Comparing changes
base repository: aquasecurity/kube-bench
base: v0.7.3
...
head repository: aquasecurity/kube-bench
compare: main
Showing with 10,088 additions and 1,488 deletions.
  1. +7 −7 .github/workflows/build.yml
  2. +1 −1 .github/workflows/mkdocs-deploy.yaml
  3. +11 −4 .github/workflows/publish.yml
  4. +3 −3 .github/workflows/release.yml
  5. +0 −2 .golangci.yaml
  6. +9 −1 .goreleaser.yml
  7. +35 −11 Dockerfile
  8. +24 −7 Dockerfile.fips.ubi
  9. +25 −8 Dockerfile.ubi
  10. +1 −1 cfg/ack-1.0/node.yaml
  11. +2 −0 cfg/cis-1.10/config.yaml
  12. +62 −0 cfg/cis-1.10/controlplane.yaml
  13. +135 −0 cfg/cis-1.10/etcd.yaml
  14. +917 −0 cfg/cis-1.10/master.yaml
  15. +478 −0 cfg/cis-1.10/node.yaml
  16. +559 −0 cfg/cis-1.10/policies.yaml
  17. +1 −1 cfg/cis-1.20/node.yaml
  18. +1 −1 cfg/cis-1.23/node.yaml
  19. +1 −1 cfg/cis-1.24-microk8s/node.yaml
  20. +0 −6 cfg/cis-1.24/master.yaml
  21. +1 −1 cfg/cis-1.24/node.yaml
  22. +1 −1 cfg/cis-1.5/node.yaml
  23. +1 −1 cfg/cis-1.6/node.yaml
  24. +3 −4 cfg/cis-1.7/master.yaml
  25. +1 −1 cfg/cis-1.7/node.yaml
  26. +3 −4 cfg/cis-1.8/master.yaml
  27. +1 −1 cfg/cis-1.8/node.yaml
  28. +2 −0 cfg/cis-1.9/config.yaml
  29. +62 −0 cfg/cis-1.9/controlplane.yaml
  30. +135 −0 cfg/cis-1.9/etcd.yaml
  31. +919 −0 cfg/cis-1.9/master.yaml
  32. +478 −0 cfg/cis-1.9/node.yaml
  33. +405 −0 cfg/cis-1.9/policies.yaml
  34. +41 −2 cfg/config.yaml
  35. +9 −0 cfg/eks-1.5.0/config.yaml
  36. +32 −0 cfg/eks-1.5.0/controlplane.yaml
  37. +227 −0 cfg/eks-1.5.0/managedservices.yaml
  38. +6 −0 cfg/eks-1.5.0/master.yaml
  39. +453 −0 cfg/eks-1.5.0/node.yaml
  40. +250 −0 cfg/eks-1.5.0/policies.yaml
  41. +9 −0 cfg/gke-1.6.0/config.yaml
  42. +20 −0 cfg/gke-1.6.0/controlplane.yaml
  43. +617 −0 cfg/gke-1.6.0/managedservices.yaml
  44. +6 −0 cfg/gke-1.6.0/master.yaml
  45. +506 −0 cfg/gke-1.6.0/node.yaml
  46. +238 −0 cfg/gke-1.6.0/policies.yaml
  47. +2 −1 cfg/k3s-cis-1.23/config.yaml
  48. +1 −1 cfg/k3s-cis-1.23/controlplane.yaml
  49. +7 −18 cfg/k3s-cis-1.23/etcd.yaml
  50. +37 −37 cfg/k3s-cis-1.23/master.yaml
  51. +9 −9 cfg/k3s-cis-1.23/node.yaml
  52. +31 −19 cfg/k3s-cis-1.24/config.yaml
  53. +1 −1 cfg/k3s-cis-1.24/controlplane.yaml
  54. +74 −78 cfg/k3s-cis-1.24/etcd.yaml
  55. +287 −258 cfg/k3s-cis-1.24/master.yaml
  56. +130 −162 cfg/k3s-cis-1.24/node.yaml
  57. +2 −2 cfg/k3s-cis-1.24/policies.yaml
  58. +30 −19 cfg/k3s-cis-1.7/config.yaml
  59. +1 −1 cfg/k3s-cis-1.7/controlplane.yaml
  60. +74 −78 cfg/k3s-cis-1.7/etcd.yaml
  61. +277 −277 cfg/k3s-cis-1.7/master.yaml
  62. +122 −154 cfg/k3s-cis-1.7/node.yaml
  63. +4 −22 cfg/k3s-cis-1.7/policies.yaml
  64. +54 −0 cfg/k3s-cis-1.8/config.yaml
  65. +62 −0 cfg/k3s-cis-1.8/controlplane.yaml
  66. +144 −0 cfg/k3s-cis-1.8/etcd.yaml
  67. +985 −0 cfg/k3s-cis-1.8/master.yaml
  68. +422 −0 cfg/k3s-cis-1.8/node.yaml
  69. +300 −0 cfg/k3s-cis-1.8/policies.yaml
  70. +1 −1 cfg/rh-1.0/node.yaml
  71. +2 −10 cfg/rke-cis-1.23/master.yaml
  72. +3 −3 cfg/rke-cis-1.23/node.yaml
  73. +2 −10 cfg/rke-cis-1.23/policies.yaml
  74. +6 −12 cfg/rke-cis-1.24/master.yaml
  75. +5 −5 cfg/rke-cis-1.24/node.yaml
  76. +0 −8 cfg/rke-cis-1.24/policies.yaml
  77. +9 −13 cfg/rke-cis-1.7/master.yaml
  78. +5 −3 cfg/rke-cis-1.7/node.yaml
  79. +1 −10 cfg/rke-cis-1.7/policies.yaml
  80. +1 −1 cfg/rke2-cis-1.23/node.yaml
  81. +16 −3 cfg/rke2-cis-1.24/master.yaml
  82. +2 −2 cfg/rke2-cis-1.24/node.yaml
  83. +1 −1 cfg/rke2-cis-1.7/node.yaml
  84. +1 −1 cfg/tkgi-1.2.53/node.yaml
  85. +1 −1 check/controls.go
  86. +1 −1 check/controls_test.go
  87. +1 −1 check/test.go
  88. +2 −2 check/test_test.go
  89. +11 −0 cmd/common_test.go
  90. +1 −1 cmd/run.go
  91. +3 −1 cmd/util.go
  92. +1 −1 cmd/util_test.go
  93. +7 −3 docs/architecture.md
  94. +12 −6 docs/installation.md
  95. +5 −1 docs/platforms.md
  96. +3 −2 docs/running.md
  97. +52 −49 go.mod
  98. +115 −116 go.sum
  99. +44 −0 helper_scripts/check_files_owner_in_dir.sh
  100. +1 −1 integration/testdata/Expected_output.data
  101. +4 −4 internal/findings/publisher.go
  102. +2 −2 job-eks.yaml
  103. +1 −1 job.yaml
  104. +12 −6 makefile
14 changes: 7 additions & 7 deletions .github/workflows/build.yml
@@ -14,7 +14,7 @@ on:
- "LICENSE"
- "NOTICE"
env:
GO_VERSION: "1.21"
GO_VERSION: "1.23.6"
KIND_VERSION: "v0.11.1"
KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"

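Review bot: KIND_VERSION "v0.11.1" and KIND_IMAGE kindest/node:v1.21.1 are left untouched while GO_VERSION moves to "1.23.6", so the e2e job still runs against a Kubernetes 1.21 node even though this compare adds cfg/cis-1.9 and cfg/cis-1.10 benchmark configs; consider bumping the kind image (keeping the @sha256 digest pin, which is the right practice) so those newer benchmarks are exercised against a cluster version they target.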
@@ -32,10 +32,10 @@ jobs:
- name: yaml-lint
uses: ibiqlik/action-yamllint@v3
- name: Setup golangci-lint
uses: golangci/golangci-lint-action@v4
uses: golangci/golangci-lint-action@v6
with:
version: latest
args: --verbose
version: v1.61
args: --verbose --timeout 2m
unit:
name: Unit tests
runs-on: ubuntu-latest
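Review bot: pinning golangci-lint to `version: v1.61` instead of `latest` is the right call for reproducible lint results, but the actions themselves (`golangci/golangci-lint-action@v6` and the other `@vN` references in this file) are still resolved through mutable tags; pinning each `uses:` to a full commit SHA with the tag in a trailing comment closes the gap where a retagged action silently changes what runs in CI with repository secrets in scope.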
@@ -49,7 +49,7 @@ jobs:
- name: Run unit tests
run: make tests
- name: Upload code coverage
uses: codecov/codecov-action@v4
uses: codecov/codecov-action@v5
with:
file: ./coverage.txt
e2e:
@@ -63,7 +63,7 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Kubernetes cluster (KIND)
uses: engineerd/setup-kind@v0.5.0
uses: engineerd/setup-kind@v0.6.2
with:
version: ${{ env.KIND_VERSION }}
image: ${{ env.KIND_IMAGE }}
@@ -95,7 +95,7 @@ jobs:
with:
fetch-depth: 0
- name: Dry-run release snapshot
uses: goreleaser/goreleaser-action@v5
uses: goreleaser/goreleaser-action@v6
with:
distribution: goreleaser
version: v1.7.0
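Review bot: the action is bumped to `goreleaser/goreleaser-action@v6`, but the context line `version: v1.7.0` keeps GoReleaser itself pinned to v1.7.0; confirm this is intentional, since the `.goreleaser.yml` additions in this compare are only validated against whichever GoReleaser version actually runs here and in release.yml.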
2 changes: 1 addition & 1 deletion .github/workflows/mkdocs-deploy.yaml
@@ -20,7 +20,7 @@ jobs:
with:
fetch-depth: 0
persist-credentials: true
- uses: actions/setup-python@v4
- uses: actions/setup-python@v5
with:
python-version: 3.x
- run: |
15 changes: 11 additions & 4 deletions .github/workflows/publish.yml
@@ -9,6 +9,7 @@ env:
ALIAS: aquasecurity
DOCKERHUB_ALIAS: aquasec
REP: kube-bench

jobs:
publish:
name: Publish
@@ -46,17 +47,21 @@ jobs:
images: ${{ env.REP }}
tag-semver: |
{{version}}
- name: Extract variables from makefile (kubectl)
id: extract_vars
run: |
echo "KUBECTL_VERSION=$(grep -oP '^KUBECTL_VERSION\s*\?=\s*\K.*' makefile)" >> $GITHUB_ENV
- name: Build and push - Docker/ECR
id: docker_build
uses: docker/build-push-action@v5
uses: docker/build-push-action@v6
with:
context: .
platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
builder: ${{ steps.buildx.outputs.name }}
push: true
build-args: |
KUBEBENCH_VERSION=${{ steps.get_version.outputs.version }}
KUBECTL_VERSION=${{ env.KUBECTL_VERSION }}
tags: |
${{ env.DOCKERHUB_ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}
public.ecr.aws/${{ env.ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}
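Review bot: the `grep -oP '^KUBECTL_VERSION\s*\?=\s*\K.*' makefile` extraction has no failure path: if the makefile variable is renamed or its `?=` form changes, grep exits non-zero but the step still succeeds because the exit status is swallowed inside `$(...)` within `echo`, and an empty KUBECTL_VERSION then reaches the Dockerfiles, where it produces the URL `https://dl.k8s.io/release/v/bin/...`. Suggest capturing into a variable and guarding, e.g. `v=$(grep -oP '^KUBECTL_VERSION\s*\?=\s*\K.*' makefile) && test -n "$v" || exit 1`, before appending to $GITHUB_ENV.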
@@ -67,7 +72,7 @@ jobs:

- name: Build and push ubi image - Docker/ECR
id: docker_build_ubi
uses: docker/build-push-action@v5
uses: docker/build-push-action@v6
with:
context: .
platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
@@ -76,6 +81,7 @@ jobs:
file: Dockerfile.ubi
build-args: |
KUBEBENCH_VERSION=${{ steps.get_version.outputs.version }}
KUBECTL_VERSION=${{ env.KUBECTL_VERSION }}
tags: |
${{ env.DOCKERHUB_ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi
public.ecr.aws/${{ env.ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi
@@ -86,7 +92,7 @@ jobs:

- name: Build and push fips ubi image - Docker/ECR
id: docker_build_fips_ubi
uses: docker/build-push-action@v5
uses: docker/build-push-action@v6
with:
context: .
platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
@@ -95,6 +101,7 @@ jobs:
file: Dockerfile.fips.ubi
build-args: |
KUBEBENCH_VERSION=${{ steps.get_version.outputs.version }}
KUBECTL_VERSION=${{ env.KUBECTL_VERSION }}
tags: |
${{ env.DOCKERHUB_ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi-fips
public.ecr.aws/${{ env.ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi-fips
6 changes: 3 additions & 3 deletions .github/workflows/release.yml
@@ -5,7 +5,7 @@ on:
tags:
- "v*"
env:
GO_VERSION: "1.21"
GO_VERSION: "1.23.6"
KIND_VERSION: "v0.11.1"
KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"

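Review bot: GO_VERSION "1.23.6" is now pinned separately in build.yml, release.yml, Dockerfile, Dockerfile.ubi and Dockerfile.fips.ubi; five copies of the same toolchain version will drift, so consider reading it from go.mod (actions/setup-go supports `go-version-file: go.mod`) or from a single makefile variable, the way KUBECTL_VERSION is handled in publish.yml.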
@@ -25,7 +25,7 @@ jobs:
- name: Run unit tests
run: make tests
- name: Setup Kubernetes cluster (KIND)
uses: engineerd/setup-kind@v0.5.0
uses: engineerd/setup-kind@v0.6.2
with:
version: ${{ env.KIND_VERSION }}
image: ${{ env.KIND_IMAGE }}
@@ -44,7 +44,7 @@ jobs:
second_file_path: integration/testdata/Expected_output.data
expected_result: PASSED
- name: Release
uses: goreleaser/goreleaser-action@v5
uses: goreleaser/goreleaser-action@v6
with:
distribution: goreleaser
version: v1.7.0
2 changes: 0 additions & 2 deletions .golangci.yaml
@@ -2,11 +2,9 @@
linters:
disable-all: true
enable:
- deadcode
- gocyclo
- gofmt
- goimports
- govet
- misspell
- typecheck
- varcheck
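Review bot: dropping `deadcode` and `varcheck` is necessary because golangci-lint deprecated both in favour of `unused`, but nothing in the remaining `enable:` list replaces them, so the repository silently loses its unused-code checks; add `- unused` here alongside the v1.61 pin in build.yml.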
10 changes: 9 additions & 1 deletion .goreleaser.yml
@@ -2,10 +2,15 @@
project_name: kube-bench
env:
- GO111MODULE=on
- CGO_ENABLED=0
- KUBEBENCH_CFG=/etc/kube-bench/cfg
builds:
- main: main.go
- main: .
binary: kube-bench
tags:
- osusergo
- netgo
- static_build
goos:
- linux
- darwin
@@ -19,6 +24,9 @@ builds:
- 6
- 7
ldflags:
- "-s"
- "-w"
- "-extldflags '-static'"
- "-X github.com/aquasecurity/kube-bench/cmd.KubeBenchVersion={{.Version}}"
- "-X github.com/aquasecurity/kube-bench/cmd.cfgDir={{.Env.KUBEBENCH_CFG}}"
# Archive customization
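Review bot: `-X github.com/aquasecurity/kube-bench/cmd.cfgDir={{.Env.KUBEBENCH_CFG}}` bakes /etc/kube-bench/cfg into the release binaries, whereas the container images in this same compare set `WORKDIR /opt/kube-bench/` and `COPY cfg/ cfg/`; that is fine if packaged and containerised installs are meant to differ, but docs/installation.md (also touched here) should state where each build expects its config, and it is worth checking that the binary fails clearly when that default directory is absent. Note also that `-extldflags '-static'` is redundant once CGO_ENABLED=0 is set in the env block above, though harmless.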
46 changes: 35 additions & 11 deletions Dockerfile
@@ -1,4 +1,4 @@
FROM golang:1.22.1 AS build
FROM golang:1.23.6 AS build
WORKDIR /go/src/github.com/aquasecurity/kube-bench/
COPY makefile makefile
COPY go.mod go.sum ./
@@ -9,11 +9,22 @@ COPY internal/ internal/
ARG KUBEBENCH_VERSION
RUN make build && cp kube-bench /go/bin/kube-bench

FROM alpine:3.19.1 AS run
# Add kubectl to run policies checks
ARG KUBECTL_VERSION TARGETARCH
RUN wget -O /usr/local/bin/kubectl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl"
RUN wget -O kubectl.sha256 "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256"

# Verify kubectl sha256sum
RUN /bin/bash -c 'echo "$(<kubectl.sha256) /usr/local/bin/kubectl" | sha256sum -c -'

RUN chmod +x /usr/local/bin/kubectl

FROM alpine:3.21.2 AS run
WORKDIR /opt/kube-bench/
# add GNU ps for -C, -o cmd, and --no-headers support
# add GNU ps for -C, -o cmd, --no-headers support and add findutils to get GNU xargs
# https://github.com/aquasecurity/kube-bench/issues/109
RUN apk --no-cache add procps
# https://github.com/aquasecurity/kube-bench/issues/1656
RUN apk --no-cache add procps findutils

# Upgrading apk-tools to remediate CVE-2021-36159 - https://snyk.io/vuln/SNYK-ALPINE314-APKTOOLS-1533752
# https://github.com/aquasecurity/kube-bench/issues/943
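Review bot: the checksum step verifies kubectl against kubectl.sha256 fetched from the same origin (dl.k8s.io) in the preceding RUN, so it catches a truncated or corrupted download but not a substituted artifact, since whoever can alter the binary at that origin can alter the .sha256 beside it; if supply-chain integrity is the intent, record the expected digest per KUBECTL_VERSION in the repository (or verify the upstream signature) and compare against that. The `$(<kubectl.sha256)` form only works because the download runs in the Debian-based golang build stage where /bin/bash exists; it would not in the alpine run stage.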
@@ -29,21 +40,34 @@ RUN wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/s
RUN apk add gcompat
RUN apk add jq

ENV PATH=$PATH:/usr/local/mount-from-host/bin
# Add bash for running helper scripts
RUN apk add bash

ENV PATH=$PATH:/usr/local/mount-from-host/bin:/go/bin

COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
COPY entrypoint.sh .
COPY cfg/ cfg/
COPY helper_scripts/check_files_owner_in_dir.sh /go/bin/
RUN chmod a+x /go/bin/check_files_owner_in_dir.sh
ENTRYPOINT ["./entrypoint.sh"]
CMD ["install"]

# Build-time metadata as defined at http://label-schema.org
ARG BUILD_DATE
ARG VCS_REF
ARG KUBEBENCH_VERSION

LABEL org.label-schema.build-date=$BUILD_DATE \
org.label-schema.name="kube-bench" \
org.label-schema.description="Run the CIS Kubernetes Benchmark tests" \
org.label-schema.url="https://github.com/aquasecurity/kube-bench" \
org.label-schema.vcs-ref=$VCS_REF \
org.label-schema.vcs-url="https://github.com/aquasecurity/kube-bench" \
org.label-schema.schema-version="1.0"
org.label-schema.name="kube-bench" \
org.label-schema.vendor="Aqua Security Software Ltd." \
org.label-schema.version=$KUBEBENCH_VERSION \
org.label-schema.release=$KUBEBENCH_VERSION \
org.label-schema.summary="Aqua security server" \
org.label-schema.maintainer="admin@aquasec.com" \
org.label-schema.description="Run the CIS Kubernetes Benchmark tests" \
org.label-schema.url="https://github.com/aquasecurity/kube-bench" \
org.label-schema.vcs-ref=$VCS_REF \
org.label-schema.vcs-url="https://github.com/aquasecurity/kube-bench" \
org.label-schema.schema-version="1.0"
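Review bot: the new label `org.label-schema.summary="Aqua security server"` does not describe this image and disagrees with Dockerfile.ubi in this same compare, which uses `summary="Aqua Security Kube-bench."`; align the three Dockerfiles on one summary string. Separately, `RUN chmod a+x /go/bin/check_files_owner_in_dir.sh` is done here but not in Dockerfile.ubi or Dockerfile.fips.ubi, where the script is only copied, so executability there depends on the file mode committed to git; `COPY --chmod=755` in all three would make it deterministic.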
31 changes: 24 additions & 7 deletions Dockerfile.fips.ubi
@@ -1,4 +1,4 @@
FROM golang:1.22.1 AS build
FROM golang:1.23.6 AS build
WORKDIR /go/src/github.com/aquasecurity/kube-bench/
COPY makefile makefile
COPY go.mod go.sum ./
@@ -9,6 +9,14 @@ COPY internal/ internal/
ARG KUBEBENCH_VERSION
RUN make build-fips && cp kube-bench /go/bin/kube-bench

# Add kubectl to run policies checks
ARG KUBECTL_VERSION TARGETARCH
RUN wget -O /usr/local/bin/kubectl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl"
RUN wget -O kubectl.sha256 "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256"
# Verify kubectl sha256sum
RUN /bin/bash -c 'echo "$(<kubectl.sha256) /usr/local/bin/kubectl" | sha256sum -c -'
RUN chmod +x /usr/local/bin/kubectl


# ubi8-minimal base image for build with ubi standards
FROM registry.access.redhat.com/ubi9/ubi-minimal as run
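Review bot: the kubectl binary fetched here from dl.k8s.io is the upstream release build, which uses Go's standard crypto rather than a FIPS-validated module, so adding it to the image built with `make build-fips` means the FIPS image now ships a TLS client that does not carry the property its name advertises; confirm that is acceptable, or build kubectl with the same FIPS toolchain used for kube-bench. The context comment `# ubi8-minimal base image` is also stale given `FROM registry.access.redhat.com/ubi9/ubi-minimal`.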
@@ -31,19 +39,28 @@ ENV PATH=$PATH:/usr/local/mount-from-host/bin

COPY LICENSE /licenses/LICENSE
COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
COPY entrypoint.sh .
COPY cfg/ cfg/
COPY helper_scripts/check_files_owner_in_dir.sh /go/bin
ENTRYPOINT ["./entrypoint.sh"]
CMD ["install"]


# Build-time metadata as defined at http://label-schema.org
ARG BUILD_DATE
ARG VCS_REF
ARG KUBEBENCH_VERSION

LABEL org.label-schema.build-date=$BUILD_DATE \
org.label-schema.name="kube-bench" \
org.label-schema.description="Run the CIS Kubernetes Benchmark tests" \
org.label-schema.url="https://github.com/aquasecurity/kube-bench" \
org.label-schema.vcs-ref=$VCS_REF \
org.label-schema.vcs-url="https://github.com/aquasecurity/kube-bench" \
org.label-schema.schema-version="1.0"
org.label-schema.name="kube-bench" \
org.label-schema.vendor="Aqua Security Software Ltd." \
org.label-schema.version=$KUBEBENCH_VERSION \
org.label-schema.release=$KUBEBENCH_VERSION \
org.label-schema.summary="Aqua security server" \
org.label-schema.maintainer="admin@aquasec.com" \
org.label-schema.description="Run the CIS Kubernetes Benchmark tests" \
org.label-schema.url="https://github.com/aquasecurity/kube-bench" \
org.label-schema.vcs-ref=$VCS_REF \
org.label-schema.vcs-url="https://github.com/aquasecurity/kube-bench" \
org.label-schema.schema-version="1.0"
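Review bot: the helper script is copied to /go/bin, but the hunk's context line `ENV PATH=$PATH:/usr/local/mount-from-host/bin` does not add /go/bin to PATH the way the alpine Dockerfile in this compare does (`ENV PATH=$PATH:/usr/local/mount-from-host/bin:/go/bin`), so any check that invokes `check_files_owner_in_dir.sh` by name without a path will fail in the UBI images while passing in the default image; add /go/bin here and in Dockerfile.ubi. The `org.label-schema.summary="Aqua security server"` label has the same mismatch noted for Dockerfile.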
33 changes: 25 additions & 8 deletions Dockerfile.ubi
@@ -1,4 +1,4 @@
FROM golang:1.22.1 AS build
FROM golang:1.23.6 AS build
WORKDIR /go/src/github.com/aquasecurity/kube-bench/
COPY makefile makefile
COPY go.mod go.sum ./
@@ -9,6 +9,14 @@ COPY internal/ internal/
ARG KUBEBENCH_VERSION
RUN make build && cp kube-bench /go/bin/kube-bench

# Add kubectl to run policies checks
ARG KUBECTL_VERSION TARGETARCH
RUN wget -O /usr/local/bin/kubectl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl"
RUN wget -O kubectl.sha256 "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256"
# Verify kubectl sha256sum
RUN /bin/bash -c 'echo "$(<kubectl.sha256) /usr/local/bin/kubectl" | sha256sum -c -'
RUN chmod +x /usr/local/bin/kubectl


# ubi8-minimal base image for build with ubi standards
FROM registry.access.redhat.com/ubi9/ubi-minimal as run
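Review bot: this is the third verbatim copy of the kubectl download-and-verify block (Dockerfile, Dockerfile.fips.ubi, Dockerfile.ubi); any future fix to the checksum logic has to land in all three, so consider moving the fetch into one shared build stage or a small script under helper_scripts/ that each Dockerfile invokes.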
@@ -27,23 +35,32 @@ RUN microdnf install -y yum findutils openssl \

WORKDIR /opt/kube-bench/

ENV PATH=$PATH:/usr/local/mount-from-host/bin
ENV PATH=$PATH:/usr/local/mount-from-host/bin

COPY LICENSE /licenses/LICENSE
COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
COPY entrypoint.sh .
COPY cfg/ cfg/
COPY helper_scripts/check_files_owner_in_dir.sh /go/bin
ENTRYPOINT ["./entrypoint.sh"]
CMD ["install"]


# Build-time metadata as defined at http://label-schema.org
ARG BUILD_DATE
ARG VCS_REF
ARG KUBEBENCH_VERSION

LABEL org.label-schema.build-date=$BUILD_DATE \
org.label-schema.name="kube-bench" \
org.label-schema.description="Run the CIS Kubernetes Benchmark tests" \
org.label-schema.url="https://github.com/aquasecurity/kube-bench" \
org.label-schema.vcs-ref=$VCS_REF \
org.label-schema.vcs-url="https://github.com/aquasecurity/kube-bench" \
org.label-schema.schema-version="1.0"
org.label-schema.description="Run the CIS Kubernetes Benchmark tests" \
org.label-schema.url="https://github.com/aquasecurity/kube-bench" \
org.label-schema.vcs-ref=$VCS_REF \
org.label-schema.vcs-url="https://github.com/aquasecurity/kube-bench" \
org.label-schema.schema-version="1.0" \
vendor="Aqua Security Software Ltd." \
maintainer="Aqua Security Software Ltd." \
version=$KUBEBENCH_VERSION \
release=$KUBEBENCH_VERSION \
summary="Aqua Security Kube-bench." \
description="Run the CIS Kubernetes Benchmark tests"
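Review bot: the `ENV PATH=$PATH:/usr/local/mount-from-host/bin` line appears as both removed and added with identical visible content, so this is a whitespace-only change and /go/bin is still not on PATH here, unlike in Dockerfile; and the new labels use the bare Red Hat keys (`vendor`, `maintainer`, `version`, `release`, `summary`, `description`) while Dockerfile and Dockerfile.fips.ubi use `org.label-schema.*` for the same metadata, with `maintainer` set to "Aqua Security Software Ltd." here but "admin@aquasec.com" there; pick one scheme and one set of values (or set both schemes) consistently across the three images.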
2 changes: 1 addition & 1 deletion cfg/ack-1.0/node.yaml
@@ -377,7 +377,7 @@ groups:
op: valid_elements
value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
remediation: |
If using a Kubelet config file, edit the file to set TLSCipherSuites: to
If using a Kubelet config file, edit the file to set tlsCipherSuites: to
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
or to a subset of these values.
If using executable arguments, edit the kubelet service file
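Review bot: the change is correct: the KubeletConfiguration field is `tlsCipherSuites`, and since YAML keys are case-sensitive the old `TLSCipherSuites:` remediation text would not set the intended field; the file list shows the same one-line fix applied to the other node.yaml files, and the unchanged `value:` list in the check above means detection and remediation now reference the same cipher set.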
2 changes: 2 additions & 0 deletions cfg/cis-1.10/config.yaml
@@ -0,0 +1,2 @@
---
## Version-specific settings that override the values in cfg/config.yaml