draft: Convert k8s policies to v2, and fix many bugs #2466
Closed
shimonp21 wants to merge 1 commit into cloudquery:main from shimonp21:policy_draft
Conversation
- fixed many issues of duplicate rows. Each resource tested must have a single line in the output (but if our SELECT query joins with subtables, each resource may have many rows... ).
- removed `endpoint_api_serve_on_secure_port`. The check tested that the k8s-api was served on port 6443 or 443. But obviously the port number has very little to do with security. NSA-CISA [page 18], of course, doesn't specify that these must be the port numbers; e.g. minikube uses port 8443 instead of 6443. The check also tested the port 'name', but that of course also doesn't necessarily indicate the actual protocol used...
- fixed `default_deny_ingress` and `default_deny_egress` policies to actually work (they always returned fail until now). Also deleted `default_dont_allow_ingress` and `default_dont_deny_egress`, since they seem to be duplicates of the `deny` policy?

https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF
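One way to evaluate the default-deny checks the description says were fixed, as an added example that is not CloudQuery's own policy SQL: it reports exactly one row per namespace no matter how many NetworkPolicy objects the namespace holds, and it applies the Kubernetes rule that a missing `policyTypes` means Ingress only. Field names follow the Kubernetes NetworkPolicy API; the policy objects are constructed sample input, and `check_namespaces` is a hypothetical helper.

```python
"""Report, per namespace, whether a default-deny NetworkPolicy exists for
ingress and for egress. Constructed example; not CloudQuery's policy code."""
from collections import defaultdict


def _selects_all_pods(selector):
    # An empty podSelector ({} or absent) matches every pod in the namespace.
    selector = selector or {}
    return not selector.get("matchLabels") and not selector.get("matchExpressions")


def _policy_types(spec):
    # Kubernetes defaults policyTypes to ["Ingress"], adding "Egress" only when
    # egress rules are present; an explicit list is taken as given.
    explicit = spec.get("policyTypes")
    if explicit:
        return set(explicit)
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def is_default_deny(policy, direction):
    """True if the policy selects all pods and allows nothing for `direction`
    ("Ingress" or "Egress"). A single empty rule ({}) allows everything."""
    spec = policy.get("spec", {})
    if not _selects_all_pods(spec.get("podSelector")):
        return False
    if direction not in _policy_types(spec):
        return False
    return not spec.get(direction.lower())


def check_namespaces(namespaces, policies):
    """One row per namespace: (name, default_deny_ingress, default_deny_egress)."""
    found = defaultdict(lambda: {"Ingress": False, "Egress": False})
    for policy in policies:
        ns = policy["metadata"]["namespace"]
        for direction in ("Ingress", "Egress"):
            if is_default_deny(policy, direction):
                found[ns][direction] = True
    return [(ns, found[ns]["Ingress"], found[ns]["Egress"]) for ns in namespaces]


# Constructed sample policies (not from any real cluster).
SAMPLE_POLICIES = [
    {"metadata": {"name": "deny-all", "namespace": "prod"},       # denies both ways
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"metadata": {"name": "allow-web", "namespace": "prod"},      # must not add a 2nd row
     "spec": {"podSelector": {"matchLabels": {"app": "web"}},
              "ingress": [{"ports": [{"port": 80}]}]}},
    {"metadata": {"name": "deny-ingress", "namespace": "dev"},    # no policyTypes -> Ingress only
     "spec": {"podSelector": {}}},
    {"metadata": {"name": "allow-all", "namespace": "lab"},       # empty rule = allow all
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{}]}},
]
```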
shimonp21 added a commit that referenced this pull request on Oct 6, 2022. Commit message: "[draft for easier reviewing at #2466]", followed by the same text as the PR description above.
shimonp21 (Contributor, Author): merged in #2467
daniel-garcia pushed a commit to infobloxopen/ibcq-source-k8s that referenced this pull request on Feb 24, 2026. Commit message: "[draft for easier reviewing at cloudquery/cloudquery#2466]", followed by the same text as the PR description above.