diff --git a/cfg/cis-1.5/master.yaml b/cfg/cis-1.5/master.yaml
index 8f9c1ad..7292f17 100644
--- a/cfg/cis-1.5/master.yaml
+++ b/cfg/cis-1.5/master.yaml
@@ -997,12 +997,15 @@ groups: text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" tests: + bin_op: or test_items: - flag: "--feature-gates" compare: - op: eq - value: "RotateKubeletServerCertificate=true" + op: nothave + value: "RotateKubeletServerCertificate=false" set: true + - flag: "--feature-gates" + set: false remediation: | Edit the Controller Manager pod specification file $controllermanagerconf on the master node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.
diff --git a/cfg/cis-1.5/node.yaml b/cfg/cis-1.5/node.yaml
index 212abc0..04e8262 100644
--- a/cfg/cis-1.5/node.yaml
+++ b/cfg/cis-1.5/node.yaml
@@ -442,13 +442,17 @@ groups: audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" tests: + bin_op: or test_items: - flag: RotateKubeletServerCertificate path: '{.featureGates.RotateKubeletServerCertificate}' set: true compare: - op: eq - value: true + op: nothave + value: false + - flag: RotateKubeletServerCertificate + path: '{.featureGates.RotateKubeletServerCertificate}' + set: false remediation: | Edit the kubelet service file $kubeletsvc on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
diff --git a/cfg/cis-1.6/master.yaml b/cfg/cis-1.6/master.yaml
index fa23948..cff11e9 100644
--- a/cfg/cis-1.6/master.yaml
+++ b/cfg/cis-1.6/master.yaml
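Review bot: Adding `bin_op: or` with a second `--feature-gates` item that carries `set: false` makes 1.3.6 pass when the controller manager has no `--feature-gates` flag at all, so the check now rests on the Kubernetes default for RotateKubeletServerCertificate rather than on anything observed in the audit output, and that assumption is recorded nowhere in the check. The `text` ("is set to true") and the unchanged remediation, which still tells the operator to set the gate explicitly, now describe a stricter condition than the test enforces. I would add a comment above `bin_op: or` such as `# An absent --feature-gates passes: the gate is relied on to default to true on the Kubernetes versions this benchmark targets (confirm the range); only an explicit RotateKubeletServerCertificate=false fails.`. The same point applies to the cfg/cis-1.5/node.yaml hunk on this line and to both cfg/cis-1.6 hunks that follow, and the fixture updates later in the diff (FAIL to PASS, remediation block removed) appear to exercise only the absent-flag branch, so the `nothave` path that rejects an explicit `=false` seems untested here.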
@@ -918,11 +918,15 @@ groups: text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" tests: + bin_op: or test_items: - flag: "--feature-gates" compare: - op: eq - value: "RotateKubeletServerCertificate=true" + op: nothave + value: "RotateKubeletServerCertificate=false" + set: true + - flag: "--feature-gates" + set: false remediation: | Edit the Controller Manager pod specification file $controllermanagerconf on the master node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.
diff --git a/cfg/cis-1.6/node.yaml b/cfg/cis-1.6/node.yaml
index 8eedf41..c19810e 100644
--- a/cfg/cis-1.6/node.yaml
+++ b/cfg/cis-1.6/node.yaml
@@ -419,12 +419,16 @@ groups: audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" tests: + bin_op: or test_items: - flag: RotateKubeletServerCertificate path: '{.featureGates.RotateKubeletServerCertificate}' compare: - op: eq - value: true + op: nothave + value: false + - flag: RotateKubeletServerCertificate + path: '{.featureGates.RotateKubeletServerCertificate}' + set: false remediation: | Edit the kubelet service file $kubeletsvc on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
diff --git a/integration/testdata/cis-1.5/job-master.data b/integration/testdata/cis-1.5/job-master.data
index da41747..bac56f1 100644
--- a/integration/testdata/cis-1.5/job-master.data
+++ b/integration/testdata/cis-1.5/job-master.data
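Review bot: The cfg/cis-1.6/node.yaml hunk leaves `set` implicit on the first RotateKubeletServerCertificate item, while the cfg/cis-1.6/master.yaml hunk on this same line explicitly adds `set: true` to its first item and cfg/cis-1.5/node.yaml already carries it; inside an `or` group whose second item is `set: false`, that asymmetry reads as if it were deliberate. If `set` defaults to true when omitted (inferred, not visible in this diff) the behaviour is the same, but for parity I would add `set: true` after the `compare` block of the first item in cfg/cis-1.6/node.yaml, matching the cis-1.5 node check.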
@@ -63,7 +63,7 @@ [PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored) [PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Scored) [PASS] 1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Scored) -[FAIL] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored) +[PASS] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored) [PASS] 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Scored) [INFO] 1.4 Scheduler [FAIL] 1.4.1 Ensure that the --profiling argument is set to false (Scored)
@@ -160,17 +160,13 @@ for example: on the master node and set the below parameter. --profiling=false -1.3.6 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml -on the master node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. ---feature-gates=RotateKubeletServerCertificate=true - 1.4.1 Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file on the master node and set the below parameter. --profiling=false == Summary == -44 checks PASS -11 checks FAIL +45 checks PASS +10 checks FAIL 10 checks WARN 0 checks INFO
diff --git a/integration/testdata/cis-1.5/job-node.data b/integration/testdata/cis-1.5/job-node.data
index 57e2155..540f538 100644
--- a/integration/testdata/cis-1.5/job-node.data
+++ b/integration/testdata/cis-1.5/job-node.data
@@ -22,7 +22,7 @@ [WARN] 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Not Scored) [FAIL] 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored) [PASS] 4.2.11 Ensure that the --rotate-certificates argument is not set to false (Scored) -[FAIL] 4.2.12 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored) +[PASS] 4.2.12 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored) [PASS] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored) == Remediations ==
@@ -55,16 +55,9 @@ Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service -4.2.12 Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf -on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. ---feature-gates=RotateKubeletServerCertificate=true -Based on your system, restart the kubelet service. For example: -systemctl daemon-reload -systemctl restart kubelet.service - == Summary == -19 checks PASS -3 checks FAIL +20 checks PASS +2 checks FAIL 1 checks WARN 0 checks INFO
diff --git a/integration/testdata/cis-1.5/job.data b/integration/testdata/cis-1.5/job.data
index e3a6456..417f261 100644
--- a/integration/testdata/cis-1.5/job.data
+++ b/integration/testdata/cis-1.5/job.data
@@ -63,7 +63,7 @@ [PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored) [PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Scored) [PASS] 1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Scored) -[FAIL] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored) +[PASS] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored) [PASS] 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Scored) [INFO] 1.4 Scheduler [FAIL] 1.4.1 Ensure that the --profiling argument is set to false (Scored)
@@ -160,18 +160,14 @@ for example: on the master node and set the below parameter. --profiling=false -1.3.6 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml -on the master node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. ---feature-gates=RotateKubeletServerCertificate=true - 1.4.1 Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file on the master node and set the below parameter. --profiling=false == Summary == -44 checks PASS -11 checks FAIL +45 checks PASS +10 checks FAIL 10 checks WARN 0 checks INFO [INFO] 2 Etcd Node Configuration
@@ -235,7 +231,7 @@ minimum. [WARN] 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Not Scored) [FAIL] 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored) [PASS] 4.2.11 Ensure that the --rotate-certificates argument is not set to false (Scored) -[FAIL] 4.2.12 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored) +[PASS] 4.2.12 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored) [PASS] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored) == Remediations ==
@@ -268,17 +264,10 @@ Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service -4.2.12 Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf -on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. ---feature-gates=RotateKubeletServerCertificate=true -Based on your system, restart the kubelet service. For example: -systemctl daemon-reload -systemctl restart kubelet.service - == Summary == -19 checks PASS -3 checks FAIL +20 checks PASS +2 checks FAIL 1 checks WARN 0 checks INFO [INFO] 5 Kubernetes Policies
diff --git a/integration/testdata/cis-1.6/job-master.data b/integration/testdata/cis-1.6/job-master.data
index ffdc510..570b530 100644
--- a/integration/testdata/cis-1.6/job-master.data
+++ b/integration/testdata/cis-1.6/job-master.data
@@ -63,7 +63,7 @@ [PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated) [PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated) [PASS] 1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated) -[FAIL] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated) +[PASS] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated) [PASS] 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated) [INFO] 1.4 Scheduler [FAIL] 1.4.1 Ensure that the --profiling argument is set to false (Automated)
@@ -163,17 +163,13 @@ for example: on the master node and set the below parameter. --profiling=false -1.3.6 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml -on the master node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. ---feature-gates=RotateKubeletServerCertificate=true - 1.4.1 Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file on the master node and set the below parameter. --profiling=false == Summary == -44 checks PASS -11 checks FAIL +45 checks PASS +10 checks FAIL 10 checks WARN 0 checks INFO
diff --git a/integration/testdata/cis-1.6/job-node.data b/integration/testdata/cis-1.6/job-node.data
index 80daa4a..db7d064 100644
--- a/integration/testdata/cis-1.6/job-node.data
+++ b/integration/testdata/cis-1.6/job-node.data
@@ -22,7 +22,7 @@ [WARN] 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual) [WARN] 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual) [PASS] 4.2.11 Ensure that the --rotate-certificates argument is not set to false (Manual) -[WARN] 4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual) +[PASS] 4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual) [PASS] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual) == Remediations ==
@@ -55,16 +55,9 @@ Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service -4.2.12 Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf -on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. ---feature-gates=RotateKubeletServerCertificate=true -Based on your system, restart the kubelet service. For example: -systemctl daemon-reload -systemctl restart kubelet.service - == Summary == -19 checks PASS +20 checks PASS 1 checks FAIL -3 checks WARN +2 checks WARN 0 checks INFO
diff --git a/integration/testdata/cis-1.6/job.data b/integration/testdata/cis-1.6/job.data
index 04a1c55..4208c1d 100644
--- a/integration/testdata/cis-1.6/job.data
+++ b/integration/testdata/cis-1.6/job.data
@@ -63,7 +63,7 @@ [PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated) [PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated) [PASS] 1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated) -[FAIL] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated) +[PASS] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated) [PASS] 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated) [INFO] 1.4 Scheduler [FAIL] 1.4.1 Ensure that the --profiling argument is set to false (Automated)
@@ -163,18 +163,14 @@ for example: on the master node and set the below parameter. --profiling=false -1.3.6 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml -on the master node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. ---feature-gates=RotateKubeletServerCertificate=true - 1.4.1 Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file on the master node and set the below parameter. --profiling=false == Summary == -44 checks PASS -11 checks FAIL +45 checks PASS +10 checks FAIL 10 checks WARN 0 checks INFO [INFO] 2 Etcd Node Configuration
@@ -238,7 +234,7 @@ minimum. [WARN] 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual) [WARN] 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual) [PASS] 4.2.11 Ensure that the --rotate-certificates argument is not set to false (Manual) -[WARN] 4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual) +[PASS] 4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual) [PASS] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual) == Remediations ==
@@ -271,18 +267,11 @@ Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service -4.2.12 Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf -on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. ---feature-gates=RotateKubeletServerCertificate=true -Based on your system, restart the kubelet service. For example: -systemctl daemon-reload -systemctl restart kubelet.service - == Summary == -19 checks PASS +20 checks PASS 1 checks FAIL -3 checks WARN +2 checks WARN 0 checks INFO [INFO] 5 Kubernetes Policies [INFO] 5.1 RBAC and Service Accounts