2017-05-26 09:25:29 +00:00
|
|
|
---
|
2019-08-22 13:52:34 +00:00
|
|
|
## Controls Files.
|
2017-05-26 09:25:29 +00:00
|
|
|
# These are YAML files that hold all the details for running checks.
|
|
|
|
#
|
|
|
|
## Uncomment to use different control file paths.
|
2017-06-19 21:03:46 +00:00
|
|
|
# masterControls: ./cfg/master.yaml
|
|
|
|
# nodeControls: ./cfg/node.yaml
|
2017-05-26 09:25:29 +00:00
|
|
|
|
2017-08-30 17:36:00 +00:00
|
|
|
master:
|
2017-08-31 13:45:16 +00:00
|
|
|
components:
|
|
|
|
- apiserver
|
|
|
|
- scheduler
|
|
|
|
- controllermanager
|
2019-08-22 13:52:34 +00:00
|
|
|
- etcd
|
2017-08-31 13:45:16 +00:00
|
|
|
- flanneld
|
2017-08-31 16:39:40 +00:00
|
|
|
# kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
|
2017-08-31 13:45:16 +00:00
|
|
|
- kubernetes
|
2021-04-08 14:02:27 +00:00
|
|
|
- kubelet
|
2017-08-31 13:45:16 +00:00
|
|
|
|
|
|
|
kubernetes:
|
|
|
|
defaultconf: /etc/kubernetes/config
|
|
|
|
|
|
|
|
apiserver:
|
|
|
|
bins:
|
2017-08-30 17:36:00 +00:00
|
|
|
- "kube-apiserver"
|
|
|
|
- "hyperkube apiserver"
|
2019-03-07 11:18:06 +00:00
|
|
|
- "hyperkube kube-apiserver"
|
2017-08-30 17:36:00 +00:00
|
|
|
- "apiserver"
|
2021-03-24 16:06:54 +00:00
|
|
|
- "openshift start master api"
|
|
|
|
- "hypershift openshift-kube-apiserver"
|
2017-08-31 13:45:16 +00:00
|
|
|
confs:
|
2019-05-17 13:21:42 +00:00
|
|
|
- /etc/kubernetes/manifests/kube-apiserver.yaml
|
2020-03-03 17:03:21 +00:00
|
|
|
- /etc/kubernetes/manifests/kube-apiserver.yml
|
2019-05-17 13:21:42 +00:00
|
|
|
- /etc/kubernetes/manifests/kube-apiserver.manifest
|
2019-10-26 00:19:56 +00:00
|
|
|
- /var/snap/kube-apiserver/current/args
|
2020-03-16 12:37:32 +00:00
|
|
|
- /var/snap/microk8s/current/args/kube-apiserver
|
2021-03-24 16:06:54 +00:00
|
|
|
- /etc/origin/master/master-config.yaml
|
2019-05-17 13:21:42 +00:00
|
|
|
defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml
|
2017-08-31 13:45:16 +00:00
|
|
|
|
|
|
|
scheduler:
|
|
|
|
bins:
|
2017-08-30 17:36:00 +00:00
|
|
|
- "kube-scheduler"
|
|
|
|
- "hyperkube scheduler"
|
2019-03-07 11:18:06 +00:00
|
|
|
- "hyperkube kube-scheduler"
|
2017-08-30 17:36:00 +00:00
|
|
|
- "scheduler"
|
2021-03-24 16:06:54 +00:00
|
|
|
- "openshift start master controllers"
|
2019-05-17 13:21:42 +00:00
|
|
|
confs:
|
|
|
|
- /etc/kubernetes/manifests/kube-scheduler.yaml
|
2020-03-03 17:03:21 +00:00
|
|
|
- /etc/kubernetes/manifests/kube-scheduler.yml
|
2019-05-17 13:21:42 +00:00
|
|
|
- /etc/kubernetes/manifests/kube-scheduler.manifest
|
2019-10-26 00:19:56 +00:00
|
|
|
- /var/snap/kube-scheduler/current/args
|
2020-03-16 12:37:32 +00:00
|
|
|
- /var/snap/microk8s/current/args/kube-scheduler
|
2021-03-24 16:06:54 +00:00
|
|
|
- /etc/origin/master/scheduler.json
|
2019-05-17 13:21:42 +00:00
|
|
|
defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
|
2020-10-18 15:10:29 +00:00
|
|
|
kubeconfig:
|
|
|
|
- /etc/kubernetes/scheduler.conf
|
2021-04-08 14:02:27 +00:00
|
|
|
- /var/lib/kube-scheduler/kubeconfig
|
|
|
|
- /var/lib/kube-scheduler/config.yaml
|
2020-10-29 08:46:50 +00:00
|
|
|
defaultkubeconfig: /etc/kubernetes/scheduler.conf
|
2017-08-31 13:45:16 +00:00
|
|
|
|
|
|
|
controllermanager:
|
|
|
|
bins:
|
2017-08-30 17:36:00 +00:00
|
|
|
- "kube-controller-manager"
|
2019-06-28 15:58:23 +00:00
|
|
|
- "kube-controller"
|
2017-08-30 17:36:00 +00:00
|
|
|
- "hyperkube controller-manager"
|
2019-03-07 11:18:06 +00:00
|
|
|
- "hyperkube kube-controller-manager"
|
2017-08-30 17:36:00 +00:00
|
|
|
- "controller-manager"
|
2021-03-24 16:06:54 +00:00
|
|
|
- "openshift start master controllers"
|
|
|
|
- "hypershift openshift-controller-manager"
|
2017-08-31 13:45:16 +00:00
|
|
|
confs:
|
2019-05-17 13:21:42 +00:00
|
|
|
- /etc/kubernetes/manifests/kube-controller-manager.yaml
|
2020-03-03 17:03:21 +00:00
|
|
|
- /etc/kubernetes/manifests/kube-controller-manager.yml
|
2019-05-17 13:21:42 +00:00
|
|
|
- /etc/kubernetes/manifests/kube-controller-manager.manifest
|
2019-10-26 00:19:56 +00:00
|
|
|
- /var/snap/kube-controller-manager/current/args
|
2020-03-16 12:37:32 +00:00
|
|
|
- /var/snap/microk8s/current/args/kube-controller-manager
|
2019-05-17 13:21:42 +00:00
|
|
|
defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
|
2020-10-18 15:10:29 +00:00
|
|
|
kubeconfig:
|
|
|
|
- /etc/kubernetes/controller-manager.conf
|
2021-04-08 14:02:27 +00:00
|
|
|
- /var/lib/kube-controller-manager/kubeconfig
|
2020-10-29 08:46:50 +00:00
|
|
|
defaultkubeconfig: /etc/kubernetes/controller-manager.conf
|
2017-08-31 13:45:16 +00:00
|
|
|
|
|
|
|
etcd:
|
|
|
|
optional: true
|
|
|
|
bins:
|
|
|
|
- "etcd"
|
2021-03-24 16:06:54 +00:00
|
|
|
- "openshift start etcd"
|
2017-08-31 13:45:16 +00:00
|
|
|
confs:
|
2019-05-17 13:21:42 +00:00
|
|
|
- /etc/kubernetes/manifests/etcd.yaml
|
2020-03-03 17:03:21 +00:00
|
|
|
- /etc/kubernetes/manifests/etcd.yml
|
2019-05-17 13:21:42 +00:00
|
|
|
- /etc/kubernetes/manifests/etcd.manifest
|
2017-08-30 17:36:00 +00:00
|
|
|
- /etc/etcd/etcd.conf
|
2019-10-26 00:19:56 +00:00
|
|
|
- /var/snap/etcd/common/etcd.conf.yml
|
2020-03-03 17:03:21 +00:00
|
|
|
- /var/snap/etcd/common/etcd.conf.yaml
|
2020-03-16 12:37:32 +00:00
|
|
|
- /var/snap/microk8s/current/args/etcd
|
2020-11-16 12:50:15 +00:00
|
|
|
- /usr/lib/systemd/system/etcd.service
|
2019-05-17 13:21:42 +00:00
|
|
|
defaultconf: /etc/kubernetes/manifests/etcd.yaml
|
2017-08-31 13:45:16 +00:00
|
|
|
|
|
|
|
flanneld:
|
|
|
|
optional: true
|
|
|
|
bins:
|
|
|
|
- flanneld
|
|
|
|
defaultconf: /etc/sysconfig/flanneld
|
|
|
|
|
2021-04-08 14:02:27 +00:00
|
|
|
kubelet:
|
|
|
|
optional: true
|
|
|
|
bins:
|
|
