
Custom Resource Definitions

Overview

This project houses CustomResourceDefinitions (CRDs) related to security and compliance checks along with the code generated by Kubernetes code generators to write such custom resources in a natural way.

NAME                   SHORTNAMES    APIGROUP                 NAMESPACED   KIND
vulnerabilityreports   vulns,vuln    aquasecurity.github.io   true         VulnerabilityReport
configauditreports     configaudit   aquasecurity.github.io   true         ConfigAuditReport
ciskubebenchreports    kubebench     aquasecurity.github.io   false        CISKubeBenchReport
kubehunterreports      kubehunter    aquasecurity.github.io   false        KubeHunterReport

Note

We are open to suggestions for adding new CRDs, or changing the existing ones, where that would enable additional third-party integrations.

VulnerabilityReport

An instance of the VulnerabilityReport represents the latest vulnerabilities found in a container image of a given Kubernetes workload. It consists of a list of OS package and application vulnerabilities, together with a summary of vulnerabilities grouped by severity. For multi-container workloads Starboard creates one VulnerabilityReport per container; the reports are stored in the same namespace as the workload and are owned by it. Each report follows the naming convention <workload-kind>-<workload-name>-<container-name>.

Note

For various reasons we'll probably change the naming convention to name VulnerabilityReports by image digest (see #288).

Any static vulnerability scanner that is compliant with the VulnerabilityReport schema can be integrated with Starboard. You can find the list of available integrations here.
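Because workload and container names may themselves contain hyphens, a report name built as <workload-kind>-<workload-name>-<container-name> cannot always be split back into its parts without knowing the workloads in the namespace. The following added example (not Starboard's own code) resolves report names against a known list of workloads and containers, refuses to guess when a name is ambiguous, and sums the per-severity summary for each workload; it assumes the kind is lowercased in the name and that the summary uses field names such as criticalCount and highCount, neither of which this page states.

```python
from collections import defaultdict


def report_name(kind: str, workload: str, container: str) -> str:
    """Name a VulnerabilityReport under the <kind>-<workload>-<container>
    convention. Lowercasing the kind is an assumption, not stated on the page."""
    return f"{kind.lower()}-{workload}-{container}"


def resolve(name: str, workloads: dict) -> list:
    """Return every (kind, workload, container) whose report name equals `name`.
    Splitting on '-' is unsafe because workload and container names may contain
    hyphens, so the name is matched against the known workloads instead."""
    return [(kind, wl, c)
            for (kind, wl), containers in workloads.items()
            for c in containers
            if report_name(kind, wl, c) == name]


def severity_totals(reports: list, workloads: dict) -> dict:
    """Sum severity counts per workload. Names that match zero or several
    workloads are collected under 'ambiguous' rather than attributed by guess."""
    totals = defaultdict(lambda: defaultdict(int))
    ambiguous = []
    for r in reports:
        matches = resolve(r["name"], workloads)
        if len(matches) != 1:
            ambiguous.append(r["name"])
            continue
        kind, wl, _ = matches[0]
        for severity, count in r["summary"].items():
            totals[(kind, wl)][severity] += count
    return {"totals": {k: dict(v) for k, v in totals.items()},
            "ambiguous": ambiguous}


# Constructed sample input: two ReplicaSets whose names and containers collide
# under the naming convention. The summary field names are assumed.
WORKLOADS = {
    ("ReplicaSet", "nginx"): ["nginx", "log-shipper"],
    ("ReplicaSet", "nginx-log"): ["shipper"],
}
REPORTS = [
    {"name": "replicaset-nginx-nginx", "summary": {"criticalCount": 1, "highCount": 3}},
    {"name": "replicaset-nginx-log-shipper", "summary": {"criticalCount": 0, "highCount": 2}},
]

if __name__ == "__main__":
    print(severity_totals(REPORTS, WORKLOADS))
```

The second constructed report could belong to either workload, so it is listed as ambiguous instead of being counted; a convention keyed on the image digest would not have this problem.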

ConfigAuditReport

An instance of the ConfigAuditReport represents checks performed by configuration auditing tools, such as Polaris, against a Kubernetes workload's configuration. For example, a check that a given container image runs as a non-root user, or that a container has resource requests and limits set. Currently the checks only relate to Kubernetes workloads, but most likely we'll extend this model to cater for other Kubernetes objects such as Services, ConfigMaps, etc. (see #300).

Each report is owned by the underlying Kubernetes workload and is stored in the same namespace, following the <workload-kind>-<workload-name> naming convention.

Third-party Kubernetes configuration checkers, linters, and sanitizers that are compliant with the ConfigAuditReport schema can be integrated with Starboard.

Note

The challenge with onboarding third-party configuration checkers is that they tend to have different interfaces for performing scans and vary in their output formats, despite sharing a relatively common goal: inspecting deployment descriptors for known configuration pitfalls.

CISKubeBenchReport

The CISKubeBenchReport is a cluster-scoped resource owned by a Kubernetes node, which represents the latest result of running the CIS Kubernetes Benchmark tests on that node. It is named after the corresponding node.

We do not anticipate many (if any) kube-bench-like tools, hence the schema of this report is currently the same as the output of kube-bench.

KubeHunterReport

The KubeHunterReport is a cluster-scoped resource which represents the outcome of running pen tests against your cluster. Currently the data model is the same as kube-hunter's output, but we can make it more generic to onboard third-party pen testing tools. There is zero or one instance of KubeHunterReport, with the hardcoded name cluster and no owner reference set, since there is no built-in Kubernetes resource that represents a cluster.