mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-20 21:58:06 +00:00

Merge pull request #67 from aquasecurity/config-spacing

Remove odd spacing and line breaks from test config files
Liz Rice 2017-11-02 11:14:03 +00:00 committed by GitHub
commit 85fb818e41
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 47 additions and 68 deletions


@ -20,8 +20,7 @@ groups:
set: true set: true
remediation: | remediation: |
Edit the deployment specs and set --anonymous-auth=false. Edit the deployment specs and set --anonymous-auth=false.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.2 - id: 3.1.2
@ -34,8 +33,7 @@ groups:
remediation: | remediation: |
Follow the documentation and configure alternate mechanisms for authentication. Then, Follow the documentation and configure alternate mechanisms for authentication. Then,
edit the deployment specs and remove "--basic-auth-file=<filename>". edit the deployment specs and remove "--basic-auth-file=<filename>".
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.3 - id: 3.1.3
@ -47,8 +45,7 @@ groups:
set: false set: false
remediation: | remediation: |
Edit the deployment specs and remove --insecure-allow-any-token. Edit the deployment specs and remove --insecure-allow-any-token.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.4 - id: 3.1.4
@ -60,8 +57,7 @@ groups:
set: false set: false
remediation: | remediation: |
Edit the deployment specs and remove --insecure-bind-address. Edit the deployment specs and remove --insecure-bind-address.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.5 - id: 3.1.5
@ -76,8 +72,7 @@ groups:
set: true set: true
remediation: | remediation: |
Edit the deployment specs and set --insecure-port=0. Edit the deployment specs and set --insecure-port=0.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.6 - id: 3.1.6
@ -95,8 +90,7 @@ groups:
set: false set: false
remediation: | remediation: |
Edit the deployment specs and set the --secure-port argument to the desired port. Edit the deployment specs and set the --secure-port argument to the desired port.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.7 - id: 3.1.7
@ -111,8 +105,7 @@ groups:
set: true set: true
remediation: | remediation: |
Edit the deployment specs and set "--profiling=false": Edit the deployment specs and set "--profiling=false":
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
score: true score: true
- id: 3.1.8 - id: 3.1.8
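Review bot: the last key of the check that ends just before `- id: 3.1.8` is spelled `score: true`, while every other check in this file uses `scored: true`. Unless the loader treats both spellings alike, this check will not be marked as scored; since the commit already touches the entry, rename the key to `scored`.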
@ -128,8 +121,7 @@ groups:
remediation: | remediation: |
Edit the deployment specs and set --admission-control argument to a value that does not Edit the deployment specs and set --admission-control argument to a value that does not
include AlwaysAdmit . include AlwaysAdmit .
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.9 - id: 3.1.9
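Review bot: the remediation text `include AlwaysAdmit .` still has a space before the full stop, which is the kind of odd spacing this commit sets out to remove. Suggest `include AlwaysAdmit.`; the later line `"--service-account-lookup=true" .` has the same leftover.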
@ -145,8 +137,7 @@ groups:
remediation: | remediation: |
Edit the deployment specs and set --admission-control argument to a value that includes Edit the deployment specs and set --admission-control argument to a value that includes
NamespaceLifecycle. NamespaceLifecycle.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.10 - id: 3.1.10
@ -172,8 +163,7 @@ groups:
set: true set: true
remediation: | remediation: |
Edit the deployment specs and set --audit-log-maxage to 30 or as appropriate. Edit the deployment specs and set --audit-log-maxage to 30 or as appropriate.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.12 - id: 3.1.12
@ -188,8 +178,7 @@ groups:
set: true set: true
remediation: | remediation: |
Edit the deployment specs and set --audit-log-maxbackup to 10 or as appropriate. Edit the deployment specs and set --audit-log-maxbackup to 10 or as appropriate.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.13 - id: 3.1.13
@ -204,8 +193,7 @@ groups:
set: true set: true
remediation: | remediation: |
Edit the deployment specs and set --audit-log-maxsize=100 to 100 or as appropriate. Edit the deployment specs and set --audit-log-maxsize=100 to 100 or as appropriate.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.14 - id: 3.1.14
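Review bot: the remediation sentence reads `set --audit-log-maxsize=100 to 100 or as appropriate`, which states the value twice. Suggest `set --audit-log-maxsize to 100 or as appropriate`, matching the wording used for --audit-log-maxage and --audit-log-maxbackup.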
@ -221,8 +209,7 @@ groups:
remediation: | remediation: |
Edit the deployment specs and set --authorization-mode argument to a value other than Edit the deployment specs and set --authorization-mode argument to a value other than
AlwaysAllow AlwaysAllow
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.15 - id: 3.1.15
@ -235,8 +222,7 @@ groups:
remediation: | remediation: |
Follow the documentation and configure alternate mechanisms for authentication. Then, Follow the documentation and configure alternate mechanisms for authentication. Then,
edit the deployment specs and remove the --token-auth-file=<filename> argument. edit the deployment specs and remove the --token-auth-file=<filename> argument.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.16 - id: 3.1.16
@ -251,8 +237,7 @@ groups:
set: true set: true
remediation: | remediation: |
Edit the deployment specs and set "--service-account-lookup=true" . Edit the deployment specs and set "--service-account-lookup=true" .
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.17 - id: 3.1.17
@ -264,8 +249,7 @@ groups:
set: true set: true
remediation: | remediation: |
Edit the deployment specs and set --service-account-key-file argument as appropriate. Edit the deployment specs and set --service-account-key-file argument as appropriate.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.18 - id: 3.1.18
@ -281,11 +265,10 @@ groups:
set: true set: true
remediation: | remediation: |
Follow the Kubernetes documentation and set up the TLS connection between the Follow the Kubernetes documentation and set up the TLS connection between the
federation apiserver and etcd. Then, edit the deployment specs and set "--etcd- federation apiserver and etcd. Then, edit the deployment specs and set
certfile=<path/to/client-certificate-file>" and "--etcd- "--etcd-certfile=<path/to/client-certificate-file>" and
keyfile=<path/to/client-key-file>" arguments. "--etcd-keyfile=<path/to/client-key-file>" arguments.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.19 - id: 3.1.19
@ -301,10 +284,10 @@ groups:
set: true set: true
remediation: | remediation: |
Follow the Kubernetes documentation and set up the TLS connection on the federation Follow the Kubernetes documentation and set up the TLS connection on the federation
apiserver. Then, edit the deployment specs and set "--tls-cert-file=<path/to/tls- apiserver. Then, edit the deployment specs and set
certificate-file>" and "--tls-private-key-file=<path/to/tls-key-file>" : "--tls-cert-file=<path/to/tls-certificate-file>" and
kubectl edit deployments federation-apiserver-deployment -- "--tls-private-key-file=<path/to/tls-key-file>":
namespace=federation-system kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
scored: true scored: true
- id: 3.2 - id: 3.2
@ -322,6 +305,5 @@ groups:
set: true set: true
remediation: | remediation: |
Edit the deployment specs and set "--profiling=false": Edit the deployment specs and set "--profiling=false":
kubectl edit deployments federation-controller-manager-deployment -- kubectl edit deployments federation-controller-manager-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true


@ -598,8 +598,7 @@ groups:
type: "manual" type: "manual"
remediation: | remediation: |
Follow the Kubernetes documentation and set the desired audit policy in the Follow the Kubernetes documentation and set the desired audit policy in the
/etc/kubernetes/audit-policy.yaml file. /etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverpodspec
Then, edit the API server pod specification file $apiserverpodspec
and set the below parameters. and set the below parameters.
--audit-policy-file=/etc/kubernetes/audit-policy.yaml --audit-policy-file=/etc/kubernetes/audit-policy.yaml
scored: true scored: true
@ -646,8 +645,7 @@ groups:
set: true set: true
remediation: | remediation: |
Edit the Controller Manager pod specification file $apiserverpodspec Edit the Controller Manager pod specification file $apiserverpodspec
on the master node and set the --terminated-pod-gc- on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold, for example:
threshold to an appropriate threshold, for example:
--terminated-pod-gc-threshold=10 --terminated-pod-gc-threshold=10
scored: true scored: true
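Review bot: the first remediation line says to edit the Controller Manager pod specification file but substitutes `$apiserverpodspec`, so the rendered text will point at the API server's file. Use the variable that holds the controller manager pod spec path here; the --root-ca-file hunk that follows has the same mismatch.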
@ -707,7 +705,7 @@ groups:
remediation: | remediation: |
Edit the Controller Manager pod specification file $apiserverpodspec Edit the Controller Manager pod specification file $apiserverpodspec
on the master node and set the --root-ca-file parameter to on the master node and set the --root-ca-file parameter to
the certificate bundle file`. the certificate bundle file.
--root-ca-file=<path/to/file> --root-ca-file=<path/to/file>
scored: true scored: true
@ -1140,8 +1138,7 @@ groups:
set: true set: true
remediation: | remediation: |
Follow the etcd service documentation and configure peer TLS encryption as appropriate Follow the etcd service documentation and configure peer TLS encryption as appropriate
for your etcd cluster. for your etcd cluster. Then, edit the etcd pod specification file $etcdpodspec on the
Then, edit the etcd pod specification file $etcdpodspec on the
master node and set the below parameters. master node and set the below parameters.
--peer-client-file=</path/to/peer-cert-file> --peer-client-file=</path/to/peer-cert-file>
--peer-key-file=</path/to/peer-key-file> --peer-key-file=</path/to/peer-key-file>
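Review bot: the unchanged line `--peer-client-file=</path/to/peer-cert-file>` names a flag etcd does not have; the peer certificate is set with `--peer-cert-file`, as the placeholder itself suggests. Worth correcting while this remediation block is being edited, otherwise copying the text as written hands etcd an option it will not recognise.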