Overhaul of K3s scans

[dereknola]

Background

• An effort to overhaul the K3s and RKE2 scans is being undertaken in the rancher/security-scan repo. These changes are being upstreamed into the kube-bench project.
• This is a combination of the following PRs:
  • https://github.com/rancher/security-scan/pull/221
  • https://github.com/rancher/security-scan/pull/219
  • https://github.com/rancher/security-scan/pull/228
  • https://github.com/rancher/security-scan/pull/232

    Changes

• Overhaul existing K3s v1.24 and v1.7 scans, ensuring that
  • All checks have proper remeditation sections that give specific details on K3s, not just the general CIS scans
  • All checks use the Automated and Manual correctly, identifiying what K3s by default will handle, and when user action in needed.
  • All checks have proper audit sections that work. Several were written wrong.
• Add K3s cis 1.8 scan with the same overhaul

Verification

k3s-cis-1.24

Tested on v1.24.17+k3s1 with the following config.yaml (standard hardening config from docs)

#/etc/rancher/k3s/config.yaml
cluster-init: true
protect-kernel-defaults: true
secrets-encryption: true
kube-controller-manager-arg:
  - 'terminated-pod-gc-threshold=10'
kubelet-arg:
  - 'streaming-connection-idle-timeout=5m'
  - 'make-iptables-util-chains=true'
  - 'event-qps=0'
  - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
kube-apiserver-arg:
  - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'
  - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'
  - 'audit-log-maxage=30'
  - 'audit-log-maxbackup=10'
  - 'audit-log-maxsize=100'
  - 'enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy'

Master	PR

k3s-cis-1.7

Tested on v1.25+k3s4 with the following config.yaml (standard hardening config from docs)

cluster-init: true
protect-kernel-defaults: true
secrets-encryption: true
kube-controller-manager-arg:
  - 'terminated-pod-gc-threshold=10'
kubelet-arg:
  - 'streaming-connection-idle-timeout=5m'
  - 'make-iptables-util-chains=true'
  - 'event-qps=0'
  - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
kube-apiserver-arg:
  - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'
  - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'
  - 'audit-log-maxage=30'
  - 'audit-log-maxbackup=10'
  - 'audit-log-maxsize=100'
  - 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'

Master	PR

k3s-cis-1.8

Tested on v1.28.11+k3s1 with the same config as k3s-cis-1.7

Note: CIS-1.9 scans are on the TODO for RKE2 and K3s, they should be incoming within the next month or two.

[dereknola]

@chen-keinan can I get a review/merge on this when you have time.

[mozillazg]

@chen-keinan can I get a review/merge on this when you have time.

@dereknola Unfortunately, Chen is no longer working on aquasecurity. We are waiting for a new aquasecurity team member who has permission to review/merge PRs. That may take more than one week.

[deven0t]

Hi @itaysk can you help merging this PR. Thanks cc @sm171190

[deven0t]

@dereknola we need to rebase this branch. Please do it, so it can be merged

[itaysk]

@afdesk can you please look at this and merge?

[afdesk]

yes, sure. I took a look at this PR.