1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-25 01:18:12 +00:00

Support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (#1045)

* Update eks-1.0 to support CIS EKS Benchmark v1.0.1

* add "No remediation"

* rename eks-1.0 to eks-1.0.1

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
This commit is contained in:
Huang Huang 2021-11-18 16:42:53 +08:00 committed by GitHub
parent f8e0171c09
commit 6589eb16e1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 107 additions and 198 deletions

View File

@ -244,7 +244,7 @@ version_mapping:
"1.18": "cis-1.6"
"1.19": "cis-1.20"
"1.20": "cis-1.20"
"eks-1.0": "eks-1.0"
"eks-1.0.1": "eks-1.0.1"
"gke-1.0": "gke-1.0"
"ocp-3.10": "rh-0.7"
"ocp-3.11": "rh-0.7"
@ -278,7 +278,7 @@ target_mapping:
- "etcd"
- "policies"
- "managedservices"
"eks-1.0":
"eks-1.0.1":
- "master"
- "node"
- "controlplane"

View File

@ -1,6 +1,6 @@
---
controls:
version: "eks-1.0"
version: "eks-1.0.1"
id: 2
text: "Control Plane Configuration"
type: "controlplane"
@ -9,6 +9,6 @@ groups:
text: "Logging"
checks:
- id: 2.1.1
text: "Enable audit logs"
text: "Enable audit logs (Manual)"
remediation: "Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler."
scored: false

View File

@ -1,6 +1,6 @@
---
controls:
version: "eks-1.0"
version: "eks-1.0.1"
id: 5
text: "Managed Services"
type: "managedservices"
@ -9,78 +9,78 @@ groups:
text: "Image Registry and Image Scanning"
checks:
- id: 5.1.1
text: "Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third-party provider (Not Scored)"
text: "Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third-party provider (Manual)"
type: "manual"
remediation:
remediation: "No remediation"
scored: false
- id: 5.1.2
text: "Minimize user access to Amazon ECR (Not Scored)"
text: "Minimize user access to Amazon ECR (Manual)"
type: "manual"
remediation:
remediation: "No remediation"
scored: false
- id: 5.1.3
text: "Minimize cluster access to read-only for Amazon ECR (Not Scored)"
text: "Minimize cluster access to read-only for Amazon ECR (Manual)"
type: "manual"
remediation:
remediation: "No remediation"
scored: false
- id: 5.1.4
text: "Minimize Container Registries to only those approved (Not Scored)"
text: "Minimize Container Registries to only those approved (Manual)"
type: "manual"
remediation:
remediation: "No remediation"
scored: false
- id: 5.2
text: "Identity and Access Management (IAM)"
checks:
- id: 5.2.1
text: "Prefer using dedicated Amazon EKS Service Accounts (Not Scored)"
text: "Prefer using dedicated Amazon EKS Service Accounts (Manual)"
type: "manual"
remediation:
remediation: "No remediation"
scored: false
- id: 5.3
text: "AWS Key Management Service (AWS KMS)"
text: "AWS Key Management Service (KMS)"
checks:
- id: 5.3.1
text: "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Not Scored)"
text: "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Manual)"
type: "manual"
remediation:
remediation: "No remediation"
scored: false
- id: 5.4
text: "Cluster Networking"
checks:
- id: 5.4.1
text: "Restrict Access to the Control Plane Endpoint (Not Scored)"
text: "Restrict Access to the Control Plane Endpoint (Manual)"
type: "manual"
remediation:
remediation: "No remediation"
scored: false
- id: 5.4.2
text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Not Scored)"
text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
type: "manual"
remediation:
remediation: "No remediation"
scored: false
- id: 5.4.3
text: "Ensure clusters are created with Private Nodes (Not Scored)"
text: "Ensure clusters are created with Private Nodes (Manual)"
type: "manual"
remediation:
remediation: "No remediation"
scored: false
- id: 5.4.4
text: "Ensure Network Policy is Enabled and set as appropriate (Not Scored)"
text: "Ensure Network Policy is Enabled and set as appropriate (Manual)"
type: "manual"
remediation:
remediation: "No remediation"
scored: false
- id: 5.4.5
text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Not Scored)"
text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)"
type: "manual"
remediation:
remediation: "No remediation"
scored: false
@ -88,9 +88,9 @@ groups:
text: "Authentication and Authorization"
checks:
- id: 5.5.1
text: "Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes (Not Scored)"
text: "Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes (Manual)"
type: "manual"
remediation:
remediation: "No remediation"
scored: false
@ -98,7 +98,7 @@ groups:
text: "Other Cluster Configurations"
checks:
- id: 5.6.1
text: "Consider Fargate for running untrusted workloads (Not Scored)"
text: "Consider Fargate for running untrusted workloads (Manual)"
type: "manual"
remediation:
remediation: "No remediation"
scored: false

