Mondoo 7.9 is out!
๐ฅณ Mondoo 7.9 is out! This release includes a new Kubernetes Ingress resource and automatic discovery of Amazon ECR registries!โ
Get this release: Installation Docs | Package Downloads | Docker Container
๐ NEW FEATURESโ
Kubernetes Ingress resourceโ
Problem: You want to ensure the security of Kubernetes Ingresses.
Solution: Mondoo now includes new resources for exploring and securing Kubernetes Ingress objects. New resources support exploring the Ingress objects themselves as well as the HTTP rules in each Ingress.
New Ingress resources:
- k8s.ingress
- k8s.ingressbackend
- k8s.ingresshttprulepath
- k8s.ingressresourceref
- k8s.ingressrule
- k8s.ingressservicebackend
Example cnspec shell query:
k8s.ingresses: [
0: {
annotations: {}
namespace: "default"
labels: {}
manifest: {
apiVersion: "networking.k8s.io/v1"
kind: "Ingress"
metadata: {
creationTimestamp: null
name: "no-tls-ingress"
namespace: "default"
}
spec: {
ingressClassName: "nginx"
rules: [
0: {
host: "api.nexus.info"
http: {
paths: [
0: {
backend: {
resource: {
apiGroup: "k8s.example.io"
kind: "MyKind"
name: "my-resource"
}
}
path: "/"
pathType: "Prefix"
}
]
}
}
...
You can also automatically discover Ingress objects during your cluster scan with the --discover ingresses
flag. With this flag, each Ingress object is scanned as an asset available in the Mondoo Console.
Stay tuned for new Ingress security policies and auto-discovery of HTTP/HTTPS endpoints so you can automatically discover incorrectly configured or expiring certificates.
Amazon ECR discovery supportโ
Problem: To scan an AWS ECR registry, you have to know its address.
Solution: The cnquery/cnspec AWS scanner now automatically discovers and scans ECR registries.
Just type cnspec scan aws --discover ecs
, or cnspec scan aws --discover all
.
๐งน IMPROVEMENTSโ
Improve EC2 instance discoveryโ
When running cnspec scan aws --discover instances
cnspec now uses EC2 Instance Connect and SSM to connect and remotely scan EC2 instances.
๐ BUG FIXES AND UPDATESโ
- Improve the reliability of many controls in CIS and Mondoo Linux policies.
- Change SSM-scanned instances to not show up as "Other" scans.
- Avoid rate limiting in the AWS Lambda integration by reducing total API calls.
- Improve help and resource autocomplete text.
- Remove some unhelpful warning log messages in cnspec and cnquery.
- Fix the display of long Kubernetes integration names in the Kubernetes integration page.
- Fix login failures using the latest release of Safari on macOS and iOS.
- Fix incorrect display of long organization IDs in the create organization window.