Add k3s-cis-1.11 benchmark configuration

[jbenzel]

Summary

Adds CIS Kubernetes Benchmark v1.11 configuration for K3s clusters (versions 1.29-1.34).

Changes

• Added cfg/k3s-cis-1.11/ directory with complete benchmark configuration
  • config.yaml (component settings)
  • master.yaml (60 control plane checks - Sections 1.1-1.4)
  • etcd.yaml (7 etcd checks - Section 2)
  • controlplane.yaml (3 control plane config checks - Section 3)
  • node.yaml (25 worker node checks - Sections 4.1-4.3)
  • policies.yaml (35 policy checks - Sections 5.1-5.6)
• Updated cfg/config.yaml with k3s-cis-1.11 version and target mappings

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ jbenzel
❌ benzeljd
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[afdesk]

@jbenzel thanks for your contribution! it's really nice!

[afdesk]

@jbenzel could you fix linter issue pls?

also It seems we need to update util.go here:

kube-bench/cmd/util.go

Line 558 in 76804bf

case "k3s":

@LaibaBareera WDYT?

[afdesk]

@LaibaBareera could you pls take a look too when you have time?

[afdesk]

@jbenzel thanks!
could you sign license/cla?

[andypitcher]

ref: https://github.com/rancher/security-scan/tree/main/package/cfg/k3s-cis-1.11

cc @dereknola

[LaibaBareera]

Thanks for your contribution.

[LaibaBareera]

@jbenzel, I noticed this check is marked as "skipped". Could you clarify why? Instead of skipping it, you could set the type to "manual".

[LaibaBareera]

If you set the type to "manual", you don’t need to include the test— it can be skipped automatically.

[andypitcher]

@jbenzel @benzeljd I have a quick question about the origin of your PR (being one of the maintainer of the k3s/rke2/rke official profiles)

Was this created entirely independently, or was any of it adapted from existing code using the recent security-scan project k3s-cis-1.11 ? If it utilizes or is based on some prior work, please ensure a clear reference is added (e.g., in a comment or the PR description) to align with attribution requirements of its license.

Thanks for your contribution !

[ShashankSanil]

@jbenzel The current audit logic only checks the latest Running kubelet entry from journalctl, and if that log does not contain the --anonymous-auth flag, the check immediately falls back to the default value.

This is problematic for k3s because a kubelet flag may not always appear in the last log entry, even though it is still configured correctly in the kubelet config file ($kubeletconf). In such cases, kubebench will produce a false failure.

To avoid this, the audit logic should behave as follows:

If logs are present and the flag is found in the log, use that value.

If logs are present but the flag is not found, fall back to checking the kubelet config file.

If logs are not present at all, also check the config file.

Only if both sources are missing should we assume the default value.

This matches how other kubelet checks in kubebench behave and ensures correctness for k3s environments where kubelet args are sometimes set in config rather than in runtime logs.

I recommend updating the audit command accordingly to avoid false negatives.