Compare commits


4 Commits

Author SHA1 Message Date
Lihi Zitzer
aabe7beb1e DEVOPS-1623: Add preflight tests 2025-07-03 10:51:46 +03:00
Josh-aqua
93b0cfa256 Update platforms.md (#1896)
Fix typos and improved some wording
2025-06-25 12:40:49 +06:00
afdesk
b8c5fbb44b release: prepare v0.11.1 (#1895) 2025-06-17 19:48:43 +06:00
afdesk
20a26a02b2 chore: use kubectl 1.34.0-alpha.1 (#1894) 2025-06-17 19:26:44 +06:00
4 changed files with 31 additions and 12 deletions

View File

@@ -90,6 +90,27 @@ jobs:
- name: Image digest
run: echo ${{ steps.docker_build.outputs.digest }}
- name: Redhat Operator certification preflight tests
run: |
targetImage=${{ env.DOCKERHUB_ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi
preflightVersion=1.14.0
localArch=$(case $(uname -m) in x86_64) echo -n amd64 ;; aarch64) echo -n arm64 ;; *) echo -n $(uname -m) ;; esac)
curl -LOs https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/${preflightVersion}/preflight-linux-${localArch}
chmod +x ./preflight-linux-${localArch}
sudo mv ./preflight-linux-${localArch} /usr/local/bin/preflight
out = $(preflight check container ${targetImage} --docker-config ~/.docker/config.json)
# Try to extract the .passed value using jq
passed=$(echo "out" | jq -r 'select(.passed != null) | .passed')
# Check if the value exists and is true
if [[ "$passed" == "true" ]]; then
echo "Command succeeded"
else
echo "Command failed"
exit 1
fi
- name: Build and push fips ubi image - Docker/ECR
id: docker_build_fips_ubi
uses: docker/build-push-action@v6
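Review bot: the capture line `out = $(preflight check container ${targetImage} --docker-config ~/.docker/config.json)` has spaces around `=`, so bash runs `out` as a command instead of assigning a variable (under the workflow's default `bash -e` shell the step aborts right there with "command not found"), and the next line pipes the literal string `"out"` into jq rather than the captured output, so `passed` can never be `true`. Use `out=$(preflight check container ...)` and `passed=$(echo "$out" | jq -r 'select(.passed != null) | .passed')`; if preflight prints anything on stdout that is not JSON, jq will also fail, so it may be safer to have preflight write its results file and read `.passed` from that. Separately, the binary is downloaded with `curl -LOs` and moved into `/usr/local/bin` without `-f` or any checksum/signature check, so an HTTP error page would be saved, `chmod +x`'d and installed; add `-f` (`curl -fsSLO ...`) and verify the release asset's published checksum before installing it.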

View File

@@ -1,15 +1,15 @@
## CIS Kubernetes Benchmark support
kube-bench supports running tests for Kubernetes.
Most of our supported benchmarks are defined in one of the following:
[CIS Kubernetes Benchmarks](https://www.cisecurity.org/benchmark/kubernetes/)
[STIG Document Library](https://public.cyber.mil/stigs/downloads)
kube-bench runs industry standard benchmark tests for Kubernetes.
Most of our supported benchmarks are defined in either of the following:
* [CIS Kubernetes Benchmarks](https://www.cisecurity.org/benchmark/kubernetes/)
* [STIG Document Library](https://public.cyber.mil/stigs/downloads)
Some defined by other hardenening guides.
Other benchmarks are defined by hardening guides.
| Source | Kubernetes Benchmark | kube-bench config | Kubernetes versions |
|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------|---------------------|
|:------:|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-------------------------|:--------------------|
| CIS | [1.5.1](https://workbench.cisecurity.org/benchmarks/4892) | cis-1.5 | 1.15 |
| CIS | [1.6.0](https://workbench.cisecurity.org/benchmarks/4834) | cis-1.6 | 1.16-1.18 |
| CIS | [1.20](https://workbench.cisecurity.org/benchmarks/6246) | cis-1.20 | 1.19-1.21 |
@@ -28,10 +28,8 @@ Some defined by other hardenening guides.
| CIS | [EKS 1.5.0](https://workbench.cisecurity.org/benchmarks/17733) | eks-1.5.0 | EKS |
| CIS | [ACK 1.0.0](https://workbench.cisecurity.org/benchmarks/6467) | ack-1.0 | ACK |
| CIS | [AKS 1.0.0](https://workbench.cisecurity.org/benchmarks/6347) | aks-1.0 | AKS |
| CIS | [AKS 1.7.0](https://workbench.cisecurity.org/benchmarks/
20359)
| aks-1.7 | AKS |
| RHEL | RedHat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |
| CIS | [AKS 1.7.0](https://workbench.cisecurity.org/benchmarks/20359) | aks-1.7 | AKS |
| RHEL | Red Hat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |
| CIS | [OCP4 1.1.0](https://workbench.cisecurity.org/benchmarks/6778) | rh-1.0 | OCP 4.1- |
| CIS | [1.6.0-k3s](https://docs.rancher.cn/docs/k3s/security/self-assessment/_index) | cis-1.6-k3s | k3s v1.16-v1.24 |
| DISA | [Kubernetes Ver 1, Rel 6](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V1R6_STIG.zip) | eks-stig-kubernetes-v1r6 | EKS |

View File

@@ -11,7 +11,7 @@ spec:
spec:
containers:
- command: ["kube-bench"]
image: docker.io/aquasec/kube-bench:v0.11.0
image: docker.io/aquasec/kube-bench:v0.11.1
name: kube-bench
volumeMounts:
- name: var-lib-cni
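Review bot: the image bump pins the scanner by mutable tag only (`image: docker.io/aquasec/kube-bench:v0.11.1`); consider also pinning the image digest (`docker.io/aquasec/kube-bench:v0.11.1@sha256:<digest of the published image>`) so a re-pushed tag cannot silently change what the job runs, and double-check the tag matches the v0.11.1 release being prepared in this change.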

View File

@@ -11,7 +11,7 @@ uname := $(shell uname -s)
BUILDX_PLATFORM ?= linux/amd64,linux/arm64,linux/arm,linux/ppc64le,linux/s390x
DOCKER_ORGS ?= aquasec public.ecr.aws/aquasecurity
GOARCH ?= $@
KUBECTL_VERSION ?= 1.33.0
KUBECTL_VERSION ?= 1.34.0-alpha.1
ARCH ?= $(shell go env GOARCH)
ifneq ($(findstring Microsoft,$(shell uname -r)),)
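Review bot: `KUBECTL_VERSION ?= 1.34.0-alpha.1` makes a pre-release kubectl the default for every build, including the release build this series prepares; alpha builds are unsupported and can change behaviour between pre-releases, so either pin the latest stable 1.33.x patch release or add a comment in the Makefile explaining why the alpha is required.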