mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-20 21:58:06 +00:00
Merge pull request #67 from aquasecurity/config-spacing
Remove odd spacing and line breaks from test config files
This commit is contained in:
commit
85fb818e41
@ -19,9 +19,8 @@ groups:
|
|||||||
value: false
|
value: false
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the deployment specs and set --anonymous-auth=false .
|
Edit the deployment specs and set --anonymous-auth=false.
|
||||||
kubectl edit deployments federation-apiserver-deployment --
|
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||||
namespace=federation-system
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.2
|
- id: 3.1.2
|
||||||
@ -33,9 +32,8 @@ groups:
|
|||||||
set: false
|
set: false
|
||||||
remediation: |
|
remediation: |
|
||||||
Follow the documentation and configure alternate mechanisms for authentication. Then,
|
Follow the documentation and configure alternate mechanisms for authentication. Then,
|
||||||
edit the deployment specs and remove "--basic-auth-file=<filename>" .
|
edit the deployment specs and remove "--basic-auth-file=<filename>".
|
||||||
kubectl edit deployments federation-apiserver-deployment --
|
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||||
namespace=federation-system
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.3
|
- id: 3.1.3
|
||||||
@ -46,9 +44,8 @@ groups:
|
|||||||
- flag: "--insecure-allow-any-token"
|
- flag: "--insecure-allow-any-token"
|
||||||
set: false
|
set: false
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the deployment specs and remove --insecure-allow-any-token .
|
Edit the deployment specs and remove --insecure-allow-any-token.
|
||||||
kubectl edit deployments federation-apiserver-deployment --
|
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||||
namespace=federation-system
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.4
|
- id: 3.1.4
|
||||||
@ -59,9 +56,8 @@ groups:
|
|||||||
- flag: "--insecure-bind-address"
|
- flag: "--insecure-bind-address"
|
||||||
set: false
|
set: false
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the deployment specs and remove --insecure-bind-address .
|
Edit the deployment specs and remove --insecure-bind-address.
|
||||||
kubectl edit deployments federation-apiserver-deployment --
|
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||||
namespace=federation-system
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.5
|
- id: 3.1.5
|
||||||
@ -75,9 +71,8 @@ groups:
|
|||||||
value: 0
|
value: 0
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the deployment specs and set --insecure-port=0 .
|
Edit the deployment specs and set --insecure-port=0.
|
||||||
kubectl edit deployments federation-apiserver-deployment --
|
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||||
namespace=federation-system
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.6
|
- id: 3.1.6
|
||||||
@ -95,8 +90,7 @@ groups:
|
|||||||
set: false
|
set: false
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the deployment specs and set the --secure-port argument to the desired port.
|
Edit the deployment specs and set the --secure-port argument to the desired port.
|
||||||
kubectl edit deployments federation-apiserver-deployment --
|
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||||
namespace=federation-system
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.7
|
- id: 3.1.7
|
||||||
@ -110,9 +104,8 @@ groups:
|
|||||||
value: false
|
value: false
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the deployment specs and set "--profiling=false" :
|
Edit the deployment specs and set "--profiling=false":
|
||||||
kubectl edit deployments federation-apiserver-deployment --
|
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||||
namespace=federation-system
|
|
||||||
score: true
|
score: true
|
||||||
|
|
||||||
- id: 3.1.8
|
- id: 3.1.8
|
||||||
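Review bot: the trailing context line of this hunk still reads `score: true` on both the old and new side, while every other check in this file closes with `scored: true`; kube-bench will not treat the misspelled key as the scored flag, so this check silently loses its scoring. Since the PR is already editing this block, fix it to `scored: true` in the same commit.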
@ -128,8 +121,7 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Edit the deployment specs and set --admission-control argument to a value that does not
|
Edit the deployment specs and set --admission-control argument to a value that does not
|
||||||
include AlwaysAdmit .
|
include AlwaysAdmit .
|
||||||
kubectl edit deployments federation-apiserver-deployment --
|
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||||
namespace=federation-system
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.9
|
- id: 3.1.9
|
||||||
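Review bot: the stray space before the full stop in `include AlwaysAdmit .` is carried over unchanged to the new side, even though the same spacing is removed in the neighbouring hunks (for example `remove --insecure-allow-any-token.`). Drop the space so the line reads `include AlwaysAdmit.` and the fix is consistent across the file.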
@ -144,9 +136,8 @@ groups:
|
|||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the deployment specs and set --admission-control argument to a value that includes
|
Edit the deployment specs and set --admission-control argument to a value that includes
|
||||||
NamespaceLifecycle .
|
NamespaceLifecycle.
|
||||||
kubectl edit deployments federation-apiserver-deployment --
|
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||||
namespace=federation-system
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.10
|
- id: 3.1.10
|
||||||
@ -172,8 +163,7 @@ groups:
|
|||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the deployment specs and set --audit-log-maxage to 30 or as appropriate.
|
Edit the deployment specs and set --audit-log-maxage to 30 or as appropriate.
|
||||||
kubectl edit deployments federation-apiserver-deployment --
|
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||||
namespace=federation-system
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.12
|
- id: 3.1.12
|
||||||
@ -188,8 +178,7 @@ groups:
|
|||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the deployment specs and set --audit-log-maxbackup to 10 or as appropriate.
|
Edit the deployment specs and set --audit-log-maxbackup to 10 or as appropriate.
|
||||||
kubectl edit deployments federation-apiserver-deployment --
|
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||||
namespace=federation-system
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.13
|
- id: 3.1.13
|
||||||
@ -204,8 +193,7 @@ groups:
|
|||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the deployment specs and set --audit-log-maxsize=100 to 100 or as appropriate.
|
Edit the deployment specs and set --audit-log-maxsize=100 to 100 or as appropriate.
|
||||||
kubectl edit deployments federation-apiserver-deployment --
|
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||||
namespace=federation-system
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.14
|
- id: 3.1.14
|
||||||
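Review bot: the remediation sentence `set --audit-log-maxsize=100 to 100 or as appropriate.` names the value twice and reads as if `=100` were part of the flag name; the adjacent checks use the form `set --audit-log-maxage to 30 or as appropriate.` Suggest `set --audit-log-maxsize to 100 or as appropriate.` to match that wording while this block is being touched.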
@ -221,8 +209,7 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Edit the deployment specs and set --authorization-mode argument to a value other than
|
Edit the deployment specs and set --authorization-mode argument to a value other than
|
||||||
AlwaysAllow
|
AlwaysAllow
|
||||||
kubectl edit deployments federation-apiserver-deployment --
|
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||||
namespace=federation-system
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.15
|
- id: 3.1.15
|
||||||
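Review bot: `AlwaysAllow` at the end of the remediation sentence has no terminating full stop, unlike the other remediation texts in this file that this PR is normalising; add one so the line reads `AlwaysAllow.`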
@ -235,8 +222,7 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Follow the documentation and configure alternate mechanisms for authentication. Then,
|
Follow the documentation and configure alternate mechanisms for authentication. Then,
|
||||||
edit the deployment specs and remove the --token-auth-file=<filename> argument.
|
edit the deployment specs and remove the --token-auth-file=<filename> argument.
|
||||||
kubectl edit deployments federation-apiserver-deployment --
|
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||||
namespace=federation-system
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.16
|
- id: 3.1.16
|
||||||
@ -251,8 +237,7 @@ groups:
|
|||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the deployment specs and set "--service-account-lookup=true" .
|
Edit the deployment specs and set "--service-account-lookup=true" .
|
||||||
kubectl edit deployments federation-apiserver-deployment --
|
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||||
namespace=federation-system
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.17
|
- id: 3.1.17
|
||||||
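Review bot: the space before the full stop in `set "--service-account-lookup=true" .` is left as-is on the new side, which is exactly the kind of odd spacing the commit message says it removes; change it to `set "--service-account-lookup=true".`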
@ -264,8 +249,7 @@ groups:
|
|||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the deployment specs and set --service-account-key-file argument as appropriate.
|
Edit the deployment specs and set --service-account-key-file argument as appropriate.
|
||||||
kubectl edit deployments federation-apiserver-deployment --
|
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||||
namespace=federation-system
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.18
|
- id: 3.1.18
|
||||||
@ -281,11 +265,10 @@ groups:
|
|||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Follow the Kubernetes documentation and set up the TLS connection between the
|
Follow the Kubernetes documentation and set up the TLS connection between the
|
||||||
federation apiserver and etcd. Then, edit the deployment specs and set "--etcd-
|
federation apiserver and etcd. Then, edit the deployment specs and set
|
||||||
certfile=<path/to/client-certificate-file>" and "--etcd-
|
"--etcd-certfile=<path/to/client-certificate-file>" and
|
||||||
keyfile=<path/to/client-key-file>" arguments.
|
"--etcd-keyfile=<path/to/client-key-file>" arguments.
|
||||||
kubectl edit deployments federation-apiserver-deployment --
|
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||||
namespace=federation-system
|
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.19
|
- id: 3.1.19
|
||||||
@ -301,10 +284,10 @@ groups:
|
|||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Follow the Kubernetes documentation and set up the TLS connection on the federation
|
Follow the Kubernetes documentation and set up the TLS connection on the federation
|
||||||
apiserver. Then, edit the deployment specs and set "--tls-cert-file=<path/to/tls-
|
apiserver. Then, edit the deployment specs and set
|
||||||
certificate-file>" and "--tls-private-key-file=<path/to/tls-key-file>" :
|
"--tls-cert-file=<path/to/tls-certificate-file>" and
|
||||||
kubectl edit deployments federation-apiserver-deployment --
|
"--tls-private-key-file=<path/to/tls-key-file>":
|
||||||
namespace=federation-system
|
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.2
|
- id: 3.2
|
||||||
@ -321,7 +304,6 @@ groups:
|
|||||||
value: false
|
value: false
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the deployment specs and set "--profiling=false" :
|
Edit the deployment specs and set "--profiling=false":
|
||||||
kubectl edit deployments federation-controller-manager-deployment --
|
kubectl edit deployments federation-controller-manager-deployment --namespace=federation-system
|
||||||
namespace=federation-system
|
|
||||||
scored: true
|
scored: true
|
||||||
|
@ -163,7 +163,7 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Edit the API server pod specification file $apiserverpodspec
|
Edit the API server pod specification file $apiserverpodspec
|
||||||
on the master node and set the --admission-control parameter to a
|
on the master node and set the --admission-control parameter to a
|
||||||
value that does not include AlwaysAdmit .
|
value that does not include AlwaysAdmit.
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.11
|
- id: 1.1.11
|
||||||
@ -179,7 +179,7 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Edit the API server pod specification file $apiserverpodspec
|
Edit the API server pod specification file $apiserverpodspec
|
||||||
on the master node and set the --admission-control parameter to
|
on the master node and set the --admission-control parameter to
|
||||||
include AlwaysPullImages .
|
include AlwaysPullImages.
|
||||||
--admission-control=...,AlwaysPullImages,...
|
--admission-control=...,AlwaysPullImages,...
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
@ -196,7 +196,7 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Edit the API server pod specification file $apiserverpodspec
|
Edit the API server pod specification file $apiserverpodspec
|
||||||
on the master node and set the --admission-control parameter to a
|
on the master node and set the --admission-control parameter to a
|
||||||
value that includes DenyEscalatingExec .
|
value that includes DenyEscalatingExec.
|
||||||
--admission-control=...,DenyEscalatingExec,...
|
--admission-control=...,DenyEscalatingExec,...
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
@ -213,7 +213,7 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Edit the API server pod specification file $apiserverpodspec
|
Edit the API server pod specification file $apiserverpodspec
|
||||||
on the master node and set the --admission-control parameter to
|
on the master node and set the --admission-control parameter to
|
||||||
include SecurityContextDeny .
|
include SecurityContextDeny.
|
||||||
--admission-control=...,SecurityContextDeny,...
|
--admission-control=...,SecurityContextDeny,...
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
@ -230,7 +230,7 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Edit the API server pod specification file $apiserverpodspec
|
Edit the API server pod specification file $apiserverpodspec
|
||||||
on the master node and set the --admission-control parameter to
|
on the master node and set the --admission-control parameter to
|
||||||
include NamespaceLifecycle .
|
include NamespaceLifecycle.
|
||||||
--admission-control=...,NamespaceLifecycle,...
|
--admission-control=...,NamespaceLifecycle,...
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
@ -312,7 +312,7 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Edit the API server pod specification file $apiserverpodspec
|
Edit the API server pod specification file $apiserverpodspec
|
||||||
on the master node and set the --authorization-mode parameter to
|
on the master node and set the --authorization-mode parameter to
|
||||||
values other than AlwaysAllow . One such example could be as below.
|
values other than AlwaysAllow. One such example could be as below.
|
||||||
--authorization-mode=RBAC
|
--authorization-mode=RBAC
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
@ -450,7 +450,7 @@ groups:
|
|||||||
Follow the documentation and create ServiceAccount objects as per your environment.
|
Follow the documentation and create ServiceAccount objects as per your environment.
|
||||||
Then, edit the API server pod specification file $apiserverpodspec
|
Then, edit the API server pod specification file $apiserverpodspec
|
||||||
on the master node and set the --admission-control parameter to a
|
on the master node and set the --admission-control parameter to a
|
||||||
value that includes ServiceAccount .
|
value that includes ServiceAccount.
|
||||||
--admission-control=...,ServiceAccount,...
|
--admission-control=...,ServiceAccount,...
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
@ -516,7 +516,7 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Edit the API server pod specification file $apiserverpodspec
|
Edit the API server pod specification file $apiserverpodspec
|
||||||
on the master node and set the --authorization-mode parameter to a
|
on the master node and set the --authorization-mode parameter to a
|
||||||
value that includes Node .
|
value that includes Node.
|
||||||
--authorization-mode=Node,RBAC
|
--authorization-mode=Node,RBAC
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
@ -598,8 +598,7 @@ groups:
|
|||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
Follow the Kubernetes documentation and set the desired audit policy in the
|
Follow the Kubernetes documentation and set the desired audit policy in the
|
||||||
/etc/kubernetes/audit-policy.yaml file.
|
/etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverpodspec
|
||||||
Then, edit the API server pod specification file $apiserverpodspec
|
|
||||||
and set the below parameters.
|
and set the below parameters.
|
||||||
--audit-policy-file=/etc/kubernetes/audit-policy.yaml
|
--audit-policy-file=/etc/kubernetes/audit-policy.yaml
|
||||||
scored: true
|
scored: true
|
||||||
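Review bot: the rejoined line `/etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverpodspec` is now noticeably longer than the rest of the wrapped remediation text in this file; consider breaking before `Then,` so the wrap width stays consistent with the surrounding blocks.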
@ -646,8 +645,7 @@ groups:
|
|||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the Controller Manager pod specification file $apiserverpodspec
|
Edit the Controller Manager pod specification file $apiserverpodspec
|
||||||
on the master node and set the --terminated-pod-gc-
|
on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold, for example:
|
||||||
threshold to an appropriate threshold, for example:
|
|
||||||
--terminated-pod-gc-threshold=10
|
--terminated-pod-gc-threshold=10
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
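Review bot: the remediation says to edit the Controller Manager pod specification file but substitutes `$apiserverpodspec`, the variable used above for the API server pod spec (the etcd checks further down use their own `$etcdpodspec`). Unless the controller manager is really started from the API server manifest, this should reference the controller-manager pod spec variable; the line rewrap itself is fine.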
@ -707,7 +705,7 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Edit the Controller Manager pod specification file $apiserverpodspec
|
Edit the Controller Manager pod specification file $apiserverpodspec
|
||||||
on the master node and set the --root-ca-file parameter to
|
on the master node and set the --root-ca-file parameter to
|
||||||
the certificate bundle file`.
|
the certificate bundle file.
|
||||||
--root-ca-file=<path/to/file>
|
--root-ca-file=<path/to/file>
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
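Review bot: same variable mix-up as in the `--terminated-pod-gc-threshold` check: `Edit the Controller Manager pod specification file $apiserverpodspec` points at the API server spec variable rather than the controller manager one. Removing the stray backtick in `bundle file`.` is correct; please also fix the variable while this block is being edited.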
@ -1124,7 +1122,7 @@ groups:
|
|||||||
value: true
|
value: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the etcd pod specification file $etcdpodspec on the master
|
Edit the etcd pod specification file $etcdpodspec on the master
|
||||||
node and either remove the --auto-tls parameter or set it to false .
|
node and either remove the --auto-tls parameter or set it to false.
|
||||||
--auto-tls=false
|
--auto-tls=false
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
@ -1140,8 +1138,7 @@ groups:
|
|||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Follow the etcd service documentation and configure peer TLS encryption as appropriate
|
Follow the etcd service documentation and configure peer TLS encryption as appropriate
|
||||||
for your etcd cluster.
|
for your etcd cluster. Then, edit the etcd pod specification file $etcdpodspec on the
|
||||||
Then, edit the etcd pod specification file $etcdpodspec on the
|
|
||||||
master node and set the below parameters.
|
master node and set the below parameters.
|
||||||
--peer-client-file=</path/to/peer-cert-file>
|
--peer-client-file=</path/to/peer-cert-file>
|
||||||
--peer-key-file=</path/to/peer-key-file>
|
--peer-key-file=</path/to/peer-key-file>
|
||||||
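Review bot: `--peer-client-file` is not an etcd flag; the peer certificate is passed with `--peer-cert-file` (paired with `--peer-key-file`, which this block already has right). Since the commit is rewrapping this remediation anyway, correct the flag name to `--peer-cert-file=</path/to/peer-cert-file>` so the guidance is actionable.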
@ -1178,7 +1175,7 @@ groups:
|
|||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the etcd pod specification file $etcdpodspec on the master
|
Edit the etcd pod specification file $etcdpodspec on the master
|
||||||
node and either remove the --peer-auto-tls parameter or set it to false .
|
node and either remove the --peer-auto-tls parameter or set it to false.
|
||||||
--peer-auto-tls=false
|
--peer-auto-tls=false
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|