add support VMware Tanzu(TKGI) Benchmarks v1.2.53
fixed all the yaml lint errors
commit
5ca84a80df
@ -1,2 +1,2 @@
|
||||
---
|
||||
## Version-specific settings that override the values in cfg/config.yaml
|
||||
## Version-specific settings that override the values in cfg/config.yaml
|
||||
|
@ -64,4 +64,4 @@ groups:
|
||||
remediation: |
|
||||
Consider modification of the audit policy in use on the cluster to include these items, at a
|
||||
minimum.
|
||||
scored: false
|
||||
scored: false
|
||||
|
@ -118,4 +118,4 @@ groups:
|
||||
Then, edit the etcd pod specification file etcd config on the
|
||||
master node and set the below parameter.
|
||||
--trusted-ca-file=</path/to/ca-file>
|
||||
scored: false
|
||||
scored: false
|
||||
|
@ -50,32 +50,32 @@ groups:
|
||||
For example, chmod 644 /var/vcap/jobs/kube-apiserver/config/bpm.yml
|
||||
scored: true
|
||||
|
||||
- id: 1.1.4
|
||||
- id: 1.1.4
|
||||
text: "Ensure that the controller manager pod specification file ownership is set to root:root"
|
||||
audit: stat -c %U:%G /var/vcap/jobs/kube-controller-manager/config/bpm.yml
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the
|
||||
master node.
|
||||
For example, chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml
|
||||
scored: true
|
||||
audit: stat -c %U:%G /var/vcap/jobs/kube-controller-manager/config/bpm.yml
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the
|
||||
master node.
|
||||
For example, chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml
|
||||
scored: true
|
||||
|
||||
- id: 1.1.5
|
||||
- id: 1.1.5
|
||||
text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive"
|
||||
audit: stat -c permissions=%a /var/vcap/jobs/kube-scheduler/config/bpm.yml
|
||||
tests:
|
||||
test_items:
|
||||
audit: stat -c permissions=%a /var/vcap/jobs/kube-scheduler/config/bpm.yml
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "permissions"
|
||||
compare:
|
||||
op: bitmask
|
||||
value: "644"
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the
|
||||
master node.
|
||||
For example, chown 644 /var/vcap/jobs/kube-scheduler/config/bpm.yml
|
||||
scored: true
|
||||
value: "644"
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the
|
||||
master node.
|
||||
For example, chown 644 /var/vcap/jobs/kube-scheduler/config/bpm.yml
|
||||
scored: true
|
||||
|
||||
- id: 1.1.6
|
||||
text: "Ensure that the scheduler pod specification file ownership is set to root:root"
|
||||
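Review bot: The 1.1.5 remediation on the new side reads `chown 644 /var/vcap/jobs/kube-scheduler/config/bpm.yml`, but 644 is a permission mode, so the command should be `chmod 644 /var/vcap/jobs/kube-scheduler/config/bpm.yml`, matching the 1.1.3 example at the top of the hunk. In 1.1.4 the audit inspects `/var/vcap/jobs/kube-controller-manager/config/bpm.yml` while the remediation tells the operator to `chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml`; the remediation path appears carried over from the upstream benchmark and should name the TKGI bpm.yml that the audit actually checks. Both lines are among those this commit touches, so correcting the text here would avoid a second pass over the file.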
@ -566,7 +566,7 @@ groups:
|
||||
not have access to a registry to pull in-use images. This setting is not appropriate for
|
||||
clusters which use this configuration."
|
||||
TKGi is packages with pre-loaded images.
|
||||
scored: false
|
||||
scored: false
|
||||
|
||||
- id: 1.2.13
|
||||
text: "Ensure that the admission control plugin SecurityContextDeny is set"
|
||||
@ -666,13 +666,13 @@ groups:
|
||||
value that includes NodeRestriction.
|
||||
--enable-admission-plugins=...,NodeRestriction,...
|
||||
Exception
|
||||
PR opened to address the issue https://github.com/cloudfoundry-incubator/kubo-release/pull/179"
|
||||
PR opened to address the issue https://github.com/cloudfoundry-incubator/kubo-release/pull/179"
|
||||
scored: true
|
||||
|
||||
- id: 1.2.18
|
||||
text: "Ensure that the --insecure-bind-address argument is not set"
|
||||
audit: |
|
||||
ps -ef | grep kube-apiserver | grep -v tini | grep -v -- "--insecure-bind-address"
|
||||
ps -ef | grep kube-apiserver | grep -v tini | grep -v -- "--insecure-bind-address"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--insecure-bind-address"
|
||||
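Review bot: The 1.2.18 audit on the new side pipes the kube-apiserver process line through `grep -v -- "--insecure-bind-address"`, which removes any line containing the very flag the test item then looks for, so the audit output can never contain `--insecure-bind-address` regardless of how the API server was started. If the test item (which continues past the end of this hunk) asserts the flag is absent the check always passes, and if it asserts presence it always fails; either way the result does not reflect the running configuration. Dropping the last filter, e.g. `ps -ef | grep kube-apiserver | grep -v tini`, and letting the test item assert the flag is not set with `set: false` would make the check meaningful.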
@ -1095,4 +1095,4 @@ groups:
|
||||
Exception
|
||||
This setting can be set to expected value using Kubernetes Profiles. Please follow instructions here
|
||||
https://docs.pivotal.io/tkgi/1-8/k8s-profiles.html
|
||||
scored: false
|
||||
scored: false
|
||||
|
@ -55,7 +55,7 @@ groups:
|
||||
- id: 4.1.4
|
||||
text: "Ensure that the proxy kubeconfig file ownership is set to root:root"
|
||||
audit: stat -c %U:%G /var/vcap/jobs/kube-proxy/config/kubeconfig
|
||||
type: manual
|
||||
type: manual
|
||||
tests:
|
||||
test_items:
|
||||
- flag: root:root
|
||||
@ -181,7 +181,7 @@ groups:
|
||||
|
||||
- id: 4.2.2
|
||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow"
|
||||
audit: |
|
||||
audit: |
|
||||
grep "^authorization:\n\s{2}mode: AlwaysAllow$" /var/vcap/jobs/kubelet/config/kubeletconfig.yml
|
||||
tests:
|
||||
test_items:
|
||||
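Review bot: The 4.2.2 audit `grep "^authorization:\n\s{2}mode: AlwaysAllow$" /var/vcap/jobs/kubelet/config/kubeletconfig.yml` cannot match: grep compares one line at a time, so `\n` never matches a line break, and `{2}` is an interval operator only under `-E` (in the default basic syntax it is the literal text `{2}`). The pattern therefore never produces output, and the test items that follow (outside this hunk) evaluate against empty input rather than against the kubelet config. A line-oriented form such as `grep -A1 "^authorization:" /var/vcap/jobs/kubelet/config/kubeletconfig.yml | grep "mode: AlwaysAllow"` would let the check actually detect an AlwaysAllow kubelet. The 4.2.10 audit further down this file uses the same two-line `\n` pattern and has the same problem.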
@ -298,7 +298,7 @@ groups:
|
||||
ps -ef | grep [k]ubelet | grep -- --[c]onfig=/var/vcap/jobs/kubelet/config/kubeletconfig.yml | grep -v -- --hostname-override
|
||||
type: manual
|
||||
remediation: |
|
||||
Edit the kubelet service file
|
||||
Edit the kubelet service file
|
||||
on each worker node and remove the --hostname-override argument from the
|
||||
KUBELET_SYSTEM_PODS_ARGS variable.
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
@ -331,8 +331,8 @@ groups:
|
||||
|
||||
- id: 4.2.10
|
||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate"
|
||||
audit: |
|
||||
grep ^tlsCertFile:\s\"\/var\/vcap\/jobs\/kubelet\/config\/kubelet\.pem\"\ntlsPrivateKeyFile:\s\"\/var\/vcap\/jobs\/kubelet\/config\/kubelet-key\.pem\"$
|
||||
audit: |
|
||||
grep ^tlsCertFile:\s\"\/var\/vcap\/jobs\/kubelet\/config\/kubelet\.pem\"\ntlsPrivateKeyFile:\s\"\/var\/vcap\/jobs\/kubelet\/config\/kubelet-key\.pem\"$
|
||||
/var/vcap/jobs/kubelet/config/kubeletconfig.yml
|
||||
tests:
|
||||
bin_op: and
|
||||
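Review bot: The 4.2.10 audit pattern on the new side is unquoted, so if the audit is executed through a shell every `\s`, `\"`, `\/`, `\.` and `\n` is consumed by the shell before grep sees it (`\s` becomes `s`, `\n` becomes `n`), and the resulting pattern `^tlsCertFile:s"/var/vcap/...` can never match a `tlsCertFile: "/var/vcap/...` line in the kubelet config. The kubeletconfig.yml path also sits on its own line of the `audit: |` block, which, unless kube-bench joins the lines before running them, leaves grep reading stdin and then attempts to execute the yml path as a command; worth confirming against how the audit is invoked. Single-quoting the pattern and keeping the file argument on the same line as the `grep` is the minimal fix; the two-line `\n` matching problem itself is the one raised at 4.2.2.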
@ -383,7 +383,7 @@ groups:
|
||||
test_items:
|
||||
- flag: "RotateKubeletServerCertificate=true"
|
||||
remediation: |
|
||||
Edit the kubelet service file
|
||||
Edit the kubelet service file
|
||||
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
|
||||
--feature-gates=RotateKubeletServerCertificate=true
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
@ -415,4 +415,4 @@ groups:
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: false
|
||||
scored: false
|
||||
|
@ -284,4 +284,4 @@ groups:
|
||||
resources and that all new resources are created in a specific namespace.
|
||||
Exception
|
||||
This is site-specific setting.
|
||||
scored: false
|
||||
scored: false
|
||||
|