7027b6b2ec
* Create cis-1.9 yamls and Update info
- policies.yaml
- 5.1.1 to 5.1.6 were adapted from Manual to Automated
- 5.1.3 got broken down into 5.1.3.1 and 5.1.3.2
- 5.1.6 got broken down into 5.1.6.1 and 5.1.6.2
- version was set to cis-1.9
- node.yaml master.yaml controlplane.yaml etcd.yaml
- version was set to cis-1.9
* Adapt master.yaml
- Expand 1.1.13/1.1.14 checks by adding super-admin.conf to the permission and ownership verification
- Remove 1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)
- Adjust numbering from 1.2.12 to 1.2.29
* Adjust policies.yaml
- Check 5.2.3 to 5.2.9 Title Automated to Manual
* Append node.yaml
- Create 4.3 kube-config group
- Create 4.3.1 Ensure that the kube-proxy metrics service is bound to localhost (Automated)
* Adjust policies 5.1.3 and 5.1.6
- Merge 5.1.3.1 and 5.1.3.2 into 5.1.3 (use role_is_compliant and clusterrole_is_compliant)
- Remove 5.1.6.1 and promote 5.1.6.2 to 5.1.6 since it natively covered 5.1.6.1 artifacts
* Add kubectl dependency and update publish
- Download kubectl (build stage) based on version and architecture
- Add binary checksum verification
- Use go env GOARCH for ARCH
2.7 KiB
Test config YAML representation
The tests (or "controls") are maintained in YAML documents. There are different versions of these test YAML files reflecting different versions and platforms of the CIS Kubernetes Benchmark. You will find more information about the test file YAML definitions in our controls documentation.
Kube-bench benchmarks
The test files for the various versions of Benchmarks can be found in directories
with same name as the Benchmark versions under the cfg directory next to the kube-bench executable,
for example ./cfg/cis-1.5 will contain all test files for CIS Kubernetes Benchmark v1.5.1 which are:
master.yaml, controlplane.yaml, node.yaml, etcd.yaml, policies.yaml and config.yaml
Check the contents of the benchmark directory under cfg to see which targets are available for that benchmark. Each file except config.yaml represents a target (also known as a control in other parts of this documentation).
The following table shows the valid targets based on the CIS Benchmark version.
| CIS Benchmark | Targets |
|---|---|
| cis-1.5 | master, controlplane, node, etcd, policies |
| cis-1.6 | master, controlplane, node, etcd, policies |
| cis-1.20 | master, controlplane, node, etcd, policies |
| cis-1.23 | master, controlplane, node, etcd, policies |
| cis-1.24 | master, controlplane, node, etcd, policies |
| cis-1.7 | master, controlplane, node, etcd, policies |
| cis-1.8 | master, controlplane, node, etcd, policies |
| cis-1.9 | master, controlplane, node, etcd, policies |
| gke-1.0 | master, controlplane, node, etcd, policies, managedservices |
| gke-1.2.0 | controlplane, node, policies, managedservices |
| eks-1.0.1 | controlplane, node, policies, managedservices |
| eks-1.1.0 | controlplane, node, policies, managedservices |
| eks-1.2.0 | controlplane, node, policies, managedservices |
| ack-1.0 | master, controlplane, node, etcd, policies, managedservices |
| aks-1.0 | controlplane, node, policies, managedservices |
| rh-0.7 | master,node |
| rh-1.0 | master, controlplane, node, etcd, policies |
| cis-1.6-k3s | master, controlplane, node, etcd, policies |
| cis-1.24-microk8s | master, controlplane, node, etcd, policies |
The following table shows the valid DISA STIG versions
| STIG | Targets |
|---|---|
| eks-stig-kubernetes-v1r6 | master, controlplane, node, policies, managedservices |