Closed mogul closed 2 years ago
I just noticed this:
The EKS Benchmark is applicable to EC2 nodes (both managed and self managed) where you’re responsible for security configurations of Kubernetes components. This benchmark is, however, not applicable to Amazon EKS on AWS Fargate as you do not own or manage Kubernetes component configurations when using AWS Fargate.
Since the control plane is AWS' responsibility and we run no nodes, I guess there's no value in running the benchmark for us and we don't need to do this story...?
Here's a nice blog post on how to run the CISbenchmark from within the cluster; it provides a ready-to-go manifest and instructions for getting the results.
kube-bench
doesn't even run in Fargate, at least without further tweaking:
status:
conditions:
- lastProbeTime: null
lastTransitionTime: "2021-04-28T00:28:26Z"
message: 'Pod not supported on Fargate: fields not supported: HostPID, volumes
not supported: var-lib-kubelet is of an unsupported volume Type, etc-systemd
is of an unsupported volume Type, etc-kubernetes is of an unsupported volume
Type'
reason: POD_UNSUPPORTED_ON_FARGATE
status: "False"
type: PodScheduled
phase: Pending
qosClass: BestEffort
I'll do some further digging, but I'm increasingly thinking that the CIS benchmark doesn't apply to us...
Confirmed, everything kube-bench checks under EKS is related to nodes. I'll remove mention of it from our SSP.
Moving this to Done
rather than closing it, as a record that we did our due diligence to determine that the CIS benchmark does not apply to our configuration.
Reopening since we're now using Managed Node Groups instead of Fargate and we want to demonstrate that we are maintaining this baseline.
Here's an up to date walkthrough of running the CIS EKS benchmark, including how to ensure the results are propagated to AWS Security Hub.
Excellent video demonstrating Starboard. I'm going to give this a try.
We've successfully run benchmarks by implementing @mogul's solution
We have also extracted the EKS CIS Benchmark reports from starboard using both (1) the Stock Amazon AMI and (2) the GSA-Hardened AMI.
User Story
In order to give auditors confidence that provisioned EKS clusters are following best-practices, we should be able to demonstrate that a provisioned cluster can pass the CIS EKS benchmark.
Acceptance Criteria
tree
kubectl plugin \ WHEN I usekubectl tree
on pods and nodes \ THEN I see resources that containing scanning results are presentkubectl get CISKubeBenchReport <nodename> -o wide
\ THEN I see a report indicating no tests failedkubectl get CISKubeBenchReport <nodename> -o yaml
\ THEN I see a detailed reportmake clean build up demo-up demo-test
\ THEN I see that there is a test for a CISKubeBenchReport with zero FAIL resultsBackground
[Any helpful contextual notes or links to artifacts/evidence, if needed]
See also this GSA ISE hardening guide for EKS
Security Considerations (required)
This change will ensure that any new deployment of the eks-brokerpak will only deploy CIS-compliant instances of AWS EKS. This will bolster confidence in the configuration of the EKS instances we create.
Sketch
starboard-operator
Note that AWS Security Hub can ingest kube-bench results. We may want to set this up if it turns out that we need to continuously report on existing instances, but it's probably out of scope for this story. Let's wait to see if it's required, and write that separate story when it's time.