Description
Currently, kube-bench does not correctly determine the appropriate CIS version for RKE versions greater than 1.27. The selection logic is limited to platform.Version 1.23-1.27 (kube-bench/cmd/util.go, lines 522 to 538 in a38a3c5):

```go
case "rancher":
	switch platform.Version {
	case "1.23":
		return "rke-cis-1.23"
	case "1.24":
		return "rke-cis-1.24"
	case "1.25", "1.26", "1.27":
		return "rke-cis-1.7"
	}
case "rke2r":
	switch platform.Version {
	case "1.23":
		return "rke2-cis-1.23"
	case "1.24":
		return "rke2-cis-1.24"
	case "1.25", "1.26", "1.27":
		return "rke2-cis-1.7"
```

while newer versions default to predefined mappings (kube-bench/cfg/config.yaml, lines 284 to 287 in 2de22f8):

Kubernetes 1.28-1.29 → CIS 1.9
Kubernetes 1.30-1.31 → CIS 1.10

```yaml
"1.28": "cis-1.9"
"1.29": "cis-1.9"
"1.30": "cis-1.10"
"1.31": "cis-1.10"
```

This approach may not always be accurate, and we should handle such cases more gracefully.

Proposed Solution
We should check for the latest CIS benchmark for the latest RKE versions.
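One way to make the fallback explicit rather than silent, as an added example written for this issue (it is not kube-bench's code, and the `Platform`, `Resolution` and `ResolveBenchmark` names are assumptions): keep the exact per-platform mappings quoted above, and when a newer RKE/RKE2 version has no entry, resolve to the newest platform-specific benchmark at or below the requested version and say so in the result, instead of dropping to the generic `cis-1.x` table. Versions older than every known benchmark or malformed version strings return an error so a wrong benchmark is never chosen quietly.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Platform mirrors the (name, version) pair the selection logic switches on.
type Platform struct {
	Name    string // e.g. "rancher", "rke2r"
	Version string // Kubernetes minor, e.g. "1.28"
}

// Per-platform benchmark names exactly as they appear in cmd/util.go above.
var platformBenchmarks = map[string]map[string]string{
	"rancher": {
		"1.23": "rke-cis-1.23", "1.24": "rke-cis-1.24",
		"1.25": "rke-cis-1.7", "1.26": "rke-cis-1.7", "1.27": "rke-cis-1.7",
	},
	"rke2r": {
		"1.23": "rke2-cis-1.23", "1.24": "rke2-cis-1.24",
		"1.25": "rke2-cis-1.7", "1.26": "rke2-cis-1.7", "1.27": "rke2-cis-1.7",
	},
}

// Generic upstream mappings from cfg/config.yaml above; used only when the
// platform has no benchmark family of its own.
var genericBenchmarks = map[string]string{
	"1.28": "cis-1.9", "1.29": "cis-1.9",
	"1.30": "cis-1.10", "1.31": "cis-1.10",
}

// Resolution reports which benchmark was chosen and whether it was an exact
// match, so callers (and audit logs) can see when a fallback happened.
type Resolution struct {
	Benchmark string
	Exact     bool
	Note      string // populated only when Exact is false
}

// parseVersion turns "1.28" into (1, 28) and rejects anything else.
func parseVersion(v string) (int, int, error) {
	parts := strings.Split(v, ".")
	if len(parts) != 2 {
		return 0, 0, fmt.Errorf("unsupported version format %q", v)
	}
	major, err1 := strconv.Atoi(parts[0])
	minor, err2 := strconv.Atoi(parts[1])
	if err1 != nil || err2 != nil {
		return 0, 0, fmt.Errorf("unsupported version format %q", v)
	}
	return major, minor, nil
}

// ResolveBenchmark picks a benchmark for the platform. Assumed policy: exact
// match first; otherwise the newest platform benchmark not above the request,
// flagged as a fallback; never a silent switch to the generic table.
func ResolveBenchmark(p Platform) (Resolution, error) {
	major, minor, err := parseVersion(p.Version)
	if err != nil {
		return Resolution{}, err
	}
	table, known := platformBenchmarks[p.Name]
	if !known {
		if b, ok := genericBenchmarks[p.Version]; ok {
			return Resolution{Benchmark: b, Exact: true}, nil
		}
		return Resolution{}, fmt.Errorf("no benchmark mapping for %s %s", p.Name, p.Version)
	}
	if b, ok := table[p.Version]; ok {
		return Resolution{Benchmark: b, Exact: true}, nil
	}
	// Sort known platform versions newest-first and take the first one <= request.
	type ver struct {
		major, minor int
		key          string
	}
	var candidates []ver
	for k := range table {
		ma, mi, perr := parseVersion(k)
		if perr == nil {
			candidates = append(candidates, ver{ma, mi, k})
		}
	}
	sort.Slice(candidates, func(i, j int) bool {
		if candidates[i].major != candidates[j].major {
			return candidates[i].major > candidates[j].major
		}
		return candidates[i].minor > candidates[j].minor
	})
	for _, c := range candidates {
		if c.major < major || (c.major == major && c.minor <= minor) {
			return Resolution{
				Benchmark: table[c.key],
				Exact:     false,
				Note: fmt.Sprintf("no %s benchmark for %s; using newest platform benchmark (for %s)",
					p.Name, p.Version, c.key),
			}, nil
		}
	}
	return Resolution{}, fmt.Errorf("%s %s predates every known %s benchmark", p.Name, p.Version, p.Name)
}

func main() {
	for _, p := range []Platform{{"rancher", "1.27"}, {"rancher", "1.28"}, {"rke2r", "1.31"}} {
		r, err := ResolveBenchmark(p)
		fmt.Printf("%+v -> %+v err=%v\n", p, r, err)
	}
}
```

The `Note` field is the point: an operator reading kube-bench output for Rancher 1.28 can see that the RKE benchmark was chosen by fallback and decide whether that is acceptable, which is not possible when the generic `cis-1.9` entry is picked silently.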