mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-22 08:08:07 +00:00
Add support for various installation modes, hyperkube, kubeadm and kops.
Issue #17.
This commit is contained in:
parent
bd53529387
commit
2ee99eca64
@ -9,7 +9,7 @@ groups:
|
||||
checks:
|
||||
- id: 3.1.1
|
||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep federation-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $federationApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--anonymous-auth"
|
||||
@ -23,7 +23,7 @@ groups:
|
||||
|
||||
- id: 3.1.2
|
||||
text: "Ensure that the --basic-auth-file argument is not set (Scored)"
|
||||
audit: "ps -ef | grep federation-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $federationApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--basic-auth-file"
|
||||
@ -35,7 +35,7 @@ groups:
|
||||
|
||||
- id: 3.1.3
|
||||
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
|
||||
audit: "ps -ef | grep federation-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $federationApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--insecure-allow-any-token"
|
||||
@ -46,7 +46,7 @@ groups:
|
||||
|
||||
- id: 3.1.4
|
||||
text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
|
||||
audit: "ps -ef | grep federation-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $federationApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--insecure-bind-address"
|
||||
@ -57,7 +57,7 @@ groups:
|
||||
|
||||
- id: 3.1.5
|
||||
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
||||
audit: "ps -ef | grep federation-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $federationApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--insecure-port"
|
||||
@ -71,7 +71,7 @@ groups:
|
||||
|
||||
- id: 3.1.6
|
||||
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
||||
audit: "ps -ef | grep federation-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $federationApiserver | grep -v grep"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
@ -88,7 +88,7 @@ groups:
|
||||
|
||||
- id: 3.1.7
|
||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep federation-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $federationApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--profiling"
|
||||
@ -102,7 +102,7 @@ groups:
|
||||
|
||||
- id: 3.1.8
|
||||
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
|
||||
audit: "ps -ef | grep federation-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $federationApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--admission-control"
|
||||
@ -117,7 +117,7 @@ groups:
|
||||
|
||||
- id: 3.1.9
|
||||
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
|
||||
audit: "ps -ef | grep federation-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $federationApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "admission-control"
|
||||
@ -131,7 +131,7 @@ groups:
|
||||
|
||||
- id: 3.1.10
|
||||
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep federation-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $federationApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-path"
|
||||
@ -142,7 +142,7 @@ groups:
|
||||
|
||||
- id: 3.1.11
|
||||
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
|
||||
audit: "ps -ef | grep federation-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $federationApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-maxage"
|
||||
@ -156,7 +156,7 @@ groups:
|
||||
|
||||
- id: 3.1.12
|
||||
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
|
||||
audit: "ps -ef | grep federation-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $federationApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-maxbackup"
|
||||
@ -170,7 +170,7 @@ groups:
|
||||
|
||||
- id: 3.1.13
|
||||
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
|
||||
audit: "ps -ef | grep federation-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $federationApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-maxsize"
|
||||
@ -184,7 +184,7 @@ groups:
|
||||
|
||||
- id: 3.1.14
|
||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||
audit: "ps -ef | grep federation-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $federationApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--authorization-mode"
|
||||
@ -198,7 +198,7 @@ groups:
|
||||
|
||||
- id: 3.1.15
|
||||
text: "Ensure that the --token-auth-file parameter is not set (Scored)"
|
||||
audit: "ps -ef | grep federation-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $federationApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--token-auth-file"
|
||||
@ -210,7 +210,7 @@ groups:
|
||||
|
||||
- id: 3.1.16
|
||||
text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
|
||||
audit: "ps -ef | grep federation-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $federationApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--service-account-lookup"
|
||||
@ -224,7 +224,7 @@ groups:
|
||||
|
||||
- id: 3.1.17
|
||||
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep federation-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $federationApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--service-account-key-file"
|
||||
@ -235,7 +235,7 @@ groups:
|
||||
|
||||
- id: 3.1.18
|
||||
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored"
|
||||
audit: "ps -ef | grep federation-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $federationApiserver | grep -v grep"
|
||||
tests:
|
||||
bin_op: and
|
||||
test_items:
|
||||
@ -252,7 +252,7 @@ groups:
|
||||
|
||||
- id: 3.1.19
|
||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep federation-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $federationApiserver | grep -v grep"
|
||||
tests:
|
||||
bin_op: and
|
||||
test_items:
|
||||
@ -271,7 +271,7 @@ groups:
|
||||
checks:
|
||||
- id: 3.2.1
|
||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep federation-controller-manager | grep -v grep"
|
||||
audit: "ps -ef | grep $federationControllerManager | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--profiling"
|
||||
|
228
cfg/master.yaml
228
cfg/master.yaml
@ -9,7 +9,7 @@ groups:
|
||||
checks:
|
||||
- id: 1.1.1
|
||||
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "allow-privileged"
|
||||
@ -17,13 +17,13 @@ groups:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/config file on the master node and set
|
||||
remediation: "Edit the $apiserverConf file on the master node and set
|
||||
the KUBE_ALLOW_PRIV parameter to \"--allow-privileged=false\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.2
|
||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--anonymous-auth"
|
||||
@ -31,37 +31,37 @@ groups:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set
|
||||
remediation: "Edit the $apiserverConf file on the master node and set
|
||||
the KUBE_API_ARGS parameter to \"--anonymous-auth=false\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.3
|
||||
text: "Ensure that the --basic-auth-file argument is not set (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--basic-auth-file"
|
||||
set: false
|
||||
remediation: "Follow the documentation and configure alternate mechanisms for
|
||||
authentication. Then, edit the $kubeConfDir/apiserver file on the master
|
||||
authentication. Then, edit the $apiserverConf file on the master
|
||||
node and remove the \"--basic-auth-file=<filename>\" argument from the
|
||||
KUBE_API_ARGS parameter."
|
||||
scored: true
|
||||
|
||||
- id: 1.1.4
|
||||
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--insecure-allow-any-token"
|
||||
set: false
|
||||
remediation: "Edit the $kubeConfDir/apiserver file on the master node and remove
|
||||
remediation: "Edit the $apiserverConf file on the master node and remove
|
||||
the --insecure-allow-any-token argument from the KUBE_API_ARGS parameter."
|
||||
scored: true
|
||||
|
||||
- id: 1.1.5
|
||||
text: "Ensure that the --kubelet-https argument is set to true (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
@ -72,24 +72,24 @@ groups:
|
||||
set: true
|
||||
- flag: "--kubelet-https"
|
||||
set: false
|
||||
remediation: "Edit the $kubeConfDir/apiserver file on the master node and remove
|
||||
remediation: "Edit the $apiserverConf file on the master node and remove
|
||||
the --kubelet-https argument from the KUBE_API_ARGS parameter."
|
||||
scored: true
|
||||
|
||||
- id: 1.1.6
|
||||
text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--insecure-bind-address"
|
||||
set: false
|
||||
remediation: "Edit the $kubeConfDir/apiserver file on the master node and remove
|
||||
remediation: "Edit the $apiserverConf file on the master node and remove
|
||||
the --insecure-bind-address argument from the KUBE_API_ADDRESS parameter."
