diff --git a/docs/providers/gardener.md b/docs/providers/gardener.md index 6721a2d14..3dc9b0bad 100644 --- a/docs/providers/gardener.md +++ b/docs/providers/gardener.md @@ -8,8 +8,8 @@ The `Gardener` provider is capable of accessing a `seed/shoot` environment and r The `Gardener` provider implements the following `rulesets`: - [DISA Kubernetes Security Technical Implementation Guide](../rulesets/disa-k8s-stig/ruleset.md) + - v2r6 - v2r5 - - v2r4 ### Configuration diff --git a/docs/providers/managedk8s.md b/docs/providers/managedk8s.md index 4ba1a7141..82ea7b386 100644 --- a/docs/providers/managedk8s.md +++ b/docs/providers/managedk8s.md @@ -10,8 +10,8 @@ The `Managed Kubernetes` provider is capable of accessing a managed Kubernetes e The `Managed Kubernetes` provider implements the following `rulesets`: - [DISA Kubernetes Security Technical Implementation Guide](../rulesets/disa-k8s-stig/ruleset.md) + - v2r6 - v2r5 - - v2r4 - [Security Hardened Kubernetes Cluster](../rulesets/security-hardened-k8s/ruleset.md) - v0.1.0 diff --git a/docs/providers/virtualgarden.md b/docs/providers/virtualgarden.md index 7c8350094..195c6d766 100644 --- a/docs/providers/virtualgarden.md +++ b/docs/providers/virtualgarden.md @@ -8,8 +8,8 @@ The `Virtual Garden` provider is capable of accessing a `runtime/virtual garden` The `Gardener` provider implements the following `rulesets`: - [DISA Kubernetes Security Technical Implementation Guide](../rulesets/disa-k8s-stig/ruleset.md) + - v2r6 - v2r5 - - v2r4 ### Configuration diff --git a/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go b/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go index cd385d405..08d42a875 100644 --- a/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go 
@@ -32,7 +32,7 @@ var ( _ ruleset.Ruleset = &Ruleset{} // SupportedVersions is a list of available versions for the DISA Kubernetes STIG Ruleset. // Versions are sorted from newest to oldest. - SupportedVersions = []string{"v2r5", "v2r4"} + SupportedVersions = []string{"v2r6", "v2r5"} ) // Ruleset implements DISA Kubernetes STIG. @@ -148,10 +148,10 @@ func ValidateRulesetConfig(rulesetConfig config.RulesetConfig, fldPath *field.Pa r := &Ruleset{} switch rulesetConfig.Version { - case "v2r4": - allErrs = append(allErrs, r.validateV2R4RuleOptions(indexedRuleOptions, fldPath.Child("ruleOptions"))...) case "v2r5": allErrs = append(allErrs, r.validateV2R5RuleOptions(indexedRuleOptions, fldPath.Child("ruleOptions"))...) + case "v2r6": + allErrs = append(allErrs, r.validateV2R6RuleOptions(indexedRuleOptions, fldPath.Child("ruleOptions"))...) default: allErrs = append(allErrs, field.NotSupported(fldPath.Child("version"), rulesetConfig.Version, SupportedVersions)) } @@ -161,10 +161,10 @@ func ValidateRulesetConfig(rulesetConfig config.RulesetConfig, fldPath *field.Pa func (r *Ruleset) registerRules(ruleOptions map[string]config.RuleOptionsConfig) error { switch r.version { - case "v2r4": - return r.registerV2R4Rules(ruleOptions) case "v2r5": return r.registerV2R5Rules(ruleOptions) + case "v2r6": + return r.registerV2R6Rules(ruleOptions) default: return sharedruleset.UnknownVersionError(r.ID(), r.Version(), "gardener") } diff --git a/pkg/provider/gardener/ruleset/disak8sstig/v2r4_ruleset.go b/pkg/provider/gardener/ruleset/disak8sstig/v2r6_ruleset.go similarity index 92% rename from pkg/provider/gardener/ruleset/disak8sstig/v2r4_ruleset.go rename to pkg/provider/gardener/ruleset/disak8sstig/v2r6_ruleset.go index 873362c1a..ffb28dc52 100644 --- a/pkg/provider/gardener/ruleset/disak8sstig/v2r4_ruleset.go +++ b/pkg/provider/gardener/ruleset/disak8sstig/v2r6_ruleset.go 
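Review bot: Dropping `"v2r4"` from SupportedVersions and from both `switch` statements in this file turns any existing config that still pins the v2r4 version into a validation failure, and nothing in the code records that the removal was deliberate. The `default` branch already reports `field.NotSupported` with the new list, which is the right failure mode, but the doc comment on SupportedVersions should say so, e.g. `// v2r4 is no longer supported; configs that still pin it are rejected by ValidateRulesetConfig with NotSupported.` The managedk8s and virtualgarden ruleset.go hunks later in this diff make the identical change and would take the same comment. ValidateRulesetConfig and registerRules both begin before their hunks, so only the version dispatch is visible here.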
@@ -1,4 +1,4 @@ -// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and Gardener contributors +// SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and Gardener contributors // // SPDX-License-Identifier: Apache-2.0 @@ -27,8 +27,8 @@ import ( sharedrules "github.com/gardener/diki/pkg/shared/ruleset/disak8sstig/rules" ) -func validateV2R4Options[O rules.RuleOption](options any, fldPath *field.Path) field.ErrorList { - parsedOptions, err := getV2R4OptionOrNil[O](options) +func validateV2R6Options[O rules.RuleOption](options any, fldPath *field.Path) field.ErrorList { + parsedOptions, err := getV2R6OptionOrNil[O](options) if err != nil { return field.ErrorList{ field.Invalid(fldPath, options, err.Error()), @@ -46,7 +46,7 @@ func validateV2R4Options[O rules.RuleOption](options any, fldPath *field.Path) f return nil } -func parseV2R4Options[O rules.RuleOption](options any) (*O, error) { +func parseV2R6Options[O rules.RuleOption](options any) (*O, error) { optionsByte, err := json.Marshal(options) if err != nil { return nil, err 
@@ -60,33 +60,33 @@ func parseV2R4Options[O rules.RuleOption](options any) (*O, error) { return &parsedOptions, nil } -func getV2R4OptionOrNil[O rules.RuleOption](options any) (*O, error) { +func getV2R6OptionOrNil[O rules.RuleOption](options any) (*O, error) { if options == nil { return nil, nil } - return parseV2R4Options[O](options) + return parseV2R6Options[O](options) } -func (r *Ruleset) validateV2R4RuleOptions(ruleOptions map[string]internalconfig.IndexedRuleOptionsConfig, fldPath *field.Path) field.ErrorList { +func (r *Ruleset) validateV2R6RuleOptions(ruleOptions map[string]internalconfig.IndexedRuleOptionsConfig, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} - allErrs = append(allErrs, validateV2R4Options[sharedrules.Options242390](ruleOptions[sharedrules.ID242390].Args, fldPath.Index(ruleOptions[sharedrules.ID242390].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[rules.Options242400](ruleOptions[sharedrules.ID242400].Args, fldPath.Index(ruleOptions[sharedrules.ID242400].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[disaoption.Options242414](ruleOptions[sharedrules.ID242414].Args, fldPath.Index(ruleOptions[sharedrules.ID242414].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[disaoption.Options242415](ruleOptions[sharedrules.ID242415].Args, fldPath.Index(ruleOptions[sharedrules.ID242415].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[disaoption.Options242442](ruleOptions[sharedrules.ID242442].Args, fldPath.Index(ruleOptions[sharedrules.ID242442].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242445].Args, fldPath.Index(ruleOptions[sharedrules.ID242445].Index).Child("args"))...) 
- allErrs = append(allErrs, validateV2R4Options[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242446].Args, fldPath.Index(ruleOptions[sharedrules.ID242446].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[rules.Options242451](ruleOptions[sharedrules.ID242451].Args, fldPath.Index(ruleOptions[sharedrules.ID242451].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[rules.Options242466](ruleOptions[sharedrules.ID242466].Args, fldPath.Index(ruleOptions[sharedrules.ID242466].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[rules.Options242467](ruleOptions[sharedrules.ID242467].Args, fldPath.Index(ruleOptions[sharedrules.ID242467].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[sharedrules.Options245543](ruleOptions[sharedrules.ID245543].Args, fldPath.Index(ruleOptions[sharedrules.ID245543].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[sharedrules.Options254800](ruleOptions[sharedrules.ID254800].Args, fldPath.Index(ruleOptions[sharedrules.ID254800].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[sharedrules.Options242390](ruleOptions[sharedrules.ID242390].Args, fldPath.Index(ruleOptions[sharedrules.ID242390].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[rules.Options242400](ruleOptions[sharedrules.ID242400].Args, fldPath.Index(ruleOptions[sharedrules.ID242400].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[disaoption.Options242414](ruleOptions[sharedrules.ID242414].Args, fldPath.Index(ruleOptions[sharedrules.ID242414].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[disaoption.Options242415](ruleOptions[sharedrules.ID242415].Args, fldPath.Index(ruleOptions[sharedrules.ID242415].Index).Child("args"))...) 
+ allErrs = append(allErrs, validateV2R6Options[disaoption.Options242442](ruleOptions[sharedrules.ID242442].Args, fldPath.Index(ruleOptions[sharedrules.ID242442].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242445].Args, fldPath.Index(ruleOptions[sharedrules.ID242445].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242446].Args, fldPath.Index(ruleOptions[sharedrules.ID242446].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[rules.Options242451](ruleOptions[sharedrules.ID242451].Args, fldPath.Index(ruleOptions[sharedrules.ID242451].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[rules.Options242466](ruleOptions[sharedrules.ID242466].Args, fldPath.Index(ruleOptions[sharedrules.ID242466].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[rules.Options242467](ruleOptions[sharedrules.ID242467].Args, fldPath.Index(ruleOptions[sharedrules.ID242467].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[sharedrules.Options245543](ruleOptions[sharedrules.ID245543].Args, fldPath.Index(ruleOptions[sharedrules.ID245543].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[sharedrules.Options254800](ruleOptions[sharedrules.ID254800].Args, fldPath.Index(ruleOptions[sharedrules.ID254800].Index).Child("args"))...) return allErrs } -func (r *Ruleset) registerV2R4Rules(ruleOptions map[string]config.RuleOptionsConfig) error { // TODO: add to FromGenericConfig +func (r *Ruleset) registerV2R6Rules(ruleOptions map[string]config.RuleOptionsConfig) error { // TODO: add to FromGenericConfig shootClient, err := client.New(r.ShootConfig, client.Options{Scheme: kubernetesgardener.ShootScheme}) if err != nil { return err 
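Review bot: The trailing `// TODO: add to FromGenericConfig` on the new `registerV2R6Rules` signature is carried over verbatim from v2r4, so the new revision starts life with a stale TODO that nobody re-evaluated; either resolve it in this change or rewrite it to name the concrete gap, presumably something like `// TODO: v2r6 is not yet reachable via FromGenericConfig` if that is still the case, and drop it otherwise. The same copied TODO appears on the managedk8s `registerV2R6Rules` signature in the @@ -49 hunk of that file. Separately, git presents v2r6_ruleset.go as a 92%-similar rename of v2r4_ruleset.go (89% and 94% for the managedk8s and virtualgarden files), so the new revision's content base is v2r4 rather than v2r5; if v2r5 diverged from v2r4 in anything beyond identifier names, it is not visible in this diff whether those differences made it into v2r6 and that should be checked. registerV2R6Rules continues past the end of the hunk.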
@@ -112,51 +112,51 @@ func (r *Ruleset) registerV2R4Rules(ruleOptions map[string]config.RuleOptionsCon return err } - opts242390, err := getV2R4OptionOrNil[sharedrules.Options242390](ruleOptions[sharedrules.ID242390].Args) + opts242390, err := getV2R6OptionOrNil[sharedrules.Options242390](ruleOptions[sharedrules.ID242390].Args) if err != nil { return fmt.Errorf("rule option 242390 error: %s", err.Error()) } - opts242400, err := getV2R4OptionOrNil[rules.Options242400](ruleOptions[sharedrules.ID242400].Args) + opts242400, err := getV2R6OptionOrNil[rules.Options242400](ruleOptions[sharedrules.ID242400].Args) if err != nil { return fmt.Errorf("rule option 242400 error: %s", err.Error()) } - opts242414, err := getV2R4OptionOrNil[disaoption.Options242414](ruleOptions[sharedrules.ID242414].Args) + opts242414, err := getV2R6OptionOrNil[disaoption.Options242414](ruleOptions[sharedrules.ID242414].Args) if err != nil { return fmt.Errorf("rule option 242414 error: %s", err.Error()) } - opts242415, err := getV2R4OptionOrNil[disaoption.Options242415](ruleOptions[sharedrules.ID242415].Args) + opts242415, err := getV2R6OptionOrNil[disaoption.Options242415](ruleOptions[sharedrules.ID242415].Args) if err != nil { return fmt.Errorf("rule option 242415 error: %s", err.Error()) } - opts242442, err := getV2R4OptionOrNil[disaoption.Options242442](ruleOptions[sharedrules.ID242442].Args) + opts242442, err := getV2R6OptionOrNil[disaoption.Options242442](ruleOptions[sharedrules.ID242442].Args) if err != nil { return fmt.Errorf("rule option 242442 error: %s", err.Error()) } - opts242445, err := getV2R4OptionOrNil[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242445].Args) + opts242445, err := getV2R6OptionOrNil[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242445].Args) if err != nil { return fmt.Errorf("rule option 242445 error: %s", err.Error()) } - opts242446, err := getV2R4OptionOrNil[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242446].Args) + opts242446, err 
:= getV2R6OptionOrNil[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242446].Args) if err != nil { return fmt.Errorf("rule option 242446 error: %s", err.Error()) } - opts242451, err := getV2R4OptionOrNil[rules.Options242451](ruleOptions[sharedrules.ID242451].Args) + opts242451, err := getV2R6OptionOrNil[rules.Options242451](ruleOptions[sharedrules.ID242451].Args) if err != nil { return fmt.Errorf("rule option 242451 error: %s", err.Error()) } - opts242466, err := getV2R4OptionOrNil[rules.Options242466](ruleOptions[sharedrules.ID242466].Args) + opts242466, err := getV2R6OptionOrNil[rules.Options242466](ruleOptions[sharedrules.ID242466].Args) if err != nil { return fmt.Errorf("rule option 242466 error: %s", err.Error()) } - opts242467, err := getV2R4OptionOrNil[rules.Options242467](ruleOptions[sharedrules.ID242467].Args) + opts242467, err := getV2R6OptionOrNil[rules.Options242467](ruleOptions[sharedrules.ID242467].Args) if err != nil { return fmt.Errorf("rule option 242467 error: %s", err.Error()) } - opts245543, err := getV2R4OptionOrNil[sharedrules.Options245543](ruleOptions[sharedrules.ID245543].Args) + opts245543, err := getV2R6OptionOrNil[sharedrules.Options245543](ruleOptions[sharedrules.ID245543].Args) if err != nil { return fmt.Errorf("rule option 245543 error: %s", err.Error()) } - opts254800, err := getV2R4OptionOrNil[sharedrules.Options254800](ruleOptions[sharedrules.ID254800].Args) + opts254800, err := getV2R6OptionOrNil[sharedrules.Options254800](ruleOptions[sharedrules.ID254800].Args) if err != nil { return fmt.Errorf("rule option 254800 error: %s", err.Error()) } 
@@ -205,12 +205,10 @@ func (r *Ruleset) registerV2R4Rules(ruleOptions map[string]config.RuleOptionsCon rule.Skipped, rule.SkipRuleWithSeverity(rule.SeverityMedium), ), - &sharedrules.Rule242386{Client: seedClient, Namespace: r.shootNamespace}, &sharedrules.Rule242387{ Client: shootClient, V1RESTClient: shootClientSet.CoreV1().RESTClient(), }, - &sharedrules.Rule242388{Client: seedClient, Namespace: r.shootNamespace}, &sharedrules.Rule242389{Client: seedClient, Namespace: r.shootNamespace}, &sharedrules.Rule242390{Client: seedClient, Namespace: r.shootNamespace, Options: opts242390}, &sharedrules.Rule242391{ @@ -735,8 +733,8 @@ func (r *Ruleset) registerV2R4Rules(ruleOptions map[string]config.RuleOptionsCon // check that the registered rules equal // the number of rules in that ruleset version - if len(rules) != 94 { - return fmt.Errorf("revision expects 94 registered rules, but got: %d", len(rules)) + if len(rules) != 92 { + return fmt.Errorf("revision expects 92 registered rules, but got: %d", len(rules)) } return r.AddRules(rules...) diff --git a/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go b/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go index 3b59441eb..89227cd14 100644 --- a/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go @@ -32,7 +32,7 @@ var ( _ ruleset.Ruleset = &Ruleset{} // SupportedVersions is a list of available versions for the DISA Kubernetes STIG Ruleset. // Versions are sorted from newest to oldest. - SupportedVersions = []string{"v2r5", "v2r4"} + SupportedVersions = []string{"v2r6", "v2r5"} ) // Ruleset implements DISA Kubernetes STIG. 
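Review bot: The count check now expects 92 rules because `&sharedrules.Rule242386{...}` and `&sharedrules.Rule242388{...}` are deleted from the registered list in the hunk just above, but neither hunk says why, and unlike a skipped rule a rule that is never registered leaves no trace in a v2r6 report. A comment at the check would make the drop auditable, e.g. `// 92 rules: v2r6 no longer carries 242386 (insecure port) and 242388 (insecure bind address)`, and it is worth confirming against the V2R6 revision that these two controls were retired rather than renumbered. The literal 92 is also duplicated in the error message; a `const v2r6RuleCount = 92` used in both `if len(rules) != v2r6RuleCount {` and `fmt.Errorf("revision expects %d registered rules, but got: %d", v2r6RuleCount, len(rules))` keeps the two from drifting apart. The managedk8s hunks at @@ -281 and @@ -933 make the same removal and count change and would take the same comment. registerV2R6Rules starts well before both hunks.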
@@ -144,10 +144,10 @@ func ValidateRulesetConfig(rulesetConfig config.RulesetConfig, fldPath *field.Pa r := &Ruleset{} switch rulesetConfig.Version { - case "v2r4": - allErrs = append(allErrs, r.validateV2R4RuleOptions(indexedRuleOptions, fldPath.Child("ruleOptions"))...) case "v2r5": allErrs = append(allErrs, r.validateV2R5RuleOptions(indexedRuleOptions, fldPath.Child("ruleOptions"))...) + case "v2r6": + allErrs = append(allErrs, r.validateV2R6RuleOptions(indexedRuleOptions, fldPath.Child("ruleOptions"))...) default: allErrs = append(allErrs, field.NotSupported(fldPath.Child("version"), rulesetConfig.Version, SupportedVersions)) } @@ -157,10 +157,10 @@ func ValidateRulesetConfig(rulesetConfig config.RulesetConfig, fldPath *field.Pa func (r *Ruleset) registerRules(ruleOptions map[string]config.RuleOptionsConfig) error { switch r.version { - case "v2r4": - return r.registerV2R4Rules(ruleOptions) case "v2r5": return r.registerV2R5Rules(ruleOptions) + case "v2r6": + return r.registerV2R6Rules(ruleOptions) default: return sharedruleset.UnknownVersionError(r.ID(), r.Version(), "managedk8s") } diff --git a/pkg/provider/managedk8s/ruleset/disak8sstig/v2r4_ruleset.go b/pkg/provider/managedk8s/ruleset/disak8sstig/v2r6_ruleset.go similarity index 89% rename from pkg/provider/managedk8s/ruleset/disak8sstig/v2r4_ruleset.go rename to pkg/provider/managedk8s/ruleset/disak8sstig/v2r6_ruleset.go index f43263c49..c271d6535 100644 --- a/pkg/provider/managedk8s/ruleset/disak8sstig/v2r4_ruleset.go +++ b/pkg/provider/managedk8s/ruleset/disak8sstig/v2r6_ruleset.go @@ -1,4 +1,4 @@ -// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and Gardener contributors +// SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and Gardener contributors // // SPDX-License-Identifier: Apache-2.0 
@@ -30,8 +30,8 @@ import ( sharedrules "github.com/gardener/diki/pkg/shared/ruleset/disak8sstig/rules" ) -func validateV2R4Options[O rules.RuleOption](options any, fldPath *field.Path) field.ErrorList { - parsedOptions, err := getV2R4OptionOrNil[O](options) +func validateV2R6Options[O rules.RuleOption](options any, fldPath *field.Path) field.ErrorList { + parsedOptions, err := getV2R6OptionOrNil[O](options) if err != nil { return field.ErrorList{ field.Invalid(fldPath, options, err.Error()), 
@@ -49,35 +49,35 @@ func validateV2R4Options[O rules.RuleOption](options any, fldPath *field.Path) f return nil } -func (r *Ruleset) validateV2R4RuleOptions(ruleOptions map[string]internalconfig.IndexedRuleOptionsConfig, fldPath *field.Path) field.ErrorList { +func (r *Ruleset) validateV2R6RuleOptions(ruleOptions map[string]internalconfig.IndexedRuleOptionsConfig, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} - allErrs = append(allErrs, validateV2R4Options[sharedrules.Options242383](ruleOptions[sharedrules.ID242383].Args, fldPath.Index(ruleOptions[sharedrules.ID242383].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[sharedrules.Options242393](ruleOptions[sharedrules.ID242393].Args, fldPath.Index(ruleOptions[sharedrules.ID242393].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[sharedrules.Options242394](ruleOptions[sharedrules.ID242394].Args, fldPath.Index(ruleOptions[sharedrules.ID242394].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[sharedrules.Options242396](ruleOptions[sharedrules.ID242396].Args, fldPath.Index(ruleOptions[sharedrules.ID242396].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[rules.Options242400](ruleOptions[sharedrules.ID242400].Args, fldPath.Index(ruleOptions[sharedrules.ID242400].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[sharedrules.Options242404](ruleOptions[sharedrules.ID242404].Args, fldPath.Index(ruleOptions[sharedrules.ID242404].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[sharedrules.Options242406](ruleOptions[sharedrules.ID242406].Args, fldPath.Index(ruleOptions[sharedrules.ID242406].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[sharedrules.Options242407](ruleOptions[sharedrules.ID242407].Args, fldPath.Index(ruleOptions[sharedrules.ID242407].Index).Child("args"))...) 
- allErrs = append(allErrs, validateV2R4Options[disaoption.Options242414](ruleOptions[sharedrules.ID242414].Args, fldPath.Index(ruleOptions[sharedrules.ID242414].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[disaoption.Options242415](ruleOptions[sharedrules.ID242415].Args, fldPath.Index(ruleOptions[sharedrules.ID242415].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[sharedrules.Options242417](ruleOptions[sharedrules.ID242417].Args, fldPath.Index(ruleOptions[sharedrules.ID242417].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[rules.Options242442](ruleOptions[sharedrules.ID242442].Args, fldPath.Index(ruleOptions[sharedrules.ID242442].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[option.ClusterObjectSelector](ruleOptions[sharedrules.ID242447].Args, fldPath.Index(ruleOptions[sharedrules.ID242447].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[sharedrules.Options242448](ruleOptions[sharedrules.ID242448].Args, fldPath.Index(ruleOptions[sharedrules.ID242448].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[sharedrules.Options242449](ruleOptions[sharedrules.ID242449].Args, fldPath.Index(ruleOptions[sharedrules.ID242449].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[sharedrules.Options242450](ruleOptions[sharedrules.ID242450].Args, fldPath.Index(ruleOptions[sharedrules.ID242450].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[rules.Options242451](ruleOptions[sharedrules.ID242451].Args, fldPath.Index(ruleOptions[sharedrules.ID242451].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[sharedrules.Options242452](ruleOptions[sharedrules.ID242452].Args, fldPath.Index(ruleOptions[sharedrules.ID242452].Index).Child("args"))...) 
- allErrs = append(allErrs, validateV2R4Options[sharedrules.Options242453](ruleOptions[sharedrules.ID242453].Args, fldPath.Index(ruleOptions[sharedrules.ID242453].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[rules.Options242466](ruleOptions[sharedrules.ID242466].Args, fldPath.Index(ruleOptions[sharedrules.ID242466].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R4Options[rules.Options242467](ruleOptions[sharedrules.ID242467].Args, fldPath.Index(ruleOptions[sharedrules.ID242467].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[sharedrules.Options242383](ruleOptions[sharedrules.ID242383].Args, fldPath.Index(ruleOptions[sharedrules.ID242383].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[sharedrules.Options242393](ruleOptions[sharedrules.ID242393].Args, fldPath.Index(ruleOptions[sharedrules.ID242393].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[sharedrules.Options242394](ruleOptions[sharedrules.ID242394].Args, fldPath.Index(ruleOptions[sharedrules.ID242394].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[sharedrules.Options242396](ruleOptions[sharedrules.ID242396].Args, fldPath.Index(ruleOptions[sharedrules.ID242396].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[rules.Options242400](ruleOptions[sharedrules.ID242400].Args, fldPath.Index(ruleOptions[sharedrules.ID242400].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[sharedrules.Options242404](ruleOptions[sharedrules.ID242404].Args, fldPath.Index(ruleOptions[sharedrules.ID242404].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[sharedrules.Options242406](ruleOptions[sharedrules.ID242406].Args, fldPath.Index(ruleOptions[sharedrules.ID242406].Index).Child("args"))...) 
+ allErrs = append(allErrs, validateV2R6Options[sharedrules.Options242407](ruleOptions[sharedrules.ID242407].Args, fldPath.Index(ruleOptions[sharedrules.ID242407].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[disaoption.Options242414](ruleOptions[sharedrules.ID242414].Args, fldPath.Index(ruleOptions[sharedrules.ID242414].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[disaoption.Options242415](ruleOptions[sharedrules.ID242415].Args, fldPath.Index(ruleOptions[sharedrules.ID242415].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[sharedrules.Options242417](ruleOptions[sharedrules.ID242417].Args, fldPath.Index(ruleOptions[sharedrules.ID242417].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[rules.Options242442](ruleOptions[sharedrules.ID242442].Args, fldPath.Index(ruleOptions[sharedrules.ID242442].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[option.ClusterObjectSelector](ruleOptions[sharedrules.ID242447].Args, fldPath.Index(ruleOptions[sharedrules.ID242447].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[sharedrules.Options242448](ruleOptions[sharedrules.ID242448].Args, fldPath.Index(ruleOptions[sharedrules.ID242448].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[sharedrules.Options242449](ruleOptions[sharedrules.ID242449].Args, fldPath.Index(ruleOptions[sharedrules.ID242449].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[sharedrules.Options242450](ruleOptions[sharedrules.ID242450].Args, fldPath.Index(ruleOptions[sharedrules.ID242450].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[rules.Options242451](ruleOptions[sharedrules.ID242451].Args, fldPath.Index(ruleOptions[sharedrules.ID242451].Index).Child("args"))...) 
+ allErrs = append(allErrs, validateV2R6Options[sharedrules.Options242452](ruleOptions[sharedrules.ID242452].Args, fldPath.Index(ruleOptions[sharedrules.ID242452].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[sharedrules.Options242453](ruleOptions[sharedrules.ID242453].Args, fldPath.Index(ruleOptions[sharedrules.ID242453].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[rules.Options242466](ruleOptions[sharedrules.ID242466].Args, fldPath.Index(ruleOptions[sharedrules.ID242466].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R6Options[rules.Options242467](ruleOptions[sharedrules.ID242467].Args, fldPath.Index(ruleOptions[sharedrules.ID242467].Index).Child("args"))...) return allErrs } -func (r *Ruleset) registerV2R4Rules(ruleOptions map[string]config.RuleOptionsConfig) error { // TODO: add to FromGenericConfig +func (r *Ruleset) registerV2R6Rules(ruleOptions map[string]config.RuleOptionsConfig) error { // TODO: add to FromGenericConfig client, err := client.New(r.Config, client.Options{}) if err != nil { return err 
@@ -114,87 +114,87 @@ func (r *Ruleset) registerV2R4Rules(ruleOptions map[string]config.RuleOptionsCon authorityCertPool = nil } - opts242383, err := getV2R4OptionOrNil[sharedrules.Options242383](ruleOptions[sharedrules.ID242383].Args) + opts242383, err := getV2R6OptionOrNil[sharedrules.Options242383](ruleOptions[sharedrules.ID242383].Args) if err != nil { return fmt.Errorf("rule option 242383 error: %s", err.Error()) } - opts242393, err := getV2R4OptionOrNil[sharedrules.Options242393](ruleOptions[sharedrules.ID242393].Args) + opts242393, err := getV2R6OptionOrNil[sharedrules.Options242393](ruleOptions[sharedrules.ID242393].Args) if err != nil { return fmt.Errorf("rule option 242393 error: %s", err.Error()) } - opts242394, err := getV2R4OptionOrNil[sharedrules.Options242394](ruleOptions[sharedrules.ID242394].Args) + opts242394, err := getV2R6OptionOrNil[sharedrules.Options242394](ruleOptions[sharedrules.ID242394].Args) if err != nil { return fmt.Errorf("rule option 242394 error: %s", err.Error()) } - opts242396, err := getV2R4OptionOrNil[sharedrules.Options242396](ruleOptions[sharedrules.ID242396].Args) + opts242396, err := getV2R6OptionOrNil[sharedrules.Options242396](ruleOptions[sharedrules.ID242396].Args) if err != nil { return fmt.Errorf("rule option 242396 error: %s", err.Error()) } - opts242400, err := getV2R4OptionOrNil[rules.Options242400](ruleOptions[sharedrules.ID242400].Args) + opts242400, err := getV2R6OptionOrNil[rules.Options242400](ruleOptions[sharedrules.ID242400].Args) if err != nil { return fmt.Errorf("rule option 242400 error: %s", err.Error()) } - opts242404, err := getV2R4OptionOrNil[sharedrules.Options242404](ruleOptions[sharedrules.ID242404].Args) + opts242404, err := getV2R6OptionOrNil[sharedrules.Options242404](ruleOptions[sharedrules.ID242404].Args) if err != nil { return fmt.Errorf("rule option 242404 error: %s", err.Error()) } - opts242406, err := getV2R4OptionOrNil[sharedrules.Options242406](ruleOptions[sharedrules.ID242406].Args) + 
opts242406, err := getV2R6OptionOrNil[sharedrules.Options242406](ruleOptions[sharedrules.ID242406].Args) if err != nil { return fmt.Errorf("rule option 242406 error: %s", err.Error()) } - opts242407, err := getV2R4OptionOrNil[sharedrules.Options242407](ruleOptions[sharedrules.ID242407].Args) + opts242407, err := getV2R6OptionOrNil[sharedrules.Options242407](ruleOptions[sharedrules.ID242407].Args) if err != nil { return fmt.Errorf("rule option 242407 error: %s", err.Error()) } - opts242414, err := getV2R4OptionOrNil[disaoption.Options242414](ruleOptions[sharedrules.ID242414].Args) + opts242414, err := getV2R6OptionOrNil[disaoption.Options242414](ruleOptions[sharedrules.ID242414].Args) if err != nil { return fmt.Errorf("rule option 242414 error: %s", err.Error()) } - opts242415, err := getV2R4OptionOrNil[disaoption.Options242415](ruleOptions[sharedrules.ID242415].Args) + opts242415, err := getV2R6OptionOrNil[disaoption.Options242415](ruleOptions[sharedrules.ID242415].Args) if err != nil { return fmt.Errorf("rule option 242415 error: %s", err.Error()) } - opts242417, err := getV2R4OptionOrNil[sharedrules.Options242417](ruleOptions[sharedrules.ID242417].Args) + opts242417, err := getV2R6OptionOrNil[sharedrules.Options242417](ruleOptions[sharedrules.ID242417].Args) if err != nil { return fmt.Errorf("rule option 242417 error: %s", err.Error()) } - opts242442, err := getV2R4OptionOrNil[rules.Options242442](ruleOptions[sharedrules.ID242442].Args) + opts242442, err := getV2R6OptionOrNil[rules.Options242442](ruleOptions[sharedrules.ID242442].Args) if err != nil { return fmt.Errorf("rule option 242442 error: %s", err.Error()) } - opts242447, err := getV2R4OptionOrNil[option.ClusterObjectSelector](ruleOptions[sharedrules.ID242447].Args) + opts242447, err := getV2R6OptionOrNil[option.ClusterObjectSelector](ruleOptions[sharedrules.ID242447].Args) if err != nil { return fmt.Errorf("rule option 242447 error: %s", err.Error()) } - opts242448, err := 
getV2R4OptionOrNil[sharedrules.Options242448](ruleOptions[sharedrules.ID242448].Args) + opts242448, err := getV2R6OptionOrNil[sharedrules.Options242448](ruleOptions[sharedrules.ID242448].Args) if err != nil { return fmt.Errorf("rule option 242448 error: %s", err.Error()) } - opts242449, err := getV2R4OptionOrNil[sharedrules.Options242449](ruleOptions[sharedrules.ID242449].Args) + opts242449, err := getV2R6OptionOrNil[sharedrules.Options242449](ruleOptions[sharedrules.ID242449].Args) if err != nil { return fmt.Errorf("rule option 242449 error: %s", err.Error()) } - opts242450, err := getV2R4OptionOrNil[sharedrules.Options242450](ruleOptions[sharedrules.ID242450].Args) + opts242450, err := getV2R6OptionOrNil[sharedrules.Options242450](ruleOptions[sharedrules.ID242450].Args) if err != nil { return fmt.Errorf("rule option 242450 error: %s", err.Error()) } - opts242451, err := getV2R4OptionOrNil[rules.Options242451](ruleOptions[sharedrules.ID242451].Args) + opts242451, err := getV2R6OptionOrNil[rules.Options242451](ruleOptions[sharedrules.ID242451].Args) if err != nil { return fmt.Errorf("rule option 242451 error: %s", err.Error()) } - opts242452, err := getV2R4OptionOrNil[sharedrules.Options242452](ruleOptions[sharedrules.ID242452].Args) + opts242452, err := getV2R6OptionOrNil[sharedrules.Options242452](ruleOptions[sharedrules.ID242452].Args) if err != nil { return fmt.Errorf("rule option 242452 error: %s", err.Error()) } - opts242453, err := getV2R4OptionOrNil[sharedrules.Options242453](ruleOptions[sharedrules.ID242453].Args) + opts242453, err := getV2R6OptionOrNil[sharedrules.Options242453](ruleOptions[sharedrules.ID242453].Args) if err != nil { return fmt.Errorf("rule option 242453 error: %s", err.Error()) } - opts242466, err := getV2R4OptionOrNil[rules.Options242466](ruleOptions[sharedrules.ID242466].Args) + opts242466, err := getV2R6OptionOrNil[rules.Options242466](ruleOptions[sharedrules.ID242466].Args) if err != nil { return fmt.Errorf("rule option 242466 error: 
%s", err.Error()) } - opts242467, err := getV2R4OptionOrNil[rules.Options242467](ruleOptions[sharedrules.ID242467].Args) + opts242467, err := getV2R6OptionOrNil[rules.Options242467](ruleOptions[sharedrules.ID242467].Args) if err != nil { return fmt.Errorf("rule option 242467 error: %s", err.Error()) } @@ -281,24 +281,10 @@ func (r *Ruleset) registerV2R4Rules(ruleOptions map[string]config.RuleOptionsCon rule.Skipped, rule.SkipRuleWithSeverity(rule.SeverityMedium), ), - rule.NewSkipRule( - sharedrules.ID242386, - "The Kubernetes API server must have the insecure port flag disabled.", - noControlPlaneMsg, - rule.Skipped, - rule.SkipRuleWithSeverity(rule.SeverityHigh), - ), &sharedrules.Rule242387{ Client: client, V1RESTClient: clientSet.CoreV1().RESTClient(), }, - rule.NewSkipRule( - sharedrules.ID242388, - "The Kubernetes API server must have the insecure bind address not set.", - noControlPlaneMsg, - rule.Skipped, - rule.SkipRuleWithSeverity(rule.SeverityHigh), - ), rule.NewSkipRule( sharedrules.ID242389, "The Kubernetes API server must have the secure port set.", @@ -933,14 +919,14 @@ func (r *Ruleset) registerV2R4Rules(ruleOptions map[string]config.RuleOptionsCon // check that the registered rules equal // the number of rules in that ruleset version - if len(rules) != 94 { - return fmt.Errorf("revision expects 94 registered rules, but got: %d", len(rules)) + if len(rules) != 92 { + return fmt.Errorf("revision expects 92 registered rules, but got: %d", len(rules)) } return r.AddRules(rules...) } -func parseV2R4Options[O rules.RuleOption](options any) (*O, error) { +func parseV2R6Options[O rules.RuleOption](options any) (*O, error) { optionsByte, err := json.Marshal(options) if err != nil { return nil, err 
@@ -954,9 +940,9 @@ func parseV2R4Options[O rules.RuleOption](options any) (*O, error) {
 return &parsedOptions, nil
 }
 
-func getV2R4OptionOrNil[O rules.RuleOption](options any) (*O, error) {
+func getV2R6OptionOrNil[O rules.RuleOption](options any) (*O, error) {
 if options == nil {
 return nil, nil
 }
- return parseV2R4Options[O](options)
+ return parseV2R6Options[O](options)
 }
diff --git a/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go b/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go
index 23f6c2866..a591768d0 100644
--- a/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go
+++ b/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go
@@ -32,7 +32,7 @@ var (
 _ ruleset.Ruleset = &Ruleset{}
 // SupportedVersions is a list of available versions for the DISA Kubernetes STIG Ruleset.
 // Versions are sorted from newest to oldest.
- SupportedVersions = []string{"v2r5", "v2r4"}
+ SupportedVersions = []string{"v2r6", "v2r5"}
 )
 
 // Ruleset implements DISA Kubernetes STIG.
@@ -144,10 +144,10 @@ func ValidateRulesetConfig(rulesetConfig config.RulesetConfig, fldPath *field.Pa
 r := &Ruleset{}
 
 switch rulesetConfig.Version {
- case "v2r4":
- allErrs = append(allErrs, r.validateV2R4RuleOptions(indexedRuleOptions, fldPath.Child("ruleOptions"))...)
 case "v2r5":
 allErrs = append(allErrs, r.validateV2R5RuleOptions(indexedRuleOptions, fldPath.Child("ruleOptions"))...)
+ case "v2r6":
+ allErrs = append(allErrs, r.validateV2R6RuleOptions(indexedRuleOptions, fldPath.Child("ruleOptions"))...)
 default:
 allErrs = append(allErrs, field.NotSupported(fldPath.Child("version"), rulesetConfig.Version, SupportedVersions))
 }
@@ -157,10 +157,10 @@ func ValidateRulesetConfig(rulesetConfig config.RulesetConfig, fldPath *field.Pa
 
 func (r *Ruleset) registerRules(ruleOptions map[string]config.RuleOptionsConfig) error {
 switch r.version {
- case "v2r4":
- return r.registerV2R4Rules(ruleOptions)
 case "v2r5":
 return r.registerV2R5Rules(ruleOptions)
+ case "v2r6":
+ return r.registerV2R6Rules(ruleOptions)
 default:
 return sharedruleset.UnknownVersionError(r.ID(), r.Version(), "virtualgarden")
 }
diff --git a/pkg/provider/virtualgarden/ruleset/disak8sstig/v2r4_ruleset.go b/pkg/provider/virtualgarden/ruleset/disak8sstig/v2r6_ruleset.go
similarity index 94%
rename from pkg/provider/virtualgarden/ruleset/disak8sstig/v2r4_ruleset.go
rename to pkg/provider/virtualgarden/ruleset/disak8sstig/v2r6_ruleset.go
index ee2253b45..c03ee6ece 100644
--- a/pkg/provider/virtualgarden/ruleset/disak8sstig/v2r4_ruleset.go
+++ b/pkg/provider/virtualgarden/ruleset/disak8sstig/v2r6_ruleset.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and Gardener contributors
+// SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and Gardener contributors
 //
 // SPDX-License-Identifier: Apache-2.0
 
@@ -24,8 +24,8 @@ import (
 sharedrules "github.com/gardener/diki/pkg/shared/ruleset/disak8sstig/rules"
 )
 
-func validateV2R4Options[O rules.RuleOption](options any, fldPath *field.Path) field.ErrorList {
- parsedOptions, err := getV2R4OptionOrNil[O](options)
+func validateV2R6Options[O rules.RuleOption](options any, fldPath *field.Path) field.ErrorList {
+ parsedOptions, err := getV2R6OptionOrNil[O](options)
 if err != nil {
 return field.ErrorList{
 field.Invalid(fldPath, options, err.Error()),
@@ -43,20 +43,20 @@ func validateV2R4Options[O rules.RuleOption](options any, fldPath *field.Path) f
 return nil
 }
 
-func (r *Ruleset) validateV2R4RuleOptions(ruleOptions map[string]internalconfig.IndexedRuleOptionsConfig, fldPath *field.Path) field.ErrorList {
+func (r *Ruleset) validateV2R6RuleOptions(ruleOptions map[string]internalconfig.IndexedRuleOptionsConfig, fldPath *field.Path) field.ErrorList {
 allErrs := field.ErrorList{}
 
- allErrs = append(allErrs, validateV2R4Options[sharedrules.Options242390](ruleOptions[sharedrules.ID242390].Args, fldPath.Index(ruleOptions[sharedrules.ID242390].Index).Child("args"))...)
- allErrs = append(allErrs, validateV2R4Options[disaoption.Options242442](ruleOptions[sharedrules.ID242442].Args, fldPath.Index(ruleOptions[sharedrules.ID242442].Index).Child("args"))...)
- allErrs = append(allErrs, validateV2R4Options[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242445].Args, fldPath.Index(ruleOptions[sharedrules.ID242445].Index).Child("args"))...)
- allErrs = append(allErrs, validateV2R4Options[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242446].Args, fldPath.Index(ruleOptions[sharedrules.ID242446].Index).Child("args"))...)
- allErrs = append(allErrs, validateV2R4Options[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242451].Args, fldPath.Index(ruleOptions[sharedrules.ID242451].Index).Child("args"))...)
- allErrs = append(allErrs, validateV2R4Options[sharedrules.Options245543](ruleOptions[sharedrules.ID245543].Args, fldPath.Index(ruleOptions[sharedrules.ID245543].Index).Child("args"))...)
+ allErrs = append(allErrs, validateV2R6Options[sharedrules.Options242390](ruleOptions[sharedrules.ID242390].Args, fldPath.Index(ruleOptions[sharedrules.ID242390].Index).Child("args"))...)
+ allErrs = append(allErrs, validateV2R6Options[disaoption.Options242442](ruleOptions[sharedrules.ID242442].Args, fldPath.Index(ruleOptions[sharedrules.ID242442].Index).Child("args"))...)
+ allErrs = append(allErrs, validateV2R6Options[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242445].Args, fldPath.Index(ruleOptions[sharedrules.ID242445].Index).Child("args"))...)
+ allErrs = append(allErrs, validateV2R6Options[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242446].Args, fldPath.Index(ruleOptions[sharedrules.ID242446].Index).Child("args"))...)
+ allErrs = append(allErrs, validateV2R6Options[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242451].Args, fldPath.Index(ruleOptions[sharedrules.ID242451].Index).Child("args"))...)
+ allErrs = append(allErrs, validateV2R6Options[sharedrules.Options245543](ruleOptions[sharedrules.ID245543].Args, fldPath.Index(ruleOptions[sharedrules.ID245543].Index).Child("args"))...)
 
 return allErrs
 }
 
-func (r *Ruleset) registerV2R4Rules(ruleOptions map[string]config.RuleOptionsConfig) error { // TODO: add to FromGenericConfig
+func (r *Ruleset) registerV2R6Rules(ruleOptions map[string]config.RuleOptionsConfig) error { // TODO: add to FromGenericConfig
 runtimeClient, err := client.New(r.RuntimeConfig, client.Options{})
 if err != nil {
 return err
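Review bot: The trailing `// TODO: add to FromGenericConfig` on the new `registerV2R6Rules` signature is carried over verbatim from the v2r4 function, so the new revision ships with the same unresolved TODO and no owner or issue reference. If it still applies, anchor it to something trackable, e.g. `// TODO(<owner>): wire registerV2R6Rules into FromGenericConfig, see <tracking-issue>` (placeholders, fill in from the project tracker); if it no longer applies, drop it rather than propagate it to the next revision. The body of `registerV2R6Rules` continues outside this hunk.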
@@ -66,27 +66,27 @@ func (r *Ruleset) registerV2R4Rules(ruleOptions map[string]config.RuleOptionsCon
 if err != nil {
 return err
 }
- opts242390, err := getV2R4OptionOrNil[sharedrules.Options242390](ruleOptions[sharedrules.ID242390].Args)
+ opts242390, err := getV2R6OptionOrNil[sharedrules.Options242390](ruleOptions[sharedrules.ID242390].Args)
 if err != nil {
 return fmt.Errorf("rule option 242390 error: %s", err.Error())
 }
- opts242442, err := getV2R4OptionOrNil[disaoption.Options242442](ruleOptions[sharedrules.ID242442].Args)
+ opts242442, err := getV2R6OptionOrNil[disaoption.Options242442](ruleOptions[sharedrules.ID242442].Args)
 if err != nil {
 return fmt.Errorf("rule option 242442 error: %s", err.Error())
 }
- opts242445, err := getV2R4OptionOrNil[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242445].Args)
+ opts242445, err := getV2R6OptionOrNil[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242445].Args)
 if err != nil {
 return fmt.Errorf("rule option 242445 error: %s", err.Error())
 }
- opts242446, err := getV2R4OptionOrNil[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242446].Args)
+ opts242446, err := getV2R6OptionOrNil[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242446].Args)
 if err != nil {
 return fmt.Errorf("rule option 242446 error: %s", err.Error())
 }
- opts242451, err := getV2R4OptionOrNil[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242451].Args)
+ opts242451, err := getV2R6OptionOrNil[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242451].Args)
 if err != nil {
 return fmt.Errorf("rule option 242451 error: %s", err.Error())
 }
- opts245543, err := getV2R4OptionOrNil[sharedrules.Options245543](ruleOptions[sharedrules.ID245543].Args)
+ opts245543, err := getV2R6OptionOrNil[sharedrules.Options245543](ruleOptions[sharedrules.ID245543].Args)
 if err != nil {
 return fmt.Errorf("rule option 245543 error: %s", err.Error())
 }
@@ -176,12 +176,6 @@ func (r *Ruleset) registerV2R4Rules(ruleOptions map[string]config.RuleOptionsCon
 rule.Skipped,
 rule.SkipRuleWithSeverity(rule.SeverityMedium),
 ),
- &sharedrules.Rule242386{
- Client: runtimeClient,
- Namespace: ns,
- DeploymentName: apiserverDeploymentName,
- ContainerName: apiserverContainerName,
- },
 rule.NewSkipRule(
 sharedrules.ID242387,
 "The Kubernetes Kubelet must have the read-only port flag disabled.",
@@ -189,12 +183,6 @@ func (r *Ruleset) registerV2R4Rules(ruleOptions map[string]config.RuleOptionsCon
 rule.Skipped,
 rule.SkipRuleWithSeverity(rule.SeverityHigh),
 ),
- &sharedrules.Rule242388{
- Client: runtimeClient,
- Namespace: ns,
- DeploymentName: apiserverDeploymentName,
- ContainerName: apiserverContainerName,
- },
 &sharedrules.Rule242389{
 Client: runtimeClient,
 Namespace: ns,
@@ -795,14 +783,14 @@ func (r *Ruleset) registerV2R4Rules(ruleOptions map[string]config.RuleOptionsCon
 // check that the registered rules equal
 // the number of rules in that ruleset version
- if len(rules) != 94 {
- return fmt.Errorf("revision expects 94 registered rules, but got: %d", len(rules))
+ if len(rules) != 92 {
+ return fmt.Errorf("revision expects 92 registered rules, but got: %d", len(rules))
 }
 
 return r.AddRules(rules...)
 }
 
-func parseV2R4Options[O rules.RuleOption](options any) (*O, error) {
+func parseV2R6Options[O rules.RuleOption](options any) (*O, error) {
 optionsByte, err := json.Marshal(options)
 if err != nil {
 return nil, err
@@ -816,9 +804,9 @@ func parseV2R4Options[O rules.RuleOption](options any) (*O, error) {
 return &parsedOptions, nil
 }
 
-func getV2R4OptionOrNil[O rules.RuleOption](options any) (*O, error) {
+func getV2R6OptionOrNil[O rules.RuleOption](options any) (*O, error) {
 if options == nil {
 return nil, nil
 }
- return parseV2R4Options[O](options)
+ return parseV2R6Options[O](options)
 }
diff --git a/pkg/shared/ruleset/disak8sstig/rules/242386.go b/pkg/shared/ruleset/disak8sstig/rules/242386.go
deleted file mode 100644
index 9a6b8e407..000000000
--- a/pkg/shared/ruleset/disak8sstig/rules/242386.go
+++ /dev/null
@@ -1,67 +0,0 @@
-// SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and Gardener contributors
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package rules
-
-import (
- "context"
- "fmt"
-
- "sigs.k8s.io/controller-runtime/pkg/client"
-
- kubeutils "github.com/gardener/diki/pkg/kubernetes/utils"
- "github.com/gardener/diki/pkg/rule"
-)
-
-// TODO (georgibaltiev): Remove the implementation of this rule once support for DISA STIG version v2r4 has been dropped.
-var (
- _ rule.Rule = &Rule242386{}
- _ rule.Severity = &Rule242386{}
-)
-
-type Rule242386 struct {
- Client client.Client
- Namespace string
- DeploymentName string
- ContainerName string
-}
-
-func (r *Rule242386) ID() string {
- return ID242386
-}
-
-func (r *Rule242386) Name() string {
- return "The Kubernetes API server must have the insecure port flag disabled."
-}
-
-func (r *Rule242386) Severity() rule.SeverityLevel {
- return rule.SeverityHigh
-}
-
-func (r *Rule242386) Run(ctx context.Context) (rule.RuleResult, error) {
- const optName = "insecure-port"
- deploymentName := "kube-apiserver"
- containerName := "kube-apiserver"
-
- if r.DeploymentName != "" {
- deploymentName = r.DeploymentName
- }
-
- if r.ContainerName != "" {
- containerName = r.ContainerName
- }
- target := rule.NewTarget("kind", "Deployment", "name", deploymentName, "namespace", r.Namespace)
-
- insecurePortOptionSlice, err := kubeutils.GetCommandOptionFromDeployment(ctx, r.Client, deploymentName, containerName, r.Namespace, optName)
- if err != nil {
- return rule.Result(r, rule.ErroredCheckResult(err.Error(), target)), nil
- }
-
- if len(insecurePortOptionSlice) == 0 {
- return rule.Result(r, rule.PassedCheckResult(fmt.Sprintf("Option %s not set.", optName), target)), nil
- }
-
- // insecure-port is deprecated but still needed for health checks. ref https://github.com/kubernetes/kubernetes/issues/43784
- return rule.Result(r, rule.FailedCheckResult(fmt.Sprintf("Option %s set.", optName), target)), nil
-}
diff --git a/pkg/shared/ruleset/disak8sstig/rules/242386_test.go b/pkg/shared/ruleset/disak8sstig/rules/242386_test.go
deleted file mode 100644
index 881ee08dd..000000000
--- a/pkg/shared/ruleset/disak8sstig/rules/242386_test.go
+++ /dev/null
@@ -1,101 +0,0 @@
-// SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and Gardener contributors
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package rules_test
-
-import (
- "context"
-
- . "github.com/onsi/ginkgo/v2"
- . "github.com/onsi/gomega"
- gomegatypes "github.com/onsi/gomega/types"
- appsv1 "k8s.io/api/apps/v1"
- corev1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "sigs.k8s.io/controller-runtime/pkg/client"
- fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
-
- "github.com/gardener/diki/pkg/rule"
- "github.com/gardener/diki/pkg/shared/ruleset/disak8sstig/rules"
-)
-
-var _ = Describe("#242386", func() {
- var (
- fakeClient client.Client
- ctx = context.TODO()
- namespace = "foo"
-
- ksDeployment *appsv1.Deployment
- target = rule.NewTarget("kind", "Deployment", "name", "kube-apiserver", "namespace", namespace)
- )
-
- BeforeEach(func() {
- fakeClient = fakeclient.NewClientBuilder().Build()
- ksDeployment = &appsv1.Deployment{
- ObjectMeta: metav1.ObjectMeta{
- Name: "kube-apiserver",
- Namespace: namespace,
- },
- Spec: appsv1.DeploymentSpec{
- Template: corev1.PodTemplateSpec{
- Spec: corev1.PodSpec{
- Containers: []corev1.Container{
- {
- Name: "kube-apiserver",
- Command: []string{},
- Args: []string{},
- },
- },
- },
- },
- },
- }
- })
-
- It("should error when kube-apiserver is not found", func() {
- r := &rules.Rule242386{Client: fakeClient, Namespace: namespace}
-
- ruleResult, err := r.Run(ctx)
- Expect(err).ToNot(HaveOccurred())
-
- Expect(ruleResult.CheckResults).To(Equal([]rule.CheckResult{
- {
- Status: rule.Errored,
- Message: "deployments.apps \"kube-apiserver\" not found",
- Target: target,
- },
- },
- ))
- })
-
- DescribeTable("Run cases",
- func(container corev1.Container, expectedCheckResults []rule.CheckResult, errorMatcher gomegatypes.GomegaMatcher) {
- ksDeployment.Spec.Template.Spec.Containers = []corev1.Container{container}
- Expect(fakeClient.Create(ctx, ksDeployment)).To(Succeed())
-
- r := &rules.Rule242386{Client: fakeClient, Namespace: namespace}
- ruleResult, err := r.Run(ctx)
- Expect(err).To(errorMatcher)
-
- Expect(ruleResult.CheckResults).To(Equal(expectedCheckResults))
- },
-
- Entry("should pass when insecure-port is not set",
- corev1.Container{Name: "kube-apiserver", Command: []string{"--flag1=value1", "--flag2=value2"}},
- []rule.CheckResult{{Status: rule.Passed, Message: "Option insecure-port not set.", Target: target}},
- BeNil()),
- Entry("should fail when insecure-port is set",
- corev1.Container{Name: "kube-apiserver", Command: []string{"--insecure-port=8080"}},
- []rule.CheckResult{{Status: rule.Failed, Message: "Option insecure-port set.", Target: target}},
- BeNil()),
- Entry("should fail when insecure-port is set more than once",
- corev1.Container{Name: "kube-apiserver", Command: []string{"--insecure-port=8080"}, Args: []string{"--insecure-port=8888"}},
- []rule.CheckResult{{Status: rule.Failed, Message: "Option insecure-port set.", Target: target}},
- BeNil()),
- Entry("should error when deployment does not have container 'kube-apiserver'",
- corev1.Container{Name: "not-kube-apiserver", Command: []string{"--insecure-port=8080"}},
- []rule.CheckResult{{Status: rule.Errored, Message: "deployment: kube-apiserver does not contain container: kube-apiserver", Target: target}},
- BeNil()),
- )
-})
diff --git a/pkg/shared/ruleset/disak8sstig/rules/242388.go b/pkg/shared/ruleset/disak8sstig/rules/242388.go
deleted file mode 100644
index e4c72b93e..000000000
--- a/pkg/shared/ruleset/disak8sstig/rules/242388.go
+++ /dev/null
@@ -1,67 +0,0 @@
-// SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and Gardener contributors
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package rules
-
-import (
- "context"
- "fmt"
-
- "sigs.k8s.io/controller-runtime/pkg/client"
-
- kubeutils "github.com/gardener/diki/pkg/kubernetes/utils"
- "github.com/gardener/diki/pkg/rule"
-)
-
-// TODO (georgibaltiev): Remove the implementation of this rule once support for DISA STIG version v2r4 has been dropped.
-var (
- _ rule.Rule = &Rule242388{}
- _ rule.Severity = &Rule242388{}
-)
-
-type Rule242388 struct {
- Client client.Client
- Namespace string
- DeploymentName string
- ContainerName string
-}
-
-func (r *Rule242388) ID() string {
- return ID242388
-}
-
-func (r *Rule242388) Name() string {
- return "The Kubernetes API server must have the insecure bind address not set."
-}
-
-func (r *Rule242388) Severity() rule.SeverityLevel {
- return rule.SeverityHigh
-}
-
-func (r *Rule242388) Run(ctx context.Context) (rule.RuleResult, error) {
- const optName = "insecure-bind-address"
- deploymentName := "kube-apiserver"
- containerName := "kube-apiserver"
-
- if r.DeploymentName != "" {
- deploymentName = r.DeploymentName
- }
-
- if r.ContainerName != "" {
- containerName = r.ContainerName
- }
- target := rule.NewTarget("kind", "Deployment", "name", deploymentName, "namespace", r.Namespace)
-
- insecureBindAddressOptionSlice, err := kubeutils.GetCommandOptionFromDeployment(ctx, r.Client, deploymentName, containerName, r.Namespace, optName)
- if err != nil {
- return rule.Result(r, rule.ErroredCheckResult(err.Error(), target)), nil
- }
-
- if len(insecureBindAddressOptionSlice) == 0 {
- return rule.Result(r, rule.PassedCheckResult(fmt.Sprintf("Option %s not set.", optName), target)), nil
- }
-
- // insecure-bind-address is deprecated but still needed for health checks. ref https://github.com/kubernetes/kubernetes/issues/43784
- return rule.Result(r, rule.FailedCheckResult(fmt.Sprintf("Option %s set.", optName), target)), nil
-}
diff --git a/pkg/shared/ruleset/disak8sstig/rules/242388_test.go b/pkg/shared/ruleset/disak8sstig/rules/242388_test.go
deleted file mode 100644
index 683f32457..000000000
--- a/pkg/shared/ruleset/disak8sstig/rules/242388_test.go
+++ /dev/null
@@ -1,101 +0,0 @@
-// SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and Gardener contributors
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package rules_test
-
-import (
- "context"
-
- . "github.com/onsi/ginkgo/v2"
- . "github.com/onsi/gomega"
- gomegatypes "github.com/onsi/gomega/types"
- appsv1 "k8s.io/api/apps/v1"
- corev1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "sigs.k8s.io/controller-runtime/pkg/client"
- fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
-
- "github.com/gardener/diki/pkg/rule"
- "github.com/gardener/diki/pkg/shared/ruleset/disak8sstig/rules"
-)
-
-var _ = Describe("#242388", func() {
- var (
- fakeClient client.Client
- ctx = context.TODO()
- namespace = "foo"
-
- ksDeployment *appsv1.Deployment
- target = rule.NewTarget("kind", "Deployment", "name", "kube-apiserver", "namespace", namespace)
- )
-
- BeforeEach(func() {
- fakeClient = fakeclient.NewClientBuilder().Build()
- ksDeployment = &appsv1.Deployment{
- ObjectMeta: metav1.ObjectMeta{
- Name: "kube-apiserver",
- Namespace: namespace,
- },
- Spec: appsv1.DeploymentSpec{
- Template: corev1.PodTemplateSpec{
- Spec: corev1.PodSpec{
- Containers: []corev1.Container{
- {
- Name: "kube-apiserver",
- Command: []string{},
- Args: []string{},
- },
- },
- },
- },
- },
- }
- })
-
- It("should error when kube-apiserver is not found", func() {
- r := &rules.Rule242388{Client: fakeClient, Namespace: namespace}
-
- ruleResult, err := r.Run(ctx)
- Expect(err).ToNot(HaveOccurred())
-
- Expect(ruleResult.CheckResults).To(Equal([]rule.CheckResult{
- {
- Status: rule.Errored,
- Message: "deployments.apps \"kube-apiserver\" not found",
- Target: target,
- },
- },
- ))
- })
-
- DescribeTable("Run cases",
- func(container corev1.Container, expectedCheckResults []rule.CheckResult, errorMatcher gomegatypes.GomegaMatcher) {
- ksDeployment.Spec.Template.Spec.Containers = []corev1.Container{container}
- Expect(fakeClient.Create(ctx, ksDeployment)).To(Succeed())
-
- r := &rules.Rule242388{Client: fakeClient, Namespace: namespace}
- ruleResult, err := r.Run(ctx)
- Expect(err).To(errorMatcher)
-
- Expect(ruleResult.CheckResults).To(Equal(expectedCheckResults))
- },
-
- Entry("should pass when insecure-bind-address is not set",
- corev1.Container{Name: "kube-apiserver", Command: []string{"--flag1=value1", "--flag2=value2"}},
- []rule.CheckResult{{Status: rule.Passed, Message: "Option insecure-bind-address not set.", Target: target}},
- BeNil()),
- Entry("should fail when insecure-bind-address is set",
- corev1.Container{Name: "kube-apiserver", Command: []string{"--insecure-bind-address=localhost"}},
- []rule.CheckResult{{Status: rule.Failed, Message: "Option insecure-bind-address set.", Target: target}},
- BeNil()),
- Entry("should fail when insecure-bind-address is set more than once",
- corev1.Container{Name: "kube-apiserver", Command: []string{"--insecure-bind-address=127.0.0.1"}, Args: []string{"--insecure-bind-address=255.255.255.255"}},
- []rule.CheckResult{{Status: rule.Failed, Message: "Option insecure-bind-address set.", Target: target}},
- BeNil()),
- Entry("should error when deployment does not have container 'kube-apiserver'",
- corev1.Container{Name: "not-kube-apiserver", Command: []string{"--insecure-bind-address=255.255.255.255"}},
- []rule.CheckResult{{Status: rule.Errored, Message: "deployment: kube-apiserver does not contain container: kube-apiserver", Target: target}},
- BeNil()),
- )
-})
diff --git a/pkg/shared/ruleset/disak8sstig/rules/ids.go b/pkg/shared/ruleset/disak8sstig/rules/ids.go
index e9bd601b9..b8fbf7f91 100644
--- a/pkg/shared/ruleset/disak8sstig/rules/ids.go
+++ b/pkg/shared/ruleset/disak8sstig/rules/ids.go
@@ -15,9 +15,7 @@ const (
 ID242383 = "242383"
 ID242384 = "242384"
 ID242385 = "242385"
- ID242386 = "242386"
 ID242387 = "242387"
- ID242388 = "242388"
 ID242389 = "242389"
 ID242390 = "242390"
 ID242391 = "242391"
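Review bot: Deleting the exported constants `ID242386` and `ID242388` from the shared `rules` package is a breaking change for any code outside this repository that imports `pkg/shared/ruleset/disak8sstig/rules`, not only for the in-tree providers touched here. The removed rule files tied their own removal to dropping v2r4 support, which this commit does, so the deletion itself looks deliberate. What the diff does not record anywhere is that the v2r6 revision no longer carries the insecure-port and insecure-bind-address API-server controls; a short note in the ruleset documentation or release notes would let operators comparing reports across revisions see that these two IDs are absent by design rather than missing.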