
Openshift configs (#526)

* Adds openshift to autodetect node type

* detect okd node units
Mateus Caruccio 2019-12-09 11:07:44 -03:00 committed by Roberto Rojas
parent af976e6f50
commit 6e1c39237a
3 changed files with 11 additions and 5 deletions


@ -25,6 +25,7 @@ master:
- "hyperkube apiserver"
- "hyperkube kube-apiserver"
- "apiserver"
- "openshift start master api"
confs:
- /etc/kubernetes/manifests/kube-apiserver.yaml
- /etc/kubernetes/manifests/kube-apiserver.manifest
@ -37,6 +38,7 @@ master:
- "hyperkube scheduler"
- "hyperkube kube-scheduler"
- "scheduler"
- "openshift start master controllers"
confs:
- /etc/kubernetes/manifests/kube-scheduler.yaml
- /etc/kubernetes/manifests/kube-scheduler.manifest
@ -50,6 +52,7 @@ master:
- "hyperkube controller-manager"
- "hyperkube kube-controller-manager"
- "controller-manager"
- "openshift start master controllers"
confs:
- /etc/kubernetes/manifests/kube-controller-manager.yaml
- /etc/kubernetes/manifests/kube-controller-manager.manifest
@ -172,4 +175,4 @@ version_mapping:
"1.16": "cis-1.5"
"1.17": "cis-1.5"
"ocp-3.10": "rh-0.7"
"ocp-3.11": "rh-0.7"
"ocp-3.11": "rh-0.7"
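Review bot: The same process string `openshift start master controllers` is added under both `scheduler` (L30) and `controller-manager` (L38) with no comment, so a later maintainer may take one of them for a copy-paste mistake and drop it. A one-line comment above each addition would pin the intent, e.g. `# OpenShift 3.x runs the scheduler and the controller-manager in one "openshift start master controllers" process, so the same string is listed under both components.` The `openshift start master api` entry at L22 is presumably the matching API-server process and would read better with the same kind of note. The final hunk (L45-L47) only changes the trailing newline on the `ocp-3.11` mapping and needs nothing further.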


@ -22,6 +22,9 @@ master:
- openshift start etcd
node:
svcs:
- /etc/systemd/system/atomic-openshift-node.service
- /etc/systemd/system/origin-node.service
proxy:
bins:
- openshift start network
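Review bot: The two `svcs` candidates at L55-L56 carry no indication of which deployment each unit belongs to, which matters because the commit message says the second one was added to "detect okd node units"; a comment such as `# atomic-openshift-node: OCP 3.x; origin-node: OKD/Origin 3.x` above the list would preserve that. Both candidates live under /etc/systemd/system, so a host whose unit is installed only under /usr/lib/systemd/system would match neither — worth confirming against the target installs, or adding those paths as further candidates. What `$nodesvc` expands to when no candidate exists cannot be told from this hunk; the node checks that use it should be verified to fail cleanly in that case rather than run `stat` against an empty path.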


@ -254,7 +254,7 @@ groups:
- id: 8.3
text: "Verify the kubelet service file permissions of 644"
audit: "stat -c %a /etc/systemd/system/atomic-openshift-node.service"
audit: "stat -c %a $nodesvc"
tests:
bin_op: or
test_items:
@ -275,12 +275,12 @@ groups:
set: true
remediation: |
Run the below command on each worker node.
chmod 644 /etc/systemd/system/atomic-openshift-node.service
chmod 644 $nodesvc
scored: true
- id: 8.4
text: "Verify the kubelet service file ownership of root:root"
audit: "stat -c %U:%G /etc/systemd/system/atomic-openshift-node.service"
audit: "stat -c %U:%G $nodesvc"
tests:
test_items:
- flag: "root:root"
@ -290,7 +290,7 @@ groups:
set: true
remediation: |
Run the below command on each worker node.
chown root:root /etc/systemd/system/atomic-openshift-node.service
chown root:root $nodesvc
scored: true
- id: 8.5