|
||||
scored: true
|
||||
|
||||
- id: 1.1.7
|
||||
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--insecure-port"
|
||||
@ -97,13 +97,13 @@ groups:
|
||||
op: eq
|
||||
value: 0
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set
|
||||
remediation: "Edit the $apiserverConf file on the master node and set
|
||||
--insecure-port=0 in the KUBE_API_PORT parameter."
|
||||
scored: true
|
||||
|
||||
- id: 1.1.8
|
||||
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
@ -114,14 +114,14 @@ groups:
|
||||
set: true
|
||||
- flag: "--secure-port"
|
||||
set: false
|
||||
remediation: "Edit the $kubeConfDir/apiserver file on the master node and either
|
||||
remediation: "Edit the $apiserverConf file on the master node and either
|
||||
remove the --secure-port argument from the KUBE_API_ARGS parameter or set
|
||||
it to a different desired port."
|
||||
scored: true
|
||||
|
||||
- id: 1.1.9
|
||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--profiling"
|
||||
@ -129,13 +129,13 @@ groups:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
||||
remediation: "Edit the $apiserverConf file on the master node and set the
|
||||
KUBE_API_ARGS parameter to \"--profiling=false\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.10
|
||||
text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--repair-malformed-updates"
|
||||
@ -143,13 +143,13 @@ groups:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
||||
remediation: "Edit the $apiserverConf file on the master node and set the
|
||||
KUBE_API_ARGS parameter to \"--repair-malformed-updates=false\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.11
|
||||
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--admission-control"
|
||||
@ -157,13 +157,13 @@ groups:
|
||||
op: nothave
|
||||
value: AlwaysAdmit
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
||||
remediation: "Edit the $apiserverConf file on the master node and set the
|
||||
KUBE_ADMISSION_CONTROL parameter to a value that does not include AlwaysAdmit"
|
||||
scored: true
|
||||
|
||||
- id: 1.1.12
|
||||
text: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--admission-control"
|
||||
@ -171,13 +171,13 @@ groups:
|
||||
op: has
|
||||
value: "AlwaysPullImages"
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
||||
remediation: "Edit the $apiserverConf file on the master node and set the
|
||||
KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,AlwaysPullImages,...\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.13
|
||||
text: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--admission-control"
|
||||
@ -185,13 +185,13 @@ groups:
|
||||
op: has
|
||||
value: "DenyEscalatingExec"
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
||||
remediation: "Edit the $apiserverConf file on the master node and set the
|
||||
KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,DenyEscalatingExec,...\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.14
|
||||
text: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--admission-control"
|
||||
@ -199,13 +199,13 @@ groups:
|
||||
op: has
|
||||
value: "SecurityContextDeny"
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
||||
remediation: "Edit the $apiserverConf file on the master node and set the
|
||||
KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,SecurityContextDeny,...\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.15
|
||||
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "admission-control"
|
||||
@ -213,24 +213,24 @@ groups:
|
||||
op: has
|
||||
value: "NamespaceLifecycle"
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
||||
remediation: "Edit the $apiserverConf file on the master node and set the
|
||||
KUBE_ADMISSION_CONTROL parameter to \"--admission-control=NamespaceLifecycle,...\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.16
|
||||
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-path"
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
||||
remediation: "Edit the $apiserverConf file on the master node and set the
|
||||
KUBE_API_ARGS parameter to \"--audit-log-path=<filename>\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.17
|
||||
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-maxage"
|
||||
@ -238,13 +238,13 @@ groups:
|
||||
op: gte
|
||||
value: 30
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
||||
remediation: "Edit the $apiserverConf file on the master node and set the
|
||||
KUBE_API_ARGS parameter to \"--audit-log-maxage=30\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.18
|
||||
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-maxbackup"
|
||||
@ -252,13 +252,13 @@ groups:
|
||||
op: gte
|
||||
value: 10
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
||||
remediation: "Edit the $apiserverConf file on the master node and set the
|
||||
KUBE_API_ARGS parameter to \"--audit-log-maxbackup=10\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.19
|
||||
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-maxsize"
|
||||
@ -266,13 +266,13 @@ groups:
|
||||
op: gte
|
||||
value: 100
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
||||
remediation: "Edit the $apiserverConf file on the master node and set the
|
||||
KUBE_API_ARGS parameter to \"--audit-log-maxsize=100\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.20
|
||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--authorization-mode"
|
||||
@ -280,38 +280,38 @@ groups:
|
||||
op: nothave
|
||||
value: "AlwaysAllow"
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
||||
remediation: "Edit the $apiserverConf file on the master node and set the
|
||||
KUBE_API_ARGS parameter to values other than \"--authorization-mode=AlwaysAllow\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.21
|
||||
text: "Ensure that the --token-auth-file parameter is not set (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--token-auth-file"
|
||||
set: false
|
||||
remediation: "Follow the documentation and configure alternate mechanisms for authentication.
|
||||
Then, edit the $kubeConfDir/apiserver file on the master node and remove the
|
||||
Then, edit the $apiserverConf file on the master node and remove the
|
||||
\"--tokenauth-file=<filename>\" argument from the KUBE_API_ARGS parameter."
|
||||
scored: true
|
||||
|
||||
- id: 1.1.22
|
||||
text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--kubelet-certificate-authority"
|
||||
set: true
|
||||
remediation: "Follow the Kubernetes documentation and setup the TLS connection between
|
||||
the apiserver and kubelets. Then, edit the $kubeConfDir/apiserver file on the
|
||||
the apiserver and kubelets. Then, edit the $apiserverConf file on the
|
||||
master node and set the KUBE_API_ARGS parameter to
|
||||
\"--kubelet-certificate-authority=<ca-string>\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.23
|
||||
text: "Ensure that the --kubelet-client-certificate and --kubelet-clientkey arguments are set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
bin_op: and
|
||||
test_items:
|
||||
@ -320,14 +320,14 @@ groups:
|
||||
- flag: "--kubelet-client-key"
|
||||
set: true
|
||||
remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver
|
||||
and kubelets. Then, edit the $kubeConfDir/apiserver file on the master node and set the
|
||||
and kubelets. Then, edit the $apiserverConf file on the master node and set the
|
||||
KUBE_API_ARGS parameter to \"--kubelet-clientcertificate=<path/to/client-certificate-file>\"
|
||||
and \"--kubelet-clientkey=<path/to/client-key-file>\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.24
|
||||
text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--service-account-lookup"
|
||||
@ -335,13 +335,13 @@ groups:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the KUBE_API_ARGS parameter
|
||||
remediation: "Edit the $apiserverConf file on the master node and set the KUBE_API_ARGS parameter
|
||||
to \"--service-account-lookup=true\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.25
|
||||
text: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--admission-control"
|
||||
@ -350,24 +350,24 @@ groups:
|
||||
value: "PodSecurityPolicy"
|
||||
set: true
|
||||
remediation: "Follow the documentation and create Pod Security Policy objects as per your environment.
