Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Hardened Shoot Cluster] Rule 2005 Implementation #363

Merged
merged 7 commits into from
Nov 19, 2024
Merged

[Security Hardened Shoot Cluster] Rule 2005 Implementation #363

merged 7 commits into from
Nov 19, 2024

Conversation

georgibaltiev
Copy link
Contributor

What this PR does / why we need it:
This PR implements rule 2005 of the Security Hardened Shoot Cluster Ruleset. It evaluates the kubelet configurations of the main and worker nodes by checking the value of their connection timeouts. The checkResults are in accordance with the DISA STIG guide for rule 245541 ref.

Which issue(s) this PR fixes:
Part of #304

Special notes for your reviewer:

Release note:

Implementation for rule `2005` from the `security-hardened-shoot-cluster` ruleset for provider `garden`.

@georgibaltiev georgibaltiev requested a review from a team as a code owner November 18, 2024 15:07
@gardener-robot-ci-1 gardener-robot-ci-1 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Nov 18, 2024
@gardener-robot gardener-robot added needs/review Needs review size/m Size of pull request is medium (see gardener-robot robot/bots/size.py) labels Nov 18, 2024
dimityrmirchev
dimityrmirchev requested changes Nov 18, 2024
View reviewed changes
Copy link
Member

@dimityrmirchev dimityrmirchev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mainly wording suggestions, but overall looks good

pkg/provider/garden/ruleset/securityhardenedshoot/rules/2005.go Outdated
timeoutDuration := *shoot.Spec.Kubernetes.Kubelet.StreamingConnectionIdleTimeout
switch {
case timeoutDuration.Minutes() < 5:
checkResults = append(checkResults, rule.FailedCheckResult("The connection timeout is not set to a valid value (< 5m).", rule.NewTarget()))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use allowed/not allowed in the other messages as well.

Suggested change
checkResults = append(checkResults, rule.FailedCheckResult("The connection timeout is not set to a valid value (< 5m).", rule.NewTarget()))
checkResults = append(checkResults, rule.FailedCheckResult("The connection timeout is set to a not allowed value (< 5m).", rule.NewTarget()))

pkg/provider/garden/ruleset/securityhardenedshoot/rules/2005.go Outdated
checkResults = append(checkResults, rule.PassedCheckResult("The connection timeout is set to the reccomended value (5m).", rule.NewTarget()))
} else {
timeoutDuration := *shoot.Spec.Kubernetes.Kubelet.StreamingConnectionIdleTimeout
switch {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This switch can be reused as a function that accepts the timeout duration and the target. The function can return a single check result.

pkg/provider/garden/ruleset/securityhardenedshoot/rules/2005.go Outdated
case timeoutDuration.Minutes() < 5:
checkResults = append(checkResults, rule.FailedCheckResult("The connection timeout is not set to a valid value (< 5m).", rule.NewTarget()))
case timeoutDuration.Minutes() == 5:
checkResults = append(checkResults, rule.PassedCheckResult("The connection timeout is set to the reccomended value (5m).", rule.NewTarget()))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
checkResults = append(checkResults, rule.PassedCheckResult("The connection timeout is set to the reccomended value (5m).", rule.NewTarget()))
checkResults = append(checkResults, rule.PassedCheckResult("The connection timeout is set to the recommended value (5m).", rule.NewTarget()))

pkg/provider/garden/ruleset/securityhardenedshoot/rules/2005.go Outdated
} else {
timeoutDuration := *shoot.Spec.Kubernetes.Kubelet.StreamingConnectionIdleTimeout
switch {
case timeoutDuration.Minutes() < 5:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
case timeoutDuration.Minutes() < 5:
case timeoutDuration < 5*time.Minute:

pkg/provider/garden/ruleset/securityhardenedshoot/rules/2005.go Outdated
checkResults = append(checkResults, rule.FailedCheckResult("The connection timeout is not set to a valid value (< 5m).", rule.NewTarget()))
case timeoutDuration.Minutes() == 5:
checkResults = append(checkResults, rule.PassedCheckResult("The connection timeout is set to the reccomended value (5m).", rule.NewTarget()))
case timeoutDuration.Hours() <= 4:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
case timeoutDuration.Hours() <= 4:
case timeoutDuration <= 4*time.Hour:

pkg/provider/garden/ruleset/securityhardenedshoot/rules/2005.go Outdated
case timeoutDuration.Minutes() == 5:
checkResults = append(checkResults, rule.PassedCheckResult("The connection timeout is set to the reccomended value (5m).", rule.NewTarget()))
case timeoutDuration.Hours() <= 4:
checkResults = append(checkResults, rule.PassedCheckResult("The connection timeout is set to a valid value ([5m; 4h]).", rule.NewTarget()))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
checkResults = append(checkResults, rule.PassedCheckResult("The connection timeout is set to a valid value ([5m; 4h]).", rule.NewTarget()))
checkResults = append(checkResults, rule.PassedCheckResult("The connection timeout is set to an allowed, but not recommended value (should be 5m).", rule.NewTarget()))

pkg/provider/garden/ruleset/securityhardenedshoot/rules/2005.go Outdated
var checkResults = []rule.CheckResult{}

if shoot.Spec.Kubernetes.Kubelet == nil || shoot.Spec.Kubernetes.Kubelet.StreamingConnectionIdleTimeout == nil {
checkResults = append(checkResults, rule.PassedCheckResult("The connection timeout is set to the reccomended value (5m).", rule.NewTarget()))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
checkResults = append(checkResults, rule.PassedCheckResult("The connection timeout is set to the reccomended value (5m).", rule.NewTarget()))
checkResults = append(checkResults, rule.PassedCheckResult("The connection timeout is not set and therefore will be defaulted to the recommended value (5m).", rule.NewTarget()))

