Skip to content

Commit

Permalink
feat(k8s)!: node-collector dynamic commands support (#6861)
Browse files Browse the repository at this point in the history
Signed-off-by: chenk <[email protected]>
  • Loading branch information
chen-keinan authored Jun 26, 2024
1 parent a76e328 commit 8d618e4
Show file tree
Hide file tree
Showing 18 changed files with 353 additions and 69 deletions.
224 changes: 223 additions & 1 deletion docs/docs/compliance/compliance.md
Original file line number Diff line number Diff line change
Expand Up @@ -35,9 +35,231 @@ to specify a built-in compliance report, select it by ID like `trivy --complianc
For the list of built-in compliance reports, please see the relevant section:

- [Docker compliance](../target/container_image.md#compliance)
- [Kubernetes compliance](../target/kubernetes.md#compliance)
- [Kubernetes compliance](../target/kubernetes.md#compliance)
- [AWS compliance](../target/aws.md#compliance)

## Contribute a Built-in Compliance Report

### Define a Compliance spec, based on CIS benchmark or other specs

Here is an example for CIS compliance report:

```yaml
---
spec:
id: k8s-cis-1.23
title: CIS Kubernetes Benchmarks v1.23
description: CIS Kubernetes Benchmarks
platform: k8s
type: cis
version: '1.23'
relatedResources:
- https://www.cisecurity.org/benchmark/kubernetes
controls:
- id: 1.1.1
name: Ensure that the API server pod specification file permissions are set to
600 or more restrictive
description: Ensure that the API server pod specification file has permissions
of 600 or more restrictive
checks:
- id: AVD-KCV-0073
commands:
- id: CMD-0001
severity: HIGH

```

### Compliance ID

ID field is the name used to execute the compliance scan via trivy
example:

```sh
trivy k8s --compliance k8s-cis-1.23
```

ID naming convention: {platform}-{type}-{version}

### Compliance Platform

The platform field specifies the type of platform on which to run this compliance report.
Supported platforms:

- k8s (native kubernetes cluster)
- eks (elastic kubernetes service)
- aks (azure kubernetes service)
- gke (google kubernetes engine)
- rke2 (rancher kubernetes engine v2)
- ocp (OpenShift Container Platform)
- docker (docker engine)
- aws (amazon web services)

### Compliance Type

The type field specifies the kind compliance report.

- cis (Center for Internet Security)
- nsa (National Security Agency)
- pss (Pod Security Standards)

### Compliance Version

The version field specifies the version of the compliance report.

- 1.23

### Compliance Check ID

Specify the check ID that needs to be evaluated based on the information collected from the command data output to assess the control.

Example of how to define check data under [checks folder](https://github.com/aquasecurity/trivy-checks/tree/main/checks):

```sh
# METADATA
# title: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive"
# description: "Ensure that the kubelet.conf file has permissions of 600 or more restrictive."
# scope: package
# schemas:
# - input: schema["kubernetes"]
# related_resources:
# - https://www.cisecurity.org/benchmark/kubernetes
# custom:
# id: KCV0073
# avd_id: AVD-KCV-0073
# severity: HIGH
# short_code: ensure-kubelet.conf-file-permissions-600-or-more-restrictive.
# recommended_action: "Change the kubelet.conf file permissions to 600 or more restrictive if exist"
# input:
# selector:
# - type: kubernetes
package builtin.kubernetes.KCV0073

import data.lib.kubernetes

types := ["master", "worker"]

validate_kubelet_file_permission(sp) := {"kubeletConfFilePermissions": violation} {
sp.kind == "NodeInfo"
sp.type == types[_]
violation := {permission | permission = sp.info.kubeletConfFilePermissions.values[_]; permission > 600}
count(violation) > 0
}

deny[res] {
output := validate_kubelet_file_permission(input)
msg := "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive"
res := result.new(msg, output)
}
```

### Compliance Command ID

***Note:*** This field is not mandatory, it is relevant to k8s compliance report when node-collector is in use

Specify the command ID (#ref) that needs to be executed to collect the information required to evaluate the control.

Example of how to define command data under [commands folder](https://github.com/aquasecurity/trivy-checks/tree/main/commands)

```yaml
---
- id: CMD-0001
key: kubeletConfFilePermissions
title: kubelet.conf file permissions
nodeType: worker
audit: stat -c %a $kubelet.kubeconfig
platfroms:
- k8s
- aks
```
#### Command ID
Find the next command ID by running the command on [trivy-checks project](https://github.com/aquasecurity/trivy-checks).
```sh
make command-id
```

#### Command Key

- Re-use an existing key or specifiy a new one (make sure key name has no spaces)

Note: The key value should match the key name evaluated by the Rego check.

