arno
/
kube-bench
mirror of https://github.com/aquasecurity/kube-bench.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'master' into features/autodetect-nodetype

Browse Source
pull/238/head
Liz Rice 5 years ago committed by GitHub
parent 5baf81a70a c4c0d911d4
commit 9246be924d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 2111 additions and 83 deletions
Show Stats Download Patch File Download Diff File

52
cfg/1.11/node.yaml
Unescape View File

@ -19,7 +19,7 @@ groups:
value: false value: false
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--allow-privileged=false --allow-privileged=false
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -41,7 +41,7 @@ groups:
If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
false . false .
If using executable arguments, edit the kubelet service file If using executable arguments, edit the kubelet service file
$kubeletconf on each worker node and $kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false --anonymous-auth=false
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -62,7 +62,7 @@ groups:
remediation: | remediation: |
If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
If using executable arguments, edit the kubelet service file If using executable arguments, edit the kubelet service file
$kubeletconf on each worker node and $kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable. set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook --authorization-mode=Webhook
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -81,7 +81,7 @@ groups:
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
the location of the client CA file. the location of the client CA file.
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
$kubeletconf on each worker node and $kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable. set the below parameter in KUBELET_AUTHZ_ARGS variable.
--client-ca-file=<path/to/client-ca-file> --client-ca-file=<path/to/client-ca-file>
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -102,7 +102,7 @@ groups:
remediation: | remediation: |
If using a Kubelet config file, edit the file to set readOnlyPort to 0 . If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
$kubeletconf on each worker node and $kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0 --read-only-port=0
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -124,7 +124,7 @@ groups:
If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
value other than 0. value other than 0.
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
$kubeletconf on each worker node and $kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--streaming-connection-idle-timeout=5m --streaming-connection-idle-timeout=5m
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -145,7 +145,7 @@ groups:
remediation: | remediation: |
If using a Kubelet config file, edit the file to set protectKernelDefaults: true . If using a Kubelet config file, edit the file to set protectKernelDefaults: true .
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
$kubeletconf on each worker node and $kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true --protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -169,7 +169,7 @@ groups:
remediation: | remediation: |
If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true . If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
$kubeletconf on each worker node and $kubeletsvc on each worker node and
remove the --make-iptables-util-chains argument from the remove the --make-iptables-util-chains argument from the
KUBELET_SYSTEM_PODS_ARGS variable. KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -185,7 +185,7 @@ groups:
- flag: "--hostname-override" - flag: "--hostname-override"
set: false set: false
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and remove the --hostname-override argument from the on each worker node and remove the --hostname-override argument from the
KUBELET_SYSTEM_PODS_ARGS variable. KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -206,7 +206,7 @@ groups:
remediation: | remediation: |
If using a Kubelet config file, edit the file to set eventRecordQPS: 0 . If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
$kubeletconf on each worker node and $kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--event-qps=0 --event-qps=0
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -229,7 +229,7 @@ groups:
file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
corresponding private key file. corresponding private key file.
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
$kubeletconf on each worker node and $kubeletsvc on each worker node and
set the below parameters in KUBELET_CERTIFICATE_ARGS variable. set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
--tls-cert-file=<path/to/tls-certificate-file> --tls-cert-file=<path/to/tls-certificate-file>
file=<path/to/tls-key-file> file=<path/to/tls-key-file>
@ -252,7 +252,7 @@ groups:
- flag: "--cadvisor-port" - flag: "--cadvisor-port"
set: false set: false
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable. on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
--cadvisor-port=0 --cadvisor-port=0
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -272,7 +272,7 @@ groups:
set: true set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to add the line rotateCertificates: true. If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
If using command line arguments, edit the kubelet service file $kubeletconf If using command line arguments, edit the kubelet service file $kubeletsvc
on each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable. on each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable.
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
@ -290,7 +290,7 @@ groups:
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
--feature-gates=RotateKubeletServerCertificate=true --feature-gates=RotateKubeletServerCertificate=true
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -320,7 +320,7 @@ groups:
- id: 2.2.1 - id: 2.2.1
text: "Ensure that the kubelet.conf file permissions are set to 644 or text: "Ensure that the kubelet.conf file permissions are set to 644 or
more restrictive (Scored)" more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -342,12 +342,12 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chmod 644 $kubeletconf chmod 644 $kubeletkubeconfig
scored: true scored: true
- id: 2.2.2 - id: 2.2.2
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)" text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -358,7 +358,7 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chown root:root $kubeletconf chown root:root $kubeletkubeconfig
scored: true scored: true
- id: 2.2.3 - id: 2.2.3
@ -404,7 +404,7 @@ groups:
- id: 2.2.5 - id: 2.2.5
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'" audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -426,12 +426,12 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chmod 644 $proxyconf chmod 644 $proxykubeconfig
scored: true scored: true
- id: 2.2.6 - id: 2.2.6
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)" text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'" audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -439,7 +439,7 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chown root:root $proxyconf chown root:root $proxykubeconfig
scored: true scored: true
- id: 2.2.7 - id: 2.2.7
@ -462,19 +462,19 @@ groups:
- id: 2.2.9 - id: 2.2.9
text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)" text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e /var/lib/kubelet/config.yaml; then stat -c %U:%G /var/lib/kubelet/config.yaml; fi'" audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
set: true set: true
remediation: | remediation: |
Run the following command (using the config file location identied in the Audit step) Run the following command (using the config file location identied in the Audit step)
chown root:root /etc/kubernetes/kubelet.conf chown root:root $kubeletconf
scored: true scored: true
- id: 2.2.10 - id: 2.2.10
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)" text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e /var/lib/kubelet/config.yaml; then stat -c %a /var/lib/kubelet/config.yaml; fi'" audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -495,5 +495,5 @@ groups:
set: true set: true
remediation: | remediation: |
Run the following command (using the config file location identied in the Audit step) Run the following command (using the config file location identied in the Audit step)
chmod 644 /var/lib/kubelet/config.yaml chmod 644 $kubeletconf
scored: true scored: true

