ING RKE2-CIS-1.24 CHECKS #1685
ING RKE2-CIS-1.24 CHECKS #1685
Conversation
|
Saurabh Misra seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it. |
|
Hi guys! |
| @@ -318,6 +319,7 @@ groups: | |||
| For example, | |||
| chmod -R 600 /var/lib/rancher/rke2/server/tls/*.crt | |||
| scored: false | |||
| type: manual | |||
There was a problem hiding this comment.
it seems this check (1.1.20) is automated by the docs.
and text field contains a mistake.
There was a problem hiding this comment.
@afdesk I was referring to https://docs.rke2.io/security/cis_self_assessment124#1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual. Here 1.1.10,1.1.20 and 1.1.21 are mentioned as manual
Would you like me to revert the change?
There was a problem hiding this comment.
in this doc: 1.1.20 is manual: https://docs.rke2.io/security/cis_self_assessment124#1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual
but 1.1.21 is automated... https://docs.rke2.io/security/cis_self_assessment124#1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated
I'd like to clarify the correct source at first.
| @@ -159,6 +159,7 @@ groups: | |||
| For example, | |||
| chown root:root <path/to/cni/files> | |||
| scored: false | |||
| type: manual | |||
There was a problem hiding this comment.
it's a bit strange. because the same test for RKE1 is automated.
and audit shows commands for check...
There was a problem hiding this comment.
cfg/rke2-cis-1.24/node.yaml
Outdated
| @@ -432,14 +432,14 @@ groups: | |||
| - flag: RotateKubeletServerCertificate | |||
| path: '{.featureGates.RotateKubeletServerCertificate}' | |||
| set: false | |||
| type: skip | |||
There was a problem hiding this comment.
I can see that check 1.3.6 isn't applicable for RKE2: the docs
but 4.2.12 is manual check and should pass: 4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)
maybe we shouldn't skip it?
There was a problem hiding this comment.
There was a problem hiding this comment.
|
@sm171190 could you sign CLA for tests? |
sm171190
force-pushed
the
sa-fixing-rke-cis-1.24-checks
branch
from
278639e
to
5805d20
Compare
In this change we are making 2 changes: 1. Seom CIS-1.24 checks(1.3.6 , 4.2.12 are not relevant for RKE clusters). So we will skip them. 2. SomeCIS-1.24 tests(1.1.10,1.1.20) are manual checks yet they don't have the type correctly set causing KB to run them with all automated tests.
sm171190
force-pushed
the
sa-fixing-rke-cis-1.24-checks
branch
from
5805d20
to
ba6cb26
Compare
| @@ -335,6 +337,7 @@ groups: | |||
| For example, | |||
| chmod -R 600 /var/lib/rancher/rke2/server/tls/*.key | |||
| scored: false | |||
| type: manual | |||
There was a problem hiding this comment.
based on docs.rke2.io, 1.1.21 is automated: https://docs.rke2.io/security/cis_self_assessment124#1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated
Do you think we should ignore it?
| @@ -432,6 +432,7 @@ groups: | |||
| - flag: RotateKubeletServerCertificate | |||
| path: '{.featureGates.RotateKubeletServerCertificate}' | |||
| set: false | |||
| type: manual | |||
There was a problem hiding this comment.
|
and tests can't be passed without CLA |
|
also it makes sense to update the PR description, and add a link to the docs there. |
|
just note |
In this change we are making 2 changes:
Some checks are being skipped(1.3.6,4.2.12)as they are not applicable for an RKE2 cluster
checks 1.3.6 and 4.2.12 check whether the cluster has been configured with the flags to rotate TLS certificates. However, RKE Internally handles certificate rotation : Rotate certificates for RKE2 provisioned clusters rancher/dashboard#4485