Releases: gardener/diki

v0.25.0

12 Mar 15:20

[github.com/gardener/diki:v0.25.0]

⚠️ Breaking Changes

  • [USER] Diki no longer supports version V2R3 of the DISA STIG ruleset. by @georgibaltiev [#681]

✨ New Features

  • [USER] Diki now supports version V2R5 of the DISA STIG ruleset. by @georgibaltiev [#681]
  • [USER] A document describing Diki's minimal required permissions has been added for the end users. by @georgibaltiev [#677]

📖 Documentation

  • [USER] Diki's documentation and configuration files now use version V2R5 of the DISA STIG ruleset. by @georgibaltiev [#686]

Container (OCI) Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.25.0
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.25.0

v0.24.0

09 Jan 12:39

[github.com/gardener/diki:v0.24.0]

🐛 Bug Fixes

  • [USER] A bug causing GitHub Actions to incorrectly target diki-ops builder for diki images was fixed. Affected versions with misnamed images are: v0.19.x, v0.20.x, v0.21.x, v0.22.x and v0.23.x. by @AleksandarSavchev [#669]

Container (OCI) Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.24.0
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.24.0

v0.23.0

09 Jan 11:18

[github.com/gardener/diki:v0.23.0]

🐛 Bug Fixes

  • [USER] A bug causing GitHub Actions to incorrectly target diki-ops builder for diki images was fixed. Affected versions with misnamed images are: v0.19.x, v0.20.x, v0.21.x and v0.22.x. by @AleksandarSavchev [#668]
  • [USER] The Renovate bot's configuration file has been updated to match the current pipeline definitions. by @georgibaltiev [#661]

Container (OCI) Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.23.0
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.23.0

v0.22.0

11 Dec 13:09

[github.com/gardener/diki:v0.22.0]

✨ New Features

  • [USER] The diki run command can be executed without specifying a run configuration when the provider is set to managedk8s. by @georgibaltiev [#620]
  • [USER] [Rule 2000 of the Security Hardened Kubernetes Cluster ruleset] Namespaces marked for deletion without any pods will be marked as Warning findings instead of Failed. by @georgibaltiev [#642]

🐛 Bug Fixes

  • [USER] A bug causing Rule 1001 from Security Hardened Shoot Cluster guide to panic when target NamespacedCloudProfile has .spec.kubernetes field equal to nil was fixed. by @AleksandarSavchev [#625]

🏃 Others

  • [DEVELOPER] Replace unmaintained yaml package `gopkg.in/yaml.v3` with `go.yaml.in/yaml/v4`. by @AleksandarSavchev [#633]

Container (OCI) Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.22.0
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.22.0

v0.21.1

23 Oct 13:42

[github.com/gardener/diki:v0.21.1]

🐛 Bug Fixes

  • [USER] A bug causing Rule 1001 from Security Hardened Shoot Cluster guide to panic when target NamespacedCloudProfile has .spec.kubernetes field equal to nil was fixed. by @AleksandarSavchev [#628]

Container (OCI) Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.21.1
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.21.1

v0.21.0

13 Oct 08:33

[github.com/gardener/diki:v0.21.0]

⚠️ Breaking Changes

✨ New Features

Container (OCI) Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.21.0
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.21.0

v0.20.0

01 Oct 13:46

[github.com/gardener/diki:v0.20.0]

⚠️ Breaking Changes

  • [USER] DISA Kubernetes STIG rules 242400, 242442, 242447, 242448, 242451, 242466 and 242467 have their kube-proxy options changed and enhanced to use labelSelectors. Please check example/config/gardener.yaml and example/config/managedk8s.yaml. by @AleksandarSavchev [#595]
  • [USER] The matchLabels and namespaceMatchLabels fields in rule's options are now deprecated in favour of the new labelSelector and namespaceLabelSelector fields. by @AleksandarSavchev [#515]
  • [USER] DISA Kubernetes STIG rules 242414, 242415 and 242417 have their options for selecting Pods changed from acceptedPods[].podMatchLabels to acceptedPods[].matchLabels. by @AleksandarSavchev [#594]

✨ New Features

  • [USER] Rule options from the Security Hardened Kubernetes Ruleset now use labelSelectors to match their accepted resources. by @AleksandarSavchev [#589]
  • [USER] Options of Rules 2003 and 2008 of the Security Hardened Kubernetes ruleset can now configure wildcards for accepted volumes. by @georgibaltiev [#602]
  • [USER] Users of the managedk8s provider can now choose between the option to provide the kubeconfig path in the config file, use the KUBECONFIG env or simply make use of the ServiceAccount token mounted to a Pod. by @TorstenD-SAP [#597]

🐛 Bug Fixes

  • [OPERATOR] Disable CGO for diki executables builds in workflows. This was causing the diki binaries to error in containers using alpine images. by @AleksandarSavchev [#573]
  • [USER] A bug causing the DISA K8s STIG rule 242390 for the managedk8s provider to error when the provided kubeconfig uses a CA file or has insecure skip tls verify has been fixed. by @AleksandarSavchev [#600]
  • [USER] A bug causing Rule 242390 from DISA K8s STIG to not return endpoints with anonymous authentication enabled in check results when options for the rule were not configured has been fixed. by @AleksandarSavchev [#575]
  • [USER] A bug causing the DISA K8s STIG ruleset for the managedk8s provider to error when the provided kubeconfig does not contain CA Data has been fixed. by @AleksandarSavchev [#600]

🏃 Others

  • [USER] Diki now refers to the diki show command when an error caused by a file misconfiguration occurs. by @georgibaltiev [#561]
  • [OPERATOR] Use ubuntu-24.04-arm runner for diki executables builds in workflows. by @AleksandarSavchev [#573]
  • [DEVELOPER] Migrate to tool directive in go.mod file. by @AleksandarSavchev [#576]

Container (OCI) Images

  • diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.20.0
  • diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.20.0

v0.19.2

27 Aug 13:12

[github.com/gardener/diki:v0.19.2]

🐛 Bug Fixes

  • [OPERATOR] Disable CGO for diki executables builds in workflows. This was causing the diki binaries to error in containers using alpine images. by @AleksandarSavchev [#574]

🏃 Others

  • [OPERATOR] Use ubuntu-24.04-arm runner for diki executables builds in workflows. by @AleksandarSavchev [#574]

v0.19.1

27 Aug 09:10

release v0.19.1

v0.19.0

25 Aug 14:25

[github.com/gardener/diki:v0.19.0]

✨ New Features

  • [USER] Rules 242390 of the DISA STIG ruleset and 2000 of the Security Hardened Shoot Cluster ruleset now support options to exempt specific endpoints from disabling their anonymous authentication. by @georgibaltiev [#544]
  • [DEVELOPER] make check now also checks for typos and files that contain : in their names. by @AleksandarSavchev [#553]
  • [USER] Users can now configure a list of expected images that could have multiple versions for Rule 242442 of the DISA STIG ruleset. Any image finding that is listed in the configuration will be described as a Warning. by @georgibaltiev [#543]
  • [USER] All Diki rulesets now validate their configured options with error messages that contain absolute paths to the bad/invalid values. by @georgibaltiev [#557]

🏃 Others

  • [OPERATOR] Test results are now exported as inlined ocm-resource. by @heldkat [#540]
  • [DEVELOPER] migrate CICD-pipelines to GitHub-Actions by @ccwienk [#524]