
AKS 1.5.0 CIS benchmark #1678

Open: wants to merge 16 commits into base: main

Conversation

deboshree-b

@CLAassistant

CLAassistant commented Sep 15, 2024

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
0 out of 2 committers have signed the CLA.

❌ rootxrishabh
❌ deboshree-b

scored: false

- id: 4.2
  text: "Pod Security Policies"

This was renamed to Pod Security Standards: https://workbench.cisecurity.org/benchmarks/15692/sections/2312375

- id: 4.2.1
  text: "Minimize the admission of privileged containers (Automated)"
  remediation: |
    Create a PSP as described in the Kubernetes documentation, ensuring that

New (full) remediation text:

Add policies to each namespace in the cluster which has user workloads to restrict the admission of privileged containers.
To enable PSA for a namespace in your cluster, set the pod-security.kubernetes.io/enforce label with the policy value you want to enforce.

`kubectl label --overwrite ns NAMESPACE pod-security.kubernetes.io/enforce=restricted`

The above command enforces the restricted policy for the NAMESPACE namespace.
You can also enable Pod Security Admission for all your namespaces. For example:

`kubectl label --overwrite ns --all pod-security.kubernetes.io/warn=baseline`

Pod Security Policies and Assignments can be found by searching for Policies in the Azure Portal. A detailed step-by-step guide can be found here:

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes

- id: 4.2.2
  text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)"
  remediation: |
    Create a PSP as described in the Kubernetes documentation, ensuring that the

New (full) remediation text:

Add policies to each namespace in the cluster which has user workloads to restrict the admission of `hostPID` containers.

Pod Security Policies and Assignments can be found by searching for Policies in the Azure Portal. A detailed step-by-step guide can be found here:

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes

- id: 4.2.3
  text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)"
  remediation: |
    Create a PSP as described in the Kubernetes documentation, ensuring that the

New (full) remediation text:

Add policies to each namespace in the cluster which has user workloads to restrict the admission of `hostIPC` containers.

Pod Security Policies and Assignments can be found by searching for Policies in the Azure Portal. A detailed step-by-step guide can be found here:

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes

- id: 4.2.4
  text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
  remediation: |
    Create a PSP as described in the Kubernetes documentation, ensuring that the

New (full) remediation text:

Add policies to each namespace in the cluster which has user workloads to restrict the admission of `hostNetwork` containers.

Pod Security Policies and Assignments can be found by searching for Policies in the Azure Portal. A detailed step-by-step guide can be found here:

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes

- id: 4.2.5
  text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)"
  remediation: |
    Create a PSP as described in the Kubernetes documentation, ensuring that the

New (full) remediation text:

Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with `.spec.allowPrivilegeEscalation` set to `true`.

Pod Security Policies and Assignments can be found by searching for Policies in the Azure Portal. A detailed step-by-step guide can be found here:

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes
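The five review comments above all describe the same shift: the 4.2.x remediations now rely on Pod Security Admission labels on namespaces rather than PSPs. The script below is an added example (it is not kube-bench code and not the CIS benchmark's own check text) that audits pod and namespace objects, in the JSON shape `kubectl get ns,pods -A -o json` returns, for the settings controls 4.2.1 through 4.2.5 restrict, and flags pods in namespaces that carry no `pod-security.kubernetes.io/enforce` label at `baseline` or `restricted`. The sample objects are constructed for the example; the function names and the report format are the example's own.

```python
# Added audit example (not kube-bench or CIS code): checks CIS AKS 4.2.1-4.2.5
# against pod and namespace objects in the JSON shape kubectl returns.
# Sample objects below are constructed for the example.
import json

ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"
ACCEPTABLE_LEVELS = {"baseline", "restricted"}  # "privileged" admits everything


def namespace_psa_level(namespace):
    """Return the PSA enforce level labelled on a namespace object, or None."""
    labels = namespace.get("metadata", {}).get("labels") or {}
    return labels.get(ENFORCE_LABEL)


def pod_findings(pod):
    """Return (control id, description) pairs for settings the 4.2.x
    controls say admission should have restricted."""
    spec = pod.get("spec", {})
    findings = []
    if spec.get("hostPID"):
        findings.append(("4.2.2", "pod shares the host PID namespace"))
    if spec.get("hostIPC"):
        findings.append(("4.2.3", "pod shares the host IPC namespace"))
    if spec.get("hostNetwork"):
        findings.append(("4.2.4", "pod shares the host network namespace"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        name = c.get("name", "<unnamed>")
        if sc.get("privileged"):
            findings.append(("4.2.1", f"container {name} is privileged"))
        # allowPrivilegeEscalation lives under each container's securityContext;
        # Kubernetes treats an unset value as true, so only an explicit false passes.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(("4.2.5", f"container {name} allows privilege escalation"))
    return findings


def audit(namespaces, pods):
    """Map "namespace/pod" to its findings, adding a namespace-level finding
    when the namespace does not enforce at least the baseline profile."""
    ns_level = {ns["metadata"]["name"]: namespace_psa_level(ns) for ns in namespaces}
    report = {}
    for pod in pods:
        ns = pod["metadata"]["namespace"]
        key = f"{ns}/{pod['metadata']['name']}"
        findings = pod_findings(pod)
        if ns_level.get(ns) not in ACCEPTABLE_LEVELS:
            findings.append(("4.2", f"namespace {ns} has no baseline/restricted enforce label"))
        report[key] = findings
    return report


# Constructed sample objects (shape of `kubectl get ns,pods -o json` items).
SAMPLE_NAMESPACES = [
    {"metadata": {"name": "payments", "labels": {ENFORCE_LABEL: "restricted"}}},
    {"metadata": {"name": "sandbox", "labels": {}}},
]
SAMPLE_PODS = [
    {"metadata": {"name": "api", "namespace": "payments"},
     "spec": {"containers": [{"name": "api",
                              "securityContext": {"allowPrivilegeEscalation": False}}]}},
    {"metadata": {"name": "debug", "namespace": "sandbox"},
     "spec": {"hostPID": True, "hostNetwork": True,
              "containers": [{"name": "shell", "securityContext": {"privileged": True}}]}},
]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_NAMESPACES, SAMPLE_PODS), indent=2))
```

The namespace check is deliberately separate from the per-pod checks: a pod that looks clean today can still be replaced by a privileged one tomorrow if its namespace only carries `warn=baseline` (as in the `--all` command quoted above) rather than an `enforce` label, so both views belong in the report.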

4 participants