feat: add cis benchmark for gke v1.8.0 (#1958)

* add cis benchmark for gke v1.8.0

* fix linter error

* fix checks for managed services

Author: LaibaBareera

cfg/config.yaml

@@ -295,6 +295,7 @@ version_mapping:
   "gke-1.0": "gke-1.0"
   "gke-1.2.0": "gke-1.2.0"
   "gke-1.6.0": "gke-1.6.0"
+  "gke-1.8.0": "gke-1.8.0"
   "ocp-3.10": "rh-0.7"
   "ocp-3.11": "rh-0.7"
   "ocp-4.0": "rh-1.0"
@@ -408,6 +409,12 @@ target_mapping:
     - "controlplane"
     - "policies"
     - "managedservices"
+  "gke-1.8.0":
+    - "master"
+    - "node"
+    - "controlplane"
+    - "policies"
+    - "managedservices"
   "eks-1.0.1":
     - "master"
     - "node"

cfg/gke-1.8.0/config.yaml

@@ -0,0 +1,9 @@
+---
+## Version-specific settings that override the values in cfg/config.yaml
+
+node:
+  proxy:
+    defaultkubeconfig: "/var/lib/kubelet/kubeconfig"
+
+  kubelet:
+    defaultconf: "/etc/kubernetes/kubelet-config.yaml"

cfg/gke-1.8.0/controlplane.yaml

@@ -0,0 +1,6 @@
+---
+controls:
+version: "gke-1.8.0"
+id: 2
+text: "Control Plane Configuration"
+type: "controlplane"

cfg/gke-1.8.0/managedservices.yaml

@@ -0,0 +1,6 @@
+---
+controls:
+version: "gke-1.8.0"
+id: 1
+text: "Control Plane Components"
+type: "master"

cfg/gke-1.8.0/master.yaml

@@ -0,0 +1,65 @@
+---
+controls:
+version: "gke-1.8.0"
+id: 3
+text: "Worker Nodes"
+type: "node"
+groups:
+  - id: 3.1
+    text: "Worker Node Configuration Files"
+    checks:
+      - id: 3.1.1
+        text: "Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Automated)"
+        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
+        tests:
+          test_items:
+            - flag: "permissions"
+              compare:
+                op: bitmask
+                value: "644"
+        remediation: |
+          Run the below command (based on the file location on your system) on each worker node.
+          For example,
+
+            chmod 644 $proxykubeconfig
+        scored: true
+
+      - id: 3.1.2
+        text: "Ensure that the kubelet kubeconfig file ownership is set to root:root (Automated)"
+        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
+        tests:
+          test_items:
+            - flag: root:root
+        remediation: |
+          Run the below command (based on the file location on your system) on each worker node.
+          For example:
+
+            chown root:root $proxykubeconfig
+        scored: true
+
+      - id: 3.1.3
+        text: "Ensure that the kubelet configuration file has permissions set to 644 (Automated)"
+        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
+        tests:
+          test_items:
+            - flag: "permissions"
+              compare:
+                op: bitmask
+                value: "644"
+        remediation: |
+          Run the following command (using the kubelet config file location)
+
+            chmod 644 $kubeletconf
+        scored: true
+
+      - id: 3.1.4
+        text: "Ensure that the kubelet configuration file ownership is set to root:root (Automated)"
+        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
+        tests:
+          test_items:
+            - flag: root:root
+        remediation: |
+          Run the following command (using the config file location identied in the Audit step)
+
+            chown root:root $kubeletconf
+        scored: true