Merge branch 'master' into security_fw_update

kubescape · Apr 21, 2024 · 37efdc3 · 37efdc3
2 parents 24089bc + e3f1133
commit 37efdc3
Show file tree

Hide file tree

Showing 18 changed files with 56 additions and 38 deletions.
diff --git a/attack-tracks/external-workload-with-cluster-takeover-roles.json b/attack-tracks/external-workload-with-cluster-takeover-roles.json
@@ -0,0 +1,20 @@
+{
+    "apiVersion": "regolibrary.kubescape/v1alpha1",
+    "kind": "AttackTrack",
+    "metadata": {
+        "name": "external-workload-with-cluster-takeover-roles"
+    },
+    "spec": {
+        "version": "1.0",
+        "data": {
+            "name": "Initial Access",
+            "description": "An attacker can access the Kubernetes environment.",
+            "subSteps": [
+                {
+                    "name": "Cluster Access",
+                    "description": "An attacker has access to sensitive information and can leverage them by creating pods in the cluster."
+                }
+            ]
+        }
+    }
+}
diff --git a/controls/C-0256-exposuretointernet.json b/controls/C-0256-exposuretointernet.json
@@ -17,6 +17,12 @@
                     "Initial Access"
                 ]
             },
+            {
+                "attackTrack": "external-workload-with-cluster-takeover-roles",
+                "categories": [
+                    "Initial Access"
+                ]
+            },
             {
                 "attackTrack": "external-database-without-authentication",
                 "categories": [

diff --git a/controls/C-0266-exposuretointernet-gateway.json b/controls/C-0266-exposuretointernet-gateway.json
@@ -16,6 +16,12 @@
                 "categories": [
                     "Initial Access"
                 ]
+            },
+            {
+                "attackTrack": "external-workload-with-cluster-takeover-roles",
+                "categories": [
+                    "Initial Access"
+                ]
             }
         ]
     },

diff --git a/controls/C-0267-workloadwithclustertakeoverroles.json b/controls/C-0267-workloadwithclustertakeoverroles.json
@@ -4,7 +4,16 @@
         "controlTypeTags": [
             "security"
         ],
-        "attackTracks": []
+        "attackTracks": [
+            {
+                "attackTrack": "external-workload-with-cluster-takeover-roles",
+                "categories": [
+                    "Cluster Access"
+                ],
+                "displayRelatedResources": true,
+                "clickableResourceKind": "ServiceAccount"
+            }
+        ]
     },
     "description": "Cluster takeover roles include workload creation or update and secret access. They can easily lead to super privileges in the cluster. If an attacker can exploit this workload then the attacker can take over the cluster using the RBAC privileges this workload is assigned to.",
     "remediation": "You should apply least privilege principle. Make sure each service account has only the permissions that are absolutely necessary.",
@@ -16,12 +25,12 @@
     "controlID": "C-0267",
     "baseScore": 6.0,
     "category": {
-        "name" : "Workload"
-   },
+        "name": "Workload"
+    },
     "scanningScope": {
         "matches": [
             "cluster",
             "file"
         ]
     }
-}
+}
diff --git a/frameworks/__YAMLscan.json b/frameworks/__YAMLscan.json
@@ -1,9 +1,7 @@
 {
     "name": "YAML-scanning",
     "description": "Controls relevant to yamls",
-    "attributes": {
-        "armoBuiltin": true
-    },
+    "attributes": {},
     "scanningScope": {
         "matches": [
             "file"

diff --git a/frameworks/allcontrols.json b/frameworks/allcontrols.json
@@ -1,9 +1,7 @@
 {
     "name": "AllControls",
     "description": "Contains all the controls from all the frameworks",
-    "attributes": {
-        "armoBuiltin": true
-    },
+    "attributes": {},
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/frameworks/armobest.json b/frameworks/armobest.json
@@ -1,9 +1,7 @@
 {
     "name": "ArmoBest",
     "description": "",
-    "attributes": {
-        "armoBuiltin": true
-    },
+    "attributes": {},
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/frameworks/cis-aks-t1.2.0.json b/frameworks/cis-aks-t1.2.0.json
@@ -2,7 +2,6 @@
     "name": "cis-aks-t1.2.0",
     "description": "Testing CIS for Azure Kubernetes Service (AKS) as suggested by CIS benchmark: https://workbench.cisecurity.org/benchmarks/9058",
     "attributes": {
-        "armoBuiltin": true,
         "version": "v1.2.0"
     },
     "scanningScope": {

