diff --git a/cfg/tkgi-1.2.53/config.yaml b/cfg/tkgi-1.2.53/config.yaml
index 4cbf4cf..b783945 100644
--- a/cfg/tkgi-1.2.53/config.yaml
+++ b/cfg/tkgi-1.2.53/config.yaml
@@ -1,2 +1,2 @@
 ---
-## Version-specific settings that override the values in cfg/config.yaml
\ No newline at end of file
+## Version-specific settings that override the values in cfg/config.yaml
diff --git a/cfg/tkgi-1.2.53/controlplane.yaml b/cfg/tkgi-1.2.53/controlplane.yaml
index 9a3156c..4f3ab67 100644
--- a/cfg/tkgi-1.2.53/controlplane.yaml
+++ b/cfg/tkgi-1.2.53/controlplane.yaml
@@ -64,4 +64,4 @@ groups:
 remediation: |
 Consider modification of the audit policy in use on the cluster to include these items, at a minimum.
- scored: false
\ No newline at end of file
+ scored: false
diff --git a/cfg/tkgi-1.2.53/etcd.yaml b/cfg/tkgi-1.2.53/etcd.yaml
index aca215b..8f99b7f 100644
--- a/cfg/tkgi-1.2.53/etcd.yaml
+++ b/cfg/tkgi-1.2.53/etcd.yaml
@@ -118,4 +118,4 @@ groups:
 Then, edit the etcd pod specification file etcd config on the master node and set the below parameter.
 --trusted-ca-file=
- scored: false
\ No newline at end of file
+ scored: false
diff --git a/cfg/tkgi-1.2.53/master.yaml b/cfg/tkgi-1.2.53/master.yaml
index e7323d6..8d19457 100644
--- a/cfg/tkgi-1.2.53/master.yaml
+++ b/cfg/tkgi-1.2.53/master.yaml
@@ -50,32 +50,32 @@ groups:
 For example, chmod 644 /var/vcap/jobs/kube-apiserver/config/bpm.yml
 scored: true
- - id: 1.1.4
+ - id: 1.1.4
 text: "Ensure that the controller manager pod specification file ownership is set to root:root"
- audit: stat -c %U:%G /var/vcap/jobs/kube-controller-manager/config/bpm.yml
- tests:
- test_items:
- - flag: "root:root"
- remediation: |
- Run the below command (based on the file location on your system) on the
- master node.
- For example, chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml
- scored: true
+ audit: stat -c %U:%G /var/vcap/jobs/kube-controller-manager/config/bpm.yml
+ tests:
+ test_items:
+ - flag: "root:root"
+ remediation: |
+ Run the below command (based on the file location on your system) on the
+ master node.
+ For example, chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml
+ scored: true
- - id: 1.1.5
+ - id: 1.1.5
 text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive"
- audit: stat -c permissions=%a /var/vcap/jobs/kube-scheduler/config/bpm.yml
- tests:
- test_items:
+ audit: stat -c permissions=%a /var/vcap/jobs/kube-scheduler/config/bpm.yml
+ tests:
+ test_items:
 - flag: "permissions"
 compare:
 op: bitmask
- value: "644"
- remediation: |
- Run the below command (based on the file location on your system) on the
- master node.
- For example, chown 644 /var/vcap/jobs/kube-scheduler/config/bpm.yml
- scored: true
+ value: "644"
+ remediation: |
+ Run the below command (based on the file location on your system) on the
+ master node.
+ For example, chown 644 /var/vcap/jobs/kube-scheduler/config/bpm.yml
+ scored: true
 - id: 1.1.6
 text: "Ensure that the scheduler pod specification file ownership is set to root:root"
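Review bot: The 1.1.5 remediation carried over on the new side still tells the operator to run `chown 644 /var/vcap/jobs/kube-scheduler/config/bpm.yml`, which changes the file's owner to UID 644 (or fails) rather than the mode that the check's `stat -c permissions=%a` audit actually measures; it should read `chmod 644 /var/vcap/jobs/kube-scheduler/config/bpm.yml`, matching the `chmod 644` wording of the kube-apiserver check just above. The re-indented 1.1.4 remediation has a similar mismatch: its audit inspects `/var/vcap/jobs/kube-controller-manager/config/bpm.yml` but the example command names `/etc/kubernetes/manifests/kube-controller-manager.yaml`, a path that presumably does not exist on a TKGi/BOSH node, so the guidance should point at the audited bpm.yml. Both are pre-existing text that this whitespace-only hunk preserves, and the enclosing `groups` list starts before and continues after the hunk.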
@@ -566,7 +566,7 @@ groups:
 not have access to a registry to pull in-use images. This setting is not appropriate for clusters which use this configuration." TKGi is packages with pre-loaded images.
- scored: false
+ scored: false
 - id: 1.2.13
 text: "Ensure that the admission control plugin SecurityContextDeny is set"
@@ -666,13 +666,13 @@ groups:
 value that includes NodeRestriction.
 --enable-admission-plugins=...,NodeRestriction,...
 Exception
- PR opened to address the issue https://github.com/cloudfoundry-incubator/kubo-release/pull/179"
+ PR opened to address the issue https://github.com/cloudfoundry-incubator/kubo-release/pull/179"
 scored: true
 - id: 1.2.18
 text: "Ensure that the --insecure-bind-address argument is not set"
 audit: |
- ps -ef | grep kube-apiserver | grep -v tini | grep -v -- "--insecure-bind-address"
+ ps -ef | grep kube-apiserver | grep -v tini | grep -v -- "--insecure-bind-address"
 tests:
 test_items:
 - flag: "--insecure-bind-address"
@@ -1095,4 +1095,4 @@ groups:
 Exception
 This setting can be set to expected value using Kubernetes Profiles. Please follow instructions here https://docs.pivotal.io/tkgi/1-8/k8s-profiles.html
- scored: false
\ No newline at end of file
+ scored: false
diff --git a/cfg/tkgi-1.2.53/node.yaml b/cfg/tkgi-1.2.53/node.yaml
index 2656171..8e0f095 100644
--- a/cfg/tkgi-1.2.53/node.yaml
+++ b/cfg/tkgi-1.2.53/node.yaml
@@ -55,7 +55,7 @@ groups:
 - id: 4.1.4
 text: "Ensure that the proxy kubeconfig file ownership is set to root:root"
 audit: stat -c %U:%G /var/vcap/jobs/kube-proxy/config/kubeconfig
- type: manual
+ type: manual
 tests:
 test_items:
 - flag: root:root
@@ -181,7 +181,7 @@ groups:
 - id: 4.2.2
 text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow"
- audit: |
+ audit: |
 grep "^authorization:\n\s{2}mode: AlwaysAllow$" /var/vcap/jobs/kubelet/config/kubeletconfig.yml
 tests:
 test_items:
@@ -298,7 +298,7 @@ groups:
 ps -ef | grep [k]ubelet | grep -- --[c]onfig=/var/vcap/jobs/kubelet/config/kubeletconfig.yml | grep -v -- --hostname-override
 type: manual
 remediation: |
- Edit the kubelet service file
+ Edit the kubelet service file
 on each worker node and remove the --hostname-override argument from the
 KUBELET_SYSTEM_PODS_ARGS variable.
 Based on your system, restart the kubelet service. For example:
@@ -331,8 +331,8 @@ groups:
 - id: 4.2.10
 text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate"
- audit: |
- grep ^tlsCertFile:\s\"\/var\/vcap\/jobs\/kubelet\/config\/kubelet\.pem\"\ntlsPrivateKeyFile:\s\"\/var\/vcap\/jobs\/kubelet\/config\/kubelet-key\.pem\"$
+ audit: |
+ grep ^tlsCertFile:\s\"\/var\/vcap\/jobs\/kubelet\/config\/kubelet\.pem\"\ntlsPrivateKeyFile:\s\"\/var\/vcap\/jobs\/kubelet\/config\/kubelet-key\.pem\"$
 /var/vcap/jobs/kubelet/config/kubeletconfig.yml
 tests:
 bin_op: and
@@ -383,7 +383,7 @@ groups:
 test_items:
 - flag: "RotateKubeletServerCertificate=true"
 remediation: |
- Edit the kubelet service file
+ Edit the kubelet service file
 on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
 --feature-gates=RotateKubeletServerCertificate=true
 Based on your system, restart the kubelet service. For example:
@@ -415,4 +415,4 @@ groups:
 Based on your system, restart the kubelet service. For example:
 systemctl daemon-reload
 systemctl restart kubelet.service
- scored: false
\ No newline at end of file
+ scored: false
diff --git a/cfg/tkgi-1.2.53/policies.yaml b/cfg/tkgi-1.2.53/policies.yaml
index 801c3cf..ef5f1ad 100644
--- a/cfg/tkgi-1.2.53/policies.yaml
+++ b/cfg/tkgi-1.2.53/policies.yaml
@@ -284,4 +284,4 @@ groups:
 resources and that all new resources are created in a specific namespace.
 Exception
 This is site-specific setting.
- scored: false
\ No newline at end of file
+ scored: false