Skip to content

Commit

Permalink
Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s
Browse files Browse the repository at this point in the history 
Based on the information furnished in Self-Assessment and Hardening Guides for Rancher | Rancher ,
kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions.
For the rancher benchmark scripts - we have followed https://github.com/rancher/security-scan/tree/master/package/cfg
  • Loading branch information
@KiranBodipi
KiranBodipi committed Oct 26, 2023
1 parent d70459b commit d2fe885
Show file tree
Hide file tree
Showing 64 changed files with 19,981 additions and 1 deletion.
93 changes: 93 additions & 0 deletions cfg/config.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ master:
- "apiserver"
- "openshift start master api"
- "hypershift openshift-kube-apiserver"
- "containerd"
confs:
- /etc/kubernetes/manifests/kube-apiserver.yaml
- /etc/kubernetes/manifests/kube-apiserver.yml
Expand All @@ -36,6 +37,7 @@ master:
- /var/snap/microk8s/current/args/kube-apiserver
- /etc/origin/master/master-config.yaml
- /etc/kubernetes/manifests/talos-kube-apiserver.yaml
- /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml
defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml

scheduler:
Expand All @@ -45,6 +47,7 @@ master:
- "hyperkube kube-scheduler"
- "scheduler"
- "openshift start master controllers"
- "containerd"
confs:
- /etc/kubernetes/manifests/kube-scheduler.yaml
- /etc/kubernetes/manifests/kube-scheduler.yml
Expand All @@ -53,6 +56,7 @@ master:
- /var/snap/microk8s/current/args/kube-scheduler
- /etc/origin/master/scheduler.json
- /etc/kubernetes/manifests/talos-kube-scheduler.yaml
- /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml
defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
kubeconfig:
- /etc/kubernetes/scheduler.conf
Expand All @@ -70,13 +74,15 @@ master:
- "controller-manager"
- "openshift start master controllers"
- "hypershift openshift-controller-manager"
- "containerd"
confs:
- /etc/kubernetes/manifests/kube-controller-manager.yaml
- /etc/kubernetes/manifests/kube-controller-manager.yml
- /etc/kubernetes/manifests/kube-controller-manager.manifest
- /var/snap/kube-controller-manager/current/args
- /var/snap/microk8s/current/args/kube-controller-manager
- /etc/kubernetes/manifests/talos-kube-controller-manager.yaml
- /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml
defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
kubeconfig:
- /etc/kubernetes/controller-manager.conf
Expand All @@ -101,6 +107,7 @@ master:
- /var/snap/etcd/common/etcd.conf.yaml
- /var/snap/microk8s/current/args/etcd
- /usr/lib/systemd/system/etcd.service
- /var/lib/rancher/rke2/server/db/etcd/config
defaultconf: /etc/kubernetes/manifests/etcd.yaml
defaultdatadir: /var/lib/etcd/default.etcd

Expand All @@ -115,6 +122,7 @@ master:
bins:
- "hyperkube kubelet"
- "kubelet"
- "containerd"

node:
components:
Expand All @@ -132,6 +140,9 @@ node:
- "/etc/kubernetes/certs/ca.crt"
- "/etc/kubernetes/cert/ca.pem"
- "/var/snap/microk8s/current/certs/ca.crt"
- "/var/lib/rancher/rke2/agent/server.crt"
- "/var/lib/rancher/rke2/agent/client-ca.crt"
- "/var/lib/rancher/k3s/agent/client-ca.crt"
svc:
# These paths must also be included
# in the 'confs' property below
Expand All @@ -145,14 +156,19 @@ node:
bins:
- "hyperkube kubelet"
- "kubelet"
- "containerd"
kubeconfig:
- "/etc/kubernetes/kubelet.conf"
- "/etc/kubernetes/kubelet-kubeconfig.conf"
- "/var/lib/kubelet/kubeconfig"
- "/etc/kubernetes/kubelet-kubeconfig"
- "/etc/kubernetes/kubelet/kubeconfig"
- "/etc/kubernetes/ssl/kubecfg-kube-node.yaml"
- "/var/snap/microk8s/current/credentials/kubelet.config"
- "/etc/kubernetes/kubeconfig-kubelet"
- "/var/lib/rancher/rke2/agent/kubelet.kubeconfig"
- "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
- "/var/lib/rancher/k3s/agent/kubelet.kubeconfig"
confs:
- "/etc/kubernetes/kubelet-config.yaml"
- "/var/lib/kubelet/config.yaml"
Expand All @@ -177,6 +193,8 @@ node:
- "/etc/systemd/system/snap.kubelet.daemon.service"
- "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"
- "/etc/kubernetes/kubelet.yaml"
- "/var/lib/rancher/rke2/agent/kubelet.kubeconfig"

