Merge pull request #1590 from PhilipGough/kubescape-1

Document security audit exceptions for node-exporter
This commit is contained in:
Philip Gough
2022-01-27 09:59:22 +00:00
committed by GitHub
4 changed files with 43 additions and 2 deletions


@@ -65,8 +65,8 @@ kubeconform: crdschemas manifests $(KUBECONFORM_BIN)
$(KUBECONFORM_BIN) -kubernetes-version $(KUBE_VERSION) -schema-location 'default' -schema-location 'crdschemas/{{ .ResourceKind }}.json' -skip CustomResourceDefinition manifests/ $(KUBECONFORM_BIN) -kubernetes-version $(KUBE_VERSION) -schema-location 'default' -schema-location 'crdschemas/{{ .ResourceKind }}.json' -skip CustomResourceDefinition manifests/
.PHONY: kubescape .PHONY: kubescape
kubescape: $(KUBESCAPE_BIN) ## Runs a security analysis on generated manifests - failing if risk score is above 40% kubescape: $(KUBESCAPE_BIN) ## Runs a security analysis on generated manifests - failing if risk score is above threshold percentage 't'
$(KUBESCAPE_BIN) scan -s framework -t 30 nsa manifests/*.yaml $(KUBESCAPE_BIN) scan -s framework -t 25 nsa manifests/*.yaml --exceptions 'kubescape-exceptions.json'
.PHONY: fmt .PHONY: fmt
fmt: $(JSONNETFMT_BIN) fmt: $(JSONNETFMT_BIN)
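Review bot: the help text on the `kubescape` target now says the scan fails when the risk score is above "threshold percentage 't'", but the recipe still hardcodes the value (`-t 25`), so there is no `t` a reader can set. Consider a Make variable, e.g. `KUBESCAPE_THRESHOLD ?= 25` and `$(KUBESCAPE_BIN) scan -s framework -t $(KUBESCAPE_THRESHOLD) nsa manifests/*.yaml --exceptions 'kubescape-exceptions.json'`, so the comment is accurate and CI can tighten or relax the threshold without editing the Makefile. Lowering the threshold from 30 to 25 in the same change that introduces the exceptions file also makes it hard to tell which of the two keeps the build green; a sentence in docs/security.md stating the current threshold would help future readers.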


@@ -50,6 +50,7 @@ If you are migrating from `release-0.7` branch or earlier please read [what chan
- [Customization Examples](#customization-examples) - [Customization Examples](#customization-examples)
- [Minikube Example](#minikube-example) - [Minikube Example](#minikube-example)
- [Continuous Delivery](#continuous-delivery) - [Continuous Delivery](#continuous-delivery)
- [Security](docs/security.md)
- [Troubleshooting](#troubleshooting) - [Troubleshooting](#troubleshooting)
- [Error retrieving kubelet metrics](#error-retrieving-kubelet-metrics) - [Error retrieving kubelet metrics](#error-retrieving-kubelet-metrics)
- [Authentication problem](#authentication-problem) - [Authentication problem](#authentication-problem)
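Review bot: the new `[Security](docs/security.md)` entry is the only item in this table of contents that links to a separate file; every neighbour is an in-page `#...` anchor. That works, but for consistency consider adding a short `## Security` section to the README that points to `docs/security.md`, so the ToC entry can use the same anchor style as its siblings and readers scrolling the README still find the topic.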

docs/security.md Normal file

@@ -0,0 +1,11 @@
## Security
The manifests generated in this repository are subject to a security audit in CI via [kubescape](https://github.com/armosec/kubescape).
The scan can be run locally via `make kubescape`.
While we aim for best practices in terms of security by default, due to the nature of the project, we are required to make the exceptions in the following components:
#### node-exporter
* Host Port is set. https://hub.armo.cloud/docs/c-0044 is not relevant since node-exporter is considered as a core platform component running as a DaemonSet.
* Host PID is set to `true`, since node-exporter requires direct access to the host namespace to gather statistics.
* Host Network is set to `true`, since node-exporter requires direct access to the host network to gather statistics.
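Review bot: the document tells readers that exceptions exist but not where they are defined or what they do; add a line stating that they live in `kubescape-exceptions.json` at the repository root, are passed to the scan with `--exceptions`, and are declared `alertOnly` in that file, so the findings still appear in the scan report and are only excluded from the pass/fail threshold. Two smaller points: the heading jumps from `## Security` to `#### node-exporter` (skipping `###`), and in the first bullet the bare URL reads better as a link, e.g. `[C-0044](https://hub.armo.cloud/docs/c-0044)`, with "is considered as a core platform component" shortened to "is considered a core platform component".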

kubescape-exceptions.json Normal file

@@ -0,0 +1,29 @@
[
{
"name": "exclude-node-exporter-host-access-checks",
"policyType": "postureExceptionPolicy",
"actions": [
"alertOnly"
],
"resources": [
{
"designatorType": "Attributes",
"attributes": {
"kind": "DaemonSet",
"name": "node-exporter"
}
}
],
"posturePolicies": [
{
"controlName": "Container hostPort"
},
{
"controlName": "Host PID/IPC privileges"
},
{
"controlName": "HostNetwork access"
}
]
}
]
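Review bot: the `Attributes` designator matches on `kind` and `name` only, with no `namespace`, so any DaemonSet named `node-exporter` in any namespace that is scanned inherits the exception, not just the one generated by this repository; add a `"namespace"` attribute set to the namespace the manifests deploy node-exporter into. Two further points: matching on `controlName` strings ties the exceptions to kubescape's display names, which can be reworded between releases, whereas the control IDs (the hostPort control is linked as `c-0044` in docs/security.md) are stable, so if the exception schema in use accepts `controlID`, prefer it alongside or instead of `controlName`; and because the action is `alertOnly`, it is worth stating in docs/security.md that these three findings will still be listed in every scan and are only excluded from the failure score, so nobody mistakes them for regressions.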