
🧹 merge k8s incident response pack into a single pack (#61)
Also extended the pack to handle all workload types

Signed-off-by: Ivan Milchev <[email protected]>
imilchev authored May 4, 2023
1 parent 8b8f4e6 commit 80b3b04
Showing 2 changed files with 497 additions and 120 deletions.
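--- /dev/null
+++ b/core/deprecated-mondoo-kubernetes-incident-response.mql.yaml
@@ -0,0 +1,141 @@
+packs:
+- uid: mondoo-kubernetes-cluster-incident-response
+name: Kubernetes Cluster Incident Response Pack
+version: 1.0.0
+authors:
+- name: Mondoo, Inc
+email: [email protected]
+tags:
+mondoo.com/platform: kubernetes,k8s # remove k8s when v9 is released
+mondoo.com/category: security
+mondoo.com/state: deprecated
+filters:
+- asset.platform == "kubernetes" || asset.platform == "k8s-cluster"
+queries:
+- uid: k8s-cluster-version
+title: Retrieve Kubernetes Cluster Version
+query: |
+k8s.serverVersion
+- uid: role-bindings-with-cluster-admin-permissions
+title: Retrieve role bindings with cluster-admin permissions
+query: |
+k8s.rolebindings.where(roleRef["kind"] == "ClusterRole" && roleRef["name"] == "cluster-admin") {
+name
+namespace
+subjects
+roleRef
+}
+- uid: clusterrole-bindings-with-cluster-admin-permissions
+title: Retrieve ClusterRoleBindings with cluster-admin permissions
+query: |
+k8s.clusterrolebindings.where(roleRef["kind"] == "ClusterRole" && roleRef["name"] == "cluster-admin") {
+name
+subjects
+roleRef
+}
+- uid: mondoo-kubernetes-pods-incident-response
+name: Kubernetes Pods Incident Response Pack
+version: 1.0.0
+authors:
+- name: Mondoo, Inc
+email: [email protected]
+tags:
+mondoo.com/platform: kubernetes,k8s # remove k8s when v9 is released
+mondoo.com/category: security
+mondoo.com/state: deprecated
+filters:
+- asset.platform == "k8s-pod"
+queries:
+- uid: k8s-pod-security-context
+title: Retrieve Pods' Security Context
+query: |
+k8s.pod {
+ephemeralContainers {
+securityContext
+}
+initContainers {
+securityContext
+}
+containers {
+securityContext
+}
+}
+- uid: k8s-pod-container
+title: Retrieve container image information
+tags:
+mondoo.com/platform: kubernetes
+mondoo.com/category: security
+query: |
+k8s.pod {
+name
+namespace
+initContainers {
+image
+containerImage {
+name
+identifier
+identifierType
+repository {
+name
+registry
+}
+}
+}
+containers {
+image
+containerImage {
+name
+identifier
+identifierType
+repository {
+name
+registry
+}
+}
+}
+ephemeralContainers {
+image
+containerImage {
+name
+identifier
+identifierType
+repository {
+name
+registry
+}
+}
+}
+podSpec["nodeName"]
+}
+- uid: mondoo-kubernetes-cronjobs-incident-response
+name: Kubernetes CronJobs Incident Response Pack
+version: 1.0.0
+authors:
+- name: Mondoo, Inc
+email: [email protected]
+tags:
+mondoo.com/platform: kubernetes,k8s # remove k8s when v9 is released
+mondoo.com/category: security
+mondoo.com/state: deprecated
+filters:
+- asset.platform == "k8s-cronjob"
+queries:
+- uid: k8s-cronjobs
+title: Retrieve CronJobs
+query: |
+k8s.cronjob {
+name
+namespace
+containers {
+image
+containerImage {
+name
+identifier
+identifierType
+repository {
+name
+registry
+}
+}
+}
+}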
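Review bot: The two cluster-admin queries (`role-bindings-with-cluster-admin-permissions` and `clusterrole-bindings-with-cluster-admin-permissions`) match only bindings whose roleRef is literally the `cluster-admin` ClusterRole, so a binding to a custom ClusterRole with wildcard `*` rules, or a subject placed in the `system:masters` group, which bypasses RBAC entirely, is not surfaced during a response. The RoleBinding variant is also namespace-scoped, so its title "with cluster-admin permissions" overstates what a hit means. Since this file is the deprecated copy and the same queries presumably carry into the merged pack (not visible here), a caveat on both query titles would help responders, e.g. `# NOTE: only bindings that reference the built-in cluster-admin ClusterRole; custom wildcard ClusterRoles and system:masters members are not listed here`. The pod and cronjob image queries read `image` plus `containerImage.identifier`; it is unclear from this file whether `identifier` resolves the running digest or the declared tag, and for forensics the digest of the image that actually ran is what matters, so that distinction is worth stating in the query title as well.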
