Merge branch 'master' into u/jaxxstorm/golint

Liz Rice 6 years ago committed by GitHub
commit 58b6358a02

@ -0,0 +1,18 @@
builds:
- main: main.go
binary: kube-bench
goos:
- darwin
- linux
goarch:
- amd64
# Archive customization
archive:
format: tar.gz
fpm:
vendor: Aqua Security
description: "The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices"
license: Apache-2.0
formats:
- deb
- rpm

@ -1,6 +1,25 @@
---
language: go language: go
install:
- go get github.com/aquasecurity/kube-bench notifications:
email: false
before_install:
- sudo apt-get -qq update
- sudo apt-get install -y rpm
- gem install --no-ri --no-rdoc fpm
install:
- go get -v github.com/Masterminds/glide
- cd $GOPATH/src/github.com/Masterminds/glide && git checkout tags/v0.12.3 && go install && cd - # use a known good glide version
- glide install
script: script:
- go test ./... - go test ./...
- go build -o kube-bench .
after_success:
- test -n "$TRAVIS_TAG" && curl -sL https://git.io/goreleaser | bash
env:
global:
secure: 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
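Review bot: The `after_success` step pipes an unpinned remote script into `bash` (`curl -sL https://git.io/goreleaser | bash`) on every tagged build, in a job that carries the encrypted `secure:` credential from the `env.global` block, so whatever the redirect resolves to at build time runs with that secret in its environment. Nothing in the hunk pins a goreleaser version or checks a checksum before execution. I would replace the line with a fixed goreleaser release downloaded from its release URL, verified against a committed checksum (`sha256sum -c`), and then invoked as `goreleaser`; the `test -n "$TRAVIS_TAG" &&` guard can stay in front. Whether the secret is the token goreleaser publishes with is not visible here, but it is exposed to the fetched script either way.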

@ -5,8 +5,8 @@ RUN go get github.com/aquasecurity/kube-bench
FROM alpine:latest FROM alpine:latest
WORKDIR / WORKDIR /
COPY --from=0 /go/bin/kube-bench /kube-bench COPY --from=0 /go/bin/kube-bench /kube-bench
COPY cfg cfg COPY --from=0 /go/src/github.com/aquasecurity/kube-bench/cfg /cfg
COPY entrypoint.sh /entrypoint.sh COPY --from=0 /go/src/github.com/aquasecurity/kube-bench/entrypoint.sh /entrypoint.sh
ENTRYPOINT /entrypoint.sh ENTRYPOINT /entrypoint.sh
# Build-time metadata as defined at http://label-schema.org # Build-time metadata as defined at http://label-schema.org
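Review bot: The new `COPY --from=0 /go/src/github.com/aquasecurity/kube-bench/cfg /cfg` and `.../entrypoint.sh` lines take the controls and the entrypoint from the tree that `RUN go get github.com/aquasecurity/kube-bench` fetched in the builder stage (visible only in the hunk header), not from the build context, so a locally modified `cfg/` or `entrypoint.sh` no longer ends up in the image and the contents depend on whatever the remote default branch is at build time. If the intent is a self-contained build, the cleaner fix is to copy the checked-out source into `$GOPATH/src/github.com/aquasecurity/kube-bench` in stage 0 and build from that, which keeps the `--from=0` copies but makes them deterministic; that change sits in the builder stage outside this hunk. The unpinned `FROM alpine:latest` is pre-existing context, not introduced here.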

@ -731,7 +731,7 @@ groups:
- id: 1.4.11 - id: 1.4.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %a" audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %a
tests: tests:
test_items: test_items:
- flag: "700" - flag: "700"
@ -748,7 +748,7 @@ groups:
- id: 1.4.12 - id: 1.4.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G" audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G
tests: tests:
test_items: test_items:
- flag: "etcd:etcd" - flag: "etcd:etcd"
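Review bot: The rewritten 1.4.11 audit (`sed 's%.*data-dir[= ]\(\S*\)%\1%'`) prints the input line unchanged when no `data-dir` flag is present, so on an etcd started without that flag `xargs stat` receives every token of the `ps` line and the check produces a stream of stat errors instead of the empty output the old `grep -o` pipeline gave. Using `sed -n 's%.*data-dir[= ]\(\S*\)%\1%p'` emits only a successful substitution and keeps the no-flag case silent; the same applies to the 1.4.12 hunk below and to the matching pair in the next file. As a point of style, both new `audit:` values are unquoted plain scalars while every other `audit:` on the page is a double-quoted string; quoting them keeps the files consistent and avoids surprises if the expression ever gains a `: ` or `#`.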

@ -793,7 +793,7 @@ groups:
- id: 1.4.11 - id: 1.4.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %a" audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %a
tests: tests:
test_items: test_items:
- flag: "700" - flag: "700"
@ -810,7 +810,7 @@ groups:
- id: 1.4.12 - id: 1.4.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G" audit: ps -ef | grep $etcdbin | grep -v grep | ed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G
tests: tests:
test_items: test_items:
- flag: "etcd:etcd" - flag: "etcd:etcd"
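Review bot: The new 1.4.12 audit in this file has `| ed 's%.*data-dir[= ]\(\S*\)%\1%' |` where the 1.4.11 entry above and both entries in the previous file use `sed`; `ed` is the line editor, so this pipeline will fail and the ownership check for the etcd data directory can never pass. The line should read `audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G`. The no-match fall-through noted on the previous file applies here as well once the typo is fixed.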

@ -0,0 +1,38 @@
---
## Controls Files.
# These are YAML files that hold all the details for running checks.
#
## Uncomment to use different control file paths.
# masterControls: ./cfg/master.yaml
# nodeControls: ./cfg/node.yaml
# federatedControls: ./cfg/federated.yaml
master:
apiserver:
defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml
scheduler:
confs:
- /etc/kubernetes/manifests/kube-scheduler.yaml
defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
controllermanager:
confs:
- /etc/kubernetes/manifests/kube-controller-manager.yaml
defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
etcd:
confs:
- /etc/kubernetes/manifests/etcd.yaml
defaultconf: /etc/kubernetes/manifests/etcd.yaml
node:
kubelet:
confs:
- /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
defaultconf: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
proxy:
confs:
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
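Review bot: Under `master:`, `apiserver:` declares only `defaultconf`, whereas `scheduler`, `controllermanager`, `etcd`, `kubelet` and `proxy` each declare a `confs:` list plus `defaultconf`. If the loader walks `confs` to find the live config before falling back to `defaultconf` (I cannot tell from this file), the apiserver entry would never be probed and would always report the default path. For consistency I would add `confs:` with `- /etc/kubernetes/manifests/kube-apiserver.yaml` above the apiserver `defaultconf` line, matching the shape of every other component.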

@ -19,7 +19,7 @@ groups:
value: false value: false
set: true set: true
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverconf
on the master node and set the below parameter. on the master node and set the below parameter.
--anonymous-auth=false --anonymous-auth=false
@ -34,7 +34,7 @@ groups:
set: false set: false
remediation: | remediation: |
Follow the documentation and configure alternate mechanisms for authentication. Then, Follow the documentation and configure alternate mechanisms for authentication. Then,
edit the API server pod specification file $apiserverpodspec edit the API server pod specification file $apiserverconf
on the master node and remove the --basic-auth-file=<filename> on the master node and remove the --basic-auth-file=<filename>
parameter. parameter.
scored: true scored: true
@ -47,7 +47,7 @@ groups:
- flag: "--insecure-allow-any-token" - flag: "--insecure-allow-any-token"
set: false set: false
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverconf
on the master node and remove the --insecure-allow-any-token on the master node and remove the --insecure-allow-any-token
parameter. parameter.
scored: true scored: true
@ -66,7 +66,7 @@ groups:
- flag: "--kubelet-https" - flag: "--kubelet-https"
set: false set: false
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverconf
on the master node and remove the --kubelet-https parameter. on the master node and remove the --kubelet-https parameter.
scored: true scored: true
@ -78,7 +78,7 @@ groups:
- flag: "--insecure-bind-address" - flag: "--insecure-bind-address"
set: false set: false
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverconf
on the master node and remove the --insecure-bind-address on the master node and remove the --insecure-bind-address
parameter. parameter.
scored: true scored: true
@ -94,7 +94,7 @@ groups:
value: 0 value: 0
set: true set: true
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverconf
apiserver.yaml on the master node and set the below parameter. apiserver.yaml on the master node and set the below parameter.
--insecure-port=0 --insecure-port=0
scored: true scored: true
@ -113,7 +113,7 @@ groups:
- flag: "--secure-port" - flag: "--secure-port"
set: false set: false
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverconf
on the master node and either remove the --secure-port parameter or on the master node and either remove the --secure-port parameter or
set it to a different (non-zero) desired port. set it to a different (non-zero) desired port.
scored: true scored: true
@ -129,7 +129,7 @@ groups:
value: false value: false
set: true set: true
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverconf
on the master node and set the below parameter. on the master node and set the below parameter.
--profiling=false --profiling=false
scored: true scored: true
@ -145,7 +145,7 @@ groups:
value: false value: false
set: true set: true
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverconf
on the master node and set the below parameter. on the master node and set the below parameter.
--repair-malformed-updates=false --repair-malformed-updates=false
scored: true scored: true
@ -161,7 +161,7 @@ groups:
value: AlwaysAdmit value: AlwaysAdmit
set: true set: true
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverconf
on the master node and set the --admission-control parameter to a on the master node and set the --admission-control parameter to a
value that does not include AlwaysAdmit. value that does not include AlwaysAdmit.
scored: true scored: true
@ -177,7 +177,7 @@ groups:
value: "AlwaysPullImages" value: "AlwaysPullImages"
set: true set: true
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverconf
on the master node and set the --admission-control parameter to on the master node and set the --admission-control parameter to
include AlwaysPullImages. include AlwaysPullImages.
--admission-control=...,AlwaysPullImages,... --admission-control=...,AlwaysPullImages,...
@ -194,7 +194,7 @@ groups:
value: "DenyEscalatingExec" value: "DenyEscalatingExec"
set: true set: true
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverconf
on the master node and set the --admission-control parameter to a on the master node and set the --admission-control parameter to a
value that includes DenyEscalatingExec. value that includes DenyEscalatingExec.
--admission-control=...,DenyEscalatingExec,... --admission-control=...,DenyEscalatingExec,...
@ -211,7 +211,7 @@ groups:
value: "SecurityContextDeny" value: "SecurityContextDeny"
set: true set: true
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverconf
on the master node and set the --admission-control parameter to on the master node and set the --admission-control parameter to
include SecurityContextDeny. include SecurityContextDeny.
--admission-control=...,SecurityContextDeny,... --admission-control=...,SecurityContextDeny,...
@ -228,7 +228,7 @@ groups:
value: "NamespaceLifecycle" value: "NamespaceLifecycle"
set: true set: true
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverconf
on the master node and set the --admission-control parameter to on the master node and set the --admission-control parameter to
include NamespaceLifecycle. include NamespaceLifecycle.
--admission-control=...,NamespaceLifecycle,... --admission-control=...,NamespaceLifecycle,...
@ -242,7 +242,7 @@ groups:
- flag: "--audit-log-path" - flag: "--audit-log-path"
set: true set: true
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverconf
on the master node and set the --audit-log-path parameter to a suitable on the master node and set the --audit-log-path parameter to a suitable
path and file where you would like audit logs to be written, for example: path and file where you would like audit logs to be written, for example:
--audit-log-path=/var/log/apiserver/audit.log --audit-log-path=/var/log/apiserver/audit.log
@ -259,7 +259,7 @@ groups:
value: 30 value: 30
set: true set: true
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverconf
on the master node and set the --audit-log-maxage parameter to 30 or on the master node and set the --audit-log-maxage parameter to 30 or
as an appropriate number of days: as an appropriate number of days:
--audit-log-maxage=30 --audit-log-maxage=30
@ -276,7 +276,7 @@ groups:
value: 10 value: 10
set: true set: true
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverconf
on the master node and set the --audit-log-maxbackup parameter to 10 on the master node and set the --audit-log-maxbackup parameter to 10
or to an appropriate value. or to an appropriate value.
--audit-log-maxbackup=10 --audit-log-maxbackup=10
@ -293,7 +293,7 @@ groups:
value: 100 value: 100
set: true set: true
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverconf
on the master node and set the --audit-log-maxsize parameter to an on the master node and set the --audit-log-maxsize parameter to an
appropriate size in MB. For example, to set it as 100 MB: appropriate size in MB. For example, to set it as 100 MB:
--audit-log-maxsize=100 --audit-log-maxsize=100
@ -310,7 +310,7 @@ groups:
value: "AlwaysAllow" value: "AlwaysAllow"
set: true set: true
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverconf
on the master node and set the --authorization-mode parameter to on the master node and set the --authorization-mode parameter to
values other than AlwaysAllow. One such example could be as below. values other than AlwaysAllow. One such example could be as below.
--authorization-mode=RBAC --authorization-mode=RBAC
@ -325,7 +325,7 @@ groups:
set: false set: false
remediation: | remediation: |
Follow the documentation and configure alternate mechanisms for authentication. Then, Follow the documentation and configure alternate mechanisms for authentication. Then,
edit the API server pod specification file $apiserverpodspec edit the API server pod specification file $apiserverconf
on the master node and remove the --token-auth-file=<filename> on the master node and remove the --token-auth-file=<filename>
parameter. parameter.
scored: true scored: true
@ -340,7 +340,7 @@ groups:
remediation: | remediation: |
Follow the Kubernetes documentation and setup the TLS connection between the apiserver Follow the Kubernetes documentation and setup the TLS connection between the apiserver
and kubelets. Then, edit the API server pod specification file and kubelets. Then, edit the API server pod specification file
$apiserverpodspec on the master node and set the -- $apiserverconf on the master node and set the --
kubelet-certificate-authority parameter to the path to the cert file for the certificate kubelet-certificate-authority parameter to the path to the cert file for the certificate
authority. authority.
--kubelet-certificate-authority=<ca-string> --kubelet-certificate-authority=<ca-string>
@ -360,7 +360,7 @@ groups:
remediation: | remediation: |
Follow the Kubernetes documentation and set up the TLS connection between the Follow the Kubernetes documentation and set up the TLS connection between the
apiserver and kubelets. Then, edit API server pod specification file apiserver and kubelets. Then, edit API server pod specification file
$apiserverpodspec on the master node and set the $apiserverconf on the master node and set the
kubelet client certificate and key parameters as below. kubelet client certificate and key parameters as below.
--kubelet-client-certificate=<path/to/client-certificate-file> --kubelet-client-certificate=<path/to/client-certificate-file>
--kubelet-client-key=<path/to/client-key-file> --kubelet-client-key=<path/to/client-key-file>
@ -377,7 +377,7 @@ groups:
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverconf
on the master node and set the below parameter. on the master node and set the below parameter.
--service-account-lookup=true --service-account-lookup=true
scored: true scored: true
@ -394,7 +394,7 @@ groups:
set: true set: true
remediation: | remediation: |
Follow the documentation and create Pod Security Policy objects as per your environment. Follow the documentation and create Pod Security Policy objects as per your environment.
Then, edit the API server pod specification file $apiserverpodspec Then, edit the API server pod specification file $apiserverconf
on the master node and set the --admission-control parameter to a on the master node and set the --admission-control parameter to a
value that includes PodSecurityPolicy : value that includes PodSecurityPolicy :
--admission-control=...,PodSecurityPolicy,... --admission-control=...,PodSecurityPolicy,...
@ -410,7 +410,7 @@ groups:
- flag: "--service-account-key-file" - flag: "--service-account-key-file"
set: true set: true
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverconf
on the master node and set the --service-account-key-file parameter on the master node and set the --service-account-key-file parameter
to the public key file for service accounts: to the public key file for service accounts:
--service-account-key-file=<filename> --service-account-key-file=<filename>
@ -430,7 +430,7 @@ groups:
remediation: | remediation: |
Follow the Kubernetes documentation and set up the TLS connection between the Follow the Kubernetes documentation and set up the TLS connection between the
apiserver and etcd. Then, edit the API server pod specification file apiserver and etcd. Then, edit the API server pod specification file
$apiserverpodspec on the master node and set the etcd $apiserverconf on the master node and set the etcd
certificate and key file parameters. certificate and key file parameters.
--etcd-certfile=<path/to/client-certificate-file> --etcd-certfile=<path/to/client-certificate-file>
--etcd-keyfile=<path/to/client-key-file> --etcd-keyfile=<path/to/client-key-file>
@ -448,7 +448,7 @@ groups:
set: true set: true
remediation: | remediation: |
Follow the documentation and create ServiceAccount objects as per your environment. Follow the documentation and create ServiceAccount objects as per your environment.
Then, edit the API server pod specification file $apiserverpodspec Then, edit the API server pod specification file $apiserverconf
on the master node and set the --admission-control parameter to a on the master node and set the --admission-control parameter to a
value that includes ServiceAccount. value that includes ServiceAccount.
--admission-control=...,ServiceAccount,... --admission-control=...,ServiceAccount,...
@ -467,7 +467,7 @@ groups:
set: true set: true
remediation: | remediation: |
Follow the Kubernetes documentation and set up the TLS connection on the apiserver. Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
Then, edit the API server pod specification file $apiserverpodspec Then, edit the API server pod specification file $apiserverconf
on the master node and set the TLS certificate and private key file on the master node and set the TLS certificate and private key file
parameters. parameters.
--tls-cert-file=<path/to/tls-certificate-file> --tls-cert-file=<path/to/tls-certificate-file>
@ -483,7 +483,7 @@ groups:
set: true set: true
remediation: | remediation: |
Follow the Kubernetes documentation and set up the TLS connection on the apiserver. Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
Then, edit the API server pod specification file $apiserverpodspec Then, edit the API server pod specification file $apiserverconf
on the master node and set the client certificate authority file. on the master node and set the client certificate authority file.
--client-ca-file=<path/to/client-ca-file> --client-ca-file=<path/to/client-ca-file>
scored: true scored: true
@ -498,7 +498,7 @@ groups:
remediation: | remediation: |
Follow the Kubernetes documentation and set up the TLS connection between the Follow the Kubernetes documentation and set up the TLS connection between the
apiserver and etcd. Then, edit the API server pod specification file apiserver and etcd. Then, edit the API server pod specification file
$apiserverpodspec on the master node and set the etcd $apiserverconf on the master node and set the etcd
certificate authority file parameter. certificate authority file parameter.
--etcd-cafile=<path/to/ca-file> --etcd-cafile=<path/to/ca-file>
scored: true scored: true
@ -514,7 +514,7 @@ groups:
value: "Node" value: "Node"
set: true set: true
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverconf
on the master node and set the --authorization-mode parameter to a on the master node and set the --authorization-mode parameter to a
value that includes Node. value that includes Node.
--authorization-mode=Node,RBAC --authorization-mode=Node,RBAC
@ -532,7 +532,7 @@ groups:
set: true set: true
remediation: | remediation: |
Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets.
Then, edit the API server pod specification file $apiserverpodspec Then, edit the API server pod specification file $apiserverconf
on the master node and set the --admission-control parameter to a on the master node and set the --admission-control parameter to a
value that includes NodeRestriction. value that includes NodeRestriction.
--admission-control=...,NodeRestriction,... --admission-control=...,NodeRestriction,...
@ -548,7 +548,7 @@ groups:
set: true set: true
remediation: | remediation: |
Follow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit Follow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit
the API server pod specification file $apiserverpodspec the API server pod specification file $apiserverconf
on the master node and set the --experimental-encryption-provider-config parameter on the master node and set the --experimental-encryption-provider-config parameter
to the path of that file: to the path of that file:
--experimental-encryption-provider-config=</path/to/EncryptionConfig/File> --experimental-encryption-provider-config=</path/to/EncryptionConfig/File>
@ -586,7 +586,7 @@ groups:
set: true set: true
remediation: | remediation: |
Follow the Kubernetes documentation and set the desired limits in a configuration file. Follow the Kubernetes documentation and set the desired limits in a configuration file.
Then, edit the API server pod specification file $apiserverpodspec Then, edit the API server pod specification file $apiserverconf
and set the below parameters. and set the below parameters.
--admission-control=EventRateLimit --admission-control=EventRateLimit
--admission-control-config-file=<path/to/configuration/file> --admission-control-config-file=<path/to/configuration/file>
@ -598,7 +598,7 @@ groups:
type: "manual" type: "manual"
remediation: | remediation: |
Follow the Kubernetes documentation and set the desired audit policy in the Follow the Kubernetes documentation and set the desired audit policy in the
/etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverpodspec /etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverconf
and set the below parameters. and set the below parameters.
--audit-policy-file=/etc/kubernetes/audit-policy.yaml --audit-policy-file=/etc/kubernetes/audit-policy.yaml
scored: true scored: true
@ -608,7 +608,7 @@ groups:
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual" type: "manual"
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverconf
and set the below parameter as appropriate and if needed. For example, and set the below parameter as appropriate and if needed. For example,
--request-timeout=300 --request-timeout=300
scored: true scored: true
@ -628,7 +628,7 @@ groups:
set: true set: true
remediation: | remediation: |
Remediation: Remediation:
Edit the Scheduler pod specification file $apiserverpodspec Edit the Scheduler pod specification file $apiserverconf
file on the master node and set the below parameter. file on the master node and set the below parameter.
--profiling=false --profiling=false
scored: true scored: true
@ -644,7 +644,7 @@ groups:
- flag: "--terminated-pod-gc-threshold" - flag: "--terminated-pod-gc-threshold"
set: true set: true
remediation: | remediation: |
Edit the Controller Manager pod specification file $apiserverpodspec Edit the Controller Manager pod specification file $apiserverconf
on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold, for example: on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold, for example:
--terminated-pod-gc-threshold=10 --terminated-pod-gc-threshold=10
scored: true scored: true
@ -660,7 +660,7 @@ groups:
value: false value: false
set: true set: true
remediation: | remediation: |
Edit the Controller Manager pod specification file $apiserverpodspec Edit the Controller Manager pod specification file $apiserverconf
on the master node and set the below parameter. on the master node and set the below parameter.
--profiling=false --profiling=false
scored: true scored: true
@ -676,7 +676,7 @@ groups:
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the Controller Manager pod specification file $apiserverpodspec Edit the Controller Manager pod specification file $apiserverconf
on the master node to set the below parameter. on the master node to set the below parameter.
--use-service-account-credentials=true --use-service-account-credentials=true
scored: true scored: true
@ -689,7 +689,7 @@ groups:
- flag: "--service-account-private-key-file" - flag: "--service-account-private-key-file"
set: true set: true
remediation: | remediation: |
Edit the Controller Manager pod specification file $apiserverpodspec Edit the Controller Manager pod specification file $apiserverconf
on the master node and set the --service-account-private- on the master node and set the --service-account-private-
key-file parameter to the private key file for service accounts. key-file parameter to the private key file for service accounts.
--service-account-private-key-file=<filename> --service-account-private-key-file=<filename>
@ -703,7 +703,7 @@ groups:
- flag: "--root-ca-file" - flag: "--root-ca-file"
set: true set: true
remediation: | remediation: |
Edit the Controller Manager pod specification file $apiserverpodspec Edit the Controller Manager pod specification file $apiserverconf
on the master node and set the --root-ca-file parameter to on the master node and set the --root-ca-file parameter to
the certificate bundle file. the certificate bundle file.
--root-ca-file=<path/to/file> --root-ca-file=<path/to/file>
@ -729,7 +729,7 @@ groups:
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the Controller Manager pod specification file $apiserverpodspec Edit the Controller Manager pod specification file $apiserverconf
controller-manager.yaml on the master node and set the --feature-gates parameter to controller-manager.yaml on the master node and set the --feature-gates parameter to
include RotateKubeletServerCertificate=true. include RotateKubeletServerCertificate=true.
--feature-gates=RotateKubeletServerCertificate=true --feature-gates=RotateKubeletServerCertificate=true
@ -741,7 +741,7 @@ groups:
- id: 1.4.1 - id: 1.4.1
text: "Ensure that the API server pod specification file permissions are text: "Ensure that the API server pod specification file permissions are
set to 644 or more restrictive (Scored)" set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $apiserverpodspec; then stat -c %a $apiserverpodspec; fi'" audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -763,13 +763,13 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chmod 644 $apiserverpodspec chmod 644 $apiserverconf
scored: true scored: true
- id: 1.4.2 - id: 1.4.2
text: "Ensure that the API server pod specification file ownership is set to text: "Ensure that the API server pod specification file ownership is set to
root:root (Scored)" root:root (Scored)"
audit: "/bin/sh -c 'if test -e $apiserverpodspec; then stat -c %U:%G $apiserverpodspec; fi'" audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -780,13 +780,13 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chown root:root $apiserverpodspec chown root:root $apiserverconf
scored: true scored: true
- id: 1.4.3 - id: 1.4.3
text: "Ensure that the controller manager pod specification file text: "Ensure that the controller manager pod specification file
permissions are set to 644 or more restrictive (Scored)" permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $controllermanagerpodspec; then stat -c %a $controllermanagerpodspec; fi'" audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -808,13 +808,13 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chmod 644 $controllermanagerpodspec chmod 644 $controllermanagerconf
scored: true scored: true
- id: 1.4.4 - id: 1.4.4
text: "Ensure that the controller manager pod specification file text: "Ensure that the controller manager pod specification file
ownership is set to root:root (Scored)" ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $controllermanagerpodspec; then stat -c %U:%G $controllermanagerpodspec; fi'" audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -825,13 +825,13 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chown root:root $controllermanagerpodspec chown root:root $controllermanagerconf
scored: true scored: true
- id: 1.4.5 - id: 1.4.5
text: "Ensure that the scheduler pod specification file permissions are set text: "Ensure that the scheduler pod specification file permissions are set
to 644 or more restrictive (Scored)" to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $schedulerpodspec; then stat -c %a $schedulerpodspec; fi'" audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -853,13 +853,13 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chmod 644 $schedulerpodspec chmod 644 $schedulerconf
scored: true scored: true
- id: 1.4.6 - id: 1.4.6
text: "Ensure that the scheduler pod specification file ownership is set to text: "Ensure that the scheduler pod specification file ownership is set to
root:root (Scored)" root:root (Scored)"
audit: "/bin/sh -c 'if test -e $schedulerpodspec; then stat -c %U:%G $schedulerpodspec; fi'" audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -870,13 +870,13 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chown root:root $schedulerpodspec chown root:root $schedulerconf
scored: true scored: true
- id: 1.4.7 - id: 1.4.7
text: "Ensure that the etcd pod specification file permissions are set to text: "Ensure that the etcd pod specification file permissions are set to
644 or more restrictive (Scored)" 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $etcdpodspec; then stat -c %a $etcdpodspec; fi'" audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -898,13 +898,13 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chmod 644 $etcdpodspec chmod 644 $etcdconf
scored: true scored: true
- id: 1.4.8 - id: 1.4.8
text: "Ensure that the etcd pod specification file ownership is set to text: "Ensure that the etcd pod specification file ownership is set to
root:root (Scored)" root:root (Scored)"
audit: "/bin/sh -c 'if test -e $etcdpodspec; then stat -c %U:%G $etcdpodspec; fi'" audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -915,7 +915,7 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chown root:root $etcdpodspec chown root:root $etcdconf
scored: true scored: true
- id: 1.4.9 - id: 1.4.9
@ -942,7 +942,7 @@ groups:
- id: 1.4.11 - id: 1.4.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %a" audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a
tests: tests:
test_items: test_items:
- flag: "700" - flag: "700"
@ -960,7 +960,7 @@ groups:
- id: 1.4.12 - id: 1.4.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G" audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G
tests: tests:
test_items: test_items:
- flag: "etcd:etcd" - flag: "etcd:etcd"
@ -1086,7 +1086,7 @@ groups:
set: true set: true
remediation: | remediation: |
Follow the etcd service documentation and configure TLS encryption. Follow the etcd service documentation and configure TLS encryption.
Then, edit the etcd pod specification file $etcdpodspec on the Then, edit the etcd pod specification file $etcdconf on the
master node and set the below parameters. master node and set the below parameters.
--ca-file=</path/to/ca-file> --ca-file=</path/to/ca-file>
--key-file=</path/to/key-file> --key-file=</path/to/key-file>
@ -1103,7 +1103,7 @@ groups:
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the etcd pod specification file $etcdpodspec on the master Edit the etcd pod specification file $etcdconf on the master
node and set the below parameter. node and set the below parameter.
--client-cert-auth="true" --client-cert-auth="true"
scored: true scored: true
@ -1121,7 +1121,7 @@ groups:
op: neq op: neq
value: true value: true
remediation: | remediation: |
Edit the etcd pod specification file $etcdpodspec on the master Edit the etcd pod specification file $etcdconf on the master
node and either remove the --auto-tls parameter or set it to false. node and either remove the --auto-tls parameter or set it to false.
--auto-tls=false --auto-tls=false
scored: true scored: true
@ -1138,7 +1138,7 @@ groups:
set: true set: true
remediation: | remediation: |
Follow the etcd service documentation and configure peer TLS encryption as appropriate Follow the etcd service documentation and configure peer TLS encryption as appropriate
for your etcd cluster. Then, edit the etcd pod specification file $etcdpodspec on the for your etcd cluster. Then, edit the etcd pod specification file $etcdconf on the
master node and set the below parameters. master node and set the below parameters.
--peer-client-file=</path/to/peer-cert-file> --peer-client-file=</path/to/peer-cert-file>
--peer-key-file=</path/to/peer-key-file> --peer-key-file=</path/to/peer-key-file>
@ -1155,7 +1155,7 @@ groups:
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the etcd pod specification file $etcdpodspec on the master Edit the etcd pod specification file $etcdconf on the master
node and set the below parameter. node and set the below parameter.
--peer-client-cert-auth=true --peer-client-cert-auth=true
scored: true scored: true
@ -1174,7 +1174,7 @@ groups:
value: false value: false
set: true set: true
remediation: | remediation: |
Edit the etcd pod specification file $etcdpodspec on the master Edit the etcd pod specification file $etcdconf on the master
node and either remove the --peer-auto-tls parameter or set it to false. node and either remove the --peer-auto-tls parameter or set it to false.
--peer-auto-tls=false --peer-auto-tls=false
scored: true scored: true
@ -1187,7 +1187,7 @@ groups:
- flag: "--wal-dir" - flag: "--wal-dir"
set: true set: true
remediation: | remediation: |
Edit the etcd pod specification file $etcdpodspec on the master Edit the etcd pod specification file $etcdconf on the master
node and set the below parameter. node and set the below parameter.
--wal-dir=</path/to/log/dir> --wal-dir=</path/to/log/dir>
scored: true scored: true
@ -1203,7 +1203,7 @@ groups:
value: 0 value: 0
set: true set: true
remediation: | remediation: |
Edit the etcd pod specification file $etcdpodspec on the master Edit the etcd pod specification file $etcdconf on the master
node and set the below parameter. node and set the below parameter.
--max-wals=0 --max-wals=0
scored: true scored: true
@ -1218,7 +1218,7 @@ groups:
remediation: | remediation: |
Follow the etcd documentation and create a dedicated certificate authority setup for the Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service. etcd service.
Then, edit the etcd pod specification file $etcdpodspec on the Then, edit the etcd pod specification file $etcdconf on the
master node and set the below parameter. master node and set the below parameter.
--trusted-ca-file=</path/to/ca-file> --trusted-ca-file=</path/to/ca-file>
scored: false scored: false

@ -19,7 +19,7 @@ groups:
value: false value: false
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletunitfile Edit the kubelet service file $kubeletconf
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--allow-privileged=false --allow-privileged=false
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -38,7 +38,7 @@ groups:
value: false value: false
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletunitfile Edit the kubelet service file $kubeletconf
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false --anonymous-auth=false
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -57,7 +57,7 @@ groups:
value: "AlwaysAllow" value: "AlwaysAllow"
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletunitfile Edit the kubelet service file $kubeletconf
on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable. on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook --authorization-mode=Webhook
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -73,7 +73,7 @@ groups:
- flag: "--client-ca-file" - flag: "--client-ca-file"
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletunitfile Edit the kubelet service file $kubeletconf
on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable. on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable.
--client-ca-file=<path/to/client-ca-file> --client-ca-file=<path/to/client-ca-file>
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -92,7 +92,7 @@ groups:
value: 0 value: 0
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletunitfile Edit the kubelet service file $kubeletconf
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0 --read-only-port=0
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -111,7 +111,7 @@ groups:
value: 0 value: 0
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletunitfile Edit the kubelet service file $kubeletconf
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--streaming-connection-idle-timeout=5m --streaming-connection-idle-timeout=5m
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -130,7 +130,7 @@ groups:
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletunitfile Edit the kubelet service file $kubeletconf
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true --protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -150,7 +150,7 @@ groups:
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletunitfile Edit the kubelet service file $kubeletconf
on each worker node and remove the --make-iptables-util-chains argument from the on each worker node and remove the --make-iptables-util-chains argument from the
KUBELET_SYSTEM_PODS_ARGS variable. KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -169,7 +169,7 @@ groups:
value: false value: false
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletunitfile Edit the kubelet service file $kubeletconf
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--keep-terminated-pod-volumes=false --keep-terminated-pod-volumes=false
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -185,7 +185,7 @@ groups:
- flag: "--hostname-override" - flag: "--hostname-override"
set: false set: false
remediation: | remediation: |
Edit the kubelet service file $kubeletunitfile Edit the kubelet service file $kubeletconf
on each worker node and remove the --hostname-override argument from the on each worker node and remove the --hostname-override argument from the
KUBELET_SYSTEM_PODS_ARGS variable. KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -204,7 +204,7 @@ groups:
value: 0 value: 0
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletunitfile Edit the kubelet service file $kubeletconf
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--event-qps=0 --event-qps=0
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -245,7 +245,7 @@ groups:
value: 0 value: 0
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletunitfile Edit the kubelet service file $kubeletconf
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable. on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
--cadvisor-port=0 --cadvisor-port=0
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -264,7 +264,7 @@ groups:
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletunitfile Edit the kubelet service file $kubeletconf
on each worker node and remove the --feature- on each worker node and remove the --feature-
gates=RotateKubeletClientCertificate=false argument from the gates=RotateKubeletClientCertificate=false argument from the
KUBELET_CERTIFICATE_ARGS variable. KUBELET_CERTIFICATE_ARGS variable.
@ -284,7 +284,7 @@ groups:
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletunitfile Edit the kubelet service file $kubeletconf
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
--feature-gates=RotateKubeletServerCertificate=true --feature-gates=RotateKubeletServerCertificate=true
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -342,7 +342,7 @@ groups:
- id: 2.2.3 - id: 2.2.3
text: "Ensure that the kubelet service file permissions are set to 644 or text: "Ensure that the kubelet service file permissions are set to 644 or
more restrictive (Scored)" more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletunitfile; then stat -c %a $kubeletunitfile; fi'" audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -364,13 +364,13 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chmod 755 $kubeletunitfile chmod 755 $kubeletconf
scored: true scored: true
- id: 2.2.4 - id: 2.2.4
text: "Ensure that the kubelet service file permissions are set to 644 or text: "Ensure that the kubelet service file permissions are set to 644 or
more restrictive (Scored)" more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletunitfile; then stat -c %U:%G $kubeletunitfile; fi'" audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -378,7 +378,7 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chown root:root $kubeletunitfile chown root:root $kubeletconf
scored: true scored: true
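Review bot: After the rename, the 2.2.3 and 2.2.4 `audit:` lines stat whatever `$kubeletconf` resolves to, which — judging by the config.yaml hunk further down, where the `unitfiles` entries are deleted and `defaultconf` is `/etc/kubernetes/kubelet.conf` — is the kubelet kubeconfig rather than the systemd drop-in the check titles ("kubelet service file permissions/ownership") describe, and the remediation text "Edit the kubelet service file $kubeletconf ... in KUBELET_SYSTEM_PODS_ARGS variable" now points operators at a file that is unlikely to hold those variables; the `$etcdpodspec` → `$etcdconf` hunks in the master controls above follow the same pattern. If one substitution per component is the intent, the titles and remediation wording should name the file actually audited, otherwise the service-file candidates need their own substitution. Two pre-existing inconsistencies are also carried into the new lines: the 2.2.3 remediation `chmod 755 $kubeletconf` is looser than the "644 or more restrictive" its title and `test_items` require (should be `chmod 644 $kubeletconf`), and the 2.2.4 `text:` repeats the permissions wording although its `audit:`/`flag:` check ownership (`root:root`).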
- id: 2.2.5 - id: 2.2.5

@ -30,10 +30,6 @@ master:
- /etc/kubernetes/apiserver - /etc/kubernetes/apiserver
defaultconf: /etc/kubernetes/apiserver defaultconf: /etc/kubernetes/apiserver
podspecs:
- /etc/kubernetes/manifests/kube-apiserver.yaml
defaultpodspec: /etc/kubernetes/manifests/kube-apiserver.yaml
scheduler: scheduler:
bins: bins:
- "kube-scheduler" - "kube-scheduler"
@ -44,10 +40,6 @@ master:
- /etc/kubernetes/scheduler - /etc/kubernetes/scheduler
defaultconf: /etc/kubernetes/scheduler defaultconf: /etc/kubernetes/scheduler
podspecs:
- /etc/kubernetes/manifests/kube-scheduler.yaml
defaultpodspec: /etc/kubernetes/manifests/kube-scheduler.yaml
controllermanager: controllermanager:
bins: bins:
- "kube-controller-manager" - "kube-controller-manager"
@ -58,10 +50,6 @@ master:
- /etc/kubernetes/controller-manager - /etc/kubernetes/controller-manager
defaultconf: /etc/kubernetes/controller-manager defaultconf: /etc/kubernetes/controller-manager
podspecs:
- /etc/kubernetes/manifests/kube-controller-manager.yaml
defaultpodspec: /etc/kubernetes/manifests/kube-controller-manager.yaml
etcd: etcd:
optional: true optional: true
bins: bins:
@ -70,17 +58,12 @@ master:
- /etc/etcd/etcd.conf - /etc/etcd/etcd.conf
defaultconf: /etc/etcd/etcd.conf defaultconf: /etc/etcd/etcd.conf
podspecs:
- /etc/kubernetes/manifests/etcd.yaml
defaultpodspec: /etc/kubernetes/manifests/etcd.yaml
flanneld: flanneld:
optional: true optional: true
bins: bins:
- flanneld - flanneld
defaultconf: /etc/sysconfig/flanneld defaultconf: /etc/sysconfig/flanneld
node: node:
components: components:
- kubelet - kubelet
@ -100,10 +83,6 @@ node:
- /etc/kubernetes/kubelet - /etc/kubernetes/kubelet
defaultconf: "/etc/kubernetes/kubelet.conf" defaultconf: "/etc/kubernetes/kubelet.conf"
unitfiles:
- /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
defaultunitfile: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
proxy: proxy:
bins: bins:
- "kube-proxy" - "kube-proxy"
@ -130,5 +109,3 @@ federated:
- "hyperkube federation-controller-manager" - "hyperkube federation-controller-manager"
- "kube-federation-controller-manager" - "kube-federation-controller-manager"
- "federation-controller-manager" - "federation-controller-manager"

@ -29,6 +29,7 @@ var (
func runChecks(t check.NodeType) { func runChecks(t check.NodeType) {
var summary check.Summary var summary check.Summary
var nodetype string
var file string var file string
var err error var err error
var typeConf *viper.Viper var typeConf *viper.Viper
@ -36,49 +37,44 @@ func runChecks(t check.NodeType) {
switch t { switch t {
case check.MASTER: case check.MASTER:
file = masterFile file = masterFile
typeConf = viper.Sub("master") nodetype = "master"
case check.NODE:
file = nodeFile
typeConf = viper.Sub("node")
case check.FEDERATED:
file = federatedFile
typeConf = viper.Sub("federated")
}
// Get the set of exectuables and config files we care about on this type of node. This also
// checks that the executables we need for the node type are running.
binmap := getBinaries(typeConf)
confmap := getConfigFiles(typeConf, "conf")
podspecmap := getConfigFiles(typeConf, "podspec")
unitfilemap := getConfigFiles(typeConf, "unitfile")
switch t {
case check.MASTER:
file = masterFile
case check.NODE: case check.NODE:
file = nodeFile file = nodeFile
nodetype = "node"
case check.FEDERATED: case check.FEDERATED:
file = federatedFile file = federatedFile
nodetype = "federated"
} }
ver := getKubeVersion() ver := getKubeVersion()
glog.V(1).Info(fmt.Sprintf("Running tests for Kubernetes version: %s", ver)) path := fmt.Sprintf("%s/%s", cfgDir, ver)
path := fmt.Sprintf("%s/%s/%s", cfgDir, ver, file) def := fmt.Sprintf("%s/%s", path, file)
in, err := ioutil.ReadFile(path) in, err := ioutil.ReadFile(def)
if err != nil { if err != nil {
exitWithError(fmt.Errorf("error opening %s controls file: %v", t, err)) exitWithError(fmt.Errorf("error opening %s controls file: %v", t, err))
} }
// Merge kubernetes version specific config if any.
viper.SetConfigFile(path + "/config.yaml")
err = viper.MergeInConfig()
if err != nil {
continueWithError(err, fmt.Sprintf("Reading %s specific configuration file", ver))
}
typeConf = viper.Sub(nodetype)
// Get the set of exectuables and config files we care about on this type of node. This also
// checks that the executables we need for the node type are running.
binmap := getBinaries(typeConf)
confmap := getConfigFiles(typeConf)
// Variable substitutions. Replace all occurrences of variables in controls files. // Variable substitutions. Replace all occurrences of variables in controls files.
s := string(in) s := string(in)
s = makeSubstitutions(s, "bin", binmap) s = makeSubstitutions(s, "bin", binmap)
s = makeSubstitutions(s, "conf", confmap) s = makeSubstitutions(s, "conf", confmap)
s = makeSubstitutions(s, "podspec", podspecmap)
s = makeSubstitutions(s, "unitfile", unitfilemap)
glog.V(1).Info(fmt.Sprintf("Using config file: %s\n", viper.ConfigFileUsed())) glog.V(1).Info(fmt.Sprintf("Using config file: %s\n", viper.ConfigFileUsed()))
glog.V(1).Info(fmt.Sprintf("Using benchmark file: %s\n", path)) glog.V(1).Info(fmt.Sprintf("Using benchmark file: %s\n", def))
controls, err := check.NewControls(t, []byte(s)) controls, err := check.NewControls(t, []byte(s))
if err != nil { if err != nil {

@ -119,7 +119,7 @@ func getBinaries(v *viper.Viper) map[string]string {
// getConfigFiles finds which of the set of candidate config files exist // getConfigFiles finds which of the set of candidate config files exist
// accepts a string 't' which indicates the type of config file, conf, // accepts a string 't' which indicates the type of config file, conf,
// podspec or untifile. // podspec or untifile.
func getConfigFiles(v *viper.Viper, t string) map[string]string { func getConfigFiles(v *viper.Viper) map[string]string {
confmap := make(map[string]string) confmap := make(map[string]string)
for _, component := range v.GetStringSlice("components") { for _, component := range v.GetStringSlice("components") {
@ -129,14 +129,14 @@ func getConfigFiles(v *viper.Viper, t string) map[string]string {
} }
// See if any of the candidate config files exist // See if any of the candidate config files exist
conf := findConfigFile(s.GetStringSlice(t + "s")) conf := findConfigFile(s.GetStringSlice("confs"))
if conf == "" { if conf == "" {
if s.IsSet("default" + t) { if s.IsSet("defaultconf") {
conf = s.GetString("default" + t) conf = s.GetString("defaultconf")
glog.V(2).Info(fmt.Sprintf("Using default config file name '%s' for component %s", conf, component)) glog.V(2).Info(fmt.Sprintf("Using default config file name '%s' for component %s", conf, component))
} else { } else {
// Default the config file name that we'll substitute to the name of the component // Default the config file name that we'll substitute to the name of the component
printlnWarn(fmt.Sprintf("Missing config file for %s", component)) glog.V(2).Info(fmt.Sprintf("Missing config file for %s", component))
conf = component conf = component
} }
} else { } else {
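Review bot: Replacing `printlnWarn` with `glog.V(2).Info` for the "Missing config file" case in getConfigFiles makes the fallback `conf = component` silent at default verbosity, yet that fallback substitutes a bare component name such as `kubelet` into every `$...conf` audit command, so a check can report against a non-existent relative path with no visible hint that the benchmark is not inspecting the real file; keep this user-visible (`printlnWarn(...)`, or at least `glog.V(1)`). The doc comment above getConfigFiles still says it "accepts a string 't' which indicates the type of config file, conf, podspec or untifile" although the `t` parameter is gone; suggest `// getConfigFiles finds which of the candidate "confs" exist for each component, falling back to "defaultconf" or the component name.` (and the comment copied into runChecks still reads "exectuables"). In runChecks, `path := fmt.Sprintf("%s/%s", cfgDir, ver)` and `viper.SetConfigFile(path + "/config.yaml")` would read better as `filepath.Join(cfgDir, ver)` / `filepath.Join(path, "config.yaml")`, and since `viper.Sub(nodetype)` returns nil when the key is absent from the merged config, a nil check before `getBinaries(typeConf)` would turn a panic into a clear error (this was already true of the old `viper.Sub("master")` calls). runChecks continues past the first hunk, and getConfigFiles begins before the second.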

@ -279,7 +279,7 @@ func TestGetConfigFiles(t *testing.T) {
e = c.statResults e = c.statResults
eIndex = 0 eIndex = 0
m := getConfigFiles(v, "conf") m := getConfigFiles(v)
if !reflect.DeepEqual(m, c.exp) { if !reflect.DeepEqual(m, c.exp) {
t.Fatalf("Got %v\nExpected %v", m, c.exp) t.Fatalf("Got %v\nExpected %v", m, c.exp)
} }

@ -1,8 +1,8 @@
#!/bin/sh #!/bin/sh
if [ -d /host ]; then if [ -d /host ]; then
mkdir -p /host/cfg/ mkdir -p /host/cfg/
yes | cp -rf ./kube-bench/cfg/* /host/cfg/ yes | cp -rf /cfg/* /host/cfg/
yes | cp -rf ./kube-bench/kube-bench /host/ yes | cp -rf /kube-bench /host/
echo "===============================================" echo "==============================================="
echo "kube-bench is now installed on your host " echo "kube-bench is now installed on your host "
echo "Run ./kube-bench to perform a security check " echo "Run ./kube-bench to perform a security check "
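Review bot: The script has no `set -e` and never checks the result of `mkdir -p` or the two `cp -rf` commands, so when `/host` exists but is not writable (for example a read-only mount) the "kube-bench is now installed on your host" banner is still printed although nothing was copied; add `set -e` on the line after `#!/bin/sh`, or append `|| exit 1` to each copy. `yes | cp -rf` is also redundant here: `/bin/sh` has no interactive `cp` alias and `-f` already overwrites, so `cp -rf /cfg/* /host/cfg/` is sufficient. The `if` block continues past the end of the hunk.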