### Command Title

Represent the purpose of the command

### Command NodeType

Specify the node type on which the command is supposed to run.

- worker
- master

### Command Audit

Specify here the shell command to be used please make sure to add error supression (2>/dev/null)

### Command Platforms

The list of platforms that support this command. Name should be taken from this list [Platforms](#compliance-platform)

### Command Config Files

The commands use a configuration file that helps obtain the paths to binaries and configuration files based on different platforms (e.g., Rancher, native Kubernetes, etc.).

For example:

```yaml
kubelet:
bins:
- kubelet
- hyperkube kubelet
confs:
- /etc/kubernetes/kubelet-config.yaml
- /var/lib/kubelet/config.yaml
```
### Commands Files Location
Currently checks files location are :`https://github.com/aquasecurity/trivy-checks/tree/main/checks`

Command files location: `https://github.com/aquasecurity/trivy-checks/tree/main/commands`
under command file

Note: command config files will be located under `https://github.com/aquasecurity/trivy-checks/tree/main/commands` as well

### Node-collector output

The node collector will read commands and execute each command, and incorporate the output into the NodeInfo resource.

example:

```json
{
"apiVersion": "v1",
"kind": "NodeInfo",
"metadata": {
"creationTimestamp": "2023-01-04T11:37:11+02:00"
},
"type": "master",
"info": {
"adminConfFileOwnership": {
"values": [
"root:root"
]
},
"adminConfFilePermissions": {
"values": [
600
]
}
...
}
}
```

## Custom compliance

You can create your own custom compliance report. A compliance report is a simple YAML document in the following format:
Expand Down
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_image.md
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ trivy image [flags] IMAGE_NAME
--cache-ttl duration cache TTL when using redis as cache backend
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--compliance string compliance report to generate (docker-cis)
--compliance string compliance report to generate (docker-cis-1.6.0)
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--custom-headers strings custom headers in client mode
Expand Down
4 changes: 2 additions & 2 deletions docs/docs/references/configuration/cli/trivy_kubernetes.md
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ trivy kubernetes [flags] [CONTEXT]
--cache-ttl duration cache TTL when using redis as cache backend
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
--compliance string compliance report to generate (k8s-nsa,k8s-cis,k8s-pss-baseline,k8s-pss-restricted)
--compliance string compliance report to generate (k8s-nsa-1.0,k8s-cis-1.23,eks-cis-1.4,rke2-cis-1.24,k8s-pss-baseline-0.1,k8s-pss-restricted-0.1)
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
Expand Down Expand Up @@ -71,7 +71,7 @@ trivy kubernetes [flags] [CONTEXT]
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--no-progress suppress progress bar
--node-collector-imageref string indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.2.1")
--node-collector-imageref string indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.3.1")
--node-collector-namespace string specify the namespace in which the node-collector job should be deployed (default "trivy-temp")
--offline-scan do not issue API requests to identify dependencies
-o, --output string output file name
Expand Down
4 changes: 2 additions & 2 deletions docs/docs/target/container_image.md
Original file line number Diff line number Diff line change
Expand Up @@ -436,14 +436,14 @@ The following reports are available out of the box:

| Compliance | Version | Name for command | More info |
|----------------------------------------|---------|------------------|---------------------------------------------------------------------------------------------|
| CIS Docker Community Edition Benchmark | 1.1.0 | `docker-cis` | [Link](https://www.aquasec.com/cloud-native-academy/docker-container/docker-cis-benchmark/) |
| CIS Docker Community Edition Benchmark | 1.1.0 | `docker-cis-1.6.0` | [Link](https://www.aquasec.com/cloud-native-academy/docker-container/docker-cis-benchmark/) |

### Examples

Scan a container image configuration and generate a compliance summary report:

```
$ trivy image --compliance docker-cis [YOUR_IMAGE_NAME]
trivy image --compliance docker-cis-1.6.0 [YOUR_IMAGE_NAME]
```

