kube-bench/cfg/config.yaml

---
## Controls Files.
# These are YAML files that hold all the details for running checks.
#
## Uncomment to use different control file paths.
# masterControls: ./cfg/master.yaml
# nodeControls: ./cfg/node.yaml

master:
  components:
    - apiserver
    - scheduler
    - controllermanager
    - etcd
    - flanneld
    # kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
    - kubernetes
    - kubelet

  kubernetes:
    defaultconf: /etc/kubernetes/config

  apiserver:
    bins:
      - "kube-apiserver"
      - "hyperkube apiserver"
      - "hyperkube kube-apiserver"
      - "apiserver"
      - "openshift start master api"
      - "hypershift openshift-kube-apiserver"
    confs:
      - /etc/kubernetes/manifests/kube-apiserver.yaml
      - /etc/kubernetes/manifests/kube-apiserver.yml
      - /etc/kubernetes/manifests/kube-apiserver.manifest
      - /var/snap/kube-apiserver/current/args
      - /var/snap/microk8s/current/args/kube-apiserver
      - /etc/origin/master/master-config.yaml
      - /etc/kubernetes/manifests/talos-kube-apiserver.yaml
      - /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml
    defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml

  scheduler:
    bins:
      - "kube-scheduler"
      - "hyperkube scheduler"
      - "hyperkube kube-scheduler"
      - "scheduler"
      - "openshift start master controllers"
    confs:
      - /etc/kubernetes/manifests/kube-scheduler.yaml
      - /etc/kubernetes/manifests/kube-scheduler.yml
      - /etc/kubernetes/manifests/kube-scheduler.manifest
      - /var/snap/kube-scheduler/current/args
      - /var/snap/microk8s/current/args/kube-scheduler
      - /etc/origin/master/scheduler.json
      - /etc/kubernetes/manifests/talos-kube-scheduler.yaml
      - /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml
    defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
    kubeconfig:
      - /etc/kubernetes/scheduler.conf
      - /var/lib/kube-scheduler/kubeconfig
      - /var/lib/kube-scheduler/config.yaml
      - /system/secrets/kubernetes/kube-scheduler/kubeconfig
    defaultkubeconfig: /etc/kubernetes/scheduler.conf

  controllermanager:
    bins:
      - "kube-controller-manager"
      - "kube-controller"
      - "hyperkube controller-manager"
      - "hyperkube kube-controller-manager"
      - "controller-manager"
      - "openshift start master controllers"
      - "hypershift openshift-controller-manager"
    confs:
      - /etc/kubernetes/manifests/kube-controller-manager.yaml
      - /etc/kubernetes/manifests/kube-controller-manager.yml
      - /etc/kubernetes/manifests/kube-controller-manager.manifest
      - /var/snap/kube-controller-manager/current/args
      - /var/snap/microk8s/current/args/kube-controller-manager
      - /etc/kubernetes/manifests/talos-kube-controller-manager.yaml
      - /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml
    defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
    kubeconfig:
      - /etc/kubernetes/controller-manager.conf
      - /var/lib/kube-controller-manager/kubeconfig
      - /system/secrets/kubernetes/kube-controller-manager/kubeconfig
    defaultkubeconfig: /etc/kubernetes/controller-manager.conf

  etcd:
    optional: true
    bins:
      - "etcd"
      - "openshift start etcd"
    datadirs:
      - /var/lib/etcd/default.etcd
      - /var/lib/etcd/data.etcd
    confs:
      - /etc/kubernetes/manifests/etcd.yaml
      - /etc/kubernetes/manifests/etcd.yml
      - /etc/kubernetes/manifests/etcd.manifest
      - /etc/etcd/etcd.conf
      - /var/snap/etcd/common/etcd.conf.yml
      - /var/snap/etcd/common/etcd.conf.yaml
      - /var/snap/microk8s/current/args/etcd
      - /usr/lib/systemd/system/etcd.service
      - /var/lib/rancher/rke2/server/db/etcd/config
    defaultconf: /etc/kubernetes/manifests/etcd.yaml
    defaultdatadir: /var/lib/etcd/default.etcd

  flanneld:
    optional: true
    bins:
      - flanneld
    defaultconf: /etc/sysconfig/flanneld

  kubelet:
    optional: true
    bins:
      - "hyperkube kubelet"
      - "kubelet"

node:
  components:
    - kubelet
    - proxy
    # kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
    - kubernetes

  kubernetes:
    defaultconf: "/etc/kubernetes/config"

