Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s #1523

Merged
merged 27 commits into from
Nov 26, 2023
Merged

Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s #1523

merged 27 commits into from
Nov 26, 2023

Commits on May 31, 2023

  1. add Support VMware Tanzu(TKGI) Benchmarks v1.2.53 

    with this change, we are adding
1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53
2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397
    @KiranBodipi
    KiranBodipi committed May 31, 2023
    Configuration menu
    Copy the full SHA
    48ad15c View commit details
    Browse the repository at this point in the history

Commits on Jun 1, 2023

  1. Merge branch 'main' into main

    @KiranBodipi
    KiranBodipi authored Jun 1, 2023
    Configuration menu
    Copy the full SHA
    2f61dc1 View commit details
    Browse the repository at this point in the history

  2. add Support VMware Tanzu(TKGI) Benchmarks v1.2.53 

    with this change, we are adding
1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53
2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397
    @KiranBodipi
    KiranBodipi committed Jun 1, 2023
    Configuration menu
    Copy the full SHA
    7be067c View commit details
    Browse the repository at this point in the history

  3. add support VMware Tanzu(TKGI) Benchmarks v1.2.53 

    fixed all the yaml lint errors
    @KiranBodipi
    KiranBodipi committed Jun 1, 2023
    Configuration menu
    Copy the full SHA
    5ca84a8 View commit details
    Browse the repository at this point in the history

Commits on Nov 2, 2023

  1. release: prepare v0.6.15 (aquasecurity#1455) 

    Signed-off-by: chenk <[email protected]>
    @chen-keinan @KiranBodipi
    chen-keinan authored and KiranBodipi committed Nov 2, 2023
    Configuration menu
    Copy the full SHA
    237705a View commit details
    Browse the repository at this point in the history

  2. build(deps): bump golang from 1.19.4 to 1.20.4 (aquasecurity#1436) 

    Bumps golang from 1.19.4 to 1.20.4.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    @dependabot @KiranBodipi
    dependabot[bot] authored and KiranBodipi committed Nov 2, 2023
    Configuration menu
    Copy the full SHA
    8931d37 View commit details
    Browse the repository at this point in the history

  3. build(deps): bump actions/setup-go from 3 to 4 (aquasecurity#1402) 

    Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: chenk <[email protected]>
    @dependabot @chen-keinan @KiranBodipi
    2 people authored and KiranBodipi committed Nov 2, 2023
    Configuration menu
    Copy the full SHA
    b8e25ad View commit details
    Browse the repository at this point in the history

  4. Fix test_items in cis-1.7 - node - 4.2.12 (aquasecurity#1469) 

    Related issue: aquasecurity#1468
    @andypitcher @KiranBodipi
    andypitcher authored and KiranBodipi committed Nov 2, 2023
    Configuration menu
    Copy the full SHA
    44325de View commit details
    Browse the repository at this point in the history

  5. Fix node.yaml - 4.1.7 and 4.1.8 audit by adding uniq (aquasecurity#1472)

    @andypitcher @KiranBodipi
    andypitcher authored and KiranBodipi committed Nov 2, 2023
    Configuration menu
    Copy the full SHA
    9abc03f View commit details
    Browse the repository at this point in the history

  6. chore: add fips compliant images (aquasecurity#1473) 

    For fips complaince we need to generate fips compliant images.
As part of this change, we will create new kube-bench image which will be fips compliant. Image name follows this tag pattern <version>-ubi-fips
    @deven0t @KiranBodipi
    deven0t authored and KiranBodipi committed Nov 2, 2023
    Configuration menu
    Copy the full SHA
    22b5df3 View commit details
    Browse the repository at this point in the history

  7. release: prepare v0.6.16-rc (aquasecurity#1476) 

    * release: prepare v0.6.16-rc

Signed-off-by: chenk <[email protected]>

* release: prepare v0.6.16-rc

Signed-off-by: chenk <[email protected]>

---------

Signed-off-by: chenk <[email protected]>
    @chen-keinan @KiranBodipi
    chen-keinan authored and KiranBodipi committed Nov 2, 2023
    Configuration menu
    Copy the full SHA
    649d5ad View commit details
    Browse the repository at this point in the history

  8. release: prepare v0.6.16 official (aquasecurity#1479) 

    Signed-off-by: chenk <[email protected]>
    @chen-keinan @KiranBodipi
    chen-keinan authored and KiranBodipi committed Nov 2, 2023
    Configuration menu
    Copy the full SHA
    7041ee9 View commit details
    Browse the repository at this point in the history

  9. Update job.yaml (aquasecurity#1477) 

    * Update job.yaml

Fix on typo for image version

* chore: sync with upstream

Signed-off-by: chenk <[email protected]>

---------

Signed-off-by: chenk <[email protected]>
Co-authored-by: chenk <[email protected]>
    @guillermotti @chen-keinan @KiranBodipi
    2 people authored and KiranBodipi committed Nov 2, 2023
    Configuration menu
    Copy the full SHA
    63ab667 View commit details
    Browse the repository at this point in the history

  10. release: prepare v0.6.17 (aquasecurity#1480) 

