GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → raspbernetes → k8s-security-policies

raspbernetes / k8s-security-policies

Licence: Apache-2.0 license
This repository provides a security policies library that is used for securing Kubernetes clusters configurations. The security policies are created based on CIS Kubernetes benchmark and rules defined in Kubesec.io.

Programming Languages

Open Policy Agent
39 projects

Labels

kubernetessecuritybenchmarkcisgatekeeperopen-policy-agentviolationconftestkubernetes-clusterscis-kubernetes-benchmarkraspberneteskubesecrego-policyrego-files

Projects that are alternatives of or similar to k8s-security-policies

policies
A set of shared policies for use with Conftest and other Open Policy Agent tools
Stars: ✭ 61 (-61.87%)
Mutual labels:  open-policy-agent, conftest
kubernetes-security-benchmark
A simple way to evaluate the security of your Kubernetes deployment against sets of best practices defined by various community sources
Stars: ✭ 27 (-83.12%)
Mutual labels:  cis
cis-benchmark-centOS-8
Auditing Script based on CIS-BENCHMARK CENTOS 8
Stars: ✭ 34 (-78.75%)
Mutual labels:  cis
Prowler
Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains more than 200 controls covering CIS, ISO27001, GDPR, HIPAA, SOC2, ENS and other security frameworks.
Stars: ✭ 4,561 (+2750.63%)
Mutual labels:  cis
CIS-Ubuntu-20.04-Ansible
Ansible Role to Automate CIS v1.1.0 Ubuntu Linux 18.04 LTS, 20.04 LTS Remediation
Stars: ✭ 150 (-6.25%)
Mutual labels:  cis
slidefiles
[WIP] 整理过去的分享,从零开始的Kubernetes攻防 🧐
Stars: ✭ 2,033 (+1170.63%)
Mutual labels:  cis
CIS-for-macOS-High-Sierra
No description or website provided.
Stars: ✭ 15 (-90.62%)
Mutual labels:  cis
action-setup-kube-tools
Github Action that setup Kubernetes tools (kubectl, kustomize, helm, kubeconform, conftest, yq, rancher, tilt, skaffold) very fast and cache them on the runner. Please [✩Star] if you're using it!
Stars: ✭ 45 (-71.87%)
Mutual labels:  conftest
cis benchmarks audit
Simple command line tool to check for compliance against CIS Benchmarks
Stars: ✭ 182 (+13.75%)
Mutual labels:  cis
UBUNTU18-CIS
CIS Baseline Ansible Role for Ubuntu 18
Stars: ✭ 20 (-87.5%)
Mutual labels:  cis
CIS-for-macOS-High-Sierra-CP
No description or website provided.
Stars: ✭ 36 (-77.5%)
Mutual labels:  cis
inspec-gke-cis-benchmark
GKE CIS 1.1.0 Benchmark InSpec Profile
Stars: ✭ 27 (-83.12%)
Mutual labels:  cis
UBUNTU20-CIS
Ansible role for Ubuntu 2004 CIS Baseline
Stars: ✭ 136 (-15%)
Mutual labels:  cis
centos-cis-benchmark
CIS CentOS Linux 7 Benchmark
Stars: ✭ 64 (-60%)
Mutual labels:  cis
opa-kafka-plugin
Open Policy Agent (OPA) plug-in for Kafka authorization
Stars: ✭ 46 (-71.25%)
Mutual labels:  open-policy-agent
CIS-for-macOS-Sierra-CP
CIS for macOS 10.12 remediated with script and configuration profiles
Stars: ✭ 23 (-85.62%)
Mutual labels:  cis
Audit-Test-Automation
The Audit Test Automation Package gives you the ability to get an overview about the compliance status of several systems. You can easily create HTML-reports and have a transparent overview over compliance and non-compliance of explicit setttings and configurations in comparison to industry standards and hardening guides.
Stars: ✭ 37 (-76.87%)
Mutual labels:  cis
The Practical Linux Hardening Guide
This guide details creating a secure Linux production system. OpenSCAP (C2S/CIS, STIG).
Stars: ✭ 8,790 (+5393.75%)
Mutual labels:  cis
oci-service-broker
Oracle Cloud Infrastructure Service Broker is an open source implementation of Open service broker API Spec for OCI services. Customers can use this implementation to install Open Service Broker in Oracle Container Engine for Kubernetes or in other Kubernetes clusters.
Stars: ✭ 48 (-70%)
Mutual labels:  kubernetes-clusters
Gatekeeper
Lightweight library in C# for implementing roles-based access control (RBAC). With Gatekeeper, you can define users, roles, resources, and permissions, and authorize requests.
Stars: ✭ 25 (-84.37%)
Mutual labels:  gatekeeper
View All Similar Projects ➔

Kubernetes Security Policies

Raspbernetes

build FOSSA Status

Introduction

This repository provides a security policies library that is used for securing Kubernetes clusters configurations. The security policies are created based on CIS Kubernetes benchmark and rules defined in Kubesec.io. The policies are written in Rego, a high-level declarative language, its purpose-built for expressing policies over complex hierarchical data structures. For detailed information on Rego see the Policy Language documentation.

