Project Status: This project is stable. Any API and CRD changes will be handled in way where previous versions are kept working or migrated.
The Mondoo Operator provides a new Kubernetes native way to do a security assessment of your whole Kubernetes Cluster. The purpose of this project is to simplify and automate the configuration for a Mondoo-based security assessment for Kubernetes clusters.
The Mondoo Operator provides the following features:
- Continuous validation of deployed workloads
- Continuous validation of Kubernetes nodes without privileged access
- Admission Controller
It is backed by Mondoo's powerful policy-as-code engine cnspec and MQL. Mondoo ships out-of-the-box security policies for:
- CIS Kubernetes Benchmarks
- CIS AKS/EKS/GKE/OpenShift Benchmarks
- NSA/CISA Kubernetes Hardening Guide
- Kubernetes Cluster and Workload Security
- Kubernetes Best Practices
The Mondoo Operator can be installed via different methods depending on your Kubernetes workflow:
The following Kubernetes environments are tested:
- AWS EKS 1.23, 1.24, 1.25, and 1.26
- Azure AKS 1.24, 1.25, and 1.26
- GCP GKE 1.23, 1.24, 1.25, and 1.26
- Minikube with Kubernetes versions 1.24, 1.25, 1.26, and 1.27
- Rancher RKE1 1.22 and 1.23
- K3S 1.24, 1.25, 1.26, and 1.27
Please see the docs directory for more in-depth information.
Many files (documentation, manifests, ...) are auto-generated. Before proposing a pull request:
- Commit your changes.
- Run
make generateandmake test. - Commit the generated changes.
If you find a security vulnerability related to the Mondoo Operator, please do not report it by opening a GitHub issue. Instead, send an e-mail to [email protected]
Join the Mondoo Community GitHub Discussions to collaborate on policy as code and security automation.