kube-bench/docs/architecture.md

## Test config YAML representation

The tests (or "controls") are maintained in YAML documents. There are different versions of these test YAML files reflecting different [versions and platforms of the CIS Kubernetes Benchmark](./platforms.md). You will find more information about the test file YAML definitions in our [controls documentation](./controls.md).

## Kube-bench benchmarks

The test files for the various versions of Benchmarks can be found in directories
with same name as the Benchmark versions under the `cfg` directory next to the kube-bench executable,
for example `./cfg/cis-1.5` will contain all test files for [CIS Kubernetes Benchmark v1.5.1](https://workbench.cisecurity.org/benchmarks/4892) which are:
master.yaml, controlplane.yaml, node.yaml, etcd.yaml, policies.yaml and config.yaml

Check the contents of the benchmark directory under `cfg` to see which targets are available for that benchmark. Each file except `config.yaml` represents a target (also known as a `control` in other parts of this documentation).

The following table shows the valid targets based on the CIS Benchmark version.

| CIS Benchmark        | Targets |
|----------------------|---------|
| cis-1.5              | master, controlplane, node, etcd, policies |
| cis-1.6              | master, controlplane, node, etcd, policies |
| cis-1.20             | master, controlplane, node, etcd, policies |
| cis-1.23             | master, controlplane, node, etcd, policies |
| cis-1.24             | master, controlplane, node, etcd, policies |
| cis-1.7              | master, controlplane, node, etcd, policies |
| cis-1.8              | master, controlplane, node, etcd, policies |
| cis-1.9              | master, controlplane, node, etcd, policies |
| cis-1.10             | master, controlplane, node, etcd, policies |
| gke-1.0              | master, controlplane, node, etcd, policies, managedservices |
| gke-1.2.0            | controlplane, node, policies, managedservices |
| gke-1.6.0            | controlplane, node, policies, managedservices |
| eks-1.0.1            | controlplane, node, policies, managedservices |
| eks-1.1.0            | controlplane, node, policies, managedservices |
| eks-1.2.0            | controlplane, node, policies, managedservices |
| eks-1.5.0            | controlplane, node, policies, managedservices |
| ack-1.0              | master, controlplane, node, etcd, policies, managedservices |
| aks-1.0              | controlplane, node, policies, managedservices |
| rh-0.7               | master,node|
| rh-1.0               | master, controlplane, node, etcd, policies |
| rh-1.6               | master, controlplane, node, etcd, policies |
| cis-1.6-k3s          | master, controlplane, node, etcd, policies |
| cis-1.24-microk8s    | master, controlplane, node, etcd, policies |

The following table shows the valid DISA STIG versions

| STIG                       | Targets |
|----------------------------|---------|
| eks-stig-kubernetes-v1r6   | master, controlplane, node, policies, managedservices |
mkdocs support and update docs (#884) * Delete README.md * Edit readme and separate into different files * Update README.md * Update Running.md * Update CONTRIBUTING.md * Create Contributing.md * Add files via upload * Update Index.md * Rename Flags and Commands.md to Flags_and_commands.md * Rename Index.md to index.md * Create mkdocs.yml * Delete images directory * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * Create mkdocs-dev.yaml * Create mkdocs-latest.yaml * Update mkdocs.yml * Update mkdocs.yml * Update mkdocs.yml Add yamllint --- * Make it yamllint comply * Make Yamllint comply * Make Yamllint comply * Change description Co-authored-by: Itay Shakury <itay@itaysk.com> * Fix syntax Co-authored-by: Itay Shakury <itay@itaysk.com> * Update docs/Architecture.md Co-authored-by: Itay Shakury <itay@itaysk.com> * Update docs/Architecture.md Co-authored-by: Itay Shakury <itay@itaysk.com> * Update example for test files * Update contributing * Delete Contributing.md * Update Flags_and_commands.md * Change syntax and add source * Update Platforms.md * lower case file names * lower case file names * Lower case file names * Lower case file names * Lower case file names * Lower case file names * Add note about inspect master in some platforms * Add quick start * Lower case files names * Lower case files names * Fixing typo * Remove section about old ocp * Fix typos Co-authored-by: Itay Shakury <itay@itaysk.com> 2021-06-09 08:17:16 +00:00			`## Test config YAML representation`

