bottlerocket-os · rpkelly · Sep 10, 2025 · Sep 9, 2025 · Sep 9, 2025 · Oct 22, 2025
diff --git a/packages/os/br03040101.json b/packages/os/br03040101.json
@@ -0,0 +1,5 @@
+{
+  "reason": "Test requires iptables FORWARD chain configuration that conflicts with Kubernetes networking architecture. Kubernetes manages its own iptables rules through kube-proxy and CNI plugins.",
+  "reference": "https://github.com/bottlerocket-os/bottlerocket-core-kit/issues/540",
+  "status": "SKIP"
+}
diff --git a/packages/os/k8s04021000.json b/packages/os/k8s04021000.json
@@ -0,0 +1,5 @@
+{
+    "reason": "IAM (external) auth is used on Bottlerocket, so certificate rotation does not apply. See EKS CIS Benchmark.",
+    "reference": "https://docs.aws.amazon.com/eks/latest/userguide/security-iam.html",
+    "status": "PASS"
+}
diff --git a/packages/os/os.spec b/packages/os/os.spec
@@ -34,6 +34,8 @@ Source19: host-containers-toml
 Source20: bottlerocket-fips-checks-metadata-json
 Source21: bootstrap-commands-toml
 Source22: dbus-1-system.toml
+Source23: br03040101.json
+Source24: k8s04021000.json
 
 # 1xx sources: systemd units
 Source100: apiserver.service
@@ -397,6 +399,7 @@ Conflicts: %{_cross_os}image-feature(no-host-containers)
 %package -n %{_cross_os}bloodhound
 Summary: Compliance check framework
 Requires: (%{_cross_os}bloodhound-k8s if %{_cross_os}variant-runtime(k8s))
+Requires: (%{_cross_os}bloodhound-k8s-overrides if %{_cross_os}variant-runtime(k8s))
 Requires: (%{_cross_os}bloodhound-fips if %{_cross_os}image-feature(fips))
 %description -n %{_cross_os}bloodhound
 %{summary}.
@@ -407,6 +410,12 @@ Requires: (%{_cross_os}bloodhound and %{_cross_os}variant-runtime(k8s))
 %description -n %{_cross_os}bloodhound-k8s
 %{summary}.
 
+%package -n %{_cross_os}bloodhound-k8s-overrides
+Summary: CIS Test overrides for Kubernetes variants
+Requires: (%{_cross_os}bloodhound and %{_cross_os}variant-runtime(k8s))
+%description -n %{_cross_os}bloodhound-k8s-overrides
+%{summary}.
+
 %package -n %{_cross_os}bloodhound-fips
 Summary: Compliance checks for FIPS
 Requires: (%{_cross_os}bloodhound and %{_cross_os}image-feature(fips))
@@ -662,6 +671,7 @@ for p in \
     %{buildroot}%{_cross_libexecdir}/cis-checks/bottlerocket/${p}
 done
 install -m 0644 %{S:11} %{buildroot}%{_cross_libexecdir}/cis-checks/bottlerocket/metadata.json
+install -m 0644 %{S:23} %{buildroot}%{_cross_libexecdir}/cis-checks/bottlerocket/br03040101.json
 
 mkdir -p %{buildroot}%{_cross_libexecdir}/fips-checks/bottlerocket
 for p in \
@@ -686,6 +696,7 @@ for p in \
     %{buildroot}%{_cross_libexecdir}/cis-checks/kubernetes/${p}
 done
 install -m 0644 %{S:13} %{buildroot}%{_cross_libexecdir}/cis-checks/kubernetes/metadata.json
+install -m 0644 %{S:24} %{buildroot}%{_cross_libexecdir}/cis-checks/kubernetes/k8s04021000.json
 
 for p in apiclient ; do
   install -p -m 0755 %{__cargo_outdir_static}/${p} %{buildroot}%{_cross_bindir}
@@ -927,11 +938,16 @@ install -p -m 0644 %{S:400} %{S:401} %{S:402} %{buildroot}%{_cross_licensedir}
 %{_cross_bindir}/bloodhound
 %{_cross_bindir}/bottlerocket-cis-checks
 %{_cross_libexecdir}/cis-checks/bottlerocket
+%exclude %{_cross_libexecdir}/cis-checks/bottlerocket/br03040101.json
 
 %files -n %{_cross_os}bloodhound-k8s
 %{_cross_bindir}/kubernetes-cis-checks
 %{_cross_libexecdir}/cis-checks/kubernetes
 
+%files -n %{_cross_os}bloodhound-k8s-overrides
+%{_cross_libexecdir}/cis-checks/bottlerocket/br03040101.json
+%{_cross_libexecdir}/cis-checks/kubernetes/k8s04021000.json
+
 %files -n %{_cross_os}bloodhound-fips
 %{_cross_bindir}/bottlerocket-fips-checks
 %{_cross_libexecdir}/fips-checks/bottlerocket

diff --git a/sources/bloodhound/src/bin/kubernetes-cis-checks/checks.rs b/sources/bloodhound/src/bin/kubernetes-cis-checks/checks.rs
@@ -631,8 +631,6 @@ impl Checker for K8S04021200Checker {
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
             "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-            "TLS_RSA_WITH_AES_256_GCM_SHA384",
-            "TLS_RSA_WITH_AES_128_GCM_SHA256",
         ]
         .into_iter()
         .collect();

diff --git a/sources/bloodhound/src/bin/kubernetes-cis-checks/main.rs b/sources/bloodhound/src/bin/kubernetes-cis-checks/main.rs
@@ -60,13 +60,7 @@ fn main() {
             level: 2,
         }),
         "k8s04020900" => Box::new(K8S04020900Checker {}),
-        // IAM (external) auth is used, so certificate rotation does not apply. See EKS CIS Benchmark.
-        "k8s04021000" => Box::new(ManualChecker {
-            name: cmd_name.to_string(),
-            title: "Ensure that the --rotate-certificates argument is not set to false (not valid for Bottlerocket)".to_string(),
-            id: "4.2.10".to_string(),
-            level: 1,
-        }),
+        "k8s04021000" => Box::new(K8S04021000Checker {}),
         "k8s04021100" => Box::new(K8S04021100Checker {}),
         "k8s04021200" => Box::new(K8S04021200Checker {}),
         "k8s04021300" => Box::new(K8S04021300Checker {}),