Skip to content

Add support for CIS OpenShift 1.6 Benchmark #1682

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 18 commits into
base: main
Choose a base branch
from
Open

Add support for CIS OpenShift 1.6 Benchmark #1682

wants to merge 18 commits into from

Conversation

deebhatia
Copy link

@deebhatia deebhatia commented Sep 18, 2024
edited
Loading

This adds support of CIS OpenShift 1.6 Benchmark.

Closes #1457

CIS Benchmark Link

https://workbench.cisecurity.org/benchmarks/16094

CIS Blog mentioning the OpenShift 4.15 release version

https://www.cisecurity.org/insights/blog/cis-benchmarks-july-2024-update#CISRedHatOpenShiftContainerPlatformBenchmarkv1.6.0

Sample Run

Command Used

kube-bench run --json --version ocp-4.16

Report

1_6_results.json

@CLAassistant
Copy link

CLAassistant commented Sep 18, 2024
edited
Loading

CLA assistant check
All committers have signed the CLA.

@deebhatia deebhatia force-pushed the cis-openshift-1-6 branch 3 times, most recently from 2873eea to d2041f5 Compare October 14, 2024 17:45
@deebhatia
Copy link
Author

Hi @afdesk @mozillazg,
Can you please take some time and review it. :)

@afdesk
Copy link
Collaborator

afdesk commented Oct 23, 2024

Hi @deebhatia!
thanks for your contribution!
I'll take a look this week

@deebhatia
Copy link
Author

Hi @afdesk,

Can you please take some time out and review it?
Thanks in advance!

@deebhatia
Copy link
Author

Hi @afdesk @mozillazg, a gentle reminder for review.

mozillazg
mozillazg reviewed Jan 8, 2025
View reviewed changes
@afdesk afdesk added this to the v0.11.0 milestone Jan 15, 2025
@deebhatia
Copy link
Author

@afdesk @mozillazg Please retrigger the pending CI checks. The linting issues were solved.

@afdesk
Copy link
Collaborator

afdesk commented Mar 25, 2025

@deebhatia This branch is out-of-date with the base branch
Could you merge the main branch?
thanks!

@deebhatia
Copy link
Author

@deebhatia This branch is out-of-date with the base branch Could you merge the main branch? thanks!

@afdesk Thanks. Done.

@afdesk afdesk requested a review from mozillazg March 25, 2025 11:06
mozillazg
mozillazg reviewed Mar 29, 2025
View reviewed changes
job-ocp.yaml
- apiGroups:
- '*'
resources:
- '*'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ClusterRole defined in this file grants overly broad permissions by allowing access to all API groups and resources with 'get' and 'list' verbs. This violates the principle of least privilege. It's recommended to narrow down the permissions to only the specific API groups and resources that are necessary for the application to function correctly. For example, instead of apiGroups: '*' and resources: '*', specify only the required API groups and resources.

job-ocp.yaml
"--benchmark",
"rh-1.6",
]
image: docker.io/aquasec/kube-bench:latest
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems that job-ocp.yaml cannot use the specified image directly, as it relies on the oc command, which is not available in docker.io/aquasec/kube-bench:latest.
@afdesk should we replace the image with a placeholder like <kube-bench-image-include-oc-command> for flexibility, or update the kube-bench image to include the oc command?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as for me, an image will be better for using. we already have Dockerfile.ubi based on registry.access.redhat.com/ubi9/ubi-minimal. maybe we can use/update it.
but the image with a placeholder will be OK too.

@mozillazg mozillazg requested a review from afdesk March 29, 2025 04:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mozillazg mozillazg mozillazg left review comments

@anchal39 anchal39 anchal39 approved these changes

@afdesk afdesk Awaiting requested review from afdesk

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v0.11.0
Development

Successfully merging this pull request may close these issues.
5 participants
@deebhatia @CLAassistant @afdesk @mozillazg @anchal39