30 changes: 15 additions & 15 deletions content/mondoo-kubernetes-security.mql.yaml
@@ -278,7 +278,7 @@ queries:
compliance/soc2-2017: soc2-control-cc6-1-4
compliance/vda-isa-5: vda-isa-5-4-1-3
mql: |
kubelet.configuration['authentication']['anonymous']['enabled'] == false
kubelet.anonymousAuthEnabled == false
docs:
desc: |
This check ensures that anonymous authentication is disabled for the kubelet. Disabling anonymous authentication prevents unauthenticated users from accessing the kubelet's HTTPS endpoint, which could otherwise expose sensitive cluster information.
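Review bot: in the `mql` line of this hunk, `kubelet.anonymousAuthEnabled == false` needs a defined result for configurations that omit the `authentication.anonymous` block entirely; the old nested map lookup returned nothing for a missing key and the comparison failed, so confirm whether the typed field reports the kubelet's effective default or null in that case, and cover the omitted-key case with a fixture so the check cannot silently start passing on clusters that never set the key. The direction is right: one typed boolean is far less fragile than a three-level map lookup.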
@@ -319,7 +319,7 @@ queries:
compliance/soc2-2017: soc2-control-cc7-1-1
compliance/vda-isa-5: vda-isa-5-5-2-1
mql: |
kubelet.configuration['eventRecordQPS'] == 0
kubelet.eventRecordQPS == 0
docs:
desc: |
This check ensures that the kubelet is configured to capture all event creation by setting the event record QPS (queries per second) to 0. This configuration guarantees that all events are logged, which is important for auditing and troubleshooting purposes.
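Review bot: `kubelet.eventRecordQPS == 0` in this hunk is sensitive to how the typed field represents an absent setting: if an integer field reads as 0 when the key is missing, a node that never configured event rate limiting passes a check whose description promises that all events are captured, even though the kubelet's own default for an unset value is not 0. Confirm the field yields null (or the effective default) when unset, or assert `kubelet.eventRecordQPS != null` alongside the equality.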
@@ -360,7 +360,7 @@ queries:
compliance/soc2-2017: soc2-control-cc6-6-1
compliance/vda-isa-5: vda-isa-5-5-2-6
mql: |
kubelet.configuration['makeIPTablesUtilChains'] == true
kubelet.makeIPTablesUtilChains == true
docs:
desc: |
This check ensures that the kubelet is set up to create IPTables utility rules for various Kubernetes components. This configuration is important for maintaining correct network traffic routing and enforcing security policies at the node level.
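Review bot: same unset-versus-false question for `kubelet.makeIPTablesUtilChains == true`: under the old query a missing key compared unequal to `true` and the check failed, so the result for nodes that omit the key now depends on whether the typed boolean carries the kubelet's default or a zero value. A fixture with the key omitted would pin down the intended outcome for all the boolean conversions in this file.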
@@ -401,7 +401,7 @@ queries:
compliance/soc2-2017: soc2-control-cc7-1-1
compliance/vda-isa-5: vda-isa-5-5-2-1
mql: |
kubelet.configuration["protectKernelDefaults"] == "true"
kubelet.protectKernelDefaults == true
🟡 warning — The old check compared protectKernelDefaults against the string "true", but the new check compares against the boolean true. This is a semantic fix (the old check was likely a bug comparing a boolean field to a string), but verify that kubelet.protectKernelDefaults returns a boolean and not a string, otherwise this changes behavior.

docs:
desc: |
This check ensures that the kubelet is configured to protect kernel defaults by setting `protectKernelDefaults` to `true`. This configuration prevents the kubelet from modifying kernel tunables at startup and enforces the use of secure, recommended kernel settings.
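Review bot: besides the type question raised in the comment above, this hunk changes results for existing scans: a node whose YAML sets `protectKernelDefaults: true` as a boolean compared unequal to the string `"true"` under the old query and therefore failed, and will pass now, while a node using the quoted-string form moves the other way if the typed field does not coerce it. Worth a changelog line and a fixture with both spellings.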
@@ -444,7 +444,7 @@ queries:
compliance/soc2-2017: soc2-control-cc6-6-1
compliance/vda-isa-5: vda-isa-5-5-2-6
mql: |
kubelet.configuration['readOnlyPort'] == 0 || kubelet.configuration['readOnlyPort'] == null
kubelet.readOnlyPort == 0
🟡 warning — The old check allowed both == 0 and == null (i.e., field not set). The new check only allows == 0. If kubelet.readOnlyPort returns null/nil when the field is unset, this will cause previously-passing checks to fail. Confirm that the typed field defaults to 0 when unset, or re-add the null check: kubelet.readOnlyPort == 0 || kubelet.readOnlyPort == null.

docs:
desc: |
This check ensures that the kubelet is not configured to serve unauthenticated read-only access. Disabling the read-only port prevents unauthenticated users from accessing sensitive kubelet information.
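Review bot: whichever way the null question in the comment above is resolved, record the decision next to the query: the dropped `|| ... == null` branch encoded a deliberate policy (an absent key counts as the read-only port being off), and without a short comment the next reader will either re-add it or wonder why it is gone.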
@@ -485,7 +485,7 @@ queries:
compliance/soc2-2017: soc2-control-cc6-1-3
compliance/vda-isa-5: vda-isa-5-4-1-1
mql: |
kubelet.configuration['authorization']['mode'] != "AlwaysAllow"
kubelet.authorizationMode != "AlwaysAllow"
docs:
desc: |
This check ensures that the kubelet is not configured with the AlwaysAllow authorization mode. Disabling AlwaysAllow enforces proper access control and prevents unauthorized requests from being automatically permitted.
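Review bot: `kubelet.authorizationMode != "AlwaysAllow"` passes whenever the field is empty or null, so a configuration the provider could not read at all satisfies the check. That weakness predates this hunk (the map lookup behaved the same way), but while the line is being touched consider pairing it with `kubelet.authorizationMode != empty`, the idiom this file already uses for the TLS fields, so an unreadable value fails rather than passes.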
@@ -539,9 +539,9 @@ queries:
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"]
mql: |
kubelet.configuration['tlsCipherSuites'] != empty
if (kubelet.configuration['tlsCipherSuites'] != empty) {
kubelet.configuration['tlsCipherSuites'].map( _.trim ).containsOnly(props.mondooKubernetesSecurityAllowedCiphers)
kubelet.tlsCipherSuites != empty
if (kubelet.tlsCipherSuites != empty) {
kubelet.tlsCipherSuites.map( _.trim ).containsOnly(props.mondooKubernetesSecurityAllowedCiphers)
}
docs:
desc: |
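Review bot: with the typed `kubelet.tlsCipherSuites` the `.map( _.trim )` step in this hunk is only needed if the field can still carry padded entries; confirm its type (a list of strings versus a raw string that was being split), and if it is already a clean list drop the map so a non-list value fails loudly instead of being massaged into a pass.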
@@ -593,8 +593,8 @@ queries:
compliance/soc2-2017: soc2-control-cc6-7-2
compliance/vda-isa-5: vda-isa-5-5-1-2
mql: |
kubelet.configuration["tlsCertFile"] != empty
kubelet.configuration["tlsPrivateKeyFile"] != empty
kubelet.tlsCertFile != empty
kubelet.tlsPrivateKeyFile != empty
docs:
desc: |
This check ensures that the kubelet is not running with self-signed certificates generated by the kubelet itself. Instead, it requires the kubelet to use a user-provided certificate and key for secure communication.
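Review bot: `kubelet.tlsCertFile != empty` and `kubelet.tlsPrivateKeyFile != empty` only establish that paths are configured, while the description promises that the kubelet is not running on certificates it generated itself; they say nothing about whether the files exist or who owns them. The `file(...)` pattern used for `clientCAFile` later in this diff would let the query confirm the files are present and root-owned, so consider applying it here as well.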
@@ -643,7 +643,7 @@ queries:
compliance/soc2-2017: soc2-control-cc6-7-2
compliance/vda-isa-5: vda-isa-5-5-1-2
mql: |
kubelet.configuration["rotateCertificates"] != "false"
kubelet.rotateCertificates == true
🟡 warning — The old check was != "false" (pass if not explicitly disabled), but the new check is == true (pass only if explicitly enabled). This is stricter: if the field is unset/null, the old check would pass but the new one would fail. Verify this is the intended behavior, since the default for rotateCertificates in kubelet is true as of K8s 1.19+, so the typed field should reflect that default.

docs:
desc: |
This check ensures that the kubelet is running with automatic certificate rotation enabled. This configuration allows the kubelet to automatically renew its certificates with the API server as they approach expiration, maintaining uninterrupted secure communication.
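Review bot: the direction of this hunk is right for a reason the comment above does not mention: the old `!= "false"` compared against a string, so a node that explicitly disabled rotation with a boolean `false` in its YAML still passed, because the boolean never equals the string. The new `== true` closes that hole; the only open point is the unset case already flagged.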
@@ -784,9 +784,9 @@ queries:
compliance/soc2-2017: soc2-control-cc6-1-3
compliance/vda-isa-5: vda-isa-5-4-1-1
mql: |
kubelet.configuration['authentication']['x509']['clientCAFile'] != empty
if (kubelet.configuration['authentication']['x509']['clientCAFile'] != empty) {
cafile = kubelet.configuration["authentication"]["x509"]["clientCAFile"]
kubelet.clientCAFile != empty
if (kubelet.clientCAFile != empty) {
cafile = kubelet.clientCAFile
file(cafile) {
user.name == "root"
group.name == "root"
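Review bot: style point on the `cafile = kubelet.clientCAFile` line: with a single typed accessor the alias no longer earns its keep and `file(kubelet.clientCAFile) { ... }` would read more directly; the `if (kubelet.clientCAFile != empty)` guard is still needed so the ownership assertions are not evaluated against an empty path.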