|
|
- "hyperkube kubelet"
|
|
|
|
- "kubelet"
|
|
|
|
|
2017-08-30 17:36:00 +00:00
|
|
|
node:
|
2017-08-31 13:45:16 +00:00
|
|
|
components:
|
|
|
|
- kubelet
|
|
|
|
- proxy
|
2017-08-31 16:39:40 +00:00
|
|
|
# kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
|
|
|
|
- kubernetes
|
|
|
|
|
|
|
|
kubernetes:
|
2019-08-22 13:52:34 +00:00
|
|
|
defaultconf: "/etc/kubernetes/config"
|
2017-08-31 13:45:16 +00:00
|
|
|
|
|
|
|
kubelet:
|
2019-07-10 09:43:15 +00:00
|
|
|
cafile:
|
|
|
|
- "/etc/kubernetes/pki/ca.crt"
|
2019-08-22 13:52:34 +00:00
|
|
|
- "/etc/kubernetes/certs/ca.crt"
|
2019-08-28 08:27:56 +00:00
|
|
|
- "/etc/kubernetes/cert/ca.pem"
|
2020-03-16 12:37:32 +00:00
|
|
|
- "/var/snap/microk8s/current/certs/ca.crt"
|
2020-01-06 09:18:25 +00:00
|
|
|
svc:
|
2019-08-28 08:27:56 +00:00
|
|
|
# These paths must also be included
|
|
|
|
# in the 'confs' property below
|
2019-08-22 13:52:34 +00:00
|
|
|
- "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
|
|
|
|
- "/etc/systemd/system/kubelet.service"
|
2019-08-28 08:27:56 +00:00
|
|
|
- "/lib/systemd/system/kubelet.service"
|
2019-10-26 00:19:56 +00:00
|
|
|
- "/etc/systemd/system/snap.kubelet.daemon.service"
|
2020-03-16 12:37:32 +00:00
|
|
|
- "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"
|
2021-03-24 16:06:54 +00:00
|
|
|
- "/etc/systemd/system/atomic-openshift-node.service"
|
|
|
|
- "/etc/systemd/system/origin-node.service"
|
2017-08-31 13:45:16 +00:00
|
|
|
bins:
|
2017-08-30 17:36:00 +00:00
|
|
|
- "hyperkube kubelet"
|
|
|
|
- "kubelet"
|
2019-08-22 13:52:34 +00:00
|
|
|
kubeconfig:
|
|
|
|
- "/etc/kubernetes/kubelet.conf"
|
|
|
|
- "/var/lib/kubelet/kubeconfig"
|
2019-08-28 08:27:56 +00:00
|
|
|
- "/etc/kubernetes/kubelet-kubeconfig"
|
2021-06-08 09:23:43 +00:00
|
|
|
- "/etc/kubernetes/kubelet/kubeconfig"
|
2020-03-16 12:37:32 +00:00
|
|
|
- "/var/snap/microk8s/current/credentials/kubelet.config"
|
2019-05-13 17:20:57 +00:00
|
|
|
confs:
|
2021-08-30 13:02:26 +00:00
|
|
|
- "/etc/kubernetes/kubelet-config.yaml"
|
2019-05-13 17:20:57 +00:00
|
|
|
- "/var/lib/kubelet/config.yaml"
|
2020-03-03 17:03:21 +00:00
|
|
|
- "/var/lib/kubelet/config.yml"
|
2019-05-13 17:20:57 +00:00
|
|
|
- "/etc/kubernetes/kubelet/kubelet-config.json"
|
2021-06-08 09:23:43 +00:00
|
|
|
- "/etc/kubernetes/kubelet/config"
|
2019-06-04 14:14:43 +00:00
|
|
|
- "/home/kubernetes/kubelet-config.yaml"
|
2020-03-03 17:03:21 +00:00
|
|
|
- "/home/kubernetes/kubelet-config.yml"
|
2021-05-11 09:37:25 +00:00
|
|
|
- "/etc/default/kubeletconfig.json"
|
2019-08-22 13:52:34 +00:00
|
|
|
- "/etc/default/kubelet"
|
2019-10-14 14:37:10 +00:00
|
|
|
- "/var/lib/kubelet/kubeconfig"
|
2019-10-26 00:19:56 +00:00
|
|
|
- "/var/snap/kubelet/current/args"
|
2020-03-16 12:37:32 +00:00
|
|
|
- "/var/snap/microk8s/current/args/kubelet"
|
2019-08-28 08:27:56 +00:00
|
|
|
## Due to the fact that the kubelet might be configured
|
|
|
|
## without a kubelet-config file, we use a work-around
|
|
|
|
## of pointing to the systemd service file (which can also
|
|
|
|
## hold kubelet configuration).
|
|
|
|
## Note: The following paths must match the one under 'svc'
|
|
|
|
- "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
|
|
|
|
- "/etc/systemd/system/kubelet.service"
|
|
|
|
- "/lib/systemd/system/kubelet.service"
|
2019-10-26 00:19:56 +00:00
|
|
|
- "/etc/systemd/system/snap.kubelet.daemon.service"
|
2020-03-16 12:37:32 +00:00
|
|
|
- "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"
|
2019-02-27 22:08:57 +00:00
|
|
|
defaultconf: "/var/lib/kubelet/config.yaml"
|
2019-02-27 21:28:02 +00:00
|
|
|
defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
|
2019-02-27 22:08:57 +00:00
|
|
|
defaultkubeconfig: "/etc/kubernetes/kubelet.conf"
|
2019-07-10 09:43:15 +00:00
|
|
|
defaultcafile: "/etc/kubernetes/pki/ca.crt"
|
2017-10-15 12:39:29 +00:00
|
|
|
|
2017-08-31 13:45:16 +00:00
|
|
|
proxy:
|
2019-10-08 10:53:39 +00:00
|
|
|
optional: true
|
2017-08-31 13:45:16 +00:00
|
|
|
bins:
|
2017-08-30 17:36:00 +00:00
|
|
|
- "kube-proxy"
|
|
|
|
- "hyperkube proxy"
|
2019-08-28 15:53:48 +00:00
|
|
|
- "hyperkube kube-proxy"
|
2017-08-30 17:36:00 +00:00
|
|
|
- "proxy"
|
2021-03-24 16:06:54 +00:00
|
|
|
- "openshift start network"
|
2017-08-31 13:45:16 +00:00
|
|
|
confs:
|
2017-08-30 17:36:00 +00:00
|
|
|
- /etc/kubernetes/proxy
|
|
|
|
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
2020-03-03 17:03:21 +00:00
|
|
|
- /etc/kubernetes/addons/kube-proxy-daemonset.yml
|
2019-10-26 00:19:56 +00:00
|
|
|
- /var/snap/kube-proxy/current/args
|
2020-03-16 12:37:32 +00:00
|
|
|
- /var/snap/microk8s/current/args/kube-proxy
|
2019-08-28 08:27:56 +00:00
|
|
|
kubeconfig:
|
2019-11-27 15:30:29 +00:00
|
|
|
- "/etc/kubernetes/kubelet-kubeconfig"
|
2021-06-08 09:23:43 +00:00
|
|
|
- "/etc/kubernetes/kubelet/config"
|
2019-11-27 15:30:29 +00:00
|
|
|
- "/var/lib/kubelet/kubeconfig"
|
2020-03-16 12:37:32 +00:00
|
|
|
- "/var/snap/microk8s/current/credentials/proxy.config"
|
2019-08-28 08:27:56 +00:00
|
|
|
svc:
|
|
|
|
- "/lib/systemd/system/kube-proxy.service"
|
2020-03-16 12:37:32 +00:00
|
|
|
- "/etc/systemd/system/snap.microk8s.daemon-proxy.service"
|
2019-05-13 17:20:57 +00:00
|
|
|
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
2019-11-05 21:31:27 +00:00
|
|
|
defaultkubeconfig: "/etc/kubernetes/proxy.conf"
|
|
|
|
|
2019-12-05 20:55:44 +00:00
|
|
|
etcd:
|
|
|
|
components:
|
|
|
|
- etcd
|
2020-01-06 09:18:25 +00:00
|
|
|
|
2019-12-05 20:55:44 +00:00
|
|
|
etcd:
|
|
|
|
bins:
|
|
|
|
- "etcd"
|
|
|
|
confs:
|
|
|
|
- /etc/kubernetes/manifests/etcd.yaml
|
2020-03-03 17:03:21 +00:00
|
|
|
- /etc/kubernetes/manifests/etcd.yml
|
2019-12-05 20:55:44 +00:00
