Alexey Pyltsyn authored
# Test and config files

`kube-bench` runs checks specified in `controls` files that are a YAML representation of the CIS Kubernetes Benchmark checks. There is a `controls` file per Kubernetes version and node type.

`controls` for the various versions of Kubernetes can be found in directories with the same name as the Kubernetes versions under `cfg/`, for example `cfg/1.12`.

`controls` are also organized by distribution under the `cfg` directory, for example `cfg/ocp-3.10`.
## Controls

`controls` is a YAML document that contains checks that must be run against a specific Kubernetes node type (master or node) and version. `controls` is the fundamental input to `kube-bench`. The following is an example of a basic `controls` file:
```yaml
---
controls:
id: 1
text: "Master Node Security Configuration"
type: "master"
groups:
- id: 1.1
  text: API Server
  checks:
    - id: 1.1.1
      text: "Ensure that the --allow-privileged argument is set (Scored)"
      audit: "ps -ef | grep kube-apiserver | grep -v grep"
      tests:
        bin_op: or
        test_items:
          - flag: "--allow-privileged"
            set: true
          - flag: "--some-other-flag"
            set: false
      remediation: "Edit the /etc/kubernetes/config file on the master node and
        set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
      scored: true
- id: 1.2
  text: Scheduler
  checks:
    - id: 1.2.1
      text: "Ensure that the --profiling argument is set to false (Scored)"
      audit: "ps -ef | grep kube-scheduler | grep -v grep"
      tests:
        bin_op: or
        test_items:
          - flag: "--profiling"
            set: true
          - flag: "--some-other-flag"
            set: false
      remediation: "Edit the /etc/kubernetes/config file on the master node and
        set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
      scored: true
```
`controls` is composed of a hierarchy of groups, sub-groups and checks. Each of the `controls` components has an id and a text description, which are displayed in the `kube-bench` output.

`type` specifies what Kubernetes node type a `controls` file is for. Possible values for `type` are `master` and `node`.
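As an added illustration (not kube-bench's own code), the following Python evaluates the `test_items` of check 1.1.1 above against a constructed line of `ps` output, applying the `set: true` / `set: false` and `bin_op` semantics the example relies on. The audit output and the dict form of the check are hand-written here, and the `and` default for a missing `bin_op` is an assumption.

```python
import re

# Constructed sample: one line of "ps -ef | grep kube-apiserver" output, written by
# hand to stand in for the audit command's result (not captured from a real cluster).
SAMPLE_AUDIT_OUTPUT = (
    "root  1234  1  0 10:00 ?  00:01:23 kube-apiserver "
    "--advertise-address=10.0.0.1 --allow-privileged=true --authorization-mode=RBAC"
)

# Check 1.1.1 from the controls example, as a dict mirroring the parsed YAML
# (hand-written so this example needs no YAML library).
CHECK_1_1_1 = {
    "id": "1.1.1",
    "tests": {
        "bin_op": "or",
        "test_items": [
            {"flag": "--allow-privileged", "set": True},
            {"flag": "--some-other-flag", "set": False},
        ],
    },
}


def flag_present(flag, output):
    """True if flag appears as a whole argument: `--flag` or `--flag=value`."""
    return re.search(r"(^|\s)" + re.escape(flag) + r"(=|\s|$)", output) is not None


def evaluate_test_item(item, output):
    """set: true passes when the flag is present; set: false passes when it is absent."""
    return flag_present(item["flag"], output) == item.get("set", True)


def evaluate_check(check, output):
    """Combine test_item results with bin_op ("or" = any; otherwise all, the assumed default)."""
    tests = check["tests"]
    results = [evaluate_test_item(item, output) for item in tests["test_items"]]
    if tests.get("bin_op", "and") == "or":
        return any(results)
    return all(results)


if __name__ == "__main__":
    status = "PASS" if evaluate_check(CHECK_1_1_1, SAMPLE_AUDIT_OUTPUT) else "FAIL"
    print(f"[{status}] {CHECK_1_1_1['id']}")
```

Note that `--some-other-flag` is never present, so its `set: false` item always passes and, under `bin_op: or`, so does the whole check regardless of `--allow-privileged`; a real check needs every `test_item` to express a condition that can actually fail.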