|
||||
Then, edit the $kubeConfDir/apiserver file on the master node and set the KUBE_ADMISSION_CONTROL
|
||||
Then, edit the $apiserverConf file on the master node and set the KUBE_ADMISSION_CONTROL
|
||||
parameter to \"--admission-control=...,PodSecurityPolicy,...\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.26
|
||||
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--service-account-key-file"
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the KUBE_API_ARGS
|
||||
remediation: "Edit the $apiserverConf file on the master node and set the KUBE_API_ARGS
|
||||
parameter to \"--service-account-key-file=<filename>\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.27
|
||||
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
bin_op: and
|
||||
test_items:
|
||||
@ -376,14 +376,14 @@ groups:
|
||||
- flag: "--etcd-keyfile"
|
||||
set: true
|
||||
remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver
|
||||
and etcd. Then, edit the $kubeConfDir/apiserver file on the master node and set the
|
||||
and etcd. Then, edit the $apiserverConf file on the master node and set the
|
||||
KUBE_API_ARGS parameter to include \"--etcd-certfile=<path/to/clientcertificate-file>\"
|
||||
and \"--etcd-keyfile=<path/to/client-key-file>\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.28
|
||||
text: "Ensure that the admission control policy is set to ServiceAccount (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--admission-control"
|
||||
@ -392,13 +392,13 @@ groups:
|
||||
value: "ServiceAccount"
|
||||
set: true
|
||||
remediation: "Follow the documentation and create ServiceAccount objects as per your environment.
|
||||
Then, edit the $kubeConfDir/apiserver file on the master node and set the
|
||||
Then, edit the $apiserverConf file on the master node and set the
|
||||
KUBE_ADMISSION_CONTROL parameter to \"--admissioncontrol=...,ServiceAccount,...\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.29
|
||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
bin_op: and
|
||||
test_items:
|
||||
@ -407,32 +407,32 @@ groups:
|
||||
- flag: "--tls-private-key-file"
|
||||
set: true
|
||||
remediation: "Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
|
||||
Then, edit the $kubeConfDir/apiserver file on the master node and set the KUBE_API_ARGS parameter to
|
||||
Then, edit the $apiserverConf file on the master node and set the KUBE_API_ARGS parameter to
|
||||
include \"--tls-cert-file=<path/to/tls-certificatefile>\" and
|
||||
\"--tls-private-key-file=<path/to/tls-key-file>\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.30
|
||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--client-ca-file"
|
||||
set: true
|
||||
remediation: "Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
|
||||
Then, edit the $kubeConfDir/apiserver file on the master node and set the
|
||||
Then, edit the $apiserverConf file on the master node and set the
|
||||
KUBE_API_ARGS parameter to include \"--client-ca-file=<path/to/client-ca-file>\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.31
|
||||
text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeApiserver | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--etcd-cafile"
|
||||
set: true
|
||||
remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver
|
||||
and etcd. Then, edit the $kubeConfDir/apiserver file on the master node and set the
|
||||
and etcd. Then, edit the $apiserverConf file on the master node and set the
|
||||
KUBE_API_ARGS parameter to include \"--etcd-cafile=<path/to/ca-file>\""
|
||||
scored: true
|
||||
|
||||
@ -441,7 +441,7 @@ groups:
|
||||
checks:
|
||||
- id: 1.2.1
|
||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep kube-scheduler | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeScheduler | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--profiling"
|
||||
@ -449,7 +449,7 @@ groups:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/scheduler file on the master node and set the KUBE_SCHEDULER_ARGS
|
||||
remediation: "Edit the $schedulerConf file on the master node and set the KUBE_SCHEDULER_ARGS
|
||||
parameter to \"--profiling=false\""
|
||||
scored: true
|
||||
|
||||
@ -458,18 +458,18 @@ groups:
|
||||
checks:
|
||||
- id: 1.3.1
|
||||
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep kube-controller-manager | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeControllerManager | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--terminated-pod-gc-threshold"
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/controller-manager file on the master node and set the
|
||||
remediation: "Edit the $controllerManagerConf file on the master node and set the
|
||||
KUBE_CONTROLLER_MANAGER_ARGS parameter to \"--terminated-pod-gcthreshold=<appropriate-number>\""
|
||||
scored: true
|
||||
|
||||
- id: 1.3.2
|
||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep kube-controller-manager | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeControllerManager | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--profiling"
|
||||
@ -477,25 +477,25 @@ groups:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/controller-manager file on the master node and set the
|
||||
remediation: "Edit the $controllerManagerConf file on the master node and set the
|
||||
KUBE_CONTROLLER_MANAGER_ARGS parameter to \"--profiling=false\""
|
||||
scored: true
|
||||
|
||||
- id: 1.3.3
|
||||
text: "Ensure that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set (Scored)"
|
||||
audit: "ps -ef | grep kube-controller-manager | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeControllerManager | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--insecure-experimental-approve-all-kubelet-csrs-for-group"
|
||||
set: false
|
||||
remediation: "Edit the $kubeConfDir/controller-manager file on the master node and remove
|
||||
remediation: "Edit the $controllerManagerConf file on the master node and remove
|
||||
the -insecure-experimental-approve-all-kubelet-csrs-for-group argument from the
|
||||
KUBE_CONTROLLER_MANAGER_ARGS parameter"
|
||||
scored: true
|
||||
|
||||
- id: 1.3.4
|
||||
text: "Ensure that the --use-service-account-credentials argument is set"
|
||||
audit: "ps -ef | grep kube-controller-manager | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeControllerManager | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--use-service-account-credentials"
|
||||
@ -503,29 +503,29 @@ groups:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/controller-manager file on the master node and set the
|
||||
remediation: "Edit the $controllerManagerConf file on the master node and set the
|
||||
KUBE_CONTROLLER_MANAGER_ARGS parameter to --use-service-account-credentials=true"
|
||||
scored: true
|
||||
|
||||
- id: 1.3.5
|
||||
text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep kube-controller-manager | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeControllerManager | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--service-account-private-key-file"
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/controller-manager file on the master node and set the
|
||||
remediation: "Edit the $controllerManagerConf file on the master node and set the
|
||||
KUBE_CONTROLLER_MANAGER_ARGS parameter to --service-account-private-keyfile=<filename>"
|
||||
scored: true
|
||||
|
||||
- id: 1.3.6
|
||||
text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep kube-controller-manager | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeControllerManager | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--root-ca-file"
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/controller-manager file on the master node and set the
