Releases: gardener/diki

v0.5.0

14 Mar 12:08

[gardener/diki]

✨ New Features

  • [USER] Rule 242459 from DISA K8s STIG was revisited to expect maximum 0640 permissions instead of 0600. by @AleksandarSavchev [#154]
  • [USER] Diki no longer supports DISA Kubernetes STIGs version v1r10. by @AleksandarSavchev [#168]
  • [USER] A new hack/run.sh script that executes diki run was added. The script sets default ldflags if none are specified and provides a comprehensive --help message. by @AleksandarSavchev [#120]

Docker Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.5.0
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.5.0

v0.4.0

06 Feb 07:18

[gardener/diki]

✨ New Features

  • [USER] Rule 242382 from DISA K8s STIG was revisited to also expect kube-apiserver authorization modes to be set in a specific order. by @AleksandarSavchev [#107]
  • [USER] Diki now uses a lighter image for pod executors in the DISA K8s STIG V1R11 ruleset. by @AleksandarSavchev [#98]

🏃 Others

  • [DEPENDENCY] Diki is now built using go version 1.21.6. by @dependabot[bot] [#103]
  • [DEPENDENCY] Bump github.com/gardener/gardener to 1.87.0. by @AleksandarSavchev [#105]
  • [DEVELOPER] Change OCI Image Registry from GCR (eu.gcr.io/gardener-project) to Artifact-Registry (europe-docker.pkg.dev/gardener-project/releases). Users should update their references. by @AleksandarSavchev [#93]

Docker Images

  • diki-linux-amd64: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.4.0
  • diki-ops-linux-amd64: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.4.0

v0.3.0

11 Jan 12:49

[gardener/diki]

✨ New Features

  • [USER] Added a new option, acceptedPods, to the DISA Kubernetes STIG 242415 rule, which allows the user to configure which environment variables are accepted for selected pods. by @AleksandarSavchev [#61]
  • [USER] Added a new option, expectedFileOwner, to the DISA Kubernetes STIG pod-files rule, which allows the user to select which users and groups are expected. The option defaults to expecting only ID 0 for users and groups. by @AleksandarSavchev [#52]
  • [USER] Diki now supports DISA Kubernetes STIG version v1r11. by @dimityrmirchev [#65]
  • [DEVELOPER] Diki now has a basic implementation of a virtual garden provider. by @dimityrmirchev [#71]

🐛 Bug Fixes

  • [USER] DISA Kubernetes STIGs pod-files rule now expects 0640 permission setting for *.key files of mandatory components. This change improves the 242467 rule which requires 0600 permissions for such files. 0600 is not enforced since k8s does not provide an easy way to change the owner of a file and containers are expected to run as nonroot. by @AleksandarSavchev [#60]
  • [USER] A bug causing rule 242414 to crash when no options for the rule were set was fixed. by @AleksandarSavchev [#61]
  • [USER] DISA Kubernetes STIGs Kubelet rules now create diki pods only on nodes with free allocatable space. by @AleksandarSavchev [#59]

🏃 Others

  • [USER] DISA Kubernetes STIGs 242442 rule no longer checks shoot pods that are not managed by Gardener. by @AleksandarSavchev [#56]
  • [DEPENDENCY] Upgraded diki base image: gcr.io/distroless/static-debian11 -> gcr.io/distroless/static-debian12 by @AleksandarSavchev [#91]

[gardener/ops-toolbelt]

🏃 Others

  • [OPERATOR] Changed the default ops-toolbelt container image to eu.gcr.io/sap-se-gcr-k8s-public/eu_gcr_io/gardener-project/gardener/ops-toolbelt:latest by @tedteng [gardener/ops-toolbelt#95]

Docker Images

  • diki-linux-amd64: eu.gcr.io/gardener-project/gardener/diki:v0.3.0
  • diki-ops-linux-amd64: eu.gcr.io/gardener-project/gardener/diki-ops:v0.3.0

v0.2.0

11 Oct 12:14

[gardener/diki]

✨ New Features

  • [USER] Metadata and providers are now sorted when generating a report in order to improve consistency and readability. by @dimityrmirchev [#37]
  • [USER] DISA Kubernetes STIGs pod-files rule now passes files with owner and/or group ID 65532. by @AleksandarSavchev [#48]
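The pod-files rule described in these notes (a 0640 ceiling for *.key files because a nonroot container cannot chown them, owner and group expected to be ID 0 by default, with ID 65532 also accepted) reduces to a file walk with two checks. The Go program below is an added example written for this page, not diki's own implementation: the FilePolicy type, DefaultPolicy and the Finding output format are assumptions of the example. It reports every file under a directory whose permission bits exceed the ceiling or whose owner or group is not in the allow-list; run it as `go run . /path/to/mounted/volume`.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"syscall"
)

// Finding records one file that violates the permission/ownership policy.
type Finding struct {
	Path   string
	Reason string
}

// FilePolicy is this example's own type (not diki's): a file may set no
// permission bit outside MaxMode, and its owner/group IDs must be listed.
type FilePolicy struct {
	MaxMode      fs.FileMode
	ExpectedUIDs map[uint32]bool
	ExpectedGIDs map[uint32]bool
}

// DefaultPolicy mirrors the defaults the release notes describe: at most 0640,
// owner and group ID 0, plus 65532 (the nonroot user of distroless images).
func DefaultPolicy() FilePolicy {
	return FilePolicy{
		MaxMode:      0o640,
		ExpectedUIDs: map[uint32]bool{0: true, 65532: true},
		ExpectedGIDs: map[uint32]bool{0: true, 65532: true},
	}
}

// CheckFile evaluates one file against the policy and returns its findings.
func CheckFile(p FilePolicy, path string, info fs.FileInfo) []Finding {
	var out []Finding
	perm := info.Mode().Perm()
	// Any bit that is set but not allowed by MaxMode is a violation:
	// 0644 sets o+r, which 0640 does not permit; 0600 is stricter and passes.
	if extra := perm &^ p.MaxMode; extra != 0 {
		out = append(out, Finding{path, fmt.Sprintf("mode %04o exceeds %04o", uint32(perm), uint32(p.MaxMode))})
	}
	// Ownership comes from the underlying stat structure (Unix only).
	if st, ok := info.Sys().(*syscall.Stat_t); ok {
		if !p.ExpectedUIDs[st.Uid] {
			out = append(out, Finding{path, fmt.Sprintf("unexpected owner uid %d", st.Uid)})
		}
		if !p.ExpectedGIDs[st.Gid] {
			out = append(out, Finding{path, fmt.Sprintf("unexpected group gid %d", st.Gid)})
		}
	}
	return out
}

// CheckTree walks root (in practice a mounted volume path) and collects all findings.
// Symlinks are not followed, so a link into an unrelated directory cannot widen the scan.
func CheckTree(p FilePolicy, root string) ([]Finding, error) {
	var all []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		all = append(all, CheckFile(p, path, info)...)
		return nil
	})
	return all, err
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	findings, err := CheckTree(DefaultPolicy(), root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("FAIL %s: %s\n", f.Path, f.Reason)
	}
	if len(findings) == 0 {
		fmt.Println("PASS")
	}
}
```

Tightening MaxMode to 0o600 reproduces the literal STIG expectation and will flag every group-readable key, which is exactly the false positive the notes explain the rule now avoids.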

🏃 Others

  • [USER] Error messages when encountering pod timeouts while waiting for the pod to reach healthy state were improved. by @AleksandarSavchev [#38]
  • [USER] DISA Kubernetes STIGS pod-files rule now checks only 1 pod per owner reference group. by @AleksandarSavchev [#43]
  • [USER] DISA Kubernetes STIGS 242436 rule now fails when the kube-apiserver flag disable-admission-plugins is set to ValidatingAdmissionWebhook. by @AleksandarSavchev [#45]
  • [USER] DISA Kubernetes STIGS pod-files rule now checks only files with paths part of the volumeMounts for the specific container. It also excludes directories of no interest like /var/log/journal. by @AleksandarSavchev [#39]
  • [DEPENDENCY] Diki is now built using go version 1.21.2. by @dimityrmirchev [#44]
  • [DEPENDENCY] Update go version to 1.21.1. by @AleksandarSavchev [#36]
  • [DEPENDENCY] Diki is now built using go version 1.21.3. by @dimityrmirchev [#50]
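Rule 242382 (authorization modes in a specific order, v0.4.0 above) and rule 242436 (fail when ValidatingAdmissionWebhook is listed in disable-admission-plugins) both inspect kube-apiserver command-line flags. The Go program below is an added example for this page, not diki's code: it parses the `--flag=value` and `--flag value` forms with comma-separated lists, appending repeated occurrences the way pflag's StringSlice flags accumulate, and then applies the two checks. The expected order Node,RBAC used in main is an assumption of the example; the release notes say only that a specific order is expected.

```go
package main

import (
	"fmt"
	"strings"
)

// FlagValues collects every value of --name from an argument list such as a
// pod container's command plus args. Both "--name=a,b" and "--name a,b" are
// accepted; comma lists are split and repeated flags are appended.
func FlagValues(args []string, name string) []string {
	var vals []string
	prefix := "--" + name
	for i := 0; i < len(args); i++ {
		var raw string
		switch {
		case strings.HasPrefix(args[i], prefix+"="):
			raw = strings.TrimPrefix(args[i], prefix+"=")
		case args[i] == prefix && i+1 < len(args):
			i++
			raw = args[i]
		default:
			continue
		}
		for _, v := range strings.Split(raw, ",") {
			if v = strings.TrimSpace(v); v != "" {
				vals = append(vals, v)
			}
		}
	}
	return vals
}

// CheckAuthorizationMode passes only when --authorization-mode lists exactly
// the expected modes in the expected order. An absent flag yields an empty
// list and therefore fails, which is correct: the apiserver default is AlwaysAllow.
func CheckAuthorizationMode(args []string, expected []string) error {
	got := FlagValues(args, "authorization-mode")
	if len(got) != len(expected) {
		return fmt.Errorf("authorization-mode is %v, expected %v", got, expected)
	}
	for i := range expected {
		if got[i] != expected[i] {
			return fmt.Errorf("authorization-mode is %v, expected %v (order matters)", got, expected)
		}
	}
	return nil
}

// CheckAdmissionPlugins fails when ValidatingAdmissionWebhook appears in
// --disable-admission-plugins, the condition rule 242436 reports.
func CheckAdmissionPlugins(args []string) error {
	for _, p := range FlagValues(args, "disable-admission-plugins") {
		if p == "ValidatingAdmissionWebhook" {
			return fmt.Errorf("ValidatingAdmissionWebhook is disabled via --disable-admission-plugins")
		}
	}
	return nil
}

func main() {
	// Constructed sample command line, as it might appear in a kube-apiserver pod spec.
	args := []string{
		"kube-apiserver",
		"--authorization-mode=RBAC,Node",
		"--disable-admission-plugins", "ValidatingAdmissionWebhook,PodSecurity",
	}
	checks := []error{
		CheckAuthorizationMode(args, []string{"Node", "RBAC"}), // assumed expected order
		CheckAdmissionPlugins(args),
	}
	for _, err := range checks {
		if err != nil {
			fmt.Println("FAIL:", err)
		} else {
			fmt.Println("PASS")
		}
	}
}
```

Feeding the example a real pod spec means concatenating spec.containers[].command and .args for the apiserver container; both forms of flag syntax show up in practice, which is why the parser handles both.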

v0.1.0

29 Sep 09:21

[gardener/diki]

✨ New Features

  • [USER] Diki can now run DISA Kubernetes STIG version v1r10 ruleset. by @AleksandarSavchev [#34]
  • [USER] It is now possible to print version details about the diki binary by running diki version. by @dimityrmirchev [#16]
  • [USER] The diki report command can now be used to merge multiple reports into a single report by setting the --distinct-by flag. by @AleksandarSavchev [#10]
  • [USER] ETCD peer options rules 242380, 242426, 242432 and 242433 are now skipped when ETCD runs as a single instance. by @AleksandarSavchev [#3]
  • [DEVELOPER] It is now possible to build diki binaries for different platforms by running make build. by @dimityrmirchev [#19]

🏃 Others

  • [USER] Selecting accepted pods for rule 242414 in the config file has been changed to use pod and namespace label selectors instead of name prefixes. by @AleksandarSavchev [#12]