1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-25 01:18:12 +00:00
kube-bench/cfg/tkgi-1.2.53/etcd.yaml

122 lines
4.5 KiB
YAML
Raw Normal View History

---
controls:
version: "tkgi-1.2.53"
id: 2
text: "Etcd Node Configuration"
type: "etcd"
groups:
- id: 2
text: "Etcd Node Configuration Files"
checks:
- id: 2.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate"
audit: ps -ef | grep etcd | grep -- "--cert-file=/var/vcap/jobs/etcd/config/etcd.crt" | grep -- "--key-file=/var/vcap/jobs/etcd/config/etcd.key"
type: manual
tests:
bin_op: and
test_items:
- flag: "--cert-file"
- flag: "--key-file"
remediation: |
Follow the etcd service documentation and configure TLS encryption.
Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
on the master node and set the below parameters.
--cert-file=</path/to/ca-file>
--key-file=</path/to/key-file>
scored: false
- id: 2.2
text: "Ensure that the --client-cert-auth argument is set to true"
audit: ps -ef | grep etcd | grep -- "--client\-cert\-auth"
tests:
test_items:
- flag: "--client-cert-auth"
compare:
op: eq
value: true
remediation: |
Edit the etcd pod specification file etcd config on the master
node and set the below parameter.
--client-cert-auth="true"
scored: true
- id: 2.3
text: "Ensure that the --auto-tls argument is not set to true"
audit: ps -ef | grep etcd | grep -v -- "--auto-tls"
tests:
test_items:
- flag: "--auto-tls"
compare:
op: eq
value: true
set: false
remediation: |
Edit the etcd pod specification file etcd config on the master
node and either remove the --auto-tls parameter or set it to false.
--auto-tls=false
scored: true
- id: 2.4
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate"
audit: ps -ef | grep etcd | grep -- "--peer-cert-file=/var/vcap/jobs/etcd/config/peer.crt" | grep -- "--peer-key-file=/var/vcap/jobs/etcd/config/peer.key"
type: manual
tests:
bin_op: and
test_items:
- flag: "--peer-cert-file"
- flag: "--peer-key-file"
remediation: |
Follow the etcd service documentation and configure peer TLS encryption as appropriate
for your etcd cluster.
Then, edit the etcd pod specification file etcd config on the
master node and set the below parameters.
--peer-client-file=</path/to/peer-cert-file>
--peer-key-file=</path/to/peer-key-file>
scored: false
- id: 2.5
text: "Ensure that the --peer-client-cert-auth argument is set to true"
audit: ps -ef | grep etcd | grep -- "--peer\-client\-cert\-auth"
tests:
test_items:
- flag: "--peer-client-cert-auth"
compare:
op: eq
value: true
remediation: |
Edit the etcd pod specification file etcd config on the master
node and set the below parameter.
--peer-client-cert-auth=true
scored: true
- id: 2.6
text: "Ensure that the --peer-auto-tls argument is not set to true"
audit: ps -ef | grep etcd | grep -v -- "--peer-auto-tls"
tests:
test_items:
- flag: "--peer-auto-tls"
compare:
op: eq
value: true
set: false
remediation: |
Edit the etcd pod specification file etcd config on the master
node and either remove the --peer-auto-tls parameter or set it to false.
--peer-auto-tls=false
scored: true
- id: 2.7
text: "Ensure that a unique Certificate Authority is used for etcd"
audit: diff /var/vcap/jobs/kube-apiserver/config/kubernetes-ca.pem /var/vcap/jobs/etcd/config/etcd-ca.crt | grep -c"^>" | grep -v "^0$"
type: manual
tests:
test_items:
- flag: "--trusted-ca-file"
remediation: |
Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service.
Then, edit the etcd pod specification file etcd config on the
master node and set the below parameter.
--trusted-ca-file=</path/to/ca-file>
scored: false