From 893aa3588c10db901f65e93a5a523e091717b4ef Mon Sep 17 00:00:00 2001 From: mwwolters Date: Tue, 30 Jul 2019 10:09:24 -0700 Subject: [PATCH] Updated check to pass if flag isn't set (#375) --- cfg/1.11/master.yaml | 3 +++ cfg/1.13/master.yaml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/cfg/1.11/master.yaml b/cfg/1.11/master.yaml index f24cc61..8a44464 100644 --- a/cfg/1.11/master.yaml +++ b/cfg/1.11/master.yaml @@ -153,12 +153,15 @@ groups: text: "Ensure that the admission control plugin AlwaysAdmit is not set (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: + bin_op: or test_items: - flag: "--enable-admission-plugins" compare: op: nothave value: AlwaysAdmit set: true + - flag: "--enable-admission-plugins" + set: false remediation: | Edit the API server pod specification file $apiserverconf on the master node and set the --enable-admission-plugins parameter to a diff --git a/cfg/1.13/master.yaml b/cfg/1.13/master.yaml index be9e757..ea7b974 100644 --- a/cfg/1.13/master.yaml +++ b/cfg/1.13/master.yaml @@ -153,12 +153,15 @@ groups: text: "Ensure that the admission control plugin AlwaysAdmit is not set (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: + bin_op: or test_items: - flag: "--enable-admission-plugins" compare: op: nothave value: AlwaysAdmit set: true + - flag: "--enable-admission-plugins" + set: false remediation: | Edit the API server pod specification file $apiserverconf on the master node and set the --enable-admission-plugins parameter to a
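Review bot: The added `set: false` item under `bin_op: or` makes the check pass whenever `--enable-admission-plugins` is missing from the audit output, which presumably includes the case where `ps -ef | grep $apiserverbin | grep -v grep` matches no process at all, so a host where the API server was not found could report PASS for AlwaysAdmit. The new item also ignores the deprecated `--admission-control` flag; if the 1.11 and 1.13 API servers still accept it, `--admission-control=AlwaysAdmit` with no `--enable-admission-plugins` would pass too. The identical hunk in cfg/1.13/master.yaml has the same gap. I would add a comment above the new item, `# absent flag passes (AlwaysAdmit is not enabled by default); does not cover --admission-control or an empty audit result`, and consider a separate test that the audit output is non-empty. Both hunks end inside the remediation text, so the rest of the check is not visible here.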