feat: add CIS GKE 1.9.0 configuration files and controls

.github/workflows/build.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Setup golangci-lint
         uses: golangci/golangci-lint-action@v8
         with:
-          version: v2.5.0
+          version: v2.11.4
           args: --verbose --timeout 2m
   unit:
     name: Unit tests

.github/workflows/publish.yml

@@ -47,10 +47,11 @@ jobs:
           images: ${{ env.REP }}
           tag-semver: |
             {{version}}
-      - name: Extract variables from makefile (kubectl)
+      - name: Extract variables from makefile
         id: extract_vars
         run: |
           echo "KUBECTL_VERSION=$(grep -oP '^KUBECTL_VERSION\s*\?=\s*\K.*' makefile)" >> $GITHUB_ENV
+          echo "K8S_PKGS_VERSION=$(grep -oP '^K8S_PKGS_VERSION\s*\?=\s*\K.*' makefile)" >> $GITHUB_ENV
       - name: Build and push - Docker/ECR
         id: docker_build
         uses: docker/build-push-action@v7
@@ -81,7 +82,7 @@ jobs:
           file: Dockerfile.ubi
           build-args: |
             KUBEBENCH_VERSION=${{ steps.get_version.outputs.version }}
-            KUBECTL_VERSION=${{ env.KUBECTL_VERSION }}
+            K8S_PKGS_VERSION=${{ env.K8S_PKGS_VERSION }}
           tags: |
             ${{ env.DOCKERHUB_ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi
             public.ecr.aws/${{ env.ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi
@@ -101,7 +102,7 @@ jobs:
           file: Dockerfile.fips.ubi
           build-args: |
             KUBEBENCH_VERSION=${{ steps.get_version.outputs.version }}
-            KUBECTL_VERSION=${{ env.KUBECTL_VERSION }}
+            K8S_PKGS_VERSION=${{ env.K8S_PKGS_VERSION }}
           tags: |
             ${{ env.DOCKERHUB_ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi-fips
             public.ecr.aws/${{ env.ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi-fips

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.26.1 AS build
+FROM golang:1.26.2 AS build
 WORKDIR /go/src/github.com/aquasecurity/kube-bench/
 COPY makefile makefile
 COPY go.mod go.sum ./
@@ -9,16 +9,6 @@ COPY internal/ internal/
 ARG KUBEBENCH_VERSION
 RUN make build && cp kube-bench /go/bin/kube-bench
 
-# Add kubectl to run policies checks
-ARG KUBECTL_VERSION TARGETARCH
-RUN wget -O /usr/local/bin/kubectl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl"
-RUN wget -O kubectl.sha256 "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256"
-
-# Verify kubectl sha256sum
-RUN /bin/bash -c 'echo "$(<kubectl.sha256)  /usr/local/bin/kubectl" | sha256sum -c -'
-
-RUN chmod +x /usr/local/bin/kubectl
-
 FROM alpine:3.23.3 AS run
 WORKDIR /opt/kube-bench/
 # add GNU ps for -C, -o cmd, --no-headers support and add findutils to get GNU xargs
@@ -41,12 +31,11 @@ RUN apk add gcompat
 RUN apk add jq
 
 # Add bash for running helper scripts
-RUN apk add bash
+RUN apk add --no-cache bash kubectl
 
 ENV PATH=$PATH:/usr/local/mount-from-host/bin:/go/bin
 
 COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
-COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
 COPY entrypoint.sh .
 COPY cfg/ cfg/
 COPY helper_scripts/check_files_owner_in_dir.sh /go/bin/

Dockerfile.fips.ubi

@@ -1,4 +1,4 @@
-FROM golang:1.26.1 AS build
+FROM golang:1.26.2 AS build
 WORKDIR /go/src/github.com/aquasecurity/kube-bench/
 COPY makefile makefile
 COPY go.mod go.sum ./
@@ -9,17 +9,9 @@ COPY internal/ internal/
 ARG KUBEBENCH_VERSION
 RUN make build-fips && cp kube-bench /go/bin/kube-bench
 
-# Add kubectl to run policies checks
-ARG KUBECTL_VERSION TARGETARCH
-RUN wget -O /usr/local/bin/kubectl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl"
-RUN wget -O kubectl.sha256 "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256"
-# Verify kubectl sha256sum
-RUN /bin/bash -c 'echo "$(<kubectl.sha256)  /usr/local/bin/kubectl" | sha256sum -c -'
-RUN chmod +x /usr/local/bin/kubectl
+FROM registry.access.redhat.com/ubi9/ubi-minimal AS run
 
-
-# ubi8-minimal base image for build with ubi standards
-FROM registry.access.redhat.com/ubi9/ubi-minimal as run
+ARG K8S_PKGS_VERSION=1.34
 