@gardener-robot gardener-robot added the needs/changes Needs (more) changes label Nov 18, 2024
@gardener-robot-ci-1 gardener-robot-ci-1 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Nov 19, 2024
@gardener-robot-ci-3 gardener-robot-ci-3 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Nov 19, 2024
dimityrmirchev
dimityrmirchev requested changes Nov 19, 2024
View reviewed changes
pkg/provider/garden/ruleset/securityhardenedshoot/rules/2005.go Outdated
return rule.Result(r, checkResults...), nil
}

func evaluateTimeoutDuration(timeoutDuration metav1.Duration, target rule.Target) rule.CheckResult {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please move this function definition in the Run func so we do not pollute the whole package.

pkg/provider/garden/ruleset/securityhardenedshoot/rules/2005.go Outdated
case timeoutDuration.Duration <= 4*time.Hour:
return rule.PassedCheckResult("The connection timeout is set to an allowed, but not recommended value (should be 5m).", target)
default:
return rule.FailedCheckResult("The connection timeout is not set to a valid value (> 4h).", target)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return rule.FailedCheckResult("The connection timeout is not set to a valid value (> 4h).", target)
return rule.FailedCheckResult("The connection timeout is not set to an allowed value (> 4h).", target)

pkg/provider/garden/ruleset/securityhardenedshoot/rules/2005.go Outdated
case timeoutDuration.Duration < 5*time.Minute:
return rule.FailedCheckResult("The connection timeout is set to a not allowed value (< 5m).", target)
case timeoutDuration.Duration == 5*time.Minute:
return rule.PassedCheckResult("The connection timeout is set to the reccomended value (5m).", target)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return rule.PassedCheckResult("The connection timeout is set to the reccomended value (5m).", target)
return rule.PassedCheckResult("The connection timeout is set to the recommended value (5m).", target)

@gardener-robot-ci-1 gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Nov 19, 2024
@gardener-robot-ci-2 gardener-robot-ci-2 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Nov 19, 2024
dimityrmirchev
dimityrmirchev reviewed Nov 19, 2024
View reviewed changes
pkg/provider/garden/ruleset/securityhardenedshoot/rules/2005.go Outdated
case timeoutDuration.Duration <= 4*time.Hour:
return rule.PassedCheckResult("The connection timeout is set to an allowed, but not recommended value (should be 5m).", target)
default:
return rule.FailedCheckResult("The connection timeout is not set to an allowed value (> 4h).", target)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return rule.FailedCheckResult("The connection timeout is not set to an allowed value (> 4h).", target)
return rule.FailedCheckResult("The connection timeout is set to a not allowed value (> 4h).", target)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just saw that we use the following wording when the duration is <5m. Let's make this the same across the two cases.

@gardener-robot-ci-1 gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Nov 19, 2024
@gardener-robot-ci-2 gardener-robot-ci-2 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Nov 19, 2024
@gardener-robot-ci-2 gardener-robot-ci-2 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Nov 19, 2024
AleksandarSavchev
AleksandarSavchev requested changes Nov 19, 2024
View reviewed changes
Copy link
Member

@AleksandarSavchev AleksandarSavchev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Just one nit.

pkg/provider/garden/ruleset/securityhardenedshoot/rules/2005.go Outdated
}

var (
checkResults = []rule.CheckResult{}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
checkResults = []rule.CheckResult{}
checkResults []rule.CheckResult

@gardener-robot-ci-3 gardener-robot-ci-3 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Nov 19, 2024
AleksandarSavchev
AleksandarSavchev approved these changes Nov 19, 2024
View reviewed changes
Copy link
Member

@AleksandarSavchev AleksandarSavchev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@gardener-robot gardener-robot added reviewed/lgtm Has approval for merging and removed needs/changes Needs (more) changes needs/review Needs review labels Nov 19, 2024
@gardener-robot-ci-1 gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Nov 19, 2024
dimityrmirchev
dimityrmirchev approved these changes Nov 19, 2024
View reviewed changes
Copy link
Member

@dimityrmirchev dimityrmirchev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@dimityrmirchev dimityrmirchev merged commit dbceeac into gardener:main Nov 19, 2024
9 checks passed
@gardener-robot gardener-robot added the status/closed Issue is closed (either delivered or triaged) label Nov 19, 2024
@AleksandarSavchev AleksandarSavchev mentioned this pull request Nov 20, 2024
Closed
13 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dimityrmirchev dimityrmirchev dimityrmirchev approved these changes

@AleksandarSavchev AleksandarSavchev AleksandarSavchev approved these changes

Assignees
No one assigned
Labels
needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) reviewed/lgtm Has approval for merging reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) size/m Size of pull request is medium (see gardener-robot robot/bots/size.py) status/closed Issue is closed (either delivered or triaged)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@georgibaltiev @dimityrmirchev @AleksandarSavchev @gardener-robot-ci-1 @gardener-robot-ci-2 @gardener-robot-ci-3 @gardener-robot