mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2025-01-15 18:20:54 +00:00
3a2348eba7
* Create cis-1.10 yamls and Update info
  - Modify yaml versions from 1.9 to 1.10
  - Adapt configmap to cover cis-1.10
  - Adapt docs and cmd files
* Adapt master.yaml
  - 1.2.29 update cipher list to remove the following insecure ones (RC4-Based, 3DES-Based, RSA-Based AES CBC): TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA
    ticket: https://workbench.cisecurity.org/community/43/tickets/21760
* Adapt policies.yaml
  - 5.1.11 typo in sub-resource name 'certificatesigningrequest' https://workbench.cisecurity.org/tickets/21352
  - 5.2.2 new audit to verify if a container is privileged or not. https://workbench.cisecurity.org/tickets/20919
  - 5.2.3 new audit to verify the presence of hostPID opt-in across all pods. https://workbench.cisecurity.org/tickets/20919
  - 5.2.4 new audit to verify the presence of hostIPC opt-in across all pods. https://workbench.cisecurity.org/tickets/20923
  - 5.2.5 new audit to verify the presence of hostNetwork opt-in across all pods. https://workbench.cisecurity.org/tickets/20921
  - 5.2.6 new audit to verify the presence of 'allowPrivilegeEscalation' to true across all pods' container(s)
  - 5.2.6 the 'allowPrivilegeEscalation' setting is moved from 'spec' to 'securityContext' https://workbench.cisecurity.org/tickets/20922
  - 5.2.9 new audit to verify the presence of added capabilities across all pods' container(s)
* Fix 5.2.6 remediation
48 lines
2.9 KiB
Markdown
## Test config YAML representation

The tests (or "controls") are maintained in YAML documents. There are different versions of these test YAML files reflecting different [versions and platforms of the CIS Kubernetes Benchmark](./platforms.md). You will find more information about the test file YAML definitions in our [controls documentation](./controls.md).

## Kube-bench benchmarks
The test files for the various versions of Benchmarks can be found in directories with the same name as the Benchmark versions under the `cfg` directory next to the kube-bench executable. For example, `./cfg/cis-1.5` will contain all test files for [CIS Kubernetes Benchmark v1.5.1](https://workbench.cisecurity.org/benchmarks/4892), which are: master.yaml, controlplane.yaml, node.yaml, etcd.yaml, policies.yaml and config.yaml.

Check the contents of the benchmark directory under `cfg` to see which targets are available for that benchmark. Each file except `config.yaml` represents a target (also known as a `control` in other parts of this documentation).

The following table shows the valid targets based on the CIS Benchmark version.

| CIS Benchmark        | Targets |
|----------------------|---------|
| cis-1.5              | master, controlplane, node, etcd, policies |
| cis-1.6              | master, controlplane, node, etcd, policies |
| cis-1.20             | master, controlplane, node, etcd, policies |
| cis-1.23             | master, controlplane, node, etcd, policies |
| cis-1.24             | master, controlplane, node, etcd, policies |
| cis-1.7              | master, controlplane, node, etcd, policies |
| cis-1.8              | master, controlplane, node, etcd, policies |
| cis-1.9              | master, controlplane, node, etcd, policies |
| cis-1.10             | master, controlplane, node, etcd, policies |
| gke-1.0              | master, controlplane, node, etcd, policies, managedservices |
| gke-1.2.0            | controlplane, node, policies, managedservices |
| gke-1.6.0            | controlplane, node, policies, managedservices |
| eks-1.0.1            | controlplane, node, policies, managedservices |
| eks-1.1.0            | controlplane, node, policies, managedservices |
| eks-1.2.0            | controlplane, node, policies, managedservices |
| eks-1.5.0            | controlplane, node, policies, managedservices |
| ack-1.0              | master, controlplane, node, etcd, policies, managedservices |
| aks-1.0              | controlplane, node, policies, managedservices |
| rh-0.7               | master, node |
| rh-1.0               | master, controlplane, node, etcd, policies |
| cis-1.6-k3s          | master, controlplane, node, etcd, policies |
| cis-1.24-microk8s    | master, controlplane, node, etcd, policies |

The following table shows the valid DISA STIG versions.

| STIG                       | Targets |
|----------------------------|---------|
| eks-stig-kubernetes-v1r6   | master, controlplane, node, policies, managedservices |
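The layout described above (one YAML file per target under `cfg/<benchmark>`, with `config.yaml` excluded) can be used to reject an invalid target list before a scan is started. The shell functions below are an added example, not part of kube-bench; the names `list_targets`, `validate_targets` and `make_sample_cfg` are hypothetical, and the sample tree is constructed from the cis-1.10 and eks-1.5.0 rows of the table.

```shell
#!/bin/sh
# Added example (not kube-bench code); all function names are hypothetical.

# list_targets CFG_DIR BENCHMARK: print one target per line, i.e. every
# *.yaml file in CFG_DIR/BENCHMARK except config.yaml.
list_targets() {
    dir="$1/$2"
    [ -d "$dir" ] || { echo "unknown benchmark: $2" >&2; return 2; }
    for f in "$dir"/*.yaml; do
        [ -e "$f" ] || continue             # directory has no YAML files
        name=$(basename "$f" .yaml)
        [ "$name" = "config" ] && continue  # config.yaml is not a target
        echo "$name"
    done
}

# validate_targets CFG_DIR BENCHMARK "t1,t2,...": return 0 if every requested
# target exists for the benchmark, 1 if any is missing, 2 if no such benchmark.
validate_targets() {
    available=$(list_targets "$1" "$2") || return 2
    rc=0
    old_ifs=$IFS; IFS=,
    for t in $3; do
        printf '%s\n' "$available" | grep -qxF -- "$t" || {
            echo "target '$t' is not defined for $2" >&2
            rc=1
        }
    done
    IFS=$old_ifs
    return "$rc"
}

# make_sample_cfg: build a constructed cfg tree of empty files and print its path.
make_sample_cfg() {
    root=$(mktemp -d)
    mkdir -p "$root/cis-1.10" "$root/eks-1.5.0"
    for t in master controlplane node etcd policies config; do
        : > "$root/cis-1.10/$t.yaml"
    done
    for t in controlplane node policies managedservices config; do
        : > "$root/eks-1.5.0/$t.yaml"
    done
    echo "$root"
}

cfg=$(make_sample_cfg)
validate_targets "$cfg" cis-1.10 "master,etcd" && echo "cis-1.10: ok"
validate_targets "$cfg" eks-1.5.0 "node,etcd" || echo "eks-1.5.0: refusing to run"
rm -rf "$cfg"
```
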