Add CIS benchmark checks for generating a Kubernetes compliance report #3239

This adds a multicall binary to be used as the common entry point for all Kubernetes CIS benchmark checks. Signed-off-by: Sean McGinnis <[email protected]>

This adds the 4.1.1 check to verify the kubelet service file has restrictive permissions. Signed-off-by: Sean McGinnis <[email protected]>

This adds the 4.1.2 check to make sure the kubelet service file ownership is root:root. Signed-off-by: Sean McGinnis <[email protected]>

This adds the 4.1.5 check to ensure the kubelet.conf file has restrictive permissions. Signed-off-by: Sean McGinnis <[email protected]>

This adds the 4.1.6 check to verify kubelet.conf is owned by root:root. Signed-off-by: Sean McGinnis <[email protected]>

This adds the 4.1.7 check to verify the kubelet CA file has restrictive permissions. Signed-off-by: Sean McGinnis <[email protected]>

This adds check 4.1.8 to verify the kubelet CA file is owned by root:root. Signed-off-by: Sean McGinnis <[email protected]>

This adds the 4.1.9 check to verify the kubelet configuration file has restrictive permissions. Signed-off-by: Sean McGinnis <[email protected]>

This adds check 4.1.10 to verify the kubelet config file is owned by root:root. Signed-off-by: Sean McGinnis <[email protected]>

This adds check 4.2.1 to verify anonymous auth is not enabled. Signed-off-by: Sean McGinnis <[email protected]>

This adds check 4.2.2 to verify authorization mode is not set to AlwaysAllow. Signed-off-by: Sean McGinnis <[email protected]>

This adds check 4.2.3 to verify clientCAFile is configured and points to an actual file. Signed-off-by: Sean McGinnis <[email protected]>

This adds the 4.2.4 to verify the readOnlyPort is not set to 0. Signed-off-by: Sean McGinnis <[email protected]>

This adds check 4.2.5 to verify streamingConnectionIdleTimeout is not set to 0. Signed-off-by: Sean McGinnis <[email protected]>

This adds check 4.2.6 to verify makeIPTablesUtilChains is true. Signed-off-by: Sean McGinnis <[email protected]>

This adds the check to make sure the server TLS certificates are configured correctly. Signed-off-by: Sean McGinnis <[email protected]>

This adds check 4.2.10 to verify rotateCertificates is not disabled. Signed-off-by: Sean McGinnis <[email protected]>

This adds check 4.2.11 to verify RotateKubeletServerCertificate is not disabled. Signed-off-by: Sean McGinnis <[email protected]>

This adds check 4.2.12 to check that kubelet is only configured to use secure cryptographic ciphers. Signed-off-by: Sean McGinnis <[email protected]>

This adds verification that podPidsLimit is configured to restrict the maximum number of PIDs allowed per-pod. Signed-off-by: Sean McGinnis <[email protected]>

This changes the 4.2.10 check to be a manual test response. This check does not apply to EKS or EKS-D since external IAM auth is used. This leaves the validation logic in place as we may want to use it in the future. For not EKS-related use cases, it may make sense to enable configuration of certificate rotation. If/when that is done, this check can be reenabled and updated to validate under the proper conditions. Signed-off-by: Sean McGinnis <[email protected]>

This adds handling for a "type" parameter to be passed along to the `/report/cis` endpoint to control what type of CIS report to generate. The default type is the Bottlerocket CIS benchmark report, with "kubernetes" being the only recognized other option. Signed-off-by: Sean McGinnis <[email protected]>

This adds the `cis-k8s` report subcommand to access the Kubernetes CIS report. It uses the standard CIS arguments of `-l` for level and `-f` for format. Signed-off-by: Sean McGinnis <[email protected]>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add CIS benchmark checks for generating a Kubernetes compliance report #3239

Add CIS benchmark checks for generating a Kubernetes compliance report #3239

Commits on Sep 5, 2023