mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2026-02-14 10:00:14 +00:00
Add CIS Kubernetes CIS-1.10 for k8s v1.28 - v1.31 (#1753)
* Create cis-1.10 yamls and Update info
- Modify yaml versions from 1.9 to 1.10
- Adapt configmap to cover cis-1.10
- Adapt docs and cmd files
* Adapt master.yaml
- 1.2.29 update cipher list to remove the following insecure ones (RC4-Based, 3DES-Based, RSA-Based AES CBC):
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_RC4_128_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA
ticket: https://workbench.cisecurity.org/community/43/tickets/21760
* Adapt policies.yaml
- 5.1.11 typo in sub-resource name 'certificatesigningrequest' https://workbench.cisecurity.org/tickets/21352
- 5.2.2 new audit to verify if a container is privileged or not. https://workbench.cisecurity.org/tickets/20919
- 5.2.3 new audit to verify the presence of hostPID opt-in across all pods. https://workbench.cisecurity.org/tickets/20919
- 5.2.4 new audit to verify the presence of hostIPC opt-in across all pods. https://workbench.cisecurity.org/tickets/20923
- 5.2.5 new audit to verify the presence of hostNetwork opt-in across all pods. https://workbench.cisecurity.org/tickets/20921
- 5.2.6 new audit to verify the presence of 'allowPrivilegeEscalation' to true across all pods' container(s)
- 5.2.6 the 'allowPrivilegeEscalation' setting is moved from 'spec' to 'securityContext' https://workbench.cisecurity.org/tickets/20922
- 5.2.9 new audit to verify the presence of added capabilities across all pods' container(s)
* Fix 5.2.6 remediation
@@ -245,6 +245,8 @@ func TestMapToCISVersion(t *testing.T) {
{kubeVersion: "1.27", succeed: true, exp: "cis-1.9"},
{kubeVersion: "1.28", succeed: true, exp: "cis-1.9"},
{kubeVersion: "1.29", succeed: true, exp: "cis-1.9"},
{kubeVersion: "1.30", succeed: true, exp: "cis-1.10"},
{kubeVersion: "1.31", succeed: true, exp: "cis-1.10"},
{kubeVersion: "gke-1.2.0", succeed: true, exp: "gke-1.2.0"},
{kubeVersion: "ocp-3.10", succeed: true, exp: "rh-0.7"},
{kubeVersion: "ocp-3.11", succeed: true, exp: "rh-0.7"},
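Review bot: The expectations for kubeVersion "1.28" and "1.29" still map to "cis-1.9" while the commit title says CIS-1.10 is for k8s v1.28 - v1.31; the hunk header (6 lines to 8) shows only the "1.30" and "1.31" cases being added with exp: "cis-1.10". Either the "1.28" and "1.29" cases should expect "cis-1.10" to match the title, or the commit message and docs should state explicitly that 1.28 and 1.29 remain on cis-1.9, so users know which benchmark actually runs against those cluster versions.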