kube-bench on managed node groups in EKS

[SB-MFJ]

About a month ago started running into the following error and finally got around to poking at it:

error looking for file /etc/kubernetes/pki/ca.crt: stat /etc/kubernetes/pki/ca.crt: permission denied

The bench runs as a cronjob with host_pid.

the folder is locked down tight (ran from kube-bench pod):

/usr/local/bin $ stat /etc/kubernetes/pki
  File: /etc/kubernetes/pki
  Size: 100             Blocks: 0          IO Block: 4096   directory
Device: 2eh/46d Inode: 1           Links: 2
Access: (0700/drwx------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2022-11-17 22:25:17.084000010 +0000
Modify: 2022-11-17 22:25:19.816000059 +0000
Change: 2022-11-17 22:25:19.816000059 +0000

The cluster node group is ran off a launch template with no other modifications and I don't see something that would let me chmod the permissions. Doing this manually also wouldn't make sense since a node group update or scaling would throw this out of wack quick.

Using latest pod image, command:
kube-bench run --targets node --benchmark eks-1.0.1
following host mounts:

• "/var/lib/kubelet"
• "/etc/systemd"
• "/etc/kubernetes"
• "/usr/bin"

cluster info:
buildDate: "2022-10-24T20:35:40Z"
compiler: gc
gitCommit: 55bd5d5cb7d32bc35e4e050f536181196fb8c6f7
gitTreeState: clean
gitVersion: v1.23.13-eks-fb459a0
goVersion: go1.17.13
major: "1"
minor: 23+
platform: linux/amd64

is there just a newer version of the benchmark I'm not using?

Thank you!