gardener / diki

Diki is a compliance checker that aims to enhance the security posture of your Kubernetes clusters.
Apache License 2.0

[Security Hardened Shoot Cluster] Rule 2007 Implementation #374

Closed georgibaltiev closed 3 days ago

georgibaltiev commented 6 days ago

What this PR does / why we need it: This PR is an implementation of Rule 2007. It checks the PodSecurity admission plugin of the kube-apiserver and evaluates the restrictions it has, by comparing it to a maximally allowed privilege that can be passed as an argument to the rule in the config file. By default it checks if the PodSecurity plugin has a restriction of baseline or higher.

Which issue(s) this PR fixes: Part of #304

Special notes for your reviewer:

Release note:

Implementation for rule `2007` from the `security-hardened-shoot-cluster` ruleset for provider `garden`.
Argument `minPodSecurityLevel` for rule `254800` from the `disa-k8s-stig` ruleset for provider `gardener` was renamed to `minPodSecurityStandardsProfile`.
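To make the comparison the PR description talks about concrete, here is an added example of how such a check can be expressed in Go. It is not diki's code and does not reproduce the rule's actual implementation; the function and variable names (`CheckPodSecurity`, `effectiveEnforce`, `profileRank`) are hypothetical, and `minProfile` only stands in for the rule argument `minPodSecurityStandardsProfile` named in the release note. The sample admission configurations are constructed inline in JSON (the apiserver reads the same object from a YAML file in practice), and the example assumes the check is about the `enforce` mode, since `audit` and `warn` never reject a pod. One caveat the check has to get right: when the PodSecurity plugin has no entry in the admission configuration, or `defaults.enforce` is absent, the plugin falls back to its built-in default of `privileged`, so an absent setting must count as the most permissive profile rather than as a pass.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Pod Security Standards profiles, ranked from most to least permissive.
var profileRank = map[string]int{"privileged": 0, "baseline": 1, "restricted": 2}

// Minimal model of the kube-apiserver AdmissionConfiguration: only the plugin
// list and, for PodSecurity, the default enforce mode matter to this check.
type admissionConfiguration struct {
	Plugins []struct {
		Name          string          `json:"name"`
		Configuration json.RawMessage `json:"configuration"`
	} `json:"plugins"`
}

type podSecurityConfiguration struct {
	Defaults struct {
		Enforce string `json:"enforce"`
	} `json:"defaults"`
}

// effectiveEnforce returns the enforce profile PodSecurity actually applies.
// A missing plugin entry, missing configuration or missing defaults.enforce
// all fall back to the plugin's built-in default, "privileged", which rejects
// nothing. Only enforce is considered: audit and warn never reject a pod.
func effectiveEnforce(raw []byte) (string, error) {
	var ac admissionConfiguration
	if err := json.Unmarshal(raw, &ac); err != nil {
		return "", fmt.Errorf("parsing AdmissionConfiguration: %w", err)
	}
	for _, p := range ac.Plugins {
		if p.Name != "PodSecurity" {
			continue
		}
		var psc podSecurityConfiguration
		if len(p.Configuration) > 0 {
			if err := json.Unmarshal(p.Configuration, &psc); err != nil {
				return "", fmt.Errorf("parsing PodSecurityConfiguration: %w", err)
			}
		}
		if psc.Defaults.Enforce == "" {
			return "privileged", nil
		}
		return strings.ToLower(psc.Defaults.Enforce), nil
	}
	return "privileged", nil
}

// CheckPodSecurity reports the effective enforce profile and whether it is at
// least as strict as minProfile (hypothetical stand-in for the rule's
// minPodSecurityStandardsProfile argument). Unknown profile names are errors
// rather than silent passes.
func CheckPodSecurity(raw []byte, minProfile string) (enforce string, passed bool, err error) {
	minRank, ok := profileRank[strings.ToLower(minProfile)]
	if !ok {
		return "", false, fmt.Errorf("unknown minimum profile %q", minProfile)
	}
	enforce, err = effectiveEnforce(raw)
	if err != nil {
		return "", false, err
	}
	rank, ok := profileRank[enforce]
	if !ok {
		return enforce, false, fmt.Errorf("unknown enforce profile %q in config", enforce)
	}
	return enforce, rank >= minRank, nil
}

// Constructed sample admission configs in JSON form (the file the apiserver's
// --admission-control-config-file flag points at; YAML on real clusters).
const baselineConfig = `{"apiVersion":"apiserver.config.k8s.io/v1","kind":"AdmissionConfiguration","plugins":[{"name":"PodSecurity","configuration":{"apiVersion":"pod-security.admission.config.k8s.io/v1","kind":"PodSecurityConfiguration","defaults":{"enforce":"baseline","audit":"restricted","warn":"restricted"}}}]}`

const privilegedConfig = `{"apiVersion":"apiserver.config.k8s.io/v1","kind":"AdmissionConfiguration","plugins":[{"name":"PodSecurity","configuration":{"apiVersion":"pod-security.admission.config.k8s.io/v1","kind":"PodSecurityConfiguration","defaults":{"enforce":"privileged"}}}]}`

// No PodSecurity entry at all: the plugin runs with its built-in defaults.
const noPluginConfig = `{"apiVersion":"apiserver.config.k8s.io/v1","kind":"AdmissionConfiguration","plugins":[]}`

func main() {
	for name, c := range map[string]string{"baseline": baselineConfig, "privileged": privilegedConfig, "absent": noPluginConfig} {
		enforce, passed, err := CheckPodSecurity([]byte(c), "baseline")
		fmt.Printf("%-10s enforce=%-10s passed=%v err=%v\n", name, enforce, passed, err)
	}
}
```

Running it with the default minimum of `baseline` passes only the first config; the explicit `privileged` config and the config with no PodSecurity entry both fail, for the same reason. Raising the minimum to `restricted` makes the `baseline` config fail as well, which is the "maximally allowed privilege" knob the PR description refers to.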
AleksandarSavchev commented 6 days ago

Note: the example config should be updated with the new available options.