e3becc9f19
First yamls and Update info - Modify yaml versions from 1.10 to 1.11 - Adapt configmap to cover cis-1.11 - Adapt docs and cmd files - Fix version_mapping in global configMap and common_test.go: Kuberversion for cis-1.11 - doc: improve version mapping in platforms Adapt master.yaml - modify: 1.1.20 https://workbench.cisecurity.org/benchmarks/19519/tickets/24017 permissions changed from 600 to 644 - create: 1.2.30 Ensure that the --service-account-extend-token-expiration parameter is set to false (Automated) Adapt node.yaml - Add: 4.2.14 Ensure that the --seccomp-default parameter is set to true (Manual) - Add: 4.2.15 Ensure that the --IPAddressDeny is set to any (Manual) - this check is to be removed in CIS-1.1.12, I suggest we discard it. - Modify: 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual) - (changed from 600 to 644) https://workbench.cisecurity.org/community/43/discussions/11786 - Modify: 4.2.4 Verify that if defined, readOnlyPort is set to 0 (Manual) - Added "if defined" Adapt policies.yaml - Modify: 5.1.1 to 5.1.6 from (Automated) to (Manual) - Modify: section titled "General Policies" was renumbered from 5.7 in v1.10 to 5.6
3.1 KiB
Test config YAML representation
The tests (or "controls") are maintained in YAML documents. There are different versions of these test YAML files reflecting different versions and platforms of the CIS Kubernetes Benchmark. You will find more information about the test file YAML definitions in our controls documentation.
Kube-bench benchmarks
The test files for the various versions of Benchmarks can be found in directories
with same name as the Benchmark versions under the cfg directory next to the kube-bench executable,
for example ./cfg/cis-1.5 will contain all test files for CIS Kubernetes Benchmark v1.5.1 which are:
master.yaml, controlplane.yaml, node.yaml, etcd.yaml, policies.yaml and config.yaml
Check the contents of the benchmark directory under cfg to see which targets are available for that benchmark. Each file except config.yaml represents a target (also known as a control in other parts of this documentation).
The following table shows the valid targets based on the CIS Benchmark version.
| CIS Benchmark | Targets |
|---|---|
| cis-1.5 | master, controlplane, node, etcd, policies |
| cis-1.6 | master, controlplane, node, etcd, policies |
| cis-1.20 | master, controlplane, node, etcd, policies |
| cis-1.23 | master, controlplane, node, etcd, policies |
| cis-1.24 | master, controlplane, node, etcd, policies |
| cis-1.7 | master, controlplane, node, etcd, policies |
| cis-1.8 | master, controlplane, node, etcd, policies |
| cis-1.9 | master, controlplane, node, etcd, policies |
| cis-1.10 | master, controlplane, node, etcd, policies |
| cis-1.11 | master, controlplane, node, etcd, policies |
| gke-1.0 | master, controlplane, node, etcd, policies, managedservices |
| gke-1.2.0 | controlplane, node, policies, managedservices |
| gke-1.6.0 | controlplane, node, policies, managedservices |
| eks-1.0.1 | controlplane, node, policies, managedservices |
| eks-1.1.0 | controlplane, node, policies, managedservices |
| eks-1.2.0 | controlplane, node, policies, managedservices |
| eks-1.5.0 | controlplane, node, policies, managedservices |
| ack-1.0 | master, controlplane, node, etcd, policies, managedservices |
| aks-1.0 | controlplane, node, policies, managedservices |
| aks-1.7 | controlplane, node, policies, managedservices |
| rh-0.7 | master,node |
| rh-1.0 | master, controlplane, node, etcd, policies |
| cis-1.6-k3s | master, controlplane, node, etcd, policies |
| cis-1.24-microk8s | master, controlplane, node, etcd, policies |
The following table shows the valid DISA STIG versions
| STIG | Targets |
|---|---|
| eks-stig-kubernetes-v1r6 | master, controlplane, node, policies, managedservices |