Structure of the repo

The policies directory contains a list of folders, which corresponds to the list of policies. The folder is named with the benchmark standard and a number to differentiate with each other. For example, the 1.2.1 Ensure that the --anonymous-auth argument is set to false that in CIS benchmark is checked by the REGO files in directory CIS1.2.1. Check more on each policy in Policy Inventory

Each of these folders contains a rego file and unit test rego file. There is another lib folder which has two rego files that contain general functions that can be imported into other rego. kubernetes.rego contains functions and rules that will be used in security control rego files, test.rego contains functions that can be imported in the unit test files.

How does this work?

Violations

Each of the rego policies checks against the manifests of resources that can be deployed in the K8s cluster, the violation block in each policy rego files will normally contain these statements that will do:

  • Check what resource object the policy is checking against and return the object
  • Check if the object violates that controls defined in the benchmark
  • Display the error message if there is a violation Here is a quick example of a violation:
violation[msg] {
    kubernetes.pods[pod]
    not kubernetes.contains_element(params.allowedDeploymentsOrPods, kubernetes.name)
    is_automount_serviceaccount_token_enabled(pod)
    msg := kubernetes.format(sprintf("%v: %v - Automount Service account token must be set to false", [kubernetes.kind, kubernetes.name]))
}

The kubernetes. indicates it is calling a function from kubernetes.rego, which put general functions. The logic that specific to this control will be written in the same rego files.

Parameters

For each of the security policies, there will be parameters going to be used for checking against the resources. The parameters can be from external, for example, if these policies are going to be checked in gatekeeper engine, the parameters can be defined in the gatekeeper constraints, or we can directly have default parameters in the file itself, for standardizing the parameters, that we will union these parameters

params = object.union(default_parameters, kubernetes.parameters)

Unit tests

To verify the correctness of the policies, we use OPA testing framework to write the unit tests. Each unit tests will have test functions that need to start with the test in the function name, so they can be picked by the op test the positive case start with the name of test_no_violation and negative starts with test_violation and tests with a policy_input that will be in the same structure of the manifests.

test_violation {
    test.violations(violation) with input as policy_input(true)
}

test_no_violation {
    test.no_violations(violation) with input as policy_input(false)
}

The unit tests files need to have the same package as the rego policy itself. e.g. package cis_5_2_5 will the package name for CIS.5.2.5.rego and CIS.5.2.5_test.rego, so that the unit test will check the policy input against that violation block under the same package.

The opa test output indicates that all of the tests passed or not.

$opa test policies -v
data.spec_volumes_hostpath_path_var_run_docker_sock.test_no_violation: PASS (318.786µs)
data.containers_image_tag.test_violation_1: PASS (512.689µs)
data.containers_image_tag.test_violation_2: PASS (515.964µs)
data.containers_image_tag.test_no_violation: PASS (389.822µs)
data.containers_securitycontext_allowprivilegedeescalation_true.test_violation: PASS (474.668µs)
data.containers_securitycontext_allowprivilegedeescalation_true.test_no_violation: PASS (361.12µs)
--------------------------------------------------------------------------------
PASS: 5/5

How this can be used?

The policy library is written in a standard way that can be used by various tools, such as Conftest and Gatekeeper.

Gatekeeper

The rego policies can be used as a schema in the gatekeeper ConstraintTemplate and constraints can be deployed based on the template onto the Kubernetes clusters for checking the CREATE and UPDATE operations against API server, and gatekeeper also provides AUDIT functions for checking the existing resources against the constraints. Check Gatekeeper to understand more how the constraints can be created.

Conftest

Using conftest to check the structured yaml manifests files that will be deployed to your clusters. Make srue you have installed Conftest(Conftest) and run conftest test a yaml file agaist the policy library

conftest test deployment.yaml -p policies/. --all-namespaces

and the output will indicate if tests passed. An example:

FAIL - deployment.yaml - Containers must not run as root
FAIL - deployment.yaml - Deployments are not allowed

2 tests, 0 passed, 0 warnings, 2 failure

License

FOSSA Status

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].