Add CIS benchmark checks for generating a Kubernetes compliance report

[stmcginnis]

Issue number:

Closes #2852

Description of changes:

This adds a set of CIS benchmark checks to bloodhound for the Kubernetes CIS benchmark.

Still needs exposure through apiserver and apiclient. The plumbing for CIS reports in general are still being worked on for the CIS Bottlerocket benchmark. Depending on timing, the wiring up of this benchmark will either be added to this PR in additional commits, or added as a follow up PR after this one merges.

Testing done:

Ran new checks on aws-k8s-1.26 node:

[ssm-user@control]$ apiclient report cis-k8s
Benchmark name:  CIS Kubernetes Benchmark (Worker Node)
Version:         v1.7.1
Reference:       https://www.cisecurity.org/benchmark/kubernetes
Benchmark level: 1
Start time:      2023-07-18T15:09:51.451720655Z

[PASS] 4.1.1     Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automatic)
[PASS] 4.1.2     Ensure that the kubelet service file ownership is set to root:root (Automatic)
[SKIP] 4.1.3     If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)
[SKIP] 4.1.4     If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)
[PASS] 4.1.5     Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automatic)
[PASS] 4.1.6     Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automatic)
[PASS] 4.1.7     Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automatic)
[PASS] 4.1.8     Ensure that the client certificate authorities file ownership is set to root:root (Automatic)
[PASS] 4.1.9     If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automatic)
[PASS] 4.1.10    If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root (Automatic)
[PASS] 4.2.1     Ensure that the --anonymous-auth argument is set to false (Automatic)
[PASS] 4.2.2     Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automatic)
[PASS] 4.2.3     Ensure that the --client-ca-file argument is set as appropriate (Automatic)
[PASS] 4.2.4     Verify that the --read-only-port argument is set to 0 (Automatic)
[PASS] 4.2.5     Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automatic)
[PASS] 4.2.6     Ensure that the --make-iptables-util-chains argument is set to true (Automatic)
[SKIP] 4.2.7     Ensure that the --hostname-override argument is not set (not valid for Bottlerocket) (Manual)
[PASS] 4.2.9     Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automatic)
[SKIP] 4.2.10    Ensure that the --rotate-certificates argument is not set to false (not valid for Bottlerocket) (Manual)
[PASS] 4.2.11    Verify that the RotateKubeletServerCertificate argument is set to true (Automatic)
[PASS] 4.2.12    Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Automatic)
[PASS] 4.2.13    Ensure that a limit is set on pod PIDs (Automatic)

Passed:          18
Failed:          0
Skipped:         4
Total checks:    22

Compliance check result: PASS

[ssm-user@control]$ apiclient report cis-k8s -l 2
Benchmark name:  CIS Kubernetes Benchmark (Worker Node)
Version:         v1.7.1
Reference:       https://www.cisecurity.org/benchmark/kubernetes
Benchmark level: 2
Start time:      2023-07-18T15:10:15.191556058Z

[PASS] 4.1.1     Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automatic)
...

[ssm-user@control]$ apiclient report cis-k8sh
Missing or unknown subcommand for 'report'
...

apiclient report cis-k8s -l 2 -f json
{
  "level": 2,
  "total": 23,
  "passed": 18,
  "skipped": 5,
  "failed": 0,
  "status": "PASS",
  "timestamp": "2023-07-18T15:10:32.352887194Z",
  "name": "CIS Kubernetes Benchmark (Worker Node)",
  "version": "v1.7.1",
  "url": "https://www.cisecurity.org/benchmark/kubernetes",
  "results": {
    "k8s04010100": {
      "name": "k8s04010100",
      "id": "4.1.1",
      "level": 1,
      "title": "Ensure that the kubelet service file permissions are set to 644 or more restrictive",
      "mode": "Automatic",
      "status": "PASS",
      "error": ""
    },
   ...
}

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

[maxres-ch]

This is great to see! I wrote a daemonset to run the bash script outlined here: https://github.com/aws-samples/containers-blog-maelstrom/tree/main/cis-bottlerocket-benchmark-eks/

Will there be an operator to accompany this or will it be up to users to invoke this client and report the status individually?

[stmcginnis]

Will there be an operator to accompany this or will it be up to users to invoke this client and report the status individually?

Hey! Great questions. The plan is for the Bottlerocket and Kubernetes benchmarks to ultimately be exposed via apiclient. That work is still in progress, with the apiserver updates happening here, and the last step of wiring in to apiclient coming once that is done.

So while it's possible to execute this command directly to get the output, the actual end user experience should be a little cleaner through apiclient report cis-k8s (or something like that).

[stmcginnis]

Added apiserver and apiclient parts of the complete implementation and rebased on develop to resolve conflicts.

[grodriguezl]

This is beautiful. Thanks!