|
|
|
- /etc/kubernetes/manifests/etcd.manifest
|
|
|
|
- /etc/etcd/etcd.conf
|
|
|
|
- /var/snap/etcd/common/etcd.conf.yml
|
2020-03-03 17:03:21 +00:00
|
|
|
- /var/snap/etcd/common/etcd.conf.yaml
|
2020-03-16 12:37:32 +00:00
|
|
|
- /var/snap/microk8s/current/args/etcd
|
2020-11-16 12:50:15 +00:00
|
|
|
- /usr/lib/systemd/system/etcd.service
|
2019-12-05 20:55:44 +00:00
|
|
|
defaultconf: /etc/kubernetes/manifests/etcd.yaml
|
|
|
|
|
|
|
|
controlplane:
|
2020-11-02 07:41:07 +00:00
|
|
|
components:
|
|
|
|
- apiserver
|
|
|
|
|
|
|
|
apiserver:
|
|
|
|
bins:
|
|
|
|
- "kube-apiserver"
|
|
|
|
- "hyperkube apiserver"
|
|
|
|
- "hyperkube kube-apiserver"
|
|
|
|
- "apiserver"
|
2019-12-05 20:55:44 +00:00
|
|
|
|
|
|
|
policies:
|
|
|
|
components: []
|
|
|
|
|
2020-03-03 14:51:48 +00:00
|
|
|
managedservices:
|
|
|
|
components: []
|
2019-12-05 20:55:44 +00:00
|
|
|
|
2019-11-05 21:31:27 +00:00
|
|
|
version_mapping:
|
2019-12-05 20:55:44 +00:00
|
|
|
"1.15": "cis-1.5"
|
2020-09-17 15:54:43 +00:00
|
|
|
"1.16": "cis-1.6"
|
|
|
|
"1.17": "cis-1.6"
|
|
|
|
"1.18": "cis-1.6"
|
2021-06-16 17:55:04 +00:00
|
|
|
"1.19": "cis-1.20"
|
|
|
|
"1.20": "cis-1.20"
|
2020-08-03 19:38:37 +00:00
|
|
|
"eks-1.0": "eks-1.0"
|
2020-03-03 14:51:48 +00:00
|
|
|
"gke-1.0": "gke-1.0"
|
2019-11-05 21:31:27 +00:00
|
|
|
"ocp-3.10": "rh-0.7"
|
2019-12-09 14:07:44 +00:00
|
|
|
"ocp-3.11": "rh-0.7"
|
2021-05-02 16:31:03 +00:00
|
|
|
"ocp-4.0": "rh-1.0"
|
2020-11-16 12:35:57 +00:00
|
|
|
"aks-1.0": "aks-1.0"
|
2021-05-11 08:52:24 +00:00
|
|
|
"ack-1.0": "ack-1.0"
|
2020-08-30 07:16:21 +00:00
|
|
|
|
|
|
|
target_mapping:
|
|
|
|
"cis-1.5":
|
|
|
|
- "master"
|
|
|
|
- "node"
|
|
|
|
- "controlplane"
|
|
|
|
- "etcd"
|
|
|
|
- "policies"
|
2020-09-17 15:54:43 +00:00
|
|
|
"cis-1.6":
|
|
|
|
- "master"
|
|
|
|
- "node"
|
|
|
|
- "controlplane"
|
|
|
|
- "etcd"
|
|
|
|
- "policies"
|
2021-06-16 17:55:04 +00:00
|
|
|
"cis-1.20":
|
|
|
|
- "master"
|
|
|
|
- "node"
|
|
|
|
- "controlplane"
|
|
|
|
- "etcd"
|
|
|
|
- "policies"
|
2020-08-30 07:16:21 +00:00
|
|
|
"gke-1.0":
|
|
|
|
- "master"
|
|
|
|
- "node"
|
|
|
|
- "controlplane"
|
|
|
|
- "etcd"
|
|
|
|
- "policies"
|
|
|
|
- "managedservices"
|
|
|
|
"eks-1.0":
|
|
|
|
- "master"
|
|
|
|
- "node"
|
|
|
|
- "controlplane"
|
|
|
|
- "policies"
|
|
|
|
- "managedservices"
|
|
|
|
"rh-0.7":
|
|
|
|
- "master"
|
|
|
|
- "node"
|
2020-11-16 12:35:57 +00:00
|
|
|
"aks-1.0":
|
|
|
|
- "master"
|
|
|
|
- "node"
|
|
|
|
- "controlplane"
|
|
|
|
- "policies"
|
|
|
|
- "managedservices"
|
2021-05-11 08:52:24 +00:00
|
|
|
"ack-1.0":
|
|
|
|
- "master"
|
|
|
|
- "node"
|
|
|
|
- "controlplane"
|
|
|
|
- "etcd"
|
|
|
|
- "policies"
|
|
|
|
- "managedservices"
|
2021-05-02 16:31:03 +00:00
|
|
|
"rh-1.0":
|
|
|
|
- "master"
|
|
|
|
- "node"
|
|
|
|
- "controlplane"
|
|
|
|
- "policies"
|
|
|
|
- "etcd"
|