Releases: gardener/diki
Releases · gardener/diki
v0.3.0
[gardener/diki]
✨ New Features
[USER]Added new optionacceptedPodsto DISA Kubernetes STIGS242415rule which allows the user to configure environment variables for selected pods to be accepted. by @AleksandarSavchev [#61][USER]Added new optionexpectedFileOwnerto DISA Kubernetes STIGSpod-filesrule which allows the user to select whichusersandgroupsare expected. The options defaults to expecting only ID0forusersandgroups. by @AleksandarSavchev [#52][USER]Diki now supports DISA Kubernetes STIG versionv1r11. by @dimityrmirchev [#65][DEVELOPER]Diki now has a basic implementation of a virtual garden provider. by @dimityrmirchev [#71]
🐛 Bug Fixes
[USER]DISA Kubernetes STIGspod-filesrule now expects0640permission setting for*.keyfiles of mandatory components. This change improves the242467rule which requires0600permissions for such files.0600is not enforced since k8s does not provide an easy way to change the owner of a file and containers are expected to run as nonroot. by @AleksandarSavchev [#60][USER]A bug causing rule242414to crash when no options for the rule were set was fixed. by @AleksandarSavchev [#61][USER]DISA Kubernetes STIGs Kubelet rules now createsdikipods only on nodes with free allocatable space. by @AleksandarSavchev [#59]
🏃 Others
[USER]DISA Kubernetes STIGs242442rule no longer checks shoot pods that are not managed by Gardener. by @AleksandarSavchev [#56][DEPENDENCY]Upgraded diki base image: gcr.io/distroless/static-debian11 -> gcr.io/distroless/static-debian12 by @AleksandarSavchev [#91]
[gardener/ops-toolbelt]
✨ New Features
[OPERATOR]Added an installer script to install etcdctl on demand whenever needed by @aaronfern [gardener/ops-toolbelt#96]
🏃 Others
[OPERATOR]Changed the defaultops-toolbeltcontainer image toeu.gcr.io/sap-se-gcr-k8s-public/eu_gcr_io/gardener-project/gardener/ops-toolbelt:latestby @tedteng [gardener/ops-toolbelt#95]
Docker Images
- diki-linux-amd64:
eu.gcr.io/gardener-project/gardener/diki:v0.3.0 - diki-ops-linux-amd64:
eu.gcr.io/gardener-project/gardener/diki-ops:v0.3.0
Contributors
dimityrmirchev, tedteng, and 2 other contributors
Assets 8
v0.2.0
[gardener/diki]
✨ New Features
[USER]Metadata and providers are now sorted when generating a report in order to improve consistency and readability. by @dimityrmirchev [#37][USER]DISA Kubernetes STIGspod-filesrule now passes files with owner and/or group ID65532. by @AleksandarSavchev [#48]
🏃 Others
[USER]Error messages when encountering pod timeouts while waiting for the pod to reach healthy state were improved. by @AleksandarSavchev [#38][USER]DISA Kubernetes STIGSpod-filesrule now checks only 1 pod per owner reference group. by @AleksandarSavchev [#43][USER]DISA Kubernetes STIGS242436rule now fails when thekube-apiserverflagdisable-admission-pluginsis set toValidatingAdmissionWebhook. by @AleksandarSavchev [#45][USER]DISA Kubernetes STIGSpod-filesrule now checks only files with paths part of thevolumeMountsfor the specific container. It also excludes directories of no interest like/var/log/journal. by @AleksandarSavchev [#39][DEPENDENCY]Diki is now built using go version1.21.2. by @dimityrmirchev [#44][DEPENDENCY]Update go version to1.21.1. by @AleksandarSavchev [#36][DEPENDENCY]Diki is now built using go version1.21.3. by @dimityrmirchev [#50]
[gardener/ops-toolbelt]
🏃 Others
[USER]Bumped cli versions:- kubectl ->
v1.26.9 - nerdctl ->
1.6.0by @petersutter [gardener/ops-toolbelt#93]
- kubectl ->
Contributors
petersutter, dimityrmirchev, and AleksandarSavchev
Assets 8
v0.1.0
[gardener/diki]
✨ New Features
[USER]Diki can now run DISA Kubernetes STIG versionv1r10ruleset. by @AleksandarSavchev [#34][USER]It is now possible to print version details about the diki binary by runningdiki version. by @dimityrmirchev [#16][USER]Thediki reportcommand can now be used to merge multiple reports into a single report by setting the--distinct-byflag. by @AleksandarSavchev [#10][USER]ETCDpeer options rules242380,242426,242432and242433are now skipped whenETCDruns as a single instance. by @AleksandarSavchev [#3][DEVELOPER]It is now possible to builddikibinaries for different platforms by runningmake build. by @dimityrmirchev [#19]
🐛 Bug Fixes
[USER]A bug causing file permission checks to be incorrect has been fixed. by @AleksandarSavchev [#25][USER]A bug causing rule242394to error when it should pass was fixed. by @AleksandarSavchev [#2][USER]A bug causing rule242393to pass with wrong message was fixed. by @AleksandarSavchev [#2]
🏃 Others
[USER]Selecting accepted pods for rule242414in the config file has been changed to use pod and namespace label selectors instead of name prefixes. by @AleksandarSavchev [#12]
Contributors
dimityrmirchev and AleksandarSavchev