-
Notifications
You must be signed in to change notification settings - Fork 519
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add CIS benchmark checks for generating a Kubernetes compliance report #3239
Conversation
c8a6ebb
to
a584c87
Compare
This is great to see! I wrote a daemonset to run the bash script outlined here: https://github.com/aws-samples/containers-blog-maelstrom/tree/main/cis-bottlerocket-benchmark-eks/ Will there be an operator to accompany this or will it be up to users to invoke this client and report the status individually? |
Hey! Great questions. The plan is for the Bottlerocket and Kubernetes benchmarks to ultimately be exposed via So while it's possible to execute this command directly to get the output, the actual end user experience should be a little cleaner through |
91eccbe
to
8c2e4cb
Compare
Added |
4e8d702
to
41b4803
Compare
1437e3c
to
3428e07
Compare
This adds a multicall binary to be used as the common entry point for all Kubernetes CIS benchmark checks. Signed-off-by: Sean McGinnis <[email protected]>
This adds the 4.1.1 check to verify the kubelet service file has restrictive permissions. Signed-off-by: Sean McGinnis <[email protected]>
This adds the 4.1.2 check to make sure the kubelet service file ownership is root:root. Signed-off-by: Sean McGinnis <[email protected]>
This adds the 4.1.5 check to ensure the kubelet.conf file has restrictive permissions. Signed-off-by: Sean McGinnis <[email protected]>
This adds the 4.1.6 check to verify kubelet.conf is owned by root:root. Signed-off-by: Sean McGinnis <[email protected]>
This adds the 4.1.7 check to verify the kubelet CA file has restrictive permissions. Signed-off-by: Sean McGinnis <[email protected]>
This adds check 4.1.8 to verify the kubelet CA file is owned by root:root. Signed-off-by: Sean McGinnis <[email protected]>
This adds the 4.1.9 check to verify the kubelet configuration file has restrictive permissions. Signed-off-by: Sean McGinnis <[email protected]>
This adds check 4.1.10 to verify the kubelet config file is owned by root:root. Signed-off-by: Sean McGinnis <[email protected]>
This adds check 4.2.1 to verify anonymous auth is not enabled. Signed-off-by: Sean McGinnis <[email protected]>
This adds check 4.2.2 to verify authorization mode is not set to AlwaysAllow. Signed-off-by: Sean McGinnis <[email protected]>
This adds check 4.2.3 to verify clientCAFile is configured and points to an actual file. Signed-off-by: Sean McGinnis <[email protected]>
This adds the 4.2.4 to verify the readOnlyPort is not set to 0. Signed-off-by: Sean McGinnis <[email protected]>
This adds check 4.2.5 to verify streamingConnectionIdleTimeout is not set to 0. Signed-off-by: Sean McGinnis <[email protected]>
This adds check 4.2.6 to verify makeIPTablesUtilChains is true. Signed-off-by: Sean McGinnis <[email protected]>
This adds the check to make sure the server TLS certificates are configured correctly. Signed-off-by: Sean McGinnis <[email protected]>
This adds check 4.2.10 to verify rotateCertificates is not disabled. Signed-off-by: Sean McGinnis <[email protected]>
This adds check 4.2.11 to verify RotateKubeletServerCertificate is not disabled. Signed-off-by: Sean McGinnis <[email protected]>
This adds check 4.2.12 to check that kubelet is only configured to use secure cryptographic ciphers. Signed-off-by: Sean McGinnis <[email protected]>
This adds verification that podPidsLimit is configured to restrict the maximum number of PIDs allowed per-pod. Signed-off-by: Sean McGinnis <[email protected]>
This changes the 4.2.10 check to be a manual test response. This check does not apply to EKS or EKS-D since external IAM auth is used. This leaves the validation logic in place as we may want to use it in the future. For not EKS-related use cases, it may make sense to enable configuration of certificate rotation. If/when that is done, this check can be reenabled and updated to validate under the proper conditions. Signed-off-by: Sean McGinnis <[email protected]>
This adds handling for a "type" parameter to be passed along to the `/report/cis` endpoint to control what type of CIS report to generate. The default type is the Bottlerocket CIS benchmark report, with "kubernetes" being the only recognized other option. Signed-off-by: Sean McGinnis <[email protected]>
This adds the `cis-k8s` report subcommand to access the Kubernetes CIS report. It uses the standard CIS arguments of `-l` for level and `-f` for format. Signed-off-by: Sean McGinnis <[email protected]>
3428e07
to
8767ea0
Compare
This is beautiful. Thanks! |
Issue number:
Closes #2852
Description of changes:
This adds a set of CIS benchmark checks to
bloodhound
for the Kubernetes CIS benchmark.Still needs exposure through
apiserver
andapiclient
. The plumbing for CIS reports in general are still being worked on for the CIS Bottlerocket benchmark. Depending on timing, the wiring up of this benchmark will either be added to this PR in additional commits, or added as a follow up PR after this one merges.Testing done:
Ran new checks on
aws-k8s-1.26
node:Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.