Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s #1513
Conversation
KiranBodipi
force-pushed
the
kb-cis-support-rancher
branch
2 times, most recently
from
d2fe885 to
90ea48d
Compare
|
@KiranBodipi The build is failing due to a YAML linting error. Can you fix the error and rebuild? |
KiranBodipi
force-pushed
the
kb-cis-support-rancher
branch
7 times, most recently
from
cb4e526 to
7eb142f
Compare
cmd/util.go
Outdated
| case "1.25", "1.26", "1.27": | ||
| return "k3s-cis-1.7" | ||
| } | ||
| case "rancher": |
There was a problem hiding this comment.
I think it should be rancher1
There was a problem hiding this comment.
In our logic, we are always adding rancher1 to RKE gitVersion eg: v1.26.8-rancher1.
Once it goes through getPlatformInfoFromVersion logic, it always yields "rancher"
You can check the example here - https://go.dev/play/p/x2IdtlQfov4
cmd/util_test.go
Outdated
| { | ||
| name: "rancher1", | ||
| args: args{ | ||
| platform: Platform{Name: "rancher", Version: "1.27"}, |
cmd/util.go
Outdated
| @@ -290,13 +295,23 @@ Alternatively, you can specify the version with --version | |||
| ` | |||
|
|
|||
| func getKubeVersion() (*KubeVersion, error) { | |||
| kubeConfig, err := rest.InClusterConfig() | |||
There was a problem hiding this comment.
rest.InClusterConfig() returns error, but it doesn't handle the errors adequately. Consider adding appropriate error handling to provide better feedback to users when issues occur.
cmd/util.go
Outdated
| @@ -290,13 +295,23 @@ Alternatively, you can specify the version with --version | |||
| ` | |||
|
|
|||
| func getKubeVersion() (*KubeVersion, error) { | |||
| kubeConfig, err := rest.InClusterConfig() | |||
| k8sClient, err := kubernetes.NewForConfig(kubeConfig) | |||
|
@chen-keinan @mozillazg can you review the changes. Benchmark files are taken from here https://github.com/rancher/security-scan/tree/master/package/cfg |
|
I will complete the review before next Monday. |
KiranBodipi
force-pushed
the
kb-cis-support-rancher
branch
from
9722774 to
63055a7
Compare
Based on the information furnished in https://ranchermanager.docs.rancher.com/v2.7/pages-for-subheaders/rancher-hardening-guides#hardening-guides-and-benchmark-versions , kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions.