feat(helm): update chart trivy-operator ( 0.23.3 → 0.24.0 ) #3914
Merged
| datasource | package        | from   | to     |
| ---------- | -------------- | ------ | ------ |
| helm       | trivy-operator | 0.23.3 | 0.24.0 |

Signed-off-by: Jeff Billimek <billimek@users.noreply.github.com>

Helm Release Diff:

--- /tmp/tmp.Uduow7vXHa 2024-07-04 10:29:37.854663896 +0000
+++ /tmp/tmp.fWANLlpMjU 2024-07-04 10:29:39.482676840 +0000
@@ -54,6 +54,7 @@
ib-systemd\",\"readOnly\":true},{\"mountPath\":\"/etc/kubernetes\",\"name\":\
\"etc-kubernetes\",\"readOnly\":true},{\"mountPath\":\"/etc/cni/net.d/\",\"\
name\":\"etc-cni-netd\",\"readOnly\":true}]"
+ scanJob.useGCRServiceAccount: "true"
scanJob.podTemplateContainerSecurityContext: "{\"allowPrivilegeEscalation\":fal\
se,\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"readOnlyRoo\
tFilesystem\":true}"
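Review bot: `scanJob.useGCRServiceAccount: "true"` is a new key in the rendered operator ConfigMap that the 0.23.3 release did not emit, and it comes from the chart's new default rather than from any values change visible in this PR, so a behaviour is being switched on silently. Confirm the chart documents the key and that `true` is wanted on clusters that are not on GCP; if not, set it explicitly in the release values instead of inheriting the upstream default. The scan-job security context in the same hunk (`allowPrivilegeEscalation: false`, `drop: ["ALL"]`, `readOnlyRootFilesystem: true`) is unchanged and remains the right baseline.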
@@ -63,22 +64,13 @@
compliance.failEntriesLimit: "10"
report.recordFailedChecksOnly: "true"
trivy.serverURL: "http://trivy-service.default:4954"
- node.collector.imageRef: "ghcr.io/aquasecurity/node-collector:0.2.1"
+ node.collector.imageRef: "ghcr.io/aquasecurity/node-collector:0.3.1"
policies.bundle.oci.ref: "ghcr.io/aquasecurity/trivy-checks:0"
policies.bundle.insecure: "false"
node.collector.nodeSelector: "true"
---
-# Source: trivy-operator/templates/configmaps/policies.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: trivy-operator-policies-config
- namespace: default
-data:
-
----
# Source: trivy-operator/templates/configmaps/trivy-operator-config.yaml
kind: ConfigMap
apiVersion: v1
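Review bot: the `trivy-operator-policies-config` ConfigMap is removed from the release, so if anything in this deployment writes custom checks into that ConfigMap (or a kustomize patch targets it), those checks stop being consumed after the upgrade; checks now come only from `policies.bundle.oci.ref: "ghcr.io/aquasecurity/trivy-checks:0"`. That ref is a floating major tag and `policies.bundle.insecure: "false"` only controls whether an insecure registry connection is allowed, not bundle integrity, so consider pinning the bundle to a digest. The node-collector bump 0.2.1 -> 0.3.1 is a minor-version jump for a component that runs on every node with read-only host mounts of `/etc/kubernetes` and `/etc/cni/net.d/` (visible in the preceding hunk), so its changelog deserves a read before merge.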
@@ -136,7 +128,7 @@
namespace: default
data:
trivy.repository: "ghcr.io/aquasecurity/trivy"
- trivy.tag: "0.52.0"
+ trivy.tag: "0.53.0"
trivy.imagePullPolicy: "IfNotPresent"
trivy.additionalVulnerabilityReportFields: ""
trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
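Review bot: `trivy.tag` moves to 0.53.0, a mutable tag combined with `trivy.imagePullPolicy: "IfNotPresent"`, so a node that already cached a retagged 0.53.0 image keeps running it and the deployed scanner is not reproducible from the manifest. Prefer pinning scan images by digest, or at least verify the tag's signature before rolling out. The trivy-server image later in this diff is bumped to the same 0.53.0, which keeps the scan jobs and the server in lock-step; keep that pairing whenever either value is overridden.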
@@ -747,7 +739,7 @@
automountServiceAccountToken: true
containers:
- name: "trivy-operator"
- image: "ghcr.io/aquasecurity/trivy-operator:0.21.3"
+ image: "ghcr.io/aquasecurity/trivy-operator:0.22.0"
imagePullPolicy: IfNotPresent
env:
- name: OPERATOR_NAMESPACE
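Review bot: the operator goes 0.21.3 -> 0.22.0, and the same diff changes the shape of the ClusterComplianceReport objects (new `platform`/`type` fields under `compliance`, `commands` lists under checks). `helm upgrade` does not update CRDs, so if the CRDs were installed by the chart rather than managed separately, confirm the v1alpha1 schema present in the cluster accepts these fields before merging; otherwise they may be pruned on admission and the new specs will not behave as intended. `automountServiceAccountToken: true` on the operator pod is unchanged and required for it to reach the API server.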
@@ -837,7 +829,7 @@
runAsUser: 65534
containers:
- name: trivy-server
- image: "ghcr.io/aquasecurity/trivy:0.52.0"
+ image: "ghcr.io/aquasecurity/trivy:0.53.0"
imagePullPolicy: "IfNotPresent"
securityContext:
privileged: false
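Review bot: trivy-server 0.52.0 -> 0.53.0 matches the `trivy.tag` change in the ConfigMap hunk above, which is the pairing you want. Note from the surrounding context that the server is reached at `http://trivy-service.default:4954`, plaintext in-cluster, and nothing in this diff adds authentication between scan jobs and the server; if scan jobs and the server run in different namespaces or trust domains, add a network policy or the operator's server-token configuration rather than relying on the namespace boundary. `runAsUser: 65534` and `privileged: false` on the server pod are unchanged.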
@@ -889,21 +881,25 @@
emptyDir: {}
---
-# Source: trivy-operator/templates/specs/cis-1.23.yaml
+# Source: trivy-operator/templates/specs/k8s-cis-1.23.yaml
apiVersion: aquasecurity.github.io/v1alpha1
kind: ClusterComplianceReport
metadata:
- name: cis
+ name: k8s-cis-1.23
+ platform: k8s
+ type: cis
spec:
cron: "0 */6 * * *"
reportType: "summary"
compliance:
- id: cis
+ id: k8s-cis-1.23
title: CIS Kubernetes Benchmarks v1.23
description: CIS Kubernetes Benchmarks
+ platform: k8s
+ type: cis
relatedResources:
- https://www.cisecurity.org/benchmark/kubernetes
- version: "1.0"
+ version: "1.23"
controls:
- id: 1.1.1
name: Ensure that the API server pod specification file permissions are set to
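Review bot: `platform: k8s` and `type: cis` appear under `metadata:` (directly after `name: k8s-cis-1.23`) as well as under `spec.compliance`. ObjectMeta has no `platform` or `type` fields, so the API server will drop them with a warning, or reject the object under strict field validation; the NSA, PSS-baseline and PSS-restricted specs later in this diff only carry them under `compliance`, which is the right place. Suggest removing the two lines from metadata. Separately, renaming the report from `cis` to `k8s-cis-1.23` means Helm deletes the old `cis` object and its accumulated status on upgrade, and anything that selects the report by name (dashboards, alerts, kubectl scripts) needs updating.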
@@ -912,6 +908,8 @@
of 600 or more restrictive
checks:
- id: AVD-KCV-0048
+ commands:
+ - id: CMD-0001
severity: HIGH
- id: 1.1.2
name: Ensure that the API server pod specification file ownership is set to
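Review bot: every node-level check from here on gains a `commands` list (`CMD-0001` under `AVD-KCV-0048`, then sequential ids through the 1.1.x, 4.1.x and 4.2.x controls below). These command ids are executed on the host by the node-collector, whose image this same diff moves to 0.3.1; if a deployment overrides `node.collector.imageRef` (for example to a mirrored registry), that override must move to a 0.3.x build too or the command-based checks may not be evaluated. The id-to-command mapping is not in the chart, so review the matching commands in the trivy-checks bundle before merge, since they run with host file-system access.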
@@ -920,6 +918,8 @@
to root:root
checks:
- id: AVD-KCV-0049
+ commands:
+ - id: CMD-0002
severity: HIGH
- id: 1.1.3
name: Ensure that the controller manager pod specification file permissions are
@@ -928,6 +928,8 @@
permissions of 600 or more restrictive
checks:
- id: AVD-KCV-0050
+ commands:
+ - id: CMD-0003
severity: HIGH
- id: 1.1.4
name: Ensure that the controller manager pod specification file ownership is set
@@ -936,6 +938,8 @@
is set to root:root
checks:
- id: AVD-KCV-0051
+ commands:
+ - id: CMD-0004
severity: HIGH
- id: 1.1.5
name: Ensure that the scheduler pod specification file permissions are set to
@@ -944,6 +948,8 @@
600 or more restrictive
checks:
- id: AVD-KCV-0052
+ commands:
+ - id: CMD-0005
severity: HIGH
- id: 1.1.6
name: Ensure that the scheduler pod specification file ownership is set to
@@ -952,6 +958,8 @@
to root:root
checks:
- id: AVD-KCV-0053
+ commands:
+ - id: CMD-0006
severity: HIGH
- id: 1.1.7
name: Ensure that the etcd pod specification file permissions are set to 600 or
@@ -960,6 +968,8 @@
or more restrictive
checks:
- id: AVD-KCV-0054
+ commands:
+ - id: CMD-0007
severity: HIGH
- id: 1.1.8
name: Ensure that the etcd pod specification file ownership is set to root:root
@@ -967,6 +977,8 @@
root:root.
checks:
- id: AVD-KCV-0055
+ commands:
+ - id: CMD-0008
severity: HIGH
- id: 1.1.9
name: Ensure that the Container Network Interface file permissions are set to
@@ -975,6 +987,8 @@
of 600 or more restrictive
checks:
- id: AVD-KCV-0056
+ commands:
+ - id: CMD-0009
severity: HIGH
- id: 1.1.10
name: Ensure that the Container Network Interface file ownership is set to
@@ -983,6 +997,8 @@
set to root:root
checks:
- id: AVD-KCV-0057
+ commands:
+ - id: CMD-0010
severity: HIGH
- id: 1.1.11
name: Ensure that the etcd data directory permissions are set to 700 or more
@@ -991,24 +1007,32 @@
restrictive
checks:
- id: AVD-KCV-0058
+ commands:
+ - id: CMD-0011
severity: HIGH
- id: 1.1.12
name: Ensure that the etcd data directory ownership is set to etcd:etcd
description: Ensure that the etcd data directory ownership is set to etcd:etcd
checks:
- id: AVD-KCV-0059
+ commands:
+ - id: CMD-0012
severity: LOW
- id: 1.1.13
name: Ensure that the admin.conf file permissions are set to 600
description: Ensure that the admin.conf file has permissions of 600
checks:
- id: AVD-KCV-0060
+ commands:
+ - id: CMD-0013
severity: CRITICAL
- id: 1.1.14
name: Ensure that the admin.conf file ownership is set to root:root
description: Ensure that the admin.conf file ownership is set to root:root
checks:
- id: AVD-KCV-0061
+ commands:
+ - id: CMD-0014
severity: CRITICAL
- id: 1.1.15
name: Ensure that the scheduler.conf file permissions are set to 600 or more
@@ -1017,12 +1041,16 @@
restrictive
checks:
- id: AVD-KCV-0062
+ commands:
+ - id: CMD-0015
severity: HIGH
- id: 1.1.16
name: Ensure that the scheduler.conf file ownership is set to root:root
description: Ensure that the scheduler.conf file ownership is set to root:root
checks:
- id: AVD-KCV-0063
+ commands:
+ - id: CMD-0016
severity: HIGH
- id: 1.1.17
name: Ensure that the controller-manager.conf file permissions are set to 600 or
@@ -1031,6 +1059,8 @@
or more restrictive
checks:
- id: AVD-KCV-0064
+ commands:
+ - id: CMD-0017
severity: HIGH
- id: 1.1.18
name: Ensure that the controller-manager.conf file ownership is set to root:root
@@ -1038,6 +1068,8 @@
root:root.
checks:
- id: AVD-KCV-0065
+ commands:
+ - id: CMD-0018
severity: HIGH
- id: 1.1.19
name: Ensure that the Kubernetes PKI directory and file ownership is set to
@@ -1046,6 +1078,8 @@
to root:root
checks:
- id: AVD-KCV-0066
+ commands:
+ - id: CMD-0019
severity: CRITICAL
- id: 1.1.20
name: Ensure that the Kubernetes PKI certificate file permissions are set to 600
@@ -1054,12 +1088,16 @@
600 or more restrictive
checks:
- id: AVD-KCV-0068
+ commands:
+ - id: CMD-0020
severity: CRITICAL
- id: 1.1.21
name: Ensure that the Kubernetes PKI key file permissions are set to 600
description: Ensure that Kubernetes PKI key files have permissions of 600
checks:
- id: AVD-KCV-0067
+ commands:
+ - id: CMD-0021
severity: CRITICAL
- id: 1.2.1
name: Ensure that the --anonymous-auth argument is set to false
@@ -1348,17 +1386,20 @@
authentication. However as there is no way to revoke these
certificates when a user leaves an organization or loses their
credential, they are not suitable for this purpose
+ checks: null
severity: HIGH
- id: 3.2.1
name: Ensure that a minimal audit policy is created (Manual)
description: Kubernetes can audit the details of requests made to the API
server. The --audit- policy-file flag must be set for this logging to
be enabled.
+ checks: null
severity: HIGH
- id: 3.2.2
name: Ensure that the audit policy covers key security concerns (Manual)
description: Ensure that the audit policy created for the cluster covers key
security concerns
+ checks: null
severity: HIGH
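Review bot: the Manual controls in this hunk (3.2.1, 3.2.2 and the client-certificate control preceding them) gain an explicit `checks: null`, but, unlike the NSA spec later in this diff where every Manual control sets `defaultStatus: FAIL`, no `defaultStatus` is set here. Confirm how the operator reports a control with no checks and no default status; if such controls are omitted or shown as passing, the summary report overstates compliance for exactly the controls that need a human. Setting `defaultStatus: FAIL` would make the CIS spec consistent with the NSA one.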
- id: 4.1.1
name: Ensure that the kubelet service file permissions are set to 600 or more
@@ -1367,12 +1408,16 @@
restrictive.
checks:
- id: AVD-KCV-0069
+ commands:
+ - id: CMD-0022
severity: HIGH
- id: 4.1.2
name: Ensure that the kubelet service file ownership is set to root:root
description: Ensure that the kubelet service file ownership is set to root:root
checks:
- id: AVD-KCV-0070
+ commands:
+ - id: CMD-0023
severity: HIGH
- id: 4.1.3
name: If proxy kubeconfig file exists ensure permissions are set to 600 or more
@@ -1382,6 +1427,8 @@
of 600 or more restrictive
checks:
- id: AVD-KCV-0071
+ commands:
+ - id: CMD-0024
severity: HIGH
- id: 4.1.4
name: If proxy kubeconfig file exists ensure ownership is set to root:root
@@ -1389,6 +1436,8 @@
kubeconfig file is set to root:root
checks:
- id: AVD-KCV-0072
+ commands:
+ - id: CMD-0025
severity: HIGH
- id: 4.1.5
name: Ensure that the --kubeconfig kubelet.conf file permissions are set to 600
@@ -1397,6 +1446,8 @@
restrictive
checks:
- id: AVD-KCV-0073
+ commands:
+ - id: CMD-0026
severity: HIGH
- id: 4.1.6
name: Ensure that the --kubeconfig kubelet.conf file ownership is set to
@@ -1404,6 +1455,8 @@
description: Ensure that the kubelet.conf file ownership is set to root:root
checks:
- id: AVD-KCV-0074
+ commands:
+ - id: CMD-0027
severity: HIGH
- id: 4.1.7
name: Ensure that the certificate authorities file permissions are set to 600 or
@@ -1412,6 +1465,8 @@
or more restrictive
checks:
- id: AVD-KCV-0075
+ commands:
+ - id: CMD-0028
severity: CRITICAL
- id: 4.1.8
name: Ensure that the client certificate authorities file ownership is set to
@@ -1420,6 +1475,8 @@
root:root
checks:
- id: AVD-KCV-0076
+ commands:
+ - id: CMD-0029
severity: CRITICAL
- id: 4.1.9
name: If the kubelet config.yaml configuration file is being used validate
@@ -1429,6 +1486,8 @@
restrictive
checks:
- id: AVD-KCV-0077
+ commands:
+ - id: CMD-0030
severity: HIGH
- id: 4.1.10
name: If the kubelet config.yaml configuration file is being used validate file
@@ -1437,30 +1496,40 @@
--config argument, that file is owned by root:root
checks:
- id: AVD-KCV-0078
+ commands:
+ - id: CMD-0031
severity: HIGH
- id: 4.2.1
name: Ensure that the --anonymous-auth argument is set to false
description: Disable anonymous requests to the Kubelet server
checks:
- id: AVD-KCV-0079
+ commands:
+ - id: CMD-0032
severity: CRITICAL
- id: 4.2.2
name: Ensure that the --authorization-mode argument is not set to AlwaysAllow
description: Do not allow all requests. Enable explicit authorization
checks:
- id: AVD-KCV-0080
+ commands:
+ - id: CMD-0033
severity: CRITICAL
- id: 4.2.3
name: Ensure that the --client-ca-file argument is set as appropriate
description: Enable Kubelet authentication using certificates
checks:
- id: AVD-KCV-0081
+ commands:
+ - id: CMD-0034
severity: CRITICAL
- id: 4.2.4
name: Verify that the --read-only-port argument is set to 0
description: Disable the read-only port
checks:
- id: AVD-KCV-0082
+ commands:
+ - id: CMD-0035
severity: HIGH
- id: 4.2.5
name: Ensure that the --streaming-connection-idle-timeout argument is not set to
@@ -1468,6 +1537,8 @@
description: Do not disable timeouts on streaming connections
checks:
- id: AVD-KCV-0085
+ commands:
+ - id: CMD-0036
severity: HIGH
- id: 4.2.6
name: Ensure that the --protect-kernel-defaults argument is set to true
@@ -1475,18 +1546,24 @@
kernel parameter values
checks:
- id: AVD-KCV-0083
+ commands:
+ - id: CMD-0037
severity: HIGH
- id: 4.2.7
name: Ensure that the --make-iptables-util-chains argument is set to true
description: Allow Kubelet to manage iptables
checks:
- id: AVD-KCV-0084
+ commands:
+ - id: CMD-0038
severity: HIGH
- id: 4.2.8
name: Ensure that the --hostname-override argument is not set
description: Do not override node hostnames
checks:
- id: AVD-KCV-0086
+ commands:
+ - id: CMD-0039
severity: HIGH
- id: 4.2.9
name: Ensure that the --event-qps argument is set to 0 or a level which ensures
@@ -1496,6 +1573,8 @@
gathered
checks:
- id: AVD-KCV-0087
+ commands:
+ - id: CMD-0040
severity: HIGH
- id: 4.2.10
name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are
@@ -1504,18 +1583,25 @@
checks:
- id: AVD-KCV-0088
- id: AVD-KCV-0089
+ commands:
+ - id: CMD-0041
+ - id: CMD-0042
severity: CRITICAL
- id: 4.2.11
name: Ensure that the --rotate-certificates argument is not set to false
description: Enable kubelet client certificate rotation
checks:
- id: AVD-KCV-0090
+ commands:
+ - id: CMD-0043
severity: CRITICAL
- id: 4.2.12
name: Verify that the RotateKubeletServerCertificate argument is set to true
description: Enable kubelet server certificate rotation
checks:
- id: AVD-KCV-0091
+ commands:
+ - id: CMD-0044
severity: CRITICAL
- id: 4.2.13
name: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
@@ -1523,6 +1609,8 @@
cryptographic ciphers
checks:
- id: AVD-KCV-0092
+ commands:
+ - id: CMD-0045
severity: CRITICAL
- id: 5.1.1
name: Ensure that the cluster-admin role is only used where required
@@ -1653,6 +1741,7 @@
description: There are a variety of CNI plugins available for Kubernetes. If the
CNI in use does not support Network Policies it may not be possible to
effectively restrict traffic in the cluster
+ checks: null
severity: MEDIUM
- id: 5.3.2
name: Ensure that all Namespaces have Network Policies defined
@@ -1666,22 +1755,26 @@
description: Kubernetes supports mounting secrets as data volumes or as
environment variables. Minimize the use of environment variable
secrets
+ checks: null
severity: MEDIUM
- id: 5.4.2
name: Consider external secret storage (Manual)
description: Consider the use of an external secrets storage and management
system, instead of using Kubernetes Secrets directly, if you have more
complex secret management needs
+ checks: null
severity: MEDIUM
- id: 5.5.1
name: Configure Image Provenance using ImagePolicyWebhook admission controller
(Manual)
description: Configure Image Provenance for your deployment
+ checks: null
severity: MEDIUM
- id: 5.7.1
name: Create administrative boundaries between resources using namespaces
(Manual)
description: Use namespaces to isolate your Kubernetes objects
+ checks: null
severity: MEDIUM
- id: 5.7.2
name: Ensure that the seccomp profile is set to docker/default in your pod
@@ -1710,16 +1803,18 @@
severity: MEDIUM
---
-# Source: trivy-operator/templates/specs/nsa-1.0.yaml
+# Source: trivy-operator/templates/specs/k8s-nsa-1.0.yaml
apiVersion: aquasecurity.github.io/v1alpha1
kind: ClusterComplianceReport
metadata:
- name: nsa
+ name: k8s-nsa-1.0
spec:
cron: "0 */6 * * *"
reportType: "summary"
compliance:
- id: nsa
+ id: k8s-nsa-1.0
+ platform: k8s
+ type: nsa
title: National Security Agency - Kubernetes Hardening Guidance v1.0
description: National Security Agency - Kubernetes Hardening Guidance
relatedResources:
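Review bot: here `platform: k8s` / `type: nsa` sit under `spec.compliance` only, which is consistent with the new `k8s-nsa-1.0` id; the CIS spec earlier in this diff should follow this layout instead of also placing them under metadata. Same rename caveat as for the CIS report: the `nsa` ClusterComplianceReport is removed and `k8s-nsa-1.0` is created fresh on upgrade, so report history and anything keyed on the old name is lost.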
@@ -1727,406 +1822,409 @@
version: "1.0"
controls:
- name: Non-root containers
- description: 'Check that container is not running as root'
- id: '1.0'
+ description: Check that container is not running as root
+ id: "1.0"
checks:
- id: AVD-KSV-0012
- severity: 'MEDIUM'
+ severity: MEDIUM
- name: Immutable container file systems
- description: 'Check that container root file system is immutable'
- id: '1.1'
+ description: Check that container root file system is immutable
+ id: "1.1"
checks:
- id: AVD-KSV-0014
- severity: 'LOW'
+ severity: LOW
- name: Preventing privileged containers
- description: 'Controls whether Pods can run privileged containers'
- id: '1.2'
+ description: Controls whether Pods can run privileged containers
+ id: "1.2"
checks:
- id: AVD-KSV-0017
- severity: 'HIGH'
+ severity: HIGH
- name: Share containers process namespaces
- description: 'Controls whether containers can share process namespaces'
- id: '1.3'
+ description: Controls whether containers can share process namespaces
+ id: "1.3"
checks:
- id: AVD-KSV-0008
- severity: 'HIGH'
+ severity: HIGH
- name: Share host process namespaces
- description: 'Controls whether share host process namespaces'
- id: '1.4'
+ description: Controls whether share host process namespaces
+ id: "1.4"
checks:
- id: AVD-KSV-0009
- severity: 'HIGH'
+ severity: HIGH
- name: Use the host network
- description: 'Controls whether containers can use the host network'
- id: '1.5'
+ description: Controls whether containers can use the host network
+ id: "1.5"
checks:
- id: AVD-KSV-0010
- severity: 'HIGH'
+ severity: HIGH
- name: Run with root privileges or with root group membership
- description: 'Controls whether container applications can run with root
- privileges or with root group membership'
- id: '1.6'
+ description: Controls whether container applications can run with root
+ privileges or with root group membership
+ id: "1.6"
checks:
- id: AVD-KSV-0029
- severity: 'LOW'
+ severity: LOW
- name: Restricts escalation to root privileges
- description: 'Control check restrictions escalation to root privileges'
- id: '1.7'
+ description: Control check restrictions escalation to root privileges
+ id: "1.7"
checks:
- id: AVD-KSV-0001
- severity: 'MEDIUM'
+ severity: MEDIUM
- name: Sets the SELinux context of the container
- description: 'Control checks if pod sets the SELinux context of the container'
- id: '1.8'
+ description: Control checks if pod sets the SELinux context of the container
+ id: "1.8"
checks:
- id: AVD-KSV-0002
- severity: 'MEDIUM'
+ severity: MEDIUM
- name: Restrict a container's access to resources with AppArmor
- description: 'Control checks the restriction of containers access to resources
- with AppArmor'
- id: '1.9'
+ description: Control checks the restriction of containers access to resources
+ with AppArmor
+ id: "1.9"
checks:
- id: AVD-KSV-0030
- severity: 'MEDIUM'
+ severity: MEDIUM
- name: Sets the seccomp profile used to sandbox containers.
- description: 'Control checks the sets the seccomp profile used to sandbox
- containers'
- id: '1.10'
+ description: Control checks the sets the seccomp profile used to sandbox containers
+ id: "1.10"
checks:
- id: AVD-KSV-0030
- severity: 'LOW'
+ severity: LOW
- name: Protecting Pod service account tokens
- description: 'Control check whether disable secret token been mount
- ,automountServiceAccountToken: false'
- id: '1.11'
+ description: "Control check whether disable secret token been mount
+ ,automountServiceAccountToken: false"
+ id: "1.11"
checks:
- id: AVD-KSV-0036
- severity: 'MEDIUM'
+ severity: MEDIUM
- name: Namespace kube-system should not be used by users
- description: 'Control check whether Namespace kube-system is not be used by users'
- id: '1.12'
- defaultStatus: 'FAIL'
+ description: Control check whether Namespace kube-system is not be used by users
+ id: "1.12"
+ defaultStatus: FAIL
checks:
- id: AVD-KSV-0037
- severity: 'MEDIUM'
+ severity: MEDIUM
- name: Pod and/or namespace Selectors usage
- description: 'Control check validate the pod and/or namespace Selectors usage'
- id: '2.0'
- defaultStatus: 'FAIL'
+ description: Control check validate the pod and/or namespace Selectors usage
+ id: "2.0"
+ defaultStatus: FAIL
checks:
- id: AVD-KSV-0038
- severity: 'MEDIUM'
+ severity: MEDIUM
- name: Use CNI plugin that supports NetworkPolicy API (Manual)
- description: 'Control check whether check cni plugin installed'
- id: '3.0'
- defaultStatus: 'FAIL'
- severity: 'CRITICAL'
+ description: Control check whether check cni plugin installed
+ id: "3.0"
+ defaultStatus: FAIL
+ severity: CRITICAL
- name: Use ResourceQuota policies to limit resources
- description: 'Control check the use of ResourceQuota policy to limit aggregate
- resource usage within namespace'
- id: '4.0'
- defaultStatus: 'FAIL'
+ description: Control check the use of ResourceQuota policy to limit aggregate
+ resource usage within namespace
+ id: "4.0"
+ defaultStatus: FAIL
checks:
- id: AVD-KSV-0040
- severity: 'MEDIUM'
+ severity: MEDIUM
- name: Use LimitRange policies to limit resources
- description: 'Control check the use of LimitRange policy limit resource usage
- for namespaces or nodes'
- id: '4.1'
- defaultStatus: 'FAIL'
+ description: Control check the use of LimitRange policy limit resource usage for
+ namespaces or nodes
+ id: "4.1"
+ defaultStatus: FAIL
checks:
- id: AVD-KSV-0039
- severity: 'MEDIUM'
+ severity: MEDIUM
- name: Control plan disable insecure port (Manual)
- description: 'Control check whether control plan disable insecure port'
- id: '5.0'
- defaultStatus: 'FAIL'
- severity: 'CRITICAL'
+ description: Control check whether control plan disable insecure port
+ id: "5.0"
+ defaultStatus: FAIL
+ severity: CRITICAL
- name: Encrypt etcd communication
- description: 'Control check whether etcd communication is encrypted'
- id: '5.1'
+ description: Control check whether etcd communication is encrypted
+ id: "5.1"
checks:
- id: AVD-KCV-0030
- severity: 'CRITICAL'
+ severity: CRITICAL
- name: Ensure kube config file permission (Manual)
- description: 'Control check whether kube config file permissions'
- id: '6.0'
- defaultStatus: 'FAIL'
- severity: 'CRITICAL'
+ description: Control check whether kube config file permissions
+ id: "6.0"
+ defaultStatus: FAIL
+ severity: CRITICAL
- name: Check that encryption resource has been set
- description: 'Control checks whether encryption resource has been set'
- id: '6.1'
+ description: Control checks whether encryption resource has been set
+ id: "6.1"
checks:
- id: AVD-KCV-0029
- severity: 'CRITICAL'
+ severity: CRITICAL
- name: Check encryption provider
- description: 'Control checks whether encryption provider has been set'
- id: '6.2'
+ description: Control checks whether encryption provider has been set
+ id: "6.2"
checks:
- id: AVD-KCV-0004
- severity: 'CRITICAL'
+ severity: CRITICAL
- name: Make sure anonymous-auth is unset
- description: 'Control checks whether anonymous-auth is unset'
- id: '7.0'
+ description: Control checks whether anonymous-auth is unset
+ id: "7.0"
checks:
- id: AVD-KCV-0001
- severity: 'CRITICAL'
+ severity: CRITICAL
- name: Make sure -authorization-mode=RBAC
- description: 'Control check whether RBAC permission is in use'
- id: '7.1'
+ description: Control check whether RBAC permission is in use
+ id: "7.1"
checks:
- id: AVD-KCV-0008
- severity: 'CRITICAL'
+ severity: CRITICAL
- name: Audit policy is configure (Manual)
- description: 'Control check whether audit policy is configure'
- id: '8.0'
- defaultStatus: 'FAIL'
- severity: 'HIGH'
+ description: Control check whether audit policy is configure
+ id: "8.0"
+ defaultStatus: FAIL
+ severity: HIGH
- name: Audit log path is configure
- description: 'Control check whether audit log path is configure'
- id: '8.1'
+ description: Control check whether audit log path is configure
+ id: "8.1"
checks:
- id: AVD-KCV-0019
- severity: 'MEDIUM'
+ severity: MEDIUM
- name: Audit log aging
- description: 'Control check whether audit log aging is configure'
- id: '8.2'
+ description: Control check whether audit log aging is configure
+ id: "8.2"
checks:
- id: AVD-KCV-0020
- severity: 'MEDIUM'
+ severity: MEDIUM
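Review bot: this hunk is almost entirely a single-to-double quote normalisation with no semantic change (the ids stay quoted strings, which matters for `"1.10"`, since an unquoted 1.10 would parse as the float 1.1 and collide with control 1.1). Two things visible in the context are worth a follow-up even though they pre-date the change: control 1.9 (AppArmor) and control 1.10 (seccomp) both reference `AVD-KSV-0030`, so one of them is mis-mapped (the PSS specs in this diff tie AppArmor to `avd-ksv-0002`), and the rewritten 1.11 description still reads "Control check whether disable secret token been mount ,automountServiceAccountToken: false" with the stray comma carried over.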
---
-# Source: trivy-operator/templates/specs/pss-baseline.yaml
+# Source: trivy-operator/templates/specs/k8s-pss-baseline-0.1.yaml
apiVersion: aquasecurity.github.io/v1alpha1
kind: ClusterComplianceReport
metadata:
- name: pss-baseline
+ name: k8s-pss-baseline-0.1
spec:
cron: "0 */6 * * *"
reportType: "summary"
compliance:
- id: pss-baseline
+ id: k8s-pss-baseline-0.1
+ platform: eks
+ type: pss-baseline
title: Kubernetes Pod Security Standards - Baseline
description: Kubernetes Pod Security Standards - Baseline
relatedResources:
- https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
- version: '0.1'
+ version: "0.1"
controls:
- name: HostProcess
description: Windows pods offer the ability to run HostProcess containers which
enables privileged access to the Windows node. Privileged access to
the host is disallowed in the baseline policy
- id: '1'
+ id: "1"
checks:
- id: AVD-KSV-0103
- severity: 'HIGH'
+ severity: HIGH
- name: Host Namespaces
description: Sharing the host namespaces must be disallowed.
- id: '2'
+ id: "2"
checks:
- id: AVD-KSV-0008
- severity: 'HIGH'
+ severity: HIGH
- name: Privileged Containers
description: Privileged Pods disable most security mechanisms and must be
disallowed.
- id: '3'
+ id: "3"
checks:
- id: AVD-KSV-0017
- severity: 'HIGH'
+ severity: HIGH
- name: Capabilities
description: Adding additional capabilities beyond those listed below must be
disallowed.
- id: '4'
+ id: "4"
checks:
- id: AVD-KSV-0022
- severity: 'MEDIUM'
+ severity: MEDIUM
- name: HostPath Volumes
description: HostPath volumes must be forbidden.
- id: '5'
+ id: "5"
checks:
- - id: 'AVD-KSV-0023'
- severity: 'MEDIUM'
+ - id: AVD-KSV-0023
+ severity: MEDIUM
- name: host ports
description: hostports should be disallowed, or at minimum restricted to a known
list.
- id: '6'
+ id: "6"
checks:
- id: avd-ksv-0024
- severity: 'HIGH'
+ severity: HIGH
- name: AppArmor
description: On supported hosts, the runtime/default AppArmor profile is applied
by default. The baseline policy should prevent overriding or disabling
the default AppArmor profile, or restrict overrides to an allowed set
of profiles.
- id: '7'
+ id: "7"
checks:
- id: avd-ksv-0002
- severity: 'HIGH'
+ severity: HIGH
- name: SELinux
description: Setting the SELinux type is restricted, and setting a custom
SELinux user or role option is forbidden.
- id: '8'
+ id: "8"
checks:
- id: avd-ksv-0025
- severity: 'MEDIUM'
+ severity: MEDIUM
- name: /proc Mount Type
description: The default /proc masks are set up to reduce attack surface, and
should be required.
- id: '9'
+ id: "9"
checks:
- id: avd-ksv-0027
- severity: 'MEDIUM'
+ severity: MEDIUM
- name: Seccomp
description: Seccomp profile must not be explicitly set to Unconfined.
- id: '10'
+ id: "10"
checks:
- id: avd-ksv-0104
- severity: 'MEDIUM'
+ severity: MEDIUM
- name: Sysctls
description: Sysctls can disable security mechanisms or affect all containers on
a host, and should be disallowed except for an allowed 'safe' subset.
A sysctl is considered safe if it is namespaced in the container or
the Pod, and it is isolated from other Pods or processes on the same
Node.
- id: '11'
+ id: "11"
checks:
- id: avd-ksv-0026
- severity: 'MEDIUM'
+ severity: MEDIUM
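Review bot: `platform: eks` on the spec whose id is `k8s-pss-baseline-0.1` looks like a copy-paste error; the restricted variant immediately below uses `platform: k8s`, and the Pod Security Standards are not EKS-specific. If the operator uses `platform` to decide which specs apply to a cluster, this spec would be skipped or mis-filed on non-EKS clusters; suggest `platform: k8s`. Check ids in this spec also mix cases (`AVD-KSV-0023` at control 5, `avd-ksv-0024` at control 6 onward); confirm the operator matches them case-insensitively or normalise them to upper-case.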
---
-# Source: trivy-operator/templates/specs/pss-restricted.yaml
+# Source: trivy-operator/templates/specs/k8s-pss-restricted-0.1.yaml
apiVersion: aquasecurity.github.io/v1alpha1
kind: ClusterComplianceReport
metadata:
- name: pss-restricted
+ name: k8s-pss-restricted-0.1
spec:
cron: "0 */6 * * *"
reportType: "summary"
compliance:
- id: pss-restricted
+ id: k8s-pss-restricted-0.1
+ platform: k8s
+ type: pss-restricted
title: Kubernetes Pod Security Standards - Restricted
description: Kubernetes Pod Security Standards - Restricted
relatedResources:
- https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
- version: '0.1'
+ version: "0.1"
controls:
- name: HostProcess
description: Windows pods offer the ability to run HostProcess containers which
enables privileged access to the Windows node. Privileged access to
the host is disallowed in the baseline policy
- id: '1'
+ id: "1"
checks:
- id: AVD-KSV-0103
- severity: 'HIGH'
+ severity: HIGH
- name: Host Namespaces
description: Sharing the host namespaces must be disallowed.
- id: '2'
+ id: "2"
checks:
- id: AVD-KSV-0008
- severity: 'HIGH'
+ severity: HIGH
- name: Privileged Containers
description: Privileged Pods disable most security mechanisms and must be
disallowed.
- id: '3'
+ id: "3"
checks:
- id: AVD-KSV-0017
- severity: 'HIGH'
+ severity: HIGH
- name: Capabilities
description: Adding additional capabilities beyond those listed below must be
disallowed.
- id: '4'
+ id: "4"
checks:
- id: AVD-KSV-0022
- severity: 'MEDIUM'
+ severity: MEDIUM
- name: HostPath Volumes
description: HostPath volumes must be forbidden.
- id: '5'
+ id: "5"
checks:
- id: AVD-KSV-0023
- severity: 'MEDIUM'
+ severity: MEDIUM
- name: host ports
description: hostports should be disallowed, or at minimum restricted to a known
list.
- id: '6'
+ id: "6"
checks:
- id: avd-ksv-0024
- severity: 'HIGH'
+ severity: HIGH
- name: AppArmor
description: On supported hosts, the runtime/default AppArmor profile is applied
by default. The baseline policy should prevent overriding or disabling
the default AppArmor profile, or restrict overrides to an allowed set
of profiles.
- id: '7'
+ id: "7"
checks:
- id: avd-ksv-0002
- severity: 'HIGH'
+ severity: HIGH
- name: SELinux
description: Setting the SELinux type is restricted, and setting a custom
SELinux user or role option is forbidden.
- id: '8'
+ id: "8"
checks:
- id: avd-ksv-0025
- severity: 'MEDIUM'
+ severity: MEDIUM
- name: /proc Mount Type
description: The default /proc masks are set up to reduce attack surface, and
should be required.
- id: '9'
+ id: "9"
checks:
- id: avd-ksv-0027
- severity: 'MEDIUM'
+ severity: MEDIUM
- name: Seccomp
description: Seccomp profile must not be explicitly set to Unconfined.
- id: '10'
+ id: "10"
checks:
- id: avd-ksv-0104
- severity: 'MEDIUM'
+ severity: MEDIUM
- name: Sysctls
description: Sysctls can disable security mechanisms or affect all containers on
a host, and should be disallowed except for an allowed 'safe' subset.
A sysctl is considered safe if it is namespaced in the container or
the Pod, and it is isolated from other Pods or processes on the same
Node.
- id: '11'
+ id: "11"
checks:
- id: avd-ksv-0026
- severity: 'MEDIUM'
+ severity: MEDIUM
- name: Volume Types
description: The restricted policy only permits specific volume types.
- id: '12'
+ id: "12"
checks:
- id: avd-ksv-0028
severity: LOW
- name: Privilege Escalation
description: Privilege escalation (such as via set-user-ID or set-group-ID file
mode) should not be allowed.
- id: '13'
+ id: "13"
checks:
- id: avd-ksv-0001
- severity: 'MEDIUM'
+ severity: MEDIUM
- name: Running as Non-root
description: Containers must be required to run as non-root users.
- id: '14'
+ id: "14"
checks:
- id: avd-ksv-0012
- severity: 'MEDIUM'
+ severity: MEDIUM
- name: Running as Non-root user
description: Containers must not set runAsUser to 0
- id: '15'
+ id: "15"
checks:
- id: avd-ksv-0105
- severity: 'LOW'
+ severity: LOW
- name: Seccomp
description: Seccomp profile must be explicitly set to one of the allowed
values. Both the Unconfined profile and the absence of a profile are
prohibited
- id: '16'
+ id: "16"
checks:
- id: avd-ksv-0030
- severity: 'LOW'
+ severity: LOW
- name: Capabilities
description: Containers must drop ALL capabilities, and are only permitted to
add back the NET_BIND_SERVICE capability.
- id: '17'
+ id: "17"
checks:
- id: avd-ksv-0106
- severity: 'LOW'
+ severity: LOW
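Review bot: the same mixed-case check ids recur here (`AVD-KSV-0103` through `AVD-KSV-0023`, then `avd-ksv-0024` onward), so whatever normalisation is chosen for the baseline spec should be applied to this one too. Two controls named `Seccomp` (10 and 16) and two named `Capabilities` (4 and 17) coexist in this spec; that is correct for restricted, which layers the stricter rule on top of the baseline one, but only the descriptions disambiguate them, so consider naming the stricter pair distinctly for the summary view. Beyond the rename to `k8s-pss-restricted-0.1`, the added `platform`/`type`, and the quoting, nothing functional changes in this hunk.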
This PR contains the following updates:
0.23.3 -> 0.24.0
Release Notes
aquasecurity/helm-charts (trivy-operator)
v0.24.0
Compare Source
Keeps security report resources updated
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.