
kube-bench v0.6.15 - Using CIS 1.7 - test 1.2.3 - Suggested better test

Open. tlb1galaxy opened this issue 1 year ago • 1 comment

Overview

Currently, within CIS 1.7 for test 1.2.3, the test is manual using ps -ef | grep kube-apiserver, followed by a manual search for --disabled-admission-plugins=DenyServiceExternalIPs.

Could the test be refined to give a better result with: ps -ef | grep kube-apiserver | grep DenyServiceExternalIPs;echo $?

How did you run kube-bench?

  1. Copy kube-bench/v0.6.15/job_master.yaml to local system
  2. Run kubectl apply -f job_master.yaml

Environment

kube-bench: v0.6.15

Kubernetes: kubeadm install kubernetes v1.26.5

tlb1galaxy, Jun 08 '23 16:06

From my perspective there are several issues with this test as it is in the current code base:

  1. It's a manual test, but not of type manual, so in our automation it pops up as WARN regardless of the state of the cluster;
  2. Reading the description of DenyServiceExternalIPs I still feel very unsure of whether DenyServiceExternalIPs should be turned on or off, especially combined with the kube-bench remediation text: "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and remove the DenyServiceExternalIPs from enabled admission plugins."

Environment

kube-bench: v0.7.0

Kubernetes: v1.29.0

Talos install: v1.6.0

loekalive, Jan 17 '24 12:01
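The grep proposed in the issue, and the enabled/disabled ambiguity raised in the comment, both come down to where DenyServiceExternalIPs appears on the kube-apiserver command line. Below is an added example (not kube-bench's own check code) that classifies a ps -ef line as "enabled", "disabled" or "absent" instead of only testing for the string's presence; it assumes the flag=value form that kubeadm writes into the static pod manifest, and the sample lines are constructed.

```shell
#!/usr/bin/env sh
# Added example, not from the kube-bench project. A bare
# "grep DenyServiceExternalIPs" matches both --enable-admission-plugins
# and --disable-admission-plugins, so it cannot tell the two states apart.
# This classifier looks at the specific flag the plugin name sits in.

# Usage: admission_state "<full kube-apiserver command line>"
# Prints exactly one of: enabled, disabled, absent.
admission_state() {
    cmdline=$1
    plugin=DenyServiceExternalIPs
    # Split the line on spaces and pull the value of each relevant flag.
    # Assumes "--flag=value" form (kubeadm's manifest style), not "--flag value".
    enabled=$(printf '%s\n' "$cmdline" | tr ' ' '\n' \
        | sed -n 's/^--enable-admission-plugins=//p')
    disabled=$(printf '%s\n' "$cmdline" | tr ' ' '\n' \
        | sed -n 's/^--disable-admission-plugins=//p')
    # Wrap the comma-separated list in commas so a whole-item match is exact
    # (avoids matching a longer plugin name that merely contains the string).
    case ",$enabled," in *",$plugin,"*) echo enabled; return 0;; esac
    case ",$disabled," in *",$plugin,"*) echo disabled; return 0;; esac
    echo absent
}

# Read the live process table, the same source the CIS audit uses.
# The bracket trick keeps the grep process itself out of the result.
live_state() {
    line=$(ps -ef | grep '[k]ube-apiserver' | head -n 1)
    [ -n "$line" ] || { echo "kube-apiserver not found"; return 2; }
    admission_state "$line"
}

# Constructed sample lines standing in for ps -ef output on a control plane node.
SAMPLE_ENABLED='root 1234 1 0 10:00 ? 00:01:00 kube-apiserver --advertise-address=10.0.0.1 --enable-admission-plugins=NodeRestriction,DenyServiceExternalIPs --secure-port=6443'
SAMPLE_DISABLED='root 1234 1 0 10:00 ? 00:01:00 kube-apiserver --enable-admission-plugins=NodeRestriction --disable-admission-plugins=DenyServiceExternalIPs'
SAMPLE_ABSENT='root 1234 1 0 10:00 ? 00:01:00 kube-apiserver --enable-admission-plugins=NodeRestriction'
```

The function only reports the state; mapping "enabled" or "absent" to PASS or FAIL is left to whichever reading of the benchmark text the operator settles on.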