Example Constraints Violating CIS Benchmark

Question

Example Constraints Violating CIS Benchmark

redcatsec opened this issue a year ago · comments

Overview:
create an example set of constraints that violate the CIS (Center for Internet Security) benchmark for Kubernetes. The purpose is to leverage these constraints within the fuzzing tool to generate resources that simulate non-compliant Pods.

Objective:
define a set of constraints that are considered "very bad" according to the CIS benchmark. These constraints will be used by the fuzzing tool to generate resources that test the resiliency and security of the Kubernetes admission controller.

Proposed Constraints:
To initiate the discussion, I propose the following example constraints that are expected to violate the CIS benchmark:

AllowPrivilegeEscalation: true
HostIPC: true
HostNetwork: true
HostPID: true
AllowPrivileged: true
Privileged: true
or more ..

redcat security commented a year ago

thanx

Benjamin Koltermann · Answer 1 · Fri Jul 14 2023 16:46:53 GMT+0800 (China Standard Time)

Hi @aasyria,

We are currently working on adding constrain files for sample Benchmarks, like CIS. I will ping you once we added these constrains.

Benjamin Koltermann · Answer 2 · Fri Jul 14 2023 17:01:41 GMT+0800 (China Standard Time)

We will use CIS Kubernetes V1.24 for the first Implementation.

tunn3l · Answer 3 · Tue Jul 18 2023 03:02:15 GMT+0800 (China Standard Time)

Hello @aasyria,

That's a great idea :) I've added a sample pod CIS 1.24 constraints on the main branch directly. Feel free to open a pull request to add some of your own!