mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-22 08:08:07 +00:00

Fix 4.1.9, skip irremediable checks, add /home/kubernetes mount (#976)

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
Nick Keenan 2021-08-30 06:33:59 -06:00 committed by GitHub
parent ed484cae83
commit 946a48ca74
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 18 additions and 79 deletions

View File

@ -78,7 +78,7 @@ groups:
- flag: "permissions" - flag: "permissions"
set: true set: true
compare: compare:
op: eq op: bitmask
value: "644" value: "644"
remediation: | remediation: |
Run the following command (using the config file location identified in the Audit step) Run the following command (using the config file location identified in the Audit step)
@ -167,24 +167,8 @@ groups:
- id: 4.2.4 - id: 4.2.4
text: "Ensure that the --read-only-port argument is set to 0 (Scored)" text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
audit: "/bin/ps -fC $kubeletbin" type: skip
audit_config: "/bin/cat $kubeletconf" remediation: "This control cannot be modified in GKE."
tests:
test_items:
- flag: "--read-only-port"
path: '{.readOnlyPort}'
compare:
op: eq
value: 0
remediation: |
If using a Kubelet config file, edit the file to set readOnlyPort to 0.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true scored: true
- id: 4.2.5 - id: 4.2.5
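Review bot: with `type: skip` the `audit`, `audit_config` and `test_items` for 4.2.4 are gone, so the report will no longer show what `--read-only-port` is actually set to on a GKE node while the check stays `scored: true`; consider extending the one-line `remediation:` to say that GKE manages the kubelet configuration, so a reader sees why the result is skipped rather than only that it cannot be modified. Dropping the old remediation is consistent, since `$kubeletsvc` and `KUBELET_SYSTEM_PODS_ARGS` do not apply on managed nodes.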
@ -216,25 +200,8 @@ groups:
- id: 4.2.6 - id: 4.2.6
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
audit: "/bin/ps -fC $kubeletbin" type: skip
audit_config: "/bin/cat $kubeletconf" remediation: "This control cannot be modified in GKE."
tests:
test_items:
- flag: --protect-kernel-defaults
path: '{.protectKernelDefaults}'
compare:
op: eq
value: true
remediation: |
If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 4.2.7 - id: 4.2.7
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored) " text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored) "
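Review bot: the right-hand side of this hunk shows `scored: true` only once, just before `- id: 4.2.7`, while 4.2.4 in the previous hunk keeps it on both sides; please confirm the key survived the edit for 4.2.6 so the four skipped checks stay consistent and 4.2.6 is not reported differently from the others.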
@ -280,50 +247,13 @@ groups:
- id: 4.2.9 - id: 4.2.9
text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Scored)" text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Scored)"
audit: "/bin/ps -fC $kubeletbin" type: skip
audit_config: "/bin/cat $kubeletconf" remediation: "This control cannot be modified in GKE."
tests:
test_items:
- flag: --event-qps
path: '{.eventRecordQPS}'
set: true
compare:
op: eq
value: 0
remediation: |
If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 4.2.10 - id: 4.2.10
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit: "/bin/ps -fC $kubeletbin" type: skip
audit_config: "/bin/cat $kubeletconf" remediation: "This control cannot be modified in GKE."
tests:
bin_op: and
test_items:
- flag: --tls-cert-file
path: '{.tlsCertFile}'
- flag: --tls-private-key-file
path: '{.tlsPrivateKeyFile}'
remediation: |
If using a Kubelet config file, edit the file to set tlsCertFile to the location
of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile
to the location of the corresponding private key file.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
--tls-cert-file=<path/to/tls-certificate-file>
--tls-private-key-file=<path/to/tls-key-file>
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 4.2.11 - id: 4.2.11
text: "Ensure that the --rotate-certificates argument is not set to false (Scored)" text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
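Review bot: 4.2.9 and 4.2.10 are both switched to `type: skip` with the same one-line remediation; for 4.2.10 the removed test was a `bin_op: and` over `--tls-cert-file` and `--tls-private-key-file`, i.e. the evidence that the kubelet serves over TLS, so it would be worth adding a short note in the `text:` or `remediation:` that GKE provisions these certificates itself, otherwise the report shows a skip with no indication that TLS is in place. Minor: the identical remediation string is now repeated across four checks; a YAML anchor would keep the wording from drifting.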

View File

@ -14,10 +14,16 @@ spec:
volumeMounts: volumeMounts:
- name: var-lib-kubelet - name: var-lib-kubelet
mountPath: /var/lib/kubelet mountPath: /var/lib/kubelet
readOnly: true
- name: etc-systemd - name: etc-systemd
mountPath: /etc/systemd mountPath: /etc/systemd
readOnly: true
- name: etc-kubernetes - name: etc-kubernetes
mountPath: /etc/kubernetes mountPath: /etc/kubernetes
readOnly: true
- name: home-kubernetes
mountPath: /home/kubernetes
readOnly: true
restartPolicy: Never restartPolicy: Never
volumes: volumes:
- name: var-lib-kubelet - name: var-lib-kubelet
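Review bot: adding `readOnly: true` to the three existing hostPath mounts is a good least-privilege tightening, since the job only reads files; the new `home-kubernetes` mount, however, is added without any comment saying which files the checks read under `/home/kubernetes` (the commit title only says the mount is needed), so a one-line comment next to the mount would help anyone maintaining this job for other platforms.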
@ -29,3 +35,6 @@ spec:
- name: etc-kubernetes - name: etc-kubernetes
hostPath: hostPath:
path: "/etc/kubernetes" path: "/etc/kubernetes"
- name: home-kubernetes
hostPath:
path: "/home/kubernetes"
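Review bot: the new `home-kubernetes` hostPath sets no `type:`; with the default empty type the kubelet does not verify that `/home/kubernetes` exists on the node, so on a non-GKE node the job would start against a missing or empty directory instead of failing. Consider `type: Directory` so a missing path surfaces as a pod error, matching the other volumes if they are given the same treatment.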