v0.9.0

[gardener/diki]

✨ New Features

• [USER] The report generate command now accepts a --format flag which determines the output format of the generated report. It can be set to one of html or json. Defaults to html. by @AleksandarSavchev [#249]

Docker Images

• diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.9.0
• diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.9.0

v0.8.0

[gardener/diki]

✨ New Features

• [USER] A new field .args.additionalOpsPodLabels has been added to the gardener, managedk8s and virtual providers. The field contains key value pairs that will be added to the diki ops pods as additional labels. by @AleksandarSavchev [#223]
• [USER] The generated json report summary now contains a dikiVersion containing the release version of Diki. by @AleksandarSavchev [#233]
• [USER] Report metadata can now be added by setting the metadata field in the Diki config file. by @AleksandarSavchev [#235]

🐛 Bug Fixes

• [USER] A bug causing generated html reports to not truncate target path has been fixed. by @AleksandarSavchev [#236]

Docker Images

• diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.8.0
• diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.8.0

v0.7.0

[gardener/diki]

✨ New Features

• [USER] Tailwind CSS classes in HTML reports now have tw- prefix. by @AleksandarSavchev [#211]

🐛 Bug Fixes

• [USER] A bug causing rule 242452 for gardener provider to check seed nodes instead of shoot nodes was fixed. by @AleksandarSavchev [#212]

🏃 Others

• [USER] Rules in html reports are now sorted by rule ID. by @AleksandarSavchev [#216]
• [OPERATOR] diki-ops container image now includes only needed binaries. by @AleksandarSavchev [#215]

Docker Images

• diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.7.0
• diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.7.0

v0.6.1

[gardener/diki]

🐛 Bug Fixes

• [USER] A bug causing rule 242451 validation for managedk8s provider to crash when no file owner options for the rule were set was fixed. by @AleksandarSavchev [#205]

Docker Images

• diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.6.1
• diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.6.1

v0.6.0

[gardener/diki]

⚠️ Breaking Changes

• [USER] The functionality corresponding to the diki report command is now available under the diki report generate command. by @AleksandarSavchev [#164]
• [USER] Setting output.path in the diki configuration file is now deprecated. Users are advised to use the --output flag instead. by @AleksandarSavchev [#194]
• [OPERATOR] Release new diki versions to europe-docker.pkg.dev/gardener-project/releases by @zkdev [#203]

✨ New Features

• [USER] A new command diki report diff was introduced, that creates a json containing the difference between two json outputs from diki run. by @AleksandarSavchev [#164]
• [USER] A new command diki report generate diff that converts one or more json difference reports into a single html difference report was introduced. by @AleksandarSavchev [#199]
• [USER] Rule options are now validated before running ruleset rules. by @AleksandarSavchev [#175]
• [USER] The diki run command now accepts an --output flag. If set diki will write a report summary to the file path location. by @AleksandarSavchev [#194]
• [USER] The commands diki report generate and diki report diff now accept a --output flag that can be used to specify a file where the output report should be written. by @AleksandarSavchev [#164]

🐛 Bug Fixes

• [USER] Virtual Garden provider no longer requires garden kubeconfig to execute rulesets. by @AleksandarSavchev [#173]

Docker Images

• diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.6.0
• diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.6.0

v0.5.0

[gardener/diki]

✨ New Features

• [USER] Rule 242459 from DISA K8s STIG was revisited to expect maximum 0640 permissions instead of 0600. by @AleksandarSavchev [#154]
• [USER] Diki no longer supports DISA Kubernetes STIGs version v1r10. by @AleksandarSavchev [#168]
• [USER] New hack/run.sh script that executes diki run added. The script sets default ldflags if not specified and provides a comprehensive --help message. by @AleksandarSavchev [#120]

Docker Images

• diki-ops: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.5.0
• diki: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.5.0

v0.4.0

[gardener/diki]

⚠️ Breaking Changes

• [DEPENDENCY] The vendor directory was removed in favour of the go mod cache. by @AleksandarSavchev [#105]

✨ New Features

• [USER] Rule 242382 from DISA K8s STIG was revisited to also expect kube-apiserver authorization modes to be set in a specific order. by @AleksandarSavchev [#107]
• [USER] Diki now uses a lighter image for pod executors in DISA K8s STIG V1R11 ruleset by @AleksandarSavchev [#98]

🏃 Others

• [DEPENDENCY] Diki is now built using go version 1.21.6. by @dependabot[bot] [#103]
• [DEPENDENCY] Bump github.com/gardener/gardener to 1.87.0. by @AleksandarSavchev [#105]
• [DEVELOPER] Change OCI Image Registry from GCR (eu.gcr.io/gardener-project) to Artifact-Registry (europe-docker.pkg.dev/gardener-project/releases). Users should update their references.
  by @AleksandarSavchev [#93]

Docker Images

• diki-linux-amd64: europe-docker.pkg.dev/gardener-project/releases/gardener/diki:v0.4.0
• diki-ops-linux-amd64: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops:v0.4.0

v0.3.0

[gardener/diki]

