Merge branch 'master' into add-new-cfg-version1.4

yoavrotems 5 years ago committed by GitHub
commit 50f22e7f13

@ -10,7 +10,7 @@ groups:
checks: checks:
- id: 2.1.1 - id: 2.1.1
text: "Ensure that the --allow-privileged argument is set to false (Scored)" text: "Ensure that the --allow-privileged argument is set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--allow-privileged" - flag: "--allow-privileged"
@ -19,7 +19,7 @@ groups:
value: false value: false
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--allow-privileged=false --allow-privileged=false
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -29,7 +29,7 @@ groups:
- id: 2.1.2 - id: 2.1.2
text: "Ensure that the --anonymous-auth argument is set to false (Scored)" text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--anonymous-auth" - flag: "--anonymous-auth"
@ -41,7 +41,7 @@ groups:
If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
false . false .
If using executable arguments, edit the kubelet service file If using executable arguments, edit the kubelet service file
$kubeletconf on each worker node and $kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false --anonymous-auth=false
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -51,7 +51,7 @@ groups:
- id: 2.1.3 - id: 2.1.3
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--authorization-mode" - flag: "--authorization-mode"
@ -62,7 +62,7 @@ groups:
remediation: | remediation: |
If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
If using executable arguments, edit the kubelet service file If using executable arguments, edit the kubelet service file
$kubeletconf on each worker node and $kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable. set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook --authorization-mode=Webhook
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -72,7 +72,7 @@ groups:
- id: 2.1.4 - id: 2.1.4
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--client-ca-file" - flag: "--client-ca-file"
@ -81,7 +81,7 @@ groups:
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
the location of the client CA file. the location of the client CA file.
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
$kubeletconf on each worker node and $kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable. set the below parameter in KUBELET_AUTHZ_ARGS variable.
--client-ca-file=<path/to/client-ca-file> --client-ca-file=<path/to/client-ca-file>
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -91,7 +91,7 @@ groups:
- id: 2.1.5 - id: 2.1.5
text: "Ensure that the --read-only-port argument is set to 0 (Scored)" text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--read-only-port" - flag: "--read-only-port"
@ -102,7 +102,7 @@ groups:
remediation: | remediation: |
If using a Kubelet config file, edit the file to set readOnlyPort to 0 . If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
$kubeletconf on each worker node and $kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0 --read-only-port=0
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -112,7 +112,7 @@ groups:
- id: 2.1.6 - id: 2.1.6
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--streaming-connection-idle-timeout" - flag: "--streaming-connection-idle-timeout"
@ -124,7 +124,7 @@ groups:
If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
value other than 0. value other than 0.
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
$kubeletconf on each worker node and $kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--streaming-connection-idle-timeout=5m --streaming-connection-idle-timeout=5m
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -134,7 +134,7 @@ groups:
- id: 2.1.7 - id: 2.1.7
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--protect-kernel-defaults" - flag: "--protect-kernel-defaults"
@ -145,7 +145,7 @@ groups:
remediation: | remediation: |
If using a Kubelet config file, edit the file to set protectKernelDefaults: true . If using a Kubelet config file, edit the file to set protectKernelDefaults: true .
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
$kubeletconf on each worker node and $kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true --protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -155,7 +155,7 @@ groups:
- id: 2.1.8 - id: 2.1.8
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)" text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -169,7 +169,7 @@ groups:
remediation: | remediation: |
If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true . If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
$kubeletconf on each worker node and $kubeletsvc on each worker node and
remove the --make-iptables-util-chains argument from the remove the --make-iptables-util-chains argument from the
KUBELET_SYSTEM_PODS_ARGS variable. KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -179,13 +179,13 @@ groups:
- id: 2.1.9 - id: 2.1.9
text: "Ensure that the --hostname-override argument is not set (Scored)" text: "Ensure that the --hostname-override argument is not set (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--hostname-override" - flag: "--hostname-override"
set: false set: false
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and remove the --hostname-override argument from the on each worker node and remove the --hostname-override argument from the
KUBELET_SYSTEM_PODS_ARGS variable. KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -195,7 +195,7 @@ groups:
- id: 2.1.10 - id: 2.1.10
text: "Ensure that the --event-qps argument is set to 0 (Scored)" text: "Ensure that the --event-qps argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--event-qps" - flag: "--event-qps"
@ -206,7 +206,7 @@ groups:
remediation: | remediation: |
If using a Kubelet config file, edit the file to set eventRecordQPS: 0 . If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
$kubeletconf on each worker node and $kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--event-qps=0 --event-qps=0
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -216,7 +216,7 @@ groups:
- id: 2.1.11 - id: 2.1.11
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -229,7 +229,7 @@ groups:
file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
corresponding private key file. corresponding private key file.
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
$kubeletconf on each worker node and $kubeletsvc on each worker node and
set the below parameters in KUBELET_CERTIFICATE_ARGS variable. set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
--tls-cert-file=<path/to/tls-certificate-file> --tls-cert-file=<path/to/tls-certificate-file>
file=<path/to/tls-key-file> file=<path/to/tls-key-file>
@ -240,7 +240,7 @@ groups:
- id: 2.1.12 - id: 2.1.12
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)" text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -252,7 +252,7 @@ groups:
- flag: "--cadvisor-port" - flag: "--cadvisor-port"
set: false set: false
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable. on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
--cadvisor-port=0 --cadvisor-port=0
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -262,7 +262,7 @@ groups:
- id: 2.1.13 - id: 2.1.13
text: "Ensure that the --rotate-certificates argument is not set to false (Scored)" text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--rotate-certificates" - flag: "--rotate-certificates"
@ -272,7 +272,7 @@ groups:
set: true set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to add the line rotateCertificates: true. If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
If using command line arguments, edit the kubelet service file $kubeletconf If using command line arguments, edit the kubelet service file $kubeletsvc
on each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable. on each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable.
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
@ -281,7 +281,7 @@ groups:
- id: 2.1.14 - id: 2.1.14
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "RotateKubeletServerCertificate" - flag: "RotateKubeletServerCertificate"
@ -290,7 +290,7 @@ groups:
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
--feature-gates=RotateKubeletServerCertificate=true --feature-gates=RotateKubeletServerCertificate=true
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -300,7 +300,7 @@ groups:
- id: 2.1.15 - id: 2.1.15
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)" text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--tls-cipher-suites" - flag: "--tls-cipher-suites"
@ -320,7 +320,7 @@ groups:
- id: 2.2.1 - id: 2.2.1
text: "Ensure that the kubelet.conf file permissions are set to 644 or text: "Ensure that the kubelet.conf file permissions are set to 644 or
more restrictive (Scored)" more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -342,12 +342,12 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chmod 644 $kubeletconf chmod 644 $kubeletkubeconfig
scored: true scored: true
- id: 2.2.2 - id: 2.2.2
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)" text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -358,7 +358,7 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chown root:root $kubeletconf chown root:root $kubeletkubeconfig
scored: true scored: true
- id: 2.2.3 - id: 2.2.3
@ -404,7 +404,7 @@ groups:
- id: 2.2.5 - id: 2.2.5
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'" audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -426,12 +426,12 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chmod 644 $proxyconf chmod 644 $proxykubeconfig
scored: true scored: true
- id: 2.2.6 - id: 2.2.6
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)" text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'" audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -439,7 +439,7 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chown root:root $proxyconf chown root:root $proxykubeconfig
scored: true scored: true
- id: 2.2.7 - id: 2.2.7
@ -462,19 +462,19 @@ groups:
- id: 2.2.9 - id: 2.2.9
text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)" text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e /var/lib/kubelet/config.yaml; then stat -c %U:%G /var/lib/kubelet/config.yaml; fi'" audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
set: true set: true
remediation: | remediation: |
Run the following command (using the config file location identied in the Audit step) Run the following command (using the config file location identied in the Audit step)
chown root:root /etc/kubernetes/kubelet.conf chown root:root $kubeletconf
scored: true scored: true
- id: 2.2.10 - id: 2.2.10
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)" text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e /var/lib/kubelet/config.yaml; then stat -c %a /var/lib/kubelet/config.yaml; fi'" audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -495,5 +495,5 @@ groups:
set: true set: true
remediation: | remediation: |
Run the following command (using the config file location identied in the Audit step) Run the following command (using the config file location identied in the Audit step)
chmod 644 /var/lib/kubelet/config.yaml chmod 644 $kubeletconf
scored: true scored: true
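Review bot: The new `ps -fC $kubeletbin` audit (introduced at the 2.1.1 hunk and repeated for every 2.1.x check in this file) selects on the process's command name (comm), not the full command line, so `$kubeletbin` now has to resolve to a bare executable name rather than a path or pattern, and when it does not match the audit prints nothing at all — which turns the absent-flag checks such as 2.1.9 (`set: false` for `--hostname-override`) and the second 2.1.12 item (`set: false` for `--cadvisor-port`) into vacuous passes instead of loud failures. The same silent pass happens on a node whose `ps` is not procps and does not understand `-C`. Worth documenting that constraint where `$kubeletbin` is defined, e.g. `# $kubeletbin must be the bare kubelet process name: the audit uses ps -C, which matches on comm only`, and, if the test schema allows it, treating empty audit output as a failure for the `set: false` items. Separately, the unchanged context line `file=<path/to/tls-key-file>` in the 2.1.11 remediation looks like a wrapped `--tls-private-key-file=`; it predates this commit.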

@ -34,11 +34,9 @@ master:
node: node:
kubelet: kubelet:
confs: defaultconf: /var/lib/kubelet/config.yaml
- /etc/systemd/system/kubelet.service.d/10-kubeadm.conf defaultsvc: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
defaultconf: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf defaultkubeconfig: /etc/kubernetes/kubelet.conf
proxy: proxy:
confs:
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml

@ -10,7 +10,7 @@ groups:
checks: checks:
- id: 2.1.1 - id: 2.1.1
text: "Ensure that the --allow-privileged argument is set to false (Scored)" text: "Ensure that the --allow-privileged argument is set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--allow-privileged" - flag: "--allow-privileged"
@ -19,7 +19,7 @@ groups:
value: false value: false
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--allow-privileged=false --allow-privileged=false
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -29,7 +29,7 @@ groups:
- id: 2.1.2 - id: 2.1.2
text: "Ensure that the --anonymous-auth argument is set to false (Scored)" text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--anonymous-auth" - flag: "--anonymous-auth"
@ -38,7 +38,7 @@ groups:
value: false value: false
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false --anonymous-auth=false
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -48,7 +48,7 @@ groups:
- id: 2.1.3 - id: 2.1.3
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--authorization-mode" - flag: "--authorization-mode"
@ -57,7 +57,7 @@ groups:
value: "AlwaysAllow" value: "AlwaysAllow"
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable. on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook --authorization-mode=Webhook
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -67,13 +67,13 @@ groups:
- id: 2.1.4 - id: 2.1.4
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--client-ca-file" - flag: "--client-ca-file"
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable. on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable.
--client-ca-file=<path/to/client-ca-file> --client-ca-file=<path/to/client-ca-file>
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -83,7 +83,7 @@ groups:
- id: 2.1.5 - id: 2.1.5
text: "Ensure that the --read-only-port argument is set to 0 (Scored)" text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--read-only-port" - flag: "--read-only-port"
@ -92,7 +92,7 @@ groups:
value: 0 value: 0
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0 --read-only-port=0
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -102,7 +102,7 @@ groups:
- id: 2.1.6 - id: 2.1.6
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--streaming-connection-idle-timeout" - flag: "--streaming-connection-idle-timeout"
@ -111,7 +111,7 @@ groups:
value: 0 value: 0
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--streaming-connection-idle-timeout=5m --streaming-connection-idle-timeout=5m
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -121,7 +121,7 @@ groups:
- id: 2.1.7 - id: 2.1.7
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--protect-kernel-defaults" - flag: "--protect-kernel-defaults"
@ -130,7 +130,7 @@ groups:
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true --protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -140,7 +140,7 @@ groups:
- id: 2.1.8 - id: 2.1.8
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)" text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -150,7 +150,7 @@ groups:
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and remove the --make-iptables-util-chains argument from the on each worker node and remove the --make-iptables-util-chains argument from the
KUBELET_SYSTEM_PODS_ARGS variable. KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -160,7 +160,7 @@ groups:
- id: 2.1.9 - id: 2.1.9
text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)" text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--keep-terminated-pod-volumes" - flag: "--keep-terminated-pod-volumes"
@ -169,7 +169,7 @@ groups:
value: false value: false
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--keep-terminated-pod-volumes=false --keep-terminated-pod-volumes=false
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -179,13 +179,13 @@ groups:
- id: 2.1.10 - id: 2.1.10
text: "Ensure that the --hostname-override argument is not set (Scored)" text: "Ensure that the --hostname-override argument is not set (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--hostname-override" - flag: "--hostname-override"
set: false set: false
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and remove the --hostname-override argument from the on each worker node and remove the --hostname-override argument from the
KUBELET_SYSTEM_PODS_ARGS variable. KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -195,7 +195,7 @@ groups:
- id: 2.1.11 - id: 2.1.11
text: "Ensure that the --event-qps argument is set to 0 (Scored)" text: "Ensure that the --event-qps argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--event-qps" - flag: "--event-qps"
@ -204,7 +204,7 @@ groups:
value: 0 value: 0
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--event-qps=0 --event-qps=0
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -214,7 +214,7 @@ groups:
- id: 2.1.12 - id: 2.1.12
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--tls-cert-file" - flag: "--tls-cert-file"
@ -223,8 +223,7 @@ groups:
set: true set: true
remediation: | remediation: |
Follow the Kubernetes documentation and set up the TLS connection on the Kubelet. Follow the Kubernetes documentation and set up the TLS connection on the Kubelet.
Then edit the kubelet service file /etc/systemd/system/kubelet.service.d/10- Then edit the kubelet service file $kubeletsvc on each worker node and set the below parameters in
kubeadm.conf on each worker node and set the below parameters in
KUBELET_CERTIFICATE_ARGS variable. KUBELET_CERTIFICATE_ARGS variable.
--tls-cert-file=<path/to/tls-certificate-file> --tls-cert-file=<path/to/tls-certificate-file>
file=<path/to/tls-key-file> file=<path/to/tls-key-file>
@ -236,7 +235,7 @@ groups:
- id: 2.1.13 - id: 2.1.13
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)" text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--cadvisor-port" - flag: "--cadvisor-port"
@ -245,7 +244,7 @@ groups:
value: 0 value: 0
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable. on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
--cadvisor-port=0 --cadvisor-port=0
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -255,7 +254,7 @@ groups:
- id: 2.1.14 - id: 2.1.14
text: "Ensure that the RotateKubeletClientCertificate argument is set to true" text: "Ensure that the RotateKubeletClientCertificate argument is set to true"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "RotateKubeletClientCertificate" - flag: "RotateKubeletClientCertificate"
@ -264,7 +263,7 @@ groups:
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and remove the --feature- on each worker node and remove the --feature-
gates=RotateKubeletClientCertificate=false argument from the gates=RotateKubeletClientCertificate=false argument from the
KUBELET_CERTIFICATE_ARGS variable. KUBELET_CERTIFICATE_ARGS variable.
@ -275,7 +274,7 @@ groups:
- id: 2.1.15 - id: 2.1.15
text: "Ensure that the RotateKubeletServerCertificate argument is set to true" text: "Ensure that the RotateKubeletServerCertificate argument is set to true"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "RotateKubeletServerCertificate" - flag: "RotateKubeletServerCertificate"
@ -284,7 +283,7 @@ groups:
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
--feature-gates=RotateKubeletServerCertificate=true --feature-gates=RotateKubeletServerCertificate=true
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -298,7 +297,7 @@ groups:
- id: 2.2.1 - id: 2.2.1
text: "Ensure that the kubelet.conf file permissions are set to 644 or text: "Ensure that the kubelet.conf file permissions are set to 644 or
more restrictive (Scored)" more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -320,12 +319,12 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chmod 644 $kubeletconf chmod 644 $kubeletkubeconfig
scored: true scored: true
- id: 2.2.2 - id: 2.2.2
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)" text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -336,13 +335,13 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chown root:root /etc/kubernetes/kubelet.conf chown root:root $kubeletkubeconfig
scored: true scored: true
- id: 2.2.3 - id: 2.2.3
text: "Ensure that the kubelet service file permissions are set to 644 or text: "Ensure that the kubelet service file permissions are set to 644 or
more restrictive (Scored)" more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -364,12 +363,12 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chmod 755 $kubeletconf chmod 755 $kubeletsvc
scored: true scored: true
- id: 2.2.4 - id: 2.2.4
text: "2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)" text: "2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -377,13 +376,13 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chown root:root $kubeletconf chown root:root $kubeletsvc
scored: true scored: true
- id: 2.2.5 - id: 2.2.5
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more
restrictive (Scored)" restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'" audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -405,12 +404,12 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chmod 644 $proxyconf chmod 644 $proxykubeconfig
scored: true scored: true
- id: 2.2.6 - id: 2.2.6
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)" text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'" audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -418,7 +417,7 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chown root:root $proxyconf chown root:root $proxykubeconfig
scored: true scored: true
- id: 2.2.7 - id: 2.2.7

@ -78,10 +78,9 @@ node:
bins: bins:
- "hyperkube kubelet" - "hyperkube kubelet"
- "kubelet" - "kubelet"
confs: defaultconf: "/var/lib/kubelet/config.yaml"
- /etc/kubernetes/kubelet.conf defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
- /etc/kubernetes/kubelet defaultkubeconfig: "/etc/kubernetes/kubelet.conf"
defaultconf: "/etc/kubernetes/kubelet.conf"
proxy: proxy:
bins: bins:
@ -89,9 +88,9 @@ node:
- "hyperkube proxy" - "hyperkube proxy"
- "proxy" - "proxy"
confs: confs:
- /etc/kubernetes/proxy.conf
- /etc/kubernetes/proxy - /etc/kubernetes/proxy
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml - /etc/kubernetes/addons/kube-proxy-daemonset.yaml
defaultkubeconfig: "/etc/kubernetes/proxy.conf"
federated: federated:
components: components:
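Review bot: Neither the kubelet nor the proxy block gains a `kubeconfig:` candidate list to go with the new `defaultkubeconfig:` keys, and the kubelet `confs:` list is dropped rather than replaced, so the lookup in getKubeConfigFiles (`findConfigFile(s.GetStringSlice("kubeconfig"))` in the cmd hunk below) always receives an empty slice and `$kubeletkubeconfig`, `$proxykubeconfig` and `$kubeletconf` resolve to the hard-coded default path on every host, whether or not that file exists. If that is intended, it is worth saying so next to the defaults so nobody expects probing, e.g. `# no kubeconfig:/confs: candidates are listed, so the default* paths below are substituted as-is`; if not, the lists should be restored (`confs:` with `/etc/kubernetes/kubelet.conf` and `/etc/kubernetes/kubelet` for the kubelet, and a `kubeconfig:` list mirroring the `confs:` entries for proxy). Presumably the old kubelet `confs:` entries were meant to move under a `kubeconfig:` key rather than vanish, since `/etc/kubernetes/kubelet.conf` is now the kubeconfig default.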

@ -83,12 +83,14 @@ func runChecks(nodetype check.NodeType) {
binmap := getBinaries(typeConf) binmap := getBinaries(typeConf)
confmap := getConfigFiles(typeConf) confmap := getConfigFiles(typeConf)
svcmap := getServiceFiles(typeConf) svcmap := getServiceFiles(typeConf)
kubeconfmap := getKubeConfigFiles(typeConf)
// Variable substitutions. Replace all occurrences of variables in controls files. // Variable substitutions. Replace all occurrences of variables in controls files.
s := string(in) s := string(in)
s = makeSubstitutions(s, "bin", binmap) s = makeSubstitutions(s, "bin", binmap)
s = makeSubstitutions(s, "conf", confmap) s = makeSubstitutions(s, "conf", confmap)
s = makeSubstitutions(s, "svc", svcmap) s = makeSubstitutions(s, "svc", svcmap)
s = makeSubstitutions(s, "kubeconfig", kubeconfmap)
controls, err := check.NewControls(nodetype, []byte(s)) controls, err := check.NewControls(nodetype, []byte(s))
if err != nil { if err != nil {
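Review bot: The new `makeSubstitutions(s, "kubeconfig", kubeconfmap)` pass splices config-file values straight into the controls YAML, and those values end up inside quoted shell commands in the controls (the node hunk above rewrites audits to `/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'`), so a default path containing a single quote or other shell metacharacter would break or alter the audit command. If makeSubstitutions is a plain textual replace (its body is not in this hunk), the comment on the substitution block should state that constraint, e.g. `// Substituted values are spliced verbatim into audit shell strings in the controls files; config paths must not contain quotes or shell metacharacters.` runChecks continues outside the hunk.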

@ -219,6 +219,37 @@ func getServiceFiles(v *viper.Viper) map[string]string {
return svcmap return svcmap
} }
// getKubeConfigFiles finds which of the set of candidate kubeconfig files exist
func getKubeConfigFiles(v *viper.Viper) map[string]string {
kubeconfigmap := make(map[string]string)
for _, component := range v.GetStringSlice("components") {
s := v.Sub(component)
if s == nil {
continue
}
// See if any of the candidate config files exist
kubeconfig := findConfigFile(s.GetStringSlice("kubeconfig"))
if kubeconfig == "" {
if s.IsSet("defaultkubeconfig") {
kubeconfig = s.GetString("defaultkubeconfig")
glog.V(2).Info(fmt.Sprintf("Using default kubeconfig file name '%s' for component %s", kubeconfig, component))
} else {
// Default the service file name that we'll substitute to the name of the component
glog.V(2).Info(fmt.Sprintf("Missing service file for %s", component))
kubeconfig = component
}
} else {
glog.V(2).Info(fmt.Sprintf("Component %s uses service file '%s'", component, kubeconfig))
}
kubeconfigmap[component] = kubeconfig
}
return kubeconfigmap
}
// verifyBin checks that the binary specified is running // verifyBin checks that the binary specified is running
func verifyBin(bin string) bool { func verifyBin(bin string) bool {
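Review bot: The log messages and the comment in the fallback branches of getKubeConfigFiles still say "service file" (`Missing service file for %s`, `Component %s uses service file '%s'`, and the comment `Default the service file name that we'll substitute`), so a `-v 2` run misreports which class of file was missing or selected; they should read "kubeconfig file". The function is otherwise a near-verbatim copy of getServiceFiles (whose closing lines form the context above), differing only in the viper keys, so a shared helper parameterized on the list key, the default key and a log label would fix the wording once and keep the three getters from drifting again; `glog.V(2).Infof` also replaces the `Info(fmt.Sprintf(...))` pairs. The final fallback `kubeconfig = component` makes `$kubeletkubeconfig` substitute to the bare word `kubelet`, which in an audit such as `test -e $kubeletkubeconfig` becomes a relative path; presumably this mirrors the sibling getters, but a one-line comment saying the substitution is kept resolvable on purpose would help the next reader. getKubeConfigFiles is fully contained in the hunk.

```go
// getKubeConfigFiles finds which of the set of candidate kubeconfig files exist
func getKubeConfigFiles(v *viper.Viper) map[string]string {
	return getComponentFiles(v, "kubeconfig", "defaultkubeconfig", "kubeconfig")
}

// getComponentFiles resolves, per component, the first existing file among the
// candidates under listKey, then the value of defaultKey, and finally the bare
// component name so the substitution still resolves to something. label is
// only used in log output.
func getComponentFiles(v *viper.Viper, listKey, defaultKey, label string) map[string]string {
	filemap := make(map[string]string)
	for _, component := range v.GetStringSlice("components") {
		s := v.Sub(component)
		if s == nil {
			continue
		}
		file := findConfigFile(s.GetStringSlice(listKey))
		switch {
		case file != "":
			glog.V(2).Infof("Component %s uses %s file '%s'", component, label, file)
		case s.IsSet(defaultKey):
			file = s.GetString(defaultKey)
			glog.V(2).Infof("Using default %s file name '%s' for component %s", label, file, component)
		default:
			glog.V(2).Infof("Missing %s file for %s", label, component)
			file = component
		}
		filemap[component] = file
	}
	return filemap
}
```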
