Add documentation about CIS hardening and compliance verification #4174
Comments
|
So after some discussion internally, our first step would be:
Running existing CIS benchmarks on Talos makes little sense, as they are |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Based on #957 it looks that at least some point target have been made Talos CIS compliance but I was not able find if those tests still run and that where results would be stored.
What I have found so far is that https://github.com/aquasecurity/kube-bench/blob/main/job.yaml need to be modified on way that these mounts are disabled (maybe it would make sense to include those as empty folders? ):
After that scan can be run and this was result on v0.11.5:
kube-bench_v0.11.5_result.log
Many of those tests fails because files are on different place (e.g. files on /etc/kubernetes/manifests/ contains "talos-" prefix).
However not everyone is ready for all CIS requirements (e.g. disabling root containers) so probably best option would be add option to enable CIS hardening (like RKE2 does) and probably that should be done on way that it is first added as option is which is disabled by default and then on some future version change it other way around (as many might miss that setting unless it is enabled by default).
Also some of those failing tests can be handled by just explaining them on documentation about how Talos does things differently.
The text was updated successfully, but these errors were encountered: