☂ Implement `Garden` provider & `Security Hardened Shoot Cluster` ruleset

[AleksandarSavchev]

What would you like to be added: A Garden provider that has access to the garden cluster can be implemented:

• [X] Add Garden provider https://github.com/gardener/diki/pull/305

A new ruleset should also be created for the Garden provider. This ruleset can be named Security Hardened Shoot Cluster which checks targeted Shoot resource by Project and Shoot name. The ruleset should reference DISA K8s STIG rules, which can be checked in the Shoot spec and also add additional rules.

• [X] Add Security Hardened Shoot Cluster ruleset guide https://github.com/gardener/diki/pull/308

• [x] Implement rules

  • [x] 1000 Shoot clusters should enable required extensions. https://github.com/gardener/diki/pull/381
  • [x] 2000 Shoot clusters must have anonymous authentication disabled for the Kubernetes API server. https://github.com/gardener/diki/pull/362
  • [x] 2001 Kubernetes Worker Nodes must have ssh access disabled. https://github.com/gardener/diki/pull/358
  • [x] 2002 Shoot clusters must not have Alpha APIs enabled for any Kubernetes component. https://github.com/gardener/diki/pull/360
  • [X] 2003 Shoot clusters must enable kernel protection for Kubelets. https://github.com/gardener/diki/pull/343
  • [x] 2004 Shoot clusters must have ValidatingAdmissionWebhook admission plugin enabled. https://github.com/gardener/diki/pull/365
  • [X] 2005 Shoot clusters must not disable timeouts for Kubelet. https://github.com/gardener/diki/pull/363
  • [x] 2006 Shoot clusters must have static token kubeconfig disabled. https://github.com/gardener/diki/pull/366
  • [x] 2007 Shoot clusters must have a PodSecurity admission plugin configured. https://github.com/gardener/diki/pull/374

Update usage documentation:

• [x] add new usage documentation for running the Security Hardened Shoot Cluster ruleset https://github.com/gardener/diki/pull/384

[AleksandarSavchev]

/assign @georgibaltiev

[dimityrmirchev]

/close