Group Discussion : CIS Benchmarks, BDD Testing and Tools Provisioning

[mcleo-d]

Description

During 19th November 2020 #79, @peterrhysthomas, @abdullahgarcia, @leefaus, @eddie-knight and @jamilmina1 discussed if teams are running CIS benchmarking against implemented services and whether there are other BBD test mechanisms.

Action

To schedule a discussion group to explore the subject further and report to the main CSC project group. Notes on the original conversation include ...

• CIS benchmark tools being explored for GCP. Is there wider group experience?
• Benchmarking tools don't have the data required, so teams are assuming outcomes based on retrospective experiences.
• Config scanning prior to deploy so evidence is documented that tests have run against known standards.
• Continuous feedback that IAC is meeting the benchmark as requests for evidence made with small changes.
• @eddie-knight contributes to https://github.com/citihub/probr, which could help resolve the problem.

Scheduled Group Meeting

Meeting scheduled with CSC project group for Wednesday 25th November @11:30am ET / 4:30pm GMT on the FINOS Community WebEx. All are invited to join.

[mcleo-d]

The following Cloud Service Certification group members met on Wednesday 25th November @11:30am ET / 4:30pm GMT

Name	GitHub Profile	Firm
Lee Faus	@leefaus	Armory
Alfred Tommy	@alfredtommy	Searce
Paul Jones	--	CitiHub
Eric Tice	@erictice	Wipro
Abdullah Garcia	@abdullahgarcia	JPMC
Jamil Mina	@jamilmina1	Red Hat
Eddie Knight	@eddie-knight	CitiHub

Discussion Points

• The outcome of the discussion should extend EPIC EPIC - Kubernetes Services #64 to provide an end-to-end example for GCP GKE definition (GCP GKE definition #65) - @alfredtommy
• @leefaus exploring Ansible, Pulumi and Terraform
• Service Accelerator Templates describe the output of cloud service once executed rather than the IaC script itself.
• If BDD expected to test the cloud service, each module would need testing once up and running. They might also need to be extended to return a status to the BDD script itself. Only the cloud service can provide this information.
• BDD tooling will depend upon the best practice we would like to test.
• BDD tests could be written for IaC defined using Open Policy Agent - https://www.openpolicyagent.org/
• CitiHub creating https://github.com/citihub/probr for writing Gherkin style IaC tests
• kube-bench runs CIS Benchmarks against worker nodes
  • https://www.eksworkshop.com/intermediate/300_cis_eks_benchmark/ssh-into-node/

Outcomes

• @leefaus and @eddie-knight to collaborate on Probr and OPA driven tests for GCP GKE definition (GCP GKE definition #65) using a single scenario defined in kubernetes.md. Spikes to target next CSC meeting on Thursday December 3rd @ 3pm GMT / 11am ET.

[iantivey]

Late to the party here, but we have a couple of things that might offer some assistance for this issue -

1. For AKS, we have transposed the GKE CIS Benchmarks onto AKS and have almost complete coverage of the relevant items, plus some additional tests that aren't covered by GKE. Some of the implementations run OPA under the covers. We've tried a few iterations and have now settled on a standardised way to spec the rego policies and BDD feature files.
2. We have the Probr Kubernetes pack running against a GKE instance in our demo environment. We believe this demonstrates the value of using Probr for testing, because we're able to use the same code to test against both Azure and Google services without any changes to the code, even though the implementations of the controls are quite different (e.g. Azure implements pod security using Azure Policy, Google use Kube PodSecurityPolicy).

[mcleo-d]

Thanks for the information above @iantivey 🚀

I'm going to tag @eddie-knight as he's keeping CSC informed on the benefits of Probr and is working close on the approach with @leefaus. Here's a link to @leefaus' conftest PR #91

Can the information above be used to create Probr integration stories with @eddie-knight as we move from Sprint 2 into Sprint 3?

Let me know your thoughts 💭

James.

[mcleo-d]

@leefaus - The Armory CCLA is now signed and you have been added to the FINOS CLA Bot. You are also free to move forward according to the following comment ... #119 (comment)

cc @eddie-knight

[mcleo-d]

Closed as superseded by #91, #62, #128