29
cfg/1.13/config.yaml
Unescape View File

@ -0,0 +1,29 @@
---
## Controls Files.
# These are YAML files that hold all the details for running checks.
#
## Uncomment to use different control file paths.
# masterControls: ./cfg/master.yaml
# nodeControls: ./cfg/node.yaml
# federatedControls: ./cfg/federated.yaml
master:
apiserver:
defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml
scheduler:
defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
controllermanager:
defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
etcd:
defaultconf: /etc/kubernetes/manifests/etcd.yaml
node:
kubelet:
defaultconf: /etc/kubernetes/kubelet.conf
defaultsvc: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
proxy:
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml

1500
cfg/1.13/master.yaml
View File

File diff suppressed because it is too large Load Diff

480
cfg/1.13/node.yaml
Unescape View File

@ -0,0 +1,480 @@
---
controls:
version: 1.13
id: 2
text: "Worker Node Security Configuration"
type: "node"
groups:
- id: 2.1
text: "Kubelet"
checks:
- id: 2.1.1
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--anonymous-auth"
compare:
op: eq
value: false
set: true
remediation: |
If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
false .
If using executable arguments, edit the kubelet service file
$kubeletconf on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.2
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--authorization-mode"
compare:
op: nothave
value: "AlwaysAllow"
set: true
remediation: |
If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.3
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--client-ca-file"
set: true
remediation: |
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
the location of the client CA file.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--client-ca-file=<path/to/client-ca-file>
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.4
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--read-only-port"
compare:
op: eq
value: 0
set: true
remediation: |
If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.5
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--streaming-connection-idle-timeout"
compare:
op: noteq
value: 0
set: true
remediation: |
If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
value other than 0.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--streaming-connection-idle-timeout=5m
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.6
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--protect-kernel-defaults"
compare:
op: eq
value: true
set: true
remediation: |
If using a Kubelet config file, edit the file to set protectKernelDefaults: true .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.7
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
audit: "ps -fC $kubeletbin"
tests:
bin_op: or
test_items:
- flag: "--make-iptables-util-chains"
compare:
op: eq
value: true
set: true
- flag: "--make-iptables-util-chains"
set: false
remediation: |
If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
remove the --make-iptables-util-chains argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.8
text: "Ensure that the --hostname-override argument is not set (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--hostname-override"
set: false
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and remove the --hostname-override argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.9
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--event-qps"
compare:
op: eq
value: 0
set: true
remediation: |
If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--event-qps=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.10
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit: "ps -fC $kubeletbin"
tests:
bin_op: and
test_items:
- flag: "--tls-cert-file"
set: true
- flag: "--tls-private-key-file"
set: true
remediation: |
If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
corresponding private key file.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
--tls-cert-file=<path/to/tls-certificate-file>
file=<path/to/tls-key-file>
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.11
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
audit: "ps -fC $kubeletbin"
tests:
bin_op: or
test_items:
- flag: "--cadvisor-port"
compare:
op: eq
value: 0
set: true
- flag: "--cadvisor-port"
set: false
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
--cadvisor-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.12
text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--rotate-certificates"
compare:
op: eq
value: true
set: true
remediation: |
If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
If using command line arguments, edit the kubelet service file $kubeletsvc
on each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.13
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "RotateKubeletServerCertificate"
compare:
op: eq
value: true
set: true
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
--feature-gates=RotateKubeletServerCertificate=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.14
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--tls-cipher-suites"
compare:
op: eq
value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
set: true
remediation: |
If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
If using executable arguments, edit the kubelet service file $kubeletconf on each worker node and set the below parameter.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
scored: false
- id: 2.2
text: "Configuration Files"
checks:
- id: 2.2.1
text: "Ensure that the kubelet.conf file permissions are set to 644 or
more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 644 $kubeletkubeconfig
scored: true
- id: 2.2.2
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'"
tests:
test_items:
- flag: "root:root"
compare:
op: eq
value: root:root
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root $kubeletkubeconfig
scored: true
- id: 2.2.3
text: "Ensure that the kubelet service file permissions are set to 644 or
more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: 644
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 755 $kubeletsvc
scored: true
- id: 2.2.4
text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'"
tests:
test_items:
- flag: "root:root"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root $kubeletsvc
scored: true
- id: 2.2.5
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 644 $proxykubeconfig
scored: true
- id: 2.2.6
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'"
tests:
test_items:
- flag: "root:root"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root $proxykubeconfig
scored: true
- id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)"
type: manual
remediation: |
Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>
scored: true
- id: 2.2.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
type: manual
remediation: |
Run the following command to modify the ownership of the --client-ca-file .
chown root:root <filename>
scored: true
- id: 2.2.9
text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
tests:
test_items:
- flag: "root:root"
set: true
remediation: |
Run the following command (using the config file location identied in the Audit step)
chown root:root $kubeletconf
scored: true
- id: 2.2.10
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the following command (using the config file location identied in the Audit step)
chmod 644 $kubeletconf
scored: true

8
cfg/1.8/config.yaml
Unescape View File

@ -34,11 +34,9 @@ master:
node: node:
kubelet: kubelet:
confs: defaultconf: /var/lib/kubelet/config.yaml
- /etc/systemd/system/kubelet.service.d/10-kubeadm.conf defaultsvc: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
defaultconf: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf defaultkubeconfig: /etc/kubernetes/kubelet.conf
proxy: proxy:
confs:
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml

55
cfg/1.8/node.yaml
Unescape View File

@ -19,7 +19,7 @@ groups:
value: false value: false
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--allow-privileged=false --allow-privileged=false
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -38,7 +38,7 @@ groups:
value: false value: false
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false --anonymous-auth=false
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -57,7 +57,7 @@ groups:
value: "AlwaysAllow" value: "AlwaysAllow"
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable. on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook --authorization-mode=Webhook
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -73,7 +73,7 @@ groups:
- flag: "--client-ca-file" - flag: "--client-ca-file"
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable. on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable.
--client-ca-file=<path/to/client-ca-file> --client-ca-file=<path/to/client-ca-file>
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -92,7 +92,7 @@ groups:
value: 0 value: 0
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0 --read-only-port=0
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -111,7 +111,7 @@ groups:
value: 0 value: 0
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--streaming-connection-idle-timeout=5m --streaming-connection-idle-timeout=5m
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -130,7 +130,7 @@ groups:
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true --protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -150,7 +150,7 @@ groups:
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and remove the --make-iptables-util-chains argument from the on each worker node and remove the --make-iptables-util-chains argument from the
KUBELET_SYSTEM_PODS_ARGS variable. KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -169,7 +169,7 @@ groups:
value: false value: false
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--keep-terminated-pod-volumes=false --keep-terminated-pod-volumes=false
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -185,7 +185,7 @@ groups:
- flag: "--hostname-override" - flag: "--hostname-override"
set: false set: false
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and remove the --hostname-override argument from the on each worker node and remove the --hostname-override argument from the
KUBELET_SYSTEM_PODS_ARGS variable. KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -204,7 +204,7 @@ groups:
value: 0 value: 0
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--event-qps=0 --event-qps=0
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -223,8 +223,7 @@ groups:
set: true set: true
remediation: | remediation: |
Follow the Kubernetes documentation and set up the TLS connection on the Kubelet. Follow the Kubernetes documentation and set up the TLS connection on the Kubelet.
Then edit the kubelet service file /etc/systemd/system/kubelet.service.d/10- Then edit the kubelet service file $kubeletsvc on each worker node and set the below parameters in
kubeadm.conf on each worker node and set the below parameters in
KUBELET_CERTIFICATE_ARGS variable. KUBELET_CERTIFICATE_ARGS variable.
--tls-cert-file=<path/to/tls-certificate-file> --tls-cert-file=<path/to/tls-certificate-file>
file=<path/to/tls-key-file> file=<path/to/tls-key-file>
@ -245,7 +244,7 @@ groups:
value: 0 value: 0
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable. on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
--cadvisor-port=0 --cadvisor-port=0
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -264,7 +263,7 @@ groups:
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and remove the --feature- on each worker node and remove the --feature-
gates=RotateKubeletClientCertificate=false argument from the gates=RotateKubeletClientCertificate=false argument from the
KUBELET_CERTIFICATE_ARGS variable. KUBELET_CERTIFICATE_ARGS variable.
@ -284,7 +283,7 @@ groups:
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