View File

@ -1,6 +1,6 @@
---
controls:
version: "eks-1.0"
version: "eks-1.0.1"
id: 1
text: "Control Plane Components"
type: "master"

View File

@ -1,6 +1,6 @@
---
controls:
version: "eks-1.0"
version: "eks-1.0.1"
id: 3
text: "Worker Node Security Configuration"
type: "node"
@ -9,127 +9,62 @@ groups:
text: "Worker Node Configuration Files"
checks:
- id: 3.1.1
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' '
text: "Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Manual)"
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
tests:
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
bin_op: or
remediation: |
Run the below command (based on the file location on your system) on each worker node.
Run the below command (based on the file location on your system) on the each worker node.
For example,
chmod 644 $proxykubeconfig
scored: true
chmod 644 $kubeletkubeconfig
scored: false
- id: 3.1.2
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
text: "Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)"
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
tests:
test_items:
- flag: root:root
set: true
remediation: |
Run the below command (based on the file location on your system) on each worker node.
For example, chown root:root $proxykubeconfig
scored: true
Run the below command (based on the file location on your system) on the each worker node.
For example,
chown root:root $kubeletkubeconfig
scored: false
- id: 3.1.3
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' '
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Manual)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
tests:
test_items:
- flag: "644"
set: true
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
- flag: "640"
set: true
compare:
op: eq
value: "640"
- flag: "600"
set: true
compare:
op: eq
value: "600"
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
bin_op: or
remediation: |
Run the following command (using the config file location identied in the Audit step)
Run the following command (using the config file location identified in the Audit step)
chmod 644 $kubeletconf
scored: true
scored: false
- id: 3.1.4
text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
text: "Ensure that the kubelet configuration file ownership is set to root:root (Manual)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
tests:
test_items:
- flag: root:root
set: true
remediation: |
Run the following command (using the config file location identied in the Audit step)
Run the following command (using the config file location identified in the Audit step)
chown root:root $kubeletconf
scored: true
scored: false
- id: 3.2
text: "Kubelet"
checks:
- id: 3.2.1
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
@ -153,7 +88,7 @@ groups:
scored: true
- id: 3.2.2
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
@ -176,7 +111,7 @@ groups:
scored: true
- id: 3.2.3
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
text: "Ensure that the --client-ca-file argument is set as appropriate (Manual)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
@ -194,10 +129,10 @@ groups:
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
scored: false
- id: 3.2.4
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
@ -217,10 +152,10 @@ groups:
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
scored: false
- id: 3.2.5
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
@ -245,10 +180,10 @@ groups:
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
scored: false
- id: 3.2.6
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
@ -271,7 +206,7 @@ groups:
scored: true
- id: 3.2.7
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored) "
text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated) "
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
@ -298,7 +233,7 @@ groups:
scored: true
- id: 3.2.8
text: "Ensure that the --hostname-override argument is not set (Scored)"
text: "Ensure that the --hostname-override argument is not set (Manual)"
# This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
@ -314,10 +249,10 @@ groups:
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
scored: false
- id: 3.2.9
text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Scored)"
text: "Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
@ -339,7 +274,7 @@ groups:
scored: false
- id: 3.2.10
text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
text: "Ensure that the --rotate-certificates argument is not set to false (Manual)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
@ -364,10 +299,10 @@ groups:
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
scored: false
- id: 3.2.11
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
@ -385,4 +320,4 @@ groups:
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
scored: false