|
||||
remediation: "Edit the $controllerManagerConf file on the master node and set the
|
||||
KUBE_CONTROLLER_MANAGER_ARGS parameter to include --root-ca-file=<file>"
|
||||
scored: true
|
||||
|
||||
@ -534,126 +534,124 @@ groups:
|
||||
checks:
|
||||
- id: 1.4.1
|
||||
text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "if test -e $kubeConfDir/apiserver; then stat -c %a $kubeConfDir/apiserver; fi"
|
||||
audit: "if test -e $apiserverConf; then stat -c %a $apiserverConf; fi"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "644"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||
\nFor example, chmod 644 $kubeConfDir/apiserver"
|
||||
\nFor example, chmod 644 $apiserverConf"
|
||||
scored: true
|
||||
|
||||
- id: 1.4.2
|
||||
text: "Ensure that the apiserver file ownership is set to root:root (Scored)"
|
||||
audit: "if test -e $kubeConfDir/apiserver; then stat -c %U:%G $kubeConfDir/apiserver; fi"
|
||||
audit: "if test -e $apiserverConf; then stat -c %U:%G $apiserverConf; fi"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||
\nFor example, chown root:root $kubeConfDir/apiserver"
|
||||
\nFor example, chown root:root $apiserverConf"
|
||||
scored: true
|
||||
|
||||
- id: 1.4.3
|
||||
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "if test -e $kubeConfDir/config; then stat -c %a $kubeConfDir/config; fi"
|
||||
audit: "if test -e $kubeConfig; then stat -c %a $kubeConfig; fi"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "644"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||
\nFor example, chmod 644 $kubeConfDir/config"
|
||||
\nFor example, chmod 644 $kubeConfig"
|
||||
scored: true
|
||||
|
||||
- id: 1.4.4
|
||||
text: "Ensure that the config file ownership is set to root:root (Scored)"
|
||||
audit: "if test -e $kubeConfDir/config; then stat -c %U:%G $kubeConfDir/config; fi"
|
||||
audit: "if test -e $kubeConfig; then stat -c %U:%G $kubeConfig; fi"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||
\nFor example, chown root:root $kubeConfDir/config"
|
||||
\nFor example, chown root:root $kubeConfig"
|
||||
scored: true
|
||||
|
||||
- id: 1.4.5
|
||||
text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "if test -e $kubeConfDir/scheduler; then stat -c %a $kubeConfDir/scheduler; fi"
|
||||
audit: "if test -e $schedulerConf; then stat -c %a $schedulerConf; fi"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "644"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||
\nFor example, chmod 644 $kubeConfDir/scheduler"
|
||||
\nFor example, chmod 644 $schedulerConf"
|
||||
scored: true
|
||||
|
||||
- id: 1.4.6
|
||||
text: "Ensure that the scheduler file ownership is set to root:root (Scored)"
|
||||
audit: "if test -e $kubeConfDir/scheduler; then stat -c %U:%G $kubeConfDir/scheduler; fi"
|
||||
audit: "if test -e $schedulerConf; then stat -c %U:%G $schedulerConf; fi"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||
\nFor example, chown root:root $kubeConfDir/scheduler"
|
||||
\nFor example, chown root:root $schedulerConf"
|
||||
scored: true
|
||||
|
||||
- id: 1.4.7
|
||||
text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "if test -e $etcdConfDir/etcd.conf; then stat -c %a $etcdConfDir/etcd.conf; fi"
|
||||
audit: "if test -e $$etcdConf; then stat -c %a $$etcdConf; fi"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "644"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||
\nFor example, chmod 644 $etcdConfDir/etcd.conf"
|
||||
\nFor example, chmod 644 $$etcdConf"
|
||||
scored: true
|
||||
|
||||
- id: 1.4.8
|
||||
text: "Ensure that the etcd.conf file ownership is set to root:root (Scored)"
|
||||
audit: "if test -e $etcdConfDir/etcd.conf; then stat -c %U:%G $etcdConfDir/etcd.conf; fi"
|
||||
audit: "if test -e $$etcdConf; then stat -c %U:%G $$etcdConf; fi"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||
\nFor example, chown root:root $etcdConfDir/etcd.conf"
|
||||
\nFor example, chown root:root $$etcdConf"
|
||||
scored: true
|
||||
|
||||
- id: 1.4.9
|
||||
text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "if test -e /etc/sysconfig/flanneld; then stat -c %a /etc/sysconfig/flanneld; fi"
|
||||
audit: "if test -e $$flanneldConf; then stat -c %a $$flanneldConf; fi"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "644"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||
\nFor example, chmod 644 /etc/sysconfig/flanneld"
|
||||
\nFor example, chmod 644 $$flanneldConf"
|
||||
scored: true
|
||||
|
||||
- id: 1.4.10
|
||||
text: "Ensure that the flanneld file ownership is set to root:root (Scored)"
|
||||
audit: "if test -e /etc/sysconfig/flanneld; then stat -c %U:%G /etc/sysconfig/flanneld; fi"
|
||||
audit: "if test -e $$flanneldConf; then stat -c %U:%G $$flanneldConf; fi"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||
\nFor example, chown root:root /etc/sysconfig/flanneld"
|
||||
\nFor example, chown root:root $$flanneldConf"
|
||||
scored: true
|
||||
|
||||
- id: 1.4.11
|
||||
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
|
||||
# audit: ps -ef | grep etcd | grep -v grep | sed 's,.*--data-dir=\(.*\)\s*.*,\1,' | xargs stat -c %a
|
||||
audit: "ps -ef | grep etcd | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %a"
|
||||
# audit: xargs stat -c %a /etc/etcd
|
||||
audit: "ps -ef | grep $etcd | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %a"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "700"
|
||||
set: true
|
||||
remediation: "On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
|
||||
from the below command:\n
|
||||
ps -ef | grep etcd\n
|
||||
ps -ef | grep $etcd\n
|
||||
Run the below command (based on the etcd data directory found above). For example,\n
|
||||
chmod 700 /var/lib/etcd/default.etcd"
|
||||
scored: true
|
||||
@ -663,7 +661,7 @@ groups:
|
||||
checks:
|
||||
- id: 1.5.1
|
||||
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep etcd | grep -v grep"
|
||||
audit: "ps -ef | grep $etcd | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--cert-file"
|
||||
@ -675,7 +673,7 @@ groups:
|
||||
|
||||
- id: 1.5.2
|
||||
text: "Ensure that the --client-cert-auth argument is set to true (Scored)"
|
||||
audit: "ps -ef | grep etcd | grep -v grep"
|
||||
audit: "ps -ef | grep $etcd | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--client-cert-auth"
|
||||
@ -683,7 +681,7 @@ groups:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
remediation: "Edit the etcd envrironment file (for example, $etcdConfDir/etcd.conf) on the
|
||||
remediation: "Edit the etcd envrironment file (for example, $$etcdConf) on the
|
||||
etcd server node and set the ETCD_CLIENT_CERT_AUTH parameter to \"true\".
|
||||
Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service)
|
||||
and configure the startup parameter for --clientcert-auth and set it to \"${ETCD_CLIENT_CERT_AUTH}\""
|
||||
@ -691,7 +689,7 @@ groups:
|
||||
|
||||
- id: 1.5.3
|
||||
text: "Ensure that the --auto-tls argument is not set to true (Scored)"
|
||||
audit: "ps -ef | grep etcd | grep -v grep"
|
||||
audit: "ps -ef | grep $etcd | grep -v grep"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
@ -701,7 +699,7 @@ groups:
|
||||
compare:
|
||||
op: neq
|
||||
value: true
|
||||
remediation: "Edit the etcd environment file (for example, $etcdConfDir/etcd.conf) on the etcd server
|
||||
remediation: "Edit the etcd environment file (for example, $$etcdConf) on the etcd server
|
||||
node and comment out the ETCD_AUTO_TLS parameter. Edit the etcd startup file (for example,
|
||||
/etc/systemd/system/multiuser.target.wants/etcd.service) and remove the startup parameter
|
||||
for --auto-tls."
