mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-25 01:18:12 +00:00

Fixed documentation errors (#450)

This commit is contained in:
michizhou 2019-10-25 14:58:41 -04:00 committed by Simarpreet Singh
parent bea820bdfe
commit b0abc74350


@ -4,9 +4,9 @@
representation of the CIS Kubernetes Benchmark checks. There is a representation of the CIS Kubernetes Benchmark checks. There is a
`controls` file per Kubernetes version and node type. `controls` file per Kubernetes version and node type.
`controls` for the various versions of Kubernetes can be found in directories `controls` for the various versions of kubernetes can be found in directories
with same name as the Kubernetes versions under `cfg/`, for example `cfg/1.12`. with same name as the kubernetes versions under `cfg/`, for example `cfg/1.12`.
`controls` are also organized by distribution under the `cfg` directory for `controls` are also organized by distribution under the `cfg` directory, for
example `cfg/ocp-3.10`. example `cfg/ocp-3.10`.
## Controls ## Controls
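Review bot: the right-hand side lowercases the proper noun in two places ("the various versions of kubernetes", "same name as the kubernetes versions") while the same hunk keeps "CIS Kubernetes Benchmark" capitalized; keep "Kubernetes" capitalized throughout, since this commit is meant to fix documentation errors rather than introduce an inconsistent spelling. The added comma in "under the `cfg` directory, for example `cfg/ocp-3.10`" is a good fix.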
@ -62,7 +62,7 @@ groups:
the `controls` components have an id and a text description which are displayed the `controls` components have an id and a text description which are displayed
in the `kube-bench` output. in the `kube-bench` output.
`type` specifies what Kubernetes node type a `controls` is for. Possible values `type` specifies what kubernetes node type a `controls` is for. Possible values
for `type` are `master` and `node`. for `type` are `master` and `node`.
## Groups ## Groups
@ -154,10 +154,10 @@ object. `tests` contain `bin_op` and `test_items`.
`test_items` specify the criteria(s) the `audit` command's output should meet to `test_items` specify the criteria(s) the `audit` command's output should meet to
pass a check. This criteria is made up of keywords extracted from the output of pass a check. This criteria is made up of keywords extracted from the output of
the `audit` command and operations that compare the these keywords against the `audit` command and operations that compare these keywords against
values expected by the CIS Kubernetes Benchmark. values expected by the CIS Kubernetes Benchmark.
The are two ways to extract keywords from the output of the `audit` command, There are two ways to extract keywords from the output of the `audit` command,
`flag` and `path`. `flag` and `path`.
`flag` is used when the keyword is a command line flag. The associated `audit` `flag` is used when the keyword is a command line flag. The associated `audit`
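Review bot: "the criteria(s)" and "This criteria is made up of" are still wrong after this hunk; "criteria" is already plural, so either "the criteria the `audit` command's output must meet" with "These criteria are made up of", or "criterion" in the singular. The fixes to "compare these keywords" and "There are two ways" are correct.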
@ -213,7 +213,7 @@ of the audit command, or config file. If `set` is false, the check passes only
if the keyword is not present in the output of the audit command, or config file. if the keyword is not present in the output of the audit command, or config file.
`compare` has two fields `op` and `value` to compare keywords with expected `compare` has two fields `op` and `value` to compare keywords with expected
value. `op` specifies which operation is used for the comparison , and `value` value. `op` specifies which operation is used for the comparison, and `value`
specifies the value to compare against. specifies the value to compare against.
> To use `compare`, `set` must true. The comparison will be ignored if `set` is > To use `compare`, `set` must true. The comparison will be ignored if `set` is
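Review bot: the context line "> To use `compare`, `set` must true." is missing a verb and should read "`set` must be true"; since this hunk already touches the neighbouring sentence to fix the comma spacing, it would be worth folding that fix in here as well.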
@ -266,7 +266,7 @@ nodetype
|-- defaultkubeconfig (optional) |-- defaultkubeconfig (optional)
``` ```
Every node type has a subsection that specifies the main configurations items. Every node type has a subsection that specifies the main configuration items.
- `components`: A list of components for the node type. For example master - `components`: A list of components for the node type. For example master
will have an entry for **apiserver**, **scheduler** and **controllermanager**. will have an entry for **apiserver**, **scheduler** and **controllermanager**.
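Review bot: minor style point on "For example master will have an entry for": a comma after "For example" (as this file already does in "for example `cfg/1.12`") would make the sentence easier to read; the "configurations items" to "configuration items" correction is good.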
@ -293,8 +293,8 @@ Every node type has a subsection that specifies the main configurations items.
``` ```
- `confs`: A list of candidate configuration files for a component. `kube-bench` - `confs`: A list of candidate configuration files for a component. `kube-bench`
checks this list and selects the first config file that is found on the node, checks this list and selects the first config file that is found on the node.
if none of the config files exists, `kube-bench` defaults conf to the value If none of the config files exists, `kube-bench` defaults conf to the value
of `defaultconf`. of `defaultconf`.
The selected config for a component can be referenced in `controls` using a The selected config for a component can be referenced in `controls` using a
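Review bot: splitting the run-on into two sentences is right, but the behaviour described ("selects the first config file that is found on the node") means list order determines precedence, and the doc should say so explicitly, since a stale file earlier in the `confs` list would be audited instead of the one the component is actually using. "defaults conf to the value of `defaultconf`" also reads awkwardly; "falls back to `defaultconf`" is clearer, and "none of the config files exist" is the more natural agreement.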
@ -309,8 +309,8 @@ Every node type has a subsection that specifies the main configurations items.
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
``` ```
- `svcs`: A list of candidates unitfiles for a component. `kube-bench` checks this - `svcs`: A list of candidate unitfiles for a component. `kube-bench` checks this
list and selects the first unitfile that is found on the node, if none of the list and selects the first unitfile that is found on the node. If none of the
unitfiles exists, `kube-bench` defaults unitfile to the value of `defaultsvc`. unitfiles exists, `kube-bench` defaults unitfile to the value of `defaultsvc`.
The selected unitfile for a component can be referenced in `controls` via a The selected unitfile for a component can be referenced in `controls` via a
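Review bot: the `candidates unitfiles` to `candidate unitfiles` fix and sentence split are correct; for consistency with the `confs` bullet the fallback sentence could read "falls back to `defaultsvc`". Unrelated to the wording but visible in this hunk's context: the `audit` example expands `$apiserverconf` unquoted inside `sh -c`, so a path containing whitespace would be word-split before `stat` runs; quoting it would be more robust, though that is a change to the example rather than to this documentation fix.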
@ -332,7 +332,7 @@ Every node type has a subsection that specifies the main configurations items.
``` ```
- `kubeconfig`: A list of candidate kubeconfig files for a component. `kube-bench` - `kubeconfig`: A list of candidate kubeconfig files for a component. `kube-bench`
checks this list and selects the first file that is found on the node, if none checks this list and selects the first file that is found on the node. If none
of the files exists, `kube-bench` defaults kubeconfig to the value of of the files exists, `kube-bench` defaults kubeconfig to the value of
`defaultkubeconfig`. `defaultkubeconfig`.
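Review bot: same pattern as the `confs` and `svcs` bullets: the sentence split is an improvement, and "defaults kubeconfig to the value of `defaultkubeconfig`" would read better as "falls back to `defaultkubeconfig`"; whichever phrasing is chosen, use it in all three bullets so the fallback behaviour is described identically.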