fix: update checks 5.1.1, 5.1.2 and 5.1.4 for CIS 1.9 / CIS 1.10 (#1989)

* Fix the issue 1982

* remove the type manual and revert changes of test in each check

* fix linter error

* changed scored to false for check 5.1.3, 5.1.5, 5.1.6
This commit is contained in:
LaibaBareera
2025-11-04 19:05:33 +05:00
committed by GitHub
parent c7d9863e57
commit 496ec149bc
2 changed files with 12 additions and 12 deletions

@@ -33,7 +33,7 @@ groups:
Where possible, first bind users to a lower privileged role and then remove the
clusterrolebinding to the cluster-admin role : kubectl delete clusterrolebinding [name]
Condition: is_compliant is false if rolename is not cluster-admin and rolebinding is cluster-admin.
scored: true
scored: false
- id: 5.1.2
text: "Minimize access to secrets (Automated)"
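Review bot: the only change in this hunk is the `scored: true` to `scored: false` flip; the Condition line ("is_compliant is false if rolename is not cluster-admin and rolebinding is cluster-admin") and the remediation are untouched, so the check still evaluates exactly as before and only its result is no longer scored. The commit body says `type: manual` was removed and per-check test changes were reverted, but nothing of that remains in the diff, so please restate in the commit message the CIS 1.9 / 1.10 reason for unscoring 5.1.1 rather than the intermediate history.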
@@ -46,7 +46,7 @@ groups:
value: no
remediation: |
Where possible, remove get, list and watch access to Secret objects in the cluster.
scored: true
scored: false
- id: 5.1.3
text: "Minimize wildcard use in Roles and ClusterRoles (Automated)"
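Review bot: 5.1.2 keeps its "Minimize access to secrets (Automated)" label (visible in the previous hunk's context) while becoming unscored here. An automated check whose FAIL no longer counts is an easy thing for users to misread; either the benchmark text justifies that combination, in which case say so in the commit message, or the label should be brought in line with the scoring.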
@@ -93,7 +93,7 @@ groups:
objects or actions.
Condition: role_is_compliant is false if ["*"] is found in rules.
Condition: clusterrole_is_compliant is false if ["*"] is found in rules.
scored: true
scored: false
- id: 5.1.4
text: "Minimize access to create pods (Automated)"
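Review bot: 5.1.3 is not among the checks named in the commit title ("5.1.1, 5.1.2 and 5.1.4") and appears only in the body's last bullet; since this hunk unscores it in the same way, the title should list all six affected checks, or the 5.1.3 / 5.1.5 / 5.1.6 changes should be split into their own commit with their own rationale.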
@@ -107,7 +107,7 @@ groups:
value: no
remediation: |
Where possible, remove create access to pod objects in the cluster.
scored: true
scored: false
- id: 5.1.5
text: "Ensure that default service accounts are not actively used (Automated)"
audit: |
@@ -125,7 +125,7 @@ groups:
to the Kubernetes API server.
Modify the configuration of each default service account to include this value
`automountServiceAccountToken: false`.
scored: true
scored: false
- id: 5.1.6
text: "Ensure that Service Account Tokens are only mounted where necessary (Automated)"
@@ -158,7 +158,7 @@ groups:
Condition: Pod is_compliant to true when
- ServiceAccount is automountServiceAccountToken: false and Pod is automountServiceAccountToken: false or notset
- ServiceAccount is automountServiceAccountToken: true notset and Pod is automountServiceAccountToken: false
scored: true
scored: false
- id: 5.1.7
text: "Avoid use of system:masters group (Manual)"
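Review bot: while 5.1.6 is being touched, the context line "- ServiceAccount is automountServiceAccountToken: true notset and Pod is automountServiceAccountToken: false" is missing an "or" (compare the line above it, "false or notset"); suggest "automountServiceAccountToken: true or not set" so the two compliance conditions read consistently. "Pod is_compliant to true when" would also read better as "Pod is_compliant is true when".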

@@ -33,7 +33,7 @@ groups:
Where possible, first bind users to a lower privileged role and then remove the
clusterrolebinding to the cluster-admin role : kubectl delete clusterrolebinding [name]
Condition: is_compliant is false if rolename is not cluster-admin and rolebinding is cluster-admin.
scored: true
scored: false
- id: 5.1.2
text: "Minimize access to secrets (Automated)"
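Review bot: this is the second of the two changed files and its hunks mirror the first file line for line (the title covers CIS 1.9 and CIS 1.10). Since the 5.1.x blocks are duplicated across the two benchmark configs, any follow-up to the scoring or the Condition wording needs to land in both; a short note in the commit message that the two files are intentionally kept identical would help the next person editing only one of them.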
@@ -46,7 +46,7 @@ groups:
value: no
remediation: |
Where possible, remove get, list and watch access to Secret objects in the cluster.
scored: true
scored: false
- id: 5.1.3
text: "Minimize wildcard use in Roles and ClusterRoles (Automated)"
@@ -93,7 +93,7 @@ groups:
objects or actions.
Condition: role_is_compliant is false if ["*"] is found in rules.
Condition: clusterrole_is_compliant is false if ["*"] is found in rules.
scored: true
scored: false
- id: 5.1.4
text: "Minimize access to create pods (Automated)"
@@ -107,7 +107,7 @@ groups:
value: no
remediation: |
Where possible, remove create access to pod objects in the cluster.
scored: true
scored: false
- id: 5.1.5
text: "Ensure that default service accounts are not actively used (Automated)"
audit: |
@@ -125,7 +125,7 @@ groups:
to the Kubernetes API server.
Modify the configuration of each default service account to include this value
`automountServiceAccountToken: false`.
scored: true
scored: false
- id: 5.1.6
text: "Ensure that Service Account Tokens are only mounted where necessary (Automated)"
@@ -158,7 +158,7 @@ groups:
Condition: Pod is_compliant to true when
- ServiceAccount is automountServiceAccountToken: false and Pod is automountServiceAccountToken: false or notset
- ServiceAccount is automountServiceAccountToken: true notset and Pod is automountServiceAccountToken: false
scored: true
scored: false
- id: 5.1.7
text: "Avoid use of system:masters group (Manual)"
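Review bot: the context line "- ServiceAccount is automountServiceAccountToken: true notset and ..." in this file has the same dropped "or" as in the first file; fix it in both copies so the two benchmark versions do not drift apart in wording.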