Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s #1523

Merged
merged 27 commits into from
Nov 26, 2023
Merged

Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s #1523

merged 27 commits into from
Nov 26, 2023

Conversation

KiranBodipi
Copy link
Contributor

Based on the information furnished in https://ranchermanager.docs.rancher.com/v2.7/pages-for-subheaders/rancher-hardening-guides#hardening-guides-and-benchmark-versions , kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions.
Benchmark files are taken from here https://github.com/rancher/security-scan/tree/master/package/cfg

KiranBodipi and others added 24 commits May 31, 2023 17:33
@KiranBodipi
add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
48ad15c 
with this change, we are adding
1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53
2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397
@KiranBodipi
Merge branch 'main' into main
2f61dc1
@KiranBodipi
add Support VMware Tanzu(TKGI) Benchmarks v1.2.53
7be067c 
with this change, we are adding
1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53
2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks.
3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster
Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397
@KiranBodipi
add support VMware Tanzu(TKGI) Benchmarks v1.2.53
5ca84a8 
fixed all the yaml lint errors
@chen-keinan @KiranBodipi
release: prepare v0.6.15 (aquasecurity#1455)
237705a 
Signed-off-by: chenk <[email protected]>
@dependabot @KiranBodipi
build(deps): bump golang from 1.19.4 to 1.20.4 (aquasecurity#1436)
8931d37 
Bumps golang from 1.19.4 to 1.20.4.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot @chen-keinan @KiranBodipi
build(deps): bump actions/setup-go from 3 to 4 (aquasecurity#1402)
b8e25ad 
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: chenk <[email protected]>
@andypitcher @KiranBodipi
Fix test_items in cis-1.7 - node - 4.2.12 (aquasecurity#1469)
44325de 
Related issue: aquasecurity#1468
@andypitcher @KiranBodipi
Fix node.yaml - 4.1.7 and 4.1.8 audit by adding uniq (aquasecurity#1472)
9abc03f
@deven0t @KiranBodipi
chore: add fips compliant images (aquasecurity#1473)
22b5df3 
For fips complaince we need to generate fips compliant images.
As part of this change, we will create new kube-bench image which will be fips compliant. Image name follows this tag pattern <version>-ubi-fips
@chen-keinan @KiranBodipi
release: prepare v0.6.16-rc (aquasecurity#1476)
649d5ad 
* release: prepare v0.6.16-rc

Signed-off-by: chenk <[email protected]>

* release: prepare v0.6.16-rc

Signed-off-by: chenk <[email protected]>

---------

Signed-off-by: chenk <[email protected]>
@chen-keinan @KiranBodipi
release: prepare v0.6.16 official (aquasecurity#1479)
7041ee9 
Signed-off-by: chenk <[email protected]>
@guillermotti @chen-keinan @KiranBodipi
Update job.yaml (aquasecurity#1477)
63ab667 
* Update job.yaml

Fix on typo for image version

* chore: sync with upstream

Signed-off-by: chenk <[email protected]>

---------

Signed-off-by: chenk <[email protected]>
Co-authored-by: chenk <[email protected]>
@chen-keinan @KiranBodipi
release: prepare v0.6.17 (aquasecurity#1480)
fa171d7 
Signed-off-by: chenk <[email protected]>
@sfc-gh-jelsesiy @KiranBodipi
Bump docker base images (aquasecurity#1465)
b7ed3c5 
During a recent CVE scan we found kube-bench to use `alpine:3.18` as the final image which has a known high CVE.

```
grype aquasec/kube-bench:v0.6.15
 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [73 packages]
 ✔ Scanning image...       [4 vulnerabilities]
   ├── 0 critical, 4 high, 0 medium, 0 low, 0 negligible
   └── 4 fixed
NAME        INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY
libcrypto3  3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
libssl3     3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
openssl     3.1.0-r4   3.1.1-r0  apk   CVE-2023-2650  High
```

The CVE in question was addressed in the latest [alpine release](https://www.alpinelinux.org/posts/Alpine-3.15.9-3.16.6-3.17.4-3.18.2-released.html), hence updating the dockerfiles accordingly
@dependabot @KiranBodipi
build(deps): bump golang from 1.20.4 to 1.20.6 (aquasecurity#1475)
7a71cf7 
Bumps golang from 1.20.4 to 1.20.6.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@KiranBodipi
Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s
fe172aa 
Based on the information furnished in https://ranchermanager.docs.rancher.com/v2.7/pages-for-subheaders/rancher-hardening-guides
kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions.
@KiranBodipi
Merge branch 'main' into kb-cis-support-rancher
7eb142f
@KiranBodipi
RKE/RKE2 CIS Benchmarks
73f2387 
Updated the order of checks for RKE and RKE2 Platforms.
@KiranBodipi
fixed vulnerabilities|upgraded package golang.org/x/net to version v0…
8529fb9 
….17.0
@KiranBodipi
Error handling for RKE Detection Pre-requisites
91e13e5
@KiranBodipi
Merge branch 'aquasecurity:main' into kb-cis-support-rancher
d2f8a98
@KiranBodipi
Based on the information furnished in https://ranchermanager.docs.ran…
b36129c 
…cher.com/v2.7/pages-for-subheaders/rancher-hardening-guides#hardening-guides-and-benchmark-versions, kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions.

updated documentation specific to added rancher platforms
@KiranBodipi
Merge branch 'main' into kb-cis-support-rancher
a8b67fa
@KiranBodipi
Copy link
Contributor Author

Hey @mozillazg @chen-keinan could you kindly assist in reviewing current PR instead of #1513, as it was accidentally closed. Thanks.

mozillazg
mozillazg requested changes Nov 18, 2023
View reviewed changes
Copy link
Collaborator

@mozillazg mozillazg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution! I've added some comments. Please check them when you get a chance. Thanks!

cfg/config.yaml Outdated Show resolved Hide resolved
cmd/util.go Outdated Show resolved Hide resolved
@KiranBodipi
addressed review comments
bf258a6 
1.Implemented IsRKE functionality in kube-bench
2. Removed containerd from global level config and accommodated in individual config file
3. Corrected the control id from 1.2.25 to 1.2.23 in master.yaml(k3s-cis-1.23 and k3s-cis-1.24)
@mozillazg
Copy link
Collaborator

@KiranBodipi Could you please resolve the conflict? Thanks!

mozillazg
mozillazg approved these changes Nov 24, 2023
View reviewed changes
Copy link
Collaborator

@mozillazg mozillazg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, Thanks for your contribution!

@chen-keinan chen-keinan merged commit f8fe5ee into aquasecurity:main Nov 26, 2023
5 checks passed
@neu7ron2
Copy link

The k3s checks don't work properly (if you have used a stand alone K3s instance), for instance
1.1.11 audit check is trying to call some custom script file "check_for_k3s_etcd.sh 1.1.11" which doesn't exist.
Also other check like "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' " takes minutes to complete so should be cached once and reused.

@dereknola dereknola mentioned this pull request Apr 22, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mozillazg mozillazg mozillazg approved these changes

@chen-keinan chen-keinan chen-keinan approved these changes

@deven0t deven0t deven0t approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@KiranBodipi @mozillazg @neu7ron2 @chen-keinan @deven0t @andypitcher @guillermotti @sfc-gh-jelsesiy