!!! note
Expand Down
20 changes: 11 additions & 9 deletions docs/docs/target/kubernetes.md
Original file line number Diff line number Diff line change
Expand Up @@ -355,12 +355,14 @@ For an overview of Trivy's Compliance feature, including working with custom com
The following reports are available out of the box:
| Compliance | Name for command | More info |
|----------------------------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------|
| NSA, CISA Kubernetes Hardening Guidance v1.2 | `k8s-nsa` | [Link](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF) |
| CIS Benchmark for Kubernetes v1.23 | `k8s-cis` | [Link](https://www.cisecurity.org/benchmark/kubernetes) |
| Pod Security Standards, Baseline | `k8s-pss-baseline` | [Link](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline) |
| Pod Security Standards, Restricted | `k8s-pss-restricted` | [Link](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) |
| Compliance | Name for command | More info |
|----------------------------------------------|--------------------------|---------------------------------------------------------------------------------------------------------------------|
| NSA, CISA Kubernetes Hardening Guidance v1.0 | `k8s-nsa-1.0` | [Link](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF) |
| CIS Benchmark for Kubernetes v1.23 | `k8s-cis-1.23` | [Link](https://www.cisecurity.org/benchmark/kubernetes) |
| CIS Benchmark for RKE2 v1.24 | `rke2-cis-1.24` | [Link](https://www.cisecurity.org/benchmark/kubernetes) |
| CIS Benchmark for EKS v1.4 | `eks-cis-1.4` | [Link](https://www.cisecurity.org/benchmark/kubernetes) |
| Pod Security Standards, Baseline | `k8s-pss-baseline-0.1` | [Link](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline) |
| Pod Security Standards, Restricted | `k8s-pss-restricted-0.1` | [Link](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) |
Examples:
Expand All @@ -376,23 +378,23 @@ Get the detailed report for checks:
```
trivy k8s --compliance=k8s-cis --report all
trivy k8s --compliance=k8s-cis-1.23 --report all
```
Get summary report in JSON format:
```
trivy k8s --compliance=k8s-cis --report summary --format json
trivy k8s --compliance=k8s-cis-1.23 --report summary --format json
```
Get detailed report in JSON format:
```
trivy k8s --compliance=k8s-cis --report all --format json
trivy k8s --compliance=k8s-cis-1.23 --report all --format json
```
Expand Down
15 changes: 8 additions & 7 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,10 @@ require (
github.com/aquasecurity/table v1.8.0
github.com/aquasecurity/testdocker v0.0.0-20240613070307-2c3868d658ac
github.com/aquasecurity/tml v0.6.1
github.com/aquasecurity/trivy-checks v0.11.0
github.com/aquasecurity/trivy-checks v0.13.0
github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240516051533-4c5a4aad13b7
github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240625102549-87c0f9c7bcf4
github.com/aws/aws-sdk-go-v2 v1.27.2
github.com/aws/aws-sdk-go-v2/config v1.27.18
github.com/aws/aws-sdk-go-v2/credentials v1.17.18
Expand Down Expand Up @@ -167,7 +167,7 @@ require (
github.com/antchfx/xpath v1.3.0 // indirect
github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aws/aws-sdk-go v1.53.0 // indirect
github.com/aws/aws-sdk-go v1.53.16 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9 // indirect
Expand Down Expand Up @@ -205,6 +205,7 @@ require (
github.com/docker/go-metrics v0.0.1 // indirect
github.com/docker/go-units v0.5.0 // indirect
github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
github.com/dsnet/compress v0.0.1 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
github.com/emicklei/go-restful/v3 v3.11.0 // indirect
github.com/emirpasic/gods v1.18.1 // indirect
Expand Down Expand Up @@ -369,12 +370,12 @@ require (
k8s.io/apiextensions-apiserver v0.30.0 // indirect
k8s.io/apimachinery v0.30.1 // indirect
k8s.io/apiserver v0.30.0 // indirect
k8s.io/cli-runtime v0.30.0 // indirect
k8s.io/client-go v0.30.0 // indirect
k8s.io/component-base v0.30.0 // indirect
k8s.io/cli-runtime v0.30.1 // indirect
k8s.io/client-go v0.30.1 // indirect
k8s.io/component-base v0.30.1 // indirect
k8s.io/klog/v2 v2.120.1 // indirect
k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
k8s.io/kubectl v0.30.0 // indirect
k8s.io/kubectl v0.30.1 // indirect
modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6 // indirect
modernc.org/libc v1.50.9 // indirect
modernc.org/mathutil v1.6.0 // indirect
Expand Down
Loading

0 comments on commit 8d618e4

Please sign in to comment.