccount the flag to enable the usage of GCR service account for scanning images in GCR
+ useGCRServiceAccount: true
 # -- scanJobAutomountServiceAccountToken the flag to enable automount for service account token on scan job
 scanJobAutomountServiceAccountToken: false
@@ -335,11 +336,11 @@ trivy:
 createConfig: true
 image:
 # -- registry of the Trivy image
- registry: ghcr.io
+ registry: mirror.gcr.io
 # -- repository of the Trivy image
- repository: aquasecurity/trivy
+ repository: aquasec/trivy
 # -- tag version of the Trivy image
- tag: 0.52.0
+ tag: 0.57.1
 # -- imagePullSecret is the secret name to be used when pulling trivy image from private registries example : reg-secret
 # It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace
 imagePullSecret: ~
@@ -516,8 +517,8 @@ trivy:
 serverCustomHeaders: ~
 # serverCustomHeaders: "foo=bar"
- dbRegistry: "ghcr.io"
- dbRepository: "aquasecurity/trivy-db"
+ dbRegistry: "mirror.gcr.io"
+ dbRepository: "aquasec/trivy-db"
 # -- The username for dbRepository authentication
 #
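Review bot: `useGCRServiceAccount: true` is introduced enabled by default, but its comment only restates the key name; it should say what the scan job does with the flag on a cluster that is not running on GCP and whether any credential has to exist for it, for example `# -- useGCRServiceAccount when true, scan jobs use the GCR service account to pull images from GCR; document the behaviour outside GCP here` — confirm the exact wording against the operator's documentation before adopting it. The removed blank line also leaves the new key attached to the commented-out `hostPath` example above it; keeping the separator makes the setting read as its own stanza.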
@@ -528,20 +529,22 @@ trivy:
 dbRepositoryPassword: ~
 # -- javaDbRegistry is the registry for the Java vulnerability database.
- javaDbRegistry: "ghcr.io"
- javaDbRepository: "aquasecurity/trivy-java-db"
+ javaDbRegistry: "mirror.gcr.io"
+ javaDbRepository: "aquasec/trivy-java-db"
 # -- The Flag to enable insecure connection for downloading trivy-db via proxy (air-gaped env)
 # dbRepositoryInsecure: "false"
- # -- The Flag to enable the usage of builtin rego policies by default, these policies are downloaded by default from ghcr.io/aquasecurity/trivy-checks
+ # -- The Flag to enable the usage of builtin rego policies by default, these policies are downloaded by default from mirror.gcr.io/aquasec/trivy-checks
 #
- useBuiltinRegoPolicies: "true"
-
+ useBuiltinRegoPolicies: "false"
+ # -- The Flag to enable the usage of external rego policies config-map, this should be used when the user wants to use their own rego policies
+ #
+ externalRegoPoliciesEnabled: false
 # -- To enable the usage of embedded rego policies, set the flag useEmbeddedRegoPolicies. This should serve as a fallback for air-gapped environments.
 # When useEmbeddedRegoPolicies is set to true, useBuiltinRegoPolicies should be set to false.
- useEmbeddedRegoPolicies: "false"
+ useEmbeddedRegoPolicies: "true"
 # -- The Flag is the list of supported kinds separated by comma delimiter to be scanned by the config audit scanner
 #
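Review bot: `externalRegoPoliciesEnabled: false` is written as a YAML boolean while the neighbouring `useBuiltinRegoPolicies: "false"` and `useEmbeddedRegoPolicies: "true"` are quoted strings; if these keys are copied into the operator's ConfigMap data, which only holds strings, the unquoted one renders differently, so write `externalRegoPoliciesEnabled: "false"` (or quote none of the three, consistently). The default flip to embedded policies also deserves a note: the comment above still describes embedded policies as a fallback for air-gapped environments, yet they are now the default, which presumably means the checks only change when the trivy image tag changes rather than when a new policies bundle is published. A line such as `# embedded policies are the default here: checks follow the trivy image tag, not policiesBundle.tag` would make that trade-off visible to whoever reviews scan coverage.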
@@ -592,13 +595,32 @@ trivy:
 # -- the number of replicas of the trivy-server
 replicas: 1
+ # -- vaulesFromConfigMap name of a ConfigMap to apply TRIVY_* environment variables. Will override Helm values.
+ valuesFromConfigMap: ""
+
+ # -- valuesFromSecret name of a Secret to apply TRIVY_* environment variables. Will override Helm AND ConfigMap values.
+ valuesFromSecret: ""
+
 compliance:
 # -- failEntriesLimit the flag to limit the number of fail entries per control check in the cluster compliance detail report
+ # this limit is for preventing the report from being too large per control checks
 failEntriesLimit: 10
 # -- reportType this flag control the type of report generated (summary or all)
 reportType: summary
 # -- cron this flag control the cron interval for compliance report generation
 cron: 0 */6 * * *
+ # -- specs is a list of compliance specs to be used by the cluster compliance scanner
+ # - k8s-cis-1.23
+ # - k8s-nsa-1.0
+ # - k8s-pss-baseline-0.1
+ # - k8s-pss-restricted-0.1
+ # - eks-cis-1.4
+ # - rke2-cis-1.24
+ specs:
+ - k8s-cis-1.23
+ - k8s-nsa-1.0
+ - k8s-pss-baseline-0.1
+ - k8s-pss-restricted-0.1
 rbac:
 create: true
@@ -664,11 +686,11 @@ automountServiceAccountToken: true
 policiesBundle:
 # -- registry of the policies bundle
- registry: ghcr.io
+ registry: mirror.gcr.io
 # -- repository of the policies bundle
- repository: aquasecurity/trivy-checks
+ repository: aquasec/trivy-checks
 # -- tag version of the policies bundle
- tag: 0
+ tag: 1
 # -- registryUser is the user for the registry
 registryUser: ~
 # -- registryPassword is the password for the registry
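Review bot: The new comment reads `vaulesFromConfigMap`; it should be `# -- valuesFromConfigMap name of a ConfigMap to apply TRIVY_* environment variables. Will override Helm values.` so that the generated README matches the key name. In the policiesBundle hunk, `tag: 1` is an unquoted integer although the consumer treats a tag as a string; `tag: "1"` avoids a retype by YAML tooling (the old `tag: 0` had the same weakness). It is also worth confirming that this tag bump still has an effect now that `useBuiltinRegoPolicies` is set to `"false"` in the preceding hunk, since the bundle is presumably not fetched while builtin policies are disabled.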
@@ -690,7 +712,7 @@ nodeCollector:
 # -- repository of the node-collector image
 repository: aquasecurity/node-collector
 # -- tag version of the node-collector image
- tag: 0.2.1
+ tag: 0.3.1
 # -- imagePullSecret is the secret name to be used when pulling node-collector image from private registries example : reg-secret
 # It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace
 imagePullSecret: ~
diff --git a/helmfile.d/upstream/index.yaml b/helmfile.d/upstream/index.yaml
index df0e2e8e3..e91c27720 100644
--- a/helmfile.d/upstream/index.yaml
+++ b/helmfile.d/upstream/index.yaml
@@ -36,7 +36,7 @@ repositories:
 nvidia: https://helm.ngc.nvidia.com/nvidia
 charts:
- aquasecurity/trivy-operator: 0.23.3
+ aquasecurity/trivy-operator: 0.25.0
 bitnami/fluentd: 7.1.1
 bitnami/thanos: 15.0.5