-
Notifications
You must be signed in to change notification settings - Fork 1.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s
Based on the information furnished in Self-Assessment and Hardening Guides for Rancher | Rancher , kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions.
- Loading branch information
1 parent
d70459b
commit c5ba3bf
Showing
63 changed files
with
19,915 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
--- | ||
## Version-specific settings that override the values in cfg/config.yaml | ||
|
||
master: | ||
components: | ||
- apiserver | ||
- scheduler | ||
- controllermanager | ||
- etcd | ||
- policies | ||
|
||
apiserver: | ||
bins: | ||
- containerd | ||
|
||
scheduler: | ||
bins: | ||
- containerd | ||
|
||
controllermanager: | ||
bins: | ||
- containerd | ||
|
||
etcd: | ||
bins: | ||
- containerd | ||
|
||
node: | ||
components: | ||
- kubelet | ||
- proxy | ||
|
||
kubelet: | ||
bins: | ||
- containerd | ||
defaultkubeconfig: /var/lib/rancher/k3s/agent/kubelet.kubeconfig | ||
defaultcafile: /var/lib/rancher/k3s/agent/client-ca.crt | ||
|
||
proxy: | ||
bins: | ||
- containerd | ||
defaultkubeconfig: /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig | ||
|
||
policies: | ||
components: | ||
- policies |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
--- | ||
controls: | ||
version: "k3s-cis-1.23" | ||
id: 3 | ||
text: "Control Plane Configuration" | ||
type: "controlplane" | ||
groups: | ||
- id: 3.1 | ||
text: "Authentication and Authorization" | ||
checks: | ||
- id: 3.1.1 | ||
text: "Client certificate authentication should not be used for users (Manual)" | ||
type: "manual" | ||
remediation: | | ||
Alternative mechanisms provided by Kubernetes such as the use of OIDC should be | ||
implemented in place of client certificates. | ||
scored: false | ||
|
||
- id: 3.2 | ||
text: "Logging" | ||
checks: | ||
- id: 3.2.1 | ||
text: "Ensure that a minimal audit policy is created (Manual)" | ||
audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'" | ||
type: "manual" | ||
tests: | ||
test_items: | ||
- flag: "--audit-policy-file" | ||
set: true | ||
remediation: | | ||
Create an audit policy file for your cluster. | ||
scored: false | ||
|
||
- id: 3.2.2 | ||
text: "Ensure that the audit policy covers key security concerns (Manual)" | ||
type: "manual" | ||
remediation: | | ||
Review the audit policy provided for the cluster and ensure that it covers | ||
at least the following areas, | ||
- Access to Secrets managed by the cluster. Care should be taken to only | ||
log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in | ||
order to avoid risk of logging sensitive data. | ||
- Modification of Pod and Deployment objects. | ||
- Use of `pods/exec`, `pods/portforward`, `pods/proxy` and `services/proxy`. | ||
For most requests, minimally logging at the Metadata level is recommended | ||
(the most basic level of logging). | ||
scored: false |
Oops, something went wrong.