From 724cea4980aa4b71e53d664ac5eab7138315615b Mon Sep 17 00:00:00 2001
From: bjrara
Date: Sun, 18 Oct 2020 23:10:29 +0800
Subject: [PATCH] Customize kubeconfig location for kube-scheduler and kube-controller-manager (#738)

---
 cfg/cis-1.5/master.yaml | 16 ++++++++--------
 cfg/cis-1.6/master.yaml | 16 ++++++++--------
 cfg/config.yaml         |  8 ++++++++
 3 files changed, 24 insertions(+), 16 deletions(-)

diff --git a/cfg/cis-1.5/master.yaml b/cfg/cis-1.5/master.yaml
index 414f44e..8f9c1ad 100644
--- a/cfg/cis-1.5/master.yaml
+++ b/cfg/cis-1.5/master.yaml
@@ -223,7 +223,7 @@ groups:
 
       - id: 1.1.15
         text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c permissions=%a /etc/kubernetes/scheduler.conf; fi'"
+        audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c permissions=%a $schedulerkubeconfig; fi'"
         tests:
           test_items:
             - flag: "permissions"
@@ -234,12 +234,12 @@ groups:
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
-          chmod 644 /etc/kubernetes/scheduler.conf
+          chmod 644 $schedulerkubeconfig
         scored: true
 
      - id: 1.1.16
         text: "Ensure that the scheduler.conf file ownership is set to root:root (Scored)"
-        audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c %U:%G /etc/kubernetes/scheduler.conf; fi'"
+        audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c %U:%G $schedulerkubeconfig; fi'"
         tests:
           test_items:
             - flag: "root:root"
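Review bot: The placeholders in the new audit strings for 1.1.15 and 1.1.16 are expanded unquoted inside `sh -c`, so a kubeconfig path taken from config.yaml that contains whitespace or shell metacharacters would be word-split, and a placeholder that is not substituted at all leaves `test -e` with no operand, which POSIX `test` evaluates as true before `stat` then fails on a missing argument. Double-quoting the expansion fails closed in both cases: `audit: "/bin/sh -c 'if test -e \"$schedulerkubeconfig\"; then stat -c permissions=%a \"$schedulerkubeconfig\"; fi'"`, and likewise for the `%U:%G` variant. This assumes the placeholder is replaced textually before the command is executed; if it is instead exported as a shell variable the quoting is still correct. The same applies to 1.1.17 and 1.1.18 in the following hunks of this file and to all four checks in cfg/cis-1.6/master.yaml.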
@@ -250,12 +250,12 @@ groups:
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
-          chown root:root /etc/kubernetes/scheduler.conf
+          chown root:root $schedulerkubeconfig
         scored: true
 
       - id: 1.1.17
         text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c permissions=%a /etc/kubernetes/controller-manager.conf; fi'"
+        audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'"
         tests:
           test_items:
             - flag: "permissions"
@@ -266,12 +266,12 @@ groups:
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
-          chmod 644 /etc/kubernetes/controller-manager.conf
+          chmod 644 $controllermanagerkubeconfig
         scored: true
 
       - id: 1.1.18
         text: "Ensure that the controller-manager.conf file ownership is set to root:root (Scored)"
-        audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c %U:%G /etc/kubernetes/controller-manager.conf; fi'"
+        audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c %U:%G $controllermanagerkubeconfig; fi'"
         tests:
           test_items:
             - flag: "root:root"
@@ -282,7 +282,7 @@ groups:
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
-          chown root:root /etc/kubernetes/controller-manager.conf
+          chown root:root $controllermanagerkubeconfig
         scored: true
 
       - id: 1.1.19
diff --git a/cfg/cis-1.6/master.yaml b/cfg/cis-1.6/master.yaml
index 030ea1b..fa23948 100644
--- a/cfg/cis-1.6/master.yaml
+++ b/cfg/cis-1.6/master.yaml
@@ -196,7 +196,7 @@ groups:
 
       - id: 1.1.15
         text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)"
-        audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c permissions=%a /etc/kubernetes/scheduler.conf; fi'"
+        audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c permissions=%a $schedulerkubeconfig; fi'"
         tests:
           test_items:
             - flag: "permissions"
@@ -206,24 +206,24 @@ groups:
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
-          chmod 644 /etc/kubernetes/scheduler.conf
+          chmod 644 $schedulerkubeconfig
         scored: true
 
       - id: 1.1.16
         text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
-        audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c %U:%G /etc/kubernetes/scheduler.conf; fi'"
+        audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c %U:%G $schedulerkubeconfig; fi'"
         tests:
           test_items:
             - flag: "root:root"
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
-          chown root:root /etc/kubernetes/scheduler.conf
+          chown root:root $schedulerkubeconfig
         scored: true
 
       - id: 1.1.17
         text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)"
-        audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c permissions=%a /etc/kubernetes/controller-manager.conf; fi'"
+        audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'"
         tests:
           test_items:
             - flag: "permissions"
@@ -233,19 +233,19 @@ groups:
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
-          chmod 644 /etc/kubernetes/controller-manager.conf
+          chmod 644 $controllermanagerkubeconfig
         scored: true
 
       - id: 1.1.18
         text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
-        audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c %U:%G /etc/kubernetes/controller-manager.conf; fi'"
+        audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c %U:%G $controllermanagerkubeconfig; fi'"
         tests:
           test_items:
             - flag: "root:root"
         remediation: |
           Run the below command (based on the file location on your system) on the master node.
           For example,
-          chown root:root /etc/kubernetes/controller-manager.conf
+          chown root:root $controllermanagerkubeconfig
         scored: true
 
       - id: 1.1.19
diff --git a/cfg/config.yaml b/cfg/config.yaml
index 7170877..b31cab1 100644
--- a/cfg/config.yaml
+++ b/cfg/config.yaml
@@ -46,6 +46,10 @@ master:
       - /var/snap/kube-scheduler/current/args
       - /var/snap/microk8s/current/args/kube-scheduler
     defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
+    kubeconfig:
+      - /etc/kubernetes/scheduler.conf
+    defaultkubeconfig:
+      - /etc/kubernetes/scheduler.conf
 
   controllermanager:
     bins:
@@ -61,6 +65,10 @@ master:
       - /var/snap/kube-controller-manager/current/args
       - /var/snap/microk8s/current/args/kube-controller-manager
     defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
+    kubeconfig:
+      - /etc/kubernetes/controller-manager.conf
+    defaultkubeconfig:
+      - /etc/kubernetes/controller-manager.conf
 
   etcd:
     optional: true
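Review bot: `defaultkubeconfig` is written as a one-item sequence in both added config.yaml stanzas, while the sibling `defaultconf` directly above each is a plain scalar; a default is a single fallback path, and if the loader reads it the way it reads `defaultconf`, the `$schedulerkubeconfig` and `$controllermanagerkubeconfig` placeholders in the master.yaml checks would receive a serialized list rather than a path. Use `defaultkubeconfig: /etc/kubernetes/scheduler.conf` and `defaultkubeconfig: /etc/kubernetes/controller-manager.conf`, keeping `kubeconfig:` as the list of candidate locations. A comment above each new `kubeconfig:` key naming the placeholder it feeds, such as `# candidate paths for $schedulerkubeconfig in the cis-*/master.yaml checks`, would also help, since nothing in this file otherwise links the two. Whether the loader probes the `kubeconfig` entries in order and falls back to `defaultkubeconfig` when none exist is not visible in this diff and should be confirmed against the loader.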