CIS benchmark rke2 hardened fails in 5.3.1 with cilium as CNI #154
Comments
See a similar failure when the CNI is
@jtravee release note for 2.6.5:
Added to published notes!
I validated this issue with both Cilium and Canal CNI. With Canal the test is passing but with Cilium it's failing. Anupama mentioned there that "Hardening guide template for RKE2 currently only supports CNI canal".
IMO the issue is not that the
Have updated the security scan to pass for all CNIs which support network policies.
Validated on rancher v2.7-head(35388ea)
Steps followed:
Result:
/backport v2.6.10
Just updated to rancher 2.6.5 and deployed cis benchmark 2.0.4. Scanned the downstream cluster and got an error for 5.3.1 (cni does not support network policies).
This is a false positive as cilium does support and has enabled network policies.
Seems this is the root cause https://github.com/rancher/security-scan/blob/9116bbe07914478ca79e0756a4798fa41a49a95e/package/cfg/rke2-cis-1.6-hardened/policies.yaml#L200
Could we get this "fixed" in a way that also accepts cilium and probably all other CNIs that are available and supported for RKE2 and that have support for network policies?
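An added example, not code from rancher/security-scan or from the issue author: a POSIX shell check in the spirit of CIS 5.3.1 ("the CNI in use supports Network Policies") that treats any CNI known to implement the NetworkPolicy API as passing, instead of only Canal. The list of capable CNIs (canal, calico, cilium) and the sample pod names are constructed assumptions for this example; on a real cluster the input would come from `kubectl get pods -n kube-system -o name`. It also shows the one case that must still fail: a flannel-only cluster, since flannel by itself does not enforce NetworkPolicy.

```shell
# Added example, not code from rancher/security-scan: a check in the spirit of
# CIS 5.3.1 that accepts any CNI known to implement NetworkPolicy, not only Canal.
# Input is a newline-separated list of kube-system pod names; on a live cluster
# it would come from: kubectl get pods -n kube-system -o name

# CNIs known to implement NetworkPolicy (operator-maintained list; an assumption
# of this example). Flannel on its own is deliberately absent: it does not
# enforce NetworkPolicy, so a flannel-only cluster must still fail the check.
NETPOL_CNIS="canal calico cilium"

# Print the name of the first NetworkPolicy-capable CNI found in the pod list
# and return 0; return 1 if none is present. Matching is by substring so that
# RKE2 names such as rke2-canal-xxxxx are recognised as well.
detect_netpol_cni() {
  pods="$1"
  for cni in $NETPOL_CNIS; do
    if printf '%s\n' "$pods" | grep -q "^pod/.*$cni"; then
      echo "$cni"
      return 0
    fi
  done
  return 1
}

# Produce a PASS/FAIL line in the style of a scan report; exit status mirrors it.
cis_5_3_1() {
  if cni=$(detect_netpol_cni "$1"); then
    echo "PASS: CNI '$cni' supports network policies"
    return 0
  fi
  echo "FAIL: no NetworkPolicy-capable CNI found in kube-system"
  return 1
}

# Constructed sample pod listings (not captured from a real cluster).
SAMPLE_CILIUM="pod/cilium-4k2xw
pod/cilium-operator-7d9c8b6f5-xq2lp
pod/rke2-coredns-rke2-coredns-5f9b8c7d6-abcde"

SAMPLE_CANAL="pod/rke2-canal-m8z7q
pod/rke2-coredns-rke2-coredns-5f9b8c7d6-abcde"

SAMPLE_FLANNEL_ONLY="pod/kube-flannel-ds-9p2kd
pod/rke2-coredns-rke2-coredns-5f9b8c7d6-abcde"

# Stand-alone run: cilium and canal pass, flannel-only fails.
cis_5_3_1 "$SAMPLE_CILIUM"
cis_5_3_1 "$SAMPLE_CANAL"
cis_5_3_1 "$SAMPLE_FLANNEL_ONLY" || true
```

The point of the substring list is that the benchmark question is "does the CNI support NetworkPolicy", not "is the CNI Canal"; keeping the capable-CNI list in one place means adding another supported CNI is a one-word change rather than a new test.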