Support k3s.io kubernetes distribution

[thejan2009]

I've recently worked on assessing CIS benchmark compliance of the latest release of k3s.io kubernetes distribution. Mostly copied commands from their CIS Self Assessment Guide into custom rules to make it at least partially automated.

I'm trying to figure out if there is any interest to include these rules in kube-bench and also to estimate how much effort that would take.

The following questions need to be answered first:

• k3s is a single binary containing k8s components that are usually standalone programs (e.g. kube-apiserver, kube-controller-manager, kube-scheduler). As a result we can't ps | grep for these programs. Instead the Self Assessment Guide linked above suggests parsing k3s service logs and finding the arguments there.

  -        audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
  +        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1"

  I couldn't get journalctl to run in the provided container image because of shared library conflicts, so I had to resort to running the kube-bench on the host from deb package.
• Some of the benchmark rules are not applicable because k3s is a single command. I commented them out, but I'm wondering if that's the right approach.
• k3s can be ran without etcd. In the Self Assessment Guide they provide a script to fake the answers in that case. That should probably be handled properly in the rules instead.

[chen-keinan]

@thejan2009 kube-bench is mainly about the official cis benchmark specs, however you can always add a profile for you need, many of our users are doing so.
regarding not applicated test, its either should be skipped (type = skip) as they are not relevant or mark state as WARN for manual review