Powerpipe
Powerpipe is now the preferred way to run this mod! Migrating from Steampipe →
All v0.x versions of this mod will work in both Steampipe and Powerpipe, but v1.0.0 onwards will be in Powerpipe format only.
Enhancements
- Focus documentation on Powerpipe commands.
- Show how to combine Powerpipe mods with Steampipe plugins.
Breaking changes
- Updated the plugin dependency section of the mod to use `min_version` instead of `version`. (#82)
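The `require` block change described above, shown as an added illustration (this is not a fragment of the mod's own `mod.pp`; the plugin version number is an illustrative value, not one taken from this release):

```hcl
# Old Steampipe-era form: the plugin constraint was keyed as `version`.
# mod "kubernetes_compliance" {
#   require {
#     plugin "kubernetes" {
#       version = "0.23.0"   # illustrative value
#     }
#   }
# }

# Powerpipe form after this change: the same constraint is keyed as
# `min_version`, which states a lower bound rather than a pinned version.
mod "kubernetes_compliance" {
  require {
    plugin "kubernetes" {
      min_version = "0.23.0"   # illustrative value
    }
  }
}
```

Only one of the two `mod` blocks belongs in a real mod file; the commented-out block is kept here purely to show the key that was replaced.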
Bug fixes
- Updated the docs to include the correct links for the `nsa_cisa_v1` benchmark. (#80) (Thanks @aniketh-varma for the contribution!)
- Fixed the following queries to cast the data to boolean format. (#79)
  - `cronjob_container_privilege_disabled`
  - `cronjob_host_network_access_disabled`
  - `cronjob_hostpid_hostipc_sharing_disabled`
  - `cronjob_immutable_container_filesystem`
  - `cronjob_non_root_container`
  - `daemonset_container_privilege_disabled`
  - `daemonset_host_network_access_disabled`
  - `daemonset_hostpid_hostipc_sharing_disabled`
  - `daemonset_immutable_container_filesystem`
  - `daemonset_non_root_container`
  - `deployment_container_privilege_disabled`
  - `deployment_host_network_access_disabled`
  - `deployment_hostpid_hostipc_sharing_disabled`
  - `deployment_immutable_container_filesystem`
  - `deployment_non_root_container`
  - `job_container_privilege_disabled`
  - `job_host_network_access_disabled`
  - `job_hostpid_hostipc_sharing_disabled`
  - `job_immutable_container_filesystem`
  - `job_non_root_container`
  - `pod_container_privilege_disabled`
  - `pod_immutable_container_filesystem`
  - `pod_non_root_container`
  - `pod_service_account_token_enabled`
  - `pod_template_container_privilege_disabled`
  - `pod_template_immutable_container_filesystem`
  - `replicaset_container_privilege_disabled`
  - `replicaset_host_network_access_disabled`
  - `replicaset_hostpid_hostipc_sharing_disabled`
  - `replicaset_immutable_container_filesystem`
  - `replicaset_non_root_container`
  - `replication_controller_container_privilege_disabled`
  - `replication_controller_host_network_access_disabled`
  - `replication_controller_hostpid_hostipc_sharing_disabled`
  - `replication_controller_immutable_container_filesystem`
  - `replication_controller_non_root_container`
  - `statefulset_container_privilege_disabled`
  - `statefulset_host_network_access_disabled`
  - `statefulset_hostpid_hostipc_sharing_disabled`
  - `statefulset_immutable_container_filesystem`
  - `statefulset_non_root_container`
Bug fixes
- Fixed queries to correctly return data for `connection_name` and `tags` dimensions instead of an error. (#73)
What's new?
- Added 39 new controls for the `ClusterRoleBinding`, `CronJob`, `DaemonSet`, `Ingress`, `Job` and `Pod` resource types to the `all_controls` benchmark. (#68)
What's new?
- Added 350+ new controls across all resource types to the `all_controls` benchmark. (#64)
Enhancements
- Added `path` to the default set of `common_dimensions`, so any file paths now appear by default in the additional dimensions in control results. (#63)
- Added `iac` category to mod definition.
Dependencies
- Kubernetes plugin `v0.23.0` or higher is now required.
Enhancements
- Added 112 new controls to the `All Controls` benchmark for the following services: (#59)
  - `CronJob`
  - `DaemonSet`
  - `Deployment`
  - `Job`
  - `Pod`
  - `ReplicaSet`
  - `ReplicationController`
  - `StatefulSet`
Enhancements
- Added 90 new controls to the `All Controls` benchmark for the following services: (#56)
  - `CronJob`
  - `DaemonSet`
  - `Deployment`
  - `Job`
  - `Pod`
  - `ReplicaSet`
  - `ReplicationController`
  - `StatefulSet`
Bug fixes
- Fixed the `role_with_wildcards_used` control to correctly return data instead of an error. (#54)
Breaking changes
- The `Other Compliance Checks` benchmark (`steampipe check benchmark.other_checks`) has been removed and replaced by the new `All Controls` benchmark (`steampipe check benchmark.all_controls`). This new benchmark includes 154 service-specific controls. (#47)
Bug fixes
- Fixed the `namespace_*` queries to use the correct common dimensions. (#49)
Dependencies
- Kubernetes plugin `v0.20.0` or higher is now required. (#41)
What's new?
- Added `path` and `source_type` to the common dimensions to group and filter findings. (see `var.common_dimensions`) (#41)
Enhancements
- Updated the `resource` column to use `path` and `start_line` for manifest resources. (#41)
What's new?
- Added CIS v1.7.0 for Kubernetes v1.25 benchmark (`steampipe check benchmark.cis_v170`). (#35)
- Added `connection_name` to the common dimensions to group and filter findings. (see `var.common_dimensions`) (#34)
- Added `tags` as dimensions to group and filter findings. (see `var.tag_dimensions`) (#34)
Bug fixes
- Fixed dashboard localhost URLs in README and index doc. (#37)
Bug fixes
- Fixed the structure and the order of sub-benchmarks and controls of the `cis_kube_v120_v100_5` benchmark based on the CIS documentation. (#30)
Bug fixes
- Fixed `pod_service_account_token_disabled`, `pod_security_policy_*` and `service_account_token_disabled` queries to include the name of the relevant resource in the `Reason` column of the compliance report. (#23)
Enhancements
- Added `category`, `service`, and `type` tags to benchmarks and controls. (#18)
Breaking changes
- Updated all CIS Kubernetes v1.20 v1.0.0 filenames, benchmarks, and controls to include the Kubernetes version for future version compatibility. (#18)
- Fixed all typos in control and query names (`namesapce` -> `namespace`). (#18)
What's new?
- Added a new benchmark (`cis_v100_5_7_2`) to the `CIS v1.0.0 for Kubernetes v1.20` benchmark. (#13)
- Added new controls for `CronJob`, `ConfigMap`, `Ingress`, `Role`, `RoleBinding`, `Secret` and `StatefulSet` resource types to the `CIS v1.0.0 for Kubernetes v1.20`, `Extra Checks` and `NSA CISA Kubernetes Hardening Guidance v1` benchmarks. (#13)
Enhancements
- `docs/index.md` file now includes the console output image.
What's new?
- Added: CIS v1.0.0 for Kubernetes v1.20 benchmark (`steampipe check kubernetes_compliance.benchmark.cis_kubernetes_v120`)
- Added: Extra Checks benchmark (`steampipe check kubernetes_compliance.benchmark.extra_checks`) to provide additional information around other Kubernetes compliance best practices
Bug fixes
- Fixed: Broken links in docs/index.md to mod controls and queries
What's new?
- Added: NSA CISA Kubernetes Hardening Guidance v1 benchmark (`steampipe check benchmark.nsa_cisa_v1`)