feat(controllermanager): add checks for Kubernetes Controller Manager #3291
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
MrCloudSec
added
prowler-4.0
provider/kubernetes
jfagoagas
requested changes
Feb 22, 2024
.../services/controllermanager/controllermanager_bind_address/controllermanager_bind_address.py
Show resolved
Hide resolved
| "ResourceType": "KubernetesControllerManager", | ||
| "Description": "This check ensures that profiling is disabled in the Kubernetes Controller Manager, reducing the potential attack surface.", | ||
| "Risk": "Enabling profiling can expose detailed system and program information, which could be exploited if accessed by unauthorized users.", | ||
| "RelatedUrl": "https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md", |
There was a problem hiding this comment.
Broken link, if you use Github links please set the permalink.
| }, | ||
| "Recommendation": { | ||
| "Text": "Disable profiling in the Kubernetes Controller Manager for enhanced security.", | ||
| "Url": "https://kubernetes.io/docs/admin/kube-controller-manager/" |
| f"Controller Manager has profiling enabled in pod {pod.name}." | ||
| ) | ||
| for container in pod.containers.values(): | ||
| if "--profiling=false" in str(container.command): |
There was a problem hiding this comment.
I think you have to check if this is not set and just break the loop if that happens.
| f"Controller Manager has the root CA file set in pod {pod.name}." | ||
| ) | ||
| for container in pod.containers.values(): | ||
| if "--root-ca-file=" in str(container.command): |
There was a problem hiding this comment.
I think you have to check if this is not set and just break the loop if that happens.
| }, | ||
| "Recommendation": { | ||
| "Text": "Configure the Controller Manager with a root CA file to enhance security for pods communicating with the API server.", | ||
| "Url": "https://kubernetes.io/docs/admin/kube-controller-manager/" |
| "ResourceType": "KubernetesControllerManager", | ||
| "Description": "This check verifies that the Kubernetes Controller Manager is configured with the --root-ca-file argument set to a certificate bundle file, allowing pods to verify the API server's serving certificate.", | ||
| "Risk": "Not setting the root CA file can expose pods to man-in-the-middle attacks due to unverified TLS connections to the API server.", | ||
| "RelatedUrl": "https://github.com/kubernetes/kubernetes/issues/11000", |
There was a problem hiding this comment.
Is the only resource available?
| "ResourceType": "KubernetesControllerManager", | ||
| "Description": "This check ensures that the Kubernetes Controller Manager is configured with the RotateKubeletServerCertificate argument set to true, enabling automated rotation of kubelet server certificates.", | ||
| "Risk": "Not enabling kubelet server certificate rotation could lead to downtime due to expired certificates.", | ||
| "RelatedUrl": "https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller", |
| "ResourceType": "KubernetesControllerManager", | ||
| "Description": "This check verifies that the Kubernetes Controller Manager is configured to use individual service account credentials for each controller, enhancing the security and role separation within the Kubernetes system.", | ||
| "Risk": "Not using individual service account credentials can lead to overly broad permissions and potential security risks.", | ||
| "RelatedUrl": "https://kubernetes.io/docs/admin/service-accounts-admin/", |
| "ResourceType": "KubernetesControllerManager", | ||
| "Description": "This check ensures that the Kubernetes Controller Manager is configured with the --service-account-private-key-file argument set to the private key file for service accounts.", | ||
| "Risk": "Not setting a private key file for service accounts can hinder the ability to securely rotate service account tokens.", | ||
| "RelatedUrl": "https://kubernetes.io/docs/admin/kube-controller-manager/", |
jfagoagas
reviewed
Feb 22, 2024
| kubelete_server_cert = True | ||
| for command in container.command: | ||
| if command.startswith("--feature-gates"): | ||
| if "RotateKubeletServerCertificate=true" in ( |
There was a problem hiding this comment.
Ar you sure of this logic? Wouldn't it be the other way around?
jfagoagas
requested changes
Feb 22, 2024
jfagoagas
approved these changes
Feb 22, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Add all checks for Kubernetes Controller Manager:
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.