
CIS benchmark rke2 hardened fails in 5.3.1 with cilium as CNI #154

Closed
Martin-Weiss opened this issue May 13, 2022 · 8 comments
Comments

@Martin-Weiss

Just updated to rancher 2.6.5 and deployed cis benchmark 2.0.4. Scanned the downstream cluster and got an error for 5.3.1 (cni does not support network policies).

This is a false positive as cilium does support and has enabled network policies.

Seems this is the root cause https://github.com/rancher/security-scan/blob/9116bbe07914478ca79e0756a4798fa41a49a95e/package/cfg/rke2-cis-1.6-hardened/policies.yaml#L200

Could we get this "fixed" in a way that also accepts cilium and probably all other CNIs that are available and supported for RKE2 and that have support for network policies?

@anupama2501

See a similar failure when the CNI is canal, cis operator: 2.0.4

NAME         CLUSTERSCANPROFILE              TOTAL   PASS   FAIL   SKIP   WARN   NOT APPLICABLE   LASTRUNTIMESTAMP       CRONSCHEDULE
scan-mjqrf   rke2-cis-1.5-profile-hardened   122     84     1      0      27     10               2022-05-03T19:48:33Z   
scan-q5d7t   rke2-cis-1.6-profile-hardened   122     90     1      0      25     6                2022-05-03T19:48:12Z   
5.3.1 has failed for 1.5_hardened and 1.6_hardened.
5.3.1 Ensure that the CNI in use supports Network Policies (Not Scored)

@anupama2501

@jtravee release note for 2.6.5:

Hardening guide template for RKE2 currently only supports CNI canal

@jtravee

jtravee commented May 13, 2022

@jtravee release note for 2.6.5:

Hardening guide template for RKE2 currently only supports CNI canal

Added to published notes!

@rayandas
Contributor

rayandas commented Jul 8, 2022

I validated this issue with both Cilium and Canal CNI. With Canal the test is passing but with Cilium it's failing. Anupama mentioned there that "Hardening guide template for RKE2 currently only supports CNI canal".

@macedogm
Member

macedogm commented Jul 11, 2022

IMO the issue is not that the hardening guide template for RKE2 currently only supports CNI canal, but actually that our provided CIS profile is only checking for Canal, see https://github.com/rancher/security-scan/blob/master/package/cfg/rke2-cis-1.6-hardened/policies.yaml#L195-L200 . So even if Cilium supports network policy, the CIS check will not check for it. That's why the hardening guide only mentions Canal for the moment. When the CIS check is fixed/improved, we can then update the hardening guide.
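
The point macedogm makes above, that the profile tests for Canal rather than for network-policy support, can be illustrated with a small audit helper. The code below is an added example, not rancher/security-scan's own check or its policies.yaml; the capability table, the DaemonSet names and the substring matching are my assumptions, and it treats RKE2's comma-separated `cni` value (for instance `multus,cilium` from the verification matrix later in this thread) as input.

```python
from typing import Dict, List, Optional, Tuple

# Assumed capability table (not taken from rancher/security-scan); extend as needed.
# None marks Multus, a meta-plugin that only delegates to another CNI.
NETWORK_POLICY_SUPPORT: Dict[str, Optional[bool]] = {
    "canal": True,
    "calico": True,
    "cilium": True,
    "flannel": False,
    "multus": None,
}


def parse_cni_list(value: str) -> List[str]:
    """RKE2's `cni` option is a comma-separated list such as 'multus,cilium'."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def detect_cnis_from_daemonsets(names: List[str]) -> List[str]:
    """Infer CNIs from kube-system DaemonSet names by substring (hypothetical
    names such as 'rke2-canal' or 'cilium'; adjust to your distribution)."""
    found: List[str] = []
    for name in names:
        for cni in NETWORK_POLICY_SUPPORT:
            if cni in name.lower() and cni not in found:
                found.append(cni)
    return found


def check_5_3_1(cnis: List[str]) -> Tuple[str, str]:
    """Decide CIS 5.3.1 for the given CNIs: PASS if any recognised CNI
    supports NetworkPolicy, WARN if an unrecognised CNI must be reviewed
    by hand (5.3.1 is Not Scored), FAIL otherwise (e.g. flannel or Multus alone)."""
    capable = [c for c in cnis if NETWORK_POLICY_SUPPORT.get(c)]
    unknown = [c for c in cnis if c not in NETWORK_POLICY_SUPPORT]
    if capable:
        return "PASS", "NetworkPolicy supported by " + ", ".join(capable)
    if unknown:
        return "WARN", "unrecognised CNI(s): " + ", ".join(unknown)
    return "FAIL", "no NetworkPolicy-capable CNI found among " + (", ".join(cnis) or "none")


if __name__ == "__main__":
    # Constructed inputs mirroring the issue's verification matrix.
    for value in ["canal", "cilium", "multus,calico", "multus", "flannel", "weave"]:
        print(value, check_5_3_1(parse_cni_list(value)))
    print(check_5_3_1(detect_cnis_from_daemonsets(["rke2-canal", "kube-proxy"])))
```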

@mitulshah-suse
Contributor

Have updated the security scan to pass for all CNIs which support network policies.

@rishabhmsra

Validated on rancher v2.7-head (35388ea)
Downstream cluster: RKE2 hardened cluster (1-cp, 1-etcd, 1-w) -> v1.24.4+rke2r1

Steps followed:

  • Provisioned RKE2 hardened clusters using the CNIs below:
    • canal
    • cilium
    • calico
    • multus,canal
    • multus,cilium
    • multus,calico
  • Installed CIS benchmark chart 3.0.0-rc2 with the following image versions on all the downstream clusters.
image:
  cisoperator:
    repository: rancher/cis-operator
    tag: v1.0.10-rc1
  securityScan:
    repository: rancher/security-scan
    tag: v0.2.9-rc1
  sonobuoy:
    repository: rancher/mirrored-sonobuoy-sonobuoy
    tag: v0.56.7
  • Ran the scan using rke2-cis-1.23-profile-hardened profile.

Result:

  • 5.3.1 passed on all the clusters.


@mitulshah-suse
Contributor

mitulshah-suse commented Oct 5, 2022

/backport v2.6.10
