Compare commits
4 Commits
v0.11.0
...
lihiz_pref
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
aabe7beb1e | ||
|
|
93b0cfa256 | ||
|
|
b8c5fbb44b | ||
|
|
20a26a02b2 |
21
.github/workflows/publish.yml
@@ -90,6 +90,27 @@ jobs:
|
||||
- name: Image digest
|
||||
run: echo ${{ steps.docker_build.outputs.digest }}
|
||||
|
||||
- name: Redhat Operator certification preflight tests
|
||||
run: |
|
||||
targetImage=${{ env.DOCKERHUB_ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi
|
||||
preflightVersion=1.14.0
|
||||
localArch=$(case $(uname -m) in x86_64) echo -n amd64 ;; aarch64) echo -n arm64 ;; *) echo -n $(uname -m) ;; esac)
|
||||
|
||||
curl -LOs https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/${preflightVersion}/preflight-linux-${localArch}
|
||||
chmod +x ./preflight-linux-${localArch}
|
||||
sudo mv ./preflight-linux-${localArch} /usr/local/bin/preflight
|
||||
out = $(preflight check container ${targetImage} --docker-config ~/.docker/config.json)
|
||||
# Try to extract the .passed value using jq
|
||||
passed=$(echo "out" | jq -r 'select(.passed != null) | .passed')
|
||||
|
||||
# Check if the value exists and is true
|
||||
if [[ "$passed" == "true" ]]; then
|
||||
echo "Command succeeded"
|
||||
else
|
||||
echo "Command failed"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
- name: Build and push fips ubi image - Docker/ECR
|
||||
id: docker_build_fips_ubi
|
||||
uses: docker/build-push-action@v6
|
||||
|
||||
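Review bot: The new preflight step cannot pass as written: `out = $(preflight check …)` has spaces around `=`, so bash runs a command named `out` with `=` as an argument (exit 127 under the workflow's default `bash -e` shell), and even if that were fixed the next line pipes the literal string `"out"` instead of `"$out"` into jq, so `passed` is never `true` and the `else` branch always fires. Separately, the preflight binary is fetched with `curl -LOs` — no `-f`, so a non-2xx response body would be saved, chmod'ed and moved into /usr/local/bin — and is then handed the registry credentials in `~/.docker/config.json` with no checksum or signature check; since `preflightVersion` is already pinned, recording the release asset's sha256 next to it and verifying with `sha256sum -c` before the `sudo mv` closes that supply-chain gap. The rewritten lines are below; the enclosing job definition starts and ends outside this hunk.

```yaml
          curl -fsSLO "https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/${preflightVersion}/preflight-linux-${localArch}"
          # sha256 of the pinned release asset, maintained next to preflightVersion
          echo "${preflightSha256}  preflight-linux-${localArch}" | sha256sum -c -
          # … unchanged: chmod +x / sudo mv into /usr/local/bin …
          out=$(preflight check container "${targetImage}" --docker-config ~/.docker/config.json)
          passed=$(echo "$out" | jq -r 'select(.passed != null) | .passed')
```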
@@ -1,15 +1,15 @@
|
||||
|
||||
## CIS Kubernetes Benchmark support
|
||||
|
||||
kube-bench supports running tests for Kubernetes.
|
||||
Most of our supported benchmarks are defined in one of the following:
|
||||
[CIS Kubernetes Benchmarks](https://www.cisecurity.org/benchmark/kubernetes/)
|
||||
[STIG Document Library](https://public.cyber.mil/stigs/downloads)
|
||||
kube-bench runs industry standard benchmark tests for Kubernetes.
|
||||
Most of our supported benchmarks are defined in either of the following:
|
||||
* [CIS Kubernetes Benchmarks](https://www.cisecurity.org/benchmark/kubernetes/)
|
||||
* [STIG Document Library](https://public.cyber.mil/stigs/downloads)
|
||||
|
||||
Some defined by other hardenening guides.
|
||||
Other benchmarks are defined by hardening guides.
|
||||
|
||||
| Source | Kubernetes Benchmark | kube-bench config | Kubernetes versions |
|
||||
|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------|---------------------|
|
||||
|:------:|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-------------------------|:--------------------|
|
||||
| CIS | [1.5.1](https://workbench.cisecurity.org/benchmarks/4892) | cis-1.5 | 1.15 |
|
||||
| CIS | [1.6.0](https://workbench.cisecurity.org/benchmarks/4834) | cis-1.6 | 1.16-1.18 |
|
||||
| CIS | [1.20](https://workbench.cisecurity.org/benchmarks/6246) | cis-1.20 | 1.19-1.21 |
|
||||
@@ -28,10 +28,8 @@ Some defined by other hardenening guides.
|
||||
| CIS | [EKS 1.5.0](https://workbench.cisecurity.org/benchmarks/17733) | eks-1.5.0 | EKS |
|
||||
| CIS | [ACK 1.0.0](https://workbench.cisecurity.org/benchmarks/6467) | ack-1.0 | ACK |
|
||||
| CIS | [AKS 1.0.0](https://workbench.cisecurity.org/benchmarks/6347) | aks-1.0 | AKS |
|
||||
| CIS | [AKS 1.7.0](https://workbench.cisecurity.org/benchmarks/
|
||||
20359)
|
||||
| aks-1.7 | AKS |
|
||||
| RHEL | RedHat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |
|
||||
| CIS | [AKS 1.7.0](https://workbench.cisecurity.org/benchmarks/20359) | aks-1.7 | AKS |
|
||||
| RHEL | Red Hat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |
|
||||
| CIS | [OCP4 1.1.0](https://workbench.cisecurity.org/benchmarks/6778) | rh-1.0 | OCP 4.1- |
|
||||
| CIS | [1.6.0-k3s](https://docs.rancher.cn/docs/k3s/security/self-assessment/_index) | cis-1.6-k3s | k3s v1.16-v1.24 |
|
||||
| DISA | [Kubernetes Ver 1, Rel 6](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V1R6_STIG.zip) | eks-stig-kubernetes-v1r6 | EKS |
|
||||
|
||||
2
job.yaml
@@ -11,7 +11,7 @@ spec:
|
||||
spec:
|
||||
containers:
|
||||
- command: ["kube-bench"]
|
||||
image: docker.io/aquasec/kube-bench:v0.11.0
|
||||
image: docker.io/aquasec/kube-bench:v0.11.1
|
||||
name: kube-bench
|
||||
volumeMounts:
|
||||
- name: var-lib-cni
|
||||
|
||||
2
makefile
@@ -11,7 +11,7 @@ uname := $(shell uname -s)
|
||||
BUILDX_PLATFORM ?= linux/amd64,linux/arm64,linux/arm,linux/ppc64le,linux/s390x
|
||||
DOCKER_ORGS ?= aquasec public.ecr.aws/aquasecurity
|
||||
GOARCH ?= $@
|
||||
KUBECTL_VERSION ?= 1.33.0
|
||||
KUBECTL_VERSION ?= 1.34.0-alpha.1
|
||||
ARCH ?= $(shell go env GOARCH)
|
||||
|
||||
ifneq ($(findstring Microsoft,$(shell uname -r)),)
|
||||
|
||||