mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-19 05:08:07 +00:00
Update kubernetes node benchmark to check kubelet systemd unitfile.
Also clean up the config file for 1.11 a bit.
This commit is contained in:
Abubakr-Sadik Nii Nai Davis
parent
ed21839464
commit
97623aea05
@ -9,39 +9,21 @@
|
|||||||
|
|
||||||
master:
|
master:
|
||||||
apiserver:
|
apiserver:
|
||||||
confs:
|
|
||||||
- /etc/kubernetes/manifests/kube-apiserver.yaml
|
|
||||||
- /etc/kubernetes/manifests/kube-apiserver.manifest
|
|
||||||
defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml
|
defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml
|
||||||
|
|
||||||
scheduler:
|
scheduler:
|
||||||
confs:
|
|
||||||
- /etc/kubernetes/manifests/kube-scheduler.yaml
|
|
||||||
- /etc/kubernetes/manifests/kube-scheduler.manifest
|
|
||||||
defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
|
defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
|
||||||
|
|
||||||
controllermanager:
|
controllermanager:
|
||||||
confs:
|
|
||||||
- /etc/kubernetes/manifests/kube-controller-manager.yaml
|
|
||||||
- /etc/kubernetes/manifests/kube-controller-manager.manifest
|
|
||||||
defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
|
defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
|
||||||
|
|
||||||
etcd:
|
etcd:
|
||||||
confs:
|
|
||||||
- /etc/kubernetes/manifests/etcd.yaml
|
|
||||||
- /etc/kubernetes/manifests/etcd.manifest
|
|
||||||
defaultconf: /etc/kubernetes/manifests/etcd.yaml
|
defaultconf: /etc/kubernetes/manifests/etcd.yaml
|
||||||
|
|
||||||
node:
|
node:
|
||||||
kubelet:
|
kubelet:
|
||||||
confs:
|
defaultconf: /etc/kubernetes/kubelet.conf
|
||||||
- /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
|
defaultsvc: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
|
||||||
- /etc/kubernetes/kubelet.conf
|
|
||||||
defaultconf: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
|
|
||||||
|
|
||||||
proxy:
|
proxy:
|
||||||
confs:
|
|
||||||
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
|
||||||
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -362,7 +362,7 @@ groups:
|
|||||||
- id: 2.2.3
|
- id: 2.2.3
|
||||||
text: "Ensure that the kubelet service file permissions are set to 644 or
|
text: "Ensure that the kubelet service file permissions are set to 644 or
|
||||||
more restrictive (Scored)"
|
more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
|
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
@ -384,12 +384,12 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
chmod 755 $kubeletconf
|
chmod 755 $kubeletsvc
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.4
|
- id: 2.2.4
|
||||||
text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
|
text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
|
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
@ -397,7 +397,7 @@ groups:
|
|||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
chown root:root $kubeletconf
|
chown root:root $kubeletsvc
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.5
|
- id: 2.2.5
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user