View File

@ -1,6 +1,6 @@
---
controls:
version: "eks-1.0"
version: "eks-1.0.1"
id: 4
text: "Policies"
type: "policies"
@ -9,7 +9,7 @@ groups:
text: "RBAC and Service Accounts"
checks:
- id: 4.1.1
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
text: "Ensure that the cluster-admin role is only used where required (Manual)"
type: "manual"
remediation: |
Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
@ -20,14 +20,14 @@ groups:
scored: false
- id: 4.1.2
text: "Minimize access to secrets (Not Scored)"
text: "Minimize access to secrets (Manual)"
type: "manual"
remediation: |
Where possible, remove get, list and watch access to secret objects in the cluster.
scored: false
- id: 4.1.3
text: "Minimize wildcard use in Roles and ClusterRoles (Not Scored)"
text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
type: "manual"
remediation: |
Where possible replace any use of wildcards in clusterroles and roles with specific
@ -35,14 +35,14 @@ groups:
scored: false
- id: 4.1.4
text: "Minimize access to create pods (Not Scored)"
text: "Minimize access to create pods (Manual)"
type: "manual"
Remediation: |
Where possible, remove create access to pod objects in the cluster.
scored: false
- id: 4.1.5
text: "Ensure that default service accounts are not actively used. (Not Scored)"
text: "Ensure that default service accounts are not actively used. (Manual)"
type: "manual"
remediation: |
Create explicit service accounts wherever a Kubernetes workload requires specific access
@ -52,7 +52,7 @@ groups:
scored: false
- id: 4.1.6
text: "Ensure that Service Account Tokens are only mounted where necessary (Not Scored)"
text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)"
type: "manual"
remediation: |
Modify the definition of pods and service accounts which do not need to mount service
@ -63,7 +63,7 @@ groups:
text: "Pod Security Policies"
checks:
- id: 4.2.1
text: "Minimize the admission of privileged containers (Not Scored)"
text: "Minimize the admission of privileged containers (Automated)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that
@ -71,7 +71,7 @@ groups:
scored: false
- id: 4.2.2
text: "Minimize the admission of containers wishing to share the host process ID namespace (Not Scored)"
text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
@ -79,7 +79,7 @@ groups:
scored: false
- id: 4.2.3
text: "Minimize the admission of containers wishing to share the host IPC namespace (Not Scored)"
text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
@ -87,7 +87,7 @@ groups:
scored: false
- id: 4.2.4
text: "Minimize the admission of containers wishing to share the host network namespace (Not Scored)"
text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
@ -95,7 +95,7 @@ groups:
scored: false
- id: 4.2.5
text: "Minimize the admission of containers with allowPrivilegeEscalation (Not Scored)"
text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
@ -103,7 +103,7 @@ groups:
scored: false
- id: 4.2.6
text: "Minimize the admission of root containers (Not Scored)"
text: "Minimize the admission of root containers (Automated)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
@ -112,7 +112,7 @@ groups:
scored: false
- id: 4.2.7
text: "Minimize the admission of containers with the NET_RAW capability (Not Scored)"
text: "Minimize the admission of containers with the NET_RAW capability (Automated)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
@ -120,7 +120,7 @@ groups:
scored: false
- id: 4.2.8
text: "Minimize the admission of containers with added capabilities (Not Scored)"
text: "Minimize the admission of containers with added capabilities (Automated)"
type: "manual"
remediation: |
Ensure that allowedCapabilities is not present in PSPs for the cluster unless
@ -128,7 +128,7 @@ groups:
scored: false
- id: 4.2.9
text: "Minimize the admission of containers with capabilities assigned (Not Scored)"
text: "Minimize the admission of containers with capabilities assigned (Manual)"
type: "manual"
remediation: |
Review the use of capabilities in applications running on your cluster. Where a namespace
@ -140,14 +140,14 @@ groups:
text: "CNI Plugin"
checks:
- id: 4.3.1
text: "Ensure that the latest CNI version is used (Not Scored)"
text: "Ensure that the latest CNI version is used (Manual)"
type: "manual"
remediation: |
Review the documentation of AWS CNI plugin, and ensure latest CNI version is used.
scored: false
- id: 4.3.2
text: "Ensure that all Namespaces have Network Policies defined (Not Scored)"
text: "Ensure that all Namespaces have Network Policies defined (Automated)"
type: "manual"
remediation: |
Follow the documentation and create NetworkPolicy objects as you need them.
@ -157,7 +157,7 @@ groups:
text: "Secrets Management"
checks:
- id: 4.4.1
text: "Prefer using secrets as files over secrets as environment variables (Not Scored)"
text: "Prefer using secrets as files over secrets as environment variables (Manual)"
type: "manual"
remediation: |
If possible, rewrite application code to read secrets from mounted secret files, rather than
@ -165,7 +165,7 @@ groups:
scored: false
- id: 4.4.2
text: "Consider external secret storage (Not Scored)"
text: "Consider external secret storage (Manual)"
type: "manual"
remediation: |
Refer to the secrets management options offered by your cloud provider or a third-party
@ -176,7 +176,7 @@ groups:
text: "Extensible Admission Control"
checks:
- id: 4.5.1
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
type: "manual"
remediation: |
Follow the Kubernetes documentation and setup image provenance.
@ -186,7 +186,7 @@ groups:
text: "General Policies"
checks:
- id: 4.6.1
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
text: "Create administrative boundaries between resources using namespaces (Manual)"
type: "manual"
remediation: |
Follow the documentation and create namespaces for objects in your deployment as you need
@ -194,33 +194,7 @@ groups:
scored: false
- id: 4.6.2
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
type: "manual"
remediation: |
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing "--feature-
gates=AllAlpha=true" argument.
Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
parameter to "--feature-gates=AllAlpha=true"
KUBE_API_ARGS="--feature-gates=AllAlpha=true"
Based on your system, restart the kube-apiserver service. For example:
systemctl restart kube-apiserver.service
Use annotations to enable the docker/default seccomp profile in your pod definitions. An
example is as below:
apiVersion: v1
kind: Pod
metadata:
name: trustworthy-pod
annotations:
seccomp.security.alpha.kubernetes.io/pod: docker/default
spec:
containers:
- name: trustworthy-container
image: sotrustworthy:latest
scored: false
- id: 4.6.3
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
text: "Apply Security Context to Your Pods and Containers (Manual)"
type: "manual"
remediation: |
Follow the Kubernetes documentation and apply security contexts to your pods. For a
@ -228,8 +202,8 @@ groups:
Containers.
scored: false
- id: 4.6.4
text: "The default namespace should not be used (Not Scored)"
- id: 4.6.3
text: "The default namespace should not be used (Automated)"
type: "manual"
remediation: |
Ensure that namespaces are created to allow for appropriate segregation of Kubernetes

