
Releases: gardener/diki

v0.22.0

11 Dec 13:09


[github.com/gardener/diki:v0.22.0]

✨ New Features

  • [USER] The diki run command can be executed without specifying a run configuration when the provider is set to managedk8s. by @georgibaltiev [#620]
  • [USER] [Rule 2000 of the Security Hardened Kubernetes Cluster ruleset] Namespaces marked for deletion without any pods will be marked as Warning findings instead of Failed by @georgibaltiev [#642]

🐛 Bug Fixes

  • [USER] A bug causing Rule 1001 from the Security Hardened Shoot Cluster guide to panic when the target NamespacedCloudProfile has its .spec.kubernetes field equal to nil was fixed. by @AleksandarSavchev [#625]

🏃 Others

  • [DEVELOPER] Replace the unmaintained yaml package `gopkg.in/yaml.v3` with `go.yaml.in/yaml/v4`. by @AleksandarSavchev [#633]

Container (OCI) Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.22.0
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.22.0

v0.21.1

23 Oct 13:42


[github.com/gardener/diki:v0.21.1]

🐛 Bug Fixes

  • [USER] A bug causing Rule 1001 from the Security Hardened Shoot Cluster guide to panic when the target NamespacedCloudProfile has its .spec.kubernetes field equal to nil was fixed. by @AleksandarSavchev [#628]

Container (OCI) Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.21.1
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.21.1

v0.21.0

13 Oct 08:33


[github.com/gardener/diki:v0.21.0]

⚠️ Breaking Changes

✨ New Features

Container (OCI) Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.21.0
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.21.0

v0.20.0

01 Oct 13:46


[github.com/gardener/diki:v0.20.0]

⚠️ Breaking Changes

  • [USER] DISA Kubernetes STIG rules 242400, 242442, 242447, 242448, 242451, 242466 and 242467 have their kube-proxy options changed and enhanced to use labelSelectors. Please check example/config/gardener.yaml and example/config/managedk8s.yaml. by @AleksandarSavchev [#595]
  • [USER] The matchLabels and namespaceMatchLabels fields in rule options are now deprecated in favour of the new labelSelector and namespaceLabelSelector fields. by @AleksandarSavchev [#515]
  • [USER] DISA Kubernetes STIG rules 242414, 242415 and 242417 have their options for selecting Pods changed from acceptedPods[].podMatchLabels to acceptedPods[].matchLabels. by @AleksandarSavchev [#594]

✨ New Features

  • [USER] Rule options from the Security Hardened Kubernetes Ruleset now use labelSelectors to match their accepted resources. by @AleksandarSavchev [#589]
  • [USER] Options of Rules 2003 and 2008 of the Security Hardened Kubernetes ruleset can now configure wildcards for accepted volumes. by @georgibaltiev [#602]
  • [USER] Users of the managedk8s provider can now choose between providing the kubeconfig path in the config file, using the KUBECONFIG environment variable, or simply using the ServiceAccount token mounted into a Pod. by @TorstenD-SAP [#597]

🐛 Bug Fixes

  • [OPERATOR] Disable CGO for diki executable builds in workflows. CGO was causing the diki binaries to error in containers based on alpine images. by @AleksandarSavchev [#573]
  • [USER] A bug causing the DISA K8s STIG rule 242390 for the managedk8s provider to error when the provided kubeconfig uses a CA file or has insecure-skip-tls-verify set has been fixed. by @AleksandarSavchev [#600]
  • [USER] A bug causing Rule 242390 from DISA K8s STIG to not return endpoints with anonymous authentication enabled in check results when options for the rule were not configured has been fixed. by @AleksandarSavchev [#575]
  • [USER] A bug causing the DISA K8s STIG ruleset for the managedk8s provider to error when the provided kubeconfig does not contain CA Data has been fixed. by @AleksandarSavchev [#600]

🏃 Others

  • [USER] Diki now refers to the diki show command when an error caused by a file misconfiguration occurs. by @georgibaltiev [#561]
  • [OPERATOR] Use the ubuntu-24.04-arm runner for diki executable builds in workflows. by @AleksandarSavchev [#573]
  • [DEVELOPER] Migrate to the tool directive in the go.mod file. by @AleksandarSavchev [#576]

Container (OCI) Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.20.0
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.20.0

v0.19.2

27 Aug 13:12


[github.com/gardener/diki:v0.19.2]

🐛 Bug Fixes

  • [OPERATOR] Disable CGO for diki executable builds in workflows. CGO was causing the diki binaries to error in containers based on alpine images. by @AleksandarSavchev [#574]

