add support VMware Tanzu(TKGI) Benchmarks v1.2.53
Fixed all the YAML lint errors.
commit
5ca84a80df
@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
## Version-specific settings that override the values in cfg/config.yaml
|
## Version-specific settings that override the values in cfg/config.yaml
|
||||||
|
@ -64,4 +64,4 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Consider modification of the audit policy in use on the cluster to include these items, at a
|
Consider modification of the audit policy in use on the cluster to include these items, at a
|
||||||
minimum.
|
minimum.
|
||||||
scored: false
|
scored: false
|
||||||
|
@ -118,4 +118,4 @@ groups:
|
|||||||
Then, edit the etcd pod specification file etcd config on the
|
Then, edit the etcd pod specification file etcd config on the
|
||||||
master node and set the below parameter.
|
master node and set the below parameter.
|
||||||
--trusted-ca-file=</path/to/ca-file>
|
--trusted-ca-file=</path/to/ca-file>
|
||||||
scored: false
|
scored: false
|
||||||
|
@ -50,32 +50,32 @@ groups:
|
|||||||
For example, chmod 644 /var/vcap/jobs/kube-apiserver/config/bpm.yml
|
For example, chmod 644 /var/vcap/jobs/kube-apiserver/config/bpm.yml
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.4
|
- id: 1.1.4
|
||||||
text: "Ensure that the controller manager pod specification file ownership is set to root:root"
|
text: "Ensure that the controller manager pod specification file ownership is set to root:root"
|
||||||
audit: stat -c %U:%G /var/vcap/jobs/kube-controller-manager/config/bpm.yml
|
audit: stat -c %U:%G /var/vcap/jobs/kube-controller-manager/config/bpm.yml
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the
|
Run the below command (based on the file location on your system) on the
|
||||||
master node.
|
master node.
|
||||||
For example, chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml
|
For example, chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.5
|
- id: 1.1.5
|
||||||
text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive"
|
text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive"
|
||||||
audit: stat -c permissions=%a /var/vcap/jobs/kube-scheduler/config/bpm.yml
|
audit: stat -c permissions=%a /var/vcap/jobs/kube-scheduler/config/bpm.yml
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "permissions"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: bitmask
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the
|
Run the below command (based on the file location on your system) on the
|
||||||
master node.
|
master node.
|
||||||
For example, chown 644 /var/vcap/jobs/kube-scheduler/config/bpm.yml
|
For example, chown 644 /var/vcap/jobs/kube-scheduler/config/bpm.yml
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.6
|
- id: 1.1.6
|
||||||
text: "Ensure that the scheduler pod specification file ownership is set to root:root"
|
text: "Ensure that the scheduler pod specification file ownership is set to root:root"
|
||||||
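Review bot: The remediation for check 1.1.5 in this hunk, `For example, chown 644 /var/vcap/jobs/kube-scheduler/config/bpm.yml`, uses `chown` to set a permission mode; GNU chown accepts a numeric owner, so an operator following it would most likely change the file's owner to uid 644 (breaking the 1.1.6 root:root expectation) while the mode stays as it was. The 1.1.3 text in the same hunk reads `For example, chmod 644 /var/vcap/jobs/kube-apiserver/config/bpm.yml`, so the 1.1.5 line should be `For example, chmod 644 /var/vcap/jobs/kube-scheduler/config/bpm.yml`. Separately, check 1.1.4 audits `/var/vcap/jobs/kube-controller-manager/config/bpm.yml` but its remediation still names the upstream path `/etc/kubernetes/manifests/kube-controller-manager.yaml`, which is not the file the audit reads on the TKGI layout; the remediation should name the same bpm.yml path. The enclosing groups list starts and ends outside this hunk.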
@ -566,7 +566,7 @@ groups:
|
|||||||
not have access to a registry to pull in-use images. This setting is not appropriate for
|
not have access to a registry to pull in-use images. This setting is not appropriate for
|
||||||
clusters which use this configuration."
|
clusters which use this configuration."
|
||||||
TKGi is packages with pre-loaded images.
|
TKGi is packages with pre-loaded images.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.2.13
|
- id: 1.2.13
|
||||||
text: "Ensure that the admission control plugin SecurityContextDeny is set"
|
text: "Ensure that the admission control plugin SecurityContextDeny is set"
|
||||||
@ -666,13 +666,13 @@ groups:
|
|||||||
value that includes NodeRestriction.
|
value that includes NodeRestriction.
|
||||||
--enable-admission-plugins=...,NodeRestriction,...
|
--enable-admission-plugins=...,NodeRestriction,...
|
||||||
Exception
|
Exception
|
||||||
PR opened to address the issue https://github.com/cloudfoundry-incubator/kubo-release/pull/179"
|
PR opened to address the issue https://github.com/cloudfoundry-incubator/kubo-release/pull/179"
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.2.18
|
- id: 1.2.18
|
||||||
text: "Ensure that the --insecure-bind-address argument is not set"
|
text: "Ensure that the --insecure-bind-address argument is not set"
|
||||||
audit: |
|
audit: |
|
||||||
ps -ef | grep kube-apiserver | grep -v tini | grep -v -- "--insecure-bind-address"
|
ps -ef | grep kube-apiserver | grep -v tini | grep -v -- "--insecure-bind-address"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--insecure-bind-address"
|
- flag: "--insecure-bind-address"
|
||||||
@ -1095,4 +1095,4 @@ groups:
|
|||||||
Exception
|
Exception
|
||||||
This setting can be set to expected value using Kubernetes Profiles. Please follow instructions here
|
This setting can be set to expected value using Kubernetes Profiles. Please follow instructions here
|
||||||
https://docs.pivotal.io/tkgi/1-8/k8s-profiles.html
|
https://docs.pivotal.io/tkgi/1-8/k8s-profiles.html
|
||||||
scored: false
|
scored: false
|
||||||
|
@ -55,7 +55,7 @@ groups:
|
|||||||
- id: 4.1.4
|
- id: 4.1.4
|
||||||
text: "Ensure that the proxy kubeconfig file ownership is set to root:root"
|
text: "Ensure that the proxy kubeconfig file ownership is set to root:root"
|
||||||
audit: stat -c %U:%G /var/vcap/jobs/kube-proxy/config/kubeconfig
|
audit: stat -c %U:%G /var/vcap/jobs/kube-proxy/config/kubeconfig
|
||||||
type: manual
|
type: manual
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: root:root
|
- flag: root:root
|
||||||
@ -181,7 +181,7 @@ groups:
|
|||||||
|
|
||||||
- id: 4.2.2
|
- id: 4.2.2
|
||||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow"
|
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow"
|
||||||
audit: |
|
audit: |
|
||||||
grep "^authorization:\n\s{2}mode: AlwaysAllow$" /var/vcap/jobs/kubelet/config/kubeletconfig.yml
|
grep "^authorization:\n\s{2}mode: AlwaysAllow$" /var/vcap/jobs/kubelet/config/kubeletconfig.yml
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
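Review bot: The 4.2.2 audit `grep "^authorization:\n\s{2}mode: AlwaysAllow$" /var/vcap/jobs/kubelet/config/kubeletconfig.yml` can never match, because grep evaluates one line at a time and a pattern containing `\n` spans two lines, and `\s{2}` is not interpreted by basic grep either. The audit therefore always yields empty output, so whatever the test_items below this hunk assert about `AlwaysAllow` is evaluated against nothing and the check's pass/fail does not reflect the actual kubelet authorization mode. The 4.2.10 audit later in this file has the same `\n` problem, and its pattern is additionally unquoted, so the shell strips the backslashes from `\s`, `\"`, `\/`, `\.` and `\n` before grep sees them. A line-oriented form such as `grep -A1 "^authorization:" /var/vcap/jobs/kubelet/config/kubeletconfig.yml | grep "mode: AlwaysAllow"` would give the test_items real output to compare; the test_items for both checks lie outside the hunks, so I could not confirm which direction the flag comparison takes.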
@ -298,7 +298,7 @@ groups:
|
|||||||
ps -ef | grep [k]ubelet | grep -- --[c]onfig=/var/vcap/jobs/kubelet/config/kubeletconfig.yml | grep -v -- --hostname-override
|
ps -ef | grep [k]ubelet | grep -- --[c]onfig=/var/vcap/jobs/kubelet/config/kubeletconfig.yml | grep -v -- --hostname-override
|
||||||
type: manual
|
type: manual
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the kubelet service file
|
Edit the kubelet service file
|
||||||
on each worker node and remove the --hostname-override argument from the
|
on each worker node and remove the --hostname-override argument from the
|
||||||
KUBELET_SYSTEM_PODS_ARGS variable.
|
KUBELET_SYSTEM_PODS_ARGS variable.
|
||||||
Based on your system, restart the kubelet service. For example:
|
Based on your system, restart the kubelet service. For example:
|
||||||
@ -331,8 +331,8 @@ groups:
|
|||||||
|
|
||||||
- id: 4.2.10
|
- id: 4.2.10
|
||||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate"
|
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate"
|
||||||
audit: |
|
audit: |
|
||||||
grep ^tlsCertFile:\s\"\/var\/vcap\/jobs\/kubelet\/config\/kubelet\.pem\"\ntlsPrivateKeyFile:\s\"\/var\/vcap\/jobs\/kubelet\/config\/kubelet-key\.pem\"$
|
grep ^tlsCertFile:\s\"\/var\/vcap\/jobs\/kubelet\/config\/kubelet\.pem\"\ntlsPrivateKeyFile:\s\"\/var\/vcap\/jobs\/kubelet\/config\/kubelet-key\.pem\"$
|
||||||
/var/vcap/jobs/kubelet/config/kubeletconfig.yml
|
/var/vcap/jobs/kubelet/config/kubeletconfig.yml
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
@ -383,7 +383,7 @@ groups:
|
|||||||
test_items:
|
test_items:
|
||||||
- flag: "RotateKubeletServerCertificate=true"
|
- flag: "RotateKubeletServerCertificate=true"
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the kubelet service file
|
Edit the kubelet service file
|
||||||
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
|
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
|
||||||
--feature-gates=RotateKubeletServerCertificate=true
|
--feature-gates=RotateKubeletServerCertificate=true
|
||||||
Based on your system, restart the kubelet service. For example:
|
Based on your system, restart the kubelet service. For example:
|
||||||
@ -415,4 +415,4 @@ groups:
|
|||||||
Based on your system, restart the kubelet service. For example:
|
Based on your system, restart the kubelet service. For example:
|
||||||
systemctl daemon-reload
|
systemctl daemon-reload
|
||||||
systemctl restart kubelet.service
|
systemctl restart kubelet.service
|
||||||
scored: false
|
scored: false
|
||||||
|
@ -284,4 +284,4 @@ groups:
|
|||||||
resources and that all new resources are created in a specific namespace.
|
resources and that all new resources are created in a specific namespace.
|
||||||
Exception
|
Exception
|
||||||
This is site-specific setting.
|
This is site-specific setting.
|
||||||
scored: false
|
scored: false
|
||||||
|