--feature-gates=RotateKubeletServerCertificate=true --feature-gates=RotateKubeletServerCertificate=true
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
@ -298,7 +297,7 @@ groups:
- id: 2.2.1 - id: 2.2.1
text: "Ensure that the kubelet.conf file permissions are set to 644 or text: "Ensure that the kubelet.conf file permissions are set to 644 or
more restrictive (Scored)" more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -320,12 +319,12 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chmod 644 $kubeletconf chmod 644 $kubeletkubeconfig
scored: true scored: true
- id: 2.2.2 - id: 2.2.2
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)" text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -336,13 +335,13 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chown root:root /etc/kubernetes/kubelet.conf chown root:root $kubeletkubeconfig
scored: true scored: true
- id: 2.2.3 - id: 2.2.3
text: "Ensure that the kubelet service file permissions are set to 644 or text: "Ensure that the kubelet service file permissions are set to 644 or
more restrictive (Scored)" more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -364,12 +363,12 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chmod 755 $kubeletconf chmod 755 $kubeletsvc
scored: true scored: true
- id: 2.2.4 - id: 2.2.4
text: "2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)" text: "2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -377,13 +376,13 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chown root:root $kubeletconf chown root:root $kubeletsvc
scored: true scored: true
- id: 2.2.5 - id: 2.2.5
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more
restrictive (Scored)" restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'" audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -405,12 +404,12 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chmod 644 $proxyconf chmod 644 $proxykubeconfig
scored: true scored: true
- id: 2.2.6 - id: 2.2.6
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)" text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'" audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -418,7 +417,7 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chown root:root $proxyconf chown root:root $proxykubeconfig
scored: true scored: true
- id: 2.2.7 - id: 2.2.7

12
cfg/config.yaml
Unescape View File

@ -24,6 +24,7 @@ master:
bins: bins:
- "kube-apiserver" - "kube-apiserver"
- "hyperkube apiserver" - "hyperkube apiserver"
- "hyperkube kube-apiserver"
- "apiserver" - "apiserver"
confs: confs:
- /etc/kubernetes/apiserver.conf - /etc/kubernetes/apiserver.conf
@ -34,6 +35,7 @@ master:
bins: bins:
- "kube-scheduler" - "kube-scheduler"
- "hyperkube scheduler" - "hyperkube scheduler"
- "hyperkube kube-scheduler"
- "scheduler" - "scheduler"
confs: confs:
- /etc/kubernetes/scheduler.conf - /etc/kubernetes/scheduler.conf
@ -44,6 +46,7 @@ master:
bins: bins:
- "kube-controller-manager" - "kube-controller-manager"
- "hyperkube controller-manager" - "hyperkube controller-manager"
- "hyperkube kube-controller-manager"
- "controller-manager" - "controller-manager"
confs: confs:
- /etc/kubernetes/controller-manager.conf - /etc/kubernetes/controller-manager.conf
@ -78,10 +81,9 @@ node:
bins: bins:
- "hyperkube kubelet" - "hyperkube kubelet"
- "kubelet" - "kubelet"
confs: defaultconf: "/var/lib/kubelet/config.yaml"
- /etc/kubernetes/kubelet.conf defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
- /etc/kubernetes/kubelet defaultkubeconfig: "/etc/kubernetes/kubelet.conf"
defaultconf: "/etc/kubernetes/kubelet.conf"
proxy: proxy:
bins: bins:
@ -89,9 +91,9 @@ node:
- "hyperkube proxy" - "hyperkube proxy"
- "proxy" - "proxy"
confs: confs:
- /etc/kubernetes/proxy.conf
- /etc/kubernetes/proxy - /etc/kubernetes/proxy
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml - /etc/kubernetes/addons/kube-proxy-daemonset.yaml
defaultkubeconfig: "/etc/kubernetes/proxy.conf"
federated: federated:
components: components:

