Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update job.yaml #1477

Merged
merged 3 commits into from
Jul 25, 2023
Merged

Update job.yaml #1477

merged 3 commits into from
Jul 25, 2023

Conversation

guillermotti
Copy link
Contributor

Fix on typo for image version

Fix on typo for image version
@CLAassistant
Copy link

CLAassistant commented Jul 24, 2023

CLA assistant check
All committers have signed the CLA.

@chen-keinan chen-keinan merged commit c8cabc4 into aquasecurity:main Jul 25, 2023
4 checks passed
KiranBodipi pushed a commit to KiranBodipi/kube-bench that referenced this pull request Nov 2, 2023
* Update job.yaml

Fix on typo for image version

* chore: sync with upstream

Signed-off-by: chenk <[email protected]>

---------

Signed-off-by: chenk <[email protected]>
Co-authored-by: chenk <[email protected]>
chen-keinan added a commit that referenced this pull request Nov 26, 2023
* add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
with this change, we are adding
1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53
2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397

* add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
with this change, we are adding
1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53
2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397

* release: prepare v0.6.15 (#1455)

Signed-off-by: chenk <[email protected]>

* build(deps): bump golang from 1.19.4 to 1.20.4 (#1436)

Bumps golang from 1.19.4 to 1.20.4.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump actions/setup-go from 3 to 4 (#1402)

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: chenk <[email protected]>

* Fix test_items in cis-1.7 - node - 4.2.12 (#1469)

Related issue: #1468

* Fix node.yaml - 4.1.7 and 4.1.8 audit by adding uniq (#1472)

* chore: add fips compliant images (#1473)

For fips complaince we need to generate fips compliant images.
As part of this change, we will create new kube-bench image which will be fips compliant. Image name follows this tag pattern <version>-ubi-fips

* release: prepare v0.6.16-rc (#1476)

* release: prepare v0.6.16-rc

Signed-off-by: chenk <[email protected]>

* release: prepare v0.6.16-rc

Signed-off-by: chenk <[email protected]>

---------

Signed-off-by: chenk <[email protected]>

* release: prepare v0.6.16 official (#1479)

Signed-off-by: chenk <[email protected]>

* Update job.yaml (#1477)

* Update job.yaml

Fix on typo for image version

* chore: sync with upstream

Signed-off-by: chenk <[email protected]>

---------

Signed-off-by: chenk <[email protected]>
Co-authored-by: chenk <[email protected]>

* release: prepare v0.6.17 (#1480)

Signed-off-by: chenk <[email protected]>

* Bump docker base images (#1465)

During a recent CVE scan we found kube-bench to use `alpine:3.18` as the final image which has a known high CVE.

```
grype aquasec/kube-bench:v0.6.15
 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [73 packages]
 ✔ Scanning image...       [4 vulnerabilities]
   ├── 0 critical, 4 high, 0 medium, 0 low, 0 negligible
   └── 4 fixed
NAME        INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY
libcrypto3  3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
libssl3     3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
openssl     3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
```

The CVE in question was addressed in the latest [alpine release](https://www.alpinelinux.org/posts/Alpine-3.15.9-3.16.6-3.17.4-3.18.2-released.html), hence updating the dockerfiles accordingly

* build(deps): bump golang from 1.20.4 to 1.20.6 (#1475)

Bumps golang from 1.20.4 to 1.20.6.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s
Based on the information furnished in https://ranchermanager.docs.rancher.com/v2.7/pages-for-subheaders/rancher-hardening-guides
kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions.

* RKE/RKE2 CIS Benchmarks
Updated the order of checks for RKE and RKE2 Platforms.

* fixed vulnerabilities|upgraded package golang.org/x/net to version v0.17.0

* Error handling for RKE Detection Pre-requisites

* Based on the information furnished in https://ranchermanager.docs.rancher.com/v2.7/pages-for-subheaders/rancher-hardening-guides#hardening-guides-and-benchmark-versions, kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions.
updated documentation specific to added rancher platforms

* addressed review comments
1.Implemented IsRKE functionality in kube-bench
2. Removed containerd from global level config and accommodated in individual config file
3. Corrected the control id from 1.2.25 to 1.2.23 in master.yaml(k3s-cis-1.23 and k3s-cis-1.24)

* Removed unncessary dependency - kubernetes-provider-detector

---------

Signed-off-by: chenk <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: chenk <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Andy Pitcher <[email protected]>
Co-authored-by: Devendra Turkar <[email protected]>
Co-authored-by: Guille Vigil <[email protected]>
Co-authored-by: Jonas-Taha El Sesiy <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants