ci: Add CIS benchmark check

jimmidyson · jimmidyson · commit 198889322ae7 · 2025-05-15T10:41:37.000+01:00
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -67,7 +67,6 @@ jobs:
           - {"provider": "Nutanix", "kubernetesMinor": "v1.30", "kubernetesVersion": "v1.30.10", "baseOS": "rocky-9.5"}
           - {"provider": "Nutanix", "kubernetesMinor": "v1.31", "kubernetesVersion": "v1.31.4", "baseOS": "rocky-9.5"}
           - {"provider": "Nutanix", "kubernetesMinor": "v1.32", "kubernetesVersion": "v1.32.3", "baseOS": "rocky-9.5"}
-          - {"provider": "Docker", "kubernetesMinor": "v1.30", "kubernetesVersion": "v1.30.12"}
           - {"provider": "Docker", "kubernetesMinor": "v1.31", "kubernetesVersion": "v1.31.8"}
           - {"provider": "Docker", "kubernetesMinor": "v1.32", "kubernetesVersion": "v1.32.4"}
           - {"provider": "Docker", "kubernetesMinor": "v1.33", "kubernetesVersion": "v1.33.0"}
@@ -116,6 +115,37 @@ jobs:
       contents: read
       checks: write
 
+  cis-benchmark:
+    needs:
+      - "lint-gha"
+      - "lint-go"
+      - "lint-test-helm"
+      - "pre-commit"
+      - "unit-test"
+    strategy:
+      matrix:
+        config:
+          - {"provider": "Nutanix", "kubernetesMinor": "v1.32", "kubernetesVersion": "v1.32.3", "baseOS": "rocky-9.5"}
+          - {"provider": "Docker", "kubernetesMinor": "v1.33", "kubernetesVersion": "v1.33.0"}
+          # Uncomment below once we have the ability to run e2e tests on other providers from GHA.
+          # - {"provider": "AWS", "kubernetesMinor": "v1.29", "kubernetesVersion": "v1.29.6"}
+      fail-fast: false
+    name: CIS Benchmark (${{ matrix.config.provider }} provider, Kubernetes ${{ matrix.config.kubernetesMinor }})
+    uses: ./.github/workflows/e2e.yml
+    with:
+      focus: Quick start
+      provider: ${{ matrix.config.provider }}
+      kubernetes-version: ${{ matrix.config.kubernetesVersion }}
+      runs-on: ${{ matrix.config.provider == 'Nutanix' && 'self-hosted-ncn-dind' || 'ubuntu-22.04' }}
+      base-os:  ${{ matrix.config.provider == 'Nutanix' && matrix.config.baseOS || '' }}
+      run-cis-benchmark: true
+      extra-labels: "cni:Cilium && addonStrategy:HelmAddon"
+    secrets: inherit
+    permissions:
+      contents: read
+      checks: write
+
+
   lint-go:
     runs-on: ubuntu-22.04
     strategy:
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -14,6 +14,9 @@ on:
       focus:
         description: e2e tests to focus
         type: string
+      extra-labels:
+        description: Extra labels to pass to the e2e tests
+        type: string
       runs-on:
         description: The runner to run the e2e tests on
         type: string
@@ -26,6 +29,10 @@ on:
         description: The OS image to use for the machine template
         type: string
         required: false
+      run-cis-benchmark:
+        description: Whether to run the CIS benchmark tests
+        type: boolean
+        default: false
 
 jobs:
   e2e-test:
@@ -78,7 +85,7 @@ jobs:
           df -h
 
       - name: Run e2e tests
-        run: devbox run -- make e2e-test E2E_LABEL='provider:${{ inputs.provider }}' E2E_SKIP='${{ inputs.skip }}' E2E_FOCUS='${{ inputs.focus }}' E2E_VERBOSE=true
+        run: devbox run -- make e2e-test E2E_LABEL='provider:${{ inputs.provider }}${{format(' {0} {1}', inputs.extra-labels != '' && '&&' || '', inputs.extra-labels)}}' E2E_SKIP='${{ inputs.skip }}' E2E_FOCUS='${{ inputs.focus }}' E2E_VERBOSE=true
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -95,6 +102,13 @@ jobs:
           KUBERNETES_VERSION_NUTANIX: ${{ inputs.kubernetes-version }}
           KINDEST_IMAGE_TAG: ${{ inputs.kubernetes-version }}
           E2E_KUBERNETES_VERSION: ${{ inputs.kubernetes-version }}
+          RUN_CIS_BENCHMARK: ${{ inputs.run-cis-benchmark }}
+
+      - name: Add job summary for CIS benchmark
+        if: inputs.run-cis-benchmark
+        run: |
+          echo "## CIS Benchmark" >>"${GITHUB_STEP_SUMMARY}"
+          cat test/e2e/cis-benchmark-report.txt >>"${GITHUB_STEP_SUMMARY}"
 
       - if: success() || failure() # always run even if the previous step fails
         name: Publish e2e test report
diff --git a/devbox.json b/devbox.json
@@ -31,6 +31,7 @@
     "rsync@latest",
     "setup-envtest@latest",
     "shfmt@latest",
+    "trivy@latest",
     "yamale@latest",
     "yamllint@latest",
     "yq-go@latest",
diff --git a/devbox.lock b/devbox.lock
@@ -1720,6 +1720,54 @@
         }
       }
     },
+    "trivy@latest": {
+      "last_modified": "2025-04-28T01:45:31Z",
+      "resolved": "github:NixOS/nixpkgs/29335f23bea5e34228349ea739f31ee79e267b88#trivy",
+      "source": "devbox-search",
+      "version": "0.61.1",
+      "systems": {
+        "aarch64-darwin": {
+          "outputs": [
+            {
+              "name": "out",
+              "path": "/nix/store/4s34i0ml8hxficr4v7csyigg4dy2pxhp-trivy-0.61.1",
+              "default": true
+            }
+          ],
+          "store_path": "/nix/store/4s34i0ml8hxficr4v7csyigg4dy2pxhp-trivy-0.61.1"
+        },
+        "aarch64-linux": {
+          "outputs": [
+            {
+              "name": "out",
+              "path": "/nix/store/7ggs35rbylfxapxswngs0pvpisqj3cjz-trivy-0.61.1",
+              "default": true
+            }
+          ],
+          "store_path": "/nix/store/7ggs35rbylfxapxswngs0pvpisqj3cjz-trivy-0.61.1"
+        },
+        "x86_64-darwin": {
+          "outputs": [
+            {
+              "name": "out",
+              "path": "/nix/store/fs9lzjqj925m9kqvlgvvrs4q4lq6f0ps-trivy-0.61.1",
+              "default": true
+            }
+          ],
+          "store_path": "/nix/store/fs9lzjqj925m9kqvlgvvrs4q4lq6f0ps-trivy-0.61.1"
+        },
+        "x86_64-linux": {
+          "outputs": [
+            {
+              "name": "out",
+              "path": "/nix/store/vcqkzvwxzxij69i2jaxmfkx4zl0ywlv6-trivy-0.61.1",
+              "default": true
+            }
+          ],
+          "store_path": "/nix/store/vcqkzvwxzxij69i2jaxmfkx4zl0ywlv6-trivy-0.61.1"
+        }
+      }
+    },
     "yamale@latest": {
       "last_modified": "2025-03-11T17:52:14Z",
       "resolved": "github:NixOS/nixpkgs/0d534853a55b5d02a4ababa1d71921ce8f0aee4c#yamale",
diff --git a/test/e2e/quick_start_test.go b/test/e2e/quick_start_test.go
@@ -8,6 +8,8 @@ package e2e
 import (
 	"fmt"
 	"os"
+	"os/exec"
+	"path/filepath"
 	"slices"
 	"strconv"
 	"strings"
@@ -307,6 +309,34 @@ var _ = Describe("Quick start", func() {
 														),
 													},
 												)
+
+												if os.Getenv("RUN_CIS_BENCHMARK") == "true" {
+													By("Running CIS benchmark against workload cluster")
+
+													trivyCmd := exec.Command( //nolint:gosec // Only used for testing so safe here.
+														"trivy",
+														"k8s",
+														"--compliance=k8s-cis-1.23",
+														"--disable-node-collector",
+														"--report=summary",
+														fmt.Sprintf(
+															"--output=%s",
+															filepath.Join(
+																os.Getenv("GIT_REPO_ROOT"),
+																"cis-benchmark-report.txt",
+															),
+														),
+														fmt.Sprintf(
+															"--kubeconfig=%s",
+															workloadProxy.GetKubeconfigPath(),
+														),
+													)
+
+													trivyCmd.Stdout = GinkgoWriter
+													trivyCmd.Stderr = GinkgoWriter
+
+													Expect(trivyCmd.Run()).To(Succeed(), "CIS benchmark failed")
+												}
 											},
 										}
 									})
