add support VMware Tanzu(TKGI) Benchmarks v1.2.53

fixed all the yaml lint errors
1 year ago · 5ca84a80df
parent 7be067c733 2f61dc174b
commit 5ca84a80df
6 changed files with 36 additions and 36 deletions
--- a/cfg/tkgi-1.2.53/config.yaml
+++ b/cfg/tkgi-1.2.53/config.yaml
@ -1,2 +1,2 @@
 ---
-## Version-specific settings that override the values in cfg/config.yaml
+## Version-specific settings that override the values in cfg/config.yaml
--- a/cfg/tkgi-1.2.53/controlplane.yaml
+++ b/cfg/tkgi-1.2.53/controlplane.yaml
@ -64,4 +64,4 @@ groups:
        remediation: |
          Consider modification of the audit policy in use on the cluster to include these items, at a
          minimum.
-        scored: false
+        scored: false
--- a/cfg/tkgi-1.2.53/etcd.yaml
+++ b/cfg/tkgi-1.2.53/etcd.yaml
@ -118,4 +118,4 @@ groups:
          Then, edit the etcd pod specification file etcd config on the
          master node and set the below parameter.
          --trusted-ca-file=</path/to/ca-file>
-        scored: false
+        scored: false
--- a/cfg/tkgi-1.2.53/master.yaml
+++ b/cfg/tkgi-1.2.53/master.yaml
@ -50,32 +50,32 @@ groups:
          For example, chmod 644 /var/vcap/jobs/kube-apiserver/config/bpm.yml
        scored: true

-      - id: 1.1.4                                                                 
+      - id: 1.1.4
        text: "Ensure that the controller manager pod specification file ownership is set to root:root"
-        audit: stat -c %U:%G /var/vcap/jobs/kube-controller-manager/config/bpm.yml                  
-        tests:                                                                                         
-          test_items:                                                                                  
-            - flag: "root:root"                                                                        
-        remediation: |                                                                                 
-          Run the below command (based on the file location on your system) on the                     
-          master node.                                                                                 
-          For example, chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml          
-        scored: true 
-
-      - id: 1.1.5                                                                 
+        audit: stat -c %U:%G /var/vcap/jobs/kube-controller-manager/config/bpm.yml
+        tests:
+          test_items:
+            - flag: "root:root"
+        remediation: |
+          Run the below command (based on the file location on your system) on the
+          master node.
+          For example, chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml
+        scored: true
+
+      - id: 1.1.5
        text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive"
-        audit: stat -c permissions=%a /var/vcap/jobs/kube-scheduler/config/bpm.yml                   
-        tests:                                                                                         
-          test_items:                                                                                  
+        audit: stat -c permissions=%a /var/vcap/jobs/kube-scheduler/config/bpm.yml
+        tests:
+          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
-                value: "644"                                                                       
-        remediation: |                                                                                 
-          Run the below command (based on the file location on your system) on the                     
-          master node.                                                                                 
-          For example, chown 644 /var/vcap/jobs/kube-scheduler/config/bpm.yml          
-        scored: true 
+                value: "644"
+        remediation: |
+          Run the below command (based on the file location on your system) on the
+          master node.
+          For example, chown 644 /var/vcap/jobs/kube-scheduler/config/bpm.yml
+        scored: true

      - id: 1.1.6
        text: "Ensure that the scheduler pod specification file ownership is set to root:root"
@ -566,7 +566,7 @@ groups:
          not have access to a registry to pull in-use images. This setting is not appropriate for
          clusters which use this configuration."
          TKGi is packages with pre-loaded images.
-        scored: false 
+        scored: false

      - id: 1.2.13
        text: "Ensure that the admission control plugin SecurityContextDeny is set"
@ -666,13 +666,13 @@ groups:
          value that includes NodeRestriction.
          --enable-admission-plugins=...,NodeRestriction,...
          Exception
-          PR opened to address the issue https://github.com/cloudfoundry-incubator/kubo-release/pull/179" 
+          PR opened to address the issue https://github.com/cloudfoundry-incubator/kubo-release/pull/179"
        scored: true

      - id: 1.2.18
        text: "Ensure that the --insecure-bind-address argument is not set"
        audit: |
-          ps -ef | grep kube-apiserver | grep -v tini | grep -v -- "--insecure-bind-address"        
+          ps -ef | grep kube-apiserver | grep -v tini | grep -v -- "--insecure-bind-address"
        tests:
          test_items:
            - flag: "--insecure-bind-address"
@ -1095,4 +1095,4 @@ groups:
          Exception
          This setting can be set to expected value using Kubernetes Profiles. Please follow instructions here
          https://docs.pivotal.io/tkgi/1-8/k8s-profiles.html
-        scored: false
+        scored: false
--- a/cfg/tkgi-1.2.53/node.yaml
+++ b/cfg/tkgi-1.2.53/node.yaml
@ -55,7 +55,7 @@ groups:
      - id: 4.1.4
        text: "Ensure that the proxy kubeconfig file ownership is set to root:root"
        audit: stat -c %U:%G /var/vcap/jobs/kube-proxy/config/kubeconfig
-        type:  manual
+        type: manual
        tests:
          test_items:
            - flag: root:root
@ -181,7 +181,7 @@ groups:

      - id: 4.2.2
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow"
-        audit:  |
+        audit: |
          grep "^authorization:\n\s{2}mode: AlwaysAllow$" /var/vcap/jobs/kubelet/config/kubeletconfig.yml
        tests:
          test_items:
@ -298,7 +298,7 @@ groups:
          ps -ef | grep [k]ubelet | grep -- --[c]onfig=/var/vcap/jobs/kubelet/config/kubeletconfig.yml | grep -v -- --hostname-override
        type: manual
        remediation: |
-          Edit the kubelet service file 
+          Edit the kubelet service file
          on each worker node and remove the --hostname-override argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
@ -331,8 +331,8 @@ groups:

      - id: 4.2.10
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate"
-        audit:  |
-          grep  ^tlsCertFile:\s\"\/var\/vcap\/jobs\/kubelet\/config\/kubelet\.pem\"\ntlsPrivateKeyFile:\s\"\/var\/vcap\/jobs\/kubelet\/config\/kubelet-key\.pem\"$ 
+        audit: |
+          grep  ^tlsCertFile:\s\"\/var\/vcap\/jobs\/kubelet\/config\/kubelet\.pem\"\ntlsPrivateKeyFile:\s\"\/var\/vcap\/jobs\/kubelet\/config\/kubelet-key\.pem\"$
          /var/vcap/jobs/kubelet/config/kubeletconfig.yml
        tests:
          bin_op: and
@ -383,7 +383,7 @@ groups:
          test_items:
            - flag: "RotateKubeletServerCertificate=true"
        remediation: |
-          Edit the kubelet service file 
+          Edit the kubelet service file
          on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
          --feature-gates=RotateKubeletServerCertificate=true
          Based on your system, restart the kubelet service. For example:
@ -415,4 +415,4 @@ groups:
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
-        scored: false
+        scored: false
--- a/cfg/tkgi-1.2.53/policies.yaml
+++ b/cfg/tkgi-1.2.53/policies.yaml
@ -284,4 +284,4 @@ groups:
          resources and that all new resources are created in a specific namespace.
          Exception
          This is site-specific setting.
-        scored: false
+        scored: false