defaultconf: "/var/lib/kubelet/config.yaml"
defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
defaultkubeconfig: "/etc/kubernetes/kubelet.conf"
Expand All @@ -190,6 +208,7 @@ node:
- "hyperkube kube-proxy"
- "proxy"
- "openshift start network"
- "containerd"
confs:
- /etc/kubernetes/proxy
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml
Expand All @@ -200,8 +219,11 @@ node:
- "/etc/kubernetes/kubelet-kubeconfig"
- "/etc/kubernetes/kubelet-kubeconfig.conf"
- "/etc/kubernetes/kubelet/config"
- "/etc/kubernetes/ssl/kubecfg-kube-proxy.yaml"
- "/var/lib/kubelet/kubeconfig"
- "/var/snap/microk8s/current/credentials/proxy.config"
- "/var/lib/rancher/rke2/agent/kubeproxy.kubeconfig"
- "/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"
svc:
- "/lib/systemd/system/kube-proxy.service"
- "/etc/systemd/system/snap.microk8s.daemon-proxy.service"
Expand All @@ -215,6 +237,7 @@ etcd:
etcd:
bins:
- "etcd"
- "containerd"
datadirs:
- /var/lib/etcd/default.etcd
- /var/lib/etcd/data.etcd
Expand All @@ -227,6 +250,8 @@ etcd:
- /var/snap/etcd/common/etcd.conf.yaml
- /var/snap/microk8s/current/args/etcd
- /usr/lib/systemd/system/etcd.service
- /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml
- /var/lib/rancher/k3s/server/db/etcd/config
defaultconf: /etc/kubernetes/manifests/etcd.yaml
defaultdatadir: /var/lib/etcd/default.etcd

Expand All @@ -240,6 +265,7 @@ controlplane:
- "hyperkube apiserver"
- "hyperkube kube-apiserver"
- "apiserver"
- "containerd"

policies:
components: []
Expand Down Expand Up @@ -271,6 +297,16 @@ version_mapping:
"ack-1.0": "ack-1.0"
"cis-1.6-k3s": "cis-1.6-k3s"
"tkgi-1.2.53": "tkgi-1.2.53"
"k3s-cis-1.7":
- "k3s-cis-1.7"
"k3s-cis-1.23": "k3s-cis-1.23"
"k3s-cis-1.24": "k3s-cis-1.24"
"rke-cis-1.7": "rke-cis-1.7"
"rke-cis-1.23": "rke-cis-1.23"
"rke-cis-1.24": "rke-cis-1.24"
"rke2-cis-1.7": "rke2-cis-1.7"
"rke2-cis-1.23": "rke2-cis-1.23"
"rke2-cis-1.24": "rke2-cis-1.24"

target_mapping:
"cis-1.5":
Expand Down Expand Up @@ -379,3 +415,60 @@ target_mapping:
- "controlplane"
- "node"
- "policies"
"k3s-cis-1.7":
- "master"
- "etcd"
- "controlplane"
- "node"
- "policies"
"1.7-hardened":
- "tkgi-1.2.53"
- "gke-1.2.0"
"k3s-cis-1.23":
- "master"
- "etcd"
- "controlplane"
- "node"
- "policies"
"k3s-cis-1.24":
- "master"
- "etcd"
- "controlplane"
- "node"
- "policies"
"rke-cis-1.7":
- "master"
- "etcd"
- "controlplane"
- "node"
- "policies"
"rke-cis-1.23":
- "master"
- "etcd"
- "controlplane"
- "node"
- "policies"
"rke-cis-1.24":
- "master"
- "etcd"
- "controlplane"
- "node"
- "policies"
"rke2-cis-1.7":
- "master"
- "etcd"
- "controlplane"
- "node"
- "policies"
"rke2-cis-1.23":
- "master"
- "etcd"
- "controlplane"
- "node"
- "policies"
"rke2-cis-1.24":
- "master"
- "etcd"
- "controlplane"
- "node"
- "policies"
46 changes: 46 additions & 0 deletions cfg/k3s-cis-1.23/config.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
---
## Version-specific settings that override the values in cfg/config.yaml

master:
components:
- apiserver
- scheduler
- controllermanager
- etcd
- policies

apiserver:
bins:
- containerd

scheduler:
bins:
- containerd

controllermanager:
bins:
- containerd

etcd:
bins:
- containerd

node:
components:
- kubelet
- proxy

kubelet:
bins:
- containerd
defaultkubeconfig: /var/lib/rancher/k3s/agent/kubelet.kubeconfig
defaultcafile: /var/lib/rancher/k3s/agent/client-ca.crt

proxy:
bins:
- containerd
defaultkubeconfig: /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig

policies:
components:
- policies
47 changes: 47 additions & 0 deletions cfg/k3s-cis-1.23/controlplane.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
---
controls:
version: "k3s-cis-1.23"
id: 3
text: "Control Plane Configuration"
type: "controlplane"
groups:
- id: 3.1
text: "Authentication and Authorization"
checks:
- id: 3.1.1
text: "Client certificate authentication should not be used for users (Manual)"
type: "manual"
remediation: |
Alternative mechanisms provided by Kubernetes such as the use of OIDC should be
implemented in place of client certificates.
scored: false

- id: 3.2
text: "Logging"
checks:
- id: 3.2.1
text: "Ensure that a minimal audit policy is created (Manual)"
audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'"
type: "manual"
tests:
test_items:
- flag: "--audit-policy-file"
set: true
remediation: |
Create an audit policy file for your cluster.
scored: false

- id: 3.2.2
text: "Ensure that the audit policy covers key security concerns (Manual)"
type: "manual"
remediation: |
Review the audit policy provided for the cluster and ensure that it covers
at least the following areas,
- Access to Secrets managed by the cluster. Care should be taken to only
log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in
order to avoid risk of logging sensitive data.
- Modification of Pod and Deployment objects.
- Use of `pods/exec`, `pods/portforward`, `pods/proxy` and `services/proxy`.
For most requests, minimally logging at the Metadata level is recommended
(the most basic level of logging).
scored: false
Loading

0 comments on commit d2fe885

Please sign in to comment.