
data

    Liz Rice authored
    e8579ade
    data 3.51 KiB
    ---
    # Fixture describing one control set ("Master Checks", type "master") with a
    # single group (1.1, "Kube-apiserver") and fourteen checks (ids 0-13).
    # Each check exercises one shape of test definition: presence/absence of a
    # flag (`set`), a value comparison (`compare.op`: eq, gte, lt, nothave, has),
    # or several items combined with `bin_op` (and / or).
    # The command lines these checks are evaluated against are not in this file.
    #
    # NOTE(review): `controls:` has no value (YAML null), and id/text/type/groups
    # are its siblings at the top level, not children. Presumably the consumer
    # reads the top-level keys directly -- confirm.
    controls:
    id: 1
    text: "Master Checks"
    type: "master"
    groups:
    # NOTE(review): unquoted 1.1 is a float to a generic YAML parser; an id such
    # as 1.10 would collapse to 1.1. Quote ids if the consumer treats them as
    # strings -- confirm against the loader.
    - id: 1.1
      text: "Kube-apiserver"
      checks:
        # Presence only: passes on `set: true` without looking at the value.
        # NOTE(review): this asserts the flag appears; it is a fixture, not a
        # recommendation to enable privileged containers.
        - id: 0
          text: "flag is set"
          tests:
            test_items:
              - flag: "--allow-privileged"
                set: true
    
        # Absence check (`set: false`).
        # NOTE(review): the key below is `test_item` (singular); every other
        # check uses `test_items`. If the loader ignores unknown keys, this check
        # would carry no test items and could pass without evaluating anything.
        # Looks like a typo -- confirm and verify what the consumer does with an
        # empty item list.
        - id: 1
          text: "flag is not set"
          tests:
            test_item:
              - flag: "--basic-auth"
                set: false
    
        # Equality against an unquoted integer 0.
        # NOTE(review): other checks compare against quoted strings ("644");
        # confirm the consumer normalises the type before comparing.
        - id: 2
          text: "flag value is set to some value"
          tests:
            test_items:
              - flag: "--insecure-port"
                compare:
                  op: eq
                  value: 0
                set: true
    
        # Numeric lower bound: op gte with value 30.
        - id: 3
          text: "flag value is greater than or equal some number"
          tests:
            test_items:
              - flag: "--audit-log-maxage"
                compare:
                  op: gte
                  value: 30
                set: true
    
        # Numeric strict upper bound: op lt with value 30.
        - id: 4
          text: "flag value is less than some number"
          tests:
            test_items:
              - flag: "--max-backlog"
                compare:
                  op: lt
                  value: 30
                set: true
    
        # Negative membership: op nothave with value AlwaysAdmit.
        # NOTE(review): whether `nothave` matches whole list entries or
        # substrings is not visible here -- confirm, since a substring match
        # could mis-handle plugin names that contain one another.
        - id: 5
          text: "flag value does not have some value"
          tests:
            test_items:
              - flag: "--admission-control"
                compare:
                  op: nothave
                  value: AlwaysAdmit
                set: true
    
        # Both items must hold (bin_op: and).
        # The sequence below is flush with `test_items:` while most other checks
        # indent it; both forms parse to the same structure.
        # NOTE(review): "--kubelet-clientkey" is hyphenated differently from
        # "--kubelet-client-certificate" (the real kube-apiserver flag is
        # --kubelet-client-key). Presumably it matches the input the tests feed
        # in -- verify before reusing this item in a real benchmark.
        - id: 6
          text: "test AND binary operation"
          tests:
            bin_op: and
            test_items:
            - flag: "--kubelet-client-certificate"
              set: true
            - flag: "--kubelet-clientkey"
              set: true
    
        # Either item may hold (bin_op: or): the flag equals 0, or it is absent.
        # The double space after `flag:` and the bare `-` on its own line are
        # cosmetic; both parse like the `- flag: ...` form used elsewhere.
        - id: 7
          text: "test OR binary operation"
          tests:
            bin_op: or
            test_items:
              - flag:  "--secure-port"
                compare:
                  op: eq
                  value: 0
                set: true
              -
                flag: "--secure-port"
                set: false
    
        # Here `flag` is the literal text "644", not a command-line option; the
        # value is quoted so it stays a string instead of becoming an integer.
        - id: 8
          text: "test flag with arbitrary text"
          tests:
            test_items:
            - flag: "644"
              compare:
                op: eq
                value: "644"
              set: true
    
        # The only check with its own `audit` command: if $config exists, print
        # its permission bits in octal (stat -c %a). Modes 644, 640 and 600 are
        # accepted through bin_op: or.
        # NOTE(review): $config is unquoted inside the sh -c string and is
        # presumably substituted by the consumer before execution. Confirm it
        # only ever comes from trusted configuration; a path containing spaces
        # or shell metacharacters would change the command that runs.
        # NOTE(review): when the file is missing the command prints nothing, so
        # no item can match -- confirm that this is reported as a failure and
        # not skipped.
        - id: 9
          text: "test permissions"
          audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
          tests:
            bin_op: or
            test_items:
            - flag: "644"
              compare:
                op: eq
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
    
        # Checks 10-13: op has against a comma-separated flag value. The position
        # named in each `text` (last, first, middle, only entry) depends on the
        # input supplied by the tests, which is not part of this file.
        - id: 10
          text: "flag value includes some value in a comma-separated list, value is last in list"
          tests:
            test_items:
              - flag: "--admission-control"
                compare:
                  op: has
                  value: RBAC
                set: true
    
        - id: 11
          text: "flag value includes some value in a comma-separated list, value is first in list"
          tests:
            test_items:
              - flag: "--admission-control"
                compare:
                  op: has
                  value: WebHook
                set: true
    
        - id: 12
          text: "flag value includes some value in a comma-separated list, value middle of list"
          tests:
            test_items:
              - flag: "--admission-control"
                compare:
                  op: has
                  value: Something
                set: true
    
        # Same item as check 12 (value Something); only the `text` differs here.
        - id: 13
          text: "flag value includes some value in a comma-separated list, value only one in list"
          tests:
            test_items:
              - flag: "--admission-control"
                compare:
                  op: has
                  value: Something
                set: true