|
||||
@ -709,7 +707,7 @@ groups:
|
||||
|
||||
- id: 1.5.4
|
||||
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep etcd | grep -v grep"
|
||||
audit: "ps -ef | grep $etcd | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--peer-cert-file"
|
||||
@ -724,7 +722,7 @@ groups:
|
||||
|
||||
- id: 1.5.5
|
||||
text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
|
||||
audit: "ps -ef | grep etcd | grep -v grep"
|
||||
audit: "ps -ef | grep $etcd | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--peer-client-cert-auth"
|
||||
@ -734,7 +732,7 @@ groups:
|
||||
set: true
|
||||
remediation: "Note: This recommendation is applicable only for etcd clusters. If you are using only
|
||||
one etcd server in your environment then this recommendation is not applicable.
|
||||
Edit the etcd environment file (for example, $etcdConfDir/etcd.conf) on the etcd server node
|
||||
Edit the etcd environment file (for example, $$etcdConf) on the etcd server node
|
||||
and set the ETCD_PEER_CLIENT_CERT_AUTH parameter to \"true\". Edit the etcd startup file
|
||||
(for example, /etc/systemd/system/multiuser.target.wants/etcd.service) and configure the
|
||||
startup parameter for --peer-client-cert-auth and set it to \"${ETCD_PEER_CLIENT_CERT_AUTH}\""
|
||||
@ -742,7 +740,7 @@ groups:
|
||||
|
||||
- id: 1.5.6
|
||||
text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
|
||||
audit: "ps -ef | grep etcd | grep -v grep"
|
||||
audit: "ps -ef | grep $etcd | grep -v grep"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
@ -755,7 +753,7 @@ groups:
|
||||
set: true
|
||||
remediation: "Note: This recommendation is applicable only for etcd clusters.
|
||||
If you are using only one etcd server in your environment then this recommendation is
|
||||
not applicable. Edit the etcd environment file (for example, $etcdConfDir/etcd.conf)
|
||||
not applicable. Edit the etcd environment file (for example, $$etcdConf)
|
||||
on the etcd server node and comment out the ETCD_PEER_AUTO_TLS parameter.
|
||||
Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service)
|
||||
and remove the startup parameter for --peer-auto-tls."
|
||||
@ -763,12 +761,12 @@ groups:
|
||||
|
||||
- id: 1.5.7
|
||||
text: "Ensure that the --wal-dir argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep etcd | grep -v grep"
|
||||
audit: "ps -ef | grep $etcd | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--wal-dir"
|
||||
set: true
|
||||
remediation: "Edit the etcd environment file (for example, $etcdConfDir/etcd.conf) on the etcd server node
|
||||
remediation: "Edit the etcd environment file (for example, $$etcdConf) on the etcd server node
|
||||
and set the ETCD_WAL_DIR parameter as appropriate. Edit the etcd startup file (for example,
|
||||
/etc/systemd/system/multiuser.target.wants/etcd.service) and configure the startup parameter for
|
||||
--wal-dir and set it to \"${ETCD_WAL_DIR}\""
|
||||
@ -776,7 +774,7 @@ groups:
|
||||
|
||||
- id: 1.5.8
|
||||
text: "Ensure that the --max-wals argument is set to 0 (Scored)"
|
||||
audit: "ps -ef | grep etcd | grep -v grep"
|
||||
audit: "ps -ef | grep $etcd | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--max-wals"
|
||||
@ -784,7 +782,7 @@ groups:
|
||||
op: eq
|
||||
value: 0
|
||||
set: true
|
||||
remediation: "Edit the etcd environment file (for example, $etcdConfDir/etcd.conf) on the etcd server node
|
||||
remediation: "Edit the etcd environment file (for example, $$etcdConf) on the etcd server node
|
||||
and set the ETCD_MAX_WALS parameter to 0. Edit the etcd startup file (for example,
|
||||
/etc/systemd/system/multiuser.target.wants/etcd.service) and configure the startup parameter
|
||||
for --max-wals and set it to \"${ETCD_MAX_WALS}\"."
|
||||
@ -792,7 +790,7 @@ groups:
|
||||
|
||||
- id: 1.5.9
|
||||
text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
|
||||
audit: "ps -ef | grep etcd | grep -v grep"
|
||||
audit: "ps -ef | grep $etcd | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--trusted-ca-file"
|
||||
|
@ -9,7 +9,7 @@ groups:
|
||||
checks:
|
||||
- id: 2.1.1
|
||||
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep kubelet | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeletBin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--allow-privileged"
|
||||
@ -17,13 +17,13 @@ groups:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/config file on each node and set the KUBE_ALLOW_PRIV
|
||||
remediation: "Edit the $kubeConfig file on each node and set the KUBE_ALLOW_PRIV
|
||||
parameter to \"--allow-privileged=false\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.2
|
||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep kubelet | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeletBin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--anonymous-auth"
|
||||
@ -31,13 +31,13 @@ groups:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/kubelet file on the master node and set the
|
||||
remediation: "Edit the $kubeletConf file on the master node and set the
|
||||
KUBELET_ARGS parameter to \"--anonymous-auth=false\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.3
|
||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||
audit: "ps -ef | grep kubelet | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeletBin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--authorization-mode"
|
||||
@ -45,25 +45,25 @@ groups:
|
||||
op: nothave
|
||||
value: "AlwaysAllow"
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/kubelet file on each node and set the
|
||||
remediation: "Edit the $kubeletConf file on each node and set the
|
||||
KUBELET_ARGS parameter to \"--authorization-mode=Webhook\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.4
|
||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep kubelet | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeletBin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--client-ca-file"
|
||||
set: true
|
||||
remediation: "Follow the Kubernetes documentation and setup the TLS connection between
|
||||
the apiserver and kubelets. Then, edit the $kubeConfDir/kubelet file on each node
|
||||
the apiserver and kubelets. Then, edit the $kubeletConf file on each node
|
||||
and set the KUBELET_ARGS parameter to \"--client-ca-file=<path/to/client-ca-file>\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.5
|
||||
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
|
||||
audit: "ps -ef | grep kubelet | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeletBin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--read-only-port"
|
||||
@ -71,13 +71,13 @@ groups:
|
||||
op: eq
|
||||
value: 0
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/kubelet file on each node and set the KUBELET_ARGS
|
||||
remediation: "Edit the $kubeletConf file on each node and set the KUBELET_ARGS
|
||||
parameter to \"--read-only-port=0\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.6
|
||||
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
|
||||
audit: "ps -ef | grep kubelet | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeletBin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--streaming-connection-idle-timeout"
|
||||
@ -85,13 +85,13 @@ groups:
|
||||
op: gt
|
||||
value: 0
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/kubelet file on each node and set the KUBELET_ARGS
|
||||
remediation: "Edit the $kubeletConf file on each node and set the KUBELET_ARGS
|
||||
parameter to \"--streaming-connection-idle-timeout=<appropriate-timeout-value>\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.7
|
||||
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
|
||||
audit: "ps -ef | grep kubelet | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeletBin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--protect-kernel-defaults"
|
||||
@ -99,13 +99,13 @@ groups:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/kubelet file on each node and set the KUBELET_ARGS
|
||||
remediation: "Edit the $kubeletConf file on each node and set the KUBELET_ARGS
|
||||
parameter to \"--protect-kernel-defaults=true\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.8
|
||||
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
|
||||
audit: "ps -ef | grep kubelet | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeletBin | grep -v grep"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
@ -116,13 +116,13 @@ groups:
|
||||
set: true
|
||||
- flag: "--make-iptables-util-chains"
|
||||
set: false
|
||||
remediation: "Edit the $kubeConfDir/kubelet file on each node and remove the
|
||||
remediation: "Edit the $kubeletConf file on each node and remove the
|
||||
--make-iptables-util-chains argument from the KUBELET_ARGS parameter."
