diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index bc751153b25de618b21764c72098495206d44cf4..031fd1ef6a202cd17923e0a1e995c4a04baa4529 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,6 +13,11 @@ on:
       - "*.md"
       - "LICENSE"
       - "NOTICE"
+env:
+  GO_VERSION: "1.16"
+  KIND_VERSION: "v0.11.1"
+  KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
+
 jobs:
   build:
     name: Build
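Review bot: `GO_VERSION: "1.16"` is defined in the new env block but no step in the visible hunks reads `${{ env.GO_VERSION }}`; if the Go toolchain setup step sits outside this diff it should consume the variable, otherwise the value is dead configuration that will drift from the version actually used. The digest-pinned `KIND_IMAGE` is the right shape for a reproducible cluster; keeping the version and digest together in one string, as done here, is preferable to splitting them. The `jobs:` mapping continues outside the hunk.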
@@ -32,8 +37,28 @@ jobs:
         uses: codecov/codecov-action@v1
         with:
           file: ./coverage.txt
+      - name: Setup Kubernetes cluster (KIND)
+        uses: engineerd/setup-kind@v0.5.0
+        with:
+          version: ${{ env.KIND_VERSION }}
+          image: ${{ env.KIND_IMAGE }}
+          name: kube-bench
+      - name: Test connection to Kubernetes cluster
+        run: |
+          kubectl cluster-info
+          kubectl describe node
+      - name: Apply jobs
+        run: kubectl apply -f job.yaml
       - name: Run integration tests
-        run: make integration-tests
+        run: |
+          kubectl wait --for=condition=complete job.batch/kube-bench --timeout=60s
+          kubectl logs job/kube-bench > ./test.data
+      - name: Compare output with expected output
+        uses: GuillaumeFalourd/diff-action@v1
+        with:
+          first_file_path: ./test.data
+          second_file_path: integration/testdata/Expected_output.data
+          expected_result: PASSED
       - name: Dry-run release snapshot
         uses: goreleaser/goreleaser-action@v2
         with:
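Review bot: The new `kubectl apply -f job.yaml` step runs whatever image `job.yaml` references, so unless that manifest is rewritten elsewhere in this change to point at an image built from the current commit, the integration test now exercises a published image rather than the code under review (the deleted `loadImageFromDocker` previously loaded the local build into KIND). `kubectl wait --for=condition=complete` only returns early on success: a job whose pod fails sits until the 60s timeout and the workflow stops before `kubectl logs` runs, leaving nothing to diagnose, so a diagnostic step guarded by `if: failure()` should follow. `engineerd/setup-kind@v0.5.0` and `GuillaumeFalourd/diff-action@v1` are pinned to mutable tags; for a workflow that applies manifests to a cluster and decides pass/fail, pin both to a full commit SHA with the tag in a trailing comment.
```yaml
      # … unchanged: cluster setup, apply, wait and logs steps …
      - name: Dump job state on failure
        if: failure()
        run: |
          kubectl describe job/kube-bench
          kubectl get pods -l job-name=kube-bench -o wide
          kubectl logs -l job-name=kube-bench --all-containers --tail=-1 || true
      # … unchanged: compare output and release snapshot steps …
```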
diff --git a/.github/workflows/mkdocs-deploy.yaml b/.github/workflows/mkdocs-deploy.yaml
index 312904af1141219067d5c05f00999659f3795ba5..278b6a7ccea121dd8c6d49d648e8e4a3fe282998 100644
--- a/.github/workflows/mkdocs-deploy.yaml
+++ b/.github/workflows/mkdocs-deploy.yaml
@@ -1,3 +1,4 @@
+---
 # This is a manually triggered workflow to build and publish the MkDocs from the
 # main branch to GitHub pages at https://aquasecurity.github.io/kube-bench.
 name: Deploy documentation
diff --git a/integration/docker.go b/integration/docker.go
deleted file mode 100644
index 7cf2f39cf975e6e244f968d283dcac719e2bd6cd..0000000000000000000000000000000000000000
--- a/integration/docker.go
+++ /dev/null
@@ -1,61 +0,0 @@
-package integration
-
-import (
-	"os"
-	"path/filepath"
-
-	"github.com/pkg/errors"
-
-	"sigs.k8s.io/kind/pkg/cluster"
-	clusternodes "sigs.k8s.io/kind/pkg/cluster/nodes"
-	"sigs.k8s.io/kind/pkg/container/docker"
-	"sigs.k8s.io/kind/pkg/fs"
-	"sigs.k8s.io/kind/pkg/util/concurrent"
-)
-
-func loadImageFromDocker(imageName string, kindCtx *cluster.Context) error {
-
-	// Check that the image exists locally and gets its ID, if not return error
-	_, err := docker.ImageID(imageName)
-	if err != nil {
-		return errors.Errorf("Image: %q not present locally", imageName)
-	}
-
-	selectedNodes, err := kindCtx.ListInternalNodes()
-	if err != nil {
-		return err
-	}
-
-	// Save the image into a tar
-	dir, err := fs.TempDir("", "image-tar")
-	if err != nil {
-		return errors.Wrap(err, "failed to create tempdir")
-	}
-	defer os.RemoveAll(dir)
-	imageTarPath := filepath.Join(dir, "image.tar")
-
-	err = docker.Save(imageName, imageTarPath)
-	if err != nil {
-		return err
-	}
-
-	// Load the image on the selected nodes
-	fns := []func() error{}
-	for _, selectedNode := range selectedNodes {
-		selectedNode := selectedNode // capture loop variable
-		fns = append(fns, func() error {
-			return loadImage(imageTarPath, &selectedNode)
-		})
-	}
-	return concurrent.UntilError(fns)
-}
-
-// loads an image tarball onto a node
-func loadImage(imageTarName string, node *clusternodes.Node) error {
-	f, err := os.Open(imageTarName)
-	if err != nil {
-		return errors.Wrap(err, "failed to open image")
-	}
-	defer f.Close()
-	return node.LoadImageArchive(f)
-}
diff --git a/integration/integration.go b/integration/integration.go
deleted file mode 100644
index 3dcee7a16ab128c9729c8902c494b98526374c19..0000000000000000000000000000000000000000
--- a/integration/integration.go
+++ /dev/null
@@ -1,142 +0,0 @@
-package integration
-
-import (
-	"bytes"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"strings"
-	"time"
-
-	batchv1 "k8s.io/api/batch/v1"
-	apiv1 "k8s.io/api/core/v1"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	yaml "k8s.io/apimachinery/pkg/util/yaml"
-	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/tools/clientcmd"
-	"sigs.k8s.io/kind/pkg/cluster"
-	"sigs.k8s.io/kind/pkg/cluster/create"
-)
-
-func runWithKind(ctx *cluster.Context, clientset *kubernetes.Clientset, jobName, kubebenchYAML, kubebenchImg string, timeout time.Duration) (string, error) {
-	err := deployJob(clientset, kubebenchYAML, kubebenchImg)
-	if err != nil {
-		return "", err
-	}
-
-	p, err := findPodForJob(clientset, jobName, timeout)
-	if err != nil {
-		return "", err
-	}
-
-	output := getPodLogs(clientset, p)
-
-	err = clientset.BatchV1().Jobs(apiv1.NamespaceDefault).Delete(jobName, nil)
-	if err != nil {
-		return "", err
-	}
-
-	return output, nil
-}
-
-func setupCluster(clusterName, kindCfg string, duration time.Duration) (*cluster.Context, error) {
-	options := create.WithConfigFile(kindCfg)
-	toptions := create.WaitForReady(duration)
-	ctx := cluster.NewContext(clusterName)
-	if err := ctx.Create(options, toptions); err != nil {
-		return nil, err
-	}
-
-	return ctx, nil
-}
-
-func getClientSet(configPath string) (*kubernetes.Clientset, error) {
-	config, err := clientcmd.BuildConfigFromFlags("", configPath)
-	if err != nil {
-		return nil, err
-	}
-	clientset, err := kubernetes.NewForConfig(config)
-	if err != nil {
-		return nil, err
-	}
-
-	return clientset, nil
-}
-
-func deployJob(clientset *kubernetes.Clientset, kubebenchYAML, kubebenchImg string) error {
-	jobYAML, err := ioutil.ReadFile(kubebenchYAML)
-	if err != nil {
-		return err
-	}
-
-	decoder := yaml.NewYAMLOrJSONDecoder(bytes.NewReader(jobYAML), len(jobYAML))
-	job := &batchv1.Job{}
-	if err := decoder.Decode(job); err != nil {
-		return err
-	}
-	job.Spec.Template.Spec.Containers[0].Image = kubebenchImg
-
-	_, err = clientset.BatchV1().Jobs(apiv1.NamespaceDefault).Create(job)
-
-	return err
-}
-
-func findPodForJob(clientset *kubernetes.Clientset, jobName string, duration time.Duration) (*apiv1.Pod, error) {
-	failedPods := make(map[string]struct{})
-	selector := fmt.Sprintf("job-name=%s", jobName)
-	timeout := time.After(duration)
-	for {
-		time.Sleep(3 * time.Second)
-	podfailed:
-		select {
-		case <-timeout:
-			return nil, fmt.Errorf("podList - timed out: no Pod found for Job %s", jobName)
-		default:
-			pods, err := clientset.CoreV1().Pods(apiv1.NamespaceDefault).List(metav1.ListOptions{
-				LabelSelector: selector,
-			})
-			if err != nil {
-				return nil, err
-			}
-			fmt.Printf("Found (%d) pods\n", len(pods.Items))
-			for _, cp := range pods.Items {
-				if _, found := failedPods[cp.Name]; found {
-					continue
-				}
-
-				if strings.HasPrefix(cp.Name, jobName) {
-					fmt.Printf("pod (%s) - %#v\n", cp.Name, cp.Status.Phase)
-					if cp.Status.Phase == apiv1.PodSucceeded {
-						return &cp, nil
-					}
-
-					if cp.Status.Phase == apiv1.PodFailed {
-						fmt.Printf("pod (%s) - %s - retrying...\n", cp.Name, cp.Status.Phase)
-						fmt.Print(getPodLogs(clientset, &cp))
-						failedPods[cp.Name] = struct{}{}
-						break podfailed
-					}
-				}
-			}
-		}
-	}
-}
-
-func getPodLogs(clientset *kubernetes.Clientset, pod *apiv1.Pod) string {
-	podLogOpts := corev1.PodLogOptions{}
-	req := clientset.CoreV1().Pods(pod.Namespace).GetLogs(pod.Name, &podLogOpts)
-	podLogs, err := req.Stream()
-	if err != nil {
-		return "getPodLogs - error in opening stream"
-	}
-	defer podLogs.Close()
-
-	buf := new(bytes.Buffer)
-	_, err = io.Copy(buf, podLogs)
-	if err != nil {
-		return "getPodLogs - error in copy information from podLogs to buf"
-	}
-
-	return buf.String()
-}
diff --git a/integration/integration_test.go b/integration/integration_test.go
deleted file mode 100644
index a2a2c14f4e08246fb092a97cf7245cf497ca6f2c..0000000000000000000000000000000000000000
--- a/integration/integration_test.go
+++ /dev/null
@@ -1,150 +0,0 @@
-// +build integration
-
-package integration
-
-import (
-	"bufio"
-	"bytes"
-	"flag"
-	"fmt"
-	"io/ioutil"
-	"strings"
-	"testing"
-	"time"
-)
-
-var kubebenchImg = flag.String("kubebenchImg", "aquasec/kube-bench:latest", "kube-bench image used as part of this test")
-var timeout = flag.Duration("timeout", 10*time.Minute, "Test Timeout")
-
-func testCheckCISWithKind(t *testing.T, testdataDir string) {
-	flag.Parse()
-	fmt.Printf("kube-bench Container Image: %s\n", *kubebenchImg)
-
-	cases := []struct {
-		TestName      string
-		KubebenchYAML string
-		ExpectedFile  string
-		ExpectError   bool
-	}{
-		{
-			TestName:      "kube-bench",
-			KubebenchYAML: "../job.yaml",
-			ExpectedFile:  fmt.Sprintf("./testdata/%s/job.data", testdataDir),
-		},
-		{
-			TestName:      "kube-bench-node",
-			KubebenchYAML: "../job-node.yaml",
-			ExpectedFile:  fmt.Sprintf("./testdata/%s/job-node.data", testdataDir),
-		},
-		{
-			TestName:      "kube-bench-master",
-			KubebenchYAML: "../job-master.yaml",
-			ExpectedFile:  fmt.Sprintf("./testdata/%s/job-master.data", testdataDir),
-		},
-	}
-	ctx, err := setupCluster("kube-bench", fmt.Sprintf("./testdata/%s/add-tls-kind.yaml", testdataDir), *timeout)
-	if err != nil {
-		t.Fatalf("failed to setup KIND cluster error: %v", err)
-	}
-	defer func() {
-		ctx.Delete()
-	}()
-
-	if err := loadImageFromDocker(*kubebenchImg, ctx); err != nil {
-		t.Fatalf("failed to load kube-bench image from Docker to KIND error: %v", err)
-	}
-
-	clientset, err := getClientSet(ctx.KubeConfigPath())
-	if err != nil {
-		t.Fatalf("failed to connect to Kubernetes cluster error: %v", err)
-	}
-
-	for _, c := range cases {
-		t.Run(c.TestName, func(t *testing.T) {
-			resultData, err := runWithKind(ctx, clientset, c.TestName, c.KubebenchYAML, *kubebenchImg, *timeout)
-			if err != nil {
-				t.Errorf("unexpected error: %v", err)
-			}
-
-			c, err := ioutil.ReadFile(c.ExpectedFile)
-			if err != nil {
-				t.Error(err)
-			}
-
-			expectedData := strings.TrimSpace(string(c))
-			resultData = strings.TrimSpace(resultData)
-			if expectedData != resultData {
-				t.Errorf("expected results\n\nExpected\t(<)\nResult\t(>)\n\n%s\n\n", generateDiff(expectedData, resultData))
-			}
-		})
-	}
-}
-
-func TestCheckCIS16WithKind(t *testing.T) {
-	testCheckCISWithKind(t, "cis-1.6")
-}
-
-func TestCheckCIS120WithKind(t *testing.T) {
-	testCheckCISWithKind(t, "cis-1.20")
-}
-
-// This is simple "diff" between 2 strings containing multiple lines.
-// It's not a comprehensive diff between the 2 strings.
-// It does not inditcate when lines are deleted.
-func generateDiff(source, target string) string {
-	buf := new(bytes.Buffer)
-	ss := bufio.NewScanner(strings.NewReader(source))
-	ts := bufio.NewScanner(strings.NewReader(target))
-
-	emptySource := false
-	emptyTarget := false
-
-loop:
-	for ln := 1; ; ln++ {
-		var ll, rl string
-
-		sourceScan := ss.Scan()
-		if sourceScan {
-			ll = ss.Text()
-		}
-
-		targetScan := ts.Scan()
-		if targetScan {
-			rl = ts.Text()
-		}
-
-		switch {
-		case !sourceScan && !targetScan:
-			// no more lines
-			break loop
-		case sourceScan && targetScan:
-			if ll != rl {
-				fmt.Fprintf(buf, "line: %d\n", ln)
-				fmt.Fprintf(buf, "< %s\n", ll)
-				fmt.Fprintf(buf, "> %s\n", rl)
-			}
-		case !targetScan:
-			if !emptyTarget {
-				fmt.Fprintf(buf, "line: %d\n", ln)
-			}
-			fmt.Fprintf(buf, "< %s\n", ll)
-			emptyTarget = true
-		case !sourceScan:
-			if !emptySource {
-				fmt.Fprintf(buf, "line: %d\n", ln)
-			}
-			fmt.Fprintf(buf, "> %s\n", rl)
-			emptySource = true
-		}
-	}
-
-	if emptySource {
-		fmt.Fprintf(buf, "< [[NO MORE DATA]]")
-	}
-
-	if emptyTarget {
-		fmt.Fprintf(buf, "> [[NO MORE DATA]]")
-	}
-
-	return buf.String()
-}
diff --git a/integration/testdata/cis-1.6/job.data b/integration/testdata/Expected_output.data
similarity index 95%
rename from integration/testdata/cis-1.6/job.data
rename to integration/testdata/Expected_output.data
index c8e90f486ee043258ef9aa4e6c868daff6fe2f21..afd74a1bc312004d2d733a0aa9c6769a2be35761 100644
--- a/integration/testdata/cis-1.6/job.data
+++ b/integration/testdata/Expected_output.data
@@ -243,7 +243,7 @@ minimum.
 [WARN] 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)
 [PASS] 4.2.11 Ensure that the --rotate-certificates argument is not set to false (Manual)
 [PASS] 4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)
-[PASS] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)
+[WARN] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)
 
 == Remediations node ==
 4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
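Review bot: The expected status for check 4.2.13 is relaxed from `[PASS]` to `[WARN]` on the new side rather than the cluster being configured to keep passing it; this lines up with the deletion of `integration/testdata/cis-1.20/add-tls-kind.yaml`, which patched `tlsCipherSuites` into the KIND kubelet (the cis-1.6 counterpart is presumably removed too), so the fixture now encodes a kubelet with no restricted cipher list and the summary counts at the end of the file shift to match. If the intent is to keep the integration run proving the hardened configuration, the same KubeletConfiguration patch can be supplied to the cluster through setup-kind's `config:` input instead of editing the expected output. Either way, a one-line comment in the commit message or next to the fixture explaining why 4.2.13 is expected to warn would stop a later maintainer from reading this as a kube-bench regression.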
@@ -275,11 +275,22 @@ Based on your system, restart the kubelet service. For example:
 systemctl daemon-reload
 systemctl restart kubelet.service
 
+4.2.13 If using a Kubelet config file, edit the file to set TLSCipherSuites: to
+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
+or to a subset of these values.
+If using executable arguments, edit the kubelet service file
+/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
+set the --tls-cipher-suites parameter as follows, or to a subset of these values.
+--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
+Based on your system, restart the kubelet service. For example:
+systemctl daemon-reload
+systemctl restart kubelet.service
+
 
 == Summary node ==
-20 checks PASS
+19 checks PASS
 1 checks FAIL
-2 checks WARN
+3 checks WARN
 0 checks INFO
 
 [INFO] 5 Kubernetes Policies
@@ -418,7 +429,8 @@ resources and that all new resources are created in a specific namespace.
 0 checks INFO
 
 == Summary total ==
-71 checks PASS
+70 checks PASS
 11 checks FAIL
-40 checks WARN
+41 checks WARN
 0 checks INFO
+
diff --git a/integration/testdata/cis-1.20/add-tls-kind.yaml b/integration/testdata/cis-1.20/add-tls-kind.yaml
deleted file mode 100644
index 5b5e2a0a06324529fdf0c1cfdaade6d3ab18c2d2..0000000000000000000000000000000000000000
--- a/integration/testdata/cis-1.20/add-tls-kind.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: kind.sigs.k8s.io/v1alpha3
-kind: Cluster
-networking:
-  apiServerAddress: "0.0.0.0"
-
-kubeadmConfigPatchesJson6902:
-  - group: kubelet.config.k8s.io
-    version: v1beta1
-    kind: KubeletConfiguration
-    patch: |
-      - op: add
-        path: /tlsCipherSuites
-        value: ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
-
-nodes:
-  # the control plane node config
-  - role: control-plane
-    image: "kindest/node:v1.20.0"
diff --git a/integration/testdata/cis-1.20/job-master.data b/integration/testdata/cis-1.20/job-master.data
deleted file mode 100644
index e6932dbd17de272d22b0f69d208543191bc4c217..0000000000000000000000000000000000000000
--- a/integration/testdata/cis-1.20/job-master.data
+++ /dev/null
@@ -1,185 +0,0 @@
-[INFO] 1 Master Node Security Configuration
-[INFO] 1.1 Master Node Configuration Files
-[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
-[PASS] 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)
-[PASS] 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)
-[PASS] 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Automated)
-[PASS] 1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)
-[PASS] 1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root (Automated)
-[PASS] 1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)
-[PASS] 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Automated)
-[WARN] 1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)
-[WARN] 1.1.10 Ensure that the Container Network Interface file ownership is set to root:root (Manual)
-[PASS] 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)
-[FAIL] 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)
-[PASS] 1.1.13 Ensure that the admin.conf file permissions are set to 644 or more restrictive (Automated)
-[PASS] 1.1.14 Ensure that the admin.conf file ownership is set to root:root (Automated)
-[PASS] 1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)
-[PASS] 1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Automated)
-[PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)
-[PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Automated)
-[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)
-[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)
-[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)
-[INFO] 1.2 API Server
-[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)
-[PASS] 1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)
-[PASS] 1.2.3 Ensure that the --kubelet-https argument is set to true (Automated)
-[PASS] 1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)
-[FAIL] 1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)
-[PASS] 1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
-[PASS] 1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)
-[PASS] 1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)
-[WARN] 1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual)
-[PASS] 1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)
-[WARN] 1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)
-[WARN] 1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)
-[PASS] 1.2.13 Ensure that the admission control plugin ServiceAccount is set (Automated)
-[PASS] 1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)
-[FAIL] 1.2.15 Ensure that the admission control plugin PodSecurityPolicy is set (Automated)
-[PASS] 1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)
-[PASS] 1.2.17 Ensure that the --insecure-bind-address argument is not set (Automated)
-[PASS] 1.2.18 Ensure that the --insecure-port argument is set to 0 (Automated)
-[PASS] 1.2.19 Ensure that the --secure-port argument is not set to 0 (Automated)
-[FAIL] 1.2.20 Ensure that the --profiling argument is set to false (Automated)
-[FAIL] 1.2.21 Ensure that the --audit-log-path argument is set (Automated)
-[FAIL] 1.2.22 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)
-[FAIL] 1.2.23 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)
-[FAIL] 1.2.24 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)
-[WARN] 1.2.25 Ensure that the --request-timeout argument is set as appropriate (Automated)
-[PASS] 1.2.26 Ensure that the --service-account-lookup argument is set to true (Automated)
-[PASS] 1.2.27 Ensure that the --service-account-key-file argument is set as appropriate (Automated)
-[PASS] 1.2.28 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)
-[PASS] 1.2.29 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)
-[PASS] 1.2.30 Ensure that the --client-ca-file argument is set as appropriate (Automated)
-[PASS] 1.2.31 Ensure that the --etcd-cafile argument is set as appropriate (Automated)
-[WARN] 1.2.32 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)
-[WARN] 1.2.33 Ensure that encryption providers are appropriately configured (Manual)
-[WARN] 1.2.34 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)
-[INFO] 1.3 Controller Manager
-[WARN] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)
-[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Automated)
-[PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)
-[PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)
-[PASS] 1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)
-[PASS] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)
-[PASS] 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)
-[INFO] 1.4 Scheduler
-[FAIL] 1.4.1 Ensure that the --profiling argument is set to false (Automated)
-[PASS] 1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)
-
-== Remediations master ==
-1.1.9 Run the below command (based on the file location on your system) on the master node.
-For example,
-chmod 644 <path/to/cni/files>
-
-1.1.10 Run the below command (based on the file location on your system) on the master node.
-For example,
-chown root:root <path/to/cni/files>
-
-1.1.12 On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
-from the below command:
-ps -ef | grep etcd
-Run the below command (based on the etcd data directory found above).
-For example, chown etcd:etcd /var/lib/etcd
-
-1.2.1 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the below parameter.
---anonymous-auth=false
-
-1.2.5 Follow the Kubernetes documentation and setup the TLS connection between
-the apiserver and kubelets. Then, edit the API server pod specification file
-/etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the
---kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.
---kubelet-certificate-authority=<ca-string>
-
-1.2.9 Follow the Kubernetes documentation and set the desired limits in a configuration file.
-Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-and set the below parameters.
---enable-admission-plugins=...,EventRateLimit,...
---admission-control-config-file=<path/to/configuration/file>
-
-1.2.11 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --enable-admission-plugins parameter to include
-AlwaysPullImages.
---enable-admission-plugins=...,AlwaysPullImages,...
-
-1.2.12 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --enable-admission-plugins parameter to include
-SecurityContextDeny, unless PodSecurityPolicy is already in place.
---enable-admission-plugins=...,SecurityContextDeny,...
-
-1.2.15 Follow the documentation and create Pod Security Policy objects as per your environment.
-Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --enable-admission-plugins parameter to a
-value that includes PodSecurityPolicy:
---enable-admission-plugins=...,PodSecurityPolicy,...
-Then restart the API Server.
-
-1.2.20 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the below parameter.
---profiling=false
-
-1.2.21 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --audit-log-path parameter to a suitable path and
-file where you would like audit logs to be written, for example:
---audit-log-path=/var/log/apiserver/audit.log
-
-1.2.22 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days:
---audit-log-maxage=30
-
-1.2.23 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --audit-log-maxbackup parameter to 10 or to an appropriate
-value.
---audit-log-maxbackup=10
-
-1.2.24 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --audit-log-maxsize parameter to an appropriate size in MB.
-For example, to set it as 100 MB:
---audit-log-maxsize=100
-
-1.2.25 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-and set the below parameter as appropriate and if needed.
-For example,
---request-timeout=300s
-
-1.2.32 Follow the Kubernetes documentation and configure a EncryptionConfig file.
-Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config=</path/to/EncryptionConfig/File>
-
-1.2.33 Follow the Kubernetes documentation and configure a EncryptionConfig file.
-In this file, choose aescbc, kms or secretbox as the encryption provider.
-
-1.2.34 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the below parameter.
---tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM
-_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM
-_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM
-_SHA384
-
-1.3.1 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
-on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold,
-for example:
---terminated-pod-gc-threshold=10
-
-1.3.2 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
-on the master node and set the below parameter.
---profiling=false
-
-1.4.1 Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file
-on the master node and set the below parameter.
---profiling=false
-
-
-== Summary master ==
-43 checks PASS
-10 checks FAIL
-11 checks WARN
-0 checks INFO
-
-== Summary total ==
-43 checks PASS
-10 checks FAIL
-11 checks WARN
-0 checks INFO
diff --git a/integration/testdata/cis-1.20/job-node.data b/integration/testdata/cis-1.20/job-node.data
deleted file mode 100644
index a1b2adb5950a1d12fde4f212f94b63544188a595..0000000000000000000000000000000000000000
--- a/integration/testdata/cis-1.20/job-node.data
+++ /dev/null
@@ -1,73 +0,0 @@
-[INFO] 4 Worker Node Security Configuration
-[INFO] 4.1 Worker Node Configuration Files
-[FAIL] 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)
-[PASS] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)
-[PASS] 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)
-[PASS] 4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)
-[PASS] 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)
-[PASS] 4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Manual)
-[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)
-[PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Manual)
-[PASS] 4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)
-[PASS] 4.1.10 Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)
-[INFO] 4.2 Kubelet
-[PASS] 4.2.1 Ensure that the anonymous-auth argument is set to false (Automated)
-[PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
-[PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)
-[PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)
-[PASS] 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)
-[FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)
-[PASS] 4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)
-[PASS] 4.2.8 Ensure that the --hostname-override argument is not set (Manual)
-[WARN] 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)
-[WARN] 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)
-[PASS] 4.2.11 Ensure that the --rotate-certificates argument is not set to false (Manual)
-[PASS] 4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)
-[PASS] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)
-
-== Remediations node ==
-4.1.1 Run the below command (based on the file location on your system) on the each worker node.
-For example,
-chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
-
-4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
-If using command line arguments, edit the kubelet service file
-/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
-set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
---protect-kernel-defaults=true
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-
-4.2.9 If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
-If using command line arguments, edit the kubelet service file
-/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
-set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-
-4.2.10 If using a Kubelet config file, edit the file to set tlsCertFile to the location
-of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile
-to the location of the corresponding private key file.
-If using command line arguments, edit the kubelet service file
-/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
-set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
---tls-cert-file=<path/to/tls-certificate-file>
---tls-private-key-file=<path/to/tls-key-file>
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-
-
-== Summary node ==
-19 checks PASS
-2 checks FAIL
-2 checks WARN
-0 checks INFO
-
-== Summary total ==
-19 checks PASS
-2 checks FAIL
-2 checks WARN
-0 checks INFO
\ No newline at end of file
diff --git a/integration/testdata/cis-1.20/job.data b/integration/testdata/cis-1.20/job.data
deleted file mode 100644
index b135904ef81715812f5fab009102a9384d089eae..0000000000000000000000000000000000000000
--- a/integration/testdata/cis-1.20/job.data
+++ /dev/null
@@ -1,418 +0,0 @@
-[INFO] 1 Master Node Security Configuration
-[INFO] 1.1 Master Node Configuration Files
-[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
-[PASS] 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)
-[PASS] 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)
-[PASS] 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Automated)
-[PASS] 1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)
-[PASS] 1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root (Automated)
-[PASS] 1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)
-[PASS] 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Automated)
-[WARN] 1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)
-[WARN] 1.1.10 Ensure that the Container Network Interface file ownership is set to root:root (Manual)
-[PASS] 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)
-[FAIL] 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)
-[PASS] 1.1.13 Ensure that the admin.conf file permissions are set to 644 or more restrictive (Automated)
-[PASS] 1.1.14 Ensure that the admin.conf file ownership is set to root:root (Automated)
-[PASS] 1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)
-[PASS] 1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Automated)
-[PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)
-[PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Automated)
-[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)
-[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)
-[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)
-[INFO] 1.2 API Server
-[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)
-[PASS] 1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)
-[PASS] 1.2.3 Ensure that the --kubelet-https argument is set to true (Automated)
-[PASS] 1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)
-[FAIL] 1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)
-[PASS] 1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
-[PASS] 1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)
-[PASS] 1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)
-[WARN] 1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual)
-[PASS] 1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)
-[WARN] 1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)
-[WARN] 1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)
-[PASS] 1.2.13 Ensure that the admission control plugin ServiceAccount is set (Automated)
-[PASS] 1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)
-[FAIL] 1.2.15 Ensure that the admission control plugin PodSecurityPolicy is set (Automated)
-[PASS] 1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)
-[PASS] 1.2.17 Ensure that the --insecure-bind-address argument is not set (Automated)
-[PASS] 1.2.18 Ensure that the --insecure-port argument is set to 0 (Automated)
-[PASS] 1.2.19 Ensure that the --secure-port argument is not set to 0 (Automated)
-[FAIL] 1.2.20 Ensure that the --profiling argument is set to false (Automated)
-[FAIL] 1.2.21 Ensure that the --audit-log-path argument is set (Automated)
-[FAIL] 1.2.22 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)
-[FAIL] 1.2.23 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)
-[FAIL] 1.2.24 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)
-[WARN] 1.2.25 Ensure that the --request-timeout argument is set as appropriate (Automated)
-[PASS] 1.2.26 Ensure that the --service-account-lookup argument is set to true (Automated)
-[PASS] 1.2.27 Ensure that the --service-account-key-file argument is set as appropriate (Automated)
-[PASS] 1.2.28 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)
-[PASS] 1.2.29 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)
-[PASS] 1.2.30 Ensure that the --client-ca-file argument is set as appropriate (Automated)
-[PASS] 1.2.31 Ensure that the --etcd-cafile argument is set as appropriate (Automated)
-[WARN] 1.2.32 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)
-[WARN] 1.2.33 Ensure that encryption providers are appropriately configured (Manual)
-[WARN] 1.2.34 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)
-[INFO] 1.3 Controller Manager
-[WARN] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)
-[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Automated)
-[PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)
-[PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)
-[PASS] 1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)
-[PASS] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)
-[PASS] 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)
-[INFO] 1.4 Scheduler
-[FAIL] 1.4.1 Ensure that the --profiling argument is set to false (Automated)
-[PASS] 1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)
-
-== Remediations master ==
-1.1.9 Run the below command (based on the file location on your system) on the master node.
-For example,
-chmod 644 <path/to/cni/files>
-
-1.1.10 Run the below command (based on the file location on your system) on the master node.
-For example,
-chown root:root <path/to/cni/files>
-
-1.1.12 On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
-from the below command:
-ps -ef | grep etcd
-Run the below command (based on the etcd data directory found above).
-For example, chown etcd:etcd /var/lib/etcd
-
-1.2.1 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the below parameter.
---anonymous-auth=false
-
-1.2.5 Follow the Kubernetes documentation and setup the TLS connection between
-the apiserver and kubelets. Then, edit the API server pod specification file
-/etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the
---kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.
---kubelet-certificate-authority=<ca-string>
-
-1.2.9 Follow the Kubernetes documentation and set the desired limits in a configuration file.
-Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-and set the below parameters.
---enable-admission-plugins=...,EventRateLimit,...
---admission-control-config-file=<path/to/configuration/file>
-
-1.2.11 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --enable-admission-plugins parameter to include
-AlwaysPullImages.
---enable-admission-plugins=...,AlwaysPullImages,...
-
-1.2.12 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --enable-admission-plugins parameter to include
-SecurityContextDeny, unless PodSecurityPolicy is already in place.
---enable-admission-plugins=...,SecurityContextDeny,...
-
-1.2.15 Follow the documentation and create Pod Security Policy objects as per your environment.
-Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --enable-admission-plugins parameter to a
-value that includes PodSecurityPolicy:
---enable-admission-plugins=...,PodSecurityPolicy,...
-Then restart the API Server.
-
-1.2.20 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the below parameter.
---profiling=false
-
-1.2.21 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --audit-log-path parameter to a suitable path and
-file where you would like audit logs to be written, for example:
---audit-log-path=/var/log/apiserver/audit.log
-
-1.2.22 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days:
---audit-log-maxage=30
-
-1.2.23 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --audit-log-maxbackup parameter to 10 or to an appropriate
-value.
---audit-log-maxbackup=10
-
-1.2.24 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --audit-log-maxsize parameter to an appropriate size in MB.
-For example, to set it as 100 MB:
---audit-log-maxsize=100
-
-1.2.25 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-and set the below parameter as appropriate and if needed.
-For example,
---request-timeout=300s
-
-1.2.32 Follow the Kubernetes documentation and configure a EncryptionConfig file.
-Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config=</path/to/EncryptionConfig/File>
-
-1.2.33 Follow the Kubernetes documentation and configure a EncryptionConfig file.
-In this file, choose aescbc, kms or secretbox as the encryption provider.
-
-1.2.34 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the below parameter.
---tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM
-_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM
-_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM
-_SHA384
-
-1.3.1 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
-on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold,
-for example:
---terminated-pod-gc-threshold=10
-
-1.3.2 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
-on the master node and set the below parameter.
---profiling=false
-
-1.4.1 Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file
-on the master node and set the below parameter.
---profiling=false
-
-
-== Summary master ==
-43 checks PASS
-10 checks FAIL
-11 checks WARN
-0 checks INFO
-
-[INFO] 2 Etcd Node Configuration
-[INFO] 2 Etcd Node Configuration Files
-[PASS] 2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)
-[PASS] 2.2 Ensure that the --client-cert-auth argument is set to true (Automated)
-[PASS] 2.3 Ensure that the --auto-tls argument is not set to true (Automated)
-[PASS] 2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)
-[PASS] 2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)
-[PASS] 2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)
-[PASS] 2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)
-
-== Summary etcd ==
-7 checks PASS
-0 checks FAIL
-0 checks WARN
-0 checks INFO
-
-[INFO] 3 Control Plane Configuration
-[INFO] 3.1 Authentication and Authorization
-[WARN] 3.1.1 Client certificate authentication should not be used for users (Manual)
-[INFO] 3.2 Logging
-[WARN] 3.2.1 Ensure that a minimal audit policy is created (Manual)
-[WARN] 3.2.2 Ensure that the audit policy covers key security concerns (Manual)
-
-== Remediations controlplane ==
-3.1.1 Alternative mechanisms provided by Kubernetes such as the use of OIDC should be
-implemented in place of client certificates.
-
-3.2.1 Create an audit policy file for your cluster.
-
-3.2.2 Consider modification of the audit policy in use on the cluster to include these items, at a
-minimum.
-
-
-== Summary controlplane ==
-0 checks PASS
-0 checks FAIL
-3 checks WARN
-0 checks INFO
-
-[INFO] 4 Worker Node Security Configuration
-[INFO] 4.1 Worker Node Configuration Files
-[FAIL] 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)
-[PASS] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)
-[PASS] 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)
-[PASS] 4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)
-[PASS] 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)
-[PASS] 4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Manual)
-[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)
-[PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Manual)
-[PASS] 4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)
-[PASS] 4.1.10 Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)
-[INFO] 4.2 Kubelet
-[PASS] 4.2.1 Ensure that the anonymous-auth argument is set to false (Automated)
-[PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
-[PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)
-[PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)
-[PASS] 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)
-[FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)
-[PASS] 4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)
-[PASS] 4.2.8 Ensure that the --hostname-override argument is not set (Manual)
-[WARN] 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)
-[WARN] 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)
-[PASS] 4.2.11 Ensure that the --rotate-certificates argument is not set to false (Manual)
-[PASS] 4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)
-[PASS] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)
-
-== Remediations node ==
-4.1.1 Run the below command (based on the file location on your system) on the each worker node.
-For example,
-chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
-
-4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
-If using command line arguments, edit the kubelet service file
-/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
-set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
---protect-kernel-defaults=true
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-
-4.2.9 If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
-If using command line arguments, edit the kubelet service file
-/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
-set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-
-4.2.10 If using a Kubelet config file, edit the file to set tlsCertFile to the location
-of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile
-to the location of the corresponding private key file.
-If using command line arguments, edit the kubelet service file
-/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
-set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
---tls-cert-file=<path/to/tls-certificate-file>
---tls-private-key-file=<path/to/tls-key-file>
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-
-
-== Summary node ==
-19 checks PASS
-2 checks FAIL
-2 checks WARN
-0 checks INFO
-
-[INFO] 5 Kubernetes Policies
-[INFO] 5.1 RBAC and Service Accounts
-[WARN] 5.1.1 Ensure that the cluster-admin role is only used where required (Manual)
-[WARN] 5.1.2 Minimize access to secrets (Manual)
-[WARN] 5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)
-[WARN] 5.1.4 Minimize access to create pods (Manual)
-[WARN] 5.1.5 Ensure that default service accounts are not actively used. (Manual)
-[WARN] 5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)
-[WARN] 5.1.7 Avoid use of system:masters group (Manual)
-[WARN] 5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)
-[INFO] 5.2 Pod Security Policies
-[WARN] 5.2.1 Minimize the admission of privileged containers (Automated)
-[WARN] 5.2.2 Minimize the admission of containers wishing to share the host process ID namespace (Automated)
-[WARN] 5.2.3 Minimize the admission of containers wishing to share the host IPC namespace (Automated)
-[WARN] 5.2.4 Minimize the admission of containers wishing to share the host network namespace (Automated)
-[WARN] 5.2.5 Minimize the admission of containers with allowPrivilegeEscalation (Automated)
-[WARN] 5.2.6 Minimize the admission of root containers (Automated)
-[WARN] 5.2.7 Minimize the admission of containers with the NET_RAW capability (Automated)
-[WARN] 5.2.8 Minimize the admission of containers with added capabilities (Automated)
-[WARN] 5.2.9 Minimize the admission of containers with capabilities assigned (Manual)
-[INFO] 5.3 Network Policies and CNI
-[WARN] 5.3.1 Ensure that the CNI in use supports Network Policies (Manual)
-[WARN] 5.3.2 Ensure that all Namespaces have Network Policies defined (Manual)
-[INFO] 5.4 Secrets Management
-[WARN] 5.4.1 Prefer using secrets as files over secrets as environment variables (Manual)
-[WARN] 5.4.2 Consider external secret storage (Manual)
-[INFO] 5.5 Extensible Admission Control
-[WARN] 5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)
-[INFO] 5.7 General Policies
-[WARN] 5.7.1 Create administrative boundaries between resources using namespaces (Manual)
-[WARN] 5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)
-[WARN] 5.7.3 Apply Security Context to Your Pods and Containers (Manual)
-[WARN] 5.7.4 The default namespace should not be used (Manual)
-
-== Remediations policies ==
-5.1.1 Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
-if they need this role or if they could use a role with fewer privileges.
-Where possible, first bind users to a lower privileged role and then remove the
-clusterrolebinding to the cluster-admin role :
-kubectl delete clusterrolebinding [name]
-
-5.1.2 Where possible, remove get, list and watch access to secret objects in the cluster.
-
-5.1.3 Where possible replace any use of wildcards in clusterroles and roles with specific
-objects or actions.
-
-5.1.4 Where possible, remove create access to pod objects in the cluster.
-
-5.1.5 Create explicit service accounts wherever a Kubernetes workload requires specific access
-to the Kubernetes API server.
-Modify the configuration of each default service account to include this value
-automountServiceAccountToken: false
-
-5.1.6 Modify the definition of pods and service accounts which do not need to mount service
-account tokens to disable it.
-
-5.1.7 Remove the system:masters group from all users in the cluster.
-
-5.1.8 Where possible, remove the impersonate, bind and escalate rights from subjects.
-
-5.2.1 Create a PSP as described in the Kubernetes documentation, ensuring that
-the .spec.privileged field is omitted or set to false.
-
-5.2.2 Create a PSP as described in the Kubernetes documentation, ensuring that the
-.spec.hostPID field is omitted or set to false.
-
-5.2.3 Create a PSP as described in the Kubernetes documentation, ensuring that the
-.spec.hostIPC field is omitted or set to false.
-
-5.2.4 Create a PSP as described in the Kubernetes documentation, ensuring that the
-.spec.hostNetwork field is omitted or set to false.
-
-5.2.5 Create a PSP as described in the Kubernetes documentation, ensuring that the
-.spec.allowPrivilegeEscalation field is omitted or set to false.
-
-5.2.6 Create a PSP as described in the Kubernetes documentation, ensuring that the
-.spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of
-UIDs not including 0.
-
-5.2.7 Create a PSP as described in the Kubernetes documentation, ensuring that the
-.spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
-
-5.2.8 Ensure that allowedCapabilities is not present in PSPs for the cluster unless
-it is set to an empty array.
-
-5.2.9 Review the use of capabilites in applications running on your cluster. Where a namespace
-contains applicaions which do not require any Linux capabities to operate consider adding
-a PSP which forbids the admission of containers which do not drop all capabilities.
-
-5.3.1 If the CNI plugin in use does not support network policies, consideration should be given to
-making use of a different plugin, or finding an alternate mechanism for restricting traffic
-in the Kubernetes cluster.
-
-5.3.2 Follow the documentation and create NetworkPolicy objects as you need them.
-
-5.4.1 if possible, rewrite application code to read secrets from mounted secret files, rather than
-from environment variables.
-
-5.4.2 Refer to the secrets management options offered by your cloud provider or a third-party
-secrets management solution.
-
-5.5.1 Follow the Kubernetes documentation and setup image provenance.
-
-5.7.1 Follow the documentation and create namespaces for objects in your deployment as you need
-them.
-
-5.7.2 Use security context to enable the docker/default seccomp profile in your pod definitions.
-An example is as below:
-  securityContext:
-    seccompProfile:
-      type: RuntimeDefault
-
-5.7.3 Follow the Kubernetes documentation and apply security contexts to your pods. For a
-suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
-Containers.
-
-5.7.4 Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
-resources and that all new resources are created in a specific namespace.
-
-
-== Summary policies ==
-0 checks PASS
-0 checks FAIL
-26 checks WARN
-0 checks INFO
-
-== Summary total ==
-69 checks PASS
-12 checks FAIL
-42 checks WARN
-0 checks INFO
diff --git a/integration/testdata/cis-1.6/add-tls-kind.yaml b/integration/testdata/cis-1.6/add-tls-kind.yaml
deleted file mode 100644
index d81fdb34e97c3de76d69a9cb2227ff63834042eb..0000000000000000000000000000000000000000
--- a/integration/testdata/cis-1.6/add-tls-kind.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: kind.sigs.k8s.io/v1alpha3
-kind: Cluster
-networking:
-  apiServerAddress: "0.0.0.0"
-
-kubeadmConfigPatchesJson6902:
-  - group: kubelet.config.k8s.io
-    version: v1beta1
-    kind: KubeletConfiguration
-    patch: |
-      - op: add
-        path: /tlsCipherSuites
-        value: ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
-
-nodes:
-  # the control plane node config
-  - role: control-plane
-    image: "kindest/node:v1.18.0"
diff --git a/integration/testdata/cis-1.6/job-master.data b/integration/testdata/cis-1.6/job-master.data
deleted file mode 100644
index 01fd194227beec7a15791ed94294a877ab9c36fa..0000000000000000000000000000000000000000
--- a/integration/testdata/cis-1.6/job-master.data
+++ /dev/null
@@ -1,186 +0,0 @@
-[INFO] 1 Master Node Security Configuration
-[INFO] 1.1 Master Node Configuration Files
-[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
-[PASS] 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)
-[PASS] 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)
-[PASS] 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Automated)
-[PASS] 1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)
-[PASS] 1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root (Automated)
-[PASS] 1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)
-[PASS] 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Automated)
-[WARN] 1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)
-[WARN] 1.1.10 Ensure that the Container Network Interface file ownership is set to root:root (Manual)
-[PASS] 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)
-[FAIL] 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)
-[PASS] 1.1.13 Ensure that the admin.conf file permissions are set to 644 or more restrictive (Automated)
-[PASS] 1.1.14 Ensure that the admin.conf file ownership is set to root:root (Automated)
-[PASS] 1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)
-[PASS] 1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Automated)
-[PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)
-[PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Automated)
-[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)
-[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)
-[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)
-[INFO] 1.2 API Server
-[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)
-[PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Automated)
-[PASS] 1.2.3 Ensure that the --token-auth-file parameter is not set (Automated)
-[PASS] 1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)
-[PASS] 1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)
-[FAIL] 1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)
-[PASS] 1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
-[PASS] 1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)
-[PASS] 1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)
-[WARN] 1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)
-[PASS] 1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)
-[WARN] 1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)
-[WARN] 1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)
-[PASS] 1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)
-[PASS] 1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)
-[FAIL] 1.2.16 Ensure that the admission control plugin PodSecurityPolicy is set (Automated)
-[PASS] 1.2.17 Ensure that the admission control plugin NodeRestriction is set (Automated)
-[PASS] 1.2.18 Ensure that the --insecure-bind-address argument is not set (Automated)
-[PASS] 1.2.19 Ensure that the --insecure-port argument is set to 0 (Automated)
-[PASS] 1.2.20 Ensure that the --secure-port argument is not set to 0 (Automated)
-[FAIL] 1.2.21 Ensure that the --profiling argument is set to false (Automated)
-[FAIL] 1.2.22 Ensure that the --audit-log-path argument is set (Automated)
-[FAIL] 1.2.23 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)
-[FAIL] 1.2.24 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)
-[FAIL] 1.2.25 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)
-[WARN] 1.2.26 Ensure that the --request-timeout argument is set as appropriate (Automated)
-[PASS] 1.2.27 Ensure that the --service-account-lookup argument is set to true (Automated)
-[PASS] 1.2.28 Ensure that the --service-account-key-file argument is set as appropriate (Automated)
-[PASS] 1.2.29 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)
-[PASS] 1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)
-[PASS] 1.2.31 Ensure that the --client-ca-file argument is set as appropriate (Automated)
-[PASS] 1.2.32 Ensure that the --etcd-cafile argument is set as appropriate (Automated)
-[WARN] 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)
-[WARN] 1.2.34 Ensure that encryption providers are appropriately configured (Manual)
-[WARN] 1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)
-[INFO] 1.3 Controller Manager
-[WARN] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)
-[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Automated)
-[PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)
-[PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)
-[PASS] 1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)
-[PASS] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)
-[PASS] 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)
-[INFO] 1.4 Scheduler
-[FAIL] 1.4.1 Ensure that the --profiling argument is set to false (Automated)
-[PASS] 1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)
-
-== Remediations master ==
-1.1.9 Run the below command (based on the file location on your system) on the master node.
-For example,
-chmod 644 <path/to/cni/files>
-
-1.1.10 Run the below command (based on the file location on your system) on the master node.
-For example,
-chown root:root <path/to/cni/files>
-
-1.1.12 On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
-from the below command:
-ps -ef | grep etcd
-Run the below command (based on the etcd data directory found above).
-For example, chown etcd:etcd /var/lib/etcd
-
-1.2.1 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the below parameter.
---anonymous-auth=false
-
-1.2.6 Follow the Kubernetes documentation and setup the TLS connection between
-the apiserver and kubelets. Then, edit the API server pod specification file
-/etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the
---kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.
---kubelet-certificate-authority=<ca-string>
-
-1.2.10 Follow the Kubernetes documentation and set the desired limits in a configuration file.
-Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-and set the below parameters.
---enable-admission-plugins=...,EventRateLimit,...
---admission-control-config-file=<path/to/configuration/file>
-
-1.2.12 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --enable-admission-plugins parameter to include
-AlwaysPullImages.
---enable-admission-plugins=...,AlwaysPullImages,...
-
-1.2.13 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --enable-admission-plugins parameter to include
-SecurityContextDeny, unless PodSecurityPolicy is already in place.
---enable-admission-plugins=...,SecurityContextDeny,...
-
-1.2.16 Follow the documentation and create Pod Security Policy objects as per your environment.
-Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --enable-admission-plugins parameter to a
-value that includes PodSecurityPolicy:
---enable-admission-plugins=...,PodSecurityPolicy,...
-Then restart the API Server.
-
-1.2.21 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the below parameter.
---profiling=false
-
-1.2.22 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --audit-log-path parameter to a suitable path and
-file where you would like audit logs to be written, for example:
---audit-log-path=/var/log/apiserver/audit.log
-
-1.2.23 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days:
---audit-log-maxage=30
-
-1.2.24 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --audit-log-maxbackup parameter to 10 or to an appropriate
-value.
---audit-log-maxbackup=10
-
-1.2.25 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --audit-log-maxsize parameter to an appropriate size in MB.
-For example, to set it as 100 MB:
---audit-log-maxsize=100
-
-1.2.26 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-and set the below parameter as appropriate and if needed.
-For example,
---request-timeout=300s
-
-1.2.33 Follow the Kubernetes documentation and configure a EncryptionConfig file.
-Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config=</path/to/EncryptionConfig/File>
-
-1.2.34 Follow the Kubernetes documentation and configure a EncryptionConfig file.
-In this file, choose aescbc, kms or secretbox as the encryption provider.
-
-1.2.35 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the below parameter.
---tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM
-_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM
-_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM
-_SHA384
-
-1.3.1 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
-on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold,
-for example:
---terminated-pod-gc-threshold=10
-
-1.3.2 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
-on the master node and set the below parameter.
---profiling=false
-
-1.4.1 Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file
-on the master node and set the below parameter.
---profiling=false
-
-
-== Summary master ==
-44 checks PASS
-10 checks FAIL
-11 checks WARN
-0 checks INFO
-
-== Summary total ==
-44 checks PASS
-10 checks FAIL
-11 checks WARN
-0 checks INFO
diff --git a/integration/testdata/cis-1.6/job-node.data b/integration/testdata/cis-1.6/job-node.data
deleted file mode 100644
index 3668703fe9c71e0f3099b0214bc38a73956162e4..0000000000000000000000000000000000000000
--- a/integration/testdata/cis-1.6/job-node.data
+++ /dev/null
@@ -1,69 +0,0 @@
-[INFO] 4 Worker Node Security Configuration
-[INFO] 4.1 Worker Node Configuration Files
-[PASS] 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)
-[PASS] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)
-[PASS] 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)
-[PASS] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Manual)
-[PASS] 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)
-[PASS] 4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Manual)
-[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)
-[PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Manual)
-[PASS] 4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)
-[PASS] 4.1.10 Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)
-[INFO] 4.2 Kubelet
-[PASS] 4.2.1 Ensure that the anonymous-auth argument is set to false (Automated)
-[PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
-[PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)
-[PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)
-[PASS] 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)
-[FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)
-[PASS] 4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)
-[PASS] 4.2.8 Ensure that the --hostname-override argument is not set (Manual)
-[WARN] 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)
-[WARN] 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)
-[PASS] 4.2.11 Ensure that the --rotate-certificates argument is not set to false (Manual)
-[PASS] 4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)
-[PASS] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)
-
-== Remediations node ==
-4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
-If using command line arguments, edit the kubelet service file
-/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
-set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
---protect-kernel-defaults=true
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-
-4.2.9 If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
-If using command line arguments, edit the kubelet service file
-/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
-set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-
-4.2.10 If using a Kubelet config file, edit the file to set tlsCertFile to the location
-of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile
-to the location of the corresponding private key file.
-If using command line arguments, edit the kubelet service file
-/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
-set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
---tls-cert-file=<path/to/tls-certificate-file>
---tls-private-key-file=<path/to/tls-key-file>
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-
-
-== Summary node ==
-20 checks PASS
-1 checks FAIL
-2 checks WARN
-0 checks INFO
-
-== Summary total ==
-20 checks PASS
-1 checks FAIL
-2 checks WARN
-0 checks INFO
\ No newline at end of file
diff --git a/job.yaml b/job.yaml
index a79af59879becef7297b158c8d69f21ef03609ee..739fb9b785f674bcc732e287ccc6310c41747dae 100644
--- a/job.yaml
+++ b/job.yaml
@@ -12,7 +12,7 @@ spec:
       hostPID: true
       containers:
         - name: kube-bench
-          image: aquasec/kube-bench:latest
+          image: aquasec/kube-bench:0.6.3
           command: ["kube-bench"]
           volumeMounts:
             - name: var-lib-etcd
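Review bot: The new `image: aquasec/kube-bench:0.6.3` line replaces a floating tag with a fixed one, but a tag is still mutable in the registry, so the manifest does not guarantee that the same image bytes run on every apply; pinning by digest does, e.g. `image: aquasec/kube-bench:0.6.3@sha256:<DIGEST_OF_0.6.3>` (placeholder, take the digest from the registry for that tag). If this manifest is also what the CI integration run applies, the job will exercise a published release image rather than the image built from the commit under test, which is worth stating on the line, for example `# pinned release image; not the image built from this checkout`. The enclosing pod/container spec starts and ends outside the hunk.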
diff --git a/makefile b/makefile
index 515ce6d947e1e577ea702b21c2f220f79ab94d46..a93908b996febeee3a56f7659aa506956a9984a1 100644
--- a/makefile
+++ b/makefile
@@ -59,10 +59,6 @@ build-docker:
 tests:
 	GO111MODULE=on go test -vet all -short -race -timeout 30s -coverprofile=coverage.txt -covermode=atomic ./...
 
-# integration tests using kind
-integration-tests: build-docker
-	GO111MODULE=on go test ./integration/... -v -tags integration -timeout 1200s -args -kubebenchImg=$(IMAGE_NAME)
-
 # creates a kind cluster to be used for development.
 HAS_KIND := $(shell command -v kind;)
 kind-test-cluster: