Update CIS Kubernetes Benchmark to v1.7.0 for RKE2 v1.25/26/27

[Jamison1]

Upon setting up RKE2 v1.25.8+rke2r1 I discovered the latest RKE2 CIS profile is v1.23 which was developed for K8s v1.23. That benchmark was last updated by CIS on 5/13/2022 as v1.0.1 of the v1.23 Benchmark and is not intended for K8s v1.25. Additionally, it looks like K8s v1.23 EOL was February 2023.

Describe the solution you'd like
Is it possible to add the correct CIS profile for RKE2 v1.25/26/27? The correct CIS Benchmark appears from the list below to be v1.7.0 and not v1.23

The naming convention from the Center for Internet Security could be better. Its confusing, so I've posted the latest 4 descriptions that match RKE2 versions of CIS Benchmarks and K8s:

CIS Benchmark v1.6.1 for K8s v1.18 Last updated 10/01/2020
CIS Benchmark v1.23 for K8s v1.23 Last updated 5/13/2022
CIS Benchmark v1.24 for K8s v1.24 Last updated 9/21/2022
CIS Benchmark v1.7.0 for K8s v1.25 Last updated 3/20/2023

The benchmarks are available as pdf files through normal searching on GitHub, etc.

There are ~12 rule changes between v1.23 and v1.7.0
Rules: 1.2.3, 1.2.16, 3.1.2, 3.1.3, 4.2.6, 4.2.8, 4.2.13, 5.1.9, 5.1.10, 5.1.11, 5.1.12 & 5.1.13.

It remains to be seen if the return to the original benchmark versioning implies that v1.7.0 will cover anything beyond K8s v1.25 with EOL suggested in October 2023.

Previous benchmarks ending with 1.6.1 each covered up to 3 major releases (1.6.1 covered K8s v1.16 - v1.18) so its possible that v1.7.0 could cover K8s v1.25 - v1.27. Would be great if CIS addressed this.

Describe alternatives you've considered
According to Pod Security Policy for RKE2 v1.25, CIS profile v1.23 needs to be used to enforce restricted mode.

Ive considered installing RKE2 v1.25.8+rke2r1 with CIS profile v1.23. If one takes that path, how would you update the benchmark to v1.7.0 after installation and ensure that v1.7.0 is the Benchmark enforced throughout Rancher products?

It appears that cis-1.23 is the only benchmark recognized by Rancher products for RKE2 v1.25.X.

Additional context
K8s version deprecation is fast moving by design. This makes it difficult for open source projects to keep up with other areas such as CIS Benchmarks.

Some Infrastructure maintainers may simply check the CIS Benchmark box with v1.23 on a K8s v1.25 install and move to the next task.

My reasons for using RKE2 goes beyond checking boxes however, and I would like to keep up with the correct/current CIS Benchmark using open source products.

[dereknola]

All issues around cis-1.7 support have been resolved at this point. using the cis-1.23 profile will provide you with a cis-1.7 compliant cluster of rke2 v1.25+. What remains to be done is change the name of the profile, which is was handled in #4708 and will be backported to all 1.25, 1.26, 1.27 in time for the September patch releases.

[rancher-max]

Moving this back to Working as it has not yet been backported (ref: https://github.com/rancher/rke2/blob/release-1.25/pkg/rke2/rke2.go#L67)

[aganesh-suse]

Validated on master branch with commit a52b3ab

Environment Details

Infrastructure

• Cloud
• Hosted

Node(s) CPU architecture, OS, and Version:

cat /etc/os-release | grep PRETTY
PRETTY_NAME="Ubuntu 22.04.2 LTS"

Cluster Configuration:

HA: 3 server, 1 agent

Config.yaml:

token: secret
write-kubeconfig-mode: "0644"
node-external-ip: 1.1.1.1
profile: "cis"

Testing Steps

1. Copy config.yaml

$ sudo mkdir -p /etc/rancher/rke2 && sudo cp config.yaml /etc/rancher/rke2

2. Install RKE2

curl -sfL https://get.rke2.io | sudo INSTALL_RKE2_COMMIT='a52b3abf608e45d31c04589c1fc118e065ea06e4' INSTALL_RKE2_TYPE='server' INSTALL_RKE2_METHOD=tar sh -

3. Follow https://docs.rke2.io/security/hardening_guide

$ sudo useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
$ sudo cp -f /usr/local/share/rke2/rke2-cis-sysctl.conf /etc/sysctl.d/60-rke2-cis.conf 
$ cat /etc/sysctl.d/60-rke2-cis.conf 
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
$ sudo systemctl restart systemd-sysctl 
$ sudo systemctl enable --now rke2-server
or 
$ sudo systemctl enable --now rke2-agent