			`The tests (or "controls") are maintained in YAML documents. There are different versions of these test YAML files reflecting different [versions and platforms of the CIS Kubernetes Benchmark](./platforms.md). You will find more information about the test file YAML definitions in our [controls documentation](./controls.md).`

			`## Kube-bench benchmarks`

			`The test files for the various versions of Benchmarks can be found in directories`
feat: CIS EKS 1.5.0 (#1653) * feat(cfg): add EKS 1.5.0 * fix(cfg): target map * fix: update eks job * fix: target mapping * feat: use CIS EKS 1.5.0 by default * fix: scored in node.yaml Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com> * doc: add CIS EKS 1.5.0 Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com> --------- Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com> 2025-01-10 09:18:50 +00:00			with same name as the Benchmark versions under the `cfg` directory next to the kube-bench executable,
mkdocs support and update docs (#884) * Delete README.md * Edit readme and separate into different files * Update README.md * Update Running.md * Update CONTRIBUTING.md * Create Contributing.md * Add files via upload * Update Index.md * Rename Flags and Commands.md to Flags_and_commands.md * Rename Index.md to index.md * Create mkdocs.yml * Delete images directory * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * Create mkdocs-dev.yaml * Create mkdocs-latest.yaml * Update mkdocs.yml * Update mkdocs.yml * Update mkdocs.yml Add yamllint --- * Make it yamllint comply * Make Yamllint comply * Make Yamllint comply * Change description Co-authored-by: Itay Shakury <itay@itaysk.com> * Fix syntax Co-authored-by: Itay Shakury <itay@itaysk.com> * Update docs/Architecture.md Co-authored-by: Itay Shakury <itay@itaysk.com> * Update docs/Architecture.md Co-authored-by: Itay Shakury <itay@itaysk.com> * Update example for test files * Update contributing * Delete Contributing.md * Update Flags_and_commands.md * Change syntax and add source * Update Platforms.md * lower case file names * lower case file names * Lower case file names * Lower case file names * Lower case file names * Lower case file names * Add note about inspect master in some platforms * Add quick start * Lower case files names * Lower case files names * Fixing typo * Remove section about old ocp * Fix typos Co-authored-by: Itay Shakury <itay@itaysk.com> 2021-06-09 08:17:16 +00:00			for example `./cfg/cis-1.5` will contain all test files for [CIS Kubernetes Benchmark v1.5.1](https://workbench.cisecurity.org/benchmarks/4892) which are:
feat: CIS EKS 1.5.0 (#1653) * feat(cfg): add EKS 1.5.0 * fix(cfg): target map * fix: update eks job * fix: target mapping * feat: use CIS EKS 1.5.0 by default * fix: scored in node.yaml Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com> * doc: add CIS EKS 1.5.0 Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com> --------- Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com> 2025-01-10 09:18:50 +00:00			`master.yaml, controlplane.yaml, node.yaml, etcd.yaml, policies.yaml and config.yaml`
mkdocs support and update docs (#884) * Delete README.md * Edit readme and separate into different files * Update README.md * Update Running.md * Update CONTRIBUTING.md * Create Contributing.md * Add files via upload * Update Index.md * Rename Flags and Commands.md to Flags_and_commands.md * Rename Index.md to index.md * Create mkdocs.yml * Delete images directory * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * Create mkdocs-dev.yaml * Create mkdocs-latest.yaml * Update mkdocs.yml * Update mkdocs.yml * Update mkdocs.yml Add yamllint --- * Make it yamllint comply * Make Yamllint comply * Make Yamllint comply * Change description Co-authored-by: Itay Shakury <itay@itaysk.com> * Fix syntax Co-authored-by: Itay Shakury <itay@itaysk.com> * Update docs/Architecture.md Co-authored-by: Itay Shakury <itay@itaysk.com> * Update docs/Architecture.md Co-authored-by: Itay Shakury <itay@itaysk.com> * Update example for test files * Update contributing * Delete Contributing.md * Update Flags_and_commands.md * Change syntax and add source * Update Platforms.md * lower case file names * lower case file names * Lower case file names * Lower case file names * Lower case file names * Lower case file names * Add note about inspect master in some platforms * Add quick start * Lower case files names * Lower case files names * Fixing typo * Remove section about old ocp * Fix typos Co-authored-by: Itay Shakury <itay@itaysk.com> 2021-06-09 08:17:16 +00:00
