3a2348eba7
* Create cis-1.10 yamls and Update info
- Modify yaml versions from 1.9 to 1.10
- Adapt configmap to cover cis-1.10
- Adapt docs and cmd files
* Adapt master.yaml
- 1.2.29 update cipher list to remove the following insecure ones (RC4-Based, 3DES-Based, RSA-Based AES CBC):
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_RC4_128_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA
ticket: https://workbench.cisecurity.org/community/43/tickets/21760
* Adapt policies.yaml
- 5.1.11 typo in sub-resource name 'certificatesigningrequest' https://workbench.cisecurity.org/tickets/21352
- 5.2.2 new audit to verify if a container is privileged or not. https://workbench.cisecurity.org/tickets/20919
- 5.2.3 new audit to verify the presence of hostPID opt-in across all pods. https://workbench.cisecurity.org/tickets/20919
- 5.2.4 new audit to verify the presence of hostIPC opt-in across all pods. https://workbench.cisecurity.org/tickets/20923
- 5.2.5 new audit to verify the presence of hostNetwork opt-in across all pods. https://workbench.cisecurity.org/tickets/20921
- 5.2.6 new audit to verify the presence of 'allowPrivilegeEscalation' to true across all pods' container(s)
- 5.2.6 the 'allowPrivilegeEscalation' setting is moved from 'spec' to 'securityContext' https://workbench.cisecurity.org/tickets/20922
- 5.2.9 new audit to verify the presence of added capabilities across all pods' container(s)
* Fix 5.2.6 remediation
2.9 KiB
Test config YAML representation
The tests (or "controls") are maintained in YAML documents. There are different versions of these test YAML files reflecting different versions and platforms of the CIS Kubernetes Benchmark. You will find more information about the test file YAML definitions in our controls documentation.
Kube-bench benchmarks
The test files for the various versions of Benchmarks can be found in directories
with same name as the Benchmark versions under the cfg directory next to the kube-bench executable,
for example ./cfg/cis-1.5 will contain all test files for CIS Kubernetes Benchmark v1.5.1 which are:
master.yaml, controlplane.yaml, node.yaml, etcd.yaml, policies.yaml and config.yaml
Check the contents of the benchmark directory under cfg to see which targets are available for that benchmark. Each file except config.yaml represents a target (also known as a control in other parts of this documentation).
The following table shows the valid targets based on the CIS Benchmark version.
| CIS Benchmark | Targets |
|---|---|
| cis-1.5 | master, controlplane, node, etcd, policies |
| cis-1.6 | master, controlplane, node, etcd, policies |
| cis-1.20 | master, controlplane, node, etcd, policies |
| cis-1.23 | master, controlplane, node, etcd, policies |
| cis-1.24 | master, controlplane, node, etcd, policies |
| cis-1.7 | master, controlplane, node, etcd, policies |
| cis-1.8 | master, controlplane, node, etcd, policies |
| cis-1.9 | master, controlplane, node, etcd, policies |
| cis-1.10 | master, controlplane, node, etcd, policies |
| gke-1.0 | master, controlplane, node, etcd, policies, managedservices |
| gke-1.2.0 | controlplane, node, policies, managedservices |
| gke-1.6.0 | controlplane, node, policies, managedservices |
| eks-1.0.1 | controlplane, node, policies, managedservices |
| eks-1.1.0 | controlplane, node, policies, managedservices |
| eks-1.2.0 | controlplane, node, policies, managedservices |
| eks-1.5.0 | controlplane, node, policies, managedservices |
| ack-1.0 | master, controlplane, node, etcd, policies, managedservices |
| aks-1.0 | controlplane, node, policies, managedservices |
| rh-0.7 | master,node |
| rh-1.0 | master, controlplane, node, etcd, policies |
| cis-1.6-k3s | master, controlplane, node, etcd, policies |
| cis-1.24-microk8s | master, controlplane, node, etcd, policies |
The following table shows the valid DISA STIG versions
| STIG | Targets |
|---|---|
| eks-stig-kubernetes-v1r6 | master, controlplane, node, policies, managedservices |