
1.1.15, 1.1.17 of rke2-cis-1.7 fails

Resolves #1843.

This PR adds paths for schedulerkubeconfig and controllermanagerkubeconfig to
fix the failures, and replaces the hard-coded values with variables.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This commit is contained in:
Masashi Honma 2025-03-24 17:39:39 +09:00
parent 6edf7e590c
commit c9aa619106
4 changed files with 15 additions and 13 deletions


@ -60,6 +60,7 @@ master:
- /etc/kubernetes/scheduler.conf - /etc/kubernetes/scheduler.conf
- /var/lib/kube-scheduler/kubeconfig - /var/lib/kube-scheduler/kubeconfig
- /var/lib/kube-scheduler/config.yaml - /var/lib/kube-scheduler/config.yaml
- /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig
- /system/secrets/kubernetes/kube-scheduler/kubeconfig - /system/secrets/kubernetes/kube-scheduler/kubeconfig
defaultkubeconfig: /etc/kubernetes/scheduler.conf defaultkubeconfig: /etc/kubernetes/scheduler.conf
@ -84,6 +85,7 @@ master:
kubeconfig: kubeconfig:
- /etc/kubernetes/controller-manager.conf - /etc/kubernetes/controller-manager.conf
- /var/lib/kube-controller-manager/kubeconfig - /var/lib/kube-controller-manager/kubeconfig
- /var/lib/rancher/rke2/server/cred/controller.kubeconfig
- /system/secrets/kubernetes/kube-controller-manager/kubeconfig - /system/secrets/kubernetes/kube-controller-manager/kubeconfig
defaultkubeconfig: /etc/kubernetes/controller-manager.conf defaultkubeconfig: /etc/kubernetes/controller-manager.conf
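Review bot: The two new candidate entries (L25, L32) carry no hint that they exist for the RKE2 benchmarks, and this generic `master:` config is shared by every benchmark, so a short comment above each, e.g. `# RKE2 server credential path (rke2-cis-*, see #1843)`, would keep them from being pruned as unrelated later. Position matters if, as I recall, kube-bench takes the first candidate that exists on the host: the rke2 entry now sits ahead of `/system/secrets/...`, which looks intended but is worth confirming. `defaultkubeconfig` is left at `/etc/kubernetes/scheduler.conf` and `/etc/kubernetes/controller-manager.conf`, so an rke2 host whose cred files are not at the new paths still resolves the variables to non-rke2 locations. The enclosing component blocks under `master:` start outside both hunks.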


@ -223,7 +223,7 @@ groups:
- id: 1.1.15 - id: 1.1.15
text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)" text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)"
audit: "stat -c %a /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig" audit: "stat -c %a $schedulerkubeconfig"
tests: tests:
test_items: test_items:
- flag: "644" - flag: "644"
@ -239,7 +239,7 @@ groups:
- id: 1.1.16 - id: 1.1.16
text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)" text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig" audit: "stat -c %U:%G $schedulerkubeconfig"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -255,7 +255,7 @@ groups:
- id: 1.1.17 - id: 1.1.17
text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)" text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)"
audit: "stat -c %a /var/lib/rancher/rke2/server/cred/controller.kubeconfig" audit: "stat -c %a $controllermanagerkubeconfig"
tests: tests:
test_items: test_items:
- flag: "644" - flag: "644"
@ -271,7 +271,7 @@ groups:
- id: 1.1.18 - id: 1.1.18
text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)" text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/controller.kubeconfig" audit: "stat -c %U:%G $controllermanagerkubeconfig"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -282,7 +282,7 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the control plane node. Run the below command (based on the file location on your system) on the control plane node.
For example, For example,
chown root:root /var/lib/rancher/rke2/server/cred/controller.kubeconfig chown root:root $controllermanagerkubeconfig
scored: true scored: true
- id: 1.1.19 - id: 1.1.19
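Review bot: The rewritten audit lines at L41, L48, L55 and L62 call `stat` directly on the substituted variable, so when none of the configured candidates exists and the variable falls back to `defaultkubeconfig`, the check fails on a shell error from `stat` rather than through the normal flag comparison; the generic cis benchmarks, as far as I recall, guard this as `/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c %a $schedulerkubeconfig; fi'` (likewise for `$controllermanagerkubeconfig`), and the same form here would keep the failure mode consistent across benchmarks. The same applies to the third file (L79, L86, L93, L100). Only the 1.1.18 remediation at L70 (and L108, L132 in the other files) was switched to the variable; the remediation blocks of 1.1.15–1.1.17 lie outside these hunks, and if they still spell the literal rke2 path they should use the same variables so the substituted command and the suggested fix name the same file. Each check's `compare` block is also outside the hunks, so whether the `644`/`600` flag is compared as a bitmask cannot be confirmed from the diff.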


@ -229,7 +229,7 @@ groups:
- id: 1.1.15 - id: 1.1.15
text: "Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)" text: "Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)"
audit: "stat -c %a /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig" audit: "stat -c %a $schedulerkubeconfig"
tests: tests:
test_items: test_items:
- flag: "600" - flag: "600"
@ -245,7 +245,7 @@ groups:
- id: 1.1.16 - id: 1.1.16
text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)" text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig" audit: "stat -c %U:%G $schedulerkubeconfig"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -261,7 +261,7 @@ groups:
- id: 1.1.17 - id: 1.1.17
text: "Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)" text: "Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)"
audit: "stat -c %a /var/lib/rancher/rke2/server/cred/controller.kubeconfig" audit: "stat -c %a $controllermanagerkubeconfig"
tests: tests:
test_items: test_items:
- flag: "600" - flag: "600"
@ -277,7 +277,7 @@ groups:
- id: 1.1.18 - id: 1.1.18
text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)" text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/controller.kubeconfig" audit: "stat -c %U:%G $controllermanagerkubeconfig"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -288,7 +288,7 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the control plane node. Run the below command (based on the file location on your system) on the control plane node.
For example, For example,
chown root:root /var/lib/rancher/rke2/server/cred/controller.kubeconfig chown root:root $controllermanagerkubeconfig
scored: true scored: true
- id: 1.1.19 - id: 1.1.19


@ -239,7 +239,7 @@ groups:
- id: 1.1.16 - id: 1.1.16
text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)" text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig" audit: "stat -c %U:%G $schedulerkubeconfig"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -271,7 +271,7 @@ groups:
- id: 1.1.18 - id: 1.1.18
text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)" text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/controller.kubeconfig" audit: "stat -c %U:%G $controllermanagerkubeconfig"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -282,7 +282,7 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the control plane node. Run the below command (based on the file location on your system) on the control plane node.
For example, For example,
chown root:root /var/lib/rancher/rke2/server/cred/controller.kubeconfig chown root:root $controllermanagerkubeconfig
scored: true scored: true
- id: 1.1.19 - id: 1.1.19
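Review bot: Only 1.1.16 (L117) and 1.1.18 (L124) are switched to the variables in this file, while the hunk offsets (239, 271, 282) match the second file's, where 1.1.15 at 223 and 1.1.17 at 255 were changed as well. If the 1.1.15/1.1.17 audits here still hard-code `/var/lib/rancher/rke2/server/cred/scheduler.kubeconfig` and `controller.kubeconfig`, they need the same substitution; if they already use `$schedulerkubeconfig`/`$controllermanagerkubeconfig`, nothing more is needed, but that is not visible from the diff. The 1.1.16 remediation is likewise outside these hunks and should match the 1.1.18 remediation at L132 in using the variable.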