Feature: Update to 1.4.1 (#24)

jaredledvina · chris-rock · commit 66dabc15fe09 · 2019-10-07T12:17:00.000+02:00
* README - State 1.4.1

Signed-off-by: Jared Ledvina &lt;jared@techsmix.net&gt;

* 1.4.1 - 2.1.11 is now deprecated

Signed-off-by: Jared Ledvina &lt;jared@techsmix.net&gt;

* 1.4.1 - 1.1.12 is now deprecated

Signed-off-by: Jared Ledvina &lt;jared@techsmix.net&gt;
diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
 # CIS Kubernetes Benchmark - InSpec Profile
 
 ## Description
-This profile implements the [CIS Kubernetes 1.4.0 Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).
+This profile implements the [CIS Kubernetes 1.4.1 Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).
 
 ## Attributes
 
diff --git a/controls/1_1_master_node_api_server.rb b/controls/1_1_master_node_api_server.rb
@@ -180,9 +180,9 @@
 end
 
 control 'cis-kubernetes-benchmark-1.1.12' do
-  title 'Ensure that the admission control plugin DenyEscalatingExec is set'
-  desc "Deny execution of `exec` and `attach` commands in privileged pods.\n\nRationale: Setting admission control policy to `DenyEscalatingExec` denies `exec` and `attach` commands to pods that run with escalated privileges that allow host access. This includes pods that run as privileged, have access to the host IPC namespace, and have access to the host PID namespace."
-  impact 1.0
+  title '[Deprecated] Ensure that the admission control plugin DenyEscalatingExec is set'
+  desc "[Deprecated] Deny execution of `exec` and `attach` commands in privileged pods.\n\nRationale: Setting admission control policy to `DenyEscalatingExec` denies `exec` and `attach` commands to pods that run with escalated privileges that allow host access. This includes pods that run as privileged, have access to the host IPC namespace, and have access to the host PID namespace."
+  impact 0.0
 
   tag cis: 'kubernetes:1.1.12'
   tag level: 1
diff --git a/controls/2_1_worker_node_kubelet.rb b/controls/2_1_worker_node_kubelet.rb
@@ -158,9 +158,9 @@
 end
 
 control 'cis-kubernetes-benchmark-2.1.11' do
-  title 'Ensure that the --cadvisor-port argument is set to 0'
-  desc "Disable cAdvisor.\n\nRationale: cAdvisor provides potentially sensitive data and there's currently no way to block access to it using anything other than iptables. It does not require authentication/authorization to connect to the cAdvisor port. Hence, you should disable the port.\n**Note** The cAdvisor port setting was deprecated in Kubernetes v1.10 and will be removed in v1.12."
-  impact 1.0
+  title '[Deprecated] Ensure that the --cadvisor-port argument is set to 0'
+  desc "[Deprecated] Disable cAdvisor.\n\nRationale: cAdvisor provides potentially sensitive data and there's currently no way to block access to it using anything other than iptables. It does not require authentication/authorization to connect to the cAdvisor port. Hence, you should disable the port.\n**Note** The cAdvisor port setting was deprecated in Kubernetes v1.10 and will be removed in v1.12."
+  impact 0.0
 
   tag cis: 'kubernetes:2.1.11'
   tag level: 1