|
||||
scored: true
|
||||
|
||||
- id: 2.1.9
|
||||
text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep kubelet | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeletBin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--keep-terminated-pod-volumes"
|
||||
@ -130,24 +130,24 @@ groups:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/kubelet file on each node and set the KUBELET_ARGS
|
||||
remediation: "Edit the $kubeletConf file on each node and set the KUBELET_ARGS
|
||||
parameter to \"--keep-terminated-pod-volumes=false\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.10
|
||||
text: "Ensure that the --hostname-override argument is not set (Scored)"
|
||||
audit: "ps -ef | grep kubelet | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeletBin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--hostname-override"
|
||||
set: false
|
||||
remediation: "Edit the $kubeConfDir/kubelet file on each node and set the KUBELET_HOSTNAME
|
||||
remediation: "Edit the $kubeletConf file on each node and set the KUBELET_HOSTNAME
|
||||
parameter to \"\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.11
|
||||
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
|
||||
audit: "ps -ef | grep kubelet | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeletBin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--event-qps"
|
||||
@ -155,13 +155,13 @@ groups:
|
||||
op: eq
|
||||
value: 0
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/kubelet file on each node and set the KUBELET_ARGS
|
||||
remediation: "Edit the $kubeletConf file on each node and set the KUBELET_ARGS
|
||||
parameter to \"--event-qps=0\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.12
|
||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep kubelet | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeletBin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--tls-cert-file"
|
||||
@ -169,14 +169,14 @@ groups:
|
||||
- flag: "--tls-private-key-file"
|
||||
set: true
|
||||
remediation: "Follow the Kubernetes documentation and set up the TLS connection on the Kubelet.
|
||||
Then, edit the $kubeConfDir/kubelet file on the master node and set the KUBELET_ARGS
|
||||
Then, edit the $kubeletConf file on the master node and set the KUBELET_ARGS
|
||||
parameter to include \"--tls-cert-file=<path/to/tls-certificate-file>\" and
|
||||
\"--tls-private-key-file=<path/to/tls-key-file>\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.13
|
||||
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
|
||||
audit: "ps -ef | grep kubelet | grep -v grep"
|
||||
audit: "ps -ef | grep $kubeletBin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--cadvisor-port"
|
||||
@ -184,7 +184,7 @@ groups:
|
||||
op: eq
|
||||
value: 0
|
||||
set: true
|
||||
remediation: "Edit the $kubeConfDir/kubelet file on each node and set the KUBELET_ARGS parameter
|
||||
remediation: "Edit the $kubeletConf file on each node and set the KUBELET_ARGS parameter
|
||||
to \"--cadvisor-port=0\""
|
||||
scored: true
|
||||
|
||||
@ -193,66 +193,66 @@ groups:
|
||||
checks:
|
||||
- id: 2.2.1
|
||||
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "if test -e $kubeConfDir/config; then stat -c %a $kubeConfDir/config; fi"
|
||||
audit: "if test -e $kubeConfig; then stat -c %a $kubeConfig; fi"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "644"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
||||
\nFor example, chmod 644 $kubeConfDir/config"
|
||||
\nFor example, chmod 644 $kubeConfig"
|
||||
scored: true
|
||||
|
||||
- id: 2.2.2
|
||||
text: "Ensure that the config file ownership is set to root:root (Scored)"
|
||||
audit: "if test -e $kubeConfDir/config; then stat -c %U:%G $kubeConfDir/config; fi"
|
||||
audit: "if test -e $kubeConfig; then stat -c %U:%G $kubeConfig; fi"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
||||
\nFor example, chown root:root $kubeConfDir/config"
|
||||
\nFor example, chown root:root $kubeConfig"
|
||||
scored: true
|
||||
|
||||
- id: 2.2.3
|
||||
text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "if test -e $kubeConfDir/kubelet; then stat -c %a $kubeConfDir/kubelet; fi"
|
||||
audit: "if test -e $kubeletConf; then stat -c %a $kubeletConf; fi"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "644"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
||||
\nFor example, chmod 644 $kubeConfDir/kubelet"
|
||||
\nFor example, chmod 644 $kubeletConf"
|
||||
scored: true
|
||||
|
||||
- id: 2.2.4
|
||||
text: "Ensure that the kubelet file ownership is set to root:root (Scored)"
|
||||
audit: "if test -e $kubeConfDir/kubelet; then stat -c %U:%G $kubeConfDir/kubelet; fi"
|
||||
audit: "if test -e $kubeletConf; then stat -c %U:%G $kubeletConf; fi"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
||||
\nFor example, chown root:root $kubeConfDir/kubelet"
|
||||
\nFor example, chown root:root $kubeletConf"
|
||||
scored: true
|
||||
|
||||
- id: 2.2.5
|
||||
text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "if test -e $kubeConfDir/proxy; then stat -c %a $kubeConfDir/proxy; fi"
|
||||
audit: "if test -e $kubeProxyConf; then stat -c %a $kubeProxyConf; fi"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "644"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
||||
\nFor example, chmod 644 $kubeConfDir/proxy"
|
||||
\nFor example, chmod 644 $kubeProxyConf"
|
||||
scored: true
|
||||
|
||||
- id: 2.2.6
|
||||
text: "Ensure that the proxy file ownership is set to root:root (Scored)"
|
||||
audit: "if test -e $kubeConfDir/proxy; then stat -c %U:%G $kubeConfDir/proxy; fi"
|
||||
audit: "if test -e $kubeProxyConf; then stat -c %U:%G $kubeProxyConf; fi"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
||||
\nFor example, chown root:root $kubeConfDir/proxy"
|
||||
\nFor example, chown root:root $kubeProxyConf"
|
||||
scored: true
|
||||
|
@ -96,7 +96,6 @@ func (c *Check) Run(verbose bool) {
|
||||
cs := c.Commands
|
||||
|
||||
// Initialize command pipeline
|
||||
// cs[0].Stderr = os.Stderr
|
||||
cs[n-1].Stdout = &out
|
||||
i := 1
|
||||
|
||||
@ -113,7 +112,6 @@ func (c *Check) Run(verbose bool) {
|
||||
),
|
||||
)
|
||||
|
||||
// cs[i].Stderr = os.Stderr
|
||||
i++
|
||||
}
|
||||
|
||||
@ -150,7 +148,7 @@ func (c *Check) Run(verbose bool) {
|
||||
i++
|
||||
}
|
||||
|
||||
if verbose {
|
||||
if verbose && errmsgs != "" {
|
||||
fmt.Fprintf(os.Stderr, "%s\n", errmsgs)
|
||||
}
|
||||
|
||||
|
207
cmd/common.go
207
cmd/common.go
@ -27,16 +27,13 @@ import (
|
||||
)
|
||||
|
||||
var (
|
||||
errmsgs string
|
||||
errmsgs string
|
||||
kubeMasterBin map[string]string
|
||||
kubeMasterConf map[string]string
|
||||
|
||||
kubeMasterBin = []string{"kube-apiserver", "kube-scheduler", "kube-controller-manager"}
|
||||
xMasterBin = []string{"etcd", "flanneld"}
|
||||
kubeMasterConf = []string{}
|
||||
|
||||
kubeNodeBin = []string{"kubelet"}
|
||||
kubeNodeConf = []string{}
|
||||
|
||||
kubeFederatedBin = []string{"federation-apiserver", "federation-controller-manager"}
|
||||
kubeNodeBin map[string]string
|
||||
kubeNodeConf map[string]string
|
||||
kubeFederatedBin map[string]string
|
||||
|
||||
// TODO: Consider specifying this in config file.
