1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-23 23:18:33 +00:00

Customize kubeconfig location for kube-scheduler and kube-controller-manager (#738)

This commit is contained in:
bjrara 2020-10-18 23:10:29 +08:00 committed by GitHub
parent d026e046f7
commit 724cea4980
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 24 additions and 16 deletions

View File

@ -223,7 +223,7 @@ groups:
- id: 1.1.15 - id: 1.1.15
text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c permissions=%a /etc/kubernetes/scheduler.conf; fi'" audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c permissions=%a $schedulerkubeconfig; fi'"
tests: tests:
test_items: test_items:
- flag: "permissions" - flag: "permissions"
@ -234,12 +234,12 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chmod 644 /etc/kubernetes/scheduler.conf chmod 644 $schedulerkubeconfig
scored: true scored: true
- id: 1.1.16 - id: 1.1.16
text: "Ensure that the scheduler.conf file ownership is set to root:root (Scored)" text: "Ensure that the scheduler.conf file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c %U:%G /etc/kubernetes/scheduler.conf; fi'" audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c %U:%G $schedulerkubeconfig; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -250,12 +250,12 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chown root:root /etc/kubernetes/scheduler.conf chown root:root $schedulerkubeconfig
scored: true scored: true
- id: 1.1.17 - id: 1.1.17
text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c permissions=%a /etc/kubernetes/controller-manager.conf; fi'" audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'"
tests: tests:
test_items: test_items:
- flag: "permissions" - flag: "permissions"
@ -266,12 +266,12 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chmod 644 /etc/kubernetes/controller-manager.conf chmod 644 $controllermanagerkubeconfig
scored: true scored: true
- id: 1.1.18 - id: 1.1.18
text: "Ensure that the controller-manager.conf file ownership is set to root:root (Scored)" text: "Ensure that the controller-manager.conf file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c %U:%G /etc/kubernetes/controller-manager.conf; fi'" audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c %U:%G $controllermanagerkubeconfig; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -282,7 +282,7 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chown root:root /etc/kubernetes/controller-manager.conf chown root:root $controllermanagerkubeconfig
scored: true scored: true
- id: 1.1.19 - id: 1.1.19

View File

@ -196,7 +196,7 @@ groups:
- id: 1.1.15 - id: 1.1.15
text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)" text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c permissions=%a /etc/kubernetes/scheduler.conf; fi'" audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c permissions=%a $schedulerkubeconfig; fi'"
tests: tests:
test_items: test_items:
- flag: "permissions" - flag: "permissions"
@ -206,24 +206,24 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chmod 644 /etc/kubernetes/scheduler.conf chmod 644 $schedulerkubeconfig
scored: true scored: true
- id: 1.1.16 - id: 1.1.16
text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)" text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c %U:%G /etc/kubernetes/scheduler.conf; fi'" audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c %U:%G $schedulerkubeconfig; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
remediation: | remediation: |
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chown root:root /etc/kubernetes/scheduler.conf chown root:root $schedulerkubeconfig
scored: true scored: true
- id: 1.1.17 - id: 1.1.17
text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)" text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c permissions=%a /etc/kubernetes/controller-manager.conf; fi'" audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'"
tests: tests:
test_items: test_items:
- flag: "permissions" - flag: "permissions"
@ -233,19 +233,19 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chmod 644 /etc/kubernetes/controller-manager.conf chmod 644 $controllermanagerkubeconfig
scored: true scored: true
- id: 1.1.18 - id: 1.1.18
text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)" text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c %U:%G /etc/kubernetes/controller-manager.conf; fi'" audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c %U:%G $controllermanagerkubeconfig; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
remediation: | remediation: |
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chown root:root /etc/kubernetes/controller-manager.conf chown root:root $controllermanagerkubeconfig
scored: true scored: true
- id: 1.1.19 - id: 1.1.19

View File

@ -46,6 +46,10 @@ master:
- /var/snap/kube-scheduler/current/args - /var/snap/kube-scheduler/current/args
- /var/snap/microk8s/current/args/kube-scheduler - /var/snap/microk8s/current/args/kube-scheduler
defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
kubeconfig:
- /etc/kubernetes/scheduler.conf
defaultkubeconfig:
- /etc/kubernetes/scheduler.conf
controllermanager: controllermanager:
bins: bins:
@ -61,6 +65,10 @@ master:
- /var/snap/kube-controller-manager/current/args - /var/snap/kube-controller-manager/current/args
- /var/snap/microk8s/current/args/kube-controller-manager - /var/snap/microk8s/current/args/kube-controller-manager
defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
kubeconfig:
- /etc/kubernetes/controller-manager.conf
defaultkubeconfig:
- /etc/kubernetes/controller-manager.conf
etcd: etcd:
optional: true optional: true