
[Security Hardened Shoot Cluster] Rule 2000 Implementation #362

Merged: 4 commits merged into gardener:main on Nov 19, 2024

Conversation

georgibaltiev (Contributor)

What this PR does / why we need it:
This PR is an implementation of Rule 2000 of the Security Hardened Shoot Cluster Ruleset. It retrieves metadata about the shoot cluster and evaluates the EnableAnonymousAuthentication flag (if present) of the Kube API Server component.

Which issue(s) this PR fixes:
Part of #304

Special notes for your reviewer:

Release note:

Implementation for rule `2000` from the `security-hardened-shoot-cluster` ruleset for provider `garden`.
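The decision the rule makes, as an added example that is not part of this PR or of the project's own code: the Shoot, CheckResult and status types below are minimal stand-ins modelled on the field path the PR evaluates (shoot.Spec.Kubernetes.KubeAPIServer.EnableAnonymousAuthentication), not Gardener's API types. Treating an absent flag as "disabled" is an assumption of this example, chosen to match Gardener's documented default of false for that field; the PR's own handling of the unset case is not quoted on this page.

```go
package main

import "fmt"

// CheckStatus and CheckResult are constructed stand-ins for the outcome a
// rule reports; they are not the real rule package's types.
type CheckStatus string

const (
	Passed CheckStatus = "Passed"
	Failed CheckStatus = "Failed"
)

type CheckResult struct {
	Status  CheckStatus
	Message string
}

// Minimal stand-ins for the Shoot spec fields the rule reads. Pointers are
// kept so that "flag not set" is representable, as in the Gardener API.
type KubeAPIServerConfig struct {
	EnableAnonymousAuthentication *bool
}

type Kubernetes struct {
	KubeAPIServer *KubeAPIServerConfig
}

type ShootSpec struct {
	Kubernetes Kubernetes
}

type Shoot struct {
	Name string
	Spec ShootSpec
}

// EvaluateAnonymousAuth reproduces the decision described in the PR: a flag
// that is present and true fails the check, a flag that is false passes.
// An absent KubeAPIServer section or absent flag is treated as disabled
// (assumption of this example, following the field's documented default).
func EvaluateAnonymousAuth(shoot Shoot) CheckResult {
	kas := shoot.Spec.Kubernetes.KubeAPIServer
	switch {
	case kas == nil || kas.EnableAnonymousAuthentication == nil:
		return CheckResult{Passed, "Anonymous authentication is not configured for the kube-apiserver (defaults to disabled)."}
	case *kas.EnableAnonymousAuthentication:
		return CheckResult{Failed, "Anonymous authentication is enabled for the kube-apiserver."}
	default:
		return CheckResult{Passed, "Anonymous authentication is disabled for the kube-apiserver."}
	}
}

func boolPtr(b bool) *bool { return &b }

func main() {
	// Constructed sample shoots covering the three states the rule can observe.
	shoots := []Shoot{
		{Name: "unset"},
		{Name: "disabled", Spec: ShootSpec{Kubernetes: Kubernetes{KubeAPIServer: &KubeAPIServerConfig{EnableAnonymousAuthentication: boolPtr(false)}}}},
		{Name: "enabled", Spec: ShootSpec{Kubernetes: Kubernetes{KubeAPIServer: &KubeAPIServerConfig{EnableAnonymousAuthentication: boolPtr(true)}}}},
	}
	for _, s := range shoots {
		r := EvaluateAnonymousAuth(s)
		fmt.Printf("%-8s %s: %s\n", s.Name, r.Status, r.Message)
	}
}
```

The nil guard is the part worth keeping in mind when reading the PR's switch: dereferencing the flag without first handling a nil KubeAPIServer section or nil pointer would panic the rule instead of producing a result.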

@georgibaltiev georgibaltiev requested a review from a team as a code owner November 18, 2024 09:48
@gardener-robot gardener-robot added needs/review Needs review size/m Size of pull request is medium (see gardener-robot robot/bots/size.py) labels Nov 18, 2024
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Nov 18, 2024
@gardener-robot-ci-1 gardener-robot-ci-1 added needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Nov 18, 2024
@AleksandarSavchev (Member) left a comment

Looks good, just 2 changes to test names.

@gardener-robot gardener-robot added the needs/changes Needs (more) changes label Nov 18, 2024
@gardener-robot-ci-3 gardener-robot-ci-3 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Nov 18, 2024
}
})

DescribeTable("Run cases", func(updateFn func(), expectedCheckResults []rule.CheckResult) {
Member

Suggested change
DescribeTable("Run cases", func(updateFn func(), expectedCheckResults []rule.CheckResult) {
DescribeTable("Run cases", func(updateFn func(), expectedCheckResult rule.CheckResult) {

Last comment, no need for expectedCheckResults to be a slice when the function can only return a single rule.CheckResult

@gardener-robot-ci-3 gardener-robot-ci-3 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Nov 18, 2024
@gardener-robot-ci-1 gardener-robot-ci-1 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Nov 18, 2024
@AleksandarSavchev (Member) left a comment

/lgtm

@gardener-robot gardener-robot added reviewed/lgtm Has approval for merging and removed needs/changes Needs (more) changes needs/review Needs review labels Nov 18, 2024
@gardener-robot-ci-1 gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Nov 18, 2024
@georgibaltiev georgibaltiev changed the title Add Rule 2000 to the Security Hardened Shoot Cluster Ruleset [Security Hardened Shoot Cluster] Rule 2000 Implementation Nov 18, 2024
@dimityrmirchev (Member) left a comment

Just a single wording change request.

Comment on lines 49 to 52
case *shoot.Spec.Kubernetes.KubeAPIServer.EnableAnonymousAuthentication:
return rule.Result(r, rule.FailedCheckResult("Anonymous authentication is enabled on the kube-apiserver.", rule.NewTarget())), nil
default:
return rule.Result(r, rule.PassedCheckResult("Anonymous authentication is disabled on the kube-apiserver.", rule.NewTarget())), nil
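Review bot: the dereference in `case *shoot.Spec.Kubernetes.KubeAPIServer.EnableAnonymousAuthentication:` is only safe if an earlier case, outside the quoted lines 49 to 52, has already returned when `KubeAPIServer` or the flag itself is nil; a nil pointer reaching this case would panic the rule instead of yielding a check result. Worth confirming that guard exists and that the "Run cases" table contains an entry with the flag unset, so the unset-flag path is exercised by the tests.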
Member

Suggested change
case *shoot.Spec.Kubernetes.KubeAPIServer.EnableAnonymousAuthentication:
return rule.Result(r, rule.FailedCheckResult("Anonymous authentication is enabled on the kube-apiserver.", rule.NewTarget())), nil
default:
return rule.Result(r, rule.PassedCheckResult("Anonymous authentication is disabled on the kube-apiserver.", rule.NewTarget())), nil
case *shoot.Spec.Kubernetes.KubeAPIServer.EnableAnonymousAuthentication:
return rule.Result(r, rule.FailedCheckResult("Anonymous authentication is enabled for the kube-apiserver.", rule.NewTarget())), nil
default:
return rule.Result(r, rule.PassedCheckResult("Anonymous authentication is disabled for the kube-apiserver.", rule.NewTarget())), nil

@gardener-robot gardener-robot added needs/changes Needs (more) changes needs/review Needs review and removed needs/review Needs review reviewed/lgtm Has approval for merging labels Nov 19, 2024
@gardener-robot-ci-3 gardener-robot-ci-3 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Nov 19, 2024
@dimityrmirchev (Member) left a comment

/lgtm

@dimityrmirchev dimityrmirchev merged commit ff9ecf4 into gardener:main Nov 19, 2024
9 checks passed
@gardener-robot gardener-robot added reviewed/lgtm Has approval for merging status/closed Issue is closed (either delivered or triaged) and removed needs/changes Needs (more) changes labels Nov 19, 2024
@gardener-robot-ci-3 gardener-robot-ci-3 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Nov 19, 2024
@georgibaltiev georgibaltiev deleted the rule-2000 branch November 19, 2024 08:17
7 participants