Add support for CIS OpenShift 1.6 Benchmark #1682

Add other resources needed for kube-bench pod
deebhatia committed Jan 29, 2025
commit 040c137c9d1aae4763692cf88e2b46a2c69e47c8
79 changes: 78 additions & 1 deletion job-ocp.yaml
@@ -1,15 +1,92 @@
---
Collaborator

What is the difference between job-ocp.yaml and job.yaml?

Author

A few additional volume mounts, "/etc/group" and "/etc/passwd", and service account token mounting.

serviceAccountName: kube-bench
automountServiceAccountToken: true

Collaborator

@deebhatia Do we need to include the dependent ServiceAccount and RBAC resources in this YAML file?

Author

Hi @mozillazg, thanks for the suggestion. I have included all the resources needed for the job to work in the same YAML file.

apiVersion: v1
kind: Namespace
metadata:
name: kube-bench
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: kube-bench
name: kube-bench-sa
namespace: kube-bench
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kube-bench
name: kube-bench-cluster-role
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- 'get'
- 'list'
- apiGroups:
- '*'
resources:
- 'pods/exec'
verbs:
- 'create'
- apiGroups:
- '*'
resources:
- 'pods'
- 'namespaces'
verbs:
- 'create'
- 'delete'
- 'watch'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kube-bench
name: kube-bench-cluster-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kube-bench-cluster-role
subjects:
- kind: ServiceAccount
name: kube-bench-sa
# It is mandatory to give namespace here and it doesn't pick the one mentioned in kubeconfig file.
namespace: kube-bench
# In kube-bench pod for Openshift, oc cli creates random namespaces to deploy debug pods for CIS checks.
# So, it will need privileged access.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kube-bench
name: kube-bench-privileged
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:openshift:scc:privileged
subjects:
- kind: ServiceAccount
name: kube-bench-sa
namespace: kube-bench
---
apiVersion: batch/v1
kind: Job
metadata:
name: kube-bench
namespace: kube-bench
spec:
template:
metadata:
labels:
app: kube-bench
spec:
serviceAccountName: kube-bench
serviceAccountName: kube-bench-sa
automountServiceAccountToken: true
containers:
- command: ["kube-bench"]
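Review bot: The ClusterRole here grants `get`/`list` on every resource in every API group (which includes Secrets cluster-wide), plus `create` on `pods/exec` and `create`/`delete`/`watch` on `pods` and `namespaces`, and the second ClusterRoleBinding additionally attaches `system:openshift:scc:privileged`; with `automountServiceAccountToken: true` that token is a highly privileged credential inside the kube-bench pod. The comment on the privileged binding explains the `oc` debug-pod requirement, but the wildcard read rule has no such justification: please add a comment listing which CIS checks need cluster-wide read of all resources, or narrow `resources: '*'` to the types the checks actually query, and document that the ServiceAccount and both bindings should be removed once the Job finishes. Separately, the rendered hunk shows both `serviceAccountName: kube-bench` and `serviceAccountName: kube-bench-sa` under the pod spec; the file header counts one deletion, so if the former is the removed line this is fine, otherwise the duplicate key needs to go.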