From 6a46d64538bc1ad52857740a1fabc2b22be6eae7 Mon Sep 17 00:00:00 2001
From: Masashi Honma <1505016+masap@users.noreply.github.com>
Date: Wed, 2 Apr 2025 17:52:03 +0900
Subject: [PATCH 1/2] 1.1.15, 1.1.17 of rke2-cis-1.7 fails (#1844)
Resolves #1843. This PR adds pathes to schedulerkubeconfig and controllermanagerkubeconfig to fix the failures. And replace hard coded values with variables.
Signed-off-by: Masashi Honma
---
 cfg/config.yaml | 2 ++
 cfg/rke2-cis-1.23/master.yaml | 10 +++++-----
 cfg/rke2-cis-1.24/master.yaml | 10 +++++-----
 cfg/rke2-cis-1.7/master.yaml | 6 +++---
 4 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/cfg/config.yaml b/cfg/config.yaml
index e656166..88e8424 100644
--- a/cfg/config.yaml
+++ b/cfg/config.yaml
@@ -60,6 +60,7 @@ master:
 - /etc/kubernetes/scheduler.conf
 - /var/lib/kube-scheduler/kubeconfig
 - /var/lib/kube-scheduler/config.yaml
+ - /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig
 - /system/secrets/kubernetes/kube-scheduler/kubeconfig
 defaultkubeconfig: /etc/kubernetes/scheduler.conf
 
@@ -84,6 +85,7 @@ master:
 kubeconfig:
 - /etc/kubernetes/controller-manager.conf
 - /var/lib/kube-controller-manager/kubeconfig
+ - /var/lib/rancher/rke2/server/cred/controller.kubeconfig
 - /system/secrets/kubernetes/kube-controller-manager/kubeconfig
 defaultkubeconfig: /etc/kubernetes/controller-manager.conf
 
diff --git a/cfg/rke2-cis-1.23/master.yaml b/cfg/rke2-cis-1.23/master.yaml
index aeb766a..a3db762 100644
--- a/cfg/rke2-cis-1.23/master.yaml
+++ b/cfg/rke2-cis-1.23/master.yaml
@@ -223,7 +223,7 @@ groups:
 
 - id: 1.1.15
 text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)"
- audit: "stat -c %a /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig"
+ audit: "stat -c %a $schedulerkubeconfig"
 tests:
 test_items:
 - flag: "644"
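Review bot: The new `scheduler.kubeconfig` candidate in the `@@ -60` hunk carries nothing that tells a maintainer why a `/var/lib/rancher/rke2/...` path sits in the generic list; a trailing comment such as `- /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig  # RKE2` would make that visible. The same applies to the `controller.kubeconfig` entry in the `@@ -84` hunk of this file. How the list is resolved (first existing path wins, or otherwise) is not visible in this diff, so if order matters, placing the RKE2 entry ahead of `/system/secrets/...` should be a deliberate choice and is worth a one-line comment too.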
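Review bot: With `audit: "stat -c %a $schedulerkubeconfig"` the 1.1.15 check now depends on the path being discovered from the `master.scheduler.kubeconfig` list instead of the fixed RKE2 location, so on a node where no listed candidate exists the variable presumably falls back to `defaultkubeconfig` (`/etc/kubernetes/scheduler.conf`) and `stat` reports a missing file. Please confirm that this benchmark's own per-benchmark config (outside this diff) does not redefine `kubeconfig` for `scheduler` or `controllermanager` and thereby hide the entries added to `cfg/config.yaml`. The same dependency applies to the 1.1.16–1.1.18 hunks in this file and to the corresponding hunks in `cfg/rke2-cis-1.24/master.yaml` and `cfg/rke2-cis-1.7/master.yaml`. The substitution mechanism itself is not visible here, so this is a check to run rather than a defect in the hunk.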
@@ -239,7 +239,7 @@ groups:
 
 - id: 1.1.16
 text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
- audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig"
+ audit: "stat -c %U:%G $schedulerkubeconfig"
 tests:
 test_items:
 - flag: "root:root"
@@ -255,7 +255,7 @@ groups:
 
 - id: 1.1.17
 text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)"
- audit: "stat -c %a /var/lib/rancher/rke2/server/cred/controller.kubeconfig"
+ audit: "stat -c %a $controllermanagerkubeconfig"
 tests:
 test_items:
 - flag: "644"
@@ -271,7 +271,7 @@ groups:
 
 - id: 1.1.18
 text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
- audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/controller.kubeconfig"
+ audit: "stat -c %U:%G $controllermanagerkubeconfig"
 tests:
 test_items:
 - flag: "root:root"
@@ -282,7 +282,7 @@ groups:
 remediation: |
 Run the below command (based on the file location on your system) on the control plane node.
 For example,
- chown root:root /var/lib/rancher/rke2/server/cred/controller.kubeconfig
+ chown root:root $controllermanagerkubeconfig
 scored: true
 
 - id: 1.1.19
diff --git a/cfg/rke2-cis-1.24/master.yaml b/cfg/rke2-cis-1.24/master.yaml
index a11048d..3c9dd6e 100644
--- a/cfg/rke2-cis-1.24/master.yaml
+++ b/cfg/rke2-cis-1.24/master.yaml
@@ -229,7 +229,7 @@ groups:
 
 - id: 1.1.15
 text: "Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)"
- audit: "stat -c %a /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig"
+ audit: "stat -c %a $schedulerkubeconfig"
 tests:
 test_items:
 - flag: "600"
@@ -245,7 +245,7 @@ groups:
 
 - id: 1.1.16
 text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
- audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig"
+ audit: "stat -c %U:%G $schedulerkubeconfig"
 tests:
 test_items:
 - flag: "root:root"
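Review bot: The remediation text in the `@@ -282` hunk now reads `chown root:root $controllermanagerkubeconfig`, which is only correct if variable substitution is applied to `remediation:` blocks and not just to `audit:` commands; if substitution is whole-file the user sees the resolved path, otherwise the literal `$controllermanagerkubeconfig` ends up in the report. This is worth confirming once, since the same edit is made in the `@@ -288` hunk of `cfg/rke2-cis-1.24/master.yaml` and the `@@ -282` hunk of `cfg/rke2-cis-1.7/master.yaml`. If substitution does not reach remediation text, keeping the literal RKE2 path in these three lines is the smaller change.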
@@ -261,7 +261,7 @@ groups:
 
 - id: 1.1.17
 text: "Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)"
- audit: "stat -c %a /var/lib/rancher/rke2/server/cred/controller.kubeconfig"
+ audit: "stat -c %a $controllermanagerkubeconfig"
 tests:
 test_items:
 - flag: "600"
@@ -277,7 +277,7 @@ groups:
 
 - id: 1.1.18
 text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
- audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/controller.kubeconfig"
+ audit: "stat -c %U:%G $controllermanagerkubeconfig"
 tests:
 test_items:
 - flag: "root:root"
@@ -288,7 +288,7 @@ groups:
 remediation: |
 Run the below command (based on the file location on your system) on the control plane node.
 For example,
- chown root:root /var/lib/rancher/rke2/server/cred/controller.kubeconfig
+ chown root:root $controllermanagerkubeconfig
 scored: true
 
 - id: 1.1.19
diff --git a/cfg/rke2-cis-1.7/master.yaml b/cfg/rke2-cis-1.7/master.yaml
index f7734b8..bb28af2 100644
--- a/cfg/rke2-cis-1.7/master.yaml
+++ b/cfg/rke2-cis-1.7/master.yaml
@@ -239,7 +239,7 @@ groups:
 
 - id: 1.1.16
 text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
- audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig"
+ audit: "stat -c %U:%G $schedulerkubeconfig"
 tests:
 test_items:
 - flag: "root:root"
@@ -271,7 +271,7 @@ groups:
 
 - id: 1.1.18
 text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
- audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/controller.kubeconfig"
+ audit: "stat -c %U:%G $controllermanagerkubeconfig"
 tests:
 test_items:
 - flag: "root:root"
@@ -282,7 +282,7 @@ groups:
 remediation: |
 Run the below command (based on the file location on your system) on the control plane node.
 For example,
- chown root:root /var/lib/rancher/rke2/server/cred/controller.kubeconfig
+ chown root:root $controllermanagerkubeconfig
 scored: true
 
 - id: 1.1.19
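Review bot: The commit title names 1.1.15 and 1.1.17 of rke2-cis-1.7, but the hunks in `cfg/rke2-cis-1.7/master.yaml` (`@@ -239`, `@@ -271`, `@@ -282`) only touch 1.1.16, 1.1.18 and the 1.1.18 remediation; presumably 1.1.15 and 1.1.17 already use `$schedulerkubeconfig` / `$controllermanagerkubeconfig` and are fixed by the new entries in `cfg/config.yaml`, which the description should say. If they instead still carry the literal RKE2 path, they would keep working while 1.1.16 and 1.1.18 now depend on path discovery, and the four checks could end up reporting on different files for the same kubeconfig. The unchanged checks are outside these hunks, so this is a request to verify rather than a visible defect.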
From d28ea670c8a4e88989f23245aecec3a0249b3bae Mon Sep 17 00:00:00 2001
From: Bastian Nutzinger
Date: Thu, 3 Apr 2025 10:47:07 +0200
Subject: [PATCH 2/2] add necessary mounts for /var/vcap/data/jobs & sys (#1841)
---
 job-tkgi.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/job-tkgi.yaml b/job-tkgi.yaml
index 3ac760c..7c87a53 100644
--- a/job-tkgi.yaml
+++ b/job-tkgi.yaml
@@ -23,6 +23,9 @@ spec:
 - name: var-vcap-jobs
 mountPath: /var/vcap/jobs
 readOnly: true
+ - name: var-vcap-data-jobs
+ mountPath: /var/vcap/data/jobs
+ readOnly: true
 - name: var-vcap-packages
 mountPath: /var/vcap/packages
 readOnly: true
@@ -32,6 +35,9 @@ spec:
 - name: var-vcap-sys
 mountPath: /var/vcap/sys
 readOnly: true
+ - name: var-vcap-data-sys
+ mountPath: /var/vcap/data/sys
+ readOnly: true
 - name: etc-kubernetes
 mountPath: /etc/kubernetes
 readOnly: true
@@ -40,6 +46,9 @@ spec:
 - name: var-vcap-jobs
 hostPath:
 path: "/var/vcap/jobs"
+ - name: var-vcap-data-jobs
+ hostPath:
+ path: "/var/vcap/data/jobs"
 - name: var-vcap-packages
 hostPath:
 path: "/var/vcap/packages"
@@ -49,6 +58,9 @@ spec:
 - name: var-vcap-sys
 hostPath:
 path: "/var/vcap/sys"
+ - name: var-vcap-data-sys
+ hostPath:
+ path: "/var/vcap/data/sys"
 - name: etc-kubernetes
 hostPath:
 path: "/etc/kubernetes"
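Review bot: The new `hostPath` volumes for `/var/vcap/data/jobs` and `/var/vcap/data/sys` in the `@@ -40` and `@@ -49` hunks set no `type`, so on a node that lacks the directory the mount is attempted without any check and, depending on the container runtime, an empty directory may be created on the host by a job that otherwise only reads; adding `type: Directory` under each new `hostPath:` would instead fail the pod with a clear event. Mounting them `readOnly: true` in the `@@ -23` and `@@ -32` hunks is right and should stay. The neighbouring `hostPath` entries in this file follow the same typeless pattern, so if `type` is added it should be added consistently rather than only to the two new volumes. A short comment naming the check that needs each directory would also help the next reader, since the commit message only says the mounts are "necessary".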