|
||||
kubeVersion = "1.6"
|
||||
@ -64,6 +61,121 @@ func runChecks(t check.NodeType) {
|
||||
var summary check.Summary
|
||||
var file string
|
||||
|
||||
// Set up binary and configuration.
|
||||
switch installation {
|
||||
default:
|
||||
fallthrough
|
||||
case "kops":
|
||||
// Master
|
||||
kubeMasterBin = map[string]string{
|
||||
"apiserver": "apiserver",
|
||||
"scheduler": "scheduler",
|
||||
"controller-manager": "controller-manager",
|
||||
"etcd": "etcd",
|
||||
"flanneld": "flanneld",
|
||||
}
|
||||
|
||||
kubeMasterConf = map[string]string{
|
||||
"apiserver": "/etc/kubernetes/apiserver",
|
||||
"scheduler": "/etc/kubernetes/scheduler",
|
||||
"controller-manager": "/etc/kubernetes/controller-manager",
|
||||
"config": "/etc/kubernetes/config",
|
||||
"etcd": "/etc/etcd/etcd.conf",
|
||||
"flanneld": "/etc/sysconfig/flanneld",
|
||||
}
|
||||
|
||||
// Node
|
||||
kubeNodeBin = map[string]string{
|
||||
"kubelet": "kubelet",
|
||||
"proxy": "proxy",
|
||||
}
|
||||
|
||||
kubeNodeConf = map[string]string{
|
||||
"kubelet": "/etc/kubernetes/kubelet",
|
||||
"proxy": "/etc/kubernetes/proxy",
|
||||
}
|
||||
|
||||
// Federated
|
||||
kubeFederatedBin = map[string]string{
|
||||
"apiserver": "federation-apiserver",
|
||||
"controller-manager": "federation-controller-manager",
|
||||
}
|
||||
|
||||
case "hyperkube":
|
||||
// Master
|
||||
kubeMasterBin = map[string]string{
|
||||
"apiserver": "hyperkube apiserver",
|
||||
"scheduler": "hyperkube scheduler",
|
||||
"controller-manager": "hyperkube controller-manager",
|
||||
"etcd": "etcd",
|
||||
"flanneld": "flanneld",
|
||||
}
|
||||
|
||||
kubeMasterConf = map[string]string{
|
||||
"apiserver": "/etc/kubernetes/apiserver",
|
||||
"scheduler": "/etc/kubernetes/scheduler",
|
||||
"controller-manager": "/etc/kubernetes/controller-manager",
|
||||
"config": "/etc/kubernetes/config",
|
||||
"etcd": "/etc/etcd/etcd.conf",
|
||||
"flanneld": "/etc/sysconfig/flanneld",
|
||||
}
|
||||
|
||||
// Node
|
||||
kubeNodeBin = map[string]string{
|
||||
"kubelet": "hyperkube kubelet",
|
||||
"proxy": "hyperkube kube-proxy",
|
||||
}
|
||||
|
||||
kubeNodeConf = map[string]string{
|
||||
"kubelet": "/etc/kubernetes/kubelet",
|
||||
"proxy": "/etc/kubernetes/proxy",
|
||||
}
|
||||
|
||||
// Federated
|
||||
kubeFederatedBin = map[string]string{
|
||||
"apiserver": "federation-apiserver",
|
||||
"controller-manager": "federation-controller-manager",
|
||||
}
|
||||
case "kubeadm":
|
||||
// TODO: Complete config and binary file list for kubeadm.
|
||||
|
||||
// Master
|
||||
kubeMasterBin = map[string]string{
|
||||
"apiserver": "hyperkube",
|
||||
"scheduler": "hyperkube",
|
||||
"controller-manager": "hyperkube",
|
||||
"etcd": "etcd",
|
||||
"flanneld": "flanneld",
|
||||
}
|
||||
|
||||
kubeMasterConf = map[string]string{
|
||||
"apiserver": "/etc/kubernetes/admin.conf",
|
||||
"scheduler": "/etc/kubernetes/scheduler.conf",
|
||||
"controller-manager": "/etc/kubernetes/controller-manager.conf",
|
||||
"config": "/etc/kubernetes/config",
|
||||
"etcd": "/etc/etcd/etcd.conf",
|
||||
"flanneld": "/etc/sysconfig/flanneld",
|
||||
}
|
||||
|
||||
// Node
|
||||
kubeNodeBin = map[string]string{
|
||||
"kubelet": "hyperkube",
|
||||
"proxy": "hyperkube",
|
||||
}
|
||||
|
||||
kubeNodeConf = map[string]string{
|
||||
"kubelet": "/etc/kubernetes/kubelet.conf",
|
||||
"proxy": "/etc/kubernetes/proxy.conf",
|
||||
}
|
||||
|
||||
// Federated
|
||||
kubeFederatedBin = map[string]string{
|
||||
"apiserver": "federation-apiserver",
|
||||
"controller-manager": "federation-controller-manager",
|
||||
}
|
||||
}
|
||||
|
||||
// Run kubernetes installation validation checks.
|
||||
warns := verifyNodeType(t)
|
||||
|
||||
switch t {
|
||||
@ -82,9 +194,31 @@ func runChecks(t check.NodeType) {
|
||||
}
|
||||
|
||||
// Variable substitutions. Replace all occurrences of variables in controls file.
