
Update gke-1.0 (#873)

* Create controlplane.yaml

* Update and tidy yaml

* Update and tidy yaml

* Update and tidy yaml
This commit is contained in:
Yoav Rotem 2021-05-18 16:37:55 +03:00 committed by GitHub
parent e4d9455820
commit 9820da9579
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 19 additions and 83 deletions


@ -20,6 +20,7 @@ groups:
- id: 3.2 - id: 3.2
text: "Logging" text: "Logging"
type: skip
checks: checks:
- id: 3.2.1 - id: 3.2.1
text: "Ensure that a minimal audit policy is created (Not Scored)" text: "Ensure that a minimal audit policy is created (Not Scored)"
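Review bot: The group-level `type: skip` added under 3.2 carries no explanation, so neither a reader of this file nor a consumer of the report can tell whether the Logging group is skipped because it is not assessable on GKE or because nobody implemented it. If kube-bench propagates a group's skip to each of its checks, every control in 3.2 will surface only as a generic skipped INFO row. A one-line comment above the new line would record the rationale, e.g. `# Control-plane audit logging is Google-managed on GKE and cannot be audited from a node.` The group's checks continue outside the hunk.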


@ -7,6 +7,7 @@ type: "etcd"
groups: groups:
- id: 2 - id: 2
text: "Etcd Node Configuration Files" text: "Etcd Node Configuration Files"
type: skip
checks: checks:
- id: 2.1 - id: 2.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Not Scored)" text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Not Scored)"
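Review bot: `type: skip` now disables every check in group 2, so the etcd TLS and authentication controls (2.1 is the first one visible) will never be evaluated by this benchmark, yet nothing in the file records why. Because GKE does not expose etcd to cluster operators this is presumably correct, but the reason belongs next to the switch: `# etcd is fully Google-managed on GKE; its configuration is not reachable from any node, so this group is skipped.` Consider also stating in the group `text` that the group is not assessable on GKE, so report consumers do not read the skipped rows as coverage. The rest of group 2 lies outside the hunk.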


@ -7,6 +7,7 @@ type: "master"
groups: groups:
- id: 1.1 - id: 1.1
text: "Master Node Configuration Files " text: "Master Node Configuration Files "
type: skip
checks: checks:
- id: 1.1.1 - id: 1.1.1
text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Not Scored)" text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Not Scored)"
@ -115,6 +116,7 @@ groups:
- id: 1.2 - id: 1.2
text: "API Server" text: "API Server"
type: skip
checks: checks:
- id: 1.2.1 - id: 1.2.1
text: "Ensure that the --anonymous-auth argument is set to false (Not Scored)" text: "Ensure that the --anonymous-auth argument is set to false (Not Scored)"
@ -298,6 +300,7 @@ groups:
- id: 1.3 - id: 1.3
text: "Controller Manager" text: "Controller Manager"
type: skip
checks: checks:
- id: 1.3.1 - id: 1.3.1
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored)" text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored)"
@ -336,6 +339,7 @@ groups:
- id: 1.4 - id: 1.4
text: "Scheduler" text: "Scheduler"
type: skip
checks: checks:
- id: 1.4.1 - id: 1.4.1
text: "Ensure that the --profiling argument is set to false (Not Scored)" text: "Ensure that the --profiling argument is set to false (Not Scored)"
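Review bot: Four groups (1.1–1.4) are switched to `type: skip` without any recorded rationale, and group 1.1's `text` still carries a stray trailing space inside the quotes, `"Master Node Configuration Files "`, on the line immediately above the new one. Suggest `text: "Master Node Configuration Files"` and a comment above each new `type: skip`, e.g. `# Managed control plane: API server, controller manager and scheduler are not accessible from GKE nodes.` If kube-bench propagates a group-level skip to every check, operators will see only generic skip INFO rows for all of section 1, so the file is the only place the reason will appear. Each group's checks extend beyond the visible hunks.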


@ -10,55 +10,25 @@ groups:
checks: checks:
- id: 4.1.1 - id: 4.1.1
text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Not Scored)" text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Not Scored)"
type: skip
remediation: "This control cannot be modified in GKE." remediation: "This control cannot be modified in GKE."
scored: false scored: false
- id: 4.1.2 - id: 4.1.2
text: "Ensure that the kubelet service file ownership is set to root:root (Not Scored)" text: "Ensure that the kubelet service file ownership is set to root:root (Not Scored)"
type: skip
remediation: "This control cannot be modified in GKE." remediation: "This control cannot be modified in GKE."
scored: false scored: false
- id: 4.1.3 - id: 4.1.3
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' ' audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
tests: tests:
test_items: test_items:
- flag: "644" - flag: "permissions"
compare: compare:
op: eq op: bitmask
value: "644" value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
bin_op: or
remediation: | remediation: |
Run the below command (based on the file location on your system) on each worker node. Run the below command (based on the file location on your system) on each worker node.
For example, For example,
@ -71,7 +41,6 @@ groups:
tests: tests:
test_items: test_items:
- flag: root:root - flag: root:root
set: true
remediation: | remediation: |
Run the below command (based on the file location on your system) on each worker node. Run the below command (based on the file location on your system) on each worker node.
For example, chown root:root $proxykubeconfig For example, chown root:root $proxykubeconfig
@ -79,65 +48,38 @@ groups:
- id: 4.1.5 - id: 4.1.5
text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Not Scored)" text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Not Scored)"
type: skip
remediation: "This control cannot be modified in GKE." remediation: "This control cannot be modified in GKE."
scored: false scored: false
- id: 4.1.6 - id: 4.1.6
text: "Ensure that the kubelet.conf file ownership is set to root:root (Not Scored)" text: "Ensure that the kubelet.conf file ownership is set to root:root (Not Scored)"
type: skip
remediation: "This control cannot be modified in GKE." remediation: "This control cannot be modified in GKE."
scored: false scored: false
- id: 4.1.7 - id: 4.1.7
text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Not Scored)" text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Not Scored)"
type: skip
remediation: "This control cannot be modified in GKE." remediation: "This control cannot be modified in GKE."
scored: false scored: false
- id: 4.1.8 - id: 4.1.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Not Scored)" text: "Ensure that the client certificate authorities file ownership is set to root:root (Not Scored)"
type: skip
remediation: "This control cannot be modified in GKE." remediation: "This control cannot be modified in GKE."
scored: false scored: false
- id: 4.1.9 - id: 4.1.9
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)" text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' ' audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
tests: tests:
test_items: test_items:
- flag: "644" - flag: "permissions"
set: true set: true
compare: compare:
op: eq op: eq
value: "644" value: "644"
- flag: "640"
set: true
compare:
op: eq
value: "640"
- flag: "600"
set: true
compare:
op: eq
value: "600"
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
bin_op: or
remediation: | remediation: |
Run the following command (using the config file location identified in the Audit step) Run the following command (using the config file location identified in the Audit step)
chmod 644 $kubeletconf chmod 644 $kubeletconf
@ -149,7 +91,6 @@ groups:
tests: tests:
test_items: test_items:
- flag: root:root - flag: root:root
set: true
remediation: | remediation: |
Run the following command (using the config file location identified in the Audit step) Run the following command (using the config file location identified in the Audit step)
chown root:root $kubeletconf chown root:root $kubeletconf
@ -166,7 +107,6 @@ groups:
test_items: test_items:
- flag: "--anonymous-auth" - flag: "--anonymous-auth"
path: '{.authentication.anonymous.enabled}' path: '{.authentication.anonymous.enabled}'
set: true
compare: compare:
op: eq op: eq
value: false value: false
@ -190,7 +130,6 @@ groups:
test_items: test_items:
- flag: --authorization-mode - flag: --authorization-mode
path: '{.authorization.mode}' path: '{.authorization.mode}'
set: true
compare: compare:
op: nothave op: nothave
value: AlwaysAllow value: AlwaysAllow
@ -234,7 +173,6 @@ groups:
test_items: test_items:
- flag: "--read-only-port" - flag: "--read-only-port"
path: '{.readOnlyPort}' path: '{.readOnlyPort}'
set: true
compare: compare:
op: eq op: eq
value: 0 value: 0
@ -257,7 +195,6 @@ groups:
test_items: test_items:
- flag: --streaming-connection-idle-timeout - flag: --streaming-connection-idle-timeout
path: '{.streamingConnectionIdleTimeout}' path: '{.streamingConnectionIdleTimeout}'
set: true
compare: compare:
op: noteq op: noteq
value: 0 value: 0
@ -285,7 +222,6 @@ groups:
test_items: test_items:
- flag: --protect-kernel-defaults - flag: --protect-kernel-defaults
path: '{.protectKernelDefaults}' path: '{.protectKernelDefaults}'
set: true
compare: compare:
op: eq op: eq
value: true value: true
@ -308,7 +244,6 @@ groups:
test_items: test_items:
- flag: --make-iptables-util-chains - flag: --make-iptables-util-chains
path: '{.makeIPTablesUtilChains}' path: '{.makeIPTablesUtilChains}'
set: true
compare: compare:
op: eq op: eq
value: true value: true
@ -329,9 +264,6 @@ groups:
- id: 4.2.8 - id: 4.2.8
text: "Ensure that the --hostname-override argument is not set (Scored)" text: "Ensure that the --hostname-override argument is not set (Scored)"
# This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
audit: "/bin/ps -fC $kubeletbin " audit: "/bin/ps -fC $kubeletbin "
tests: tests:
test_items: test_items:
@ -373,13 +305,12 @@ groups:
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
bin_op: and
test_items: test_items:
- flag: --tls-cert-file - flag: --tls-cert-file
path: '{.tlsCertFile}' path: '{.tlsCertFile}'
set: true
- flag: --tls-private-key-file - flag: --tls-private-key-file
path: '{.tlsPrivateKeyFile}' path: '{.tlsPrivateKeyFile}'
set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to set tlsCertFile to the location If using a Kubelet config file, edit the file to set tlsCertFile to the location
of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile
@ -402,7 +333,6 @@ groups:
test_items: test_items:
- flag: --rotate-certificates - flag: --rotate-certificates
path: '{.rotateCertificates}' path: '{.rotateCertificates}'
set: true
compare: compare:
op: eq op: eq
value: true value: true
@ -430,7 +360,6 @@ groups:
test_items: test_items:
- flag: RotateKubeletServerCertificate - flag: RotateKubeletServerCertificate
path: '{.featureGates.RotateKubeletServerCertificate}' path: '{.featureGates.RotateKubeletServerCertificate}'
set: true
compare: compare:
op: eq op: eq
value: true value: true
@ -445,5 +374,6 @@ groups:
- id: 4.2.13 - id: 4.2.13
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)" text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
type: skip
remediation: "This control cannot be modified in GKE." remediation: "This control cannot be modified in GKE."
scored: false scored: false
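Review bot: Check 4.1.9 (kubelet configuration file permissions) keeps `op: eq` with `value: "644"` after the seven alternative modes were collapsed into one `permissions` flag, so a kubelet config at 600 or 400 — stricter than the control asks — now reports FAIL and 644 becomes the only passing mode; this regresses the removed `or` list and is inconsistent with 4.1.3 in the same file, which correctly uses `op: bitmask`. Change the compare on the `permissions` test item of 4.1.9 to `op: bitmask` so any mode whose bits are a subset of 0644 passes, as the title "644 or more restrictive" requires. The `set: true` left on that test item is redundant if, as the removals elsewhere in this commit assume, `set` defaults to true, and could be dropped for consistency. Separately, the three-line comment explaining why 4.2.8 must be checked from the kubelet command line rather than the config file was deleted although that reasoning still applies; retaining it as a comment above the `audit` line would help the next maintainer. The 4.1.9 check is fully visible in its hunk, but the group headers for 4.1 and 4.2 lie outside the page.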