

add control C-0273 - outdated k8s version (#596)
* add control C-0272

Signed-off-by: YiscahLevySilas1 <yiscahls@armosec.io>

* add control C-0273

Signed-off-by: YiscahLevySilas1 <yiscahls@armosec.io>

* add dependencies

Signed-off-by: YiscahLevySilas1 <yiscahls@armosec.io>

---------

Signed-off-by: YiscahLevySilas1 <yiscahls@armosec.io>
YiscahLevySilas1 authored Mar 4, 2024
1 parent 26900de commit a9bf393
Showing 12 changed files with 924 additions and 0 deletions.
4 changes: 4 additions & 0 deletions .github/workflows/create-release.yaml
Expand Up @@ -63,6 +63,10 @@ jobs:
uses: actions/setup-python@75f3110429a8c05be0e1bf360334e4cced2b63fa
with:
python-version: 3.10.6
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install requests
# generating subsections ids
- name: Update frameworks subsections
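Review bot: `pip install requests` in the new "Install dependencies" step is unpinned, so the release job resolves whatever version of requests and its transitive dependencies PyPI serves at run time — a supply-chain exposure in the workflow that produces release artifacts. The adjacent setup-python step is pinned to a commit SHA, so the same discipline should apply here: `pip install requests==<pinned version>`, or better a small requirements file installed with `pip install --require-hashes -r requirements.txt`. The hunk header announces ten new-side lines but only nine are visible here, so part of the step may be hidden from this view. The identical unpinned line is added to pr-tests.yaml in this commit and should be pinned the same way.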
5 changes: 5 additions & 0 deletions .github/workflows/pr-tests.yaml
Expand Up @@ -74,6 +74,11 @@ jobs:
uses: actions/setup-python@v4
with:
python-version: 3.10.6
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install requests
# validate control-ID duplications
- run: python ./scripts/validations.py
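--- a/controls/C-0273-outdatedk8sversion.json
+++ b/controls/C-0273-outdatedk8sversion.json
@@ -0,0 +1,22 @@
+{
+"name": "Outdated Kubernetes version",
+"attributes": {},
+"description": "Identifies Kubernetes clusters running on outdated versions. Using old versions can expose clusters to known vulnerabilities, compatibility issues, and miss out on improved features and security patches. Keeping Kubernetes up-to-date is crucial for maintaining security and operational efficiency.",
+"remediation": "Regularly update Kubernetes clusters to the latest stable version to mitigate known vulnerabilities and enhance functionality. Plan and execute upgrades considering workload compatibility, testing in a staging environment before applying changes to production. Follow Kubernetes' best practices for version management and upgrades to ensure a smooth transition and minimal downtime.",
+"rulesNames": [
+"outdated-k8s-version"
+],
+"long_description": "Running an outdated version of Kubernetes poses significant security risks and operational challenges. Older versions may contain unpatched vulnerabilities, leading to potential security breaches and unauthorized access. Additionally, outdated clusters might not support newer, more secure, and efficient features, impacting both performance and security. Regularly updating Kubernetes ensures compliance with the latest security standards and access to enhanced functionalities.",
+"test": "Verifies the current Kubernetes version against the latest stable releases.",
+"controlID": "C-0273",
+"baseScore": 2.0,
+"category": {
+"name": "Control plane"
+},
+"scanningScope": {
+"matches": [
+"cluster",
+"file"
+]
+}
+}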
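Review bot: The `description` ("Identifies Kubernetes clusters running on outdated versions") and `test` ("Verifies the current Kubernetes version against the latest stable releases") overstate what the referenced rule does: outdated-k8s-version reads `status.nodeInfo.kubeletVersion` on each Node and compares it against a fixed list of version prefixes embedded in the rego, not the control-plane version and not a live release feed. Because a kubelet is allowed to lag the API server by a few minor versions under the published version-skew policy, a flagged node does not by itself mean the cluster is out of support, so the text should say what is actually measured. I would reword `test` to `"test": "Checks each node's kubelet version (status.nodeInfo.kubeletVersion) against the list of currently supported Kubernetes minor versions embedded in the rule."` and refer to nodes rather than clusters in `description`. `scanningScope` also lists `file`, while the rule only matches Node objects, which rarely appear in manifests — worth confirming that is intended.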
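--- a/rules/outdated-k8s-version/raw.rego
+++ b/rules/outdated-k8s-version/raw.rego
@@ -0,0 +1,25 @@
+package armo_builtins
+
+import future.keywords.every
+
+deny[msga] {
+node := input[_]
+node.kind == "Node"
+current_version := node.status.nodeInfo.kubeletVersion
+has_outdated_version(current_version)
+path := "status.nodeInfo.kubeletVersion"
+msga := {
+"alertMessage": sprintf("Your kubelet version: %s, in node: %s is outdated", [current_version, node.metadata.name]),
+"reviewPaths": [path],
+"alertObject": {"k8SApiObjects": [node]},
+}
+}
+
+
+has_outdated_version(version) {
+# the `supported_k8s_versions` is validated in the validations script against "https://api.github.com/repos/kubernetes/kubernetes/releases"
+supported_k8s_versions := ["v1.29", "v1.28", "v1.27"]
+every v in supported_k8s_versions{
+not startswith(version, v)
+}
+}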
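Review bot: The prefix allowlist in has_outdated_version goes wrong in both directions as it ages: once a listed minor (v1.27 here) reaches end of life it is still reported as supported until someone edits this file, and any newer minor (v1.30 onward) is reported as outdated because it matches none of the three prefixes — a security fail-open on one side and a guaranteed false positive on the other. The comment points at a validations script that checks the list against the GitHub releases API, but that script is not visible in this part of the commit, so I cannot tell whether it fails a PR on drift, and in any case users scanning with an older regolibrary still get the stale verdict. Comparing the parsed minor number against a single minimum-supported constant removes the false positive on newer releases and leaves one value to bump; the second body below keeps the current behaviour of flagging a version string that does not parse, rather than silently passing it. Separately, if `status.nodeInfo.kubeletVersion` is absent the deny rule is undefined and the node passes with no finding, which may be acceptable but is worth a comment.

```rego
has_outdated_version(version) {
	# Oldest minor still receiving patch releases; bump when a minor reaches EOL.
	min_supported_minor := 27
	m := regex.find_all_string_submatch_n(`^v?(\d+)\.(\d+)`, version, 1)
	count(m) == 1
	to_number(m[0][1]) == 1
	to_number(m[0][2]) < min_supported_minor
}

# A version string we cannot parse is treated as outdated, as the prefix list did.
has_outdated_version(version) {
	count(regex.find_all_string_submatch_n(`^v?(\d+)\.(\d+)`, version, 1)) == 0
}
```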
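--- a/rules/outdated-k8s-version/rule.metadata.json
+++ b/rules/outdated-k8s-version/rule.metadata.json
@@ -0,0 +1,22 @@
+{
+"name": "outdated-k8s-version",
+"attributes": {},
+"ruleLanguage": "Rego",
+"match": [
+{
+"apiGroups": [
+""
+],
+"apiVersions": [
+"v1"
+],
+"resources": [
+"Node"
+]
+}
+],
+"ruleDependencies": [],
+"description": "",
+"remediation": "",
+"ruleQuery": "armo_builtins"
+}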
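Review bot: `description` and `remediation` are added as empty strings, so anyone reading the rule metadata on its own learns nothing about what the rule checks or how to fix a finding. Since the rego inspects `status.nodeInfo.kubeletVersion` per Node, a one-line pair would do: `"description": "Flags nodes whose kubelet version does not match a currently supported Kubernetes minor version."` and `"remediation": "Upgrade the node (and control plane) to a supported Kubernetes release."`. Whether these fields are surfaced anywhere is not visible from this commit, but an empty string reads as an oversight rather than a deliberate choice.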
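--- a/rules/outdated-k8s-version/test/fail/expected.json
+++ b/rules/outdated-k8s-version/test/fail/expected.json
@@ -0,0 +1,38 @@
+[
+{
+"alertMessage": "Your kubelet version: v1.20.7, in node: minikube is outdated",
+"failedPaths": null,
+"reviewPaths": [
+"status.nodeInfo.kubeletVersion"
+],
+"deletePaths": null,
+"fixPaths": null,
+"ruleStatus": "",
+"packagename": "",
+"alertScore": 0,
+"alertObject": {
+"k8sApiObjects": [
+{
+"apiVersion": "v1",
+"kind": "Node",
+"metadata": {
+"labels": {
+"beta.kubernetes.io/arch": "amd64",
+"beta.kubernetes.io/os": "linux",
+"kubernetes.io/arch": "amd64",
+"kubernetes.io/hostname": "minikube",
+"kubernetes.io/os": "linux",
+"minikube.k8s.io/commit": "76d74191d82c47883dc7e1319ef7cebd3e00ee11",
+"minikube.k8s.io/name": "minikube",
+"minikube.k8s.io/updated_at": "2022_01_03T11_57_45_0700",
+"minikube.k8s.io/version": "v1.21.0",
+"node-role.kubernetes.io/control-plane": "",
+"node-role.kubernetes.io/master": ""
+},
+"name": "minikube"
+}
+}
+]
+}
+}
+]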
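--- a/rules/outdated-k8s-version/test/fail/input/node.json
+++ b/rules/outdated-k8s-version/test/fail/input/node.json
@@ -0,0 +1,211 @@
+{
+"apiVersion": "v1",
+"kind": "Node",
+"metadata": {
+"annotations": {
+"kubeadm.alpha.kubernetes.io/cri-socket": "/var/run/dockershim.sock",
+"node.alpha.kubernetes.io/ttl": "0",
+"volumes.kubernetes.io/controller-managed-attach-detach": "true"
+},
+"creationTimestamp": "2022-01-03T09:57:41Z",
+"labels": {
+"beta.kubernetes.io/arch": "amd64",
+"beta.kubernetes.io/os": "linux",
+"kubernetes.io/arch": "amd64",
+"kubernetes.io/hostname": "minikube",
+"kubernetes.io/os": "linux",
+"minikube.k8s.io/commit": "76d74191d82c47883dc7e1319ef7cebd3e00ee11",
+"minikube.k8s.io/name": "minikube",
+"minikube.k8s.io/updated_at": "2022_01_03T11_57_45_0700",
+"minikube.k8s.io/version": "v1.21.0",
+"node-role.kubernetes.io/control-plane": "",
+"node-role.kubernetes.io/master": ""
+},
+"name": "minikube",
+"resourceVersion": "33341",
+"uid": "6b3a6670-92aa-41b5-a8a7-a96372b4986b"
+},
+"spec": {
+"podCIDR": "10.244.0.0/24",
+"podCIDRs": [
+"10.244.0.0/24"
+]
+},
+"status": {
+"addresses": [
+{
+"address": "192.168.49.2",
+"type": "InternalIP"
+},
+{
+"address": "minikube",
+"type": "Hostname"
+}
+],
+"allocatable": {
+"cpu": "4",
+"ephemeral-storage": "92563096Ki",
+"hugepages-2Mi": "0",
+"memory": "10486240Ki",
+"pods": "110"
+},
+"capacity": {
+"cpu": "4",
+"ephemeral-storage": "92563096Ki",
+"hugepages-2Mi": "0",
+"memory": "10486240Ki",
+"pods": "110"
+},
+"conditions": [
+{
+"lastHeartbeatTime": "2022-01-05T07:47:39Z",
+"lastTransitionTime": "2022-01-03T09:57:39Z",
+"message": "kubelet has sufficient memory available",
+"reason": "KubeletHasSufficientMemory",
+"status": "False",
+"type": "MemoryPressure"
+},
+{
+"lastHeartbeatTime": "2022-01-05T07:47:39Z",
+"lastTransitionTime": "2022-01-03T09:57:39Z",
+"message": "kubelet has no disk pressure",
+"reason": "KubeletHasNoDiskPressure",
+"status": "False",
+"type": "DiskPressure"
+},
+{
+"lastHeartbeatTime": "2022-01-05T07:47:39Z",
+"lastTransitionTime": "2022-01-03T09:57:39Z",
+"message": "kubelet has sufficient PID available",
+"reason": "KubeletHasSufficientPID",
+"status": "False",
+"type": "PIDPressure"
+},
+{
+"lastHeartbeatTime": "2022-01-05T07:47:39Z",
+"lastTransitionTime": "2022-01-03T09:58:00Z",
+"message": "kubelet is posting ready status",
+"reason": "KubeletReady",
+"status": "True",
+"type": "Ready"
+}
+],
+"daemonEndpoints": {
+"kubeletEndpoint": {
+"Port": 10250
+}
+},
+"images": [
+{
+"names": [
+"influxdb@sha256:1a48c5c4b957b795cdf381bcf91e0d7de9edea2d9be984afbd6e4922e2e24484",
+"influxdb:latest"
+],
+"sizeBytes": 345902306
+},
+{
+"names": [
+"k8s.gcr.io/etcd@sha256:4ad90a11b55313b182afc186b9876c8e891531b8db4c9bf1541953021618d0e2",
+"k8s.gcr.io/etcd:3.4.13-0"
+],
+"sizeBytes": 253392289
+},
+{
+"names": [
+"kubernetesui/dashboard@sha256:7f80b5ba141bead69c4fee8661464857af300d7d7ed0274cf7beecedc00322e6",
+"kubernetesui/dashboard:v2.1.0"
+],
+"sizeBytes": 225733746
+},
+{
+"names": [
+"k8s.gcr.io/kube-apiserver@sha256:5ab3d676c426bfb272fb7605e6978b90d5676913636a6105688862849961386f",
+"k8s.gcr.io/kube-apiserver:v1.20.7"
+],
+"sizeBytes": 121762183
+},
+{
+"names": [
+"k8s.gcr.io/kube-proxy@sha256:5d2be61150535ed37b7a5fa5a8239f89afee505ab2fae05247447851eed710a8",
+"k8s.gcr.io/kube-proxy:v1.20.7"
+],
+"sizeBytes": 118396107
+},
+{
+"names": [
+"k8s.gcr.io/kube-controller-manager@sha256:eb9b121cbe40cf9016b95cefd34fb9e62c4caf1516188a98b64f091d871a2d46",
+"k8s.gcr.io/kube-controller-manager:v1.20.7"
+],
+"sizeBytes": 116298119
+},
+{
+"names": [
+"nginx@sha256:f7988fb6c02e0ce69257d9bd9cf37ae20a60f1df7563c3a2a6abe24160306b8d",
+"nginx:1.14.2"
+],
+"sizeBytes": 109129446
+},
+{
+"names": [
+"k8s.gcr.io/kube-scheduler@sha256:6fdb12580353b6cd59de486ca650e3ba9270bc8d52f1d3052cd9bb1d4f28e189",
+"k8s.gcr.io/kube-scheduler:v1.20.7"
+],
+"sizeBytes": 47268231
+},
+{
+"names": [
+"k8s.gcr.io/coredns@sha256:73ca82b4ce829766d4f1f10947c3a338888f876fbed0540dc849c89ff256e90c",
+"k8s.gcr.io/coredns:1.7.0"
+],
+"sizeBytes": 45227747
+},
+{
+"names": [
+"kubernetesui/metrics-scraper@sha256:555981a24f184420f3be0c79d4efb6c948a85cfce84034f85a563f4151a81cbf",
+"kubernetesui/metrics-scraper:v1.0.4"
+],
+"sizeBytes": 36937728
+},
+{
+"names": [
+"gcr.io/k8s-minikube/storage-provisioner@sha256:18eb69d1418e854ad5a19e399310e52808a8321e4c441c1dddad8977a0d7a944",
+"gcr.io/k8s-minikube/storage-provisioner:v5"
+],
+"sizeBytes": 31465472
+},
+{
+"names": [
+"k8s.gcr.io/goproxy@sha256:5334c7ad43048e3538775cb09aaf184f5e8acf4b0ea60e3bc8f1d93c209865a5",
+"k8s.gcr.io/goproxy:0.1"
+],
+"sizeBytes": 5489816
+},
+{
+"names": [
+"k8s.gcr.io/test-webserver@sha256:f63e365c13646f231ec4a16791c6133ddd7b80fcd1947f41ab193968e02b0745",
+"k8s.gcr.io/test-webserver:latest"
+],
+"sizeBytes": 4534272
+},
+{
+"names": [
+"k8s.gcr.io/pause@sha256:927d98197ec1141a368550822d18fa1c60bdae27b78b0c004f705f548c07814f",
+"k8s.gcr.io/pause:3.2"
+],
+"sizeBytes": 682696
+}
+],
+"nodeInfo": {
+"architecture": "amd64",
+"bootID": "85cb3c8a-7d8e-4885-9a9c-e8a340332f21",
+"containerRuntimeVersion": "docker://20.10.7",
+"kernelVersion": "5.11.0-43-generic",
+"kubeProxyVersion": "v1.20.7",
+"kubeletVersion": "v1.20.7",
+"machineID": "b77ec962e3734760b1e756ffc5e83152",
+"operatingSystem": "linux",
+"osImage": "Ubuntu 20.04.2 LTS",
+"systemUUID": "5bc452e6-12eb-404d-a17e-7df23ff82f57"
+}
+}
+}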
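--- a/rules/outdated-k8s-version/test/fail2/expected.json
+++ b/rules/outdated-k8s-version/test/fail2/expected.json
@@ -0,0 +1,35 @@
+[
+{
+"alertMessage": "Your kubelet version: v1.25.3, in node: attack-chain-6-control-plane is outdated",
+"failedPaths": null,
+"reviewPaths": [
+"status.nodeInfo.kubeletVersion"
+],
+"deletePaths": null,
+"fixPaths": null,
+"ruleStatus": "",
+"packagename": "",
+"alertScore": 0,
+"alertObject": {
+"k8sApiObjects": [
+{
+"apiVersion": "v1",
+"kind": "Node",
+"metadata": {
+"labels": {
+"beta.kubernetes.io/arch": "amd64",
+"beta.kubernetes.io/os": "linux",
+"ingress-ready": "true",
+"kubernetes.io/arch": "amd64",
+"kubernetes.io/hostname": "attack-chain-6-control-plane",
+"kubernetes.io/os": "linux",
+"node-role.kubernetes.io/control-plane": "",
+"node.kubernetes.io/exclude-from-external-load-balancers": ""
+},
+"name": "attack-chain-6-control-plane"
+}
+}
+]
+}
+}
+]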
