[rke2] - enable cis-profile, add configuration for CIS hardening #263

Merged Apr 24, 2024 (1 commit)

AshleyDumaine (Member) commented Apr 18, 2024

What type of PR is this?

/kind feature

What this PR does / why we need it: Enables the CIS profile for the RKE2 flavor and adds some extra configuration for CIS hardening. Unfortunately we can't use "cis" for RKE2 1.29 due to a CRD validation issue where that is not present in the enum. I've opened a PR upstream for that in the meantime.

With an RKE2 cluster provisioned by CAPL with these changes, I ran a scan on it after installing the rancher-cis-benchmark helm chart:

    lastRunScanProfileName: rke2-cis-1.8-profile-hardened
    lastRunTimestamp: "2024-04-23T15:36:42Z"
    observedGeneration: 1
    summary:
      fail: 0
      notApplicable: 11
      pass: 71
      skip: 0
      total: 130
      warn: 48

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

TODOs:

  • squashed commits
  • includes documentation
  • adds unit tests
  • adds or updates e2e tests
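
One way to turn the scan summary quoted in the description into a repeatable gate, as an added example that is not code from this PR or the project: it parses the status fragment, checks that the counters add up to `total`, and reports any `fail`. The function names and the `max_warn` baseline are hypothetical.

```python
import re

# Constructed input: the status fragment quoted in the PR description.
SAMPLE_STATUS = """\
lastRunScanProfileName: rke2-cis-1.8-profile-hardened
lastRunTimestamp: "2024-04-23T15:36:42Z"
observedGeneration: 1
summary:
  fail: 0
  notApplicable: 11
  pass: 71
  skip: 0
  total: 130
  warn: 48
"""

COUNTERS = ("pass", "fail", "warn", "skip", "notApplicable")


def parse_summary(status_text):
    """Return the integer counters nested under the top-level 'summary:' key."""
    summary, in_summary = {}, False
    for line in status_text.splitlines():
        if not line.strip():
            continue
        if line[0] not in " \t":  # a top-level key opens or closes the block
            in_summary = line.strip() == "summary:"
            continue
        match = re.fullmatch(r"\s+(\w+):\s*(\d+)\s*", line)
        if in_summary and match:
            summary[match.group(1)] = int(match.group(2))
    return summary


def evaluate(summary, max_warn=None):
    """Return (ok, findings); max_warn is a hypothetical baseline for 'warn'."""
    missing = [key for key in COUNTERS + ("total",) if key not in summary]
    if missing:
        return False, ["missing counters: " + ", ".join(missing)]
    findings = []
    counted = sum(summary[key] for key in COUNTERS)
    if counted != summary["total"]:
        findings.append(f"counters sum to {counted}, total is {summary['total']}")
    if summary["fail"]:
        findings.append(f"{summary['fail']} failed checks")
    if max_warn is not None and summary["warn"] > max_warn:
        findings.append(f"warn rose to {summary['warn']} (baseline {max_warn})")
    return not findings, findings
```

Calling `evaluate(parse_summary(SAMPLE_STATUS), max_warn=48)` on the quoted result returns `(True, [])`; a later scan with a nonzero `fail` or a higher `warn` count returns `False` with the reasons listed.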

AshleyDumaine added the labels documentation (Improvements or additions to documentation) and rke2 (Pull requests pertaining to the rke2 flavor) Apr 18, 2024

codecov bot commented Apr 18, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 54.42%. Comparing base (d833668) to head (5eb3074).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #263   +/-   ##
=======================================
  Coverage   54.42%   54.42%           
=======================================
  Files          27       27           
  Lines        1560     1560           
=======================================
  Hits          849      849           
  Misses        663      663           
  Partials       48       48           


AshleyDumaine marked this pull request as ready for review April 23, 2024 17:53
AshleyDumaine changed the title from "[rke2] - enable cis-profile" to "[rke2] - enable cis-profile, add configuration for CIS hardening" Apr 23, 2024
AshleyDumaine merged commit 3ff0933 into main Apr 24, 2024
9 checks passed
AshleyDumaine deleted the rke2-cis-profile branch April 24, 2024 14:56