1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-26 01:49:28 +00:00

FIXING RKE2-CIS-1.24 CHECKS

. MASTER:
            a. Checks 1.1.10,1.1.20 are manual according to https://docs.rke2.io/security/cis_self_assessment124#1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual and https://docs.rke2.io/security/cis_self_assessment124#1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual respectively.
            b. Check 1.3.6 is not relevant to an RKE2 cluster as RKE2 rotates TLS certificates internally - https://github.com/rancher/dashboard/issues/4485. We will skip it and not score it

    2. NODE:
            a. Check 4.2.12 is the node-level equivalent of the master-level check 1.3.6 and is treated the same way.
This commit is contained in:
Saurabh Misra 2024-09-19 18:08:05 +05:30
parent 5a3fd1d896
commit 72f5a54777
2 changed files with 4 additions and 1 deletions

View File

@ -154,6 +154,7 @@ groups:
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
type: manual
remediation: | remediation: |
Run the below command (based on the file location on your system) on the control plane node. Run the below command (based on the file location on your system) on the control plane node.
For example, For example,
@ -313,6 +314,7 @@ groups:
op: bitmask op: bitmask
value: "600" value: "600"
set: true set: true
type: manual
remediation: | remediation: |
Run the below command (based on the file location on your system) on the control plane node. Run the below command (based on the file location on your system) on the control plane node.
For example, For example,
@ -979,7 +981,7 @@ groups:
Edit the Controller Manager pod specification file $controllermanagerconf Edit the Controller Manager pod specification file $controllermanagerconf
on the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. on the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.
--feature-gates=RotateKubeletServerCertificate=true --feature-gates=RotateKubeletServerCertificate=true
scored: true scored: false
type: skip type: skip
- id: 1.3.7 - id: 1.3.7

View File

@ -440,6 +440,7 @@ groups:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: false scored: false
type: skip
- id: 4.2.13 - id: 4.2.13
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)" text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"