🏃 Others

  • [OPERATOR] Use the ubuntu-24.04-arm runner for diki executable builds in workflows. by @AleksandarSavchev [#574]

v0.19.1

27 Aug 09:10


release v0.19.1

v0.19.0

25 Aug 14:25


[github.com/gardener/diki:v0.19.0]

✨ New Features

  • [USER] Rules 242390 of the DISA STIG ruleset and 2000 of the Security Hardened Shoot Cluster ruleset now support options to exempt specific endpoints from disabling their anonymous authentication. by @georgibaltiev [#544]
  • [DEVELOPER] make check now also checks for typos and for files that contain a colon (:) in their names. by @AleksandarSavchev [#553]
  • [USER] Users can now configure a list of expected images that could have multiple versions for Rule 242442 of the DISA STIG ruleset. Any image finding that is listed in the configuration will be described as a Warning. by @georgibaltiev [#543]
  • [USER] All Diki rulesets now validate their configured options with error messages that contain absolute paths to the bad/invalid values. by @georgibaltiev [#557]

🏃 Others

  • [OPERATOR] Test results are now exported as inlined ocm-resource. by @heldkat [#540]
  • [DEVELOPER] Migrate CI/CD pipelines to GitHub Actions. by @ccwienk [#524]

v0.18.0

17 Jul 09:56


[gardener/diki]

✨ New Features

  • [USER] All Diki rules now return checkResults with stable values in targets. by @georgibaltiev [#530]

🏃 Others

  • [USER] Rule 2000 of the Security Hardened Shoot Cluster ruleset now checks the StructuredAuthentication ConfigMap for anonymous authentication by @georgibaltiev [#510]
  • [USER] Rule 242390 of the DISA Kubernetes STIG ruleset now checks the StructuredAuthentication ConfigMap for anonymous authentication by @georgibaltiev [#510]
  • [USER] Rule 2005 of the Security Hardened Kubernetes Cluster ruleset now warns when an ImageID of a container is empty. by @georgibaltiev [#518]
  • [USER] Diki no longer supports selecting etcd-main & etcd-events pods by the removed instance label from etcd-druid. by @georgibaltiev [#533]
  • [USER] Rule 242442 of the DISA STIG ruleset now warns when an ImageID of a container is empty. by @georgibaltiev [#518]

Container (OCI) Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.18.0
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.18.0

v0.17.0

10 Jun 07:57


[gardener/diki]

✨ New Features

  • [USER] Rule options have been added to Rule 2002 from the security-hardened-k8s. by @AleksandarSavchev [#503]

🐛 Bug Fixes

  • [USER] Rule 242442 now returns a more specific error message when parsing an empty imageID. by @georgibaltiev [#499]
  • [USER] A bug causing diki pods to appear in Failed rule checks has been fixed. by @AleksandarSavchev [#509]

Container (OCI) Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.17.0
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.17.0

v0.16.0

22 May 08:34


[gardener/diki]

⚠️ Breaking Changes

  • [USER] Diki no longer supports DISA Kubernetes STIG version v2r1 by @AleksandarSavchev [#480]
  • [USER] A bug where logs from controller-runtime clients caused runtime errors has been fixed. by @AleksandarSavchev [#495]

✨ New Features

  • [USER] [Security Hardened Kubernetes Cluster Ruleset] Rule 2000 now explicitly checks for a NetworkPolicy that allows all traffic in a specific namespace by @georgibaltiev [#486]
  • [USER] Diki now supports DISA Kubernetes STIG version v2r3 by @AleksandarSavchev [#480]
  • [USER] DISA STIG rule 242459 now checks for file permissions of 644 or more restrictive; for files in the /etcd/data directory it expects 600 permissions. by @AleksandarSavchev [#481]
  • [USER] Rule 1003 from the security-hardened-shoot-cluster ruleset for provider garden now checks whether the Lakom extension is enabled, starting from version v0.2.1. by @AleksandarSavchev [#471]
  • [USER] Rule 1003 from the security-hardened-shoot-cluster ruleset for provider garden can now be configured with an allowed list of Lakom scopes, starting from version v0.2.1. by @AleksandarSavchev [#471]

🏃 Others

  • [USER] Rule 1001 from the security-hardened-shoot-cluster ruleset for provider garden now has its severity downgraded from HIGH to MEDIUM, starting from version v0.2.1. by @AleksandarSavchev [#473]
  • [USER] Rule 1002 from the security-hardened-shoot-cluster ruleset for provider garden now has its severity downgraded from HIGH to MEDIUM, starting from version v0.2.1. by @AleksandarSavchev [#473]

Container (OCI) Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.16.0
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.16.0