Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding GKE-1.6.0 CIS benchmark #1677

Open
wants to merge 16 commits into
base: main
Choose a base branch
from
Open

Adding GKE-1.6.0 CIS benchmark #1677

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
2ad0aa1
Added yamls for OKE
rootxrishabh May 10, 2024
a8dda72
Merge pull request #2 from nirmata/add-oke-support
rootxrishabh May 10, 2024
2148409
Crawl paths from ENVs
rootxrishabh Jun 10, 2024
a70243f
Fixed typos
rootxrishabh Jun 10, 2024
5414877
Update config.yaml
rootxrishabh Jun 11, 2024
6ed1721
changes made
rootxrishabh Jun 11, 2024
45dfc51
Merge pull request #3 from nirmata/error-testing-oke
rootxrishabh Jun 11, 2024
01ea8f8
Merge pull request #4 from nirmata/add-oke-support
rootxrishabh Jun 13, 2024
75ead54
NDEV-20011 : adding CIS GKE-1.6.0 benchmarks
deboshree-b Aug 16, 2024
96a8081
NDEV-20011 : initial commit for other benchmarks
deboshree-b Aug 26, 2024
2668e26
Revert "NDEV-20011 : initial commit for other benchmarks"
deboshree-b Aug 26, 2024
e85614e
Revert "NDEV-20011 : adding CIS GKE-1.6.0 benchmarks"
deboshree-b Aug 26, 2024
f55346b
NDEV-20011 : adding gke 1.6.0 benchmark
deboshree-b Sep 10, 2024
1388da7
NDEV-20011 : adding type and test for scored = true benchmarks
deboshree-b Sep 10, 2024
5e7030f
NDEV-20011 : adding gke-1.6.0 in config.yaml
deboshree-b Sep 10, 2024
083b002
NDEV-20011 : updating test for gke 1.6.0 - 4.1.4 benchmark
deboshree-b Sep 10, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions cfg/config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -165,6 +165,7 @@ node:
- "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
- "/var/lib/rancher/k3s/agent/kubelet.kubeconfig"
confs:
- "/etc/kubernetes/kubelet-config.json"
- "/etc/kubernetes/kubelet-config.yaml"
- "/var/lib/kubelet/config.yaml"
- "/var/lib/kubelet/config.yml"
Expand Down Expand Up @@ -278,11 +279,13 @@ version_mapping:
"1.24": "cis-1.24"
"1.25": "cis-1.7"
"1.26": "cis-1.8"
"oke-1.26": "oke-1.26"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it seems oke-1.26 doesn't relevant GKE-1.6.0, right?
or did i miss something?

"eks-1.0.1": "eks-1.0.1"
"eks-1.1.0": "eks-1.1.0"
"eks-1.2.0": "eks-1.2.0"
"gke-1.0": "gke-1.0"
"gke-1.2.0": "gke-1.2.0"
"gke-1.6.0": "gke-1.6.0"
"ocp-3.10": "rh-0.7"
"ocp-3.11": "rh-0.7"
"ocp-4.0": "rh-1.0"
Expand Down Expand Up @@ -369,6 +372,12 @@ target_mapping:
- "controlplane"
- "policies"
- "managedservices"
"gke-1.6.0":
- "master"
- "node"
- "controlplane"
- "policies"
- "managedservices"
"eks-1.0.1":
- "master"
- "node"
Expand Down Expand Up @@ -474,3 +483,5 @@ target_mapping:
- "controlplane"
- "node"
- "policies"
"oke-1.26":
- "node"
2 changes: 2 additions & 0 deletions cfg/gke-1.6.0/config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
---
## Version-specific settings that override the values in cfg/config.yaml
35 changes: 35 additions & 0 deletions cfg/gke-1.6.0/controlplane.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
---
controls:
version: "gke-1.6.0"
id: 2
text: "Control Plane Configuration"
type: "controlplane"
groups:
- id: 2.1
text: "Authentication and Authorization"
checks:
- id: 2.1.1
text: "Client certificate authentication should not be used for users (Automated)"
audit: "kubectl get secrets --namespace kube-system -o json"
remediation: |
Alternative mechanisms provided by Kubernetes such as the use of OIDC should be
implemented in place of client certificates.
You can remediate the availability of client certificates in your GKE cluster. See
Recommendation 5.8.1.
scored: false

- id: 2.2
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is no more section 2.2. in GKE 1.6.0: https://workbench.cisecurity.org/benchmarks/16093/sections/2382179

text: "Logging"
type: skip
checks:
- id: 2.2.1
text: "Ensure that a minimal audit policy is created (Manual)"
type: "manual"
remediation: "This control cannot be modified in GKE."
scored: false

- id: 2.2.2
text: "Ensure that the audit policy covers key security concerns (Manual)"
type: "manual"
remediation: "This control cannot be modified in GKE."
scored: false
Loading