diff --git a/RATIONALE.md b/RATIONALE.md index 52f12c808..d56efbc04 100644 --- a/RATIONALE.md +++ b/RATIONALE.md @@ -381,3 +381,6 @@ closing watches for ConfigMaps marked as immutable.*" #### *Check if Tiller is being used on the plaform*: [Tiller images](docs/LIST_OF_TESTS.md#tiller-images) > *Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation as restricted users can impact other users. It is recommend to use Helm v3+ which does not contain Tiller for these reasons + +#### *Check if secrets are encrypted on the plaform*: [Kubescape secret/etcd](docs/LIST_OF_TESTS.md#kubescape-secret-etcd) +> *Secret encryption is not enabled by default in kubernetes environment. As secrets contains sensitive information, it is recommended to encrypt these values. For encrypting secret in etcd, we are using encryption in rest, this will cause, that there will not be secret key value in plain text format anymore in etcd. \ No newline at end of file diff --git a/USAGE.md b/USAGE.md index cacee4052..7278a0227 100644 --- a/USAGE.md +++ b/USAGE.md @@ -1395,3 +1395,15 @@ Switch to using Helm v3+ and make sure not to pull any images with name tiller i +## [Kubescape secret/etcd](docs/LIST_OF_TESTS.md#kubescape-secret-etcd) + +##### To run the Kubescape secret/etcd test, you can use the following command: +``` +./cnf-testsuite platform:kubescape_secret_etc +``` + +Remediation for failing this test: + +Check version of ETCDCTL in etcd pod, it should be v3.+ + + \ No newline at end of file diff --git a/embedded_files/points.yml b/embedded_files/points.yml index 9b5c54897..e0206d25c 100644 --- a/embedded_files/points.yml +++ b/embedded_files/points.yml 
@@ -360,6 +360,10 @@ emoji: "🔓🔑" tags: ["platform", "platform:security", "dynamic"] +- name: kubescape_secret_etcd + emoji: "🔓🔑" + tags: ["platform", "platform:security", "dynamic"] + - name: external_ips emoji: "🔓🔑" tags: [security, dynamic, workload, cert, normal] diff --git a/src/tasks/platform/security.cr b/src/tasks/platform/security.cr index 444cad34d..9a44e4c52 100644 --- a/src/tasks/platform/security.cr +++ b/src/tasks/platform/security.cr @@ -83,4 +83,23 @@ namespace "platform" do end end end + + desc "Kubescape secret/etcd" + task "kubescape_secret_etcd", ["kubescape_scan"] do |t, args| + next if args.named["offline"]? + + CNFManager::Task.task_runner(args, task: t, check_cnf_installed: false) do |args, config| + results_json = Kubescape.parse + test_json = Kubescape.test_by_test_name(results_json, "Secret/ETCD encryption enabled") + test_report = Kubescape.parse_test_report(test_json) + + if test_report.failed_resources.size == 0 + CNFManager::TestcaseResult.new(CNFManager::ResultStatus::Passed, "Secret/etcd encryption enabled") + else + test_report.failed_resources.map {|r| stdout_failure(r.alert_message) } + stdout_failure("Remediation: #{test_report.remediation}") + CNFManager::TestcaseResult.new(CNFManager::ResultStatus::Failed, "Secret/etcd encryption disabled") + end + end + end end
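Review bot: The new RATIONALE.md paragraph misstates what the test does and needs a copy edit before merge. "we are using encryption in rest, this will cause, that there will not be secret key value in plain text format anymore in etcd" reads as if the suite itself enables encryption; the task added in src/tasks/platform/security.cr only reads the Kubescape result for the "Secret/ETCD encryption enabled" control and reports it. Suggest: "Secret encryption is not enabled by default in Kubernetes. Because Secrets hold sensitive data, encryption at rest should be enabled so that Secret values are no longer stored in plain text in etcd." The new heading also repeats the existing typo "plaform" (present in the Tiller heading directly above as well), and the hunk removes the file's trailing newline ("\ No newline at end of file"). Both the RATIONALE.md and USAGE.md headings link to docs/LIST_OF_TESTS.md#kubescape-secret-etcd, but this patch does not touch docs/LIST_OF_TESTS.md, so that anchor must already exist there or both links dangle.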
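Review bot: The command in the new USAGE.md section is wrong: `./cnf-testsuite platform:kubescape_secret_etc` drops the final `d`, while the task registered in src/tasks/platform/security.cr and embedded_files/points.yml is `kubescape_secret_etcd`, so a user copying this line gets an unknown-task error; fix to `./cnf-testsuite platform:kubescape_secret_etcd`. The remediation text ("Check version of ETCDCTL in etcd pod, it should be v3.+") does not match the test either: the task fails on the Kubescape "Secret/ETCD encryption enabled" control, and checking the etcdctl version does nothing to enable encryption at rest. The remediation should tell the operator to enable encryption at rest for Secrets, consistent with the RATIONALE.md text, and can point out that a failing run already prints Kubescape's own guidance via `stdout_failure("Remediation: #{test_report.remediation}")`. The section also ends in stray blank lines with no trailing newline.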
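Review bot: In the new `kubescape_secret_etcd` task, `next if args.named["offline"]?` exits without recording any result, so an offline run is indistinguishable from a test that never executed; return an explicit skipped result if the suite's `CNFManager::TestcaseResult` supports one, or at least log why the check was bypassed. Two style points in the failure branch: `test_report.failed_resources.map {|r| stdout_failure(r.alert_message) }` uses `map` purely for its side effect and discards the resulting array, so `each` is the right call, and `test_report.failed_resources.size == 0` is more idiomatically `test_report.failed_resources.empty?`. Finally, `desc "Kubescape secret/etcd"` is less informative than the control the task actually queries; consider describing it as the "Secret/ETCD encryption enabled" check so the `--help` output and the pass/fail messages ("Secret/etcd encryption enabled"/"disabled") line up.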