mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-25 01:18:12 +00:00
Fixed documentation errors (#450)
This commit is contained in:
parent
bea820bdfe
commit
b0abc74350
@ -4,9 +4,9 @@
|
|||||||
representation of the CIS Kubernetes Benchmark checks. There is a
|
representation of the CIS Kubernetes Benchmark checks. There is a
|
||||||
`controls` file per Kubernetes version and node type.
|
`controls` file per Kubernetes version and node type.
|
||||||
|
|
||||||
`controls` for the various versions of Kubernetes can be found in directories
|
`controls` for the various versions of kubernetes can be found in directories
|
||||||
with same name as the Kubernetes versions under `cfg/`, for example `cfg/1.12`.
|
with same name as the kubernetes versions under `cfg/`, for example `cfg/1.12`.
|
||||||
`controls` are also organized by distribution under the `cfg` directory for
|
`controls` are also organized by distribution under the `cfg` directory, for
|
||||||
example `cfg/ocp-3.10`.
|
example `cfg/ocp-3.10`.
|
||||||
|
|
||||||
## Controls
|
## Controls
|
||||||
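Review bot: the capitalization fixes in this hunk leave a missing article on the changed line `with same name as the Kubernetes versions under `cfg/`, for example `cfg/1.12`.`; since the line is being touched anyway, suggest `with the same name as the Kubernetes versions under `cfg/``. The comma added after `directory` on the `ocp-3.10` sentence reads correctly.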
@ -62,7 +62,7 @@ groups:
|
|||||||
the `controls` components have an id and a text description which are displayed
|
the `controls` components have an id and a text description which are displayed
|
||||||
in the `kube-bench` output.
|
in the `kube-bench` output.
|
||||||
|
|
||||||
`type` specifies what Kubernetes node type a `controls` is for. Possible values
|
`type` specifies what kubernetes node type a `controls` is for. Possible values
|
||||||
for `type` are `master` and `node`.
|
for `type` are `master` and `node`.
|
||||||
|
|
||||||
## Groups
|
## Groups
|
||||||
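Review bot: the new line ``type` specifies what Kubernetes node type a `controls` is for.` still reads awkwardly because `controls` names a file, not a thing; suggest `what Kubernetes node type a `controls` file is for`, matching the wording ``controls` file per Kubernetes version and node type` used earlier in this document. The context line `the `controls` components have an id ...` starts lowercase, but that is presumably a sentence continued from the line above the hunk.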
@ -154,10 +154,10 @@ object. `tests` contain `bin_op` and `test_items`.
|
|||||||
|
|
||||||
`test_items` specify the criteria(s) the `audit` command's output should meet to
|
`test_items` specify the criteria(s) the `audit` command's output should meet to
|
||||||
pass a check. This criteria is made up of keywords extracted from the output of
|
pass a check. This criteria is made up of keywords extracted from the output of
|
||||||
the `audit` command and operations that compare the these keywords against
|
the `audit` command and operations that compare these keywords against
|
||||||
values expected by the CIS Kubernetes Benchmark.
|
values expected by the CIS Kubernetes Benchmark.
|
||||||
|
|
||||||
The are two ways to extract keywords from the output of the `audit` command,
|
There are two ways to extract keywords from the output of the `audit` command,
|
||||||
`flag` and `path`.
|
`flag` and `path`.
|
||||||
|
|
||||||
`flag` is used when the keyword is a command line flag. The associated `audit`
|
`flag` is used when the keyword is a command line flag. The associated `audit`
|
||||||
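Review bot: the `the these` and `The are` typo fixes are correct, but the sentence on the `test_items` lines still says `the criteria(s) ... This criteria is made up of`, and `criteria` is already plural; suggest `specify the criteria the `audit` command's output should meet to pass a check. These criteria are made up of keywords ...` so the whole passage is fixed in one change.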
@ -213,7 +213,7 @@ of the audit command, or config file. If `set` is false, the check passes only
|
|||||||
if the keyword is not present in the output of the audit command, or config file.
|
if the keyword is not present in the output of the audit command, or config file.
|
||||||
|
|
||||||
`compare` has two fields `op` and `value` to compare keywords with expected
|
`compare` has two fields `op` and `value` to compare keywords with expected
|
||||||
value. `op` specifies which operation is used for the comparison , and `value`
|
value. `op` specifies which operation is used for the comparison, and `value`
|
||||||
specifies the value to compare against.
|
specifies the value to compare against.
|
||||||
|
|
||||||
> To use `compare`, `set` must true. The comparison will be ignored if `set` is
|
> To use `compare`, `set` must true. The comparison will be ignored if `set` is
|
||||||
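Review bot: the blockquote context line `> To use `compare`, `set` must true.` is missing a verb and is not corrected by this hunk, which only removes the stray space before the comma in `comparison ,`; suggest ``set` must be true` while this paragraph is being edited.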
@ -266,7 +266,7 @@ nodetype
|
|||||||
|-- defaultkubeconfig (optional)
|
|-- defaultkubeconfig (optional)
|
||||||
```
|
```
|
||||||
|
|
||||||
Every node type has a subsection that specifies the main configurations items.
|
Every node type has a subsection that specifies the main configuration items.
|
||||||
|
|
||||||
- `components`: A list of components for the node type. For example master
|
- `components`: A list of components for the node type. For example master
|
||||||
will have an entry for **apiserver**, **scheduler** and **controllermanager**.
|
will have an entry for **apiserver**, **scheduler** and **controllermanager**.
|
||||||
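Review bot: `configurations items` to `configuration items` is right; the unchanged context line `For example master will have an entry for **apiserver**, **scheduler** and **controllermanager**.` would read better with a comma after `For example`, and `master` could be set in backticks to match how `controls` and `components` are styled in the surrounding text.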
@ -293,8 +293,8 @@ Every node type has a subsection that specifies the main configurations items.
|
|||||||
```
|
```
|
||||||
|
|
||||||
- `confs`: A list of candidate configuration files for a component. `kube-bench`
|
- `confs`: A list of candidate configuration files for a component. `kube-bench`
|
||||||
checks this list and selects the first config file that is found on the node,
|
checks this list and selects the first config file that is found on the node.
|
||||||
if none of the config files exists, `kube-bench` defaults conf to the value
|
If none of the config files exists, `kube-bench` defaults conf to the value
|
||||||
of `defaultconf`.
|
of `defaultconf`.
|
||||||
|
|
||||||
The selected config for a component can be referenced in `controls` using a
|
The selected config for a component can be referenced in `controls` using a
|
||||||
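Review bot: splitting the run-on into two sentences is an improvement, but the resulting `If none of the config files exists, `kube-bench` defaults conf to the value of `defaultconf`.` is terse to the point of being unclear about what `conf` refers to; suggest `falls back to the value of `defaultconf`` (or `uses `defaultconf` as the config file`). The same `defaults X to the value of` construction appears in the `svcs` and `kubeconfig` items below, so fix all three together.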
@ -309,8 +309,8 @@ Every node type has a subsection that specifies the main configurations items.
|
|||||||
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
|
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
|
||||||
```
|
```
|
||||||
|
|
||||||
- `svcs`: A list of candidates unitfiles for a component. `kube-bench` checks this
|
- `svcs`: A list of candidate unitfiles for a component. `kube-bench` checks this
|
||||||
list and selects the first unitfile that is found on the node, if none of the
|
list and selects the first unitfile that is found on the node. If none of the
|
||||||
unitfiles exists, `kube-bench` defaults unitfile to the value of `defaultsvc`.
|
unitfiles exists, `kube-bench` defaults unitfile to the value of `defaultsvc`.
|
||||||
|
|
||||||
The selected unitfile for a component can be referenced in `controls` via a
|
The selected unitfile for a component can be referenced in `controls` via a
|
||||||
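Review bot: `candidates unitfiles` to `candidate unitfiles` is correct, but `unitfile`/`unitfiles` is a non-standard spelling (systemd documentation writes `unit file`); since the hunk touches both sentences, consider `A list of candidate unit files for a component` and `selects the first unit file that is found on the node`. The `defaults unitfile to the value of `defaultsvc`` phrasing has the same terseness noted on the `confs` item.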
@ -332,7 +332,7 @@ Every node type has a subsection that specifies the main configurations items.
|
|||||||
```
|
```
|
||||||
|
|
||||||
- `kubeconfig`: A list of candidate kubeconfig files for a component. `kube-bench`
|
- `kubeconfig`: A list of candidate kubeconfig files for a component. `kube-bench`
|
||||||
checks this list and selects the first file that is found on the node, if none
|
checks this list and selects the first file that is found on the node. If none
|
||||||
of the files exists, `kube-bench` defaults kubeconfig to the value of
|
of the files exists, `kube-bench` defaults kubeconfig to the value of
|
||||||
`defaultkubeconfig`.
|
`defaultkubeconfig`.
|
||||||
|
|
||||||
|
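Review bot: this is the same sentence split applied to the `confs` and `svcs` items, and the three list entries now share one structure, which is good for consistency; the remaining terse `defaults kubeconfig to the value of `defaultkubeconfig`` could become `falls back to the value of `defaultkubeconfig`` in the same pass. Nothing else in the hunk.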