mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-24 07:28:06 +00:00

Merge branch 'master' into print-actual-result-of-failed-tests

Liz Rice 2019-05-17 14:49:21 +01:00 committed by GitHub
commit 9f9514d8c6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 7 additions and 29 deletions


@ -9,10 +9,6 @@ node:
- "/var/lib/kubelet/kubeconfig" - "/var/lib/kubelet/kubeconfig"
kubelet: kubelet:
bins:
- "hyperkube kubelet"
- "kubelet"
defaultconf: "/etc/kubernetes/kubelet/kubelet-config.json"
defaultsvc: "/etc/systemd/system/kubelet.service" defaultsvc: "/etc/systemd/system/kubelet.service"
defaultkubeconfig: "/var/lib/kubelet/kubeconfig" defaultkubeconfig: "/var/lib/kubelet/kubeconfig"


@ -31,11 +31,3 @@ master:
- /etc/kubernetes/manifests/etcd.yaml - /etc/kubernetes/manifests/etcd.yaml
- /etc/kubernetes/manifests/etcd.manifest - /etc/kubernetes/manifests/etcd.manifest
defaultconf: /etc/kubernetes/manifests/etcd.yaml defaultconf: /etc/kubernetes/manifests/etcd.yaml
node:
kubelet:
defaultconf: /etc/kubernetes/kubelet.conf
defaultsvc: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
proxy:
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml


@ -31,11 +31,3 @@ master:
- /etc/kubernetes/manifests/etcd.yaml - /etc/kubernetes/manifests/etcd.yaml
- /etc/kubernetes/manifests/etcd.manifest - /etc/kubernetes/manifests/etcd.manifest
defaultconf: /etc/kubernetes/manifests/etcd.yaml defaultconf: /etc/kubernetes/manifests/etcd.yaml
node:
kubelet:
defaultconf: /etc/kubernetes/kubelet.conf
defaultsvc: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
proxy:
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml


@ -220,12 +220,15 @@ groups:
text: "Ensure that the admission control plugin NamespaceLifecycle is set (Scored)" text: "Ensure that the admission control plugin NamespaceLifecycle is set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "--disable-admission-plugins" - flag: "--disable-admission-plugins"
compare: compare:
op: nothave op: nothave
value: "NamespaceLifecycle" value: "NamespaceLifecycle"
set: true set: true
- flag: "--disable-admission-plugins"
set: false
remediation: | remediation: |
Edit the API server pod specification file $apiserverconf Edit the API server pod specification file $apiserverconf
on the master node and set the --disable-admission-plugins parameter to on the master node and set the --disable-admission-plugins parameter to
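Review bot: The added second test item (`flag: "--disable-admission-plugins"` with `set: false`) together with `bin_op: or` makes this check pass whenever the flag is absent, which is only correct while NamespaceLifecycle stays in the API server's default-enabled admission plugins. If the Kubernetes versions this file targets still accept the deprecated `--admission-control` list, an API server started with that list and without NamespaceLifecycle would apparently pass here. That is inferred from the visible lines only, since the check begins before the hunk and its remediation text continues past it. I would record the assumption in a comment above the new item, `# flag absent: relies on NamespaceLifecycle being enabled by default`, and consider whether the audit should also inspect the legacy flag.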


@ -31,12 +31,3 @@ master:
- /etc/kubernetes/manifests/etcd.yaml - /etc/kubernetes/manifests/etcd.yaml
- /etc/kubernetes/manifests/etcd.manifest - /etc/kubernetes/manifests/etcd.manifest
defaultconf: /etc/kubernetes/manifests/etcd.yaml defaultconf: /etc/kubernetes/manifests/etcd.yaml
node:
kubelet:
defaultconf: /var/lib/kubelet/config.yaml
defaultsvc: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
defaultkubeconfig: /etc/kubernetes/kubelet.conf
proxy:
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml


@ -81,6 +81,9 @@ node:
bins: bins:
- "hyperkube kubelet" - "hyperkube kubelet"
- "kubelet" - "kubelet"
confs:
- "/var/lib/kubelet/config.yaml"
- "/etc/kubernetes/kubelet/kubelet-config.json"
defaultconf: "/var/lib/kubelet/config.yaml" defaultconf: "/var/lib/kubelet/config.yaml"
defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
defaultkubeconfig: "/etc/kubernetes/kubelet.conf" defaultkubeconfig: "/etc/kubernetes/kubelet.conf"
@ -93,6 +96,7 @@ node:
confs: confs:
- /etc/kubernetes/proxy - /etc/kubernetes/proxy
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml - /etc/kubernetes/addons/kube-proxy-daemonset.yaml
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
defaultkubeconfig: "/etc/kubernetes/proxy.conf" defaultkubeconfig: "/etc/kubernetes/proxy.conf"
federated: federated:
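Review bot: The new kubelet `confs` list puts `/var/lib/kubelet/config.yaml` ahead of `/etc/kubernetes/kubelet/kubelet-config.json`, so on a node where both files exist the config-file checks would presumably run against the first one only, even if the running kubelet was started with `--config` pointing at the second. That ordering behaviour is inferred, because the lookup code is not on this page. A comment above the list such as `# searched in order; the first existing file is the one audited` would make the precedence explicit. In the second hunk the added proxy `defaultconf` is unquoted while the neighbouring `defaultkubeconfig` is quoted, which is worth making consistent.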