Mondoo Operator for Kubernetes
Project Status: This project is currently in Early-Access. The API and CRD may change.
Overview
The Mondoo Operator provides a new Kubernetes-native way to run a security assessment of your whole Kubernetes cluster. The purpose of this project is to simplify and automate the configuration of a Mondoo-based security assessment for Kubernetes clusters.
The Mondoo Operator provides the following features:
- Continuous validation of deployed workloads
- Continuous validation of Kubernetes nodes without privileged access
- Admission Controller (coming soon)
It is backed by Mondoo's Policy-as-Code engine, the Mondoo Query Language (MQL). Mondoo ships out-of-the-box security policies for Kubernetes:
- CIS Kubernetes Benchmark
- Kubernetes Application Benchmark
[Architecture diagram: a Pipeline deploys an Application through the Kubernetes API. Inside the cluster, the K8s Admission Controller's Validating Webhook calls a Mondoo Client Pod, which returns its verdict to the API. A DaemonSet runs a Mondoo Client Pod on each node. Both the webhook client and the node clients send their results to the Mondoo Platform (Policies, Reports).]
Getting Started
The Mondoo Operator can be installed via different methods depending on your Kubernetes workflow:
Tested Kubernetes Environments
The following Kubernetes environments are tested:
- AWS EKS 1.21
- Azure AKS 1.21
- GCP GKE 1.21 and 1.22
- Minikube
- K3S
Documentation
Please see the docs directory for more in-depth information.
Contributing
Many files (documentation, manifests, ...) are auto-generated. Before proposing a pull request:
- Commit your changes.
- Run make generate and make test.
- Commit the generated changes.
Security
If you find a security vulnerability related to the Mondoo Operator, please do not report it by opening a GitHub issue. Instead, send an e-mail to security@mondoo.com.
License
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.