23
cfg/ocp-3.10/config.yaml
Unescape View File

@ -10,26 +10,13 @@
master: master:
apiserver: apiserver:
bins: bins:
- openshift start master api - hypershift openshift-kube-apiserver
defaultconf: /etc/origin/master/master-config.yaml
scheduler:
bins:
- openshift start master controllers
defaultconf: /etc/origin/master/master-config.yaml
controllermanager:
bins:
- openshift start master controllers
defaultconf: /etc/origin/master/master-config.yaml
etcd: etcd:
defaultconf: /etc/kubernetes/manifests/etcd.yaml bins:
- openshift start etcd
node: node:
kubelet:
defaultconf: /etc/kubernetes/kubelet.conf
defaultsvc: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
proxy: proxy:
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml bins:
- openshift start network

2
cfg/ocp-3.10/master.yaml
Unescape View File

@ -1043,7 +1043,7 @@ groups:
remediation: | remediation: |
On the etcd server node, get the etcd data directory, passed as an argument --data-dir , On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
from the below command: from the below command:
ps -ef | grep $etcdbin ps -ef | grep etcd
Run the below command (based on the etcd data directory found above). For example, Run the below command (based on the etcd data directory found above). For example,
chmod 700 /var/lib/etcd chmod 700 /var/lib/etcd
scored: true scored: true

2
cmd/common.go
Unescape View File

@ -51,12 +51,14 @@ func runChecks(nodetype check.NodeType) {
confmap := getConfigFiles(typeConf) confmap := getConfigFiles(typeConf)
svcmap := getServiceFiles(typeConf) svcmap := getServiceFiles(typeConf)
kubeconfmap := getKubeConfigFiles(typeConf)
// Variable substitutions. Replace all occurrences of variables in controls files. // Variable substitutions. Replace all occurrences of variables in controls files.
s := string(in) s := string(in)
s = makeSubstitutions(s, "bin", binmap) s = makeSubstitutions(s, "bin", binmap)
s = makeSubstitutions(s, "conf", confmap) s = makeSubstitutions(s, "conf", confmap)
s = makeSubstitutions(s, "svc", svcmap) s = makeSubstitutions(s, "svc", svcmap)
s = makeSubstitutions(s, "kubeconfig", kubeconfmap)
controls, err := check.NewControls(nodetype, []byte(s)) controls, err := check.NewControls(nodetype, []byte(s))
if err != nil { if err != nil {

31
cmd/util.go
Unescape View File

@ -220,6 +220,37 @@ func getServiceFiles(v *viper.Viper) map[string]string {
return svcmap return svcmap
} }
// getKubeConfigFiles finds which of the set of candidate kubeconfig files exist
func getKubeConfigFiles(v *viper.Viper) map[string]string {
kubeconfigmap := make(map[string]string)
for _, component := range v.GetStringSlice("components") {
s := v.Sub(component)
if s == nil {
continue
}
// See if any of the candidate config files exist
kubeconfig := findConfigFile(s.GetStringSlice("kubeconfig"))
if kubeconfig == "" {
if s.IsSet("defaultkubeconfig") {
kubeconfig = s.GetString("defaultkubeconfig")
glog.V(2).Info(fmt.Sprintf("Using default kubeconfig file name '%s' for component %s", kubeconfig, component))
} else {
// Default the service file name that we'll substitute to the name of the component
glog.V(2).Info(fmt.Sprintf("Missing service file for %s", component))
kubeconfig = component
}
} else {
glog.V(2).Info(fmt.Sprintf("Component %s uses service file '%s'", component, kubeconfig))
}
kubeconfigmap[component] = kubeconfig
}
return kubeconfigmap
}
// verifyBin checks that the binary specified is running // verifyBin checks that the binary specified is running
func verifyBin(bin string) bool { func verifyBin(bin string) bool {

Write Preview
Loading…
Cancel
Save