billimek / k8s-gitops

GitOps principles to define kubernetes cluster state via code

feat(helm): update chart trivy-operator ( 0.23.3 → 0.24.0 ) #3914

Closed renovate[bot] closed 2 weeks ago

renovate[bot] commented 2 weeks ago

Mend Renovate

This PR contains the following updates:

Package Update Change
trivy-operator minor 0.23.3 -> 0.24.0

Release Notes

aquasecurity/helm-charts (trivy-operator) — [v0.24.0](https://togithub.com/aquasecurity/helm-charts/releases/tag/trivy-operator-0.24.0) ([Compare Source](https://togithub.com/aquasecurity/helm-charts/compare/trivy-operator-0.23.3...trivy-operator-0.24.0)): Keeps security report resources updated

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.

github-actions[bot] commented 2 weeks ago

Helm Release Diff: monitoring/trivy/trivy.yaml

--- /tmp/tmp.Uduow7vXHa 2024-07-04 10:29:37.854663896 +0000
+++ /tmp/tmp.fWANLlpMjU 2024-07-04 10:29:39.482676840 +0000
@@ -54,6 +54,7 @@
     ib-systemd\",\"readOnly\":true},{\"mountPath\":\"/etc/kubernetes\",\"name\":\
     \"etc-kubernetes\",\"readOnly\":true},{\"mountPath\":\"/etc/cni/net.d/\",\"\
     name\":\"etc-cni-netd\",\"readOnly\":true}]"
+  scanJob.useGCRServiceAccount: "true"
   scanJob.podTemplateContainerSecurityContext: "{\"allowPrivilegeEscalation\":fal\
     se,\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"readOnlyRoo\
     tFilesystem\":true}"
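Review bot: `scanJob.useGCRServiceAccount: "true"` is a new chart default inherited unchanged rather than a value this repository sets, and its semantics are not visible in the diff; the key name suggests it governs how scan jobs pick up Google registry credentials. Since it lands in the rendered ConfigMap without anyone choosing it, confirm against the chart's values documentation that the default is wanted for this cluster, and if not, override it explicitly in the HelmRelease values so the intent is recorded. The enclosing ConfigMap starts before this hunk.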
@@ -63,22 +64,13 @@
   compliance.failEntriesLimit: "10"
   report.recordFailedChecksOnly: "true"
   trivy.serverURL: "http://trivy-service.default:4954"
-  node.collector.imageRef: "ghcr.io/aquasecurity/node-collector:0.2.1"
+  node.collector.imageRef: "ghcr.io/aquasecurity/node-collector:0.3.1"
   policies.bundle.oci.ref: "ghcr.io/aquasecurity/trivy-checks:0"
   policies.bundle.insecure: "false"

   node.collector.nodeSelector: "true"

 ---
-# Source: trivy-operator/templates/configmaps/policies.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: trivy-operator-policies-config
-  namespace: default
-data:
-
----
 # Source: trivy-operator/templates/configmaps/trivy-operator-config.yaml
 kind: ConfigMap
 apiVersion: v1
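Review bot: The ConfigMap `trivy-operator-policies-config` in namespace `default` disappears from the rendered release, which means Helm will delete it on upgrade; its `data:` was empty here, so nothing is lost, but anything outside the chart that mounts or reads it by name would start failing. Worth a quick search of the repo for that name before merging. The node-collector image bump from 0.2.1 to 0.3.1 in the same hunk affects the component that, per the mounts shown in the first hunk, runs with host paths such as /etc/kubernetes mounted read-only, so it deserves the same scrutiny as the operator image bump rather than being treated as a config-only change.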
@@ -136,7 +128,7 @@
   namespace: default
 data:
   trivy.repository: "ghcr.io/aquasecurity/trivy"
-  trivy.tag: "0.52.0"
+  trivy.tag: "0.53.0"
   trivy.imagePullPolicy: "IfNotPresent"
   trivy.additionalVulnerabilityReportFields: ""
   trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
@@ -747,7 +739,7 @@
       automountServiceAccountToken: true
       containers:
         - name: "trivy-operator"
-          image: "ghcr.io/aquasecurity/trivy-operator:0.21.3"
+          image: "ghcr.io/aquasecurity/trivy-operator:0.22.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: OPERATOR_NAMESPACE
@@ -837,7 +829,7 @@
         runAsUser: 65534
       containers:
         - name: trivy-server
-          image: "ghcr.io/aquasecurity/trivy:0.52.0"
+          image: "ghcr.io/aquasecurity/trivy:0.53.0"
           imagePullPolicy: "IfNotPresent"
           securityContext:
             privileged: false
@@ -889,21 +881,25 @@
           emptyDir: {}

 ---
-# Source: trivy-operator/templates/specs/cis-1.23.yaml
+# Source: trivy-operator/templates/specs/k8s-cis-1.23.yaml
 apiVersion: aquasecurity.github.io/v1alpha1
 kind: ClusterComplianceReport
 metadata:
-  name: cis
+  name: k8s-cis-1.23
+  platform: k8s
+  type: cis
 spec:
   cron: "0 */6 * * *"
   reportType: "summary"
   compliance:
-    id: cis
+    id: k8s-cis-1.23
     title: CIS Kubernetes Benchmarks v1.23
     description: CIS Kubernetes Benchmarks
+    platform: k8s
+    type: cis
     relatedResources:
       - https://www.cisecurity.org/benchmark/kubernetes
-    version: "1.0"
+    version: "1.23"
     controls:
       - id: 1.1.1
         name: Ensure that the API server pod specification file permissions are set to
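Review bot: `platform: k8s` and `type: cis`, the two lines added directly under `metadata:`, are not fields of Kubernetes ObjectMeta; the NSA document later in this diff places them only under `spec.compliance`, where they are also added here. Depending on the API server's field validation they will either be pruned with a warning or, under strict validation, cause the object to be rejected, so this looks like an upstream template mistake worth reporting against the chart rather than patching locally. Separately, renaming the report from `cis` to `k8s-cis-1.23` makes Helm delete the old ClusterComplianceReport and create a new one, so any dashboard or alert keyed on the old name needs updating; the same applies to the `nsa` rename further down.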
@@ -912,6 +908,8 @@
           of 600 or more restrictive
         checks:
           - id: AVD-KCV-0048
+        commands:
+          - id: CMD-0001
         severity: HIGH
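Review bot: The `commands:` list added to control 1.1.1 (and in every sibling hunk through control 4.2.13), together with the `checks: null` lines added to the manual controls later in the diff, only takes effect if the ClusterComplianceReport CRD installed in the cluster already declares these fields. `helm upgrade` does not update CRDs, so unless CRDs are managed separately in this repository, server-side apply will prune `commands` with a warning or reject the object under strict field validation, and the node-collector-backed checks would silently never run. Verifying the CRD version in the cluster before merging would avoid a partial compliance report that still looks healthy. The `controls:` list begins in the previous hunk.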
       - id: 1.1.2
         name: Ensure that the API server pod specification file ownership is set to
@@ -920,6 +918,8 @@
           to root:root
         checks:
           - id: AVD-KCV-0049
+        commands:
+          - id: CMD-0002
         severity: HIGH
       - id: 1.1.3
         name: Ensure that the controller manager pod specification file permissions are
@@ -928,6 +928,8 @@
           permissions of 600 or more restrictive
         checks:
           - id: AVD-KCV-0050
+        commands:
+          - id: CMD-0003
         severity: HIGH
       - id: 1.1.4
         name: Ensure that the controller manager pod specification file ownership is set
@@ -936,6 +938,8 @@
           is set to root:root
         checks:
           - id: AVD-KCV-0051
+        commands:
+          - id: CMD-0004
         severity: HIGH
       - id: 1.1.5
         name: Ensure that the scheduler pod specification file permissions are set to
@@ -944,6 +948,8 @@
           600 or more restrictive
         checks:
           - id: AVD-KCV-0052
+        commands:
+          - id: CMD-0005
         severity: HIGH
       - id: 1.1.6
         name: Ensure that the scheduler pod specification file ownership is set to
@@ -952,6 +958,8 @@
           to root:root
         checks:
           - id: AVD-KCV-0053
+        commands:
+          - id: CMD-0006
         severity: HIGH
       - id: 1.1.7
         name: Ensure that the etcd pod specification file permissions are set to 600 or
@@ -960,6 +968,8 @@
           or more restrictive
         checks:
           - id: AVD-KCV-0054
+        commands:
+          - id: CMD-0007
         severity: HIGH
       - id: 1.1.8
         name: Ensure that the etcd pod specification file ownership is set to root:root
@@ -967,6 +977,8 @@
           root:root.
         checks:
           - id: AVD-KCV-0055
+        commands:
+          - id: CMD-0008
         severity: HIGH
       - id: 1.1.9
         name: Ensure that the Container Network Interface file permissions are set to
@@ -975,6 +987,8 @@
           of 600 or more restrictive
         checks:
           - id: AVD-KCV-0056
+        commands:
+          - id: CMD-0009
         severity: HIGH
       - id: 1.1.10
         name: Ensure that the Container Network Interface file ownership is set to
@@ -983,6 +997,8 @@
           set to root:root
         checks:
           - id: AVD-KCV-0057
+        commands:
+          - id: CMD-0010
         severity: HIGH
       - id: 1.1.11
         name: Ensure that the etcd data directory permissions are set to 700 or more
@@ -991,24 +1007,32 @@
           restrictive
         checks:
           - id: AVD-KCV-0058
+        commands:
+          - id: CMD-0011
         severity: HIGH
       - id: 1.1.12
         name: Ensure that the etcd data directory ownership is set to etcd:etcd
         description: Ensure that the etcd data directory ownership is set to etcd:etcd
         checks:
           - id: AVD-KCV-0059
+        commands:
+          - id: CMD-0012
         severity: LOW
       - id: 1.1.13
         name: Ensure that the admin.conf file permissions are set to 600
         description: Ensure that the admin.conf file has permissions of 600
         checks:
           - id: AVD-KCV-0060
+        commands:
+          - id: CMD-0013
         severity: CRITICAL
       - id: 1.1.14
         name: Ensure that the admin.conf file ownership is set to root:root
         description: Ensure that the admin.conf file ownership is set to root:root
         checks:
           - id: AVD-KCV-0061
+        commands:
+          - id: CMD-0014
         severity: CRITICAL
       - id: 1.1.15
         name: Ensure that the scheduler.conf file permissions are set to 600 or more
@@ -1017,12 +1041,16 @@
           restrictive
         checks:
           - id: AVD-KCV-0062
+        commands:
+          - id: CMD-0015
         severity: HIGH
       - id: 1.1.16
         name: Ensure that the scheduler.conf file ownership is set to root:root
         description: Ensure that the scheduler.conf file ownership is set to root:root
         checks:
           - id: AVD-KCV-0063
+        commands:
+          - id: CMD-0016
         severity: HIGH
       - id: 1.1.17
         name: Ensure that the controller-manager.conf file permissions are set to 600 or
@@ -1031,6 +1059,8 @@
           or more restrictive
         checks:
           - id: AVD-KCV-0064
+        commands:
+          - id: CMD-0017
         severity: HIGH
       - id: 1.1.18
         name: Ensure that the controller-manager.conf file ownership is set to root:root
@@ -1038,6 +1068,8 @@
           root:root.
         checks:
           - id: AVD-KCV-0065
+        commands:
+          - id: CMD-0018
         severity: HIGH
       - id: 1.1.19
         name: Ensure that the Kubernetes PKI directory and file ownership is set to
@@ -1046,6 +1078,8 @@
           to root:root
         checks:
           - id: AVD-KCV-0066
+        commands:
+          - id: CMD-0019
         severity: CRITICAL
       - id: 1.1.20
         name: Ensure that the Kubernetes PKI certificate file permissions are set to 600
@@ -1054,12 +1088,16 @@
           600 or more restrictive
         checks:
           - id: AVD-KCV-0068
+        commands:
+          - id: CMD-0020
         severity: CRITICAL
       - id: 1.1.21
         name: Ensure that the Kubernetes PKI key file permissions are set to 600
         description: Ensure that Kubernetes PKI key files have permissions of 600
         checks:
           - id: AVD-KCV-0067
+        commands:
+          - id: CMD-0021
         severity: CRITICAL
       - id: 1.2.1
         name: Ensure that the --anonymous-auth argument is set to false
@@ -1348,17 +1386,20 @@
           authentication. However as there is no way to revoke these
           certificates when a user leaves an organization or loses their
           credential, they are not suitable for this purpose
+        checks: null
         severity: HIGH
       - id: 3.2.1
         name: Ensure that a minimal audit policy is created (Manual)
         description: Kubernetes can audit the details of requests made to the API
           server. The --audit- policy-file flag must be set for this logging to
           be enabled.
+        checks: null
         severity: HIGH
       - id: 3.2.2
         name: Ensure that the audit policy covers key security concerns (Manual)
         description: Ensure that the audit policy created for the cluster covers key
           security concerns
+        checks: null
         severity: HIGH
       - id: 4.1.1
         name: Ensure that the kubelet service file permissions are set to 600 or more
@@ -1367,12 +1408,16 @@
           restrictive.
         checks:
           - id: AVD-KCV-0069
+        commands:
+          - id: CMD-0022
         severity: HIGH
       - id: 4.1.2
         name: Ensure that the kubelet service file ownership is set to root:root
         description: Ensure that the kubelet service file ownership is set to root:root
         checks:
           - id: AVD-KCV-0070
+        commands:
+          - id: CMD-0023
         severity: HIGH
       - id: 4.1.3
         name: If proxy kubeconfig file exists ensure permissions are set to 600 or more
@@ -1382,6 +1427,8 @@
           of 600 or more restrictive
         checks:
           - id: AVD-KCV-0071
+        commands:
+          - id: CMD-0024
         severity: HIGH
       - id: 4.1.4
         name: If proxy kubeconfig file exists ensure ownership is set to root:root
@@ -1389,6 +1436,8 @@
           kubeconfig file is set to root:root
         checks:
           - id: AVD-KCV-0072
+        commands:
+          - id: CMD-0025
         severity: HIGH
       - id: 4.1.5
         name: Ensure that the --kubeconfig kubelet.conf file permissions are set to 600
@@ -1397,6 +1446,8 @@
           restrictive
         checks:
           - id: AVD-KCV-0073
+        commands:
+          - id: CMD-0026
         severity: HIGH
       - id: 4.1.6
         name: Ensure that the --kubeconfig kubelet.conf file ownership is set to
@@ -1404,6 +1455,8 @@
         description: Ensure that the kubelet.conf file ownership is set to root:root
         checks:
           - id: AVD-KCV-0074
+        commands:
+          - id: CMD-0027
         severity: HIGH
       - id: 4.1.7
         name: Ensure that the certificate authorities file permissions are set to 600 or
@@ -1412,6 +1465,8 @@
           or more restrictive
         checks:
           - id: AVD-KCV-0075
+        commands:
+          - id: CMD-0028
         severity: CRITICAL
       - id: 4.1.8
         name: Ensure that the client certificate authorities file ownership is set to
@@ -1420,6 +1475,8 @@
           root:root
         checks:
           - id: AVD-KCV-0076
+        commands:
+          - id: CMD-0029
         severity: CRITICAL
       - id: 4.1.9
         name: If the kubelet config.yaml configuration file is being used validate
@@ -1429,6 +1486,8 @@
           restrictive
         checks:
           - id: AVD-KCV-0077
+        commands:
+          - id: CMD-0030
         severity: HIGH
       - id: 4.1.10
         name: If the kubelet config.yaml configuration file is being used validate file
@@ -1437,30 +1496,40 @@
           --config argument, that file is owned by root:root
         checks:
           - id: AVD-KCV-0078
+        commands:
+          - id: CMD-0031
         severity: HIGH
       - id: 4.2.1
         name: Ensure that the --anonymous-auth argument is set to false
         description: Disable anonymous requests to the Kubelet server
         checks:
           - id: AVD-KCV-0079
+        commands:
+          - id: CMD-0032
         severity: CRITICAL
       - id: 4.2.2
         name: Ensure that the --authorization-mode argument is not set to AlwaysAllow
         description: Do not allow all requests. Enable explicit authorization
         checks:
           - id: AVD-KCV-0080
+        commands:
+          - id: CMD-0033
         severity: CRITICAL
       - id: 4.2.3
         name: Ensure that the --client-ca-file argument is set as appropriate
         description: Enable Kubelet authentication using certificates
         checks:
           - id: AVD-KCV-0081
+        commands:
+          - id: CMD-0034
         severity: CRITICAL
       - id: 4.2.4
         name: Verify that the --read-only-port argument is set to 0
         description: Disable the read-only port
         checks:
           - id: AVD-KCV-0082
+        commands:
+          - id: CMD-0035
         severity: HIGH
       - id: 4.2.5
         name: Ensure that the --streaming-connection-idle-timeout argument is not set to
@@ -1468,6 +1537,8 @@
         description: Do not disable timeouts on streaming connections
         checks:
           - id: AVD-KCV-0085
+        commands:
+          - id: CMD-0036
         severity: HIGH
       - id: 4.2.6
         name: Ensure that the --protect-kernel-defaults argument is set to true
@@ -1475,18 +1546,24 @@
           kernel parameter values
         checks:
           - id: AVD-KCV-0083
+        commands:
+          - id: CMD-0037
         severity: HIGH
       - id: 4.2.7
         name: Ensure that the --make-iptables-util-chains argument is set to true
         description: Allow Kubelet to manage iptables
         checks:
           - id: AVD-KCV-0084
+        commands:
+          - id: CMD-0038
         severity: HIGH
       - id: 4.2.8
         name: Ensure that the --hostname-override argument is not set
         description: Do not override node hostnames
         checks:
           - id: AVD-KCV-0086
+        commands:
+          - id: CMD-0039
         severity: HIGH
       - id: 4.2.9
         name: Ensure that the --event-qps argument is set to 0 or a level which ensures
@@ -1496,6 +1573,8 @@
           gathered
         checks:
           - id: AVD-KCV-0087
+        commands:
+          - id: CMD-0040
         severity: HIGH
       - id: 4.2.10
         name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are
@@ -1504,18 +1583,25 @@
         checks:
           - id: AVD-KCV-0088
           - id: AVD-KCV-0089
+        commands:
+          - id: CMD-0041
+          - id: CMD-0042
         severity: CRITICAL
       - id: 4.2.11
         name: Ensure that the --rotate-certificates argument is not set to false
         description: Enable kubelet client certificate rotation
         checks:
           - id: AVD-KCV-0090
+        commands:
+          - id: CMD-0043
         severity: CRITICAL
       - id: 4.2.12
         name: Verify that the RotateKubeletServerCertificate argument is set to true
         description: Enable kubelet server certificate rotation
         checks:
           - id: AVD-KCV-0091
+        commands:
+          - id: CMD-0044
         severity: CRITICAL
       - id: 4.2.13
         name: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
@@ -1523,6 +1609,8 @@
           cryptographic ciphers
         checks:
           - id: AVD-KCV-0092
+        commands:
+          - id: CMD-0045
         severity: CRITICAL
       - id: 5.1.1
         name: Ensure that the cluster-admin role is only used where required
@@ -1653,6 +1741,7 @@
         description: There are a variety of CNI plugins available for Kubernetes. If the
           CNI in use does not support Network Policies it may not be possible to
           effectively restrict traffic in the cluster
+        checks: null
         severity: MEDIUM
       - id: 5.3.2
         name: Ensure that all Namespaces have Network Policies defined
@@ -1666,22 +1755,26 @@
         description: Kubernetes supports mounting secrets as data volumes or as
           environment variables. Minimize the use of environment variable
           secrets
+        checks: null
         severity: MEDIUM
       - id: 5.4.2
         name: Consider external secret storage (Manual)
         description: Consider the use of an external secrets storage and management
           system, instead of using Kubernetes Secrets directly, if you have more
           complex secret management needs
+        checks: null
         severity: MEDIUM
       - id: 5.5.1
         name: Configure Image Provenance using ImagePolicyWebhook admission controller
           (Manual)
         description: Configure Image Provenance for your deployment
+        checks: null
         severity: MEDIUM
       - id: 5.7.1
         name: Create administrative boundaries between resources using namespaces
           (Manual)
         description: Use namespaces to isolate your Kubernetes objects
+        checks: null
         severity: MEDIUM
       - id: 5.7.2
         name: Ensure that the seccomp profile is set to docker/default in your pod
@@ -1710,16 +1803,18 @@
         severity: MEDIUM

 ---
-# Source: trivy-operator/templates/specs/nsa-1.0.yaml
+# Source: trivy-operator/templates/specs/k8s-nsa-1.0.yaml
 apiVersion: aquasecurity.github.io/v1alpha1
 kind: ClusterComplianceReport
 metadata:
-  name: nsa
+  name: k8s-nsa-1.0
 spec:
   cron: "0 */6 * * *"
   reportType: "summary"
   compliance:
-    id: nsa
+    id: k8s-nsa-1.0
+    platform: k8s
+    type: nsa
     title: National Security Agency - Kubernetes Hardening Guidance v1.0
     description: National Security Agency - Kubernetes Hardening Guidance
     relatedResources:
@@ -1727,406 +1822,409 @@
     version: "1.0"
     controls:
       - name: Non-root containers
-        description: 'Check that container is not running as root'
-        id: '1.0'
+        description: Check that container is not running as root
+        id: "1.0"
         checks:
           - id: AVD-KSV-0012
-        severity: 'MEDIUM'
+        severity: MEDIUM
       - name: Immutable container file systems
-        description: 'Check that container root file system is immutable'
-        id: '1.1'
+        description: Check that container root file system is immutable
+        id: "1.1"
         checks:
           - id: AVD-KSV-0014
-        severity: 'LOW'
+        severity: LOW
       - name: Preventing privileged containers
-        description: 'Controls whether Pods can run privileged containers'
-        id: '1.2'
+        description: Controls whether Pods can run privileged containers
+        id: "1.2"
         checks:
           - id: AVD-KSV-0017
-        severity: 'HIGH'
+        severity: HIGH
       - name: Share containers process namespaces
-        description: 'Controls whether containers can share process namespaces'
-        id: '1.3'
+        description: Controls whether containers can share process namespaces
+        id: "1.3"
         checks:
           - id: AVD-KSV-0008
-        severity: 'HIGH'
+        severity: HIGH
       - name: Share host process namespaces
-        description: 'Controls whether share host process namespaces'
-        id: '1.4'
+        description: Controls whether share host process namespaces
+        id: "1.4"
         checks:
           - id: AVD-KSV-0009
-        severity: 'HIGH'
+        severity: HIGH
       - name: Use the host network
-        description: 'Controls whether containers can use the host network'
-        id: '1.5'
+        description: Controls whether containers can use the host network
+        id: "1.5"
         checks:
           - id: AVD-KSV-0010
-        severity: 'HIGH'
+        severity: HIGH
       - name: Run with root privileges or with root group membership
-        description: 'Controls whether container applications can run with root
-          privileges or with root group membership'
-        id: '1.6'
+        description: Controls whether container applications can run with root
+          privileges or with root group membership
+        id: "1.6"
         checks:
           - id: AVD-KSV-0029
-        severity: 'LOW'
+        severity: LOW
       - name: Restricts escalation to root privileges
-        description: 'Control check restrictions escalation to root privileges'
-        id: '1.7'
+        description: Control check restrictions escalation to root privileges
+        id: "1.7"
         checks:
           - id: AVD-KSV-0001
-        severity: 'MEDIUM'
+        severity: MEDIUM
       - name: Sets the SELinux context of the container
-        description: 'Control checks if pod sets the SELinux context of the container'
-        id: '1.8'
+        description: Control checks if pod sets the SELinux context of the container
+        id: "1.8"
         checks:
           - id: AVD-KSV-0002
-        severity: 'MEDIUM'
+        severity: MEDIUM
       - name: Restrict a container's access to resources with AppArmor
-        description: 'Control checks the restriction of containers access to resources
-          with AppArmor'
-        id: '1.9'
+        description: Control checks the restriction of containers access to resources
+          with AppArmor
+        id: "1.9"
         checks:
           - id: AVD-KSV-0030
-        severity: 'MEDIUM'
+        severity: MEDIUM
       - name: Sets the seccomp profile used to sandbox containers.
-        description: 'Control checks the sets the seccomp profile used to sandbox
-          containers'
-        id: '1.10'
+        description: Control checks the sets the seccomp profile used to sandbox containers
+        id: "1.10"
         checks:
           - id: AVD-KSV-0030
-        severity: 'LOW'
+        severity: LOW
       - name: Protecting Pod service account tokens
-        description: 'Control check whether disable secret token been mount
-          ,automountServiceAccountToken: false'
-        id: '1.11'
+        description: "Control check whether disable secret token been mount
+          ,automountServiceAccountToken: false"
+        id: "1.11"
         checks:
           - id: AVD-KSV-0036
-        severity: 'MEDIUM'
+        severity: MEDIUM
       - name: Namespace kube-system should not be used by users
-        description: 'Control check whether Namespace kube-system is not be used by users'
-        id: '1.12'
-        defaultStatus: 'FAIL'
+        description: Control check whether Namespace kube-system is not be used by users
+        id: "1.12"
+        defaultStatus: FAIL
         checks:
           - id: AVD-KSV-0037
-        severity: 'MEDIUM'
+        severity: MEDIUM
       - name: Pod and/or namespace Selectors usage
-        description: 'Control check validate the pod and/or namespace Selectors usage'
-        id: '2.0'
-        defaultStatus: 'FAIL'
+        description: Control check validate the pod and/or namespace Selectors usage
+        id: "2.0"
+        defaultStatus: FAIL
         checks:
           - id: AVD-KSV-0038
-        severity: 'MEDIUM'
+        severity: MEDIUM
       - name: Use CNI plugin that supports NetworkPolicy API (Manual)
-        description: 'Control check whether check cni plugin installed'
-        id: '3.0'
-        defaultStatus: 'FAIL'
-        severity: 'CRITICAL'
+        description: Control check whether check cni plugin installed
+        id: "3.0"
+        defaultStatus: FAIL
+        severity: CRITICAL
       - name: Use ResourceQuota policies to limit resources
-        description: 'Control check the use of ResourceQuota policy to limit aggregate
-          resource usage within namespace'
-        id: '4.0'
-        defaultStatus: 'FAIL'
+        description: Control check the use of ResourceQuota policy to limit aggregate
+          resource usage within namespace
+        id: "4.0"
+        defaultStatus: FAIL
         checks:
           - id: AVD-KSV-0040
-        severity: 'MEDIUM'
+        severity: MEDIUM
       - name: Use LimitRange policies to limit resources
-        description: 'Control check the use of LimitRange policy limit resource usage
-          for namespaces or nodes'
-        id: '4.1'
-        defaultStatus: 'FAIL'
+        description: Control check the use of LimitRange policy limit resource usage for
+          namespaces or nodes
+        id: "4.1"
+        defaultStatus: FAIL
         checks:
           - id: AVD-KSV-0039
-        severity: 'MEDIUM'
+        severity: MEDIUM
       - name: Control plan disable insecure port (Manual)
-        description: 'Control check whether control plan disable insecure port'
-        id: '5.0'
-        defaultStatus: 'FAIL'
-        severity: 'CRITICAL'
+        description: Control check whether control plan disable insecure port
+        id: "5.0"
+        defaultStatus: FAIL
+        severity: CRITICAL
       - name: Encrypt etcd communication
-        description: 'Control check whether etcd communication is encrypted'
-        id: '5.1'
+        description: Control check whether etcd communication is encrypted
+        id: "5.1"
         checks:
           - id: AVD-KCV-0030
-        severity: 'CRITICAL'
+        severity: CRITICAL
       - name: Ensure kube config file permission (Manual)
-        description: 'Control check whether kube config file permissions'
-        id: '6.0'
-        defaultStatus: 'FAIL'
-        severity: 'CRITICAL'
+        description: Control check whether kube config file permissions
+        id: "6.0"
+        defaultStatus: FAIL
+        severity: CRITICAL
       - name: Check that encryption resource has been set
-        description: 'Control checks whether encryption resource has been set'
-        id: '6.1'
+        description: Control checks whether encryption resource has been set
+        id: "6.1"
         checks:
           - id: AVD-KCV-0029
-        severity: 'CRITICAL'
+        severity: CRITICAL
       - name: Check encryption provider
-        description: 'Control checks whether encryption provider has been set'
-        id: '6.2'
+        description: Control checks whether encryption provider has been set
+        id: "6.2"
         checks:
           - id: AVD-KCV-0004
-        severity: 'CRITICAL'
+        severity: CRITICAL
       - name: Make sure anonymous-auth is unset
-        description: 'Control checks whether anonymous-auth is unset'
-        id: '7.0'
+        description: Control checks whether anonymous-auth is unset
+        id: "7.0"
         checks:
           - id: AVD-KCV-0001
-        severity: 'CRITICAL'
+        severity: CRITICAL
       - name: Make sure -authorization-mode=RBAC
-        description: 'Control check whether RBAC permission is in use'
-        id: '7.1'
+        description: Control check whether RBAC permission is in use
+        id: "7.1"
         checks:
           - id: AVD-KCV-0008
-        severity: 'CRITICAL'
+        severity: CRITICAL
       - name: Audit policy is configure (Manual)
-        description: 'Control check whether audit policy is configure'
-        id: '8.0'
-        defaultStatus: 'FAIL'
-        severity: 'HIGH'
+        description: Control check whether audit policy is configure
+        id: "8.0"
+        defaultStatus: FAIL
+        severity: HIGH
       - name: Audit log path is configure
-        description: 'Control check whether audit log path is configure'
-        id: '8.1'
+        description: Control check whether audit log path is configure
+        id: "8.1"
         checks:
           - id: AVD-KCV-0019
-        severity: 'MEDIUM'
+        severity: MEDIUM
       - name: Audit log aging
-        description: 'Control check whether audit log aging is configure'
-        id: '8.2'
+        description: Control check whether audit log aging is configure
+        id: "8.2"
         checks:
           - id: AVD-KCV-0020
-        severity: 'MEDIUM'
+        severity: MEDIUM

 ---
-# Source: trivy-operator/templates/specs/pss-baseline.yaml
+# Source: trivy-operator/templates/specs/k8s-pss-baseline-0.1.yaml
 apiVersion: aquasecurity.github.io/v1alpha1
 kind: ClusterComplianceReport
 metadata:
-  name: pss-baseline
+  name: k8s-pss-baseline-0.1
 spec:
   cron: "0 */6 * * *"
   reportType: "summary"
   compliance:
-    id: pss-baseline
+    id: k8s-pss-baseline-0.1
+    platform: eks
+    type: pss-baseline
     title: Kubernetes Pod Security Standards - Baseline
     description: Kubernetes Pod Security Standards - Baseline
     relatedResources:
       - https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
-    version: '0.1'
+    version: "0.1"
     controls:
       - name: HostProcess
         description: Windows pods offer the ability to run HostProcess containers which
           enables privileged access to the Windows node. Privileged access to
           the host is disallowed in the baseline policy
-        id: '1'
+        id: "1"
         checks:
           - id: AVD-KSV-0103
-        severity: 'HIGH'
+        severity: HIGH
       - name: Host Namespaces
         description: Sharing the host namespaces must be disallowed.
-        id: '2'
+        id: "2"
         checks:
           - id: AVD-KSV-0008
-        severity: 'HIGH'
+        severity: HIGH
       - name: Privileged Containers
         description: Privileged Pods disable most security mechanisms and must be
           disallowed.
-        id: '3'
+        id: "3"
         checks:
           - id: AVD-KSV-0017
-        severity: 'HIGH'
+        severity: HIGH
       - name: Capabilities
         description: Adding additional capabilities beyond those listed below must be
           disallowed.
-        id: '4'
+        id: "4"
         checks:
           - id: AVD-KSV-0022
-        severity: 'MEDIUM'
+        severity: MEDIUM
       - name: HostPath Volumes
         description: HostPath volumes must be forbidden.
-        id: '5'
+        id: "5"
         checks:
-          - id: 'AVD-KSV-0023'
-        severity: 'MEDIUM'
+          - id: AVD-KSV-0023
+        severity: MEDIUM
       - name: host ports
         description: hostports should be disallowed, or at minimum restricted to a known
           list.
-        id: '6'
+        id: "6"
         checks:
           - id: avd-ksv-0024
-        severity: 'HIGH'
+        severity: HIGH
       - name: AppArmor
         description: On supported hosts, the runtime/default AppArmor profile is applied
           by default. The baseline policy should prevent overriding or disabling
           the default AppArmor profile, or restrict overrides to an allowed set
           of profiles.
-        id: '7'
+        id: "7"
         checks:
           - id: avd-ksv-0002
-        severity: 'HIGH'
+        severity: HIGH
       - name: SELinux
         description: Setting the SELinux type is restricted, and setting a custom
           SELinux user or role option is forbidden.
-        id: '8'
+        id: "8"
         checks:
           - id: avd-ksv-0025
-        severity: 'MEDIUM'
+        severity: MEDIUM
       - name: /proc Mount Type
         description: The default /proc masks are set up to reduce attack surface, and
           should be required.
-        id: '9'
+        id: "9"
         checks:
           - id: avd-ksv-0027
-        severity: 'MEDIUM'
+        severity: MEDIUM
       - name: Seccomp
         description: Seccomp profile must not be explicitly set to Unconfined.
-        id: '10'
+        id: "10"
         checks:
           - id: avd-ksv-0104
-        severity: 'MEDIUM'
+        severity: MEDIUM
       - name: Sysctls
         description: Sysctls can disable security mechanisms or affect all containers on
           a host, and should be disallowed except for an allowed 'safe' subset.
           A sysctl is considered safe if it is namespaced in the container or
           the Pod, and it is isolated from other Pods or processes on the same
           Node.
-        id: '11'
+        id: "11"
         checks:
           - id: avd-ksv-0026
-        severity: 'MEDIUM'
+        severity: MEDIUM

 ---
-# Source: trivy-operator/templates/specs/pss-restricted.yaml
+# Source: trivy-operator/templates/specs/k8s-pss-restricted-0.1.yaml
 apiVersion: aquasecurity.github.io/v1alpha1
 kind: ClusterComplianceReport
 metadata:
-  name: pss-restricted
+  name: k8s-pss-restricted-0.1
 spec:
   cron: "0 */6 * * *"
   reportType: "summary"
   compliance:
-    id: pss-restricted
+    id: k8s-pss-restricted-0.1
+    platform: k8s
+    type: pss-restricted
     title: Kubernetes Pod Security Standards - Restricted
     description: Kubernetes Pod Security Standards - Restricted
     relatedResources:
       - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
-    version: '0.1'
+    version: "0.1"
     controls:
       - name: HostProcess
         description: Windows pods offer the ability to run HostProcess containers which
           enables privileged access to the Windows node. Privileged access to
           the host is disallowed in the baseline policy
-        id: '1'
+        id: "1"
         checks:
           - id: AVD-KSV-0103
-        severity: 'HIGH'
+        severity: HIGH
       - name: Host Namespaces
         description: Sharing the host namespaces must be disallowed.
-        id: '2'
+        id: "2"
         checks:
           - id: AVD-KSV-0008
-        severity: 'HIGH'
+        severity: HIGH
       - name: Privileged Containers
         description: Privileged Pods disable most security mechanisms and must be
           disallowed.
-        id: '3'
+        id: "3"
         checks:
           - id: AVD-KSV-0017
-        severity: 'HIGH'
+        severity: HIGH
       - name: Capabilities
         description: Adding additional capabilities beyond those listed below must be
           disallowed.
-        id: '4'
+        id: "4"
         checks:
           - id: AVD-KSV-0022
-        severity: 'MEDIUM'
+        severity: MEDIUM
       - name: HostPath Volumes
         description: HostPath volumes must be forbidden.
-        id: '5'
+        id: "5"
         checks:
           - id: AVD-KSV-0023
-        severity: 'MEDIUM'
+        severity: MEDIUM
       - name: host ports
         description: hostports should be disallowed, or at minimum restricted to a known
           list.
-        id: '6'
+        id: "6"
         checks:
           - id: avd-ksv-0024
-        severity: 'HIGH'
+        severity: HIGH
       - name: AppArmor
         description: On supported hosts, the runtime/default AppArmor profile is applied
           by default. The baseline policy should prevent overriding or disabling
           the default AppArmor profile, or restrict overrides to an allowed set
           of profiles.
-        id: '7'
+        id: "7"
         checks:
           - id: avd-ksv-0002
-        severity: 'HIGH'
+        severity: HIGH
       - name: SELinux
         description: Setting the SELinux type is restricted, and setting a custom
           SELinux user or role option is forbidden.
-        id: '8'
+        id: "8"
         checks:
           - id: avd-ksv-0025
-        severity: 'MEDIUM'
+        severity: MEDIUM
       - name: /proc Mount Type
         description: The default /proc masks are set up to reduce attack surface, and
           should be required.
-        id: '9'
+        id: "9"
         checks:
           - id: avd-ksv-0027
-        severity: 'MEDIUM'
+        severity: MEDIUM
       - name: Seccomp
         description: Seccomp profile must not be explicitly set to Unconfined.
-        id: '10'
+        id: "10"
         checks:
           - id: avd-ksv-0104
-        severity: 'MEDIUM'
+        severity: MEDIUM
       - name: Sysctls
         description: Sysctls can disable security mechanisms or affect all containers on
           a host, and should be disallowed except for an allowed 'safe' subset.
           A sysctl is considered safe if it is namespaced in the container or
           the Pod, and it is isolated from other Pods or processes on the same
           Node.
-        id: '11'
+        id: "11"
         checks:
           - id: avd-ksv-0026
-        severity: 'MEDIUM'
+        severity: MEDIUM
       - name: Volume Types
         description: The restricted policy only permits specific volume types.
-        id: '12'
+        id: "12"
         checks:
           - id: avd-ksv-0028
         severity: LOW
       - name: Privilege Escalation
         description: Privilege escalation (such as via set-user-ID or set-group-ID file
           mode) should not be allowed.
-        id: '13'
+        id: "13"
         checks:
           - id: avd-ksv-0001
-        severity: 'MEDIUM'
+        severity: MEDIUM
       - name: Running as Non-root
         description: Containers must be required to run as non-root users.
-        id: '14'
+        id: "14"
         checks:
           - id: avd-ksv-0012
-        severity: 'MEDIUM'
+        severity: MEDIUM
       - name: Running as Non-root user
         description: Containers must not set runAsUser to 0
-        id: '15'
+        id: "15"
         checks:
           - id: avd-ksv-0105
-        severity: 'LOW'
+        severity: LOW
       - name: Seccomp
         description: Seccomp profile must be explicitly set to one of the allowed
           values. Both the Unconfined profile and the absence of a profile are
           prohibited
-        id: '16'
+        id: "16"
         checks:
           - id: avd-ksv-0030
-        severity: 'LOW'
+        severity: LOW
       - name: Capabilities
         description: Containers must drop ALL capabilities, and are only permitted to
           add back the NET_BIND_SERVICE capability.
-        id: '17'
+        id: "17"
         checks:
           - id: avd-ksv-0106
-        severity: 'LOW'
+        severity: LOW