Implement Garden provider & Security Hardened Shoot Cluster ruleset

[AleksandarSavchev]

What would you like to be added:
A Garden provider that has access to the garden cluster can be implemented:

• Add Garden provider Add Garden provider #305

A new ruleset should also be created for the Garden provider. This ruleset can be named Security Hardened Shoot Cluster which checks targeted Shoot resource by Project and Shoot name. The ruleset should reference DISA K8s STIG rules, which can be checked in the Shoot spec and also add additional rules.

• Add Security Hardened Shoot Cluster ruleset guide Add Security Hardened Shoot Cluster ruleset version v0.1.0  #308

• Implement rules

  • 1000 Shoot clusters should enable required extensions.
  • 2000 Shoot clusters must have anonymous authentication disabled for the Kubernetes API server.
  • 2001 Kubernetes Worker Nodes must have ssh access disabled. Add Rule 2001 to Security Hardened Shoot Ruleset #358
  • 2002 Shoot clusters must not have Alpha APIs enabled for any Kubernetes component. Add Rule 2002 to the Security Hardened Shoot Ruleset #360
  • 2003 Shoot clusters must enable kernel protection for Kubelets. [Security Hardened Shoot Cluster] Rule 2003 implementation #343
  • 2004 Shoot clusters must have ValidatingAdmissionWebhook admission plugin enabled.
  • 2005 Shoot clusters must not disable timeouts for Kubelet.
  • 2006 Shoot clusters must have static token kubeconfig disabled.
  • 2007 Shoot clusters must have a PodSecurity admission plugin configured.

Update usage documentation:

• add new usage documentation for running the Security Hardened Shoot Cluster ruleset

[AleksandarSavchev]

/assign @georgibaltiev