feat: CIS EKS 1.5.0 (#1653) * feat(cfg): add EKS 1.5.0 * fix(cfg): target map * fix: update eks job * fix: target mapping * feat: use CIS EKS 1.5.0 by default * fix: scored in node.yaml Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com> * doc: add CIS EKS 1.5.0 Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com> --------- Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com> 2025-01-10 09:18:50 +00:00			Check the contents of the benchmark directory under `cfg` to see which targets are available for that benchmark. Each file except `config.yaml` represents a target (also known as a `control` in other parts of this documentation).
mkdocs support and update docs (#884) * Delete README.md * Edit readme and separate into different files * Update README.md * Update Running.md * Update CONTRIBUTING.md * Create Contributing.md * Add files via upload * Update Index.md * Rename Flags and Commands.md to Flags_and_commands.md * Rename Index.md to index.md * Create mkdocs.yml * Delete images directory * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * Create mkdocs-dev.yaml * Create mkdocs-latest.yaml * Update mkdocs.yml * Update mkdocs.yml * Update mkdocs.yml Add yamllint --- * Make it yamllint comply * Make Yamllint comply * Make Yamllint comply * Change description Co-authored-by: Itay Shakury <itay@itaysk.com> * Fix syntax Co-authored-by: Itay Shakury <itay@itaysk.com> * Update docs/Architecture.md Co-authored-by: Itay Shakury <itay@itaysk.com> * Update docs/Architecture.md Co-authored-by: Itay Shakury <itay@itaysk.com> * Update example for test files * Update contributing * Delete Contributing.md * Update Flags_and_commands.md * Change syntax and add source * Update Platforms.md * lower case file names * lower case file names * Lower case file names * Lower case file names * Lower case file names * Lower case file names * Add note about inspect master in some platforms * Add quick start * Lower case files names * Lower case files names * Fixing typo * Remove section about old ocp * Fix typos Co-authored-by: Itay Shakury <itay@itaysk.com> 2021-06-09 08:17:16 +00:00
			`The following table shows the valid targets based on the CIS Benchmark version.`
Add docs for cis v1.20 (#914) Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com> 2021-06-20 09:56:56 +00:00
feat(cis-1.24-microk8s): Add support to CIS-1.24 for microk8s distro (#1510) 2023-11-20 10:59:32 +00:00			`\| CIS Benchmark \| Targets \|`
			`\|----------------------\|---------\|`
			`\| cis-1.5 \| master, controlplane, node, etcd, policies \|`
			`\| cis-1.6 \| master, controlplane, node, etcd, policies \|`
			`\| cis-1.20 \| master, controlplane, node, etcd, policies \|`
			`\| cis-1.23 \| master, controlplane, node, etcd, policies \|`
			`\| cis-1.24 \| master, controlplane, node, etcd, policies \|`
			`\| cis-1.7 \| master, controlplane, node, etcd, policies \|`
support CIS Kubernetes Benchmark v1.8.0 (#1527) * support CIS Kubernetes Benchmark v1.8.0 * update version info 2023-12-02 07:59:30 +00:00			`\| cis-1.8 \| master, controlplane, node, etcd, policies \|`
Add CIS kubernetes CIS-1.9 for k8s v1.27 - v1.29 (#1617) * Create cis-1.9 yamls and Update info - policies.yaml - 5.1.1 to 5.1.6 were adapted from Manual to Automated - 5.1.3 got broken down into 5.1.3.1 and 5.1.3.2 - 5.1.6 got broken down into 5.1.6.1 and 5.1.6.2 - version was set to cis-1.9 - node.yaml master.yaml controlplane.yaml etcd.yaml - version was set to cis-1.9 * Adapt master.yaml - Expand 1.1.13/1.1.14 checks by adding super-admin.conf to the permission and ownership verification - Remove 1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual) - Adjust numbering from 1.2.12 to 1.2.29 * Adjust policies.yaml - Check 5.2.3 to 5.2.9 Title Automated to Manual * Append node.yaml - Create 4.3 kube-config group - Create 4.3.1 Ensure that the kube-proxy metrics service is bound to localhost (Automated) * Adjust policies 5.1.3 and 5.1.6 - Merge 5.1.3.1 and 5.1.3.2 into 5.1.3 (use role_is_compliant and clusterrole_is_compliant) - Remove 5.1.6.1 and promote 5.1.6.2 to 5.1.6 since it natively covered 5.1.6.1 artifacts * Add kubectl dependency and update publish - Download kubectl (build stage) based on version and architecture - Add binary checksum verification - Use go env GOARCH for ARCH 2024-06-26 12:53:57 +00:00			`\| cis-1.9 \| master, controlplane, node, etcd, policies \|`
