
Merge branch 'main' into dependabot/github_actions/golangci/golangci-lint-action-7

This commit is contained in:
afdesk 2025-04-03 14:48:40 +06:00 committed by GitHub
commit cbbd643cd4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 27 additions and 13 deletions


@ -60,6 +60,7 @@ master:
- /etc/kubernetes/scheduler.conf - /etc/kubernetes/scheduler.conf
- /var/lib/kube-scheduler/kubeconfig - /var/lib/kube-scheduler/kubeconfig
- /var/lib/kube-scheduler/config.yaml - /var/lib/kube-scheduler/config.yaml
- /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig
- /system/secrets/kubernetes/kube-scheduler/kubeconfig - /system/secrets/kubernetes/kube-scheduler/kubeconfig
defaultkubeconfig: /etc/kubernetes/scheduler.conf defaultkubeconfig: /etc/kubernetes/scheduler.conf
@ -84,6 +85,7 @@ master:
kubeconfig: kubeconfig:
- /etc/kubernetes/controller-manager.conf - /etc/kubernetes/controller-manager.conf
- /var/lib/kube-controller-manager/kubeconfig - /var/lib/kube-controller-manager/kubeconfig
- /var/lib/rancher/rke2/server/cred/controller.kubeconfig
- /system/secrets/kubernetes/kube-controller-manager/kubeconfig - /system/secrets/kubernetes/kube-controller-manager/kubeconfig
defaultkubeconfig: /etc/kubernetes/controller-manager.conf defaultkubeconfig: /etc/kubernetes/controller-manager.conf
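Review bot: The new RKE2 entries are appended after the kubeadm and generic candidates in both lists while `defaultkubeconfig` still points at `/etc/kubernetes/scheduler.conf` and `/etc/kubernetes/controller-manager.conf`; as far as I can tell kube-bench resolves `$schedulerkubeconfig` / `$controllermanagerkubeconfig` to the first candidate that exists and otherwise to that default, so the RKE2 checks that used to hard-code `/var/lib/rancher/rke2/server/cred/...` will now stat the kubeadm path whenever `/var/lib/rancher` is not visible to the kube-bench process (for example not mounted into the pod) — worth confirming the RKE2 job manifest mounts it. A short comment on each new entry, such as `# RKE2; the rke2-cis-* benchmarks resolve $schedulerkubeconfig from this list`, would let the next maintainer trace the variable back to this list. The `kubeconfig:` key that heads the scheduler list lies above the first hunk.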


@ -223,7 +223,7 @@ groups:
- id: 1.1.15 - id: 1.1.15
text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)" text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)"
audit: "stat -c %a /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig" audit: "stat -c %a $schedulerkubeconfig"
tests: tests:
test_items: test_items:
- flag: "644" - flag: "644"
@ -239,7 +239,7 @@ groups:
- id: 1.1.16 - id: 1.1.16
text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)" text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig" audit: "stat -c %U:%G $schedulerkubeconfig"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -255,7 +255,7 @@ groups:
- id: 1.1.17 - id: 1.1.17
text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)" text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)"
audit: "stat -c %a /var/lib/rancher/rke2/server/cred/controller.kubeconfig" audit: "stat -c %a $controllermanagerkubeconfig"
tests: tests:
test_items: test_items:
- flag: "644" - flag: "644"
@ -271,7 +271,7 @@ groups:
- id: 1.1.18 - id: 1.1.18
text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)" text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/controller.kubeconfig" audit: "stat -c %U:%G $controllermanagerkubeconfig"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -282,7 +282,7 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the control plane node. Run the below command (based on the file location on your system) on the control plane node.
For example, For example,
chown root:root /var/lib/rancher/rke2/server/cred/controller.kubeconfig chown root:root $controllermanagerkubeconfig
scored: true scored: true
- id: 1.1.19 - id: 1.1.19
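Review bot: Only the 1.1.18 remediation is switched to `$controllermanagerkubeconfig`, while the remediation blocks of 1.1.15, 1.1.16 and 1.1.17 fall between the hunks and are left untouched; if they still spell out the fixed `/var/lib/rancher/rke2/server/cred/...` path (I cannot see them here) the report will show a resolved path in one remediation and a hard-coded one in the others. For consistency with the rewritten audits they should read `chmod 644 $schedulerkubeconfig`, `chown root:root $schedulerkubeconfig` and `chmod 644 $controllermanagerkubeconfig`. Each check's `tests:` block continues past the lines shown.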


@ -229,7 +229,7 @@ groups:
- id: 1.1.15 - id: 1.1.15
text: "Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)" text: "Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)"
audit: "stat -c %a /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig" audit: "stat -c %a $schedulerkubeconfig"
tests: tests:
test_items: test_items:
- flag: "600" - flag: "600"
@ -245,7 +245,7 @@ groups:
- id: 1.1.16 - id: 1.1.16
text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)" text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig" audit: "stat -c %U:%G $schedulerkubeconfig"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -261,7 +261,7 @@ groups:
- id: 1.1.17 - id: 1.1.17
text: "Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)" text: "Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)"
audit: "stat -c %a /var/lib/rancher/rke2/server/cred/controller.kubeconfig" audit: "stat -c %a $controllermanagerkubeconfig"
tests: tests:
test_items: test_items:
- flag: "600" - flag: "600"
@ -277,7 +277,7 @@ groups:
- id: 1.1.18 - id: 1.1.18
text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)" text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/controller.kubeconfig" audit: "stat -c %U:%G $controllermanagerkubeconfig"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -288,7 +288,7 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the control plane node. Run the below command (based on the file location on your system) on the control plane node.
For example, For example,
chown root:root /var/lib/rancher/rke2/server/cred/controller.kubeconfig chown root:root $controllermanagerkubeconfig
scored: true scored: true
- id: 1.1.19 - id: 1.1.19
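Review bot: The audits for 1.1.15–1.1.18 now stat whatever `$schedulerkubeconfig` / `$controllermanagerkubeconfig` resolves to, but the remediations for 1.1.15–1.1.17 are outside the hunks and unchanged, so they may still name the hard-coded RKE2 path that the 1.1.18 remediation just dropped — please check and align them (`chmod 600 $schedulerkubeconfig`, `chown root:root $schedulerkubeconfig`, `chmod 600 $controllermanagerkubeconfig`). Note also that the substituted variable is unquoted in the `stat` commands; that is fine for the paths in config.yaml but `stat -c %a "$schedulerkubeconfig"` would be the defensive form if a site ever overrides the list. The `tests:` blocks of each check extend beyond the hunk.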


@ -239,7 +239,7 @@ groups:
- id: 1.1.16 - id: 1.1.16
text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)" text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig" audit: "stat -c %U:%G $schedulerkubeconfig"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -271,7 +271,7 @@ groups:
- id: 1.1.18 - id: 1.1.18
text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)" text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/controller.kubeconfig" audit: "stat -c %U:%G $controllermanagerkubeconfig"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
@ -282,7 +282,7 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the control plane node. Run the below command (based on the file location on your system) on the control plane node.
For example, For example,
chown root:root /var/lib/rancher/rke2/server/cred/controller.kubeconfig chown root:root $controllermanagerkubeconfig
scored: true scored: true
- id: 1.1.19 - id: 1.1.19
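Review bot: In this file only the ownership checks 1.1.16 and 1.1.18 (and the 1.1.18 remediation) are moved to the `$schedulerkubeconfig` / `$controllermanagerkubeconfig` variables, whereas the sibling benchmark files change 1.1.15 and 1.1.17 as well; if the permission checks here still hard-code `/var/lib/rancher/rke2/server/cred/...` the two pairs will stat different files on a node where the variable resolves elsewhere. Either update their `audit:` lines to `stat -c %a $schedulerkubeconfig` and `stat -c %a $controllermanagerkubeconfig` or add a comment above 1.1.15 explaining why this file deliberately differs. The 1.1.15 and 1.1.17 entries are not visible in the hunks, so this is inferred from the hunk set.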


@ -23,6 +23,9 @@ spec:
- name: var-vcap-jobs - name: var-vcap-jobs
mountPath: /var/vcap/jobs mountPath: /var/vcap/jobs
readOnly: true readOnly: true
- name: var-vcap-data-jobs
mountPath: /var/vcap/data/jobs
readOnly: true
- name: var-vcap-packages - name: var-vcap-packages
mountPath: /var/vcap/packages mountPath: /var/vcap/packages
readOnly: true readOnly: true
@ -32,6 +35,9 @@ spec:
- name: var-vcap-sys - name: var-vcap-sys
mountPath: /var/vcap/sys mountPath: /var/vcap/sys
readOnly: true readOnly: true
- name: var-vcap-data-sys
mountPath: /var/vcap/data/sys
readOnly: true
- name: etc-kubernetes - name: etc-kubernetes
mountPath: /etc/kubernetes mountPath: /etc/kubernetes
readOnly: true readOnly: true
@ -40,6 +46,9 @@ spec:
- name: var-vcap-jobs - name: var-vcap-jobs
hostPath: hostPath:
path: "/var/vcap/jobs" path: "/var/vcap/jobs"
- name: var-vcap-data-jobs
hostPath:
path: "/var/vcap/data/jobs"
- name: var-vcap-packages - name: var-vcap-packages
hostPath: hostPath:
path: "/var/vcap/packages" path: "/var/vcap/packages"
@ -49,6 +58,9 @@ spec:
- name: var-vcap-sys - name: var-vcap-sys
hostPath: hostPath:
path: "/var/vcap/sys" path: "/var/vcap/sys"
- name: var-vcap-data-sys
hostPath:
path: "/var/vcap/data/sys"
- name: etc-kubernetes - name: etc-kubernetes
hostPath: hostPath:
path: "/etc/kubernetes" path: "/etc/kubernetes"
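Review bot: The four new entries carry no comment saying which checks need `/var/vcap/data/jobs` and `/var/vcap/data/sys`, so a reader cannot tell them apart from the existing `/var/vcap/jobs` and `/var/vcap/sys` mounts they mirror; a line above the `var-vcap-data-jobs` mount such as `# BOSH runtime data dirs; mounted read-only for the checks that stat files under /var/vcap/data` would record the intent (presumably the TKGI benchmark, since the file name is not shown — confirm). Keeping `readOnly: true` on both new mounts is the right call, since hostPath exposes host files directly and these directories can hold rendered job configuration and logs. Both the `volumeMounts` and `volumes` lists begin and end outside the hunks.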