arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2025-05-28 19:58:51 +00:00
Code Issues Releases Wiki Activity

Merge branch 'main' into dependabot/github_actions/golangci/golangci-lint-action-7

Browse Source
This commit is contained in:
afdesk 2025-04-03 14:48:40 +06:00 committed by GitHub
commit cbbd643cd4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 27 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cfg/config.yaml
View File

@ -60,6 +60,7 @@ master:
- /etc/kubernetes/scheduler.conf
- /var/lib/kube-scheduler/kubeconfig
- /var/lib/kube-scheduler/config.yaml
- /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig
- /system/secrets/kubernetes/kube-scheduler/kubeconfig
defaultkubeconfig: /etc/kubernetes/scheduler.conf
@ -84,6 +85,7 @@ master:
kubeconfig:
- /etc/kubernetes/controller-manager.conf
- /var/lib/kube-controller-manager/kubeconfig
- /var/lib/rancher/rke2/server/cred/controller.kubeconfig
- /system/secrets/kubernetes/kube-controller-manager/kubeconfig
defaultkubeconfig: /etc/kubernetes/controller-manager.conf

10
cfg/rke2-cis-1.23/master.yaml
View File

@ -223,7 +223,7 @@ groups:
- id: 1.1.15
text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)"
audit: "stat -c %a /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig"
audit: "stat -c %a $schedulerkubeconfig"
tests:
test_items:
- flag: "644"
@ -239,7 +239,7 @@ groups:
- id: 1.1.16
text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig"
audit: "stat -c %U:%G $schedulerkubeconfig"
tests:
test_items:
- flag: "root:root"
@ -255,7 +255,7 @@ groups:
- id: 1.1.17
text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)"
audit: "stat -c %a /var/lib/rancher/rke2/server/cred/controller.kubeconfig"
audit: "stat -c %a $controllermanagerkubeconfig"
tests:
test_items:
- flag: "644"
@ -271,7 +271,7 @@ groups:
- id: 1.1.18
text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/controller.kubeconfig"
audit: "stat -c %U:%G $controllermanagerkubeconfig"
tests:
test_items:
- flag: "root:root"
@ -282,7 +282,7 @@ groups:
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example,
chown root:root /var/lib/rancher/rke2/server/cred/controller.kubeconfig
chown root:root $controllermanagerkubeconfig
scored: true
- id: 1.1.19

10
cfg/rke2-cis-1.24/master.yaml
View File

@ -229,7 +229,7 @@ groups:
- id: 1.1.15
text: "Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)"
audit: "stat -c %a /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig"
audit: "stat -c %a $schedulerkubeconfig"
tests:
test_items:
- flag: "600"
@ -245,7 +245,7 @@ groups:
- id: 1.1.16
text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig"
audit: "stat -c %U:%G $schedulerkubeconfig"
tests:
test_items:
- flag: "root:root"
@ -261,7 +261,7 @@ groups:
- id: 1.1.17
text: "Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)"
audit: "stat -c %a /var/lib/rancher/rke2/server/cred/controller.kubeconfig"
audit: "stat -c %a $controllermanagerkubeconfig"
tests:
test_items:
- flag: "600"
@ -277,7 +277,7 @@ groups:
- id: 1.1.18
text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/controller.kubeconfig"
audit: "stat -c %U:%G $controllermanagerkubeconfig"
tests:
test_items:
- flag: "root:root"
@ -288,7 +288,7 @@ groups:
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example,
chown root:root /var/lib/rancher/rke2/server/cred/controller.kubeconfig
chown root:root $controllermanagerkubeconfig
scored: true
- id: 1.1.19

6
cfg/rke2-cis-1.7/master.yaml
View File

@ -239,7 +239,7 @@ groups:
- id: 1.1.16
text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig"
audit: "stat -c %U:%G $schedulerkubeconfig"
tests:
test_items:
- flag: "root:root"
@ -271,7 +271,7 @@ groups:
- id: 1.1.18
text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/controller.kubeconfig"
audit: "stat -c %U:%G $controllermanagerkubeconfig"
tests:
test_items:
- flag: "root:root"
@ -282,7 +282,7 @@ groups:
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example,
chown root:root /var/lib/rancher/rke2/server/cred/controller.kubeconfig
chown root:root $controllermanagerkubeconfig
scored: true
- id: 1.1.19

12
job-tkgi.yaml
View File

@ -23,6 +23,9 @@ spec:
- name: var-vcap-jobs
mountPath: /var/vcap/jobs
readOnly: true
- name: var-vcap-data-jobs
mountPath: /var/vcap/data/jobs
readOnly: true
- name: var-vcap-packages
mountPath: /var/vcap/packages
readOnly: true
@ -32,6 +35,9 @@ spec:
- name: var-vcap-sys
mountPath: /var/vcap/sys
readOnly: true
- name: var-vcap-data-sys
mountPath: /var/vcap/data/sys
readOnly: true
- name: etc-kubernetes
mountPath: /etc/kubernetes
readOnly: true
@ -40,6 +46,9 @@ spec:
- name: var-vcap-jobs
hostPath:
path: "/var/vcap/jobs"
- name: var-vcap-data-jobs
hostPath:
path: "/var/vcap/data/jobs"
- name: var-vcap-packages
hostPath:
path: "/var/vcap/packages"
@ -49,6 +58,9 @@ spec:
- name: var-vcap-sys
hostPath:
path: "/var/vcap/sys"
- name: var-vcap-data-sys
hostPath:
path: "/var/vcap/data/sys"
- name: etc-kubernetes
hostPath:
path: "/etc/kubernetes"