mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-26 08:28:08 +00:00

Changed 1.1.14 to not fail when flag is not set

Added another test item that checks whether --disable-admission-plugins is not set and an "or" bin_op.
This causes check 1.1.14 to be successful when the flag is not set, while still failing when the flag is set and includes the value NamespaceLifecycle.
Maximilian Bischoff 2019-01-08 13:58:41 +01:00 committed by GitHub
parent f6cab11357
commit 791fbba9e7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -220,12 +220,15 @@ groups:
text: "Ensure that the admission control plugin NamespaceLifecycle is set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
- flag: "--disable-admission-plugins"
compare:
op: nothave
value: "NamespaceLifecycle"
set: true
- flag: "--disable-admission-plugins"
set: false
remediation: |
Edit the API server pod specification file $apiserverconf
on the master node and set the --disable-admission-plugins parameter to
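
Review bot: the added `set: false` item on `--disable-admission-plugins` is satisfied by any audit output that lacks the flag, and that includes empty output from `ps -ef | grep $apiserverbin | grep -v grep` when no API server process matches. Combined with `bin_op: or`, 1.1.14 could then report a pass on a node where nothing was actually inspected. It is worth confirming how the check behaves on empty audit output and, if it passes, requiring that the process line is present before the "not set" branch counts. Separately, the remediation text at the end of the hunk still reads as an instruction to set the parameter; a sentence saying that leaving the flag unset is also compliant would match the new logic.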