    Signed-off-by: chenk <[email protected]>
    @chen-keinan @KiranBodipi
    chen-keinan authored and KiranBodipi committed Nov 2, 2023
    Configuration menu
    Copy the full SHA
    fa171d7 View commit details
    Browse the repository at this point in the history

  11. Bump docker base images (aquasecurity#1465) 

    During a recent CVE scan we found kube-bench to use `alpine:3.18` as the final image which has a known high CVE.

```
grype aquasec/kube-bench:v0.6.15
 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [73 packages]
 ✔ Scanning image...       [4 vulnerabilities]
   ├── 0 critical, 4 high, 0 medium, 0 low, 0 negligible
   └── 4 fixed
NAME        INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY
libcrypto3  3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
libssl3     3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
openssl     3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
```

The CVE in question was addressed in the latest [alpine release](https://www.alpinelinux.org/posts/Alpine-3.15.9-3.16.6-3.17.4-3.18.2-released.html), hence updating the dockerfiles accordingly
    @sfc-gh-jelsesiy @KiranBodipi
    sfc-gh-jelsesiy authored and KiranBodipi committed Nov 2, 2023
    Configuration menu
    Copy the full SHA
    b7ed3c5 View commit details
    Browse the repository at this point in the history

  12. build(deps): bump golang from 1.20.4 to 1.20.6 (aquasecurity#1475) 

    Bumps golang from 1.20.4 to 1.20.6.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    @dependabot @KiranBodipi
    dependabot[bot] authored and KiranBodipi committed Nov 2, 2023
    Configuration menu
    Copy the full SHA
    7a71cf7 View commit details
    Browse the repository at this point in the history

  13. Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s 

    Based on the information furnished in https://ranchermanager.docs.rancher.com/v2.7/pages-for-subheaders/rancher-hardening-guides
kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions.
    @KiranBodipi
    KiranBodipi committed Nov 2, 2023
    Configuration menu
    Copy the full SHA
    fe172aa View commit details
    Browse the repository at this point in the history

  14. Merge branch 'main' into kb-cis-support-rancher

    @KiranBodipi
    KiranBodipi committed Nov 2, 2023
    Configuration menu
    Copy the full SHA
    7eb142f View commit details
    Browse the repository at this point in the history

Commits on Nov 3, 2023

  1. RKE/RKE2 CIS Benchmarks 

    Updated the order of checks for RKE and RKE2 Platforms.
    @KiranBodipi
    KiranBodipi committed Nov 3, 2023
    Configuration menu
    Copy the full SHA
    73f2387 View commit details
    Browse the repository at this point in the history

  2. fixed vulnerabilities|upgraded package golang.org/x/net to version v0… 

    ….17.0
    @KiranBodipi
    KiranBodipi committed Nov 3, 2023
    Configuration menu
    Copy the full SHA
    8529fb9 View commit details
    Browse the repository at this point in the history

Commits on Nov 6, 2023

  1. Error handling for RKE Detection Pre-requisites

    @KiranBodipi
    KiranBodipi committed Nov 6, 2023
    Configuration menu
    Copy the full SHA
    91e13e5 View commit details
    Browse the repository at this point in the history

  2. Merge branch 'aquasecurity:main' into kb-cis-support-rancher

    @KiranBodipi
    KiranBodipi authored Nov 6, 2023
    Configuration menu
    Copy the full SHA
    d2f8a98 View commit details
    Browse the repository at this point in the history

Commits on Nov 16, 2023

  1. Based on the information furnished in https://ranchermanager.docs.ran… 

    …cher.com/v2.7/pages-for-subheaders/rancher-hardening-guides#hardening-guides-and-benchmark-versions, kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions.

updated documentation specific to added rancher platforms
    @KiranBodipi
    KiranBodipi committed Nov 16, 2023
    Configuration menu
    Copy the full SHA
    b36129c View commit details
    Browse the repository at this point in the history

  2. Merge branch 'main' into kb-cis-support-rancher

    @KiranBodipi
    KiranBodipi committed Nov 16, 2023
    Configuration menu
    Copy the full SHA
    a8b67fa View commit details
    Browse the repository at this point in the history

Commits on Nov 21, 2023

  1. addressed review comments 

    1.Implemented IsRKE functionality in kube-bench
2. Removed containerd from global level config and accommodated in individual config file
3. Corrected the control id from 1.2.25 to 1.2.23 in master.yaml(k3s-cis-1.23 and k3s-cis-1.24)
    @KiranBodipi
    KiranBodipi committed Nov 21, 2023
    Configuration menu
    Copy the full SHA
    bf258a6 View commit details
    Browse the repository at this point in the history

  2. Removed unncessary dependency - kubernetes-provider-detector

    @KiranBodipi
    KiranBodipi committed Nov 21, 2023
    Configuration menu
    Copy the full SHA
    9eaea49 View commit details
    Browse the repository at this point in the history

Commits on Nov 23, 2023

  1. Merge branch 'main' into kb-cis-support-rancher

    @KiranBodipi
    KiranBodipi authored Nov 23, 2023
    Configuration menu
    Copy the full SHA
    2fb42f9 View commit details
    Browse the repository at this point in the history