mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-29 11:28:14 +00:00
7027b6b2ec
* Create cis-1.9 yamls and Update info - policies.yaml - 5.1.1 to 5.1.6 were adapted from Manual to Automated - 5.1.3 got broken down into 5.1.3.1 and 5.1.3.2 - 5.1.6 got broken down into 5.1.6.1 and 5.1.6.2 - version was set to cis-1.9 - node.yaml master.yaml controlplane.yaml etcd.yaml - version was set to cis-1.9 * Adapt master.yaml - Expand 1.1.13/1.1.14 checks by adding super-admin.conf to the permission and ownership verification - Remove 1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual) - Adjust numbering from 1.2.12 to 1.2.29 * Adjust policies.yaml - Check 5.2.3 to 5.2.9 Title Automated to Manual * Append node.yaml - Create 4.3 kube-config group - Create 4.3.1 Ensure that the kube-proxy metrics service is bound to localhost (Automated) * Adjust policies 5.1.3 and 5.1.6 - Merge 5.1.3.1 and 5.1.3.2 into 5.1.3 (use role_is_compliant and clusterrole_is_compliant) - Remove 5.1.6.1 and promote 5.1.6.2 to 5.1.6 since it natively covered 5.1.6.1 artifacts * Add kubectl dependency and update publish - Download kubectl (build stage) based on version and architecture - Add binary checksum verification - Use go env GOARCH for ARCH
36 lines
6.6 KiB
Markdown
36 lines
6.6 KiB
Markdown
|
|
## CIS Kubernetes Benchmark support
|
|
|
|
kube-bench supports running tests for Kubernetes.
|
|
Most of our supported benchmarks are defined in one of the following:
|
|
[CIS Kubernetes Benchmarks](https://www.cisecurity.org/benchmark/kubernetes/)
|
|
[STIG Document Library](https://public.cyber.mil/stigs/downloads)
|
|
|
|
Some defined by other hardenening guides.
|
|
|
|
| Source | Kubernetes Benchmark | kube-bench config | Kubernetes versions |
|
|
|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------|---------------------|
|
|
| CIS | [1.5.1](https://workbench.cisecurity.org/benchmarks/4892) | cis-1.5 | 1.15 |
|
|
| CIS | [1.6.0](https://workbench.cisecurity.org/benchmarks/4834) | cis-1.6 | 1.16-1.18 |
|
|
| CIS | [1.20](https://workbench.cisecurity.org/benchmarks/6246) | cis-1.20 | 1.19-1.21 |
|
|
| CIS | [1.23](https://workbench.cisecurity.org/benchmarks/7532) | cis-1.23 | 1.22-1.23 |
|
|
| CIS | [1.24](https://workbench.cisecurity.org/benchmarks/10873) | cis-1.24 | 1.24 |
|
|
| CIS | [1.7](https://workbench.cisecurity.org/benchmarks/11107) | cis-1.7 | 1.25 |
|
|
| CIS | [1.8](https://workbench.cisecurity.org/benchmarks/12958) | cis-1.8 | 1.26 |
|
|
| CIS | [1.9](https://workbench.cisecurity.org/benchmarks/16828) | cis-1.9 | 1.27-1.29 |
|
|
| CIS | [GKE 1.0.0](https://workbench.cisecurity.org/benchmarks/4536) | gke-1.0 | GKE |
|
|
| CIS | [GKE 1.2.0](https://workbench.cisecurity.org/benchmarks/7534) | gke-1.2.0 | GKE |
|
|
| CIS | [EKS 1.0.1](https://workbench.cisecurity.org/benchmarks/6041) | eks-1.0.1 | EKS |
|
|
| CIS | [EKS 1.1.0](https://workbench.cisecurity.org/benchmarks/6248) | eks-1.1.0 | EKS |
|
|
| CIS | [EKS 1.2.0](https://workbench.cisecurity.org/benchmarks/9681) | eks-1.2.0 | EKS |
|
|
| CIS | [ACK 1.0.0](https://workbench.cisecurity.org/benchmarks/6467) | ack-1.0 | ACK |
|
|
| CIS | [AKS 1.0.0](https://workbench.cisecurity.org/benchmarks/6347) | aks-1.0 | AKS |
|
|
| RHEL | RedHat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |
|
|
| CIS | [OCP4 1.1.0](https://workbench.cisecurity.org/benchmarks/6778) | rh-1.0 | OCP 4.1- |
|
|
| CIS | [1.6.0-k3s](https://docs.rancher.cn/docs/k3s/security/self-assessment/_index) | cis-1.6-k3s | k3s v1.16-v1.24 |
|
|
| DISA | [Kubernetes Ver 1, Rel 6](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V1R6_STIG.zip) | eks-stig-kubernetes-v1r6 | EKS |
|
|
| CIS | [TKGI 1.2.53](https://network.pivotal.io/products/p-compliance-scanner#/releases/1248397) | tkgi-1.2.53 | vmware |
|
|
| CIS | [1.7.0-rke](https://ranchermanager.docs.rancher.com/v2.7/reference-guides/rancher-security/hardening-guides/rke1-hardening-guide/rke1-self-assessment-guide-with-cis-v1.7-k8s-v1.25-v1.26-v1.27) | rke-cis-1.7 | rke v1.25-v1.27 |
|
|
| CIS | [1.7.0-rke2](https://ranchermanager.docs.rancher.com/v2.7/reference-guides/rancher-security/hardening-guides/rke2-hardening-guide/rke2-self-assessment-guide-with-cis-v1.7-k8s-v1.25-v1.26-v1.27) | rke2-cis-1.6 | rke2 v1.25-v1.27 |
|
|
| CIS | [1.7.0-k3s](https://ranchermanager.docs.rancher.com/v2.7/reference-guides/rancher-security/hardening-guides/k3s-hardening-guide/k3s-self-assessment-guide-with-cis-v1.7-k8s-v1.25-v1.26-v1.27) | k3s-cis-1.7 | k3s v1.25-v1.27 |
|