@ -186,8 +186,9 @@ groups:
scored : true
- id : 1.1 .12
text : " Ensure that the admission control plugin DenyEscalatingExec is set (Scored)"
text : " [DEPRECATED] Ensure that the admission control plugin DenyEscalatingExec is set (Not Scored)"
audit : "ps -ef | grep $apiserverbin | grep -v grep"
type : skip
tests:
test_items:
- flag : "--enable-admission-plugins"
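Review bot: Check 1.1.12 is now marked `type : skip` but still carries its `audit` command and the `tests` block for `--enable-admission-plugins`, so that logic is dead configuration that nobody will notice drifting. Either drop the `tests` block or add a comment stating why the check is skipped and for which Kubernetes versions the deprecation applies, so someone running this benchmark against an older API server knows the control was skipped rather than passed.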
@ -200,7 +201,7 @@ groups:
on the master node and set the --enable-admission-plugins parameter to a
value that includes DenyEscalatingExec.
--enable-admission-plugins=...,DenyEscalatingExec,...
scored : tru e
scored : fals e
- id : 1.1 .13
text : "Ensure that the admission control plugin SecurityContextDeny is set (Scored)"
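Review bot: The remediation text kept as context in this hunk still instructs the operator to set `--enable-admission-plugins=...,DenyEscalatingExec,...`, which contradicts the [DEPRECATED] label on the check and the change to `scored : false`. Reword the remediation to say the plugin is deprecated and that no action is required, or remove the instruction, so the output of a skipped check does not steer anyone into enabling a deprecated plugin.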
@ -559,19 +560,19 @@ groups:
scored : true
- id : 1.1 .34
text : "Ensure that the --experimental-encryption-provider-config argument is
set as appropriate (Scored)"
text : "Ensure that the --encryption-provider-config argument is set as appropriate (Scored)"
audit : "ps -ef | grep $apiserverbin | grep -v grep"
type : "manual"
tests:
test_items:
- flag : "--e xperimental-e ncryption-provider-config"
- flag : "--e ncryption-provider-config"
set : true
remediation : |
Follow the Kubernetes documentation and configure a EncryptionConfig file.
Then, edit the API server pod specification file $apiserverconf on the
master node and set the --e xperimental-e ncryption-provider-config parameter
master node and set the --e ncryption-provider-config parameter
to the path of that file:
--e xperimental-e ncryption-provider-config=</path/to/EncryptionConfig/File>
--e ncryption-provider-config=</path/to/EncryptionConfig/File>
scored : true
- id : 1.1 .35
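Review bot: In the `test_items` for 1.1.34 the old flag name is replaced outright, so an API server still started with `--experimental-encryption-provider-config` would be reported as not having the argument set. If this config file is meant to cover versions that accept the old name, test for either flag (kube-bench supports `bin_op: or` across test items) instead of only the new one; if it is not, state the minimum supported version in the check text. Separately, the check is `type : "manual"` yet remains `scored : true`, which is worth confirming is intended.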