diff --git a/content/mondoo-kubernetes-security.mql.yaml b/content/mondoo-kubernetes-security.mql.yaml
index d50d1f2cc..7d2251fb4 100644
--- a/content/mondoo-kubernetes-security.mql.yaml
+++ b/content/mondoo-kubernetes-security.mql.yaml
@@ -278,7 +278,7 @@ queries:
 compliance/soc2-2017: soc2-control-cc6-1-4
 compliance/vda-isa-5: vda-isa-5-4-1-3
 mql: |
- kubelet.configuration['authentication']['anonymous']['enabled'] == false
+ kubelet.anonymousAuthEnabled == false
 docs:
 desc: |
 This check ensures that anonymous authentication is disabled for the kubelet. Disabling anonymous authentication prevents unauthenticated users from accessing the kubelet's HTTPS endpoint, which could otherwise expose sensitive cluster information.
@@ -319,7 +319,7 @@ queries:
 compliance/soc2-2017: soc2-control-cc7-1-1
 compliance/vda-isa-5: vda-isa-5-5-2-1
 mql: |
- kubelet.configuration['eventRecordQPS'] == 0
+ kubelet.eventRecordQPS == 0
 docs:
 desc: |
 This check ensures that the kubelet is configured to capture all event creation by setting the event record QPS (queries per second) to 0. This configuration guarantees that all events are logged, which is important for auditing and troubleshooting purposes.
@@ -360,7 +360,7 @@ queries:
 compliance/soc2-2017: soc2-control-cc6-6-1
 compliance/vda-isa-5: vda-isa-5-5-2-6
 mql: |
- kubelet.configuration['makeIPTablesUtilChains'] == true
+ kubelet.makeIPTablesUtilChains == true
 docs:
 desc: |
 This check ensures that the kubelet is set up to create IPTables utility rules for various Kubernetes components. This configuration is important for maintaining correct network traffic routing and enforcing security policies at the node level.
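Review bot: `kubelet.anonymousAuthEnabled == false` replaces a lookup on the raw config map, and the two forms need not agree when the key is absent from the kubelet config: the old expression evaluated to null and failed, whereas the new resource field may return null or the kubelet's effective default, depending on how the provider resolves it. If it resolves the effective value, a kubelet whose anonymous auth is governed by the `--anonymous-auth` flag rather than a config key would now be judged on what it actually does, which is the more useful semantics, but that should be confirmed and stated. The same question applies to the eventRecordQPS hunk at -319 and the makeIPTablesUtilChains hunk at -360, whose kubelet defaults are (as far as I recall) non-zero and true respectively, so an omitted key flips between fail and pass depending on the resolution. Once confirmed, suggest adding to each `desc` a sentence such as `This check evaluates the kubelet's effective setting, so a value omitted from the config file is judged by its default.`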
@@ -401,7 +401,7 @@ queries:
 compliance/soc2-2017: soc2-control-cc7-1-1
 compliance/vda-isa-5: vda-isa-5-5-2-1
 mql: |
- kubelet.configuration["protectKernelDefaults"] == "true"
+ kubelet.protectKernelDefaults == true
 docs:
 desc: |
 This check ensures that the kubelet is configured to protect kernel defaults by setting `protectKernelDefaults` to `true`. This configuration prevents the kubelet from modifying kernel tunables at startup and enforces the use of secure, recommended kernel settings.
@@ -444,7 +444,7 @@ queries:
 compliance/soc2-2017: soc2-control-cc6-6-1
 compliance/vda-isa-5: vda-isa-5-5-2-6
 mql: |
- kubelet.configuration['readOnlyPort'] == 0 || kubelet.configuration['readOnlyPort'] == null
+ kubelet.readOnlyPort == 0
 docs:
 desc: |
 This check ensures that the kubelet is not configured to serve unauthenticated read-only access. Disabling the read-only port prevents unauthenticated users from accessing sensitive kubelet information.
@@ -485,7 +485,7 @@ queries:
 compliance/soc2-2017: soc2-control-cc6-1-3
 compliance/vda-isa-5: vda-isa-5-4-1-1
 mql: |
- kubelet.configuration['authorization']['mode'] != "AlwaysAllow"
+ kubelet.authorizationMode != "AlwaysAllow"
 docs:
 desc: |
 This check ensures that the kubelet is not configured with the AlwaysAllow authorization mode. Disabling AlwaysAllow enforces proper access control and prevents unauthorized requests from being automatically permitted.
@@ -539,9 +539,9 @@ queries:
 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"]
 mql: |
- kubelet.configuration['tlsCipherSuites'] != empty
- if (kubelet.configuration['tlsCipherSuites'] != empty) {
- kubelet.configuration['tlsCipherSuites'].map( _.trim ).containsOnly(props.mondooKubernetesSecurityAllowedCiphers)
+ kubelet.tlsCipherSuites != empty
+ if (kubelet.tlsCipherSuites != empty) {
+ kubelet.tlsCipherSuites.map( _.trim ).containsOnly(props.mondooKubernetesSecurityAllowedCiphers)
 }
 docs:
 desc: |
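Review bot: In the readOnlyPort hunk at -444, the new `kubelet.readOnlyPort == 0` drops the `|| ... == null` branch, so a kubelet whose config does not set readOnlyPort now fails unless the resource substitutes the effective value. That is a reasonable tightening — the previous form passed an unset key even though a kubelet started with the legacy flag default leaves the read-only port open — but it is a behaviour change that the `desc` does not mention; it still reads as a pure config-file check. The rotateCertificates hunk at -643 makes the same shift, from `!= "false"`, which passed an unset key, to `== true`, which does not. Suggest adding to both `desc` blocks a line such as `A kubelet that does not set this value explicitly fails this check.` so the stricter semantics are documented alongside the policy.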
@@ -593,8 +593,8 @@ queries:
 compliance/soc2-2017: soc2-control-cc6-7-2
 compliance/vda-isa-5: vda-isa-5-5-1-2
 mql: |
- kubelet.configuration["tlsCertFile"] != empty
- kubelet.configuration["tlsPrivateKeyFile"] != empty
+ kubelet.tlsCertFile != empty
+ kubelet.tlsPrivateKeyFile != empty
 docs:
 desc: |
 This check ensures that the kubelet is not running with self-signed certificates generated by the kubelet itself. Instead, it requires the kubelet to use a user-provided certificate and key for secure communication.
@@ -643,7 +643,7 @@ queries:
 compliance/soc2-2017: soc2-control-cc6-7-2
 compliance/vda-isa-5: vda-isa-5-5-1-2
 mql: |
- kubelet.configuration["rotateCertificates"] != "false"
+ kubelet.rotateCertificates == true
 docs:
 desc: |
 This check ensures that the kubelet is running with automatic certificate rotation enabled. This configuration allows the kubelet to automatically renew its certificates with the API server as they approach expiration, maintaining uninterrupted secure communication.
@@ -784,9 +784,9 @@ queries:
 compliance/soc2-2017: soc2-control-cc6-1-3
 compliance/vda-isa-5: vda-isa-5-4-1-1
 mql: |
- kubelet.configuration['authentication']['x509']['clientCAFile'] != empty
- if (kubelet.configuration['authentication']['x509']['clientCAFile'] != empty) {
- cafile = kubelet.configuration["authentication"]["x509"]["clientCAFile"]
+ kubelet.clientCAFile != empty
+ if (kubelet.clientCAFile != empty) {
+ cafile = kubelet.clientCAFile
 file(cafile) {
 user.name == "root"
 group.name == "root"