Customize kubeconfig location for kube-scheduler and kube-controller-manager (#738)
This commit is contained in:
parent
d026e046f7
commit
724cea4980
@ -223,7 +223,7 @@ groups:
|
|||||||
|
|
||||||
- id: 1.1.15
|
- id: 1.1.15
|
||||||
text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c permissions=%a /etc/kubernetes/scheduler.conf; fi'"
|
audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c permissions=%a $schedulerkubeconfig; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "permissions"
|
- flag: "permissions"
|
||||||
@ -234,12 +234,12 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
chmod 644 /etc/kubernetes/scheduler.conf
|
chmod 644 $schedulerkubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.16
|
- id: 1.1.16
|
||||||
text: "Ensure that the scheduler.conf file ownership is set to root:root (Scored)"
|
text: "Ensure that the scheduler.conf file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c %U:%G /etc/kubernetes/scheduler.conf; fi'"
|
audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c %U:%G $schedulerkubeconfig; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
@ -250,12 +250,12 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
chown root:root /etc/kubernetes/scheduler.conf
|
chown root:root $schedulerkubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.17
|
- id: 1.1.17
|
||||||
text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c permissions=%a /etc/kubernetes/controller-manager.conf; fi'"
|
audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "permissions"
|
- flag: "permissions"
|
||||||
@ -266,12 +266,12 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
chmod 644 /etc/kubernetes/controller-manager.conf
|
chmod 644 $controllermanagerkubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.18
|
- id: 1.1.18
|
||||||
text: "Ensure that the controller-manager.conf file ownership is set to root:root (Scored)"
|
text: "Ensure that the controller-manager.conf file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c %U:%G /etc/kubernetes/controller-manager.conf; fi'"
|
audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c %U:%G $controllermanagerkubeconfig; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
@ -282,7 +282,7 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
chown root:root /etc/kubernetes/controller-manager.conf
|
chown root:root $controllermanagerkubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.19
|
- id: 1.1.19
|
||||||
|
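Review bot: The kubeconfig path in the audit commands for 1.1.15–1.1.18 is now substituted from configuration instead of being a fixed literal, but it is still unquoted inside the `sh -c` string, so a resolved path containing whitespace or shell metacharacters would break `test -e` and `stat` (or be interpreted by the shell) rather than be checked. Since the value is operator-controlled through config.yaml this is a robustness rather than an injection concern, but quoting is cheap: `audit: "/bin/sh -c 'if test -e \"$schedulerkubeconfig\"; then stat -c permissions=%a \"$schedulerkubeconfig\"; fi'"`, and likewise for the `%U:%G` and `$controllermanagerkubeconfig` variants. I assume the variable is replaced textually before the command runs, which is also what would make the remediation text `chmod 644 $schedulerkubeconfig` read correctly in the report; worth confirming the remediation field goes through the same substitution, otherwise users will see the literal variable name.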
@ -196,7 +196,7 @@ groups:
|
|||||||
|
|
||||||
- id: 1.1.15
|
- id: 1.1.15
|
||||||
text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)"
|
text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)"
|
||||||
audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c permissions=%a /etc/kubernetes/scheduler.conf; fi'"
|
audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c permissions=%a $schedulerkubeconfig; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "permissions"
|
- flag: "permissions"
|
||||||
@ -206,24 +206,24 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
chmod 644 /etc/kubernetes/scheduler.conf
|
chmod 644 $schedulerkubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.16
|
- id: 1.1.16
|
||||||
text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
|
text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
|
||||||
audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c %U:%G /etc/kubernetes/scheduler.conf; fi'"
|
audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c %U:%G $schedulerkubeconfig; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
chown root:root /etc/kubernetes/scheduler.conf
|
chown root:root $schedulerkubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.17
|
- id: 1.1.17
|
||||||
text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)"
|
text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)"
|
||||||
audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c permissions=%a /etc/kubernetes/controller-manager.conf; fi'"
|
audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "permissions"
|
- flag: "permissions"
|
||||||
@ -233,19 +233,19 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
chmod 644 /etc/kubernetes/controller-manager.conf
|
chmod 644 $controllermanagerkubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.18
|
- id: 1.1.18
|
||||||
text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
|
text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
|
||||||
audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c %U:%G /etc/kubernetes/controller-manager.conf; fi'"
|
audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c %U:%G $controllermanagerkubeconfig; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
chown root:root /etc/kubernetes/controller-manager.conf
|
chown root:root $controllermanagerkubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.19
|
- id: 1.1.19
|
||||||
|
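Review bot: With the path for 1.1.15–1.1.18 now resolved at runtime, a mis-detected or absent kubeconfig makes the `test -e` guard emit nothing, and the `permissions` and `root:root` test items are then evaluated against empty output; confirm that this case is reported as FAIL (or at least WARN) rather than passing silently, since a file that cannot be located is exactly what an auditor needs to see. The check text still names `scheduler.conf` / `controller-manager.conf` while the audit may now inspect a different file, so a line in the remediation such as `The path shown is the kubeconfig detected on this host; verify it matches the --kubeconfig argument of the running component.` would help readers of the report. Note also that `stat` is used without `-L`, so a symlinked kubeconfig is judged by the link's own mode and owner rather than the target's — pre-existing, but more likely to matter once the path is not fixed.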
@ -46,6 +46,10 @@ master:
|
|||||||
- /var/snap/kube-scheduler/current/args
|
- /var/snap/kube-scheduler/current/args
|
||||||
- /var/snap/microk8s/current/args/kube-scheduler
|
- /var/snap/microk8s/current/args/kube-scheduler
|
||||||
defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
|
defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
|
||||||
|
kubeconfig:
|
||||||
|
- /etc/kubernetes/scheduler.conf
|
||||||
|
defaultkubeconfig:
|
||||||
|
- /etc/kubernetes/scheduler.conf
|
||||||
|
|
||||||
controllermanager:
|
controllermanager:
|
||||||
bins:
|
bins:
|
||||||
@ -61,6 +65,10 @@ master:
|
|||||||
- /var/snap/kube-controller-manager/current/args
|
- /var/snap/kube-controller-manager/current/args
|
||||||
- /var/snap/microk8s/current/args/kube-controller-manager
|
- /var/snap/microk8s/current/args/kube-controller-manager
|
||||||
defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
|
defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
|
||||||
|
kubeconfig:
|
||||||
|
- /etc/kubernetes/controller-manager.conf
|
||||||
|
defaultkubeconfig:
|
||||||
|
- /etc/kubernetes/controller-manager.conf
|
||||||
|
|
||||||
etcd:
|
etcd:
|
||||||
optional: true
|
optional: true
|
||||||
|
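Review bot: The new `kubeconfig` candidate lists for `scheduler` and `controllermanager` contain only `/etc/kubernetes/scheduler.conf` and `/etc/kubernetes/controller-manager.conf`, which are also the `defaultkubeconfig` values, so as written detection can only ever resolve to the kubeadm layout and `$schedulerkubeconfig` / `$controllermanagerkubeconfig` never actually vary. The sibling `confs` lists already carry snap and microk8s entries (`/var/snap/kube-scheduler/current/args`, `/var/snap/microk8s/current/args/kube-scheduler`), so the corresponding kubeconfig locations for those distributions are the obvious candidates to add here, or else a comment stating that the list is intended for users to extend. If resolution picks the first existing candidate, as I assume from how `confs` is handled, order the entries most-specific first so a stale `/etc/kubernetes/*.conf` left behind on a non-kubeadm host does not shadow the file the component actually loads.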