View File

@ -438,8 +438,8 @@ func TestValidTargets(t *testing.T) {
expected: true,
},
{
name: "eks-1.0 valid",
benchmark: "eks-1.0",
name: "eks-1.0.1 valid",
benchmark: "eks-1.0.1",
targets: []string{"node", "policies", "controlplane", "managedservices"},
expected: true,
},

View File

@ -455,7 +455,7 @@ func getPlatformBenchmarkVersion(platform string) string {
glog.V(3).Infof("getPlatformBenchmarkVersion platform: %s", platform)
switch platform {
case "eks":
return "eks-1.0"
return "eks-1.0.1"
case "gke":
return "gke-1.0"
case "aliyun":

View File

@ -578,7 +578,7 @@ func Test_getPlatformBenchmarkVersion(t *testing.T) {
args: args{
platform: "eks",
},
want: "eks-1.0",
want: "eks-1.0.1",
},
{
name: "gke",

View File

@ -19,7 +19,7 @@ The following table shows the valid targets based on the CIS Benchmark version.
| cis-1.6| master, controlplane, node, etcd, policies |
|cis-1.20| master, controlplane, node, etcd, policies |
| gke-1.0| master, controlplane, node, etcd, policies, managedservices |
| eks-1.0| controlplane, node, policies, managedservices |
| eks-1.0.1| controlplane, node, policies, managedservices |
| ack-1.0| master, controlplane, node, etcd, policies, managedservices |
| rh-0.7| master,node|
| rh-1.0| master, controlplane, node, etcd, policies |

View File

@ -11,7 +11,7 @@ Some defined by other hardenening guides.
| CIS | [1.6.0](https://workbench.cisecurity.org/benchmarks/4834) | cis-1.6 | 1.16-1.18 |
| CIS | [1.20](https://workbench.cisecurity.org/benchmarks/6246) | cis-1.20 | 1.19-1.20 |
| CIS | [GKE 1.0.0](https://workbench.cisecurity.org/benchmarks/4536) | gke-1.0 | GKE |
| CIS | [EKS 1.0.0](https://workbench.cisecurity.org/benchmarks/5190) | eks-1.0 | EKS |
| CIS | [EKS 1.0.1](https://workbench.cisecurity.org/benchmarks/6041) | eks-1.0.1 | EKS |
| CIS | [ACK 1.0.0](https://workbench.cisecurity.org/benchmarks/6467) | ack-1.0 | ACK |
| CIS | [AKS 1.0.0](https://workbench.cisecurity.org/benchmarks/6347) | aks-1.0 | AKS |
| RHEL | RedHat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |

View File

@ -33,7 +33,7 @@ spec:
# Push the image to your ECR and then refer to it here
# image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
image: aquasec/kube-bench:latest
command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0", "--asff"]
command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0.1", "--asff"]
volumeMounts:
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
@ -45,7 +45,7 @@ spec:
mountPath: /etc/kubernetes
readOnly: true
- name: kube-bench-eks-config
mountPath: "/opt/kube-bench/cfg/eks-1.0/config.yaml"
mountPath: "/opt/kube-bench/cfg/eks-1.0.1/config.yaml"
subPath: config.yaml
readOnly: true
restartPolicy: Never

View File

@ -13,7 +13,7 @@ spec:
# image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
image: aquasec/kube-bench:latest
# To send findings to AWS Security Hub, refer to `job-eks-asff.yaml` instead
command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0"]
command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0.1"]
volumeMounts:
- name: var-lib-kubelet
mountPath: /var/lib/kubelet