Updated check to pass if flag isn't set (#379)

5 years ago · 787bf6ca4d
parent f8b2f6c841
commit 787bf6ca4d
2 changed files with 6 additions and 0 deletions
--- a/cfg/1.11/master.yaml
+++ b/cfg/1.11/master.yaml
@ -441,12 +441,15 @@ groups:
    text: "Ensure that the admission control plugin ServiceAccount is set(Scored)"
    audit: "ps -ef | grep $apiserverbin | grep -v grep"
    tests:
+      bin_op: or
      test_items:
      - flag: "--enable-admission-plugins"
        compare:
          op: has
          value: "ServiceAccount"
        set: true
+      - flag: "--enable-admission-plugins"
+        set: false
    remediation: |
      Follow the documentation and create ServiceAccount objects as per your environment.
      Then, edit the API server pod specification file $apiserverconf
--- a/cfg/1.13/master.yaml
+++ b/cfg/1.13/master.yaml
@ -445,12 +445,15 @@ groups:
    text: "Ensure that the admission control plugin ServiceAccount is set(Scored)"
    audit: "ps -ef | grep $apiserverbin | grep -v grep"
    tests:
+      bin_op: or
      test_items:
      - flag: "--enable-admission-plugins"
        compare:
          op: has
          value: "ServiceAccount"
        set: true
+      - flag: "--enable-admission-plugins"
+        set: false
    remediation: |
      Follow the documentation and create ServiceAccount objects as per your environment.
      Then, edit the API server pod specification file $apiserverconf