mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-22 08:08:07 +00:00
Openshift configs (#526)
* Adds openshift to autodetect node type * detect okd node units
This commit is contained in:
parent
af976e6f50
commit
6e1c39237a
@ -25,6 +25,7 @@ master:
|
||||
- "hyperkube apiserver"
|
||||
- "hyperkube kube-apiserver"
|
||||
- "apiserver"
|
||||
- "openshift start master api"
|
||||
confs:
|
||||
- /etc/kubernetes/manifests/kube-apiserver.yaml
|
||||
- /etc/kubernetes/manifests/kube-apiserver.manifest
|
||||
@ -37,6 +38,7 @@ master:
|
||||
- "hyperkube scheduler"
|
||||
- "hyperkube kube-scheduler"
|
||||
- "scheduler"
|
||||
- "openshift start master controllers"
|
||||
confs:
|
||||
- /etc/kubernetes/manifests/kube-scheduler.yaml
|
||||
- /etc/kubernetes/manifests/kube-scheduler.manifest
|
||||
@ -50,6 +52,7 @@ master:
|
||||
- "hyperkube controller-manager"
|
||||
- "hyperkube kube-controller-manager"
|
||||
- "controller-manager"
|
||||
- "openshift start master controllers"
|
||||
confs:
|
||||
- /etc/kubernetes/manifests/kube-controller-manager.yaml
|
||||
- /etc/kubernetes/manifests/kube-controller-manager.manifest
|
||||
@ -172,4 +175,4 @@ version_mapping:
|
||||
"1.16": "cis-1.5"
|
||||
"1.17": "cis-1.5"
|
||||
"ocp-3.10": "rh-0.7"
|
||||
"ocp-3.11": "rh-0.7"
|
||||
"ocp-3.11": "rh-0.7"
|
||||
|
@ -22,6 +22,9 @@ master:
|
||||
- openshift start etcd
|
||||
|
||||
node:
|
||||
svcs:
|
||||
- /etc/systemd/system/atomic-openshift-node.service
|
||||
- /etc/systemd/system/origin-node.service
|
||||
proxy:
|
||||
bins:
|
||||
- openshift start network
|
||||
|
@ -254,7 +254,7 @@ groups:
|
||||
|
||||
- id: 8.3
|
||||
text: "Verify the kubelet service file permissions of 644"
|
||||
audit: "stat -c %a /etc/systemd/system/atomic-openshift-node.service"
|
||||
audit: "stat -c %a $nodesvc"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
@ -275,12 +275,12 @@ groups:
|
||||
set: true
|
||||
remediation: |
|
||||
Run the below command on each worker node.
|
||||
chmod 644 /etc/systemd/system/atomic-openshift-node.service
|
||||
chmod 644 $nodesvc
|
||||
scored: true
|
||||
|
||||
- id: 8.4
|
||||
text: "Verify the kubelet service file ownership of root:root"
|
||||
audit: "stat -c %U:%G /etc/systemd/system/atomic-openshift-node.service"
|
||||
audit: "stat -c %U:%G $nodesvc"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
@ -290,7 +290,7 @@ groups:
|
||||
set: true
|
||||
remediation: |
|
||||
Run the below command on each worker node.
|
||||
chown root:root /etc/systemd/system/atomic-openshift-node.service
|
||||
chown root:root $nodesvc
|
||||
scored: true
|
||||
|
||||
- id: 8.5
|
||||
|
Loading…
Reference in New Issue
Block a user