From 97623aea05783a1995e4f9033ae0510344976f62 Mon Sep 17 00:00:00 2001 From: Abubakr-Sadik Nii Nai Davis Date: Tue, 23 Oct 2018 02:30:08 +0000 Subject: [PATCH] Update kubernetes node benchmark to check kubelet systemd unitfile. Also clean up the config file for 1.11 a bit. --- cfg/1.11/config.yaml | 22 ++-------------------- cfg/1.11/node.yaml | 8 ++++---- 2 files changed, 6 insertions(+), 24 deletions(-) diff --git a/cfg/1.11/config.yaml b/cfg/1.11/config.yaml index 43a26e3..1d51f6c 100644 --- a/cfg/1.11/config.yaml +++ b/cfg/1.11/config.yaml @@ -9,39 +9,21 @@ master: apiserver: - confs: - - /etc/kubernetes/manifests/kube-apiserver.yaml - - /etc/kubernetes/manifests/kube-apiserver.manifest defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml scheduler: - confs: - - /etc/kubernetes/manifests/kube-scheduler.yaml - - /etc/kubernetes/manifests/kube-scheduler.manifest defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml controllermanager: - confs: - - /etc/kubernetes/manifests/kube-controller-manager.yaml - - /etc/kubernetes/manifests/kube-controller-manager.manifest defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml etcd: - confs: - - /etc/kubernetes/manifests/etcd.yaml - - /etc/kubernetes/manifests/etcd.manifest defaultconf: /etc/kubernetes/manifests/etcd.yaml node: kubelet: - confs: - - /etc/systemd/system/kubelet.service.d/10-kubeadm.conf - - /etc/kubernetes/kubelet.conf - defaultconf: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf + defaultconf: /etc/kubernetes/kubelet.conf + defaultsvc: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf proxy: - confs: - - /etc/kubernetes/addons/kube-proxy-daemonset.yaml defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml - - diff --git a/cfg/1.11/node.yaml b/cfg/1.11/node.yaml index 1a61899..18e4876 100644 --- a/cfg/1.11/node.yaml +++ b/cfg/1.11/node.yaml 
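Review bot: With the `confs` alternates removed, `defaultsvc` becomes the only path the kubelet unit-file checks (2.2.3/2.2.4) will examine, and `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` is a kubeadm-specific drop-in that does not exist on nodes provisioned another way; because those audits guard with `test -e`, a wrong path produces empty output rather than an explicit missing-file error, and how the runner scores that is not visible here. A comment above the new key would tell operators what they must override: `# systemd unit or drop-in the kubelet is started from (checks 2.2.3/2.2.4); set per node on non-kubeadm installs`. Separately, `defaultconf` for the kubelet now points at the kubeconfig `/etc/kubernetes/kubelet.conf` instead of the unit drop-in, so any check elsewhere in node.yaml that still reads `$kubeletconf` (none appear in this diff) will now inspect the file holding the kubelet's client credentials rather than its service definition — presumably intended, but worth confirming with a grep of node.yaml before merging.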
@@ -362,7 +362,7 @@ groups: - id: 2.2.3 text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" + audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'" tests: bin_op: or test_items: @@ -384,12 +384,12 @@ groups: remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, - chmod 755 $kubeletconf + chmod 755 $kubeletsvc scored: true - id: 2.2.4 text: "Ensure that the kubelet service file ownership is set to root:root (Scored)" - audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" + audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'" tests: test_items: - flag: "root:root" @@ -397,7 +397,7 @@ groups: remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, - chown root:root $kubeletconf + chown root:root $kubeletsvc scored: true - id: 2.2.5
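Review bot: The new `$kubeletsvc` placeholder in the 2.2.3 audit is introduced with nothing in node.yaml saying where it is resolved from or how it differs from `$kubeletconf`; presumably it is substituted from `node.kubelet.defaultsvc` in the companion config.yaml change. A comment on the item would make that explicit, e.g. `# $kubeletsvc: kubelet systemd unit/drop-in, taken from node.kubelet.defaultsvc in cfg/1.11/config.yaml`. Note also that the `test -e` guard turns a mis-set path into empty audit output instead of a missing-file error, so whether an absent unit file is reported as FAIL depends on runner behaviour not visible here. The item's `test_items` list continues outside the hunk.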
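Review bot: The remediation for 2.2.3 still reads `chmod 755 $kubeletsvc`, which contradicts the item's own requirement of "644 or more restrictive" and would leave group/other execute bits on the unit file that a `stat -c %a` comparison against 644 (or anything stricter) cannot accept; it should read `chmod 644 $kubeletsvc`. The commit only swapped the variable name on that line, so the pre-existing mismatch survives into the new side. The accepted-mode list for this item is outside the hunk, so I cannot confirm exactly which values it allows, but 755 cannot be among a "644 or more restrictive" set.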