diff --git a/frameworks/cis-eks-t1.2.0.json b/frameworks/cis-eks-t1.2.0.json
@@ -2,7 +2,6 @@
     "name": "cis-eks-t1.2.0",
     "description": "Testing CIS for Amazon Elastic Kubernetes Service (EKS) as suggested by CIS benchmark: https://workbench.cisecurity.org/benchmarks/9681",
     "attributes": {
-        "armoBuiltin": true,
         "version": "v1.2.0"
     },
     "scanningScope": {

diff --git a/frameworks/cis-v1.23-t1.0.1.json b/frameworks/cis-v1.23-t1.0.1.json
@@ -2,7 +2,6 @@
     "name": "cis-v1.23-t1.0.1",
     "description": "Testing CIS for Kubernetes as suggested by CIS in https://workbench.cisecurity.org/benchmarks/8973",
     "attributes": {
-        "armoBuiltin": true,
         "version": "v1.0.1"
     },
     "scanningScope": {

diff --git a/frameworks/clusterscan.json b/frameworks/clusterscan.json
@@ -1,9 +1,7 @@
 {
     "name": "ClusterScan",
     "description": "Framework for scanning a cluster",
-    "attributes": {
-        "armoBuiltin": true
-    },
+    "attributes": {},
     "typeTags": [
         "security"
     ],

diff --git a/frameworks/devopsbest.json b/frameworks/devopsbest.json
@@ -1,9 +1,7 @@
 {
     "name": "DevOpsBest",
     "description": "",
-    "attributes": {
-        "armoBuiltin": true
-    },
+    "attributes": {},
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/frameworks/mitre.json b/frameworks/mitre.json
@@ -1,9 +1,7 @@
 {
     "name": "MITRE",
     "description": "Testing MITRE for Kubernetes as suggested by microsoft in https://www.microsoft.com/security/blog/wp-content/uploads/2020/04/k8s-matrix.png",
-    "attributes": {
-        "armoBuiltin": true
-    },
+    "attributes": {},
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/frameworks/nsaframework.json b/frameworks/nsaframework.json
@@ -1,9 +1,7 @@
 {
     "name": "NSA",
     "description": "Implement NSA security advices for K8s ",
-    "attributes": {
-        "armoBuiltin": true
-    },
+    "attributes": {},
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/frameworks/security.json b/frameworks/security.json
@@ -1,9 +1,7 @@
 {
     "name": "security",
     "description": "Controls that are used to assess security threats.",
-    "attributes": {
-        "armoBuiltin": true
-    },
+    "attributes": {},
     "typeTags": [
         "security"
     ],

diff --git a/frameworks/soc2.json b/frameworks/soc2.json
@@ -1,9 +1,7 @@
 {
     "name": "SOC2",
     "description": "SOC2 compliance related controls",
-    "attributes": {
-        "armoBuiltin": true
-    },
+    "attributes": {},
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/frameworks/workloadscan.json b/frameworks/workloadscan.json
@@ -1,9 +1,7 @@
 {
     "name": "WorkloadScan",
     "description": "Framework for scanning a workload",
-    "attributes": {
-        "armoBuiltin": true
-    },
+    "attributes": {},
     "typeTags": [
         "security"
     ],

diff --git a/rules/outdated-k8s-version/raw.rego b/rules/outdated-k8s-version/raw.rego
@@ -18,7 +18,7 @@ deny[msga] {
 
 has_outdated_version(version)  {
 	# the `supported_k8s_versions` is validated in the validations script against "https://api.github.com/repos/kubernetes/kubernetes/releases"
-    supported_k8s_versions := ["v1.29", "v1.28", "v1.27"] 
+    supported_k8s_versions := ["v1.30", "v1.29", "v1.28"] 
 	every v in supported_k8s_versions{
 		not startswith(version, v)
 	}