
Fixes for node and etcd TCs

This commit is contained in:
Deepanshu Bhatia 2024-09-18 00:43:10 +05:30 committed by Md Safiyat Reza
parent 1a2de3063b
commit 77a1f3a7a0
2 changed files with 46 additions and 36 deletions


@ -28,7 +28,7 @@ groups:
- flag: "file" - flag: "file"
compare: compare:
op: regex op: regex
value: '\/etc\/kubernetes\/static-pod-certs\/secrets\/etcd-all-serving\/etcd-serving-.*\.(?:crt|key)' value: '\/etc\/kubernetes\/static-pod-certs\/secrets\/etcd-all-certs\/etcd-serving-.*\.(?:crt|key)'
remediation: | remediation: |
OpenShift does not use the etcd-certfile or etcd-keyfile flags. OpenShift does not use the etcd-certfile or etcd-keyfile flags.
Certificates for etcd are managed by the etcd cluster operator. Certificates for etcd are managed by the etcd cluster operator.
@ -103,7 +103,7 @@ groups:
- flag: "file" - flag: "file"
compare: compare:
op: regex op: regex
value: '\/etc\/kubernetes\/static-pod-certs\/secrets\/etcd-all-peer\/etcd-peer-.*\.(?:crt|key)' value: '\/etc\/kubernetes\/static-pod-certs\/secrets\/etcd-all-certs\/etcd-peer-.*\.(?:crt|key)'
remediation: | remediation: |
None. This configuration is managed by the etcd operator. None. This configuration is managed by the etcd operator.
scored: false scored: false
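Review bot: The regex values on the changed lines in both hunks of this file still escape every `/` as `\/`, which is noise rather than protection: the value is single-quoted, so YAML already keeps backslashes literal, and `/` is not a metacharacter in the Go regexp engine kube-bench uses. The serving-cert line reads more clearly as `value: '/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-.*\.(?:crt|key)'`, and the peer-cert line in the hunk at @ -103,7 +103,7 likewise. If the intent is that the certificate lives directly in `etcd-all-certs`, consider `[^/]*` instead of `.*`, since `.*` also matches across further directory components.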


@ -148,8 +148,13 @@ groups:
text: "Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)" text: "Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)"
audit: | audit: |
NODE_NAME=$(oc get pod $HOSTNAME -o=jsonpath='{.spec.nodeName}') NODE_NAME=$(oc get pod $HOSTNAME -o=jsonpath='{.spec.nodeName}')
# default setups have the file present at /var/lib/kubelet only. # default setups have the file present at /var/lib/kubelet only. Custom setup is present at /var/data/kubelet/config.json.
oc debug node/$NODE_NAME -- chroot /host stat -c "$NODE_NAME %n permissions=%a" /var/lib/kubelet/config.json /var/data/kubelet/config.json 2> /dev/null oc debug node/$NODE_NAME -- /bin/sh -c '
if [ -f /var/data/kubelet/config.json ]; then
chroot /host stat -c "$NODE_NAME %n permissions=%a" /var/data/kubelet/config.json;
else
chroot /host stat -c "$NODE_NAME %n permissions=%a" /var/lib/kubelet/config.json;
fi' 2> /dev/null
use_multiple_values: true use_multiple_values: true
tests: tests:
test_items: test_items:
@ -165,8 +170,13 @@ groups:
text: "Ensure that the kubelet configuration file ownership is set to root:root (Automated)" text: "Ensure that the kubelet configuration file ownership is set to root:root (Automated)"
audit: | audit: |
NODE_NAME=$(oc get pod $HOSTNAME -o=jsonpath='{.spec.nodeName}') NODE_NAME=$(oc get pod $HOSTNAME -o=jsonpath='{.spec.nodeName}')
# default setups have the file present at /var/lib/kubelet only. # default setups have the file present at /var/lib/kubelet only. Custom setup is present at /var/data/kubelet/config.json.
oc debug node/$NODE_NAME -- chroot /host stat -c "$NODE_NAME %n %U:%G" /var/lib/kubelet/config.json /var/data/kubelet/config.json 2> /dev/null oc debug node/$NODE_NAME -- /bin/sh -c '
if [ -f /var/data/kubelet/config.json ]; then
chroot /host stat -c "$NODE_NAME %n %U:%G" /var/data/kubelet/config.json;
else
chroot /host stat -c "$NODE_NAME %n %U:%G" /var/lib/kubelet/config.json;
fi' 2> /dev/null
use_multiple_values: true use_multiple_values: true
tests: tests:
test_items: test_items:
@ -229,11 +239,11 @@ groups:
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)" text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
audit: | audit: |
NODE_NAME=$(oc get pod $HOSTNAME -o=jsonpath='{.spec.nodeName}') NODE_NAME=$(oc get pod $HOSTNAME -o=jsonpath='{.spec.nodeName}')
oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig.authentication.x509' 2> /dev/null oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq -r '.kubeletconfig.authentication.x509.clientCAFile' 2> /dev/null
use_multiple_values: true use_multiple_values: true
tests: tests:
test_items: test_items:
- flag: '"clientCAFile": "/etc/kubernetes/kubelet-ca.crt"' - flag: '/etc/kubernetes/kubelet-ca.crt'
remediation: | remediation: |
None required. Changing the clientCAFile value is unsupported. None required. Changing the clientCAFile value is unsupported.
scored: true scored: true
@ -244,7 +254,7 @@ groups:
oc -n openshift-kube-apiserver get cm config -o json | jq -r '.data."config.yaml"' | jq -r '.apiServerArguments."kubelet-read-only-port"[]' 2> /dev/null oc -n openshift-kube-apiserver get cm config -o json | jq -r '.data."config.yaml"' | jq -r '.apiServerArguments."kubelet-read-only-port"[]' 2> /dev/null
tests: tests:
test_items: test_items:
- flag: '"0"' - flag: '0'
remediation: | remediation: |
In earlier versions of OpenShift 4, the read-only-port argument is not used. In earlier versions of OpenShift 4, the read-only-port argument is not used.
Follow the instructions in the documentation https://docs.openshift.com/container-platform/latest/post_installation_configuration/machine-configuration-tasks.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_post-install-machine-configuration-tasks Follow the instructions in the documentation https://docs.openshift.com/container-platform/latest/post_installation_configuration/machine-configuration-tasks.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_post-install-machine-configuration-tasks
@ -319,7 +329,7 @@ groups:
text: "Ensure that the --rotate-certificates argument is not set to false (Manual)" text: "Ensure that the --rotate-certificates argument is not set to false (Manual)"
audit: | audit: |
NODE_NAME=$(oc get pod $HOSTNAME -o=jsonpath='{.spec.nodeName}') NODE_NAME=$(oc get pod $HOSTNAME -o=jsonpath='{.spec.nodeName}')
oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq -r '.kubeletconfig' 2> /dev/null echo rotateCertificates=$(oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq -r '.kubeletconfig.rotateCertificates' 2> /dev/null)
use_multiple_values: true use_multiple_values: true
tests: tests:
test_items: test_items:
@ -336,9 +346,9 @@ groups:
audit: | audit: |
#Verify the rotateKubeletServerCertificate feature gate is on #Verify the rotateKubeletServerCertificate feature gate is on
NODE_NAME=$(oc get pod $HOSTNAME -o=jsonpath='{.spec.nodeName}') NODE_NAME=$(oc get pod $HOSTNAME -o=jsonpath='{.spec.nodeName}')
oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig.featureGates' 2> /dev/null echo RotateKubeletServerCertificate=$(oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig.featureGates.RotateKubeletServerCertificate' 2> /dev/null)
# Verify the rotateCertificates argument is set to true # Verify the rotateCertificates argument is set to true
oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq -r '.kubeletconfig' 2> /dev/null echo rotateCertificates=$(oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq -r '.kubeletconfig.rotateCertificates' 2> /dev/null)
use_multiple_values: true use_multiple_values: true
tests: tests:
bin_op: or bin_op: or
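Review bot: In the hunk at @ -148,8 +148,13 the new `[ -f /var/data/kubelet/config.json ]` test runs against the debug pod's own root filesystem, while the `stat` it chooses between runs under `chroot /host`, so the custom-path branch is only taken if the debug image itself happens to contain that file and the audit will otherwise always report the default path. The existence check should look at the same host mount the chroot relies on, e.g. `if [ -f /host/var/data/kubelet/config.json ]; then`. Separately, `$NODE_NAME` now sits inside the single-quoted `/bin/sh -c` string, so it appears to be expanded by the shell inside the debug pod rather than by the outer audit shell that set it, which would leave the node name blank in the `stat` output; closing the quote around it, `stat -c "'"$NODE_NAME"' %n permissions=%a"`, keeps the outer expansion. The same two issues apply to the ownership check in the hunk at @ -165,8 +170,13.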