Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s #1523

Merged: 27 commits, Nov 26, 2023

Commits (27)
48ad15c
add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
KiranBodipi May 25, 2023
2f61dc1
Merge branch 'main' into main
KiranBodipi Jun 1, 2023
7be067c
add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
KiranBodipi May 25, 2023
5ca84a8
add support VMware Tanzu(TKGI) Benchmarks v1.2.53
KiranBodipi Jun 1, 2023
237705a
release: prepare v0.6.15 (#1455)
chen-keinan Jun 6, 2023
8931d37
build(deps): bump golang from 1.19.4 to 1.20.4 (#1436)
dependabot[bot] Jun 10, 2023
b8e25ad
build(deps): bump actions/setup-go from 3 to 4 (#1402)
dependabot[bot] Jun 24, 2023
44325de
Fix test_items in cis-1.7 - node - 4.2.12 (#1469)
andypitcher Jul 2, 2023
9abc03f
Fix node.yaml - 4.1.7 and 4.1.8 audit by adding uniq (#1472)
andypitcher Jul 11, 2023
22b5df3
chore: add fips compliant images (#1473)
deven0t Jul 24, 2023
649d5ad
release: prepare v0.6.16-rc (#1476)
chen-keinan Jul 24, 2023
7041ee9
release: prepare v0.6.16 official (#1479)
chen-keinan Jul 25, 2023
63ab667
Update job.yaml (#1477)
guillermotti Jul 25, 2023
fa171d7
release: prepare v0.6.17 (#1480)
chen-keinan Jul 25, 2023
b7ed3c5
Bump docker base images (#1465)
sfc-gh-jelsesiy Jul 26, 2023
7a71cf7
build(deps): bump golang from 1.20.4 to 1.20.6 (#1475)
dependabot[bot] Jul 28, 2023
fe172aa
Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s
KiranBodipi Oct 26, 2023
7eb142f
Merge branch 'main' into kb-cis-support-rancher
KiranBodipi Nov 2, 2023
73f2387
RKE/RKE2 CIS Benchmarks
KiranBodipi Nov 3, 2023
8529fb9
fixed vulnerabilities|upgraded package golang.org/x/net to version v0…
KiranBodipi Nov 3, 2023
91e13e5
Error handling for RKE Detection Pre-requisites
KiranBodipi Nov 6, 2023
d2f8a98
Merge branch 'aquasecurity:main' into kb-cis-support-rancher
KiranBodipi Nov 6, 2023
b36129c
Based on the information furnished in https://ranchermanager.docs.ran…
KiranBodipi Nov 7, 2023
a8b67fa
Merge branch 'main' into kb-cis-support-rancher
KiranBodipi Nov 16, 2023
bf258a6
addressed review comments
KiranBodipi Nov 21, 2023
9eaea49
Removed unnecessary dependency - kubernetes-provider-detector
KiranBodipi Nov 21, 2023
2fb42f9
Merge branch 'main' into kb-cis-support-rancher
KiranBodipi Nov 23, 2023
81 changes: 81 additions & 0 deletions cfg/config.yaml
Expand Up @@ -36,6 +36,7 @@ master:
- /var/snap/microk8s/current/args/kube-apiserver
- /etc/origin/master/master-config.yaml
- /etc/kubernetes/manifests/talos-kube-apiserver.yaml
- /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml
defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml

scheduler:
Expand All @@ -53,6 +54,7 @@ master:
- /var/snap/microk8s/current/args/kube-scheduler
- /etc/origin/master/scheduler.json
- /etc/kubernetes/manifests/talos-kube-scheduler.yaml
- /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml
defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
kubeconfig:
- /etc/kubernetes/scheduler.conf
Expand All @@ -77,6 +79,7 @@ master:
- /var/snap/kube-controller-manager/current/args
- /var/snap/microk8s/current/args/kube-controller-manager
- /etc/kubernetes/manifests/talos-kube-controller-manager.yaml
- /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml
defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
kubeconfig:
- /etc/kubernetes/controller-manager.conf
Expand All @@ -101,6 +104,7 @@ master:
- /var/snap/etcd/common/etcd.conf.yaml
- /var/snap/microk8s/current/args/etcd
- /usr/lib/systemd/system/etcd.service
- /var/lib/rancher/rke2/server/db/etcd/config
defaultconf: /etc/kubernetes/manifests/etcd.yaml
defaultdatadir: /var/lib/etcd/default.etcd

Expand Down Expand Up @@ -132,6 +136,9 @@ node:
- "/etc/kubernetes/certs/ca.crt"
- "/etc/kubernetes/cert/ca.pem"
- "/var/snap/microk8s/current/certs/ca.crt"
- "/var/lib/rancher/rke2/agent/server.crt"
- "/var/lib/rancher/rke2/agent/client-ca.crt"
- "/var/lib/rancher/k3s/agent/client-ca.crt"
svc:
# These paths must also be included
# in the 'confs' property below
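Review bot: `/var/lib/rancher/rke2/agent/server.crt` is listed as a CA-file candidate, but its name suggests the kubelet's serving certificate rather than a CA bundle, and it precedes `/var/lib/rancher/rke2/agent/client-ca.crt` in this list, so on an RKE2 node the client-CA file checks would be run against the serving certificate instead. Suggest dropping the `server.crt` entry or moving `client-ca.crt` ahead of it, after confirming against the RKE2 file layout which file actually backs `--client-ca-file`.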
Expand All @@ -151,8 +158,12 @@ node:
- "/var/lib/kubelet/kubeconfig"
- "/etc/kubernetes/kubelet-kubeconfig"
- "/etc/kubernetes/kubelet/kubeconfig"
- "/etc/kubernetes/ssl/kubecfg-kube-node.yaml"
- "/var/snap/microk8s/current/credentials/kubelet.config"
- "/etc/kubernetes/kubeconfig-kubelet"
- "/var/lib/rancher/rke2/agent/kubelet.kubeconfig"
- "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
- "/var/lib/rancher/k3s/agent/kubelet.kubeconfig"
confs:
- "/etc/kubernetes/kubelet-config.yaml"
- "/var/lib/kubelet/config.yaml"
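Review bot: `/var/lib/rancher/k3s/server/cred/admin.kubeconfig` is an administrative credential rather than the kubelet's kubeconfig, and it is listed ahead of `/var/lib/rancher/k3s/agent/kubelet.kubeconfig`, so on a K3s server node the kubelet kubeconfig ownership and permission checks would inspect the admin file. Suggest removing the admin entry (the K3s version-specific config already sets `defaultkubeconfig` to the agent file) or at least ordering the agent kubeconfig first.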
Expand All @@ -177,6 +188,8 @@ node:
- "/etc/systemd/system/snap.kubelet.daemon.service"
- "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"
- "/etc/kubernetes/kubelet.yaml"
- "/var/lib/rancher/rke2/agent/kubelet.kubeconfig"

defaultconf: "/var/lib/kubelet/config.yaml"
defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
defaultkubeconfig: "/etc/kubernetes/kubelet.conf"
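Review bot: `/var/lib/rancher/rke2/agent/kubelet.kubeconfig` is added to the kubelet `confs` list, which holds kubelet configuration files (cf. `defaultconf: "/var/lib/kubelet/config.yaml"`), not kubeconfigs; the same path already appears in the `kubeconfig` list above. If it is the first entry that exists on an RKE2 node, the kubelet config-file checks (permissions, ownership and flag parsing) would read a kubeconfig instead. Suggest removing it here, or replacing it with the RKE2 kubelet config path if one was intended.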
Expand All @@ -200,8 +213,11 @@ node:
- "/etc/kubernetes/kubelet-kubeconfig"
- "/etc/kubernetes/kubelet-kubeconfig.conf"
- "/etc/kubernetes/kubelet/config"
- "/etc/kubernetes/ssl/kubecfg-kube-proxy.yaml"
- "/var/lib/kubelet/kubeconfig"
- "/var/snap/microk8s/current/credentials/proxy.config"
- "/var/lib/rancher/rke2/agent/kubeproxy.kubeconfig"
- "/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"
svc:
- "/lib/systemd/system/kube-proxy.service"
- "/etc/systemd/system/snap.microk8s.daemon-proxy.service"
Expand All @@ -227,6 +243,8 @@ etcd:
- /var/snap/etcd/common/etcd.conf.yaml
- /var/snap/microk8s/current/args/etcd
- /usr/lib/systemd/system/etcd.service
- /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml
- /var/lib/rancher/k3s/server/db/etcd/config
defaultconf: /etc/kubernetes/manifests/etcd.yaml
defaultdatadir: /var/lib/etcd/default.etcd

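Review bot: the etcd config candidates diverge between the two sections: under `master.etcd` this change adds `/var/lib/rancher/rke2/server/db/etcd/config`, whereas here the RKE2 entry is `/var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml` and the K3s entry `/var/lib/rancher/k3s/server/db/etcd/config` appears only here. Since the `master` and `etcd` targets evaluate the same etcd instance, the two lists should carry the same paths; suggest adding the missing entries to each and noting which file each distribution actually reads etcd flags from.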
Expand Down Expand Up @@ -272,6 +290,15 @@ version_mapping:
"cis-1.6-k3s": "cis-1.6-k3s"
"cis-1.24-microk8s": "cis-1.24-microk8s"
"tkgi-1.2.53": "tkgi-1.2.53"
"k3s-cis-1.7": "k3s-cis-1.7"
"k3s-cis-1.23": "k3s-cis-1.23"
"k3s-cis-1.24": "k3s-cis-1.24"
"rke-cis-1.7": "rke-cis-1.7"
"rke-cis-1.23": "rke-cis-1.23"
"rke-cis-1.24": "rke-cis-1.24"
"rke2-cis-1.7": "rke2-cis-1.7"
"rke2-cis-1.23": "rke2-cis-1.23"
"rke2-cis-1.24": "rke2-cis-1.24"

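Review bot: the new keys follow a `<distro>-cis-<version>` scheme while the existing K3s entry a few lines above is `cis-1.6-k3s`, so K3s benchmarks now exist under two naming conventions. Suggest either adding an alias for the old form or calling out the rename in the docs so `--benchmark` invocations stay predictable.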
target_mapping:
"cis-1.5":
Expand Down Expand Up @@ -386,3 +413,57 @@ target_mapping:
- "controlplane"
- "node"
- "policies"
"k3s-cis-1.7":
- "master"
- "etcd"
- "controlplane"
- "node"
- "policies"
"k3s-cis-1.23":
- "master"
- "etcd"
- "controlplane"
- "node"
- "policies"
"k3s-cis-1.24":
- "master"
- "etcd"
- "controlplane"
- "node"
- "policies"
"rke-cis-1.7":
- "master"
- "etcd"
- "controlplane"
- "node"
- "policies"
"rke-cis-1.23":
- "master"
- "etcd"
- "controlplane"
- "node"
- "policies"
"rke-cis-1.24":
- "master"
- "etcd"
- "controlplane"
- "node"
- "policies"
"rke2-cis-1.7":
- "master"
- "etcd"
- "controlplane"
- "node"
- "policies"
"rke2-cis-1.23":
- "master"
- "etcd"
- "controlplane"
- "node"
- "policies"
"rke2-cis-1.24":
- "master"
- "etcd"
- "controlplane"
- "node"
- "policies"
46 changes: 46 additions & 0 deletions cfg/k3s-cis-1.23/config.yaml
@@ -0,0 +1,46 @@
---
## Version-specific settings that override the values in cfg/config.yaml

master:
components:
- apiserver
- scheduler
- controllermanager
- etcd
- policies

apiserver:
bins:
- containerd

scheduler:
bins:
- containerd

controllermanager:
bins:
- containerd

etcd:
bins:
- containerd

node:
components:
- kubelet
- proxy

kubelet:
bins:
- containerd
defaultkubeconfig: /var/lib/rancher/k3s/agent/kubelet.kubeconfig
defaultcafile: /var/lib/rancher/k3s/agent/client-ca.crt

proxy:
bins:
- containerd
defaultkubeconfig: /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig

policies:
components:
- policies
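Review bot: every control-plane component (`apiserver`, `scheduler`, `controllermanager`, `etcd`) and both node components set `bins: - containerd`. kube-bench uses `bins` to confirm that a component's process is running and to select its config, so each presence check here reduces to "containerd is running", which holds on any node regardless of whether the API server or etcd is actually up. If the intent is that these components run inside the `k3s` process, that process name would be the more precise binary; at minimum a comment explaining why containerd stands in for each component would help the next reader.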
47 changes: 47 additions & 0 deletions cfg/k3s-cis-1.23/controlplane.yaml
@@ -0,0 +1,47 @@
---
controls:
version: "k3s-cis-1.23"
id: 3
text: "Control Plane Configuration"
type: "controlplane"
groups:
- id: 3.1
text: "Authentication and Authorization"
checks:
- id: 3.1.1
text: "Client certificate authentication should not be used for users (Manual)"
type: "manual"
remediation: |
Alternative mechanisms provided by Kubernetes such as the use of OIDC should be
implemented in place of client certificates.
scored: false

- id: 3.2
text: "Logging"
checks:
- id: 3.2.1
text: "Ensure that a minimal audit policy is created (Manual)"
audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'"
type: "manual"
tests:
test_items:
- flag: "--audit-policy-file"
set: true
remediation: |
Create an audit policy file for your cluster.
scored: false

- id: 3.2.2
text: "Ensure that the audit policy covers key security concerns (Manual)"
type: "manual"
remediation: |
Review the audit policy provided for the cluster and ensure that it covers
at least the following areas,
- Access to Secrets managed by the cluster. Care should be taken to only
log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in
order to avoid risk of logging sensitive data.
- Modification of Pod and Deployment objects.
- Use of `pods/exec`, `pods/portforward`, `pods/proxy` and `services/proxy`.
For most requests, minimally logging at the Metadata level is recommended
(the most basic level of logging).
scored: false
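Review bot: check 3.2.1 is `type: "manual"` yet carries an `audit` command and a `test_items` entry for `--audit-policy-file`; as a manual check the test outcome is not scored, so the audit result is informational only, and the command depends on the API server start-up line still being in the journal (`journalctl -D /var/log/journal ... | tail -n1`), which yields nothing after rotation or on hosts with a volatile journal. Suggest either making the check automated if the audit is trusted, or stating in the remediation text that an empty result may mean the journal no longer holds the start-up line rather than that no audit policy is configured.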