siderolabs / talos

Talos Linux is a modern Linux distribution built for Kubernetes.
https://www.talos.dev
Mozilla Public License 2.0

Add documentation about CIS hardening and compliance verification #4174

Open olljanat opened 3 years ago

olljanat commented 3 years ago

Based on #957 it looks like at some point the target was to make Talos CIS compliant, but I was not able to find whether those tests still run and where the results would be stored.

What I have found so far is that https://github.com/aquasecurity/kube-bench/blob/main/job.yaml needs to be modified so that these mounts are disabled (maybe it would make sense to include those as empty folders?):

After that the scan can be run, and this was the result on v0.11.5: kube-bench_v0.11.5_result.log

Many of those tests fail because the files are in a different place (e.g. the files in /etc/kubernetes/manifests/ carry a "talos-" prefix). However, not everyone is ready for all CIS requirements (e.g. disabling root containers), so probably the best option would be to add an option to enable CIS hardening (like RKE2 does). That should probably be done so that it is first added as an option which is disabled by default, and then in some future version changed the other way around (as many might miss that setting unless it is enabled by default).

Also, some of those failing tests can be handled by just explaining in the documentation how Talos does things differently.
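The comment above distinguishes failures that are only due to Talos' file layout from failures that reflect a real policy gap. As an added example (not code from the issue or from the Talos project), the script below parses kube-bench's text output and splits the FAIL lines into those two buckets; the sample log lines are constructed in the shape of kube-bench output, and the keyword heuristic for "layout" failures is an assumption for this example, not a CIS definition.

```python
import re
from collections import Counter

# Matches kube-bench result lines such as "[FAIL] 1.1.2 Ensure that ..."
RESULT_RE = re.compile(r"^\[(PASS|FAIL|WARN|INFO)\]\s+(\d+(?:\.\d+)*)\s+(.*)$")

# Constructed sample in the shape of kube-bench's text output; it is not the
# kube-bench_v0.11.5_result.log attached to the issue.
SAMPLE_LOG = """\
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 Master Node Configuration Files
[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
[FAIL] 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)
[FAIL] 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)
[WARN] 1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)
[INFO] 1.2 API Server
[FAIL] 1.2.16 Ensure that the admission control plugin PodSecurityPolicy is set (Automated)
[PASS] 1.2.17 Ensure that the admission control plugin NodeRestriction is set (Automated)
"""

# Assumed heuristic: checks that stat a config or manifest file fail on Talos
# because the file lives elsewhere or carries a "talos-" prefix, so they need a
# documentation note or a path fix rather than a hardening change.
LAYOUT_HINTS = ("specification file", "file permissions", "file ownership")


def parse_results(log_text):
    """Yield (status, check_id, text) for each result line; INFO section headers are skipped."""
    for line in log_text.splitlines():
        m = RESULT_RE.match(line)
        if m and m.group(1) != "INFO":
            yield m.group(1), m.group(2), m.group(3)


def is_layout_failure(text):
    """True when the check text looks like a file-location/permission check."""
    lowered = text.lower()
    return any(hint in lowered for hint in LAYOUT_HINTS)


def summarize(log_text):
    """Count results per status and split FAIL ids into 'layout' vs 'policy' buckets."""
    counts = Counter()
    failures = {"layout": [], "policy": []}
    for status, check_id, text in parse_results(log_text):
        counts[status] += 1
        if status == "FAIL":
            failures["layout" if is_layout_failure(text) else "policy"].append(check_id)
    return {"counts": dict(counts), "failures": failures}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a real kube-bench log to get a first triage list: the "policy" bucket is what a CIS hardening option would have to address, the "layout" bucket is documentation material.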

smira commented 4 months ago

So after some discussion internally, our first step would be:

  1. Go over the existing CIS benchmarks and make sure Talos has either an integration or a unit test verifying each one (if it applies to Talos).
  2. If there's something that can be improved in Talos to comply with CIS, fix it.

Running the existing CIS benchmarks on Talos makes little sense, as they are kubeadm-based and don't quite work for Talos.

smira commented 3 months ago

https://github.com/aquasecurity/kube-bench/tree/main/cfg/cis-1.24