A Kubernetes operator that orchestrates compliance scanning for Kubernetes clusters using the Diki compliance checker. Part of the Gardener ecosystem.
diki-operator automates the execution of compliance scans against Kubernetes clusters and manages the export of scan reports. It provides the following CRDs:
- ComplianceScan -- define and trigger compliance scans
- ScheduledComplianceScan -- schedule recurring compliance scans
- ReportOutput -- configurable outputs for diki scan reports
## ComplianceScan

Cluster-scoped resource that specifies which rulesets to run, references optional ConfigMaps for ruleset/rule options, and tracks scan status (Pending, Running, Completed, Failed).

```yaml
apiVersion: diki.gardener.cloud/v1alpha1
kind: ComplianceScan
metadata:
  name: example-compliancescan
spec:
  rulesets:
  - id: disa-kubernetes-stig
    version: v2r4
    options:
      ruleset:
        configMapRef:
          name: diki-options
          namespace: kube-system
  outputs:
  - name: compliance-scan-report
```

## ScheduledComplianceScan

Cluster-scoped resource that defines a cron schedule for recurring ComplianceScans, with configurable history limits.
```yaml
apiVersion: diki.gardener.cloud/v1alpha1
kind: ScheduledComplianceScan
metadata:
  name: weekly-scan
spec:
  schedule: "0 0 * * 0" # every Sunday at midnight
  successfulScansHistoryLimit: 3
  failedScansHistoryLimit: 1
  scanTemplate:
    spec:
      rulesets:
      - id: disa-kubernetes-stig
        version: v2r4
      outputs:
      - name: compliance-scan-report
```

## ReportOutput

Cluster-scoped resource that defines where compliance reports should be stored.
```yaml
apiVersion: diki.gardener.cloud/v1alpha1
kind: ReportOutput
metadata:
  name: compliance-scan-report
spec:
  output:
    configMap:
      namespace: kube-system
      namePrefix: compliance-scan-report-
```

For local setup instructions, see the Getting Started Locally guide.
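The three resources above only work together when their references line up: a scan's `spec.outputs[].name` has to name a `ReportOutput`, and a `configMapRef` has to carry both a name and a namespace. The history limits on a `ScheduledComplianceScan` likewise decide which finished scans are kept. The script below is an added example written for this README, not code from diki-operator or the Gardener project: `validate_references()` checks those cross-references over manifests held as plain dicts (constructed inline, mirroring the samples above, so no PyYAML or cluster access is needed), and `select_for_deletion()` applies `successfulScansHistoryLimit` / `failedScansHistoryLimit` to a constructed list of scan status records. The way the limits are applied (keep the newest N per outcome, never touch Pending or Running scans) is this example's assumption, modelled on how Kubernetes CronJob history limits behave, not a statement of how the operator itself prunes.

```python
"""Pre-flight checks for diki-operator manifests (added example, offline)."""
from datetime import datetime, timezone

# Constructed manifests mirroring the README samples, held as dicts.
COMPLIANCE_SCAN = {
    "apiVersion": "diki.gardener.cloud/v1alpha1",
    "kind": "ComplianceScan",
    "metadata": {"name": "example-compliancescan"},
    "spec": {
        "rulesets": [{
            "id": "disa-kubernetes-stig",
            "version": "v2r4",
            "options": {"ruleset": {"configMapRef": {
                "name": "diki-options", "namespace": "kube-system"}}},
        }],
        "outputs": [{"name": "compliance-scan-report"}],
    },
}

SCHEDULED_SCAN = {
    "apiVersion": "diki.gardener.cloud/v1alpha1",
    "kind": "ScheduledComplianceScan",
    "metadata": {"name": "weekly-scan"},
    "spec": {
        "schedule": "0 0 * * 0",
        "successfulScansHistoryLimit": 3,
        "failedScansHistoryLimit": 1,
        "scanTemplate": {"spec": {
            "rulesets": [{"id": "disa-kubernetes-stig", "version": "v2r4"}],
            "outputs": [{"name": "compliance-scan-report"}],
        }},
    },
}


def _ts(day):
    return datetime(2024, 1, day, tzinfo=timezone.utc)


# Constructed status records for scans a schedule has already produced.
# "phase" uses the status values the README lists for ComplianceScan.
SAMPLE_SCANS = [
    {"name": "weekly-scan-1", "phase": "Completed", "finished": _ts(1)},
    {"name": "weekly-scan-2", "phase": "Completed", "finished": _ts(8)},
    {"name": "weekly-scan-3", "phase": "Failed", "finished": _ts(15)},
    {"name": "weekly-scan-4", "phase": "Completed", "finished": _ts(22)},
    {"name": "weekly-scan-5", "phase": "Completed", "finished": _ts(29)},
    {"name": "weekly-scan-6", "phase": "Failed", "finished": _ts(30)},
    {"name": "weekly-scan-7", "phase": "Completed", "finished": _ts(31)},
    {"name": "weekly-scan-8", "phase": "Running", "finished": None},
]


def validate_references(scan, report_output_names):
    """Return a list of problems; an empty list means the manifest is consistent.

    Works for a ComplianceScan directly or for the scanTemplate embedded in a
    ScheduledComplianceScan. report_output_names is the set of ReportOutput
    names that exist in the cluster.
    """
    spec = scan["spec"]
    if scan["kind"] == "ScheduledComplianceScan":
        spec = spec["scanTemplate"]["spec"]
    problems = []
    if not spec.get("rulesets"):
        problems.append("spec.rulesets is empty: nothing would be scanned")
    for rs in spec.get("rulesets", []):
        ref = rs.get("options", {}).get("ruleset", {}).get("configMapRef")
        if ref is not None and not (ref.get("name") and ref.get("namespace")):
            problems.append(f"ruleset {rs['id']}: configMapRef needs name and namespace")
    for out in spec.get("outputs", []):
        if out["name"] not in report_output_names:
            problems.append(f"output {out['name']!r} does not match any ReportOutput")
    return problems


def select_for_deletion(scans, successful_limit, failed_limit):
    """Names of finished scans beyond the history limits, oldest first.

    Completed scans count against successful_limit, Failed scans against
    failed_limit; Pending and Running scans are never selected (assumed
    semantics, modelled on CronJob history limits).
    """
    limits = {"Completed": successful_limit, "Failed": failed_limit}
    doomed = []
    for phase, limit in limits.items():
        newest_first = sorted((s for s in scans if s["phase"] == phase),
                              key=lambda s: s["finished"], reverse=True)
        doomed.extend(newest_first[limit:])  # everything older than the newest `limit`
    return [s["name"] for s in sorted(doomed, key=lambda s: s["finished"])]


if __name__ == "__main__":
    print(validate_references(COMPLIANCE_SCAN, {"compliance-scan-report"}))
    print(validate_references(SCHEDULED_SCAN, set()))
    sched = SCHEDULED_SCAN["spec"]
    print(select_for_deletion(SAMPLE_SCANS,
                              sched["successfulScansHistoryLimit"],
                              sched["failedScansHistoryLimit"]))
```

Run against the sample data, the first check passes, the second reports that `compliance-scan-report` has no matching ReportOutput (the set of existing outputs was empty), and the pruning step selects `weekly-scan-1`, `weekly-scan-2` and `weekly-scan-3` for deletion: the three newest Completed scans and the single newest Failed scan survive, while the Running scan is left alone.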
Feedback and contributions are always welcome!
Please report bugs or suggestions as GitHub issues or reach out on Slack (join the workspace here).
