Infrastructure hardening in the devops_os project
Context
devops_os (at /Users/gsaravanan/gsdev/devops_os) is a CLI scaffold generator with this pattern:
devopsos scaffold gha --options → generates GitHub Actions YAML
devopsos scaffold sre --options → generates Prometheus rules, Grafana dashboards, SLO manifests
devopsos scaffold argocd --options → generates ArgoCD application manifests
devopsos scaffold k8s --options → generates Kubernetes YAML (kubectl/kustomize/argocd/flux)
Key files:
cli/devopsos.py — Typer app with scaffold_app sub-app; each scaffold is registered as a sub-command
cli/scaffold_gha.py, scaffold_sre.py, scaffold_argocd.py etc — generator modules
kubernetes/k8s-config-generator.py — K8s YAML generator (standalone, not yet wired into Typer)
kubernetes/kubernetes-templates/ — argocd/, flux/, kustomize/ subdirs with YAML templates
Pattern for adding a new scaffold:
- Create cli/scaffold_hardening.py with argparse/Typer CLI + file generation logic
- Create hardening/templates/ with template files
- Register in cli/devopsos.py as scaffold_app.add_typer(hardening_app, name="hardening")
- Add docs to docs/
- Add tests to tests/
What to document
Write docs/devops-os-hardening-sprint.md with the following sections:
1. Sprint Goal
One paragraph — what devopsos scaffold hardening delivers and why it belongs in devops_os (not GovPilot).
2. Hardening Standards Covered
Table of standards to implement:
| Standard | Target | Tool | Files generated |
|---|---|---|---|
| CIS Kubernetes Benchmark v1.9 | Kubernetes cluster | Kyverno YAML policies | kyverno-cis-k8s.yaml |
| CIS Docker Benchmark v1.6 | Container runtime | InSpec profile | inspec/docker-cis/ |
| CIS RHEL 9 Benchmark | OS (RHEL/Rocky/AlmaLinux) | InSpec profile | inspec/rhel9-cis/ |
| CIS Ubuntu 22.04 Benchmark | OS (Ubuntu) | InSpec profile | inspec/ubuntu22-cis/ |
| DISA STIG for Kubernetes | Kubernetes cluster | Kyverno YAML policies | kyverno-stig-k8s.yaml |
| NSA/CISA Kubernetes Hardening Guide | Kubernetes cluster | Kyverno + NetworkPolicy | kyverno-nsa-k8s.yaml |
| Pod Security Standards (Kubernetes) | Pod admission | Kyverno ClusterPolicy | kyverno-pod-security.yaml |
| Container Image Signing | CI/CD + admission | Kyverno + Cosign policy | kyverno-image-signing.yaml |
| OWASP ASVS L1 (infra layer only) | Application deployment | Kyverno + Checkov | asvs-l1-checks/ |
| Essential Eight (Australia ASD) | General controls | InSpec + Checkov | essential-eight/ |
3. CLI Design
Show the full devopsos scaffold hardening CLI interface:
# Generate CIS Kubernetes hardening policies
devopsos scaffold hardening --standard cis-k8s --output hardening/
# Generate DISA STIG Kubernetes policies
devopsos scaffold hardening --standard stig-k8s --output hardening/
# Generate OS hardening InSpec profile for RHEL 9
devopsos scaffold hardening --standard cis-rhel9 --type inspec --output hardening/
# Generate all Kyverno policies for a production cluster
devopsos scaffold hardening --standard all --type kyverno --output hardening/
# Generate with compliance mapping (links back to GovPilot gap register)
devopsos scaffold hardening --standard cis-k8s --compliance-framework pci-dss --output hardening/
Options:
--standard — which hardening standard (cis-k8s, stig-k8s, nsa-k8s, cis-docker, cis-rhel9, cis-ubuntu22, pod-security, image-signing, essential-eight, all)
--type — output type: kyverno, inspec, checkov, all (default: all applicable)
--output — output directory (default: ./hardening/)
--compliance-framework — optional: tag outputs with compliance framework IDs (pci-dss, hipaa, iso27001, rbi, etc.) for GovPilot catalog linking
--severity — filter by minimum severity level (critical, high, medium, low)
--environment — target environment profile: dev, staging, production (adjusts enforcement levels)
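The option set above translates into a small amount of resolution logic: `--standard all` and `--type all` have to be expanded into the concrete (standard, tool) pairs that actually have a generator, and an explicit request for a tool that does not apply to a standard should fail rather than write an empty directory. The following is an added example, not code from the devops_os project. It uses argparse (the page names argparse/Typer as the CLI choice; the Typer registration in cli/devopsos.py is not shown), the STANDARD_TOOLS map is derived from the standards table, and the defaults for --severity and --environment are assumptions.

```python
"""Hypothetical argparse front end for `devopsos scaffold hardening`.

Added example, not devops_os code. It mirrors the options in the CLI Design
section and resolves `--standard all` / `--type all` into the concrete
(standard, tool) pairs that have a generator, so the caller gets an explicit
plan of what will be written before anything touches disk.
"""
import argparse
from pathlib import Path

# Which output type each standard can produce (constructed from the standards table).
STANDARD_TOOLS = {
    "cis-k8s": ["kyverno"],
    "stig-k8s": ["kyverno"],
    "nsa-k8s": ["kyverno"],
    "cis-docker": ["inspec"],
    "cis-rhel9": ["inspec"],
    "cis-ubuntu22": ["inspec"],
    "pod-security": ["kyverno"],
    "image-signing": ["kyverno"],
    "essential-eight": ["inspec", "checkov"],
}
OUTPUT_TYPES = ["kyverno", "inspec", "checkov"]
SEVERITIES = ["low", "medium", "high", "critical"]
ENVIRONMENTS = ["dev", "staging", "production"]


def build_parser() -> argparse.ArgumentParser:
    p = argparse.ArgumentParser(prog="devopsos scaffold hardening")
    p.add_argument("--standard", required=True,
                   choices=sorted(STANDARD_TOOLS) + ["all"])
    p.add_argument("--type", dest="output_type", default="all",
                   choices=OUTPUT_TYPES + ["all"])
    p.add_argument("--output", type=Path, default=Path("./hardening/"))
    p.add_argument("--compliance-framework", default=None)
    # Defaults below are assumptions for this example, not project decisions.
    p.add_argument("--severity", default="low", choices=SEVERITIES)
    p.add_argument("--environment", default="production", choices=ENVIRONMENTS)
    return p


def plan(args: argparse.Namespace) -> list:
    """Expand 'all' values into concrete (standard, tool) pairs.

    A tool that does not apply to a standard is skipped when --type all is
    used, but is an error when the user asked for it explicitly, so
    `--standard cis-rhel9 --type kyverno` fails loudly instead of producing
    an empty directory.
    """
    standards = sorted(STANDARD_TOOLS) if args.standard == "all" else [args.standard]
    pairs = []
    for std in standards:
        tools = STANDARD_TOOLS[std]
        if args.output_type == "all":
            pairs.extend((std, t) for t in tools)
        elif args.output_type in tools:
            pairs.append((std, args.output_type))
        elif args.standard != "all":
            raise SystemExit(
                f"{std} has no {args.output_type} generator (has: {', '.join(tools)})")
    return pairs


def parse_and_plan(argv: list) -> tuple:
    """Parse argv and return (namespace, list of (standard, tool) pairs)."""
    args = build_parser().parse_args(argv)
    return args, plan(args)


if __name__ == "__main__":
    import sys
    ns, todo = parse_and_plan(sys.argv[1:])
    for std, tool in todo:
        # Output layout <output>/<tool>/<standard>/ matches the File Structure section.
        print(f"{std:16s} -> {tool:8s} -> {ns.output / tool / std}")
```

Resolving the plan before generating anything also gives the unit tests in tests/test_hardening_scaffold.py a pure function to assert on, without touching the filesystem.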
4. File Structure Generated
Show what devopsos scaffold hardening --standard all --output hardening/ generates:
hardening/
├── kyverno/
│   ├── cis-k8s/
│   │   ├── 1-master-node-config.yaml — CIS 1.x master node API server settings
│   │   ├── 2-etcd-config.yaml — CIS 2.x etcd security
│   │   ├── 3-control-plane-config.yaml — CIS 3.x control plane settings
│   │   ├── 4-worker-node-config.yaml — CIS 4.x kubelet settings
│   │   └── 5-policies.yaml — CIS 5.x policies (RBAC, secrets, networking)
│   ├── stig-k8s/
│   │   └── stig-cluster-policies.yaml — DISA STIG rules for K8s
│   ├── nsa-k8s/
│   │   ├── pod-security.yaml — NSA pod hardening
│   │   └── network-policies.yaml — NSA network segmentation
│   ├── pod-security-standards.yaml — Baseline/Restricted PSS enforcement
│   └── image-signing.yaml — Cosign image signature verification
├── inspec/
│   ├── docker-cis/
│   │   ├── inspec.yml — profile metadata
│   │   └── controls/
│   │       ├── 1_host_configuration.rb — CIS 1.x host config checks
│   │       ├── 2_docker_daemon.rb — CIS 2.x daemon config
│   │       ├── 3_docker_daemon_files.rb — CIS 3.x file permissions
│   │       ├── 4_container_images.rb — CIS 4.x image checks
│   │       └── 5_container_runtime.rb — CIS 5.x runtime config
│   ├── rhel9-cis/
│   │   ├── inspec.yml
│   │   └── controls/
│   │       ├── 1_filesystem.rb — CIS 1.x filesystem config
│   │       ├── 2_services.rb — CIS 2.x inetd, special services
│   │       ├── 3_network.rb — CIS 3.x network params
│   │       ├── 4_logging.rb — CIS 4.x logging and auditing
│   │       └── 5_access.rb — CIS 5.x access, auth, sudo
│   └── ubuntu22-cis/
│       ├── inspec.yml
│       └── controls/ (same structure)
├── essential-eight/
│   ├── README.md — maturity levels and applicability
│   └── checkov/
│       └── essential-eight-checks.py — Checkov custom checks for E8
└── compliance-mapping.yaml — maps each hardening rule → compliance control IDs (used by GovPilot check catalog)
5. Implementation Plan
Break into 4 implementation tasks with file paths and what each touches:
Task 1 — CLI scaffold module (cli/scaffold_hardening.py)
- Typer sub-app with all options
- Calls template generators per standard
- Registers in cli/devopsos.py
- ~200 lines
Task 2 — Kyverno policy templates (hardening/templates/kyverno/)
- YAML templates for each standard (CIS K8s, STIG, NSA, pod security, image signing)
- Parameterized with Jinja2 or string.Template for environment/severity customization
- Each policy has annotations with compliance control IDs for GovPilot catalog linking
Task 3 — InSpec profile templates (hardening/templates/inspec/)
- Skeleton InSpec profiles for Docker CIS, RHEL9 CIS, Ubuntu 22 CIS
- Each control references CIS benchmark section and compliance framework control IDs
- inspec.yml with profile metadata, controls/*.rb with test cases
Task 4 — Compliance mapping file (hardening/templates/compliance-mapping.yaml)
- YAML file linking each hardening rule to compliance framework control IDs
- Format: rule_id → [framework_control_ids]
- Consumed by GovPilot check_selector.py to link hardening checks into the catalog
7. Testing Plan
- Unit tests for each scaffold generator (tests/test_hardening_scaffold.py)
- Validate generated Kyverno YAML with kubectl apply --dry-run
- Validate InSpec profiles with inspec check <profile-dir>
- Verify compliance-mapping.yaml links resolve to valid check catalog entries
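Task 2 (templated Kyverno policies whose annotations carry compliance control IDs and whose enforcement follows --environment), Task 4 (the rule_id → [framework_control_ids] mapping) and the last testing-plan item (mapping links must resolve to catalog entries) share one small core, shown here as an added example that is not devops_os code. It uses string.Template, one of the two options Task 2 names, and emits YAML as text so it needs no third-party library. The rule, its control IDs, the check catalog and the dev/staging → Audit, production → Enforce mapping are all constructed placeholders for illustration. The sample rule is a CIS 5.x-style pod admission check, since those are the benchmark controls an admission controller like Kyverno can actually evaluate.

```python
"""Added example, not devops_os code: render one Kyverno ClusterPolicy from a
string.Template, stamp it with compliance control IDs, emit the
compliance-mapping entries, and verify they resolve against a check catalog.

Every rule ID, control ID and catalog entry below is a constructed placeholder.
"""
from string import Template

# Constructed rule catalog: one hardening rule with its benchmark reference.
# The CIS section and the framework control IDs are placeholders, not real ones.
RULES = {
    "cis-k8s-5.2.x-run-as-nonroot": {
        "kinds": "Pod",
        "severity": "high",
        "message": "Containers must run as non-root (CIS K8s 5.2.x placeholder)",
        "frameworks": {"pci-dss": ["2.2.x-placeholder"], "iso27001": ["A.8.9-placeholder"]},
    }
}

# How --environment maps onto Kyverno's validationFailureAction (assumption for this example):
# lower environments only report violations, production blocks them at admission.
ENFORCEMENT = {"dev": "Audit", "staging": "Audit", "production": "Enforce"}

POLICY_TEMPLATE = Template("""\
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: $name
  annotations:
    policies.kyverno.io/severity: $severity
    devopsos.io/rule-id: $name
    devopsos.io/compliance-controls: "$controls"
spec:
  validationFailureAction: $action
  background: true
  rules:
    - name: $name
      match:
        any:
          - resources:
              kinds: [$kinds]
      validate:
        message: "$message"
        pattern:
          spec:
            securityContext:
              runAsNonRoot: true
""")


def render_policy(rule_id: str, environment: str, framework: str = "") -> str:
    """Render the policy for one rule; --compliance-framework selects which control IDs are stamped."""
    rule = RULES[rule_id]
    controls = rule["frameworks"].get(framework, []) if framework else []
    return POLICY_TEMPLATE.substitute(
        name=rule_id,
        severity=rule["severity"],
        controls=",".join(f"{framework}:{c}" for c in controls),
        action=ENFORCEMENT[environment],
        kinds=rule["kinds"],
        message=rule["message"],
    )


def compliance_mapping() -> dict:
    """rule_id -> [framework:control_id], the shape Task 4 describes for compliance-mapping.yaml."""
    return {
        rid: [f"{fw}:{c}" for fw, ids in r["frameworks"].items() for c in ids]
        for rid, r in RULES.items()
    }


def unresolved_controls(mapping: dict, catalog: set) -> list:
    """Return mapping entries absent from the check catalog.

    This is the check the testing plan asks for: a dangling control ID means the
    hardening rule would be linked to nothing on the GovPilot side.
    """
    return sorted(ref for refs in mapping.values() for ref in refs if ref not in catalog)


if __name__ == "__main__":
    print(render_policy("cis-k8s-5.2.x-run-as-nonroot", "production", "pci-dss"))
    # Constructed catalog: deliberately missing the iso27001 entry to show the check firing.
    catalog = {"pci-dss:2.2.x-placeholder"}
    print("unresolved:", unresolved_controls(compliance_mapping(), catalog))
```

Keeping the rendered policy as a string keeps the generator dependency-free; the kubectl apply --dry-run step in the testing plan is still the check that the YAML is structurally accepted by the cluster.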
8. Effort Estimate
Table: task → estimated days → who (devops-os team or cel-agents team)