Update cis-benchmark action to support cis-1.10

charmcraft.yaml

@@ -358,7 +358,7 @@ actions:
           archive integrity when downloaded.
       release:
         type: string
-        default: https://github.com/aquasecurity/kube-bench/releases/download/v0.6.8/kube-bench_0.6.8_linux_amd64.tar.gz#sha256=5f9c5231949bd022a6993f5297cc05bb80a1b7c36a43cefed0a8c8af26778863
+        default: https://github.com/aquasecurity/kube-bench/releases/download/v0.11.2/kube-bench_0.11.2_linux_amd64.tar.gz#sha256=26ecc7074560c761bd9fbc0f9dd4bb6b951b092c32654d96864607482e79ae42
         description: |-
           Archive containing the 'kube-bench' binary to run. The default value
           points to a stable upstream release. When using a custom URL, append

requirements.txt

@@ -3,7 +3,6 @@ charm-lib-interface-external-cloud-provider @ git+https://github.com/charmed-kub
 charm-lib-interface-kube-dns @ git+https://github.com/charmed-kubernetes/charm-lib-interface-kube-dns@main
 charm-lib-interface-kubernetes-cni @ git+https://github.com/charmed-kubernetes/charm-lib-interface-kubernetes-cni@main
 charm-lib-interface-tokens @ git+https://github.com/charmed-kubernetes/charm-lib-interface-tokens@main
-charm-lib-kubernetes-snaps @ git+https://github.com/charmed-kubernetes/charm-lib-kubernetes-snaps@main
 charm-lib-node-base @ git+https://github.com/charmed-kubernetes/layer-kubernetes-node-base@3d7b34bd10aa5ef8dfca4f671a6e4757ec6c153a#subdirectory=ops
 interface_hacluster @ git+https://github.com/charmed-kubernetes/charm-interface-hacluster@main
 ops.interface_tls_certificates @ git+https://github.com/charmed-kubernetes/interface-tls-certificates@main#subdirectory=ops
@@ -12,6 +11,7 @@ ops.interface_gcp @ git+https://github.com/charmed-kubernetes/interface-gcp-inte
 ops.interface_azure @ git+https://github.com/charmed-kubernetes/interface-azure-integration@main#subdirectory=ops
 aiohttp == 3.7.4
 cosl==0.0.47
+charms.kubernetes-snaps == 0.0.0
 charms.reconciler == 0.0.0
 charms.contextual-status == 0.0.0
 jinja2 == 3.1.3

src/actions/cis_benchmark.py

@@ -53,8 +53,9 @@ def run(self, test_num: int, test_remediation: str) -> int:
             cmd = shlex.split(self.command)
             try:
                 out = subprocess.check_output(cmd)
-            except subprocess.CalledProcessError:
-                raise ActionError(f"Test {test_num}: failed to run: {cmd}")
+            except subprocess.CalledProcessError as e:
+                log.error("Test %s: failed to run: %s\nError: %s", test_num, e.cmd, e.output)
+                raise ActionError(f"Test {test_num}: failed to run: {e.cmd}\nError: {e.output}")
             else:
                 log.info("Test %s: applied remedy: %s\nOutput: %s", test_num, cmd, out)
             return 1
@@ -68,15 +69,20 @@ def run(self, test_num: int, test_remediation: str) -> int:
 }
 ADMISSION_PLUGINS = {
     "enable-admission-plugins": (
-        "PersistentVolumeLabel",
-        "PodSecurityPolicy,AlwaysPullImages",
+        "AlwaysPullImages",
+        "DenyServiceExternalIPs",
         "NodeRestriction",
     )
 }
 DANGEROUS = {
     "0.0.0": Remedy("cli", 'echo "this is fine"', None),
     # etcd (no known warnings with a default install)
     # k8s-control-plane
+    "1.1.1": Remedy("cli", "chmod 600 /var/snap/kube-*/current/args", None),
+    "1.1.5": Remedy("cli", "chmod 600 /root/cdk/kube-scheduler-config.yaml", None),
+    "1.1.15": Remedy("cli", "chmod 600 /root/cdk/kubeschedulerconfig", None),
+    "1.1.17": Remedy("cli", "chmod 600 /root/cdk/kubecontrollermanagerconfig", None),
+    "1.1.20": Remedy("cli", "chmod -R 600 /root/cdk/*.crt", None),
     "1.1.21": Remedy("cli", "chmod -R 600 /root/cdk/*.key", None),
     "1.2.9": Remedy("manual", None, None),
     "1.2.11": Remedy("kv", "kube-apiserver", ADMISSION_PLUGINS),
@@ -291,7 +297,7 @@ def report(self, event: ops.ActionEvent, log_format="text"):
 
         # Node type is different depending on the charm
         app = self.charm.meta.name or "unknown"
-        version = "cis-1.23"
+        version = "cis-1.10"
         if "control-plane" in app:
             # must refer to this as upstream kube-bench tests do
             # wokeignore:rule=master
@@ -329,13 +335,11 @@ def report(self, event: ops.ActionEvent, log_format="text"):
         # When making a summary, we also have a verbose report. Set action output
         # so operators can see everything related to this run.
         try:
-            out = subprocess.check_output(
-                summary_cmd, universal_newlines=True, stderr=subprocess.DEVNULL
-            )
+            out = subprocess.check_output(summary_cmd, universal_newlines=True)
         except subprocess.CalledProcessError:
             raise ActionError(f"Failed to run: {summary_cmd}")
         else:
-            fetch_cmd = f"juju scp {self.charm.unit}:{log_file} ."
+            fetch_cmd = f"juju scp {self.charm.unit.name}:{log_file} ."
             event.set_results({"cmd": summary_cmd, "report": fetch_cmd, "summary": out})
 
         return log or None