🧹 k8s: use typed kubelet fields instead of raw configuration dict #2931
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -278,7 +278,7 @@ queries: | |
| compliance/soc2-2017: soc2-control-cc6-1-4 | ||
| compliance/vda-isa-5: vda-isa-5-4-1-3 | ||
| mql: | | ||
| kubelet.configuration['authentication']['anonymous']['enabled'] == false | ||
| kubelet.anonymousAuthEnabled == false | ||
| docs: | ||
| desc: | | ||
| This check ensures that anonymous authentication is disabled for the kubelet. Disabling anonymous authentication prevents unauthenticated users from accessing the kubelet's HTTPS endpoint, which could otherwise expose sensitive cluster information. | ||
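Review bot: The typed `kubelet.anonymousAuthEnabled` field hides whether the key was present in the config file, so the unset case should be confirmed: the raw-dict lookup `kubelet.configuration['authentication']['anonymous']['enabled']` yielded null for a missing key, whereas a typed field presumably reports the kubelet default. If it does, nodes that rely on the default are now scored on the effective value instead of failing on a null comparison, which is the better behaviour, but it is a behaviour change that applies to every hunk in this file and deserves a sentence in the PR description.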
|
|
@@ -319,7 +319,7 @@ queries: | |
| compliance/soc2-2017: soc2-control-cc7-1-1 | ||
| compliance/vda-isa-5: vda-isa-5-5-2-1 | ||
| mql: | | ||
| kubelet.configuration['eventRecordQPS'] == 0 | ||
| kubelet.eventRecordQPS == 0 | ||
| docs: | ||
| desc: | | ||
| This check ensures that the kubelet is configured to capture all event creation by setting the event record QPS (queries per second) to 0. This configuration guarantees that all events are logged, which is important for auditing and troubleshooting purposes. | ||
|
|
@@ -360,7 +360,7 @@ queries: | |
| compliance/soc2-2017: soc2-control-cc6-6-1 | ||
| compliance/vda-isa-5: vda-isa-5-5-2-6 | ||
| mql: | | ||
| kubelet.configuration['makeIPTablesUtilChains'] == true | ||
| kubelet.makeIPTablesUtilChains == true | ||
| docs: | ||
| desc: | | ||
| This check ensures that the kubelet is set up to create IPTables utility rules for various Kubernetes components. This configuration is important for maintaining correct network traffic routing and enforcing security policies at the node level. | ||
|
|
@@ -401,7 +401,7 @@ queries: | |
| compliance/soc2-2017: soc2-control-cc7-1-1 | ||
| compliance/vda-isa-5: vda-isa-5-5-2-1 | ||
| mql: | | ||
| kubelet.configuration["protectKernelDefaults"] == "true" | ||
| kubelet.protectKernelDefaults == true | ||
|
mondoo-code-review[bot] (conversation resolved): 🟡 warning — The old check compared
| docs: | ||
| desc: | | ||
| This check ensures that the kubelet is configured to protect kernel defaults by setting `protectKernelDefaults` to `true`. This configuration prevents the kubelet from modifying kernel tunables at startup and enforces the use of secure, recommended kernel settings. | ||
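Review bot: Replacing `kubelet.configuration["protectKernelDefaults"] == "true"` with `kubelet.protectKernelDefaults == true` fixes a type mismatch in the old query (a boolean parsed from the config file never equals the string `"true"`), so this hunk is a correctness fix rather than a pure rename and should be called out as such. Also confirm the typed field reports false rather than null when the key is absent; the kubelet default for protectKernelDefaults is false, and those nodes should fail this check.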
|
|
@@ -444,7 +444,7 @@ queries: | |
| compliance/soc2-2017: soc2-control-cc6-6-1 | ||
| compliance/vda-isa-5: vda-isa-5-5-2-6 | ||
| mql: | | ||
| kubelet.configuration['readOnlyPort'] == 0 || kubelet.configuration['readOnlyPort'] == null | ||
| kubelet.readOnlyPort == 0 | ||
|
mondoo-code-review[bot] (conversation resolved): 🟡 warning — The old check allowed both
| docs: | ||
| desc: | | ||
| This check ensures that the kubelet is not configured to serve unauthenticated read-only access. Disabling the read-only port prevents unauthenticated users from accessing sensitive kubelet information. | ||
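Review bot: Dropping the `|| kubelet.configuration['readOnlyPort'] == null` branch tightens the check: an unset readOnlyPort passed before, and now passes only if `kubelet.readOnlyPort` reports 0. That is correct if the typed field resolves to the kubelet default of 0 when the key is absent, but if it yields null the query will newly fail on every node that never set the key. Please confirm which it is and, in the null case, keep a null branch or apply the default before comparing.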
|
|
@@ -485,7 +485,7 @@ queries: | |
| compliance/soc2-2017: soc2-control-cc6-1-3 | ||
| compliance/vda-isa-5: vda-isa-5-4-1-1 | ||
| mql: | | ||
| kubelet.configuration['authorization']['mode'] != "AlwaysAllow" | ||
| kubelet.authorizationMode != "AlwaysAllow" | ||
| docs: | ||
| desc: | | ||
| This check ensures that the kubelet is not configured with the AlwaysAllow authorization mode. Disabling AlwaysAllow enforces proper access control and prevents unauthorized requests from being automatically permitted. | ||
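Review bot: `kubelet.authorizationMode != "AlwaysAllow"` still passes when the typed field is empty or null, so a node with no explicit mode passes regardless of what it falls back to. Since the only valid values are AlwaysAllow and Webhook, asserting `kubelet.authorizationMode == "Webhook"` would make the intent explicit and avoid depending on how the resource represents an unset field.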
|
|
@@ -539,9 +539,9 @@ queries: | |
| "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", | ||
| "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"] | ||
| mql: | | ||
| kubelet.configuration['tlsCipherSuites'] != empty | ||
| if (kubelet.configuration['tlsCipherSuites'] != empty) { | ||
| kubelet.configuration['tlsCipherSuites'].map( _.trim ).containsOnly(props.mondooKubernetesSecurityAllowedCiphers) | ||
| kubelet.tlsCipherSuites != empty | ||
| if (kubelet.tlsCipherSuites != empty) { | ||
| kubelet.tlsCipherSuites.map( _.trim ).containsOnly(props.mondooKubernetesSecurityAllowedCiphers) | ||
| } | ||
| docs: | ||
| desc: | | ||
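Review bot: The `if (kubelet.tlsCipherSuites != empty) { ... }` guard is redundant: the preceding line asserts `kubelet.tlsCipherSuites != empty` unconditionally, so an empty list fails the query before the guard is reached and a non-empty list always enters it. Either drop the unconditional assertion (so nodes using the kubelet's built-in cipher list are skipped rather than failed) or drop the guard; as written the query reads as though an empty list were tolerated. The `.map( _.trim )` may also be unnecessary once the typed field returns a list of strings.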
|
|
@@ -593,8 +593,8 @@ queries: | |
| compliance/soc2-2017: soc2-control-cc6-7-2 | ||
| compliance/vda-isa-5: vda-isa-5-5-1-2 | ||
| mql: | | ||
| kubelet.configuration["tlsCertFile"] != empty | ||
| kubelet.configuration["tlsPrivateKeyFile"] != empty | ||
| kubelet.tlsCertFile != empty | ||
| kubelet.tlsPrivateKeyFile != empty | ||
| docs: | ||
| desc: | | ||
| This check ensures that the kubelet is not running with self-signed certificates generated by the kubelet itself. Instead, it requires the kubelet to use a user-provided certificate and key for secure communication. | ||
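Review bot: `kubelet.tlsCertFile != empty` and `kubelet.tlsPrivateKeyFile != empty` only verify that the fields are set, not that the referenced files exist or are readable by the kubelet, while the docs claim the kubelet is "not running with self-signed certificates". The clientCAFile hunk further down already uses the `file(...)` resource on the configured path; the same pattern could be applied here in a follow-up.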
|
|
@@ -643,7 +643,7 @@ queries: | |
| compliance/soc2-2017: soc2-control-cc6-7-2 | ||
| compliance/vda-isa-5: vda-isa-5-5-1-2 | ||
| mql: | | ||
| kubelet.configuration["rotateCertificates"] != "false" | ||
| kubelet.rotateCertificates == true | ||
|
mondoo-code-review[bot] (conversation resolved): 🟡 warning — The old check was
| docs: | ||
| desc: | | ||
| This check ensures that the kubelet is running with automatic certificate rotation enabled. This configuration allows the kubelet to automatically renew its certificates with the API server as they approach expiration, maintaining uninterrupted secure communication. | ||
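Review bot: This hunk changes semantics, not just field access: the old `kubelet.configuration["rotateCertificates"] != "false"` passed whenever the key was unset (null is not equal to the string "false"), while the new `kubelet.rotateCertificates == true` fails unless the field is explicitly true. Because the kubelet default for rotateCertificates is false, the new query is the correct one, but it will flip results on nodes that rely on the default, so state that in the PR description rather than shipping it under a 🧹 cleanup title.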
|
|
@@ -784,9 +784,9 @@ queries: | |
| compliance/soc2-2017: soc2-control-cc6-1-3 | ||
| compliance/vda-isa-5: vda-isa-5-4-1-1 | ||
| mql: | | ||
| kubelet.configuration['authentication']['x509']['clientCAFile'] != empty | ||
| if (kubelet.configuration['authentication']['x509']['clientCAFile'] != empty) { | ||
| cafile = kubelet.configuration["authentication"]["x509"]["clientCAFile"] | ||
| kubelet.clientCAFile != empty | ||
| if (kubelet.clientCAFile != empty) { | ||
| cafile = kubelet.clientCAFile | ||
| file(cafile) { | ||
| user.name == "root" | ||
| group.name == "root" | ||
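Review bot: Same redundancy as the tlsCipherSuites hunk: `kubelet.clientCAFile != empty` is asserted unconditionally immediately before an `if` that tests the identical condition, so the guard never skips anything; pick one form. The intermediate `cafile = kubelet.clientCAFile` could likewise be dropped in favour of `file(kubelet.clientCAFile) { ... }` unless the variable is kept deliberately for readability.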