|
|
@ -32,7 +32,7 @@ groups:
|
|
|
|
audit: "cat $kubeletconf"
|
|
|
|
audit: "cat $kubeletconf"
|
|
|
|
tests:
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
test_items:
|
|
|
|
- jsonpath: "{.authentication.anonymous.enabled}"
|
|
|
|
- path: "{.authentication.anonymous.enabled}"
|
|
|
|
compare:
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
op: eq
|
|
|
|
value: false
|
|
|
|
value: false
|
|
|
@ -54,7 +54,7 @@ groups:
|
|
|
|
audit: "cat $kubeletconf"
|
|
|
|
audit: "cat $kubeletconf"
|
|
|
|
tests:
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
test_items:
|
|
|
|
- jsonpath: "{.authorization.mode}"
|
|
|
|
- path: "{.authorization.mode}"
|
|
|
|
compare:
|
|
|
|
compare:
|
|
|
|
op: noteq
|
|
|
|
op: noteq
|
|
|
|
value: "AlwaysAllow"
|
|
|
|
value: "AlwaysAllow"
|
|
|
@ -75,7 +75,7 @@ groups:
|
|
|
|
audit: "cat $kubeletconf"
|
|
|
|
audit: "cat $kubeletconf"
|
|
|
|
tests:
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
test_items:
|
|
|
|
- jsonpath: "{.authentication.x509.clientCAFile}"
|
|
|
|
- path: "{.authentication.x509.clientCAFile}"
|
|
|
|
set: true
|
|
|
|
set: true
|
|
|
|
remediation: |
|
|
|
|
remediation: |
|
|
|
|
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
|
|
|
|
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
|
|
|
@ -95,9 +95,9 @@ groups:
|
|
|
|
tests:
|
|
|
|
tests:
|
|
|
|
bin_op: or
|
|
|
|
bin_op: or
|
|
|
|
test_items:
|
|
|
|
test_items:
|
|
|
|
- jsonpath: "{.readOnlyPort}"
|
|
|
|
- path: "{.readOnlyPort}"
|
|
|
|
set: false
|
|
|
|
set: false
|
|
|
|
- jsonpath: "{.readOnlyPort}"
|
|
|
|
- path: "{.readOnlyPort}"
|
|
|
|
compare:
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
op: eq
|
|
|
|
value: "0"
|
|
|
|
value: "0"
|
|
|
@ -119,9 +119,9 @@ groups:
|
|
|
|
tests:
|
|
|
|
tests:
|
|
|
|
bin_op: or
|
|
|
|
bin_op: or
|
|
|
|
test_items:
|
|
|
|
test_items:
|
|
|
|
- jsonpath: "{.streamingConnectionIdleTimeout}"
|
|
|
|
- path: "{.streamingConnectionIdleTimeout}"
|
|
|
|
set: false
|
|
|
|
set: false
|
|
|
|
- jsonpath: "{.streamingConnectionIdleTimeout}"
|
|
|
|
- path: "{.streamingConnectionIdleTimeout}"
|
|
|
|
compare:
|
|
|
|
compare:
|
|
|
|
op: noteq
|
|
|
|
op: noteq
|
|
|
|
value: 0
|
|
|
|
value: 0
|
|
|
@ -143,7 +143,7 @@ groups:
|
|
|
|
audit: "cat $kubeletconf"
|
|
|
|
audit: "cat $kubeletconf"
|
|
|
|
tests:
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
test_items:
|
|
|
|
- jsonpath: "{.protectKernelDefaults}"
|
|
|
|
- path: "{.protectKernelDefaults}"
|
|
|
|
compare:
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
op: eq
|
|
|
|
value: true
|
|
|
|
value: true
|
|
|
@ -165,9 +165,9 @@ groups:
|
|
|
|
tests:
|
|
|
|
tests:
|
|
|
|
bin_op: or
|
|
|
|
bin_op: or
|
|
|
|
test_items:
|
|
|
|
test_items:
|
|
|
|
- jsonpath: "{.makeIPTablesUtilChains}"
|
|
|
|
- path: "{.makeIPTablesUtilChains}"
|
|
|
|
set: false
|
|
|
|
set: false
|
|
|
|
- jsonpath: "{.makeIPTablesUtilChains}"
|
|
|
|
- path: "{.makeIPTablesUtilChains}"
|
|
|
|
compare:
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
op: eq
|
|
|
|
value: true
|
|
|
|
value: true
|
|
|
@ -188,7 +188,7 @@ groups:
|
|
|
|
audit: "cat $kubeletconf"
|
|
|
|
audit: "cat $kubeletconf"
|
|
|
|
tests:
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
test_items:
|
|
|
|
- jsonpath: "{.hostnameOverride}"
|
|
|
|
- path: "{.hostnameOverride}"
|
|
|
|
set: false
|
|
|
|
set: false
|
|
|
|
remediation: |
|
|
|
|
remediation: |
|
|
|
|
Edit the kubelet service file $kubeletsvc
|
|
|
|
Edit the kubelet service file $kubeletsvc
|
|
|
@ -204,7 +204,7 @@ groups:
|
|
|
|
audit: "cat $kubeletconf"
|
|
|
|
audit: "cat $kubeletconf"
|
|
|
|
tests:
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
test_items:
|
|
|
|
- jsonpath: "{.eventRecordQPS}"
|
|
|
|
- path: "{.eventRecordQPS}"
|
|
|
|
compare:
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
op: eq
|
|
|
|
value: 0
|
|
|
|
value: 0
|
|
|
@ -226,9 +226,9 @@ groups:
|
|
|
|
tests:
|
|
|
|
tests:
|
|
|
|
bin_op: and
|
|
|
|
bin_op: and
|
|
|
|
test_items:
|
|
|
|
test_items:
|
|
|
|
- jsonpath: "{.tlsCertFile}"
|
|
|
|
- path: "{.tlsCertFile}"
|
|
|
|
set: true
|
|
|
|
set: true
|
|
|
|
- jsonpath: "{.tlsPrivateKeyFile}"
|
|
|
|
- path: "{.tlsPrivateKeyFile}"
|
|
|
|
set: true
|
|
|
|
set: true
|
|
|
|
remediation: |
|
|
|
|
remediation: |
|
|
|
|
If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
|
|
|
|
If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
|
|
|
@ -250,12 +250,12 @@ groups:
|
|
|
|
tests:
|
|
|
|
tests:
|
|
|
|
bin_op: or
|
|
|
|
bin_op: or
|
|
|
|
test_items:
|
|
|
|
test_items:
|
|
|
|
- jsonpath: "{.cadvisorPort}"
|
|
|
|
- path: "{.cadvisorPort}"
|
|
|
|
compare:
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
op: eq
|
|
|
|
value: 0
|
|
|
|
value: 0
|
|
|
|
set: true
|
|
|
|
set: true
|
|
|
|
- jsonpath: "{.cadvisorPort}"
|
|
|
|
- path: "{.cadvisorPort}"
|
|
|
|
set: false
|
|
|
|
set: false
|
|
|
|
remediation: |
|
|
|
|
remediation: |
|
|
|
|
Edit the kubelet service file $kubeletsvc
|
|
|
|
Edit the kubelet service file $kubeletsvc
|
|
|
@ -272,9 +272,9 @@ groups:
|
|
|
|
tests:
|
|
|
|
tests:
|
|
|
|
bin_op: or
|
|
|
|
bin_op: or
|
|
|
|
test_items:
|
|
|
|
test_items:
|
|
|
|
- jsonpath: "{.rotateCertificates}"
|
|
|
|
- path: "{.rotateCertificates}"
|
|
|
|
set: false
|
|
|
|
set: false
|
|
|
|
- jsonpath: "{.rotateCertificates}"
|
|
|
|
- path: "{.rotateCertificates}"
|
|
|
|
compare:
|
|
|
|
compare:
|
|
|
|
op: noteq
|
|
|
|
op: noteq
|
|
|
|
value: "false"
|
|
|
|
value: "false"
|
|
|
@ -293,7 +293,7 @@ groups:
|
|
|
|
audit: "cat $kubeletconf"
|
|
|
|
audit: "cat $kubeletconf"
|
|
|
|
tests:
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
test_items:
|
|
|
|
- jsonpath: "{.featureGates.RotateKubeletServerCertificate}"
|
|
|
|
- path: "{.featureGates.RotateKubeletServerCertificate}"
|
|
|
|
compare:
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
op: eq
|
|
|
|
value: true
|
|
|
|
value: true
|
|
|
@ -312,7 +312,7 @@ groups:
|
|
|
|
audit: "cat $kubeletconf"
|
|
|
|
audit: "cat $kubeletconf"
|
|
|
|
tests:
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
test_items:
|
|
|
|
- jsonpath: "{.tlsCipherSuites}"
|
|
|
|
- path: "{.tlsCipherSuites}"
|
|
|
|
compare:
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
op: eq
|
|
|
|
value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
|
|
|
|
value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
|
|
|
|