mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-21 23:58:06 +00:00

Change to checking --disable-admission-plugins for cis-1.4-1.1.27 and cis-1.5-1.2.14 (#584)

Fixes #582
Huang Huang 2020-02-18 22:37:50 +08:00 committed by GitHub
parent 17cd104788
commit 65fb352e0e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 12 additions and 24 deletions

View File

@ -447,12 +447,12 @@ groups:
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "--enable-admission-plugins" - flag: "--disable-admission-plugins"
compare: compare:
op: has op: nothave
value: "ServiceAccount" value: "ServiceAccount"
set: true set: true
- flag: "--enable-admission-plugins" - flag: "--disable-admission-plugins"
set: false set: false
remediation: | remediation: |
Follow the documentation and create ServiceAccount objects as per your environment. Follow the documentation and create ServiceAccount objects as per your environment.
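Review bot: the remediation text that closes this hunk needs the same update as the test: only its first line is visible here, and the result files changed by this commit show the previous 1.1.27 remediation telling operators to "set the --enable-admission-plugins parameter to a value that includes ServiceAccount", which no longer matches a check that reads --disable-admission-plugins. Suggest rewording the remaining remediation lines to say that ServiceAccount must not appear in --disable-admission-plugins (and that the flag may be omitted entirely). The test logic itself is the right fix for #582: the ServiceAccount admission plugin is enabled by default in kube-apiserver, so a deployment that never passes --enable-admission-plugins still has it, and the or'd pair here (flag absent, or present without ServiceAccount) correctly flags only the case where it has been explicitly switched off.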

View File

@ -755,12 +755,12 @@ groups:
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "--enable-admission-plugins" - flag: "--disable-admission-plugins"
compare: compare:
op: has op: nothave
value: "ServiceAccount" value: "ServiceAccount"
set: true set: true
- flag: "--enable-admission-plugins" - flag: "--disable-admission-plugins"
set: false set: false
remediation: | remediation: |
Follow the documentation and create ServiceAccount objects as per your environment. Follow the documentation and create ServiceAccount objects as per your environment.
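Review bot: this cis-1.5 hunk carries the identical test block as the cis-1.4 one, so the same remediation follow-up applies: the lines after "Follow the documentation and create ServiceAccount objects as per your environment." should direct the reader to remove ServiceAccount from --disable-admission-plugins rather than add it to --enable-admission-plugins. One further check worth doing before merge: `op: nothave` with value "ServiceAccount" is a containment match on the flag value, which is what is wanted for a comma-separated plugin list such as --disable-admission-plugins=ServiceAccount,NamespaceLifecycle, and `set: true` on that item ensures the comparison is only evaluated when the flag is actually present.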

View File

@ -26,7 +26,7 @@
[FAIL] 1.1.24 Ensure that the admission control plugin PodSecurityPolicy is set (Scored) [FAIL] 1.1.24 Ensure that the admission control plugin PodSecurityPolicy is set (Scored)
[PASS] 1.1.25 Ensure that the --service-account-key-file argument is set as appropriate (Scored) [PASS] 1.1.25 Ensure that the --service-account-key-file argument is set as appropriate (Scored)
[PASS] 1.1.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored) [PASS] 1.1.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)
[FAIL] 1.1.27 Ensure that the admission control plugin ServiceAccount is set(Scored) [PASS] 1.1.27 Ensure that the admission control plugin ServiceAccount is set(Scored)
[PASS] 1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored) [PASS] 1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
[PASS] 1.1.29 Ensure that the --client-ca-file argument is set as appropriate (Scored) [PASS] 1.1.29 Ensure that the --client-ca-file argument is set as appropriate (Scored)
[PASS] 1.1.30 Ensure that the --etcd-cafile argument is set as appropriate (Scored) [PASS] 1.1.30 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
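Review bot: the flip of 1.1.27 from FAIL to PASS is the expected outcome of the new --disable-admission-plugins test, since the test fixture evidently runs an API server that does not disable ServiceAccount. Minor pre-existing style point in the same line: the check title reads "is set(Scored)" with no space before the parenthesis, unlike the surrounding titles; if that is corrected in the benchmark config, both expected-output files touched by this commit must be updated in lockstep or the integration test will fail on a one-character diff.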
@ -154,12 +154,6 @@ value that includes PodSecurityPolicy :
--enable-admission-plugins=...,PodSecurityPolicy,... --enable-admission-plugins=...,PodSecurityPolicy,...
Then restart the API Server. Then restart the API Server.
1.1.27 Follow the documentation and create ServiceAccount objects as per your environment.
Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --enable-admission-plugins parameter to a
value that includes ServiceAccount.
--enable-admission-plugins=...,ServiceAccount,...
1.1.31 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml 1.1.31 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter. on the master node and set the below parameter.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
@ -327,7 +321,7 @@ Create a PSP as described in the Kubernetes documentation, ensuring that the .sp
== Summary == == Summary ==
48 checks PASS 49 checks PASS
18 checks FAIL 17 checks FAIL
25 checks WARN 25 checks WARN
1 checks INFO 1 checks INFO
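Review bot: the summary arithmetic is consistent: PASS 48 to 49 and FAIL 18 to 17 leave the total at 92 checks, which matches exactly one check (1.1.27) changing state and no other result lines moving. The removed remediation block in the preceding hunk is likewise the only text that should disappear from the output when 1.1.27 passes, so nothing further is needed in this file.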

View File

@ -26,7 +26,7 @@
[FAIL] 1.1.24 Ensure that the admission control plugin PodSecurityPolicy is set (Scored) [FAIL] 1.1.24 Ensure that the admission control plugin PodSecurityPolicy is set (Scored)
[PASS] 1.1.25 Ensure that the --service-account-key-file argument is set as appropriate (Scored) [PASS] 1.1.25 Ensure that the --service-account-key-file argument is set as appropriate (Scored)
[PASS] 1.1.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored) [PASS] 1.1.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)
[FAIL] 1.1.27 Ensure that the admission control plugin ServiceAccount is set(Scored) [PASS] 1.1.27 Ensure that the admission control plugin ServiceAccount is set(Scored)
[PASS] 1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored) [PASS] 1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
[PASS] 1.1.29 Ensure that the --client-ca-file argument is set as appropriate (Scored) [PASS] 1.1.29 Ensure that the --client-ca-file argument is set as appropriate (Scored)
[PASS] 1.1.30 Ensure that the --etcd-cafile argument is set as appropriate (Scored) [PASS] 1.1.30 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
@ -154,12 +154,6 @@ value that includes PodSecurityPolicy :
--enable-admission-plugins=...,PodSecurityPolicy,... --enable-admission-plugins=...,PodSecurityPolicy,...
Then restart the API Server. Then restart the API Server.
1.1.27 Follow the documentation and create ServiceAccount objects as per your environment.
Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --enable-admission-plugins parameter to a
value that includes ServiceAccount.
--enable-admission-plugins=...,ServiceAccount,...
1.1.31 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml 1.1.31 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter. on the master node and set the below parameter.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
@ -327,8 +321,8 @@ Create a PSP as described in the Kubernetes documentation, ensuring that the .sp
== Summary == == Summary ==
48 checks PASS 49 checks PASS
18 checks FAIL 17 checks FAIL
25 checks WARN 25 checks WARN
1 checks INFO 1 checks INFO
[INFO] 2 Worker Node Security Configuration [INFO] 2 Worker Node Security Configuration