Merge branch 'upstream-main' into cis-openshift-1-6 2025-01-29 17:51:20 +00:00			`\| cis-1.10 \| master, controlplane, node, etcd, policies \|`
feat(cis-1.24-microk8s): Add support to CIS-1.24 for microk8s distro (#1510) 2023-11-20 10:59:32 +00:00			`\| gke-1.0 \| master, controlplane, node, etcd, policies, managedservices \|`
			`\| gke-1.2.0 \| controlplane, node, policies, managedservices \|`
Add GKE 1.6 CIS benchmark for GCP environment (#1672) * Add config entries for GKE 1.6 controls * Add gke1.6 control plane recommendations * Add gke-1.6.0 worker node recommendations * Add gke-1.6.0 policy recommendations * Add managed services and policy recommendation * Add master recommendations * Fix formatting across gke-1.6.0 files * Add gke-1.6.0 benchmark selection based on k8s version * Workaround: hardcode kubelet config path for gke-1.6.0 * Fix tests for makeIPTablesUtilChaings * Change scored field for all node tests to true * Fix kubelet file permission to check for --------- Co-authored-by: afdesk <work@afdesk.com> 2024-10-11 04:49:35 +00:00			`\| gke-1.6.0 \| controlplane, node, policies, managedservices \|`
feat(cis-1.24-microk8s): Add support to CIS-1.24 for microk8s distro (#1510) 2023-11-20 10:59:32 +00:00			`\| eks-1.0.1 \| controlplane, node, policies, managedservices \|`
			`\| eks-1.1.0 \| controlplane, node, policies, managedservices \|`
			`\| eks-1.2.0 \| controlplane, node, policies, managedservices \|`
feat: CIS EKS 1.5.0 (#1653) * feat(cfg): add EKS 1.5.0 * fix(cfg): target map * fix: update eks job * fix: target mapping * feat: use CIS EKS 1.5.0 by default * fix: scored in node.yaml Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com> * doc: add CIS EKS 1.5.0 Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com> --------- Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com> 2025-01-10 09:18:50 +00:00			`\| eks-1.5.0 \| controlplane, node, policies, managedservices \|`
feat(cis-1.24-microk8s): Add support to CIS-1.24 for microk8s distro (#1510) 2023-11-20 10:59:32 +00:00			`\| ack-1.0 \| master, controlplane, node, etcd, policies, managedservices \|`
			`\| aks-1.0 \| controlplane, node, policies, managedservices \|`
			`\| rh-0.7 \| master,node\|`
			`\| rh-1.0 \| master, controlplane, node, etcd, policies \|`
Merge branch 'upstream-main' into cis-openshift-1-6 2025-01-29 17:51:20 +00:00			`\| rh-1.6 \| master, controlplane, node, etcd, policies \|`
feat(cis-1.24-microk8s): Add support to CIS-1.24 for microk8s distro (#1510) 2023-11-20 10:59:32 +00:00			`\| cis-1.6-k3s \| master, controlplane, node, etcd, policies \|`
			`\| cis-1.24-microk8s \| master, controlplane, node, etcd, policies \|`
mkdocs support and update docs (#884) * Delete README.md * Edit readme and separate into different files * Update README.md * Update Running.md * Update CONTRIBUTING.md * Create Contributing.md * Add files via upload * Update Index.md * Rename Flags and Commands.md to Flags_and_commands.md * Rename Index.md to index.md * Create mkdocs.yml * Delete images directory * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * Create mkdocs-dev.yaml * Create mkdocs-latest.yaml * Update mkdocs.yml * Update mkdocs.yml * Update mkdocs.yml Add yamllint --- * Make it yamllint comply * Make Yamllint comply * Make Yamllint comply * Change description Co-authored-by: Itay Shakury <itay@itaysk.com> * Fix syntax Co-authored-by: Itay Shakury <itay@itaysk.com> * Update docs/Architecture.md Co-authored-by: Itay Shakury <itay@itaysk.com> * Update docs/Architecture.md Co-authored-by: Itay Shakury <itay@itaysk.com> * Update example for test files * Update contributing * Delete Contributing.md * Update Flags_and_commands.md * Change syntax and add source * Update Platforms.md * lower case file names * lower case file names * Lower case file names * Lower case file names * Lower case file names * Lower case file names * Add note about inspect master in some platforms * Add quick start * Lower case files names * Lower case files names * Fixing typo * Remove section about old ocp * Fix typos Co-authored-by: Itay Shakury <itay@itaysk.com> 2021-06-09 08:17:16 +00:00
Adding eks-stig-kubernetes-v1r6 (#1266) * Adding eks-stig-kubernetes-v1r6 * Fixing lint errors * Reformatting texts * Removing pinned docker tag * Updating Expected Stig Output Co-authored-by: EC2 Default User <ec2-user@ip-10-0-44-222.ec2.internal> 2022-09-14 14:40:48 +00:00			`The following table shows the valid DISA STIG versions`

