mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-27 08:58:06 +00:00

Changed 1.1.14 to not fail when flag is not set

Added another test item that checks whether --disable-admission-plugins is not set and an "or" bin_op. 
This causes check 1.1.14 to be successful when the flag is not set, while still failing when the flag is set and includes the value NamespaceLifecycle
Maximilian Bischoff 2019-01-08 13:58:41 +01:00 committed by GitHub
parent f6cab11357
commit 791fbba9e7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -220,12 +220,15 @@ groups:
text: "Ensure that the admission control plugin NamespaceLifecycle is set (Scored)" text: "Ensure that the admission control plugin NamespaceLifecycle is set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "--disable-admission-plugins" - flag: "--disable-admission-plugins"
compare: compare:
op: nothave op: nothave
value: "NamespaceLifecycle" value: "NamespaceLifecycle"
set: true set: true
- flag: "--disable-admission-plugins"
set: false
remediation: | remediation: |
Edit the API server pod specification file $apiserverconf Edit the API server pod specification file $apiserverconf
on the master node and set the --disable-admission-plugins parameter to on the master node and set the --disable-admission-plugins parameter to
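Review bot: the remediation text at the end of this hunk is unchanged and still tells the operator to set the --disable-admission-plugins parameter, while the new second test item (`set: false`) makes an unset flag a pass. The remediation should state that leaving the flag unset is also compliant, so the guidance matches what the check accepts. Both test items name the same flag and only differ in `set`, so a short YAML comment next to `bin_op: or` explaining that one item covers "flag absent" and the other "flag present without NamespaceLifecycle" would keep a later edit from dropping the second item as a duplicate. No test case for the unset-flag path is visible in this hunk; one that runs the check against an API server command line without the flag would pin the new behaviour.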