mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-17 05:19:27 +00:00
e4d6ed2e8e
* Add example IAM policy * Pass RotateKubeletServerCertificate related checks if it's not found (#767) * Allow for environment variables to be checked in tests (#755) * Initial commit for checking environment variables for etcd * Revert config changes * Remove redundant struct data * Fix issues with failing tests * Initial changes based on code review * Add option to disable envTesting + Update docs * Initial tests * Finished testing * Fix broken tests * Add a total summary and always show all tests. (#759) Whether the total summary is shown can be specified with an option. Fixes #528 Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud> * Update Readme.md file with link to Contribution guide (#754) * Update License with the year and the owner name Please add this to make your license agreement strong * Updated Readme.md file with license and proper documentation links I have added a proper license agreement to the documentation. Also shortened the links to the issues so that it does not break in any on the forks. * Update LICENSE * Update README.md * Update README.md * Remove erroneous license info Co-authored-by: Liz Rice <liz@lizrice.com> * Support auto-detect platform when running on EKS or GKE (#683) * Support auto-detect platform when running on EKS or GKE * Change to get platform name from `kubectl version` * fix regexp and add test * Update Server Version match for EKS * try to get version info from api sever at first * Refactor group skip changed group 'skip' from being a bool to be 'type' string as done in check * Change skip: true -> type: skip Co-authored-by: Huang Huang <mozillazg101@gmail.com> Co-authored-by: Wicked <jason_attwood@hotmail.co.uk> Co-authored-by: Christian Zunker <827818+czunker@users.noreply.github.com> Co-authored-by: Kaiwalya Koparkar <kaiwalyakoparkar@gmail.com> Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
69 lines
3.9 KiB
Plaintext
69 lines
3.9 KiB
Plaintext
[INFO] 4 Worker Node Security Configuration
|
|
[INFO] 4.1 Worker Node Configuration Files
|
|
[PASS] 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)
|
|
[PASS] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Scored)
|
|
[PASS] 4.1.3 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
|
|
[PASS] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
|
|
[PASS] 4.1.5 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
|
|
[PASS] 4.1.6 Ensure that the kubelet.conf file ownership is set to root:root (Scored)
|
|
[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
|
[PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
|
|
[PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
|
|
[PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
|
|
[INFO] 4.2 Kubelet
|
|
[PASS] 4.2.1 Ensure that the anonymous-auth argument is set to false (Scored)
|
|
[PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
|
|
[PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Scored)
|
|
[PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Scored)
|
|
[PASS] 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)
|
|
[FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Scored)
|
|
[PASS] 4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Scored)
|
|
[PASS] 4.2.8 Ensure that the --hostname-override argument is not set (Not Scored)
|
|
[WARN] 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Not Scored)
|
|
[FAIL] 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
|
|
[PASS] 4.2.11 Ensure that the --rotate-certificates argument is not set to false (Scored)
|
|
[PASS] 4.2.12 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
|
|
[PASS] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)
|
|
|
|
== Remediations node ==
|
|
4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
|
|
If using command line arguments, edit the kubelet service file
|
|
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
|
|
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
|
--protect-kernel-defaults=true
|
|
Based on your system, restart the kubelet service. For example:
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
|
|
4.2.9 If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
|
|
If using command line arguments, edit the kubelet service file
|
|
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
|
|
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
|
Based on your system, restart the kubelet service. For example:
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
|
|
4.2.10 If using a Kubelet config file, edit the file to set tlsCertFile to the location
|
|
of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile
|
|
to the location of the corresponding private key file.
|
|
If using command line arguments, edit the kubelet service file
|
|
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
|
|
set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
|
|
--tls-cert-file=<path/to/tls-certificate-file>
|
|
--tls-private-key-file=<path/to/tls-key-file>
|
|
Based on your system, restart the kubelet service. For example:
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
|
|
|
|
== Summary node ==
|
|
20 checks PASS
|
|
2 checks FAIL
|
|
1 checks WARN
|
|
0 checks INFO
|
|
|
|
== Summary total ==
|
|
20 checks PASS
|
|
2 checks FAIL
|
|
1 checks WARN
|
|
0 checks INFO |