 RUN microdnf install -y yum findutils openssl \
   && yum -y update-minimal --security --sec-severity=Moderate --sec-severity=Important --sec-severity=Critical \
@@ -29,17 +21,23 @@ RUN microdnf install -y yum findutils openssl \
   && yum install -y procps \
   && yum update -y procps \
   && yum install jq -y \
+  && printf '%s\n' '[kubernetes]' 'name=Kubernetes' \
+       "baseurl=https://pkgs.k8s.io/core:/stable:/v${K8S_PKGS_VERSION}/rpm/" \
+       'enabled=1' 'gpgcheck=1' \
+       "gpgkey=https://pkgs.k8s.io/core:/stable:/v${K8S_PKGS_VERSION}/rpm/repodata/repomd.xml.key" \
+       > /etc/yum.repos.d/kubernetes.repo \
+  && yum install -y kubectl \
   && yum clean all \
   && microdnf remove yum || rpm -e -v yum \
-  && microdnf clean all
+  && microdnf clean all \
+  && /usr/bin/kubectl version --client
 
 WORKDIR /opt/kube-bench/
 
-ENV PATH=$PATH:/usr/local/mount-from-host/bin 
+ENV PATH=$PATH:/usr/local/mount-from-host/bin
 
 COPY LICENSE /licenses/LICENSE
 COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
-COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
 COPY entrypoint.sh .
 COPY cfg/ cfg/
 COPY helper_scripts/check_files_owner_in_dir.sh /go/bin

Dockerfile.ubi

@@ -1,4 +1,4 @@
-FROM golang:1.26.1 AS build
+FROM golang:1.26.2 AS build
 WORKDIR /go/src/github.com/aquasecurity/kube-bench/
 COPY makefile makefile
 COPY go.mod go.sum ./
@@ -9,17 +9,9 @@ COPY internal/ internal/
 ARG KUBEBENCH_VERSION
 RUN make build && cp kube-bench /go/bin/kube-bench
 
-# Add kubectl to run policies checks
-ARG KUBECTL_VERSION TARGETARCH
-RUN wget -O /usr/local/bin/kubectl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl"
-RUN wget -O kubectl.sha256 "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256"
-# Verify kubectl sha256sum
-RUN /bin/bash -c 'echo "$(<kubectl.sha256)  /usr/local/bin/kubectl" | sha256sum -c -'
-RUN chmod +x /usr/local/bin/kubectl
+FROM registry.access.redhat.com/ubi9/ubi-minimal AS run
 
-
-# ubi8-minimal base image for build with ubi standards
-FROM registry.access.redhat.com/ubi9/ubi-minimal as run
+ARG K8S_PKGS_VERSION=1.34
 
 RUN microdnf install -y yum findutils openssl \
   && yum -y update-minimal --security --sec-severity=Moderate --sec-severity=Important --sec-severity=Critical \
@@ -29,17 +21,23 @@ RUN microdnf install -y yum findutils openssl \
   && yum install -y procps \
   && yum update -y procps \
   && yum install jq -y \
+  && printf '%s\n' '[kubernetes]' 'name=Kubernetes' \
+       "baseurl=https://pkgs.k8s.io/core:/stable:/v${K8S_PKGS_VERSION}/rpm/" \
+       'enabled=1' 'gpgcheck=1' \
+       "gpgkey=https://pkgs.k8s.io/core:/stable:/v${K8S_PKGS_VERSION}/rpm/repodata/repomd.xml.key" \
+       > /etc/yum.repos.d/kubernetes.repo \
+  && yum install -y kubectl \
   && yum clean all \
   && microdnf remove yum || rpm -e -v yum \
-  && microdnf clean all
+  && microdnf clean all \
+  && /usr/bin/kubectl version --client
 
 WORKDIR /opt/kube-bench/
 
 ENV PATH=$PATH:/usr/local/mount-from-host/bin
 
 COPY LICENSE /licenses/LICENSE
 COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
-COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
 COPY entrypoint.sh .
 COPY cfg/ cfg/
 COPY helper_scripts/check_files_owner_in_dir.sh /go/bin

cfg/config.yaml

@@ -308,6 +308,7 @@ version_mapping:
   "gke-1.2.0": "gke-1.2.0"
   "gke-1.6.0": "gke-1.6.0"
   "gke-1.8.0": "gke-1.8.0"
+  "gke-1.9.0": "gke-1.9.0"
   "ocp-3.10": "rh-0.7"
   "ocp-3.11": "rh-0.7"
   "ocp-4.0": "rh-1.0"
@@ -435,6 +436,12 @@ target_mapping:
     - "controlplane"
     - "policies"
     - "managedservices"
+  "gke-1.9.0":
+    - "master"
+    - "node"
+    - "controlplane"
+    - "policies"
+    - "managedservices"
   "eks-1.0.1":
     - "master"
     - "node"

cfg/gke-1.9.0/config.yaml

@@ -0,0 +1,9 @@
+---
+## Version-specific settings that override the values in cfg/config.yaml
+
+node:
+  proxy:
+    defaultkubeconfig: "/var/lib/kubelet/kubeconfig"
+
+  kubelet:
+    defaultconf: "/etc/kubernetes/kubelet-config.yaml"

cfg/gke-1.9.0/controlplane.yaml

@@ -0,0 +1,6 @@
+---
+controls:
+version: "gke-1.9.0"
+id: 2
+text: "Control Plane Configuration"
+type: "controlplane"