4. Verify that with "profile: cis" generic entry in config.yaml, pods and nodes get running successfully.

Validation Results:

• rke2 version used for validation:

rke2 -v
rke2 version v1.28.2+dev.a52b3abf (a52b3abf608e45d31c04589c1fc118e065ea06e4)
go version go1.20.8 X:boringcrypto

Cluster Status:

$ kubectl get nodes
NAME               STATUS   ROLES                       AGE    VERSION
ip-1               Ready    control-plane,etcd,master   151m   v1.28.2+rke2r1
ip-2               Ready    control-plane,etcd,master   153m   v1.28.2+rke2r1
ip-3               Ready    <none>                      145m   v1.28.2+rke2r1
ip-4               Ready    control-plane,etcd,master   148m   v1.28.2+rke2r1

$ kubectl get pods -A
NAMESPACE     NAME                                                   READY   STATUS      RESTARTS   AGE
kube-system   cloud-controller-manager-ip-1                          1/1     Running     0          151m
kube-system   cloud-controller-manager-ip-2                          1/1     Running     0          154m
kube-system   cloud-controller-manager-ip-4                          1/1     Running     0          147m
kube-system   etcd-ip-1                                              1/1     Running     0          150m
kube-system   etcd-ip-2                                              1/1     Running     0          154m
kube-system   etcd-ip-4                                              1/1     Running     0          147m
kube-system   helm-install-rke2-canal-f689k                          0/1     Completed   0          154m
kube-system   helm-install-rke2-coredns-ntwwh                        0/1     Completed   0          154m
kube-system   helm-install-rke2-ingress-nginx-v644z                  0/1     Completed   0          154m
kube-system   helm-install-rke2-metrics-server-bkv42                 0/1     Completed   0          154m
kube-system   helm-install-rke2-snapshot-controller-c4xgl            0/1     Completed   1          154m
kube-system   helm-install-rke2-snapshot-controller-crd-5ncnt        0/1     Completed   0          154m
kube-system   helm-install-rke2-snapshot-validation-webhook-krfk8    0/1     Completed   0          154m
kube-system   kube-apiserver-ip-1                                    1/1     Running     0          150m
kube-system   kube-apiserver-ip-2                                    1/1     Running     0          153m
kube-system   kube-apiserver-ip-4                                    1/1     Running     0          148m
kube-system   kube-controller-manager-ip-1                           1/1     Running     0          151m
kube-system   kube-controller-manager-ip-2                           1/1     Running     0          154m
kube-system   kube-controller-manager-ip-4                           1/1     Running     0          147m
kube-system   kube-proxy-ip-1                                        1/1     Running     0          150m
kube-system   kube-proxy-ip-2                                        1/1     Running     0          154m
kube-system   kube-proxy-ip-172-31-29-144                            1/1     Running     0          146m
kube-system   kube-proxy-ip-4                                        1/1     Running     0          147m
kube-system   kube-scheduler-ip-1                                    1/1     Running     0          151m
kube-system   kube-scheduler-ip-2                                    1/1     Running     0          154m
kube-system   kube-scheduler-ip-4                                    1/1     Running     0          147m
kube-system   rke2-canal-fqm8g                                       2/2     Running     0          146m
kube-system   rke2-canal-lmfpm                                       2/2     Running     0          152m
kube-system   rke2-canal-pd9kk                                       2/2     Running     0          148m
kube-system   rke2-canal-ptcx4                                       2/2     Running     0          153m
kube-system   rke2-coredns-rke2-coredns-67f86d96c-fzp85              1/1     Running     0          151m
kube-system   rke2-coredns-rke2-coredns-67f86d96c-qd9wt              1/1     Running     0          153m
kube-system   rke2-coredns-rke2-coredns-autoscaler-d97d9cd9f-4nk8m   1/1     Running     0          153m
kube-system   rke2-ingress-nginx-controller-2t284                    1/1     Running     0          147m
kube-system   rke2-ingress-nginx-controller-7bpqb                    1/1     Running     0          146m
kube-system   rke2-ingress-nginx-controller-ndtxx                    1/1     Running     0          152m
kube-system   rke2-ingress-nginx-controller-nf5xr                    1/1     Running     0          150m
kube-system   rke2-metrics-server-c6fb46b64-f88jl                    1/1     Running     0          153m
kube-system   rke2-snapshot-controller-59cc9cd8f4-c2fbm              1/1     Running     0          153m
kube-system   rke2-snapshot-validation-webhook-54c5989b65-9m7gk      1/1     Running     0          153m