Wrong scan results in aws eks after upgrading from k8s 1.26 to 1.27

[fendrifirasleminnov]

After doing an upgrade we are starting to see the following errors in cis scan report :

• "description":"Ensure that the --protect-kernel-defaults argument is set to true (Automated)","remediation":"If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
• "description":"Ensure that the Anonymous Auth is Not Enabled (Automated)","remediation":"If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to false.
• "description":"Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)","remediation":"If using a Kubelet config file, edit the file to set authorization: mode to Webhook.

After verifiying our cluster config this is the output :

cat /etc/kubernetes/kubelet/kubelet-config.json

{
  "kind": "KubeletConfiguration",
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "address": "0.0.0.0",
  "authentication": {
    "anonymous": {
      "enabled": false
    },
    "webhook": {
      "cacheTTL": "2m0s",
      "enabled": true
    },
    "x509": {
      "clientCAFile": "/etc/kubernetes/pki/ca.crt"
    }
  },
  "authorization": {
    "mode": "Webhook",
    "webhook": {
      "cacheAuthorizedTTL": "5m0s",
      "cacheUnauthorizedTTL": "30s"
    }
  },
  "clusterDomain": "cluster.local",
  "hairpinMode": "hairpin-veth",
  "readOnlyPort": 0,
  "cgroupDriver": "systemd",
  "cgroupRoot": "/",
  "featureGates": {
    "RotateKubeletServerCertificate": true,
    "KubeletCredentialProviders": true
  },
  "protectKernelDefaults": true,
  "serializeImagePulls": false,
  "serverTLSBootstrap": true,
  "tlsCipherSuites": [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256"
  ],
  "clusterDNS": [
    "172.20.0.10"
  ],
  "evictionHard": {
    "memory.available": "100Mi",
    "nodefs.available": "10%",
    "nodefs.inodesFree": "5%"
  },
  "kubeReserved": {
    "cpu": "90m",
    "ephemeral-storage": "1Gi",
    "memory": "893Mi"
  },
  "providerID": "aws:///eu-central-1c/i-0b97a1bacfe797151",
  "systemReservedCgroup": "/system",
  "kubeReservedCgroup": "/runtime"
}

All 3 issues in the report are not correct

[andypitcher]

Hey @fendrifirasleminnov, apologies for the late answer.

Would you mind sharing the following info:

• CIS profile used
• Rancher version used
• security-scan version
• cis-operator scan version
• k8s cluster distro you're scanning and its version

Thanks !

[andypitcher]

@fendrifirasleminnov I'm closing this issue since we lack activity, feel free to answer if you are still facing the same problems. Make sure also to provide the information listed in the last comment.