mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-24 07:28:06 +00:00
Merge pull request #290 from aquasecurity/config-improvements
Config improvements
commit
74fd7cd595
@ -9,10 +9,6 @@ node:
|
|||||||
- "/var/lib/kubelet/kubeconfig"
|
- "/var/lib/kubelet/kubeconfig"
|
||||||
|
|
||||||
kubelet:
|
kubelet:
|
||||||
bins:
|
|
||||||
- "hyperkube kubelet"
|
|
||||||
- "kubelet"
|
|
||||||
defaultconf: "/etc/kubernetes/kubelet/kubelet-config.json"
|
|
||||||
defaultsvc: "/etc/systemd/system/kubelet.service"
|
defaultsvc: "/etc/systemd/system/kubelet.service"
|
||||||
defaultkubeconfig: "/var/lib/kubelet/kubeconfig"
|
defaultkubeconfig: "/var/lib/kubelet/kubeconfig"
|
||||||
|
|
||||||
|
@ -31,11 +31,3 @@ master:
|
|||||||
- /etc/kubernetes/manifests/etcd.yaml
|
- /etc/kubernetes/manifests/etcd.yaml
|
||||||
- /etc/kubernetes/manifests/etcd.manifest
|
- /etc/kubernetes/manifests/etcd.manifest
|
||||||
defaultconf: /etc/kubernetes/manifests/etcd.yaml
|
defaultconf: /etc/kubernetes/manifests/etcd.yaml
|
||||||
|
|
||||||
node:
|
|
||||||
kubelet:
|
|
||||||
defaultconf: /etc/kubernetes/kubelet.conf
|
|
||||||
defaultsvc: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
|
|
||||||
|
|
||||||
proxy:
|
|
||||||
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
|
||||||
|
@ -31,11 +31,3 @@ master:
|
|||||||
- /etc/kubernetes/manifests/etcd.yaml
|
- /etc/kubernetes/manifests/etcd.yaml
|
||||||
- /etc/kubernetes/manifests/etcd.manifest
|
- /etc/kubernetes/manifests/etcd.manifest
|
||||||
defaultconf: /etc/kubernetes/manifests/etcd.yaml
|
defaultconf: /etc/kubernetes/manifests/etcd.yaml
|
||||||
|
|
||||||
node:
|
|
||||||
kubelet:
|
|
||||||
defaultconf: /etc/kubernetes/kubelet.conf
|
|
||||||
defaultsvc: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
|
|
||||||
|
|
||||||
proxy:
|
|
||||||
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
|
||||||
|
@ -220,12 +220,15 @@ groups:
|
|||||||
text: "Ensure that the admission control plugin NamespaceLifecycle is set (Scored)"
|
text: "Ensure that the admission control plugin NamespaceLifecycle is set (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--disable-admission-plugins"
|
- flag: "--disable-admission-plugins"
|
||||||
compare:
|
compare:
|
||||||
op: nothave
|
op: nothave
|
||||||
value: "NamespaceLifecycle"
|
value: "NamespaceLifecycle"
|
||||||
set: true
|
set: true
|
||||||
|
- flag: "--disable-admission-plugins"
|
||||||
|
set: false
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the API server pod specification file $apiserverconf
|
Edit the API server pod specification file $apiserverconf
|
||||||
on the master node and set the --disable-admission-plugins parameter to
|
on the master node and set the --disable-admission-plugins parameter to
|
||||||
|
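Review bot: The added `set: false` item under `bin_op: or` makes this check pass whenever `--disable-admission-plugins` is absent from the API server command line, and the hunk records no reason for it. That result is only correct because NamespaceLifecycle is enabled by default when the flag is not given. A comment above the second `- flag:` item, such as `# flag absent: NamespaceLifecycle stays enabled by default`, would stop a later editor from reading the item as a loophole or copying it to a plugin that is not default-on. The `remediation` block continues outside the hunk.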
@ -31,12 +31,3 @@ master:
|
|||||||
- /etc/kubernetes/manifests/etcd.yaml
|
- /etc/kubernetes/manifests/etcd.yaml
|
||||||
- /etc/kubernetes/manifests/etcd.manifest
|
- /etc/kubernetes/manifests/etcd.manifest
|
||||||
defaultconf: /etc/kubernetes/manifests/etcd.yaml
|
defaultconf: /etc/kubernetes/manifests/etcd.yaml
|
||||||
|
|
||||||
node:
|
|
||||||
kubelet:
|
|
||||||
defaultconf: /var/lib/kubelet/config.yaml
|
|
||||||
defaultsvc: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
|
|
||||||
defaultkubeconfig: /etc/kubernetes/kubelet.conf
|
|
||||||
|
|
||||||
proxy:
|
|
||||||
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
|
||||||
|
@ -81,6 +81,9 @@ node:
|
|||||||
bins:
|
bins:
|
||||||
- "hyperkube kubelet"
|
- "hyperkube kubelet"
|
||||||
- "kubelet"
|
- "kubelet"
|
||||||
|
confs:
|
||||||
|
- "/var/lib/kubelet/config.yaml"
|
||||||
|
- "/etc/kubernetes/kubelet/kubelet-config.json"
|
||||||
defaultconf: "/var/lib/kubelet/config.yaml"
|
defaultconf: "/var/lib/kubelet/config.yaml"
|
||||||
defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
|
defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
|
||||||
defaultkubeconfig: "/etc/kubernetes/kubelet.conf"
|
defaultkubeconfig: "/etc/kubernetes/kubelet.conf"
|
||||||
@ -93,6 +96,7 @@ node:
|
|||||||
confs:
|
confs:
|
||||||
- /etc/kubernetes/proxy
|
- /etc/kubernetes/proxy
|
||||||
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
||||||
|
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
||||||
defaultkubeconfig: "/etc/kubernetes/proxy.conf"
|
defaultkubeconfig: "/etc/kubernetes/proxy.conf"
|
||||||
|
|
||||||
federated:
|
federated:
|
||||||
|
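Review bot: The new `confs` list under `node: kubelet:` puts `/var/lib/kubelet/config.yaml` ahead of `/etc/kubernetes/kubelet/kubelet-config.json`, and nothing in the file says how the order is used. If kube-bench resolves the kubelet config to the first listed path that exists (presumably; the lookup code is not visible here), a node carrying both files would have its permission and ownership checks run against only one of them, which may not be the file the kubelet actually loads. A comment above the list, such as `# searched in order; the first existing file is audited, defaultconf is used when none exists`, would make that explicit. The `defaultconf` added to the proxy block in the second hunk has a related gap: it points at a daemonset manifest that may not be present on the node, so it is worth confirming that checks report a missing file rather than passing.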