--- ## Controls Files. # These are YAML files that hold all the details for running checks. # ## Uncomment to use different control file paths. # masterControls: ./cfg/master.yaml # nodeControls: ./cfg/node.yaml master: components: - apiserver - scheduler - controllermanager - etcd - flanneld # kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark - kubernetes - kubelet kubernetes: defaultconf: /etc/kubernetes/config apiserver: bins: - "kube-apiserver" - "hyperkube apiserver" - "hyperkube kube-apiserver" - "apiserver" - "openshift start master api" - "hypershift openshift-kube-apiserver" confs: - /etc/kubernetes/manifests/kube-apiserver.yaml - /etc/kubernetes/manifests/kube-apiserver.yml - /etc/kubernetes/manifests/kube-apiserver.manifest - /var/snap/kube-apiserver/current/args - /var/snap/microk8s/current/args/kube-apiserver - /etc/origin/master/master-config.yaml - /etc/kubernetes/manifests/talos-kube-apiserver.yaml - /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml scheduler: bins: - "kube-scheduler" - "hyperkube scheduler" - "hyperkube kube-scheduler" - "scheduler" - "openshift start master controllers" confs: - /etc/kubernetes/manifests/kube-scheduler.yaml - /etc/kubernetes/manifests/kube-scheduler.yml - /etc/kubernetes/manifests/kube-scheduler.manifest - /var/snap/kube-scheduler/current/args - /var/snap/microk8s/current/args/kube-scheduler - /etc/origin/master/scheduler.json - /etc/kubernetes/manifests/talos-kube-scheduler.yaml - /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml kubeconfig: - /etc/kubernetes/scheduler.conf - /var/lib/kube-scheduler/kubeconfig - /var/lib/kube-scheduler/config.yaml - /system/secrets/kubernetes/kube-scheduler/kubeconfig defaultkubeconfig: /etc/kubernetes/scheduler.conf controllermanager: bins: - "kube-controller-manager" - "kube-controller" - "hyperkube controller-manager" - "hyperkube kube-controller-manager" - "controller-manager" - "openshift start master controllers" - "hypershift openshift-controller-manager" confs: - /etc/kubernetes/manifests/kube-controller-manager.yaml - /etc/kubernetes/manifests/kube-controller-manager.yml - /etc/kubernetes/manifests/kube-controller-manager.manifest - /var/snap/kube-controller-manager/current/args - /var/snap/microk8s/current/args/kube-controller-manager - /etc/kubernetes/manifests/talos-kube-controller-manager.yaml - /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml kubeconfig: - /etc/kubernetes/controller-manager.conf - /var/lib/kube-controller-manager/kubeconfig - /system/secrets/kubernetes/kube-controller-manager/kubeconfig defaultkubeconfig: /etc/kubernetes/controller-manager.conf etcd: optional: true bins: - "etcd" - "openshift start etcd" datadirs: - /var/lib/etcd/default.etcd - /var/lib/etcd/data.etcd - /var/lib/rancher/k3s/server/db/etcd confs: - /etc/kubernetes/manifests/etcd.yaml - /etc/kubernetes/manifests/etcd.yml - /etc/kubernetes/manifests/etcd.manifest - /etc/etcd/etcd.conf - /var/snap/etcd/common/etcd.conf.yml - /var/snap/etcd/common/etcd.conf.yaml - /var/snap/microk8s/current/args/etcd - /usr/lib/systemd/system/etcd.service - /var/lib/rancher/rke2/server/db/etcd/config - /var/lib/rancher/k3s/server/db/etcd/config defaultconf: /etc/kubernetes/manifests/etcd.yaml defaultdatadir: /var/lib/etcd/default.etcd flanneld: optional: true bins: - flanneld defaultconf: /etc/sysconfig/flanneld kubelet: optional: true bins: - "hyperkube kubelet" - "kubelet" node: components: - kubelet - proxy # kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark - kubernetes kubernetes: defaultconf: "/etc/kubernetes/config" kubelet: cafile: - "/etc/kubernetes/pki/ca.crt" - "/etc/kubernetes/certs/ca.crt" - "/etc/kubernetes/cert/ca.pem" - "/var/snap/microk8s/current/certs/ca.crt" - "/var/lib/rancher/rke2/agent/server.crt" - "/var/lib/rancher/rke2/agent/client-ca.crt" - "/var/lib/rancher/k3s/agent/client-ca.crt" svc: # These paths must also be included # in the 'confs' property below - "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" - "/etc/systemd/system/kubelet.service" - "/lib/systemd/system/kubelet.service" - "/etc/systemd/system/snap.kubelet.daemon.service" - "/etc/systemd/system/snap.microk8s.daemon-kubelet.service" - "/etc/systemd/system/atomic-openshift-node.service" - "/etc/systemd/system/origin-node.service" bins: - "hyperkube kubelet" - "kubelet" kubeconfig: - "/etc/kubernetes/kubelet.conf" - "/etc/kubernetes/kubelet-kubeconfig.conf" - "/var/lib/kubelet/kubeconfig" - "/etc/kubernetes/kubelet-kubeconfig" - "/etc/kubernetes/kubelet/kubeconfig" - "/etc/kubernetes/ssl/kubecfg-kube-node.yaml" - "/var/snap/microk8s/current/credentials/kubelet.config" - "/etc/kubernetes/kubeconfig-kubelet" - "/var/lib/rancher/rke2/agent/kubelet.kubeconfig" - "/var/lib/rancher/k3s/server/cred/admin.kubeconfig" - "/var/lib/rancher/k3s/agent/kubelet.kubeconfig" confs: - "/etc/kubernetes/kubelet-config.yaml" - "/var/lib/kubelet/config.yaml" - "/var/lib/kubelet/config.yml" - "/etc/kubernetes/kubelet/kubelet-config.json" - "/etc/kubernetes/kubelet/config" - "/home/kubernetes/kubelet-config.yaml" - "/home/kubernetes/kubelet-config.yml" - "/etc/default/kubeletconfig.json" - "/etc/default/kubelet" - "/var/lib/kubelet/kubeconfig" - "/var/snap/kubelet/current/args" - "/var/snap/microk8s/current/args/kubelet" ## Due to the fact that the kubelet might be configured ## without a kubelet-config file, we use a work-around ## of pointing to the systemd service file (which can also ## hold kubelet configuration). ## Note: The following paths must match the one under 'svc' - "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" - "/etc/systemd/system/kubelet.service" - "/lib/systemd/system/kubelet.service" - "/etc/systemd/system/snap.kubelet.daemon.service" - "/etc/systemd/system/snap.microk8s.daemon-kubelet.service" - "/etc/kubernetes/kubelet.yaml" - "/var/lib/rancher/rke2/agent/kubelet.kubeconfig" defaultconf: "/var/lib/kubelet/config.yaml" defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" defaultkubeconfig: "/etc/kubernetes/kubelet.conf" defaultcafile: "/etc/kubernetes/pki/ca.crt" proxy: optional: true bins: - "kube-proxy" - "hyperkube proxy" - "hyperkube kube-proxy" - "proxy" - "openshift start network" confs: - /etc/kubernetes/proxy - /etc/kubernetes/addons/kube-proxy-daemonset.yaml - /etc/kubernetes/addons/kube-proxy-daemonset.yml - /var/snap/kube-proxy/current/args - /var/snap/microk8s/current/args/kube-proxy kubeconfig: - "/etc/kubernetes/kubelet-kubeconfig" - "/etc/kubernetes/kubelet-kubeconfig.conf" - "/etc/kubernetes/kubelet/config" - "/etc/kubernetes/ssl/kubecfg-kube-proxy.yaml" - "/var/lib/kubelet/kubeconfig" - "/var/snap/microk8s/current/credentials/proxy.config" - "/var/lib/rancher/rke2/agent/kubeproxy.kubeconfig" - "/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig" svc: - "/lib/systemd/system/kube-proxy.service" - "/etc/systemd/system/snap.microk8s.daemon-proxy.service" defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml defaultkubeconfig: "/etc/kubernetes/proxy.conf" etcd: components: - etcd etcd: bins: - "etcd" datadirs: - /var/lib/etcd/default.etcd - /var/lib/etcd/data.etcd - /var/lib/rancher/k3s/server/db/etcd confs: - /etc/kubernetes/manifests/etcd.yaml - /etc/kubernetes/manifests/etcd.yml - /etc/kubernetes/manifests/etcd.manifest - /etc/etcd/etcd.conf - /var/snap/etcd/common/etcd.conf.yml - /var/snap/etcd/common/etcd.conf.yaml - /var/snap/microk8s/current/args/etcd - /usr/lib/systemd/system/etcd.service - /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml - /var/lib/rancher/k3s/server/db/etcd/config defaultconf: /etc/kubernetes/manifests/etcd.yaml defaultdatadir: /var/lib/etcd/default.etcd controlplane: components: - apiserver apiserver: bins: - "kube-apiserver" - "hyperkube apiserver" - "hyperkube kube-apiserver" - "apiserver" policies: components: [] managedservices: components: [] version_mapping: "1.15": "cis-1.5" "1.16": "cis-1.6" "1.17": "cis-1.6" "1.18": "cis-1.6" "1.19": "cis-1.20" "1.20": "cis-1.20" "1.21": "cis-1.20" "1.22": "cis-1.23" "1.23": "cis-1.23" "1.24": "cis-1.24" "1.25": "cis-1.7" "1.26": "cis-1.8" "1.27": "cis-1.9" "1.28": "cis-1.9" "1.29": "cis-1.9" "eks-1.0.1": "eks-1.0.1" "eks-1.1.0": "eks-1.1.0" "eks-1.2.0": "eks-1.2.0" "eks-1.5.0": "eks-1.5.0" "gke-1.0": "gke-1.0" "gke-1.2.0": "gke-1.2.0" "ocp-3.10": "rh-0.7" "ocp-3.11": "rh-0.7" "ocp-4.0": "rh-1.0" "aks-1.0": "aks-1.0" "ack-1.0": "ack-1.0" "cis-1.6-k3s": "cis-1.6-k3s" "cis-1.24-microk8s": "cis-1.24-microk8s" "tkgi-1.2.53": "tkgi-1.2.53" "k3s-cis-1.7": "k3s-cis-1.7" "k3s-cis-1.23": "k3s-cis-1.23" "k3s-cis-1.24": "k3s-cis-1.24" "rke-cis-1.7": "rke-cis-1.7" "rke-cis-1.23": "rke-cis-1.23" "rke-cis-1.24": "rke-cis-1.24" "rke2-cis-1.7": "rke2-cis-1.7" "rke2-cis-1.23": "rke2-cis-1.23" "rke2-cis-1.24": "rke2-cis-1.24" target_mapping: "cis-1.5": - "master" - "node" - "controlplane" - "etcd" - "policies" "cis-1.6": - "master" - "node" - "controlplane" - "etcd" - "policies" "cis-1.6-k3s": - "master" - "node" - "controlplane" - "etcd" - "policies" "cis-1.20": - "master" - "node" - "controlplane" - "etcd" - "policies" "cis-1.23": - "master" - "node" - "controlplane" - "etcd" - "policies" "cis-1.24": - "master" - "node" - "controlplane" - "etcd" - "policies" "cis-1.24-microk8s": - "master" - "etcd" - "node" - "controlplane" - "policies" "cis-1.7": - "master" - "node" - "controlplane" - "etcd" - "policies" "cis-1.8": - "master" - "node" - "controlplane" - "etcd" - "policies" "cis-1.9": - "master" - "node" - "controlplane" - "etcd" - "policies" "gke-1.0": - "master" - "node" - "controlplane" - "etcd" - "policies" - "managedservices" "gke-1.2.0": - "master" - "node" - "controlplane" - "policies" - "managedservices" "eks-1.0.1": - "master" - "node" - "controlplane" - "policies" - "managedservices" "eks-1.1.0": - "master" - "node" - "controlplane" - "policies" - "managedservices" "eks-1.2.0": - "master" - "node" - "controlplane" - "policies" - "managedservices" "rh-0.7": - "master" - "node" "aks-1.0": - "master" - "node" - "controlplane" - "policies" - "managedservices" "ack-1.0": - "master" - "node" - "controlplane" - "etcd" - "policies" - "managedservices" "rh-1.0": - "master" - "node" - "controlplane" - "policies" - "etcd" "eks-stig-kubernetes-v1r6": - "node" - "controlplane" - "policies" - "managedservices" "tkgi-1.2.53": - "master" - "etcd" - "controlplane" - "node" - "policies" "k3s-cis-1.7": - "master" - "etcd" - "controlplane" - "node" - "policies" "k3s-cis-1.23": - "master" - "etcd" - "controlplane" - "node" - "policies" "k3s-cis-1.24": - "master" - "etcd" - "controlplane" - "node" - "policies" "rke-cis-1.7": - "master" - "etcd" - "controlplane" - "node" - "policies" "rke-cis-1.23": - "master" - "etcd" - "controlplane" - "node" - "policies" "rke-cis-1.24": - "master" - "etcd" - "controlplane" - "node" - "policies" "rke2-cis-1.7": - "master" - "etcd" - "controlplane" - "node" - "policies" "rke2-cis-1.23": - "master" - "etcd" - "controlplane" - "node" - "policies" "rke2-cis-1.24": - "master" - "etcd" - "controlplane" - "node" - "policies"