Adding GKE-1.6.0 CIS benchmark #1677
Conversation
|
|
|
Hi @deboshree-b, just FIY: there is a PR #1672 from last week that is also trying to add GKE 1.6.0 CIS benchmark. |
| Recommendation 5.8.1. | ||
| scored: false | ||
|
|
||
| - id: 2.2 |
There was a problem hiding this comment.
There is no more section 2.2. in GKE 1.6.0: https://workbench.cisecurity.org/benchmarks/16093/sections/2382179
| - flag: "permissions" | ||
| compare: | ||
| op: bitmask | ||
| value: "644" |
| value: "644" | ||
| remediation: | | ||
| Run the following command (using the config file location identied in the Audit step) | ||
| chmod 644 /var/lib/kubelet/config.yaml |
| scored: true | ||
|
|
||
| - id: 3.2.7 | ||
| text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Automated)" |
There was a problem hiding this comment.
the argument is called --eventRecordQPS and not event-qps: https://workbench.cisecurity.org/sections/2737106/recommendations/4429347
There was a problem hiding this comment.
I know it's actually the --event-qps argument as per the kubelet docs: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
| @@ -278,11 +279,13 @@ version_mapping: | |||
| "1.24": "cis-1.24" | |||
| "1.25": "cis-1.7" | |||
| "1.26": "cis-1.8" | |||
| "oke-1.26": "oke-1.26" | |||
There was a problem hiding this comment.
it seems oke-1.26 doesn't relevant GKE-1.6.0, right?
or did i miss something?
|
@deboshree-b thanks for your contribution! |
|
#1672 is already merged, so if need we should update the current configs/policies. |
The benchmarks are derived using this file
CIS Google Kubernetes Engine (GKE) Benchmark v1.6.0 PDF.pdf