  kubelet:
    cafile:
      - "/etc/kubernetes/pki/ca.crt"
      - "/etc/kubernetes/certs/ca.crt"
      - "/etc/kubernetes/cert/ca.pem"
      - "/var/snap/microk8s/current/certs/ca.crt"
      - "/var/lib/rancher/rke2/agent/server.crt"
      - "/var/lib/rancher/rke2/agent/client-ca.crt"
      - "/var/lib/rancher/k3s/agent/client-ca.crt"
    svc:
      # These paths must also be included
      #  in the 'confs' property below
      - "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
      - "/etc/systemd/system/kubelet.service"
      - "/lib/systemd/system/kubelet.service"
      - "/etc/systemd/system/snap.kubelet.daemon.service"
      - "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"
      - "/etc/systemd/system/atomic-openshift-node.service"
      - "/etc/systemd/system/origin-node.service"
    bins:
      - "hyperkube kubelet"
      - "kubelet"
    kubeconfig:
      - "/etc/kubernetes/kubelet.conf"
      - "/etc/kubernetes/kubelet-kubeconfig.conf"
      - "/var/lib/kubelet/kubeconfig"
      - "/etc/kubernetes/kubelet-kubeconfig"
      - "/etc/kubernetes/kubelet/kubeconfig"
      - "/etc/kubernetes/ssl/kubecfg-kube-node.yaml"
      - "/var/snap/microk8s/current/credentials/kubelet.config"
      - "/etc/kubernetes/kubeconfig-kubelet"
      - "/var/lib/rancher/rke2/agent/kubelet.kubeconfig"
      - "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
      - "/var/lib/rancher/k3s/agent/kubelet.kubeconfig"
    confs:
      - "/etc/kubernetes/kubelet-config.yaml"
      - "/var/lib/kubelet/config.yaml"
      - "/var/lib/kubelet/config.yml"
      - "/etc/kubernetes/kubelet/kubelet-config.json"
      - "/etc/kubernetes/kubelet/config"
      - "/home/kubernetes/kubelet-config.yaml"
      - "/home/kubernetes/kubelet-config.yml"
      - "/etc/default/kubeletconfig.json"
      - "/etc/default/kubelet"
      - "/var/lib/kubelet/kubeconfig"
      - "/var/snap/kubelet/current/args"
      - "/var/snap/microk8s/current/args/kubelet"
      ## Due to the fact that the kubelet might be configured
      ## without a kubelet-config file, we use a work-around
      ## of pointing to the systemd service file (which can also
      ## hold kubelet configuration).
      ## Note: The following paths must match the one under 'svc'
      - "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
      - "/etc/systemd/system/kubelet.service"
      - "/lib/systemd/system/kubelet.service"
      - "/etc/systemd/system/snap.kubelet.daemon.service"
      - "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"
      - "/etc/kubernetes/kubelet.yaml"
      - "/var/lib/rancher/rke2/agent/kubelet.kubeconfig"

    defaultconf: "/var/lib/kubelet/config.yaml"
    defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
    defaultkubeconfig: "/etc/kubernetes/kubelet.conf"
    defaultcafile: "/etc/kubernetes/pki/ca.crt"

  proxy:
    optional: true
    bins:
      - "kube-proxy"
      - "hyperkube proxy"
      - "hyperkube kube-proxy"
      - "proxy"
      - "openshift start network"
    confs:
      - /etc/kubernetes/proxy
      - /etc/kubernetes/addons/kube-proxy-daemonset.yaml
      - /etc/kubernetes/addons/kube-proxy-daemonset.yml
      - /var/snap/kube-proxy/current/args
      - /var/snap/microk8s/current/args/kube-proxy
    kubeconfig:
      - "/etc/kubernetes/kubelet-kubeconfig"
      - "/etc/kubernetes/kubelet-kubeconfig.conf"
      - "/etc/kubernetes/kubelet/config"
      - "/etc/kubernetes/ssl/kubecfg-kube-proxy.yaml"
      - "/var/lib/kubelet/kubeconfig"
      - "/var/snap/microk8s/current/credentials/proxy.config"
      - "/var/lib/rancher/rke2/agent/kubeproxy.kubeconfig"
      - "/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"
    svc:
      - "/lib/systemd/system/kube-proxy.service"
      - "/etc/systemd/system/snap.microk8s.daemon-proxy.service"
    defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
    defaultkubeconfig: "/etc/kubernetes/proxy.conf"

etcd:
  components:
    - etcd

  etcd:
    bins:
      - "etcd"
    datadirs:
      - /var/lib/etcd/default.etcd
      - /var/lib/etcd/data.etcd
    confs:
      - /etc/kubernetes/manifests/etcd.yaml
      - /etc/kubernetes/manifests/etcd.yml
      - /etc/kubernetes/manifests/etcd.manifest
      - /etc/etcd/etcd.conf
      - /var/snap/etcd/common/etcd.conf.yml
      - /var/snap/etcd/common/etcd.conf.yaml
      - /var/snap/microk8s/current/args/etcd
      - /usr/lib/systemd/system/etcd.service
      - /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml
      - /var/lib/rancher/k3s/server/db/etcd/config
    defaultconf: /etc/kubernetes/manifests/etcd.yaml
    defaultdatadir: /var/lib/etcd/default.etcd

controlplane:
  components:
    - apiserver

  apiserver:
    bins:
      - "kube-apiserver"
      - "hyperkube apiserver"
      - "hyperkube kube-apiserver"
      - "apiserver"

policies:
  components: []

managedservices:
  components: []

