
Openshift configs (#526)

* Adds openshift to autodetect node type

* detect okd node units
This commit is contained in:
Mateus Caruccio 2019-12-09 11:07:44 -03:00 committed by Roberto Rojas
parent af976e6f50
commit 6e1c39237a
3 changed files with 11 additions and 5 deletions


@ -25,6 +25,7 @@ master:
- "hyperkube apiserver" - "hyperkube apiserver"
- "hyperkube kube-apiserver" - "hyperkube kube-apiserver"
- "apiserver" - "apiserver"
- "openshift start master api"
confs: confs:
- /etc/kubernetes/manifests/kube-apiserver.yaml - /etc/kubernetes/manifests/kube-apiserver.yaml
- /etc/kubernetes/manifests/kube-apiserver.manifest - /etc/kubernetes/manifests/kube-apiserver.manifest
@ -37,6 +38,7 @@ master:
- "hyperkube scheduler" - "hyperkube scheduler"
- "hyperkube kube-scheduler" - "hyperkube kube-scheduler"
- "scheduler" - "scheduler"
- "openshift start master controllers"
confs: confs:
- /etc/kubernetes/manifests/kube-scheduler.yaml - /etc/kubernetes/manifests/kube-scheduler.yaml
- /etc/kubernetes/manifests/kube-scheduler.manifest - /etc/kubernetes/manifests/kube-scheduler.manifest
@ -50,6 +52,7 @@ master:
- "hyperkube controller-manager" - "hyperkube controller-manager"
- "hyperkube kube-controller-manager" - "hyperkube kube-controller-manager"
- "controller-manager" - "controller-manager"
- "openshift start master controllers"
confs: confs:
- /etc/kubernetes/manifests/kube-controller-manager.yaml - /etc/kubernetes/manifests/kube-controller-manager.yaml
- /etc/kubernetes/manifests/kube-controller-manager.manifest - /etc/kubernetes/manifests/kube-controller-manager.manifest
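Review bot: `openshift start master controllers` is added under both the scheduler bins (second hunk) and the controller-manager bins (third hunk), so both components are detected from the same process string. If that is intentional because OpenShift 3.x hosts the scheduler and the controller-manager in one `master controllers` process, say so in the file, e.g. `# OpenShift 3.x runs scheduler and controller-manager in a single "master controllers" process` above each of the two entries; otherwise the repeated line reads as a copy-paste slip and is likely to be "deduplicated" later. The `openshift start master api` entry in the first hunk needs no such note. The enclosing `master:` mapping starts before the first hunk.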


@ -22,6 +22,9 @@ master:
- openshift start etcd - openshift start etcd
node: node:
svcs:
- /etc/systemd/system/atomic-openshift-node.service
- /etc/systemd/system/origin-node.service
proxy: proxy:
bins: bins:
- openshift start network - openshift start network
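Review bot: The new `svcs` list under `node:` names two candidate unit files without saying which distribution each belongs to or what happens when neither is present, and the `$nodesvc` substitution in the kubelet checks of the third file (`stat -c %a $nodesvc`, `chown root:root $nodesvc`) depends on one of them resolving. Add a comment above the list, e.g. `# atomic-openshift-node.service: OpenShift Container Platform 3.x; origin-node.service: OKD/Origin`. If the detection code has no fallback when neither file exists, document that too, since `stat` would then presumably run with an empty path and report an error rather than a permission value; I cannot see the substitution logic from this diff, so that behaviour is inferred. The `node:` mapping is complete within the hunk, but the surrounding document starts before it.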


@ -254,7 +254,7 @@ groups:
- id: 8.3 - id: 8.3
text: "Verify the kubelet service file permissions of 644" text: "Verify the kubelet service file permissions of 644"
audit: "stat -c %a /etc/systemd/system/atomic-openshift-node.service" audit: "stat -c %a $nodesvc"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -275,12 +275,12 @@ groups:
set: true set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chmod 644 /etc/systemd/system/atomic-openshift-node.service chmod 644 $nodesvc
scored: true scored: true
- id: 8.4 - id: 8.4
text: "Verify the kubelet service file ownership of root:root" text: "Verify the kubelet service file ownership of root:root"
audit: "stat -c %U:%G /etc/systemd/system/atomic-openshift-node.service" audit: "stat -c %U:%G $nodesvc"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -290,7 +290,7 @@ groups:
set: true set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chown root:root /etc/systemd/system/atomic-openshift-node.service chown root:root $nodesvc
scored: true scored: true
- id: 8.5 - id: 8.5