diff --git a/docs/providers/gardener.md b/docs/providers/gardener.md index 6fe4a1502..6721a2d14 100644 --- a/docs/providers/gardener.md +++ b/docs/providers/gardener.md @@ -8,8 +8,8 @@ The `Gardener` provider is capable of accessing a `seed/shoot` environment and r The `Gardener` provider implements the following `rulesets`: - [DISA Kubernetes Security Technical Implementation Guide](../rulesets/disa-k8s-stig/ruleset.md) + - v2r5 - v2r4 - - v2r3 ### Configuration diff --git a/docs/providers/managedk8s.md b/docs/providers/managedk8s.md index e4bbb8201..4ba1a7141 100644 --- a/docs/providers/managedk8s.md +++ b/docs/providers/managedk8s.md @@ -10,8 +10,8 @@ The `Managed Kubernetes` provider is capable of accessing a managed Kubernetes e The `Managed Kubernetes` provider implements the following `rulesets`: - [DISA Kubernetes Security Technical Implementation Guide](../rulesets/disa-k8s-stig/ruleset.md) + - v2r5 - v2r4 - - v2r3 - [Security Hardened Kubernetes Cluster](../rulesets/security-hardened-k8s/ruleset.md) - v0.1.0 diff --git a/docs/providers/virtualgarden.md b/docs/providers/virtualgarden.md index 6e487f41f..7c8350094 100644 --- a/docs/providers/virtualgarden.md +++ b/docs/providers/virtualgarden.md @@ -8,8 +8,8 @@ The `Virtual Garden` provider is capable of accessing a `runtime/virtual garden` The `Gardener` provider implements the following `rulesets`: - [DISA Kubernetes Security Technical Implementation Guide](../rulesets/disa-k8s-stig/ruleset.md) + - v2r5 - v2r4 - - v2r3 ### Configuration diff --git a/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go b/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go index b1ef36fbb..61da331a0 100644 --- a/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go +++ b/pkg/provider/gardener/ruleset/disak8sstig/ruleset.go 
@@ -33,7 +33,7 @@ var (
 	_ ruleset.Ruleset = &Ruleset{}
 	// SupportedVersions is a list of available versions for the DISA Kubernetes STIG Ruleset.
 	// Versions are sorted from newest to oldest.
-	SupportedVersions = []string{"v2r4", "v2r3"}
+	SupportedVersions = []string{"v2r5", "v2r4"}
 )
 
 // Ruleset implements DISA Kubernetes STIG.
@@ -128,18 +128,18 @@ func FromGenericConfig(rulesetConfig config.RulesetConfig, additionalOpsPodLabel
 	}
 
 	switch rulesetConfig.Version {
-	case "v2r3":
-		if err := ruleset.validateV2R3RuleOptions(indexedRuleOptions, fldPath.Child("ruleOptions")); err != nil {
+	case "v2r4":
+		if err := ruleset.validateV2R4RuleOptions(indexedRuleOptions, fldPath.Child("ruleOptions")); err != nil {
 			return nil, err
 		}
-		if err := ruleset.registerV2R3Rules(ruleOptions); err != nil {
+		if err := ruleset.registerV2R4Rules(ruleOptions); err != nil {
 			return nil, err
 		}
-	case "v2r4":
-		if err := ruleset.validateV2R4RuleOptions(indexedRuleOptions, fldPath.Child("ruleOptions")); err != nil {
+	case "v2r5":
+		if err := ruleset.validateV2R5RuleOptions(indexedRuleOptions, fldPath.Child("ruleOptions")); err != nil {
 			return nil, err
 		}
-		if err := ruleset.registerV2R4Rules(ruleOptions); err != nil {
+		if err := ruleset.registerV2R5Rules(ruleOptions); err != nil {
 			return nil, err
 		}
 	default:
diff --git a/pkg/provider/gardener/ruleset/disak8sstig/v2r3_ruleset.go b/pkg/provider/gardener/ruleset/disak8sstig/v2r5_ruleset.go
similarity index 91%
rename from pkg/provider/gardener/ruleset/disak8sstig/v2r3_ruleset.go
rename to pkg/provider/gardener/ruleset/disak8sstig/v2r5_ruleset.go
index 51632da3a..ee0636ea0 100644
--- a/pkg/provider/gardener/ruleset/disak8sstig/v2r3_ruleset.go
+++ b/pkg/provider/gardener/ruleset/disak8sstig/v2r5_ruleset.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and Gardener contributors
+// SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and Gardener contributors
 //
 // SPDX-License-Identifier: Apache-2.0
 
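Review bot: The version literals in the `case` labels duplicate the `SupportedVersions` list changed in the hunk above, and nothing visible ties the two together, so the next revision bump has to be made in both places; the same pattern repeats in the managedk8s and virtualgarden `ruleset.go` hunks of this diff. Dropping the `v2r3` case also means a configuration still pinning that version now falls through to `default:`, whose body is outside the hunk, so I could not confirm it reports the remaining supported versions. A unit test that iterates `SupportedVersions` and asserts `FromGenericConfig` accepts each entry would catch the two drifting apart; at minimum a `// keep in sync with SupportedVersions` comment above the `switch` would help. `FromGenericConfig` starts and ends outside the hunk.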
@@ -27,8 +27,8 @@ import (
 	sharedrules "github.com/gardener/diki/pkg/shared/ruleset/disak8sstig/rules"
 )
 
-func validateV2R3Options[O rules.RuleOption](options any, fldPath *field.Path) field.ErrorList {
-	parsedOptions, err := getV2R3OptionOrNil[O](options)
+func validateV2R5Options[O rules.RuleOption](options any, fldPath *field.Path) field.ErrorList {
+	parsedOptions, err := getV2R5OptionOrNil[O](options)
 	if err != nil {
 		return field.ErrorList{
 			field.InternalError(fldPath, err),
@@ -46,7 +46,7 @@ func validateV2R3Options[O rules.RuleOption](options any, fldPath *field.Path) f
 	return nil
 }
 
-func parseV2R3Options[O rules.RuleOption](options any) (*O, error) {
+func parseV2R5Options[O rules.RuleOption](options any) (*O, error) {
 	optionsByte, err := json.Marshal(options)
 	if err != nil {
 		return nil, err
@@ -60,33 +60,33 @@ func parseV2R3Options[O rules.RuleOption](options any) (*O, error) { return &parsedOptions, nil } -func getV2R3OptionOrNil[O rules.RuleOption](options any) (*O, error) { +func getV2R5OptionOrNil[O rules.RuleOption](options any) (*O, error) { if options == nil { return nil, nil } - return parseV2R3Options[O](options) + return parseV2R5Options[O](options) } -func (r *Ruleset) validateV2R3RuleOptions(ruleOptions map[string]internalconfig.IndexedRuleOptionsConfig, fldPath *field.Path) error { +func (r *Ruleset) validateV2R5RuleOptions(ruleOptions map[string]internalconfig.IndexedRuleOptionsConfig, fldPath *field.Path) error { allErrs := field.ErrorList{} - allErrs = append(allErrs, validateV2R3Options[sharedrules.Options242390](ruleOptions[sharedrules.ID242390].Args, fldPath.Index(ruleOptions[sharedrules.ID242390].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[rules.Options242400](ruleOptions[sharedrules.ID242400].Args, fldPath.Index(ruleOptions[sharedrules.ID242400].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[disaoption.Options242414](ruleOptions[sharedrules.ID242414].Args, fldPath.Index(ruleOptions[sharedrules.ID242414].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[disaoption.Options242415](ruleOptions[sharedrules.ID242415].Args, fldPath.Index(ruleOptions[sharedrules.ID242415].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[disaoption.Options242442](ruleOptions[sharedrules.ID242442].Args, fldPath.Index(ruleOptions[sharedrules.ID242442].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242445].Args, fldPath.Index(ruleOptions[sharedrules.ID242445].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242446].Args, fldPath.Index(ruleOptions[sharedrules.ID242446].Index).Child("args"))...) 
- allErrs = append(allErrs, validateV2R3Options[rules.Options242451](ruleOptions[sharedrules.ID242451].Args, fldPath.Index(ruleOptions[sharedrules.ID242451].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[rules.Options242466](ruleOptions[sharedrules.ID242466].Args, fldPath.Index(ruleOptions[sharedrules.ID242466].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[rules.Options242467](ruleOptions[sharedrules.ID242467].Args, fldPath.Index(ruleOptions[sharedrules.ID242467].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[sharedrules.Options245543](ruleOptions[sharedrules.ID245543].Args, fldPath.Index(ruleOptions[sharedrules.ID245543].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[sharedrules.Options254800](ruleOptions[sharedrules.ID254800].Args, fldPath.Index(ruleOptions[sharedrules.ID254800].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[sharedrules.Options242390](ruleOptions[sharedrules.ID242390].Args, fldPath.Index(ruleOptions[sharedrules.ID242390].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[rules.Options242400](ruleOptions[sharedrules.ID242400].Args, fldPath.Index(ruleOptions[sharedrules.ID242400].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[disaoption.Options242414](ruleOptions[sharedrules.ID242414].Args, fldPath.Index(ruleOptions[sharedrules.ID242414].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[disaoption.Options242415](ruleOptions[sharedrules.ID242415].Args, fldPath.Index(ruleOptions[sharedrules.ID242415].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[disaoption.Options242442](ruleOptions[sharedrules.ID242442].Args, fldPath.Index(ruleOptions[sharedrules.ID242442].Index).Child("args"))...) 
+ allErrs = append(allErrs, validateV2R5Options[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242445].Args, fldPath.Index(ruleOptions[sharedrules.ID242445].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242446].Args, fldPath.Index(ruleOptions[sharedrules.ID242446].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[rules.Options242451](ruleOptions[sharedrules.ID242451].Args, fldPath.Index(ruleOptions[sharedrules.ID242451].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[rules.Options242466](ruleOptions[sharedrules.ID242466].Args, fldPath.Index(ruleOptions[sharedrules.ID242466].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[rules.Options242467](ruleOptions[sharedrules.ID242467].Args, fldPath.Index(ruleOptions[sharedrules.ID242467].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[sharedrules.Options245543](ruleOptions[sharedrules.ID245543].Args, fldPath.Index(ruleOptions[sharedrules.ID245543].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[sharedrules.Options254800](ruleOptions[sharedrules.ID254800].Args, fldPath.Index(ruleOptions[sharedrules.ID254800].Index).Child("args"))...) return allErrs.ToAggregate() } -func (r *Ruleset) registerV2R3Rules(ruleOptions map[string]config.RuleOptionsConfig) error { // TODO: add to FromGenericConfig +func (r *Ruleset) registerV2R5Rules(ruleOptions map[string]config.RuleOptionsConfig) error { // TODO: add to FromGenericConfig shootClient, err := client.New(r.ShootConfig, client.Options{Scheme: kubernetesgardener.ShootScheme}) if err != nil { return err 
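Review bot: The trailing `// TODO: add to FromGenericConfig` on the renamed `registerV2R5Rules` signature is stale — the `ruleset.go` hunk in this same diff already dispatches `case "v2r5"` to `validateV2R5RuleOptions` and `registerV2R5Rules`, so the comment points at work that is done; the same stale TODO is carried over on the managedk8s `registerV2R5Rules`. I would drop it, or replace it with a doc comment such as `// registerV2R5Rules builds the DISA K8s STIG v2r5 rule list for this ruleset and registers it via AddRules.` Both `validateV2R5RuleOptions`' callers and the body of `registerV2R5Rules` continue past the end of the hunk.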
@@ -112,51 +112,51 @@ func (r *Ruleset) registerV2R3Rules(ruleOptions map[string]config.RuleOptionsCon return err } - opts242390, err := getV2R3OptionOrNil[sharedrules.Options242390](ruleOptions[sharedrules.ID242390].Args) + opts242390, err := getV2R5OptionOrNil[sharedrules.Options242390](ruleOptions[sharedrules.ID242390].Args) if err != nil { return fmt.Errorf("rule option 242390 error: %s", err.Error()) } - opts242400, err := getV2R3OptionOrNil[rules.Options242400](ruleOptions[sharedrules.ID242400].Args) + opts242400, err := getV2R5OptionOrNil[rules.Options242400](ruleOptions[sharedrules.ID242400].Args) if err != nil { return fmt.Errorf("rule option 242400 error: %s", err.Error()) } - opts242414, err := getV2R3OptionOrNil[disaoption.Options242414](ruleOptions[sharedrules.ID242414].Args) + opts242414, err := getV2R5OptionOrNil[disaoption.Options242414](ruleOptions[sharedrules.ID242414].Args) if err != nil { return fmt.Errorf("rule option 242414 error: %s", err.Error()) } - opts242415, err := getV2R3OptionOrNil[disaoption.Options242415](ruleOptions[sharedrules.ID242415].Args) + opts242415, err := getV2R5OptionOrNil[disaoption.Options242415](ruleOptions[sharedrules.ID242415].Args) if err != nil { return fmt.Errorf("rule option 242415 error: %s", err.Error()) } - opts242442, err := getV2R3OptionOrNil[disaoption.Options242442](ruleOptions[sharedrules.ID242442].Args) + opts242442, err := getV2R5OptionOrNil[disaoption.Options242442](ruleOptions[sharedrules.ID242442].Args) if err != nil { return fmt.Errorf("rule option 242442 error: %s", err.Error()) } - opts242445, err := getV2R3OptionOrNil[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242445].Args) + opts242445, err := getV2R5OptionOrNil[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242445].Args) if err != nil { return fmt.Errorf("rule option 242445 error: %s", err.Error()) } - opts242446, err := getV2R3OptionOrNil[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242446].Args) + opts242446, err 
:= getV2R5OptionOrNil[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242446].Args) if err != nil { return fmt.Errorf("rule option 242446 error: %s", err.Error()) } - opts242451, err := getV2R3OptionOrNil[rules.Options242451](ruleOptions[sharedrules.ID242451].Args) + opts242451, err := getV2R5OptionOrNil[rules.Options242451](ruleOptions[sharedrules.ID242451].Args) if err != nil { return fmt.Errorf("rule option 242451 error: %s", err.Error()) } - opts242466, err := getV2R3OptionOrNil[rules.Options242466](ruleOptions[sharedrules.ID242466].Args) + opts242466, err := getV2R5OptionOrNil[rules.Options242466](ruleOptions[sharedrules.ID242466].Args) if err != nil { return fmt.Errorf("rule option 242466 error: %s", err.Error()) } - opts242467, err := getV2R3OptionOrNil[rules.Options242467](ruleOptions[sharedrules.ID242467].Args) + opts242467, err := getV2R5OptionOrNil[rules.Options242467](ruleOptions[sharedrules.ID242467].Args) if err != nil { return fmt.Errorf("rule option 242467 error: %s", err.Error()) } - opts245543, err := getV2R3OptionOrNil[sharedrules.Options245543](ruleOptions[sharedrules.ID245543].Args) + opts245543, err := getV2R5OptionOrNil[sharedrules.Options245543](ruleOptions[sharedrules.ID245543].Args) if err != nil { return fmt.Errorf("rule option 245543 error: %s", err.Error()) } - opts254800, err := getV2R3OptionOrNil[sharedrules.Options254800](ruleOptions[sharedrules.ID254800].Args) + opts254800, err := getV2R5OptionOrNil[sharedrules.Options254800](ruleOptions[sharedrules.ID254800].Args) if err != nil { return fmt.Errorf("rule option 254800 error: %s", err.Error()) } 
@@ -205,12 +205,10 @@ func (r *Ruleset) registerV2R3Rules(ruleOptions map[string]config.RuleOptionsCon
 			rule.Skipped,
 			rule.SkipRuleWithSeverity(rule.SeverityMedium),
 		),
-		&sharedrules.Rule242386{Client: seedClient, Namespace: r.shootNamespace},
 		&sharedrules.Rule242387{
 			Client:       shootClient,
 			V1RESTClient: shootClientSet.CoreV1().RESTClient(),
 		},
-		&sharedrules.Rule242388{Client: seedClient, Namespace: r.shootNamespace},
 		&sharedrules.Rule242389{Client: seedClient, Namespace: r.shootNamespace},
 		&sharedrules.Rule242390{Client: seedClient, Namespace: r.shootNamespace, Options: opts242390},
 		&sharedrules.Rule242391{
@@ -699,6 +697,24 @@ func (r *Ruleset) registerV2R3Rules(ruleOptions map[string]config.RuleOptionsCon
 			rule.Skipped,
 			rule.SkipRuleWithSeverity(rule.SeverityHigh),
 		),
+		&sharedrules.Rule274882{
+			Client:    seedClient,
+			Namespace: r.shootNamespace,
+		},
+		rule.NewSkipRule(
+			sharedrules.ID274883,
+			"Sensitive information must be stored using Kubernetes Secrets or an external Secret store provider.",
+			"Cannot be tested with confidence and should be enforced organizationally.",
+			rule.Skipped,
+			rule.SkipRuleWithSeverity(rule.SeverityHigh),
+		),
+		rule.NewSkipRule(
+			sharedrules.ID274884,
+			"Kubernetes must limit Secret access on a need-to-know basis.",
+			"Cannot be tested with confidence and should be enforced organizationally.",
+			rule.Skipped,
+			rule.SkipRuleWithSeverity(rule.SeverityMedium),
+		),
 	}
 
 	for i, r := range rules {
@@ -717,8 +733,8 @@ func (r *Ruleset) registerV2R3Rules(ruleOptions map[string]config.RuleOptionsCon
 
 	// check that the registered rules equal
 	// the number of rules in that ruleset version
-	if len(rules) != 91 {
-		return fmt.Errorf("revision expects 91 registered rules, but got: %d", len(rules))
+	if len(rules) != 94 {
+		return fmt.Errorf("revision expects 94 registered rules, but got: %d", len(rules))
 	}
 
 	return r.AddRules(rules...)
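Review bot: The rule-count guard in the last hunk does not agree with the list as changed by this diff: the `@@ -205` hunk removes two entries (`Rule242386`, `Rule242388`) and the `@@ -699` hunk adds three (`Rule274882` plus the `ID274883` and `ID274884` skip rules), so by my count the slice goes from 91 to 92 entries while the guard now expects 94; the hunk headers' line offsets leave no room for further list edits in this file, so unless the old 91 was already wrong, `registerV2R5Rules` would fail with `revision expects 94 registered rules, but got: 92` on every v2r5 run. The managedk8s `v2r5_ruleset.go` hunks show the same −2/+3 edit with the same 94. Either two further v2r5 rules are missing from both lists or the guard should read `if len(rules) != 92 {` with the matching message; a unit test that instantiates the v2r5 ruleset would pin whichever is intended. The enclosing `registerV2R5Rules` starts before these hunks.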
diff --git a/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go b/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go
index e6ff7020f..6d8d71c2d 100644
--- a/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go
+++ b/pkg/provider/managedk8s/ruleset/disak8sstig/ruleset.go
@@ -33,7 +33,7 @@ var (
 	_ ruleset.Ruleset = &Ruleset{}
 	// SupportedVersions is a list of available versions for the DISA Kubernetes STIG Ruleset.
 	// Versions are sorted from newest to oldest.
-	SupportedVersions = []string{"v2r4", "v2r3"}
+	SupportedVersions = []string{"v2r5", "v2r4"}
 )
 
 // Ruleset implements DISA Kubernetes STIG.
@@ -123,18 +123,18 @@ func FromGenericConfig(rulesetConfig config.RulesetConfig, additionalOpsPodLabel
 	}
 
 	switch rulesetConfig.Version {
-	case "v2r3":
-		if err := ruleset.validateV2R3RuleOptions(indexedRuleOptions, fldPath.Child("ruleOptions")); err != nil {
+	case "v2r4":
+		if err := ruleset.validateV2R4RuleOptions(indexedRuleOptions, fldPath.Child("ruleOptions")); err != nil {
 			return nil, err
 		}
-		if err := ruleset.registerV2R3Rules(ruleOptions); err != nil {
+		if err := ruleset.registerV2R4Rules(ruleOptions); err != nil {
 			return nil, err
 		}
-	case "v2r4":
-		if err := ruleset.validateV2R4RuleOptions(indexedRuleOptions, fldPath.Child("ruleOptions")); err != nil {
+	case "v2r5":
+		if err := ruleset.validateV2R5RuleOptions(indexedRuleOptions, fldPath.Child("ruleOptions")); err != nil {
 			return nil, err
 		}
-		if err := ruleset.registerV2R4Rules(ruleOptions); err != nil {
+		if err := ruleset.registerV2R5Rules(ruleOptions); err != nil {
 			return nil, err
 		}
 	default:
diff --git a/pkg/provider/managedk8s/ruleset/disak8sstig/v2r3_ruleset.go b/pkg/provider/managedk8s/ruleset/disak8sstig/v2r5_ruleset.go
similarity index 89%
rename from pkg/provider/managedk8s/ruleset/disak8sstig/v2r3_ruleset.go
rename to pkg/provider/managedk8s/ruleset/disak8sstig/v2r5_ruleset.go
index 4febd771f..3ea7afee1 100644
--- a/pkg/provider/managedk8s/ruleset/disak8sstig/v2r3_ruleset.go
+++ b/pkg/provider/managedk8s/ruleset/disak8sstig/v2r5_ruleset.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and Gardener contributors
+// SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and Gardener contributors
 //
 // SPDX-License-Identifier: Apache-2.0
 
@@ -30,8 +30,8 @@ import (
 	sharedrules "github.com/gardener/diki/pkg/shared/ruleset/disak8sstig/rules"
 )
 
-func validateV2R3Options[O rules.RuleOption](options any, fldPath *field.Path) field.ErrorList {
-	parsedOptions, err := getV2R3OptionOrNil[O](options)
+func validateV2R5Options[O rules.RuleOption](options any, fldPath *field.Path) field.ErrorList {
+	parsedOptions, err := getV2R5OptionOrNil[O](options)
 	if err != nil {
 		return field.ErrorList{
 			field.InternalError(fldPath, err),
@@ -49,35 +49,35 @@ func validateV2R3Options[O rules.RuleOption](options any, fldPath *field.Path) f return nil } -func (r *Ruleset) validateV2R3RuleOptions(ruleOptions map[string]internalconfig.IndexedRuleOptionsConfig, fldPath *field.Path) error { +func (r *Ruleset) validateV2R5RuleOptions(ruleOptions map[string]internalconfig.IndexedRuleOptionsConfig, fldPath *field.Path) error { allErrs := field.ErrorList{} - allErrs = append(allErrs, validateV2R3Options[sharedrules.Options242383](ruleOptions[sharedrules.ID242383].Args, fldPath.Index(ruleOptions[sharedrules.ID242383].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[sharedrules.Options242393](ruleOptions[sharedrules.ID242393].Args, fldPath.Index(ruleOptions[sharedrules.ID242393].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[sharedrules.Options242394](ruleOptions[sharedrules.ID242394].Args, fldPath.Index(ruleOptions[sharedrules.ID242394].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[sharedrules.Options242396](ruleOptions[sharedrules.ID242396].Args, fldPath.Index(ruleOptions[sharedrules.ID242396].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[rules.Options242400](ruleOptions[sharedrules.ID242400].Args, fldPath.Index(ruleOptions[sharedrules.ID242400].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[sharedrules.Options242404](ruleOptions[sharedrules.ID242404].Args, fldPath.Index(ruleOptions[sharedrules.ID242404].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[sharedrules.Options242406](ruleOptions[sharedrules.ID242406].Args, fldPath.Index(ruleOptions[sharedrules.ID242406].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[sharedrules.Options242407](ruleOptions[sharedrules.ID242407].Args, fldPath.Index(ruleOptions[sharedrules.ID242407].Index).Child("args"))...) 
- allErrs = append(allErrs, validateV2R3Options[disaoption.Options242414](ruleOptions[sharedrules.ID242414].Args, fldPath.Index(ruleOptions[sharedrules.ID242414].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[disaoption.Options242415](ruleOptions[sharedrules.ID242415].Args, fldPath.Index(ruleOptions[sharedrules.ID242415].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[sharedrules.Options242417](ruleOptions[sharedrules.ID242417].Args, fldPath.Index(ruleOptions[sharedrules.ID242417].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[rules.Options242442](ruleOptions[sharedrules.ID242442].Args, fldPath.Index(ruleOptions[sharedrules.ID242442].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[option.ClusterObjectSelector](ruleOptions[sharedrules.ID242447].Args, fldPath.Index(ruleOptions[sharedrules.ID242447].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[sharedrules.Options242448](ruleOptions[sharedrules.ID242448].Args, fldPath.Index(ruleOptions[sharedrules.ID242448].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[sharedrules.Options242449](ruleOptions[sharedrules.ID242449].Args, fldPath.Index(ruleOptions[sharedrules.ID242449].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[sharedrules.Options242450](ruleOptions[sharedrules.ID242450].Args, fldPath.Index(ruleOptions[sharedrules.ID242450].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[rules.Options242451](ruleOptions[sharedrules.ID242451].Args, fldPath.Index(ruleOptions[sharedrules.ID242451].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[sharedrules.Options242452](ruleOptions[sharedrules.ID242452].Args, fldPath.Index(ruleOptions[sharedrules.ID242452].Index).Child("args"))...) 
- allErrs = append(allErrs, validateV2R3Options[sharedrules.Options242453](ruleOptions[sharedrules.ID242453].Args, fldPath.Index(ruleOptions[sharedrules.ID242453].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[rules.Options242466](ruleOptions[sharedrules.ID242466].Args, fldPath.Index(ruleOptions[sharedrules.ID242466].Index).Child("args"))...) - allErrs = append(allErrs, validateV2R3Options[rules.Options242467](ruleOptions[sharedrules.ID242467].Args, fldPath.Index(ruleOptions[sharedrules.ID242467].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[sharedrules.Options242383](ruleOptions[sharedrules.ID242383].Args, fldPath.Index(ruleOptions[sharedrules.ID242383].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[sharedrules.Options242393](ruleOptions[sharedrules.ID242393].Args, fldPath.Index(ruleOptions[sharedrules.ID242393].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[sharedrules.Options242394](ruleOptions[sharedrules.ID242394].Args, fldPath.Index(ruleOptions[sharedrules.ID242394].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[sharedrules.Options242396](ruleOptions[sharedrules.ID242396].Args, fldPath.Index(ruleOptions[sharedrules.ID242396].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[rules.Options242400](ruleOptions[sharedrules.ID242400].Args, fldPath.Index(ruleOptions[sharedrules.ID242400].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[sharedrules.Options242404](ruleOptions[sharedrules.ID242404].Args, fldPath.Index(ruleOptions[sharedrules.ID242404].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[sharedrules.Options242406](ruleOptions[sharedrules.ID242406].Args, fldPath.Index(ruleOptions[sharedrules.ID242406].Index).Child("args"))...) 
+ allErrs = append(allErrs, validateV2R5Options[sharedrules.Options242407](ruleOptions[sharedrules.ID242407].Args, fldPath.Index(ruleOptions[sharedrules.ID242407].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[disaoption.Options242414](ruleOptions[sharedrules.ID242414].Args, fldPath.Index(ruleOptions[sharedrules.ID242414].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[disaoption.Options242415](ruleOptions[sharedrules.ID242415].Args, fldPath.Index(ruleOptions[sharedrules.ID242415].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[sharedrules.Options242417](ruleOptions[sharedrules.ID242417].Args, fldPath.Index(ruleOptions[sharedrules.ID242417].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[rules.Options242442](ruleOptions[sharedrules.ID242442].Args, fldPath.Index(ruleOptions[sharedrules.ID242442].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[option.ClusterObjectSelector](ruleOptions[sharedrules.ID242447].Args, fldPath.Index(ruleOptions[sharedrules.ID242447].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[sharedrules.Options242448](ruleOptions[sharedrules.ID242448].Args, fldPath.Index(ruleOptions[sharedrules.ID242448].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[sharedrules.Options242449](ruleOptions[sharedrules.ID242449].Args, fldPath.Index(ruleOptions[sharedrules.ID242449].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[sharedrules.Options242450](ruleOptions[sharedrules.ID242450].Args, fldPath.Index(ruleOptions[sharedrules.ID242450].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[rules.Options242451](ruleOptions[sharedrules.ID242451].Args, fldPath.Index(ruleOptions[sharedrules.ID242451].Index).Child("args"))...) 
+ allErrs = append(allErrs, validateV2R5Options[sharedrules.Options242452](ruleOptions[sharedrules.ID242452].Args, fldPath.Index(ruleOptions[sharedrules.ID242452].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[sharedrules.Options242453](ruleOptions[sharedrules.ID242453].Args, fldPath.Index(ruleOptions[sharedrules.ID242453].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[rules.Options242466](ruleOptions[sharedrules.ID242466].Args, fldPath.Index(ruleOptions[sharedrules.ID242466].Index).Child("args"))...) + allErrs = append(allErrs, validateV2R5Options[rules.Options242467](ruleOptions[sharedrules.ID242467].Args, fldPath.Index(ruleOptions[sharedrules.ID242467].Index).Child("args"))...) return allErrs.ToAggregate() } -func (r *Ruleset) registerV2R3Rules(ruleOptions map[string]config.RuleOptionsConfig) error { // TODO: add to FromGenericConfig +func (r *Ruleset) registerV2R5Rules(ruleOptions map[string]config.RuleOptionsConfig) error { // TODO: add to FromGenericConfig client, err := client.New(r.Config, client.Options{}) if err != nil { return err 
@@ -114,87 +114,87 @@ func (r *Ruleset) registerV2R3Rules(ruleOptions map[string]config.RuleOptionsCon authorityCertPool = nil } - opts242383, err := getV2R3OptionOrNil[sharedrules.Options242383](ruleOptions[sharedrules.ID242383].Args) + opts242383, err := getV2R5OptionOrNil[sharedrules.Options242383](ruleOptions[sharedrules.ID242383].Args) if err != nil { return fmt.Errorf("rule option 242383 error: %s", err.Error()) } - opts242393, err := getV2R3OptionOrNil[sharedrules.Options242393](ruleOptions[sharedrules.ID242393].Args) + opts242393, err := getV2R5OptionOrNil[sharedrules.Options242393](ruleOptions[sharedrules.ID242393].Args) if err != nil { return fmt.Errorf("rule option 242393 error: %s", err.Error()) } - opts242394, err := getV2R3OptionOrNil[sharedrules.Options242394](ruleOptions[sharedrules.ID242394].Args) + opts242394, err := getV2R5OptionOrNil[sharedrules.Options242394](ruleOptions[sharedrules.ID242394].Args) if err != nil { return fmt.Errorf("rule option 242394 error: %s", err.Error()) } - opts242396, err := getV2R3OptionOrNil[sharedrules.Options242396](ruleOptions[sharedrules.ID242396].Args) + opts242396, err := getV2R5OptionOrNil[sharedrules.Options242396](ruleOptions[sharedrules.ID242396].Args) if err != nil { return fmt.Errorf("rule option 242396 error: %s", err.Error()) } - opts242400, err := getV2R3OptionOrNil[rules.Options242400](ruleOptions[sharedrules.ID242400].Args) + opts242400, err := getV2R5OptionOrNil[rules.Options242400](ruleOptions[sharedrules.ID242400].Args) if err != nil { return fmt.Errorf("rule option 242400 error: %s", err.Error()) } - opts242404, err := getV2R3OptionOrNil[sharedrules.Options242404](ruleOptions[sharedrules.ID242404].Args) + opts242404, err := getV2R5OptionOrNil[sharedrules.Options242404](ruleOptions[sharedrules.ID242404].Args) if err != nil { return fmt.Errorf("rule option 242404 error: %s", err.Error()) } - opts242406, err := getV2R3OptionOrNil[sharedrules.Options242406](ruleOptions[sharedrules.ID242406].Args) + 
opts242406, err := getV2R5OptionOrNil[sharedrules.Options242406](ruleOptions[sharedrules.ID242406].Args) if err != nil { return fmt.Errorf("rule option 242406 error: %s", err.Error()) } - opts242407, err := getV2R3OptionOrNil[sharedrules.Options242407](ruleOptions[sharedrules.ID242407].Args) + opts242407, err := getV2R5OptionOrNil[sharedrules.Options242407](ruleOptions[sharedrules.ID242407].Args) if err != nil { return fmt.Errorf("rule option 242407 error: %s", err.Error()) } - opts242414, err := getV2R3OptionOrNil[disaoption.Options242414](ruleOptions[sharedrules.ID242414].Args) + opts242414, err := getV2R5OptionOrNil[disaoption.Options242414](ruleOptions[sharedrules.ID242414].Args) if err != nil { return fmt.Errorf("rule option 242414 error: %s", err.Error()) } - opts242415, err := getV2R3OptionOrNil[disaoption.Options242415](ruleOptions[sharedrules.ID242415].Args) + opts242415, err := getV2R5OptionOrNil[disaoption.Options242415](ruleOptions[sharedrules.ID242415].Args) if err != nil { return fmt.Errorf("rule option 242415 error: %s", err.Error()) } - opts242417, err := getV2R3OptionOrNil[sharedrules.Options242417](ruleOptions[sharedrules.ID242417].Args) + opts242417, err := getV2R5OptionOrNil[sharedrules.Options242417](ruleOptions[sharedrules.ID242417].Args) if err != nil { return fmt.Errorf("rule option 242417 error: %s", err.Error()) } - opts242442, err := getV2R3OptionOrNil[rules.Options242442](ruleOptions[sharedrules.ID242442].Args) + opts242442, err := getV2R5OptionOrNil[rules.Options242442](ruleOptions[sharedrules.ID242442].Args) if err != nil { return fmt.Errorf("rule option 242442 error: %s", err.Error()) } - opts242447, err := getV2R3OptionOrNil[option.ClusterObjectSelector](ruleOptions[sharedrules.ID242447].Args) + opts242447, err := getV2R5OptionOrNil[option.ClusterObjectSelector](ruleOptions[sharedrules.ID242447].Args) if err != nil { return fmt.Errorf("rule option 242447 error: %s", err.Error()) } - opts242448, err := 
getV2R3OptionOrNil[sharedrules.Options242448](ruleOptions[sharedrules.ID242448].Args) + opts242448, err := getV2R5OptionOrNil[sharedrules.Options242448](ruleOptions[sharedrules.ID242448].Args) if err != nil { return fmt.Errorf("rule option 242448 error: %s", err.Error()) } - opts242449, err := getV2R3OptionOrNil[sharedrules.Options242449](ruleOptions[sharedrules.ID242449].Args) + opts242449, err := getV2R5OptionOrNil[sharedrules.Options242449](ruleOptions[sharedrules.ID242449].Args) if err != nil { return fmt.Errorf("rule option 242449 error: %s", err.Error()) } - opts242450, err := getV2R3OptionOrNil[sharedrules.Options242450](ruleOptions[sharedrules.ID242450].Args) + opts242450, err := getV2R5OptionOrNil[sharedrules.Options242450](ruleOptions[sharedrules.ID242450].Args) if err != nil { return fmt.Errorf("rule option 242450 error: %s", err.Error()) } - opts242451, err := getV2R3OptionOrNil[rules.Options242451](ruleOptions[sharedrules.ID242451].Args) + opts242451, err := getV2R5OptionOrNil[rules.Options242451](ruleOptions[sharedrules.ID242451].Args) if err != nil { return fmt.Errorf("rule option 242451 error: %s", err.Error()) } - opts242452, err := getV2R3OptionOrNil[sharedrules.Options242452](ruleOptions[sharedrules.ID242452].Args) + opts242452, err := getV2R5OptionOrNil[sharedrules.Options242452](ruleOptions[sharedrules.ID242452].Args) if err != nil { return fmt.Errorf("rule option 242452 error: %s", err.Error()) } - opts242453, err := getV2R3OptionOrNil[sharedrules.Options242453](ruleOptions[sharedrules.ID242453].Args) + opts242453, err := getV2R5OptionOrNil[sharedrules.Options242453](ruleOptions[sharedrules.ID242453].Args) if err != nil { return fmt.Errorf("rule option 242453 error: %s", err.Error()) } - opts242466, err := getV2R3OptionOrNil[rules.Options242466](ruleOptions[sharedrules.ID242466].Args) + opts242466, err := getV2R5OptionOrNil[rules.Options242466](ruleOptions[sharedrules.ID242466].Args) if err != nil { return fmt.Errorf("rule option 242466 error: 
%s", err.Error()) } - opts242467, err := getV2R3OptionOrNil[rules.Options242467](ruleOptions[sharedrules.ID242467].Args) + opts242467, err := getV2R5OptionOrNil[rules.Options242467](ruleOptions[sharedrules.ID242467].Args) if err != nil { return fmt.Errorf("rule option 242467 error: %s", err.Error()) } @@ -281,24 +281,10 @@ func (r *Ruleset) registerV2R3Rules(ruleOptions map[string]config.RuleOptionsCon rule.Skipped, rule.SkipRuleWithSeverity(rule.SeverityMedium), ), - rule.NewSkipRule( - sharedrules.ID242386, - "The Kubernetes API server must have the insecure port flag disabled.", - noControlPlaneMsg, - rule.Skipped, - rule.SkipRuleWithSeverity(rule.SeverityHigh), - ), &sharedrules.Rule242387{ Client: client, V1RESTClient: clientSet.CoreV1().RESTClient(), }, - rule.NewSkipRule( - sharedrules.ID242388, - "The Kubernetes API server must have the insecure bind address not set.", - noControlPlaneMsg, - rule.Skipped, - rule.SkipRuleWithSeverity(rule.SeverityHigh), - ), rule.NewSkipRule( sharedrules.ID242389, "The Kubernetes API server must have the secure port set.", 
@@ -894,6 +880,27 @@ func (r *Ruleset) registerV2R3Rules(ruleOptions map[string]config.RuleOptionsCon
 rule.Skipped,
 rule.SkipRuleWithSeverity(rule.SeverityHigh),
 ),
+ rule.NewSkipRule(
+ sharedrules.ID274882,
+ "Kubernetes Secrets must be encrypted at rest.",
+ noControlPlaneMsg,
+ rule.Skipped,
+ rule.SkipRuleWithSeverity(rule.SeverityHigh),
+ ),
+ rule.NewSkipRule(
+ sharedrules.ID274883,
+ "Sensitive information must be stored using Kubernetes Secrets or an external Secret store provider.",
+ "Cannot be tested with confidence and should be enforced organizationally.",
+ rule.Skipped,
+ rule.SkipRuleWithSeverity(rule.SeverityHigh),
+ ),
+ rule.NewSkipRule(
+ sharedrules.ID274884,
+ "Kubernetes must limit Secret access on a need-to-know basis.",
+ "Cannot be tested with confidence and should be enforced organizationally.",
+ rule.Skipped,
+ rule.SkipRuleWithSeverity(rule.SeverityMedium),
+ ),
 }
 for i, r := range rules {
@@ -912,14 +919,14 @@ func (r *Ruleset) registerV2R3Rules(ruleOptions map[string]config.RuleOptionsCon
 // check that the registered rules equal
 // the number of rules in that ruleset version
- if len(rules) != 91 {
- return fmt.Errorf("revision expects 91 registered rules, but got: %d", len(rules))
+ if len(rules) != 94 {
+ return fmt.Errorf("revision expects 94 registered rules, but got: %d", len(rules))
 }
 return r.AddRules(rules...)
 }
-func parseV2R3Options[O rules.RuleOption](options any) (*O, error) {
+func parseV2R5Options[O rules.RuleOption](options any) (*O, error) {
 optionsByte, err := json.Marshal(options)
 if err != nil {
 return nil, err
@@ -933,9 +940,9 @@ func parseV2R3Options[O rules.RuleOption](options any) (*O, error) {
 return &parsedOptions, nil
 }
-func getV2R3OptionOrNil[O rules.RuleOption](options any) (*O, error) {
+func getV2R5OptionOrNil[O rules.RuleOption](options any) (*O, error) {
 if options == nil {
 return nil, nil
 }
- return parseV2R3Options[O](options)
+ return parseV2R5Options[O](options)
 }
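Review bot: The justification `"Cannot be tested with confidence and should be enforced organizationally."` is written out verbatim for ID274883 and ID274884 here and again twice in the virtualgarden hunk at -757, while the neighbouring entry reuses the `noControlPlaneMsg` constant for its reason; a package-level constant such as `organizationalControlMsg` would keep the wording identical across providers and make later edits a one-line change. Because all three controls are registered with `rule.Skipped`, they are reported as skipped rather than evaluated; that is appropriate for 274882 in a provider without control-plane access, but for 274883 and 274884 it is worth stating in the ruleset documentation that Secret handling and need-to-know access to Secrets remain an organizational responsibility that diki does not verify. The enclosing `rules` slice and `registerV2R5Rules` begin outside the hunk.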
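Review bot: The expected count moves from 91 to 94, but the hunks visible for this file remove two entries from `rules` (the 242386 and 242388 skip rules at -281) and add three (274882–274884 at -894), a net of one, so the slice should hold 92 unless a hunk outside this view adds two further entries; if it does not, `registerV2R5Rules` fails on every v2r5 run with `revision expects 94 registered rules, but got: 92`. The virtualgarden file shows the same arithmetic (two `Rule242386`/`Rule242388` entries removed at -176/-189, three added at -757, the check set to 94 at -775), so that hunk needs the same recount. Please verify the total against the v2r5 rule list before merging, and consider having the ruleset test pin the expected count so a drift like this is caught in CI rather than at first use. The body of `registerV2R5Rules` begins outside the hunk.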
diff --git a/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go b/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go
index 76c1086bf..49a9d641f 100644
--- a/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go
+++ b/pkg/provider/virtualgarden/ruleset/disak8sstig/ruleset.go
@@ -33,7 +33,7 @@ var (
 _ ruleset.Ruleset = &Ruleset{}
 // SupportedVersions is a list of available versions for the DISA Kubernetes STIG Ruleset.
 // Versions are sorted from newest to oldest.
- SupportedVersions = []string{"v2r4", "v2r3"}
+ SupportedVersions = []string{"v2r5", "v2r4"}
 )
 // Ruleset implements DISA Kubernetes STIG.
@@ -123,18 +123,18 @@ func FromGenericConfig(rulesetConfig config.RulesetConfig, additionalOpsPodLabel
 }
 switch rulesetConfig.Version {
- case "v2r3":
- if err := ruleset.validateV2R3RuleOptions(indexedRuleOptions, fldPath.Child("ruleOptions")); err != nil {
+ case "v2r4":
+ if err := ruleset.validateV2R4RuleOptions(indexedRuleOptions, fldPath.Child("ruleOptions")); err != nil {
 return nil, err
 }
- if err := ruleset.registerV2R3Rules(ruleOptions); err != nil {
+ if err := ruleset.registerV2R4Rules(ruleOptions); err != nil {
 return nil, err
 }
- case "v2r4":
- if err := ruleset.validateV2R4RuleOptions(indexedRuleOptions, fldPath.Child("ruleOptions")); err != nil {
+ case "v2r5":
+ if err := ruleset.validateV2R5RuleOptions(indexedRuleOptions, fldPath.Child("ruleOptions")); err != nil {
 return nil, err
 }
- if err := ruleset.registerV2R4Rules(ruleOptions); err != nil {
+ if err := ruleset.registerV2R5Rules(ruleOptions); err != nil {
 return nil, err
 }
 default:
diff --git a/pkg/provider/virtualgarden/ruleset/disak8sstig/v2r3_ruleset.go b/pkg/provider/virtualgarden/ruleset/disak8sstig/v2r5_ruleset.go
similarity index 93%
rename from pkg/provider/virtualgarden/ruleset/disak8sstig/v2r3_ruleset.go
rename to pkg/provider/virtualgarden/ruleset/disak8sstig/v2r5_ruleset.go
index d5fab8fe1..7d5b9b632 100644
--- a/pkg/provider/virtualgarden/ruleset/disak8sstig/v2r3_ruleset.go
+++ b/pkg/provider/virtualgarden/ruleset/disak8sstig/v2r5_ruleset.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and Gardener contributors
+// SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and Gardener contributors
 //
 // SPDX-License-Identifier: Apache-2.0
@@ -24,8 +24,8 @@ import (
 sharedrules "github.com/gardener/diki/pkg/shared/ruleset/disak8sstig/rules"
 )
-func validateV2R3Options[O rules.RuleOption](options any, fldPath *field.Path) field.ErrorList {
- parsedOptions, err := getV2R3OptionOrNil[O](options)
+func validateV2R5Options[O rules.RuleOption](options any, fldPath *field.Path) field.ErrorList {
+ parsedOptions, err := getV2R5OptionOrNil[O](options)
 if err != nil {
 return field.ErrorList{
 field.InternalError(fldPath, err),
@@ -43,20 +43,20 @@ func validateV2R3Options[O rules.RuleOption](options any, fldPath *field.Path) f
 return nil
 }
-func (r *Ruleset) validateV2R3RuleOptions(ruleOptions map[string]internalconfig.IndexedRuleOptionsConfig, fldPath *field.Path) error {
+func (r *Ruleset) validateV2R5RuleOptions(ruleOptions map[string]internalconfig.IndexedRuleOptionsConfig, fldPath *field.Path) error {
 allErrs := field.ErrorList{}
- allErrs = append(allErrs, validateV2R3Options[sharedrules.Options242390](ruleOptions[sharedrules.ID242390].Args, fldPath.Index(ruleOptions[sharedrules.ID242390].Index).Child("args"))...)
- allErrs = append(allErrs, validateV2R3Options[disaoption.Options242442](ruleOptions[sharedrules.ID242442].Args, fldPath.Index(ruleOptions[sharedrules.ID242442].Index).Child("args"))...)
- allErrs = append(allErrs, validateV2R3Options[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242445].Args, fldPath.Index(ruleOptions[sharedrules.ID242445].Index).Child("args"))...)
- allErrs = append(allErrs, validateV2R3Options[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242446].Args, fldPath.Index(ruleOptions[sharedrules.ID242446].Index).Child("args"))...)
- allErrs = append(allErrs, validateV2R3Options[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242451].Args, fldPath.Index(ruleOptions[sharedrules.ID242451].Index).Child("args"))...)
- allErrs = append(allErrs, validateV2R3Options[sharedrules.Options245543](ruleOptions[sharedrules.ID245543].Args, fldPath.Index(ruleOptions[sharedrules.ID245543].Index).Child("args"))...)
+ allErrs = append(allErrs, validateV2R5Options[sharedrules.Options242390](ruleOptions[sharedrules.ID242390].Args, fldPath.Index(ruleOptions[sharedrules.ID242390].Index).Child("args"))...)
+ allErrs = append(allErrs, validateV2R5Options[disaoption.Options242442](ruleOptions[sharedrules.ID242442].Args, fldPath.Index(ruleOptions[sharedrules.ID242442].Index).Child("args"))...)
+ allErrs = append(allErrs, validateV2R5Options[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242445].Args, fldPath.Index(ruleOptions[sharedrules.ID242445].Index).Child("args"))...)
+ allErrs = append(allErrs, validateV2R5Options[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242446].Args, fldPath.Index(ruleOptions[sharedrules.ID242446].Index).Child("args"))...)
+ allErrs = append(allErrs, validateV2R5Options[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242451].Args, fldPath.Index(ruleOptions[sharedrules.ID242451].Index).Child("args"))...)
+ allErrs = append(allErrs, validateV2R5Options[sharedrules.Options245543](ruleOptions[sharedrules.ID245543].Args, fldPath.Index(ruleOptions[sharedrules.ID245543].Index).Child("args"))...)
 return allErrs.ToAggregate()
 }
-func (r *Ruleset) registerV2R3Rules(ruleOptions map[string]config.RuleOptionsConfig) error { // TODO: add to FromGenericConfig
+func (r *Ruleset) registerV2R5Rules(ruleOptions map[string]config.RuleOptionsConfig) error { // TODO: add to FromGenericConfig
 runtimeClient, err := client.New(r.RuntimeConfig, client.Options{})
 if err != nil {
 return err
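Review bot: The trailing `// TODO: add to FromGenericConfig` on the `registerV2R5Rules` signature is stale: the `ruleset.go` hunk in this same commit already dispatches `case "v2r5"` to `registerV2R5Rules`, so the comment now misleads the next reader and should be dropped, leaving `func (r *Ruleset) registerV2R5Rules(ruleOptions map[string]config.RuleOptionsConfig) error {`. Neither renamed function carries a doc comment; `// validateV2R5RuleOptions validates the configured rule options of the v2r5 ruleset and returns them as one aggregated field error.` above the first and `// registerV2R5Rules builds the v2r5 rule list for the virtual garden and registers it on the Ruleset.` above the second would make the per-version entry points self-describing. The body of `registerV2R5Rules` continues past the hunk.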
@@ -66,27 +66,27 @@ func (r *Ruleset) registerV2R3Rules(ruleOptions map[string]config.RuleOptionsCon
 if err != nil {
 return err
 }
- opts242390, err := getV2R3OptionOrNil[sharedrules.Options242390](ruleOptions[sharedrules.ID242390].Args)
+ opts242390, err := getV2R5OptionOrNil[sharedrules.Options242390](ruleOptions[sharedrules.ID242390].Args)
 if err != nil {
 return fmt.Errorf("rule option 242390 error: %s", err.Error())
 }
- opts242442, err := getV2R3OptionOrNil[disaoption.Options242442](ruleOptions[sharedrules.ID242442].Args)
+ opts242442, err := getV2R5OptionOrNil[disaoption.Options242442](ruleOptions[sharedrules.ID242442].Args)
 if err != nil {
 return fmt.Errorf("rule option 242442 error: %s", err.Error())
 }
- opts242445, err := getV2R3OptionOrNil[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242445].Args)
+ opts242445, err := getV2R5OptionOrNil[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242445].Args)
 if err != nil {
 return fmt.Errorf("rule option 242445 error: %s", err.Error())
 }
- opts242446, err := getV2R3OptionOrNil[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242446].Args)
+ opts242446, err := getV2R5OptionOrNil[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242446].Args)
 if err != nil {
 return fmt.Errorf("rule option 242446 error: %s", err.Error())
 }
- opts242451, err := getV2R3OptionOrNil[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242451].Args)
+ opts242451, err := getV2R5OptionOrNil[disaoption.FileOwnerOptions](ruleOptions[sharedrules.ID242451].Args)
 if err != nil {
 return fmt.Errorf("rule option 242451 error: %s", err.Error())
 }
- opts245543, err := getV2R3OptionOrNil[sharedrules.Options245543](ruleOptions[sharedrules.ID245543].Args)
+ opts245543, err := getV2R5OptionOrNil[sharedrules.Options245543](ruleOptions[sharedrules.ID245543].Args)
 if err != nil {
 return fmt.Errorf("rule option 245543 error: %s", err.Error())
 }
@@ -176,12 +176,6 @@ func (r *Ruleset) registerV2R3Rules(ruleOptions map[string]config.RuleOptionsCon
 rule.Skipped,
 rule.SkipRuleWithSeverity(rule.SeverityMedium),
 ),
- &sharedrules.Rule242386{
- Client: runtimeClient,
- Namespace: ns,
- DeploymentName: apiserverDeploymentName,
- ContainerName: apiserverContainerName,
- },
 rule.NewSkipRule(
 sharedrules.ID242387,
 "The Kubernetes Kubelet must have the read-only port flag disabled.",
@@ -189,12 +183,6 @@ func (r *Ruleset) registerV2R3Rules(ruleOptions map[string]config.RuleOptionsCon
 rule.Skipped,
 rule.SkipRuleWithSeverity(rule.SeverityHigh),
 ),
- &sharedrules.Rule242388{
- Client: runtimeClient,
- Namespace: ns,
- DeploymentName: apiserverDeploymentName,
- ContainerName: apiserverContainerName,
- },
 &sharedrules.Rule242389{
 Client: runtimeClient,
 Namespace: ns,
@@ -757,6 +745,26 @@ func (r *Ruleset) registerV2R3Rules(ruleOptions map[string]config.RuleOptionsCon
 rule.Skipped,
 rule.SkipRuleWithSeverity(rule.SeverityHigh),
 ),
+ &sharedrules.Rule274882{
+ Client: runtimeClient,
+ Namespace: ns,
+ DeploymentName: apiserverDeploymentName,
+ ContainerName: apiserverContainerName,
+ },
+ rule.NewSkipRule(
+ sharedrules.ID274883,
+ "Sensitive information must be stored using Kubernetes Secrets or an external Secret store provider.",
+ "Cannot be tested with confidence and should be enforced organizationally.",
+ rule.Skipped,
+ rule.SkipRuleWithSeverity(rule.SeverityHigh),
+ ),
+ rule.NewSkipRule(
+ sharedrules.ID274884,
+ "Kubernetes must limit Secret access on a need-to-know basis.",
+ "Cannot be tested with confidence and should be enforced organizationally.",
+ rule.Skipped,
+ rule.SkipRuleWithSeverity(rule.SeverityMedium),
+ ),
 }
 for i, r := range rules {
@@ -775,14 +783,14 @@ func (r *Ruleset) registerV2R3Rules(ruleOptions map[string]config.RuleOptionsCon
 // check that the registered rules equal
 // the number of rules in that ruleset version
- if len(rules) != 91 {
- return fmt.Errorf("revision expects 91 registered rules, but got: %d", len(rules))
+ if len(rules) != 94 {
+ return fmt.Errorf("revision expects 94 registered rules, but got: %d", len(rules))
 }
 return r.AddRules(rules...)
 }
-func parseV2R3Options[O rules.RuleOption](options any) (*O, error) {
+func parseV2R5Options[O rules.RuleOption](options any) (*O, error) {
 optionsByte, err := json.Marshal(options)
 if err != nil {
 return nil, err
@@ -796,9 +804,9 @@ func parseV2R3Options[O rules.RuleOption](options any) (*O, error) {
 return &parsedOptions, nil
 }
-func getV2R3OptionOrNil[O rules.RuleOption](options any) (*O, error) {
+func getV2R5OptionOrNil[O rules.RuleOption](options any) (*O, error) {
 if options == nil {
 return nil, nil
 }
- return parseV2R3Options[O](options)
+ return parseV2R5Options[O](options)
 }