mondoo-operator

command module
v0.2.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 29, 2022 License: Apache-2.0 Imports: 13 Imported by: 0

README

Mondoo Operator for Kubernetes

CI License

Project Status: This project is currently in Early-Access. The API and CRD may change.

Overview

The Mondoo Operator provides a new Kubernetes native way to do a security assessment of your whole Kubernetes Cluster. The purpose of this project is to simplify and automate the configuration for a Mondoo-based security assessment for Kubernetes clusters.

The Mondoo Operator provides the following features:

  • Continuous validation of deployed workloads
  • Continuous validation of Kubernetes nodes without privileged access
  • Admission Controller (coming soon)

It is backed by Mondoo's powerful Policy-as-Code the Mondoo Query Language (MQL). Mondoo ships out-of-the-box security policies for Kubernetes:

  • CIS Kubernetes Benchmark
  • Kubernetes Application Benchmark
           ┌─────────────────────────────────────────────────────────────────┐
           │                       Kubernetes Cluster                        │
           │┌───┐    ┌────────────────────────┐ ┌ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┐│
           ││   │   ┌┴───────────────────────┐│           DaemonSet          │
           ││   ├──▶│      Application       ├┘ │┌─────────────────────────┐││
           ││   │   └────────────────────────┘   │┌─────────────────┐      │ │
           ││   │                ▲              │││Mondoo Client Pod│ Nodes│││
           ││   │   ┌────────────┴───────────┐   │└─────────────────┘      │ │
┌────────┐ ││   │   │┌──────────────────────┐│  │└─────────────────────────┘││
│        │ ││   │ ┌─▶│  Validating Webhook  ││                               │
│Pipeline│─▶│API│─┘ │└──────────────────────┘│  │                           ││
│        │ ││   │   │                        │   ┌─────────────────────────┐ │
└────────┘ ││   │   │K8s Admission Controller│  ││┌─────────────────┐      │││
           ││   │   └────────────────────────┘   ││Mondoo Client Pod│ Nodes│ │
           ││   │                │              ││└─────────────────┘      │││
           ││   │                ▼               └─────────┬───────────────┘ │
           ││   │       ┌─────────────────┐     │          │                ││
           ││   ◀───────│Mondoo Client Pod│                │                 │
           │└───┘       └─────────────────┘     └ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ─ ┘│
           └─────────────────────┬─────────────────────────┼─────────────────┘
           ┌─────────────────────▼─────────────────────────▼─────────────────┐
           │               Mondoo Platform (Policies, Reports)               │
           └─────────────────────────────────────────────────────────────────┘

Getting Started

The Mondoo Operator can be installed via different methods depending on your Kubernetes workflow:

Tested Kubernetes Environments

The following Kubernetes environments are tested:

  • AWS EKS 1.21
  • Azure AKS 1.21
  • GCP GKE 1.21 and 1.22
  • Minikube
  • K3S

Documentation

Please see the docs directory for more in-depth information.

Contributing

Many files (documentation, manifests, ...) are auto-generated. Before proposing a pull request:

  1. Commit your changes.
  2. Run make generate and make test.
  3. Commit the generated changes.

Security

If you find a security vulnerability related to the Mondoo Operator, please do not report it by opening a GitHub issue. Instead, send an e-mail to security@mondoo.com

License

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Documentation

The Go Gopher

There is no documentation for this package.

Directories

Path Synopsis
api
v1alpha1
Package v1alpha1 contains API Schema definitions for the k8s v1alpha1 API group +kubebuilder:object:generate=true +groupName=k8s.mondoo.com
Package v1alpha1 contains API Schema definitions for the k8s v1alpha1 API group +kubebuilder:object:generate=true +groupName=k8s.mondoo.com
pkg

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL