
Add proper remediation info for K3s 4.2.XX sections #219

Merged
merged 6 commits into from
Jul 30, 2024

Conversation

dereknola
Member

@dereknola dereknola commented Jul 16, 2024

Changes

  • Fix newline spacing issues in k3s cis-1.8 versions.
  • Add missing "permissions=" output expected for 4.1.3 and 4.1.5
  • Add remediation for 4.2.XX sections of the K3s scans
    • Fixes incorrect audit; removes grep for specific flags when it is valid for the flag to not exist
    • Remove "skips" for 4.2.9 in hardened versions; we are skipping checks that we pass and comply with
    • Add K3s specific remediation info for most of the sections.

Verification (Section 4 Only)

Config for k3s (note: the last line is different for PSA vs PSP)

cluster-init: true
protect-kernel-defaults: true
secrets-encryption: true
kube-controller-manager-arg:
 - 'terminated-pod-gc-threshold=10'
 - 'use-service-account-credentials=true'
kubelet-arg:
 - 'streaming-connection-idle-timeout=5m'
 - 'make-iptables-util-chains=true'
 - 'event-qps=0'
 - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
kube-apiserver-arg:
 - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'
 - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'
 - 'audit-log-maxage=30'
 - 'audit-log-maxbackup=10'
 - 'audit-log-maxsize=100'
 - 'enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy'

K3s-cis-1.24-hardened (v1.24.17+k3s1)

[screenshots: old vs new scan output]

K3s-cis-1.7-hardened (v1.25.16+k3s4)

[screenshots: old vs new scan output]

K3s-cis-1.8-hardened (v1.28.11+k3s1)

[screenshots: old vs new scan output]

Signed-off-by: Derek Nola <derek.nola@suse.com>
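Added example (not code from this PR or from the rancher/kube-bench project) of the audit logic the "valid for the flag to not exist" change describes: a kubelet flag that is absent still passes when the kubelet default is compliant, whereas a check that only greps for the flag would fail it. The kubelet defaults in CHECKS are assumed upstream values to verify against your kubelet version; the cipher list is the one from the PR's k3s config, and both command lines are constructed, not captured from a real node.

```python
"""CIS 4.2-style kubelet flag audit that treats compliant defaults as PASS."""
import shlex
# Strong cipher suites, copied from the kubelet-arg in the PR's k3s config.
STRONG_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
}

# (flag, compliant(value), assumed upstream kubelet default, or None if the flag must be set)
CHECKS = [
    ("anonymous-auth", lambda v: v == "false", "true"),
    ("read-only-port", lambda v: v == "0", "10255"),
    ("streaming-connection-idle-timeout", lambda v: v not in ("0", "0s"), "4h0m0s"),
    ("make-iptables-util-chains", lambda v: v == "true", "true"),
    ("tls-cipher-suites", lambda v: set(v.split(",")) <= STRONG_CIPHERS, None),
]

def parse_flags(cmdline: str) -> dict:
    """Turn 'kubelet --a=1 --b 2 --c' into {'a': '1', 'b': '2', 'c': 'true'}."""
    toks, flags, i = shlex.split(cmdline)[1:], {}, 0
    while i < len(toks):
        key, sep, val = toks[i][2:].partition("=")
        if not sep and i + 1 < len(toks) and not toks[i + 1].startswith("--"):
            val, i = toks[i + 1], i + 1  # '--key value' form
        elif not sep:
            val = "true"                 # bare boolean flag
        flags[key] = val
        i += 1
    return flags

def evaluate(cmdline: str) -> dict:
    """Return {flag: (status, value, source)} for every check in CHECKS."""
    flags, results = parse_flags(cmdline), {}
    for flag, compliant, default in CHECKS:
        if flag in flags:
            value, source = flags[flag], "explicit"
        elif default is not None:
            value, source = default, "default"   # absent but default is known
        else:
            results[flag] = ("FAIL", None, "unset, no compliant default")
            continue
        results[flag] = ("PASS" if compliant(value) else "FAIL", value, source)
    return results

# Constructed kubelet command lines (not captured from a real node).
HARDENED = ("kubelet --anonymous-auth=false --read-only-port=0 --make-iptables-util-chains=true "
            "--streaming-connection-idle-timeout=5m --tls-cipher-suites="
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
MINIMAL = "kubelet --anonymous-auth=false --read-only-port 0"  # relies on kubelet defaults
```

Running `evaluate(MINIMAL)` passes make-iptables-util-chains and streaming-connection-idle-timeout via their defaults but fails tls-cipher-suites, which has no compliant default.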
@dereknola dereknola requested a review from a team as a code owner July 16, 2024 21:53
@dereknola dereknola force-pushed the k3s_425_4212 branch 3 times, most recently from 89c299d to 9b4d028 on July 17, 2024 17:58
andypitcher
andypitcher previously approved these changes Jul 18, 2024
@pjbgf pjbgf merged commit 926c997 into rancher:master Jul 30, 2024
8 checks passed
@dereknola dereknola deleted the k3s_425_4212 branch July 31, 2024 18:59