version_mapping:
  "1.15": "cis-1.5"
  "1.16": "cis-1.6"
  "1.17": "cis-1.6"
  "1.18": "cis-1.6"
  "1.19": "cis-1.20"
  "1.20": "cis-1.20"
  "1.21": "cis-1.20"
  "1.22": "cis-1.23"
  "1.23": "cis-1.23"
  "1.24": "cis-1.24"
  "1.25": "cis-1.7"
  "1.26": "cis-1.8"
  "eks-1.0.1": "eks-1.0.1"
  "eks-1.1.0": "eks-1.1.0"
  "eks-1.2.0": "eks-1.2.0"
  "gke-1.0": "gke-1.0"
  "gke-1.2.0": "gke-1.2.0"
  "ocp-3.10": "rh-0.7"
  "ocp-3.11": "rh-0.7"
  "ocp-4.0": "rh-1.0"
  "aks-1.0": "aks-1.0"
  "ack-1.0": "ack-1.0"
  "cis-1.6-k3s": "cis-1.6-k3s"
  "cis-1.24-microk8s": "cis-1.24-microk8s"
  "tkgi-1.2.53": "tkgi-1.2.53"
  "k3s-cis-1.7": "k3s-cis-1.7"
  "k3s-cis-1.23": "k3s-cis-1.23"
  "k3s-cis-1.24": "k3s-cis-1.24"
  "rke-cis-1.7": "rke-cis-1.7"
  "rke-cis-1.23": "rke-cis-1.23"
  "rke-cis-1.24": "rke-cis-1.24"
  "rke2-cis-1.7": "rke2-cis-1.7"
  "rke2-cis-1.23": "rke2-cis-1.23"
  "rke2-cis-1.24": "rke2-cis-1.24"

target_mapping:
  "cis-1.5":
    - "master"
    - "node"
    - "controlplane"
    - "etcd"
    - "policies"
  "cis-1.6":
    - "master"
    - "node"
    - "controlplane"
    - "etcd"
    - "policies"
  "cis-1.6-k3s":
    - "master"
    - "node"
    - "controlplane"
    - "etcd"
    - "policies"
  "cis-1.20":
    - "master"
    - "node"
    - "controlplane"
    - "etcd"
    - "policies"
  "cis-1.23":
    - "master"
    - "node"
    - "controlplane"
    - "etcd"
    - "policies"
  "cis-1.24":
    - "master"
    - "node"
    - "controlplane"
    - "etcd"
    - "policies"
  "cis-1.24-microk8s":
    - "master"
    - "etcd"
    - "node"
    - "controlplane"
    - "policies"
  "cis-1.7":
    - "master"
    - "node"
    - "controlplane"
    - "etcd"
    - "policies"
  "cis-1.8":
    - "master"
    - "node"
    - "controlplane"
    - "etcd"
    - "policies"
  "gke-1.0":
    - "master"
    - "node"
    - "controlplane"
    - "etcd"
    - "policies"
    - "managedservices"
  "gke-1.2.0":
    - "master"
    - "node"
    - "controlplane"
    - "policies"
    - "managedservices"
  "eks-1.0.1":
    - "master"
    - "node"
    - "controlplane"
    - "policies"
    - "managedservices"
  "eks-1.1.0":
    - "master"
    - "node"
    - "controlplane"
    - "policies"
    - "managedservices"
  "eks-1.2.0":
    - "master"
    - "node"
    - "controlplane"
    - "policies"
    - "managedservices"
  "rh-0.7":
    - "master"
    - "node"
  "aks-1.0":
    - "master"
    - "node"
    - "controlplane"
    - "policies"
    - "managedservices"
  "ack-1.0":
    - "master"
    - "node"
    - "controlplane"
    - "etcd"
    - "policies"
    - "managedservices"
  "rh-1.0":
    - "master"
    - "node"
    - "controlplane"
    - "policies"
    - "etcd"
  "eks-stig-kubernetes-v1r6":
    - "node"
    - "controlplane"
    - "policies"
    - "managedservices"
  "tkgi-1.2.53":
    - "master"
    - "etcd"
    - "controlplane"
    - "node"
    - "policies"
  "k3s-cis-1.7":
    - "master"
    - "etcd"
    - "controlplane"
    - "node"
    - "policies"
  "k3s-cis-1.23":
    - "master"
    - "etcd"
    - "controlplane"
    - "node"
    - "policies"
  "k3s-cis-1.24":
    - "master"
    - "etcd"
    - "controlplane"
    - "node"
    - "policies"
  "rke-cis-1.7":
    - "master"
    - "etcd"
    - "controlplane"
    - "node"
    - "policies"
  "rke-cis-1.23":
    - "master"
    - "etcd"
    - "controlplane"
    - "node"
    - "policies"
  "rke-cis-1.24":
    - "master"
    - "etcd"
    - "controlplane"
    - "node"
    - "policies"
  "rke2-cis-1.7":
    - "master"
    - "etcd"
    - "controlplane"
    - "node"
    - "policies"
  "rke2-cis-1.23":
    - "master"
    - "etcd"
    - "controlplane"
    - "node"
    - "policies"
  "rke2-cis-1.24":
    - "master"
    - "etcd"
    - "controlplane"
    - "node"
    - "policies"