|
||||
s := strings.Replace(string(in), "$kubeConfDir", viper.Get("kubeConfDir").(string), -1)
|
||||
s = strings.Replace(s, "$etcdConfDir", viper.Get("etcdConfDir").(string), -1)
|
||||
s = strings.Replace(s, "$flanneldConfDir", viper.Get("flanneldConfDir").(string), -1)
|
||||
// Master
|
||||
s := strings.Replace(string(in), "$kubeApiserver", kubeMasterBin["apiserver"], -1)
|
||||
s = strings.Replace(s, "$apiserverConf", kubeMasterConf["apiserver"], -1)
|
||||
|
||||
s = strings.Replace(s, "$kubeScheduler", kubeMasterBin["scheduler"], -1)
|
||||
s = strings.Replace(s, "$schedulerConf", kubeMasterConf["scheduler"], -1)
|
||||
|
||||
s = strings.Replace(s, "$kubeControllerManager", kubeMasterBin["controller-manager"], -1)
|
||||
s = strings.Replace(s, "$controllerManagerConf", kubeMasterConf["controller-manager"], -1)
|
||||
|
||||
s = strings.Replace(s, "$etcd", kubeMasterBin["etcd"], -1)
|
||||
s = strings.Replace(s, "$flanneld", kubeMasterBin["flanneld"], -1)
|
||||
|
||||
s = strings.Replace(s, "$kubeConfig", kubeMasterConf["config"], -1)
|
||||
s = strings.Replace(s, "$etcdConf", kubeMasterConf["etcd"], -1)
|
||||
s = strings.Replace(s, "$flanneldConf", kubeMasterConf["flanneld"], -1)
|
||||
|
||||
// Node
|
||||
s = strings.Replace(s, "$kubeletBin", kubeNodeBin["kubelet"], -1)
|
||||
s = strings.Replace(s, "$kubeletConf", kubeNodeConf["kubelet"], -1)
|
||||
s = strings.Replace(s, "$kubeProxyConf", kubeNodeConf["proxy"], -1)
|
||||
|
||||
// Federated
|
||||
s = strings.Replace(s, "$federationApiserver", kubeFederatedBin["apiserver"], -1)
|
||||
s = strings.Replace(s, "$federationControllerManager", kubeFederatedBin["controller-manager"], -1)
|
||||
|
||||
controls, err := check.NewControls(t, []byte(s))
|
||||
if err != nil {
|
||||
@ -95,15 +229,12 @@ func runChecks(t check.NodeType) {
|
||||
if groupList != "" && checkList == "" {
|
||||
ids := cleanIDs(groupList)
|
||||
summary = controls.RunGroup(verbose, ids...)
|
||||
|
||||
} else if checkList != "" && groupList == "" {
|
||||
ids := cleanIDs(checkList)
|
||||
summary = controls.RunChecks(verbose, ids...)
|
||||
|
||||
} else if checkList != "" && groupList != "" {
|
||||
fmt.Fprintf(os.Stderr, "group option and check option can't be used together\n")
|
||||
os.Exit(1)
|
||||
|
||||
} else {
|
||||
summary = controls.RunGroup(verbose)
|
||||
}
|
||||
@ -141,34 +272,20 @@ func verifyNodeType(t check.NodeType) []string {
|
||||
// Always clear out error messages.
|
||||
errmsgs = ""
|
||||
|
||||
// Set up and check for config files.
|
||||
kubeConfDir = viper.Get("kubeConfDir").(string)
|
||||
etcdConfDir = viper.Get("etcdConfDir").(string)
|
||||
flanneldConfDir = viper.Get("flanneldConfDir").(string)
|
||||
|
||||
kubeMasterConf = append(kubeMasterConf, kubeConfDir+"/apiserver")
|
||||
kubeMasterConf = append(kubeMasterConf, kubeConfDir+"/scheduler")
|
||||
kubeMasterConf = append(kubeMasterConf, kubeConfDir+"/controller-manager")
|
||||
kubeMasterConf = append(kubeMasterConf, kubeConfDir+"/config")
|
||||
kubeMasterConf = append(kubeMasterConf, etcdConfDir+"/etcd.conf")
|
||||
kubeMasterConf = append(kubeMasterConf, flanneldConfDir+"/flanneld")
|
||||
|
||||
kubeNodeConf = append(kubeNodeConf, kubeConfDir+"/kubelet")
|
||||
kubeNodeConf = append(kubeNodeConf, kubeConfDir+"/proxy")
|
||||
|
||||
switch t {
|
||||
case check.MASTER:
|
||||
w = append(w, verifyBin(kubeMasterBin)...)
|
||||
w = append(w, verifyBin(xMasterBin)...)
|
||||
w = append(w, verifyConf(kubeMasterConf)...)
|
||||
w = append(w, verifyKubeVersion(kubeMasterBin[0])...)
|
||||
w = append(w, verifyBin(values(kubeMasterBin))...)
|
||||
w = append(w, verifyConf(values(kubeMasterConf))...)
|
||||
w = append(w, verifyKubeVersion(kubeMasterBin["apiserver"])...)
|
||||
case check.NODE:
|
||||
w = append(w, verifyBin(kubeNodeBin)...)
|
||||
w = append(w, verifyConf(kubeNodeConf)...)
|
||||
w = append(w, verifyKubeVersion(kubeNodeBin[0])...)
|
||||
case check.FEDERATED:
|
||||
w = append(w, verifyBin(kubeFederatedBin)...)
|
||||
w = append(w, verifyKubeVersion(kubeFederatedBin[0])...)
|
||||
w = append(w, verifyBin(values(kubeNodeBin))...)
|
||||
w = append(w, verifyConf(values(kubeNodeConf))...)
|
||||
w = append(w, verifyKubeVersion(kubeNodeBin["kubelet"])...)
|
||||
/*
|
||||
case check.FEDERATED:
|
||||
w = append(w, verifyBin(kubeFederatedBin)...)
|
||||
w = append(w, verifyKubeVersion(kubeFederatedBin[0])...)
|
||||
*/
|
||||
}
|
||||
|
||||
if verbose {
|
||||
@ -282,7 +399,7 @@ func verifyKubeVersion(b string) []string {
|
||||
out, err := cmd.Output()
|
||||
errmsgs += handleError(
|
||||
err,
|
||||
fmt.Sprintf("verifyKubeVersion: failed"),
|
||||
fmt.Sprintf("verifyKubeVersion: failed\nCommand:%s", cmd.Args),
|
||||
)
|
||||
|
||||
matched := strings.Contains(string(out), kubeVersion)
|
||||
@ -292,3 +409,11 @@ func verifyKubeVersion(b string) []string {
|
||||
|
||||
return w
|
||||
}
|
||||
|
||||
// values returns the values in a string map.
|
||||
func values(m map[string]string) (vals []string) {
|
||||
for _, v := range m {
|
||||
vals = append(vals, v)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
15
cmd/root.go
15
cmd/root.go
@ -38,7 +38,8 @@ var (
|
||||
etcdConfDir string
|
||||
flanneldConfDir string
|
||||
|
||||
verbose bool
|
||||
verbose bool
|
||||
installation string
|
||||
)
|
||||
|
||||
// RootCmd represents the base command when called without any subcommands
|
||||
@ -61,13 +62,21 @@ func init() {
|
||||
cobra.OnInitialize(initConfig)
|
||||
|
||||
RootCmd.PersistentFlags().BoolVar(&jsonFmt, "json", false, "Prints the results as JSON")
|
||||
RootCmd.PersistentFlags().StringVarP(&checkList,
|
||||
RootCmd.PersistentFlags().StringVar(
|
||||
&installation,
|
||||
"installation",
|
||||
"default",
|
||||
"Specify how kubernetes cluster was installed. Possible values are default,hyperkube,kops,kubeadm",
|
||||
)
|
||||
RootCmd.PersistentFlags().StringVarP(
|
||||
&checkList,
|
||||
"check",
|
||||
"c",
|
||||
"",
|
||||
`A comma-delimited list of checks to run as specified in CIS document. Example --check="1.1.1,1.1.2"`,
|
||||
)
|
||||
RootCmd.PersistentFlags().StringVarP(&groupList,
|
||||
RootCmd.PersistentFlags().StringVarP(
|
||||
&groupList,
|
||||
"group",
|
||||
"g",
|
||||
"",
|
||||
|
Loading…
Reference in New Issue
Block a user