Kube-bench Incompatible with OKE: configuration is missing in "cfg/" for oke

[shreyansh2953]

Hi Kube-bench Team, @LaibaBareera @afdesk

We’re currently working on integrating Kube-bench into our Oracle Kubernetes Engine (OKE) environment to generate vulnerability reports for our worker nodes.

Environment: Oracle Kubernetes Engine (OKE)
Kube-bench Version: 0.1.17
App Version: 0.8.0
Command Used: ["kube-bench", "run", "--targets", "node", "--benchmark", "cis-1.24"]

While executing the above command, we encountered failures in certain checks.
Here’s a snapshot of the issue:

Upon investigation, we referred to the CIS Benchmark for OKE v1.7.0 provided by Oracle. The benchmark outlines several environment-specific configurations. A few examples include:

• File permissions should be set to 644
• Kubelet configuration file should be located at: /etc/kubernetes/kubelet-config.json
  

But in comman config.yaml under cfg folder provided by kube-bench we were unable to find the location( /etc/kubernetes/kubelet-config.json) :-

and we saw in cfg folder that aquasecurity team has developed the cfg for different cloud providers like aks-1.7 , eks-1.9 etc. compatible to that env

so can we expect the same development for OKE env so that in command we can use something like oke-1.7 for cis benchmarking

[LaibaBareera]

Hi,
Thanks for raising this and for the detailed context. You’re right — kube-bench currently provides cloud-specific configs for providers like EKS and AKS, but not yet for Oracle Kubernetes Engine (OKE).
We agree it makes sense to add OKE-specific configuration files (e.g. cfg/oke-1.7/…) so the benchmark aligns with OKE’s environment, and you can run it directly with:
kube-bench run --targets node --benchmark oke-1.7
We can take this up and work on adding support for OKE.
In the meantime, if you already have a draft config mapping from the Oracle CIS Benchmark, feel free to share it or open a PR — that will help us accelerate the work.

Thanks again for highlighting this gap!

[shreyansh2953]

Hi @LaibaBareera

Thanks for the quick response and for confirming that OKE-specific configuration support will be there, really appreciate the clarity!
unfortunately, currently we don't have any draft config mapping from the Oracle CIS Benchmark to share.
Would you be able to share a tentative ETA for when the OKE support might be added?
That would help us plan accordingly on our end.

[LaibaBareera]

Hi @shreyansh2953,
Thank you for confirming, and I completely understand why having an ETA would help with your planning. At the moment, we don’t have a finalized timeline for OKE support — the work will involve creating and validating the mapping from the Oracle CIS benchmark. We will add this to our backlog in few days and will prioritize it, but I can’t commit to a specific date right now.

We’ll share updates as soon as we have clearer progress. In the meantime, if you happen to explore or draft any OKE-specific mappings on your side, please do share — it could help us accelerate the work.