
Corrections to config file substitutions. Use “kubernetes” as a fake component name so we can more easily substitute “kubernetesconf”

This commit is contained in:
Liz Rice 2017-08-31 17:39:40 +01:00
parent e4a89123e0
commit a6036bcfcf
3 changed files with 19 additions and 14 deletions


@ -14,8 +14,7 @@ master:
- controllermanager - controllermanager
- etcd - etcd
- flanneld - flanneld
# kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the # kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
# benchmark but is believed to now be obselete
- kubernetes - kubernetes
kubernetes: kubernetes:
@ -74,6 +73,11 @@ node:
components: components:
- kubelet - kubelet
- proxy - proxy
# kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
- kubernetes
kubernetes:
defaultconf: /etc/kubernetes/config
kubelet: kubelet:
bins: bins:
@ -82,6 +86,7 @@ node:
confs: confs:
- /etc/kubernetes/kubelet.conf - /etc/kubernetes/kubelet.conf
- /etc/kubernetes/kubelet - /etc/kubernetes/kubelet
defaultconf: "/etc/kubernetes/kubelet.conf"
proxy: proxy:
bins: bins:
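Review bot: The two `defaultconf` values added here use different scalar styles: `defaultconf: /etc/kubernetes/config` under the node `kubernetes` component is plain, while `defaultconf: "/etc/kubernetes/kubelet.conf"` under `kubelet` is double-quoted. Neither path needs quoting, but the file should settle on one form; `defaultconf: "/etc/kubernetes/config"` would match the second. The new comment above `- kubernetes` in the node section also runs well past the width of the master-side comment it copies and could be shortened to `# kubernetes covers /etc/kubernetes/config, which the benchmark refers to`. Note that the first hunk's header counts (-14,8 +14,7) do not match the lines shown, so this rendering may have dropped a line.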


@ -636,7 +636,7 @@ groups:
- id: 1.4.3 - id: 1.4.3
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'" audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %a $kubernetesconf; fi'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -656,12 +656,12 @@ groups:
value: "600" value: "600"
set: true set: true
remediation: "Run the below command (based on the file location on your system) on the master node. remediation: "Run the below command (based on the file location on your system) on the master node.
\nFor example, chmod 644 $config" \nFor example, chmod 644 $kubernetesconf"
scored: true scored: true
- id: 1.4.4 - id: 1.4.4
text: "Ensure that the config file ownership is set to root:root (Scored)" text: "Ensure that the config file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'" audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %U:%G $kubernetesconf; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -670,7 +670,7 @@ groups:
value: "root:root" value: "root:root"
set: true set: true
remediation: "Run the below command (based on the file location on your system) on the master node. remediation: "Run the below command (based on the file location on your system) on the master node.
\nFor example, chown root:root $config" \nFor example, chown root:root $kubernetesconf"
scored: true scored: true
- id: 1.4.5 - id: 1.4.5
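Review bot: The `$kubernetesconf` token in the 1.4.3 and 1.4.4 `audit` strings stays unquoted inside the `sh -c` script, so if the token is not replaced before execution the shell sees an empty variable, `test -e` with no operand succeeds, and `stat` runs with no path; a path containing whitespace would also be split. Quoting both occurrences keeps the existence guard meaningful: `audit: "/bin/sh -c 'if test -e \"$kubernetesconf\"; then stat -c %a \"$kubernetesconf\"; fi'"` (and the same with `%U:%G` for 1.4.4). The identical pattern appears in 2.2.1 and 2.2.2 of the node checks file in this commit. Whether kube-bench performs a textual replacement of the token before running the command is not visible on this page; if it does, the quoting is still harmless and protects the whitespace case.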


@ -17,7 +17,7 @@ groups:
op: eq op: eq
value: false value: false
set: true set: true
remediation: "Edit the $config file on each node and set the KUBE_ALLOW_PRIV remediation: "Edit the $kubeletconf file on each node and set the KUBE_ALLOW_PRIV
parameter to \"--allow-privileged=false\"" parameter to \"--allow-privileged=false\""
scored: true scored: true
@ -199,7 +199,7 @@ groups:
op: eq op: eq
value: true value: true
set: true set: true
remediation: "Edit the /etc/kubernetes/kubelet file on each node and set the KUBELET_ARGS parameter remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter
to a value to include \"--feature-gates=RotateKubeletClientCertificate=true\"." to a value to include \"--feature-gates=RotateKubeletClientCertificate=true\"."
scored: true scored: true
@ -213,7 +213,7 @@ groups:
op: eq op: eq
value: true value: true
set: true set: true
remediation: "Edit the /etc/kubernetes/kubelet file on each node and set the KUBELET_ARGS parameter remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter
to a value to include \"--feature-gates=RotateKubeletServerCertificate=true\"." to a value to include \"--feature-gates=RotateKubeletServerCertificate=true\"."
scored: true scored: true
@ -222,7 +222,7 @@ groups:
checks: checks:
- id: 2.2.1 - id: 2.2.1
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'" audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %a $kubernetesconf; fi'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -242,12 +242,12 @@ groups:
value: "600" value: "600"
set: true set: true
remediation: "Run the below command (based on the file location on your system) on the each worker node. remediation: "Run the below command (based on the file location on your system) on the each worker node.
\nFor example, chmod 644 $config" \nFor example, chmod 644 $kubernetesconf"
scored: true scored: true
- id: 2.2.2 - id: 2.2.2
text: "Ensure that the config file ownership is set to root:root (Scored)" text: "Ensure that the config file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'" audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %U:%G $kubernetesconf; fi'"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -256,7 +256,7 @@ groups:
value: root:root value: root:root
set: true set: true
remediation: "Run the below command (based on the file location on your system) on the each worker node. remediation: "Run the below command (based on the file location on your system) on the each worker node.
\nFor example, chown root:root $config" \nFor example, chown root:root $kubernetesconf"
scored: true scored: true
- id: 2.2.3 - id: 2.2.3
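Review bot: In the 2.1.1 remediation the `$config` placeholder becomes `$kubeletconf`, while the other `$config` references in this file (2.2.1 and 2.2.2) become `$kubernetesconf`. KUBE_ALLOW_PRIV is conventionally defined in the shared /etc/kubernetes/config rather than in the kubelet's own file, so if that is the layout this check targets, the line should probably read `remediation: "Edit the $kubernetesconf file on each node and set the KUBE_ALLOW_PRIV` — worth confirming against the benchmark text before merging. The two KUBELET_ARGS remediations at @ -199 and @ -213 look consistent, since the text they replace named /etc/kubernetes/kubelet, which is listed under the kubelet `confs` in the config file of this commit.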