feat(etcd): add checks for Kubernetes etcd #3294
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
MrCloudSec
added
prowler-4.0
provider/kubernetes
jfagoagas
requested changes
Feb 22, 2024
| "ResourceType": "EtcdService", | ||
| "Description": "This check ensures that client authentication is enabled for the etcd service, which is a key-value store used by Kubernetes for persistent storage of all REST API objects. Enabling client authentication helps in securing access to etcd.", | ||
| "Risk": "If --client-cert-auth is not set to true, etcd service may be accessible by unauthenticated clients, posing a significant security risk.", | ||
| "RelatedUrl": "https://coreos.com/etcd/docs/latest/op-guide/security.html", |
| }, | ||
| "Recommendation": { | ||
| "Text": "Enable client certificate authentication for the etcd service for improved security.", | ||
| "Url": "https://coreos.com/etcd/docs/latest/op-guide/security.html" |
prowler/providers/kubernetes/services/etcd/etcd_client_cert_auth/etcd_client_cert_auth.py
Show resolved
Hide resolved
| "ResourceType": "EtcdService", | ||
| "Description": "This check ensures that etcd does not use self-signed certificates for TLS, which are less secure than certificates from a trusted authority. Avoiding self-signed certificates enhances the security of etcd.", | ||
| "Risk": "Using --auto-tls=true may result in the use of self-signed certificates, reducing the overall security of the etcd service.", | ||
| "RelatedUrl": "https://coreos.com/etcd/docs/latest/op-guide/security.html", |
| }, | ||
| "Recommendation": { | ||
| "Text": "Ensure etcd is not using self-signed certificates for TLS.", | ||
| "Url": "https://coreos.com/etcd/docs/latest/op-guide/security.html" |
| for container in pod.containers.values(): | ||
| for command in container.command: | ||
| if command.startswith("--trusted-ca-file"): | ||
| etcd_ca_file = command.split("=")[1] |
There was a problem hiding this comment.
Also here you should get all the CA files configured in each container, not just one because they can be different.
prowler/providers/kubernetes/services/etcd/etcd_peer_tls_config/etcd_peer_tls_config.py
Show resolved
Hide resolved
.../providers/kubernetes/services/etcd/etcd_peer_client_cert_auth/etcd_peer_client_cert_auth.py
Show resolved
Hide resolved
prowler/providers/kubernetes/services/etcd/etcd_no_peer_auto_tls/etcd_no_peer_auto_tls.py
Show resolved
Hide resolved
prowler/providers/kubernetes/services/etcd/etcd_no_auto_tls/etcd_no_auto_tls.py
Show resolved
Hide resolved
|
The controller manager check included in this PR is expected right? If so, add it to the PR body. |
jfagoagas
requested changes
Feb 22, 2024
Comment on lines
16
to
18
| if "--auto-tls=" in str(container.command) and "--auto-tls=true" in str( | ||
| container.command | ||
| ): |
There was a problem hiding this comment.
Suggested change
| if "--auto-tls=" in str(container.command) and "--auto-tls=true" in str( | |
| container.command | |
| ): | |
| if "--auto-tls=true" in str(container.command): |
| for container in pod.containers.values(): | ||
| if "--peer-cert-file" not in str( | ||
| container.command | ||
| ) or "--peer-key-file" not in str(container.command): |
| f"Etcd has client certificate authentication enabled in pod {pod.name}." | ||
| ) | ||
| for container in pod.containers.values(): | ||
| if "--client-cert-auth=true" not in str(container.command): |
| report.status = "PASS" | ||
| report.status_extended = f"Etcd is configured for peer client certificate authentication in pod {pod.name}." | ||
| for container in pod.containers.values(): | ||
| if "--peer-client-cert-auth=true" not in str(container.command): |
There was a problem hiding this comment.
Include --peer-client-cert-auth
jfagoagas
reviewed
Feb 22, 2024
prowler/providers/kubernetes/services/etcd/etcd_client_cert_auth/etcd_client_cert_auth.py
Outdated
Show resolved
Hide resolved
jfagoagas
approved these changes
Feb 22, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Add all checks for Kubernetes etcd and one left for scheduler:
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.