Available as of v2.5.4
Each Benchmark Version defines a set of test configuration files that define the CIS tests to be run by the kube-bench tool. The rancher-cis-benchmark application installs a few default Benchmark Versions which are listed under CIS Benchmark application menu.
But there could be some Kubernetes cluster setups that require custom configurations of the Benchmark tests. For example, the path to the Kubernetes config files or certs might be different than the standard location where the upstream CIS Benchmarks look for them.
It is now possible to create a custom Benchmark Version for running a cluster scan using the rancher-cis-benchmark application.
When a cluster scan is run, you need to select a Profile which points to a specific Benchmark Version.
Follow all the steps below to add a custom Benchmark Version and run a scan using it.
To create a custom benchmark version, first you need to create a ConfigMap containing the benchmark version’s config files and upload it to your Kubernetes cluster where you want to run the scan.
To prepare a custom benchmark version ConfigMap, suppose we want to add a custom Benchmark Version named foo. Create a directory named foo that contains the benchmark version's test configuration files, including its config.yaml.
Add the Benchmark version name to the target_mapping section of the config.yaml:

```yaml
target_mapping:
  "foo":
    - "master"
    - "node"
    - "controlplane"
    - "etcd"
    - "policies"
```
Upload this directory to your Kubernetes Cluster by creating a ConfigMap:

```
kubectl create configmap -n <namespace> foo --from-file=<path to directory foo>
```
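Before uploading the directory, it is worth checking that every target listed under target_mapping actually has a matching test file, since a missing file only surfaces later as a failed scan. The following added example (not part of the Rancher docs or the rancher-cis-benchmark project) performs that check and builds the equivalent ConfigMap manifest in the form `kubectl create configmap --from-file` would produce; the file contents, the namespace `example-ns`, and the minimal target_mapping parser (which only handles the layout shown above, not general YAML) are constructed assumptions.

```python
import json

# Constructed sample: the config.yaml from the page plus stub test files,
# keyed by filename exactly as they would sit in the "foo" directory.
SAMPLE_FILES = {
    "config.yaml": (
        "---\n"
        "target_mapping:\n"
        '  "foo":\n'
        '    - "master"\n'
        '    - "node"\n'
        '    - "controlplane"\n'
        '    - "etcd"\n'
        '    - "policies"\n'
    ),
    "master.yaml": "controls:\n  id: 1\n",
    "node.yaml": "controls:\n  id: 4\n",
    "controlplane.yaml": "controls:\n  id: 3\n",
    "etcd.yaml": "controls:\n  id: 2\n",
    "policies.yaml": "controls:\n  id: 5\n",
}


def parse_target_mapping(config_text):
    """Minimal parser for the target_mapping block only (assumption: not general YAML)."""
    mapping, version, inside = {}, None, False
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:  # a new top-level key ends the target_mapping block
            inside = line.strip() == "target_mapping:"
            continue
        if not inside:
            continue
        item = line.strip()
        if item.startswith("-") and version is not None:
            mapping[version].append(item[1:].strip().strip("\"'"))
        elif item.endswith(":"):
            version = item[:-1].strip("\"'")
            mapping[version] = []
    return mapping


def build_benchmark_configmap(name, namespace, files):
    """Validate the benchmark directory and return a ConfigMap manifest as a dict."""
    targets = parse_target_mapping(files.get("config.yaml", "")).get(name)
    if not targets:
        raise ValueError(f"config.yaml has no target_mapping entry for {name!r}")
    # Each target must have a <target>.yaml test file, or the scan cannot run.
    missing = [t for t in targets if f"{t}.yaml" not in files]
    if missing:
        raise ValueError(f"missing test files for targets: {missing}")
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": name, "namespace": namespace},
        "data": dict(files),
    }


if __name__ == "__main__":
    print(json.dumps(build_benchmark_configmap("foo", "example-ns", SAMPLE_FILES), indent=2))
```

The printed JSON can be applied with `kubectl apply -f` in place of the `kubectl create configmap` command above.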
To run a scan using your custom benchmark version, you need to add a new Profile (for example, foo-profile) pointing to this benchmark version.
Once the Profile pointing to your custom benchmark version foo has been created, you can create a new Scan to run the custom test configs in the Benchmark Version.
To run a scan,
Result: A report is generated with the scan results. To see the results, click the name of the scan that appears.