✨ New Features

• [USER] Added new option acceptedPods to DISA Kubernetes STIGS 242415 rule which allows the user to configure environment variables for selected pods to be accepted. by @AleksandarSavchev [#61]
• [USER] Added new option expectedFileOwner to DISA Kubernetes STIGS pod-files rule which allows the user to select which users and groups are expected. The options defaults to expecting only ID 0 for users and groups. by @AleksandarSavchev [#52]
• [USER] Diki now supports DISA Kubernetes STIG version v1r11. by @dimityrmirchev [#65]
• [DEVELOPER] Diki now has a basic implementation of a virtual garden provider. by @dimityrmirchev [#71]

🐛 Bug Fixes

• [USER] DISA Kubernetes STIGs pod-files rule now expects 0640 permission setting for *.key files of mandatory components. This change improves the 242467 rule which requires 0600 permissions for such files. 0600 is not enforced since k8s does not provide an easy way to change the owner of a file and containers are expected to run as nonroot. by @AleksandarSavchev [#60]
• [USER] A bug causing rule 242414 to crash when no options for the rule were set was fixed. by @AleksandarSavchev [#61]
• [USER] DISA Kubernetes STIGs Kubelet rules now creates diki pods only on nodes with free allocatable space. by @AleksandarSavchev [#59]

🏃 Others

• [USER] DISA Kubernetes STIGs 242442 rule no longer checks shoot pods that are not managed by Gardener. by @AleksandarSavchev [#56]
• [DEPENDENCY] Upgraded diki base image: gcr.io/distroless/static-debian11 -> gcr.io/distroless/static-debian12 by @AleksandarSavchev [#91]

[gardener/ops-toolbelt]

✨ New Features

• [OPERATOR] Added an installer script to install etcdctl on demand whenever needed by @aaronfern [gardener/ops-toolbelt#96]

🏃 Others

• [OPERATOR] Changed the default ops-toolbelt container image to eu.gcr.io/sap-se-gcr-k8s-public/eu_gcr_io/gardener-project/gardener/ops-toolbelt:latest by @tedteng [gardener/ops-toolbelt#95]

Docker Images

• diki-linux-amd64: eu.gcr.io/gardener-project/gardener/diki:v0.3.0
• diki-ops-linux-amd64: eu.gcr.io/gardener-project/gardener/diki-ops:v0.3.0

v0.2.0

[gardener/diki]

✨ New Features

• [USER] Metadata and providers are now sorted when generating a report in order to improve consistency and readability. by @dimityrmirchev [#37]
• [USER] DISA Kubernetes STIGs pod-files rule now passes files with owner and/or group ID 65532. by @AleksandarSavchev [#48]

🏃 Others

• [USER] Error messages when encountering pod timeouts while waiting for the pod to reach healthy state were improved. by @AleksandarSavchev [#38]
• [USER] DISA Kubernetes STIGS pod-files rule now checks only 1 pod per owner reference group. by @AleksandarSavchev [#43]
• [USER] DISA Kubernetes STIGS 242436 rule now fails when the kube-apiserver flag disable-admission-plugins is set to ValidatingAdmissionWebhook. by @AleksandarSavchev [#45]
• [USER] DISA Kubernetes STIGS pod-files rule now checks only files with paths part of the volumeMounts for the specific container. It also excludes directories of no interest like /var/log/journal. by @AleksandarSavchev [#39]
• [DEPENDENCY] Diki is now built using go version 1.21.2. by @dimityrmirchev [#44]
• [DEPENDENCY] Update go version to 1.21.1. by @AleksandarSavchev [#36]
• [DEPENDENCY] Diki is now built using go version 1.21.3. by @dimityrmirchev [#50]

[gardener/ops-toolbelt]

🏃 Others

• [USER] Bumped cli versions:
  • kubectl -> v1.26.9
  • nerdctl -> 1.6.0 by @petersutter [gardener/ops-toolbelt#93]

v0.1.0

[gardener/diki]

✨ New Features

• [USER] Diki can now run DISA Kubernetes STIG version v1r10 ruleset. by @AleksandarSavchev [#34]
• [USER] It is now possible to print version details about the diki binary by running diki version. by @dimityrmirchev [#16]
• [USER] The diki report command can now be used to merge multiple reports into a single report by setting the --distinct-by flag. by @AleksandarSavchev [#10]
• [USER] ETCD peer options rules 242380, 242426, 242432 and 242433 are now skipped when ETCD runs as a single instance. by @AleksandarSavchev [#3]
• [DEVELOPER] It is now possible to build diki binaries for different platforms by running make build. by @dimityrmirchev [#19]

🐛 Bug Fixes

• [USER] A bug causing file permission checks to be incorrect has been fixed. by @AleksandarSavchev [#25]
• [USER] A bug causing rule 242394 to error when it should pass was fixed. by @AleksandarSavchev [#2]
• [USER] A bug causing rule 242393 to pass with wrong message was fixed. by @AleksandarSavchev [#2]

🏃 Others

• [USER] Selecting accepted pods for rule 242414 in the config file has been changed to use pod and namespace label selectors instead of name prefixes. by @AleksandarSavchev [#12]