			`\| STIG \| Targets \|`
			`\|----------------------------\|---------\|`
			`\| eks-stig-kubernetes-v1r6 \| master, controlplane, node, policies, managedservices \|`

mkdocs support and update docs (#884) * Delete README.md * Edit readme and separate into different files * Update README.md * Update Running.md * Update CONTRIBUTING.md * Create Contributing.md * Add files via upload * Update Index.md * Rename Flags and Commands.md to Flags_and_commands.md * Rename Index.md to index.md * Create mkdocs.yml * Delete images directory * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * Create mkdocs-dev.yaml * Create mkdocs-latest.yaml * Update mkdocs.yml * Update mkdocs.yml * Update mkdocs.yml Add yamllint --- * Make it yamllint comply * Make Yamllint comply * Make Yamllint comply * Change description Co-authored-by: Itay Shakury <itay@itaysk.com> * Fix syntax Co-authored-by: Itay Shakury <itay@itaysk.com> * Update docs/Architecture.md Co-authored-by: Itay Shakury <itay@itaysk.com> * Update docs/Architecture.md Co-authored-by: Itay Shakury <itay@itaysk.com> * Update example for test files * Update contributing * Delete Contributing.md * Update Flags_and_commands.md * Change syntax and add source * Update Platforms.md * lower case file names * lower case file names * Lower case file names * Lower case file names * Lower case file names * Lower case file names * Add note about inspect master in some platforms * Add quick start * Lower case files names * Lower case files names * Fixing typo * Remove section about old ocp * Fix typos Co-authored-by: Itay Shakury <itay@itaysk.com> 2021-06-09 08:17:16 +00:00