From 3e5d02e920da08777d295a952e22a798509b7a7c Mon Sep 17 00:00:00 2001
From: Roberto Rojas
Date: Wed, 28 Aug 2019 04:27:56 -0400
Subject: [PATCH] fixes issue #386 (#397)
* fixes issue #386
* Correct typo
---
 cfg/1.11/node.yaml | 3 +++
 cfg/1.13/node.yaml | 3 +++
 cfg/config.yaml | 19 ++++++++++++++++++-
 job-iks.yaml | 33 +++++++++++++++++++++++++++++++++
 4 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 job-iks.yaml
diff --git a/cfg/1.11/node.yaml b/cfg/1.11/node.yaml
index 0110cfc..1e1a0fe 100644
--- a/cfg/1.11/node.yaml
+++ b/cfg/1.11/node.yaml
@@ -267,12 +267,15 @@ groups:
 text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
 audit: "ps -fC $kubeletbin"
 tests:
+ bin_op: or
 test_items:
 - flag: "--rotate-certificates"
 compare:
 op: eq
 value: true
 set: true
+ - flag: "--rotate-certificates"
+ set: false
 remediation: |
 If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
 If using command line arguments, edit the kubelet service file $kubeletsvc
diff --git a/cfg/1.13/node.yaml b/cfg/1.13/node.yaml
index 928e76e..fdb8590 100644
--- a/cfg/1.13/node.yaml
+++ b/cfg/1.13/node.yaml
@@ -249,12 +249,15 @@ groups:
 text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
 audit: "ps -fC $kubeletbin"
 tests:
+ bin_op: or
 test_items:
 - flag: "--rotate-certificates"
 compare:
 op: eq
 value: true
 set: true
+ - flag: "--rotate-certificates"
+ set: false
 remediation: |
 If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
 If using command line arguments, edit the kubelet service file $kubeletsvc
diff --git a/cfg/config.yaml b/cfg/config.yaml
index d8d559e..b6b7133 100644
--- a/cfg/config.yaml
+++ b/cfg/config.yaml
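Review bot: With `bin_op: or` and the new `set: false` item, this check now passes whenever `--rotate-certificates` is absent from the kubelet's process arguments, but the audit is still `ps -fC $kubeletbin`, so a kubelet that disables rotation in its config file (the case the remediation text itself describes with `rotateCertificates: true`) is never inspected and is reported as passing. That is a false negative on the "not set to false" control, and it applies equally to the identical hunk in cfg/1.13/node.yaml. Record the assumption next to the second test item so a later edit does not silently widen it further, e.g. `# absent flag passes; the kubelet config file is not audited by the ps command above`. The check entry this hunk belongs to opens before the hunk.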
@@ -84,20 +84,33 @@ node:
 cafile:
 - "/etc/kubernetes/pki/ca.crt"
 - "/etc/kubernetes/certs/ca.crt"
- svc:
+ - "/etc/kubernetes/cert/ca.pem"
+ svc:
+ # These paths must also be included
+ # in the 'confs' property below
 - "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
 - "/etc/systemd/system/kubelet.service"
+ - "/lib/systemd/system/kubelet.service"
 bins:
 - "hyperkube kubelet"
 - "kubelet"
 kubeconfig:
 - "/etc/kubernetes/kubelet.conf"
 - "/var/lib/kubelet/kubeconfig"
+ - "/etc/kubernetes/kubelet-kubeconfig"
 confs:
 - "/var/lib/kubelet/config.yaml"
 - "/etc/kubernetes/kubelet/kubelet-config.json"
 - "/home/kubernetes/kubelet-config.yaml"
 - "/etc/default/kubelet"
+ ## Due to the fact that the kubelet might be configured
+ ## without a kubelet-config file, we use a work-around
+ ## of pointing to the systemd service file (which can also
+ ## hold kubelet configuration).
+ ## Note: The following paths must match the one under 'svc'
+ - "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
+ - "/etc/systemd/system/kubelet.service"
+ - "/lib/systemd/system/kubelet.service"
 defaultconf: "/var/lib/kubelet/config.yaml"
 defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
 defaultkubeconfig: "/etc/kubernetes/kubelet.conf"
@@ -111,6 +124,10 @@ node:
 confs:
 - /etc/kubernetes/proxy
 - /etc/kubernetes/addons/kube-proxy-daemonset.yaml
+ kubeconfig:
+ - /etc/kubernetes/kubelet-kubeconfig
+ svc:
+ - "/lib/systemd/system/kube-proxy.service"
 defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
 defaultkubeconfig: "/etc/kubernetes/proxy.conf"
diff --git a/job-iks.yaml b/job-iks.yaml
new file mode 100644
index 0000000..24528ba
--- /dev/null
+++ b/job-iks.yaml
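Review bot: Adding the three systemd unit paths to `confs` means `$kubeletconf` can resolve to a unit file on a node that has no kubelet config file, so every check that audits `$kubeletconf` for ownership, permissions or configuration keys is then evaluated against a systemd unit; the `##` comment explains the work-around but not which checks this affects or what result is expected on such a node. The ordering looks deliberate, since the unit paths come after the real config files, but whether the first existing path wins is a property of the loader rather than of this file, so state that intent if it is relied on. In the same hunk the new comment uses `## ` while the sibling comment added under `svc` uses `# `, and the "must match" requirement is enforced only by prose; prefer one comment style and name the dependency directly, e.g. `# Keep this list identical to 'svc' above: with no kubelet config file, $kubeletconf falls back to the unit file`. The `node:` mapping this hunk belongs to starts before the hunk.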
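Review bot: The new `kubeconfig` entry in the proxy stanza is unquoted (`- /etc/kubernetes/kubelet-kubeconfig`) while the `svc` entry added two lines below and the same path in the kubelet stanza earlier in this file are quoted; quote it for consistency, `- "/etc/kubernetes/kubelet-kubeconfig"`. Separately, this points the proxy's kubeconfig checks at the kubelet's kubeconfig, so they will report on the kubelet credential's ownership and permissions rather than on a proxy-specific file; if that is how the target platform deploys kube-proxy, a one-line comment saying so would stop a later reader from treating it as a copy-paste mistake. The proxy stanza begins before the hunk.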
@@ -0,0 +1,33 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kube-bench
+spec:
+ template:
+ spec:
+ hostPID: true
+ containers:
+ - name: kube-bench
+ image: aquasec/kube-bench:latest
+ command: ["kube-bench", "--version", "1.13", "node"]
+ volumeMounts:
+ - name: var-lib-kubelet
+ mountPath: /var/lib/kubelet
+ - name: etc-systemd
+ mountPath: /etc/systemd
+ - name: etc-kubernetes
+ mountPath: /etc/kubernetes
+ restartPolicy: Never
+ volumes:
+ - name: var-lib-kubelet
+ hostPath:
+ path: "/var/lib/kubelet"
+ - name: etc-systemd
+ hostPath:
+ path: "/lib/systemd"
+ - name: etc-kubernetes
+ hostPath:
+ path: "/etc/kubernetes"
+ - name: usr-bin
+ hostPath:
+ path: "/usr/bin"
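Review bot: The `etc-systemd` volume mounts host `/lib/systemd` at `/etc/systemd` inside the container, so the host's `/lib/systemd/system/kubelet.service` is visible only under the `/etc/systemd/...` path and never at `/lib/systemd/system/kubelet.service`, which is the very path this commit adds to `svc` and `confs` in cfg/config.yaml; if the rename-on-mount is deliberate it needs a comment, otherwise mount it at `/lib/systemd` under a matching name. The `usr-bin` volume is declared but never listed under `volumeMounts`, so it is dead configuration and should be mounted or dropped. Nothing the container runs appears to need write access to these host paths, so each hostPath mount should carry `readOnly: true`, and `image: aquasec/kube-bench:latest` should be pinned to a release tag or digest so the job that audits the node is itself reproducible. The rewritten mount entries below show the mount-path fix and the read-only flags.
```yaml
      containers:
      - name: kube-bench
        image: aquasec/kube-bench:latest  # TODO: pin to a release tag or digest
        # … unchanged: command …
        volumeMounts:
        - name: var-lib-kubelet
          mountPath: /var/lib/kubelet
          readOnly: true
        - name: lib-systemd
          mountPath: /lib/systemd
          readOnly: true
        - name: etc-kubernetes
          mountPath: /etc/kubernetes
          readOnly: true
      # … unchanged: restartPolicy, var-lib-kubelet and etc-kubernetes volumes …
      - name: lib-systemd
        hostPath:
          path: "/lib/systemd"
      # usr-bin volume removed: it was never mounted
```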