CIS Benchmark recommends use of weak ciphers

[pjbgf]

What steps did you take and what happened:

CIS Benchmark recommends the use of TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_128_GCM_SHA256, which are both considered weak ciphers.
Target rules:

4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers

A new ticket was created for the recommendations to be updated.

In the meantime, it would be great if kube-bench was updated to the benefit of its users.

What did you expect to happen:
Use of TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_128_GCM_SHA256 should fail the checks.

Environment

kube-bench: latest/master
Kubernetes: all

Anything else you would like to add:

TLS_RSA* ciphers are vulnerable to the robot attack. The Kubernetes Security Audit also recommend against its use.

[lizrice]

We have test files that reflect different versions of the CIS benchmark, and we want those files to reflect the benchmark as closely as possible. We wait until the CIS benchmark is updated before we take changes like this into the test files.

That said, I agree with the idea of recommending not to use these ciphers, and there have been other cases where the benchmark recommendations are incorrect or outdated (pending a new version).

I am wondering about having an additional set of test files, called something like edge or community (instead of cis-1.x) where we could include improvements like this. The benefit is that we can bring changes to the community more quickly. The downside is that having a choice of tests to run could simply be confusing. We would also need to think carefully about how we document and keep track of the differences between this new set of tests and the “official” ones that reflect a published benchmark or hardening guide.

Thoughts?