feat(cis-1.24-microk8s): Add support to CIS-1.24 for microk8s distro #1510

Merged
merged 2 commits into from
Nov 20, 2023

bschimke95
Contributor

kube-bench is the main security benchmark in k8s. This PR adds the configs required for the benchmark check to verify CIS-1.24 for microk8s.

This requires the microk8s addon cis-hardening to be enabled, which is available from version 1.28.
Alternatively, the hardening can manually be applied and verified following the tutorial and steps here: https://microk8s.io/docs/how-to-cis-harden

test environment

➜ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04.3 LTS
Release:	22.04
Codename:	jammy

➜ sudo microk8s version                              
MicroK8s v1.28.1 revision 5916

➜ sudo microk8s enable cis-hardening
Infer repository core for addon cis-hardening
Enabling RBAC
Infer repository core for addon rbac
Enabling RBAC
Reconfiguring apiserver
Restarting apiserver
RBAC is enabled
Copy extra files
Downloading kube-bench
Stopping services
Setting file permissions
Setting API server arguments
Setting controller manager arguments
Setting kubelet arguments
Starting services

CIS hardening configuration has been applied. All microk8s commands require sudo from now on.
Remember to enable this addon on nodes joining the custer.
Inspect the CIS benchmark results with:

  sudo microk8s kube-bench

kube-bench results

https://pastebin.com/7GfwetfC

@CLAassistant

CLAassistant commented Oct 18, 2023

CLA assistant check
All committers have signed the CLA.

@mozillazg mozillazg self-requested a review October 20, 2023 12:03
Collaborator

@mozillazg mozillazg left a comment

LGTM, Thanks for your contribution!

@mozillazg
Collaborator

@chen-keinan ping~

@chen-keinan
Contributor

@bschimke95 could you please rebase your branch with upstream?

@bschimke95
Contributor Author

@chen-keinan done

@chen-keinan chen-keinan merged commit fac90f7 into aquasecurity:main Nov 20, 2023
5 checks passed