mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2026-02-14 10:00:14 +00:00
First yamls and Update info

- Modify yaml versions from 1.10 to 1.11
- Adapt configmap to cover cis-1.11
- Adapt docs and cmd files
- Fix version_mapping in global configMap and common_test.go: Kuberversion for cis-1.11
- doc: improve version mapping in platforms

Adapt master.yaml

- modify: 1.1.20 https://workbench.cisecurity.org/benchmarks/19519/tickets/24017 permissions changed from 600 to 644
- create: 1.2.30 Ensure that the --service-account-extend-token-expiration parameter is set to false (Automated)

Adapt node.yaml

- Add: 4.2.14 Ensure that the --seccomp-default parameter is set to true (Manual)
- Add: 4.2.15 Ensure that the --IPAddressDeny is set to any (Manual) - this check is to be removed in CIS-1.1.12, I suggest we discard it.
- Modify: 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual) - (changed from 600 to 644) https://workbench.cisecurity.org/community/43/discussions/11786
- Modify: 4.2.4 Verify that if defined, readOnlyPort is set to 0 (Manual) - Added "if defined"

Adapt policies.yaml

- Modify: 5.1.1 to 5.1.6 from (Automated) to (Manual)
- Modify: section titled "General Policies" was renumbered from 5.7 in v1.10 to 5.6
CIS Kubernetes Benchmark support
kube-bench runs industry standard benchmark tests for Kubernetes. Most of our supported benchmarks are defined in either of the following:
Other benchmarks are defined by hardening guides.
| Source | Kubernetes Benchmark | kube-bench config | Kubernetes versions |
|---|---|---|---|
| CIS | 1.5.1 | cis-1.5 | 1.15 |
| CIS | 1.6.0 | cis-1.6 | 1.16-1.18 |
| CIS | 1.20 | cis-1.20 | 1.19-1.21 |
| CIS | 1.23 | cis-1.23 | 1.22-1.23 |
| CIS | 1.24 | cis-1.24 | 1.24 |
| CIS | 1.7 | cis-1.7 | 1.25 |
| CIS | 1.8 | cis-1.8 | 1.26 |
| CIS | 1.9 | cis-1.9 | 1.27 |
| CIS | 1.10 | cis-1.10 | 1.28 |
| CIS | 1.11 | cis-1.11 | 1.29-1.32 |
| CIS | GKE 1.0.0 | gke-1.0 | GKE |
| CIS | GKE 1.2.0 | gke-1.2.0 | GKE |
| CIS | GKE 1.6.0 | gke-1.6.0 | GKE |
| CIS | EKS 1.0.1 | eks-1.0.1 | EKS |
| CIS | EKS 1.1.0 | eks-1.1.0 | EKS |
| CIS | EKS 1.2.0 | eks-1.2.0 | EKS |
| CIS | EKS 1.5.0 | eks-1.5.0 | EKS |
| CIS | ACK 1.0.0 | ack-1.0 | ACK |
| CIS | AKS 1.0.0 | aks-1.0 | AKS |
| CIS | AKS 1.7.0 | aks-1.7 | AKS |
| RHEL | Red Hat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |
| CIS | OCP4 1.1.0 | rh-1.0 | OCP 4.1- |
| CIS | 1.6.0-k3s | cis-1.6-k3s | k3s v1.16-v1.24 |
| DISA | Kubernetes Ver 1, Rel 6 | eks-stig-kubernetes-v1r6 | EKS |
| CIS | TKGI 1.2.53 | tkgi-1.2.53 | vmware |
| CIS | 1.7.0-rke | rke-cis-1.7 | rke v1.25-v1.27 |
| CIS | 1.7.0-rke2 | rke2-cis-1.6 | rke2 v1.25-v1.27 |
| CIS | 1.7.0-k3s | k3s-cis-1.7 | k3s v1.25-v1.27 |