mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-02 04:48:14 +00:00
3aa41db166
* starts fixes #353 * new approach to minize duplications * applied merged yaml files for v1.11 and v1.13 * yaml files json/params merged * fixes to remove double quotes from numbers and booleans * fixed bug * fixed certificate check * removed -json files * changes based on PR review * Update check/check_test.go Yay more tests! Co-Authored-By: Liz Rice <liz@lizrice.com> * changes as PR review * fixed bug when scored check is missing tests * attempt to improve the code * fixed list breaks * removes handleError function * Update check/check.go Accepting suggested log level. Co-Authored-By: Liz Rice <liz@lizrice.com>
134 lines
4.0 KiB
YAML
134 lines
4.0 KiB
YAML
---
|
|
## Controls Files.
|
|
# These are YAML files that hold all the details for running checks.
|
|
#
|
|
## Uncomment to use different control file paths.
|
|
# masterControls: ./cfg/master.yaml
|
|
# nodeControls: ./cfg/node.yaml
|
|
|
|
master:
|
|
components:
|
|
- apiserver
|
|
- scheduler
|
|
- controllermanager
|
|
- etcd
|
|
- flanneld
|
|
# kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
|
|
- kubernetes
|
|
|
|
kubernetes:
|
|
defaultconf: /etc/kubernetes/config
|
|
|
|
apiserver:
|
|
bins:
|
|
- "kube-apiserver"
|
|
- "hyperkube apiserver"
|
|
- "hyperkube kube-apiserver"
|
|
- "apiserver"
|
|
confs:
|
|
- /etc/kubernetes/manifests/kube-apiserver.yaml
|
|
- /etc/kubernetes/manifests/kube-apiserver.manifest
|
|
defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml
|
|
|
|
scheduler:
|
|
bins:
|
|
- "kube-scheduler"
|
|
- "hyperkube scheduler"
|
|
- "hyperkube kube-scheduler"
|
|
- "scheduler"
|
|
confs:
|
|
- /etc/kubernetes/manifests/kube-scheduler.yaml
|
|
- /etc/kubernetes/manifests/kube-scheduler.manifest
|
|
defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
|
|
|
|
controllermanager:
|
|
bins:
|
|
- "kube-controller-manager"
|
|
- "kube-controller"
|
|
- "hyperkube controller-manager"
|
|
- "hyperkube kube-controller-manager"
|
|
- "controller-manager"
|
|
confs:
|
|
- /etc/kubernetes/manifests/kube-controller-manager.yaml
|
|
- /etc/kubernetes/manifests/kube-controller-manager.manifest
|
|
defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
|
|
|
|
etcd:
|
|
optional: true
|
|
bins:
|
|
- "etcd"
|
|
confs:
|
|
- /etc/kubernetes/manifests/etcd.yaml
|
|
- /etc/kubernetes/manifests/etcd.manifest
|
|
- /etc/etcd/etcd.conf
|
|
defaultconf: /etc/kubernetes/manifests/etcd.yaml
|
|
|
|
flanneld:
|
|
optional: true
|
|
bins:
|
|
- flanneld
|
|
defaultconf: /etc/sysconfig/flanneld
|
|
|
|
node:
|
|
components:
|
|
- kubelet
|
|
- proxy
|
|
# kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
|
|
- kubernetes
|
|
|
|
kubernetes:
|
|
defaultconf: "/etc/kubernetes/config"
|
|
|
|
kubelet:
|
|
cafile:
|
|
- "/etc/kubernetes/pki/ca.crt"
|
|
- "/etc/kubernetes/certs/ca.crt"
|
|
- "/etc/kubernetes/cert/ca.pem"
|
|
svc:
|
|
# These paths must also be included
|
|
# in the 'confs' property below
|
|
- "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
|
|
- "/etc/systemd/system/kubelet.service"
|
|
- "/lib/systemd/system/kubelet.service"
|
|
bins:
|
|
- "hyperkube kubelet"
|
|
- "kubelet"
|
|
kubeconfig:
|
|
- "/etc/kubernetes/kubelet.conf"
|
|
- "/var/lib/kubelet/kubeconfig"
|
|
- "/etc/kubernetes/kubelet-kubeconfig"
|
|
confs:
|
|
- "/var/lib/kubelet/config.yaml"
|
|
- "/etc/kubernetes/kubelet/kubelet-config.json"
|
|
- "/home/kubernetes/kubelet-config.yaml"
|
|
- "/etc/default/kubelet"
|
|
- "/var/lib/kubelet/kubeconfig"
|
|
## Due to the fact that the kubelet might be configured
|
|
## without a kubelet-config file, we use a work-around
|
|
## of pointing to the systemd service file (which can also
|
|
## hold kubelet configuration).
|
|
## Note: The following paths must match the one under 'svc'
|
|
- "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
|
|
- "/etc/systemd/system/kubelet.service"
|
|
- "/lib/systemd/system/kubelet.service"
|
|
defaultconf: "/var/lib/kubelet/config.yaml"
|
|
defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
|
|
defaultkubeconfig: "/etc/kubernetes/kubelet.conf"
|
|
defaultcafile: "/etc/kubernetes/pki/ca.crt"
|
|
|
|
proxy:
|
|
optional: true
|
|
bins:
|
|
- "kube-proxy"
|
|
- "hyperkube proxy"
|
|
- "hyperkube kube-proxy"
|
|
- "proxy"
|
|
confs:
|
|
- /etc/kubernetes/proxy
|
|
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
|
kubeconfig:
|
|
- /etc/kubernetes/kubelet-kubeconfig
|
|
svc:
|
|
- "/lib/systemd/system/kube-proxy.service"
|
|
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
|
defaultkubeconfig: "/etc/kubernetes/proxy.conf" |