From 65fb352e0e2bc7783d0a772f587149752981f1eb Mon Sep 17 00:00:00 2001
From: Huang Huang <mozillazg101@gmail.com>
Date: Tue, 18 Feb 2020 22:37:50 +0800
Subject: [PATCH] Change to checking `--disable-admission-plugins` for
 cis-1.4-1.1.27 and cis-1.5-1.2.14 (#584)

Fixes #582
---
 cfg/cis-1.4/master.yaml              |  6 +++---
 cfg/cis-1.5/master.yaml              |  6 +++---
 integration/testdata/job-master.data | 12 +++---------
 integration/testdata/job.data        | 12 +++---------
 4 files changed, 12 insertions(+), 24 deletions(-)

diff --git a/cfg/cis-1.4/master.yaml b/cfg/cis-1.4/master.yaml
index fff55a8..8c030f7 100644
--- a/cfg/cis-1.4/master.yaml
+++ b/cfg/cis-1.4/master.yaml
@@ -447,12 +447,12 @@ groups:
         tests:
           bin_op: or
           test_items:
-            - flag: "--enable-admission-plugins"
+            - flag: "--disable-admission-plugins"
               compare:
-                op: has
+                op: nothave
                 value: "ServiceAccount"
               set: true
-            - flag: "--enable-admission-plugins"
+            - flag: "--disable-admission-plugins"
               set: false
         remediation: |
           Follow the documentation and create ServiceAccount objects as per your environment.
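Review bot: The remediation text is not updated to match the new test: the `remediation: |` block that begins on the last line of the hunk still instructs the operator to set `--enable-admission-plugins` to a value including ServiceAccount (the lines deleted from integration/testdata/job-master.data show its full wording), while the check now passes or fails on `--disable-admission-plugins`; the remainder of that block is outside the hunk. I would reword the relevant sentence to `on the master node and ensure that the --disable-admission-plugins parameter is not set to a value that includes ServiceAccount.` The same mismatch applies to the cfg/cis-1.5/master.yaml hunk for 1.2.14. Also worth a short comment above the second test item, e.g. `# absent flag passes: ServiceAccount is in the default admission set`, since `set: false` only holds if the default plugin set really includes it; a cluster still driven by the deprecated `--admission-control` flag without ServiceAccount would presumably pass this check, which I cannot confirm from the hunk.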
diff --git a/cfg/cis-1.5/master.yaml b/cfg/cis-1.5/master.yaml
index 28e31ab..a6ad3bc 100644
--- a/cfg/cis-1.5/master.yaml
+++ b/cfg/cis-1.5/master.yaml
@@ -755,12 +755,12 @@ groups:
         tests:
           bin_op: or
           test_items:
-            - flag: "--enable-admission-plugins"
+            - flag: "--disable-admission-plugins"
               compare:
-                op: has
+                op: nothave
                 value: "ServiceAccount"
               set: true
-            - flag: "--enable-admission-plugins"
+            - flag: "--disable-admission-plugins"
               set: false
         remediation: |
           Follow the documentation and create ServiceAccount objects as per your environment.
diff --git a/integration/testdata/job-master.data b/integration/testdata/job-master.data
index e4c136d..c5b8d07 100644
--- a/integration/testdata/job-master.data
+++ b/integration/testdata/job-master.data
@@ -26,7 +26,7 @@
 [FAIL] 1.1.24 Ensure that the admission control plugin PodSecurityPolicy is set (Scored)
 [PASS] 1.1.25 Ensure that the --service-account-key-file argument is set as appropriate (Scored)
 [PASS] 1.1.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)
-[FAIL] 1.1.27 Ensure that the admission control plugin ServiceAccount is set(Scored)
+[PASS] 1.1.27 Ensure that the admission control plugin ServiceAccount is set(Scored)
 [PASS] 1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
 [PASS] 1.1.29 Ensure that the --client-ca-file argument is set as appropriate (Scored)
 [PASS] 1.1.30 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
@@ -154,12 +154,6 @@ value that includes PodSecurityPolicy :
 --enable-admission-plugins=...,PodSecurityPolicy,...
 Then restart the API Server.
 
-1.1.27 Follow the documentation and create ServiceAccount objects as per your environment.
-Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --enable-admission-plugins parameter to a
-value that includes ServiceAccount.
---enable-admission-plugins=...,ServiceAccount,...
-
 1.1.31 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
 on the master node and set the below parameter.
 --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
@@ -327,7 +321,7 @@ Create a PSP as described in the Kubernetes documentation, ensuring that the .sp
 
 
 == Summary ==
-48 checks PASS
-18 checks FAIL
+49 checks PASS
+17 checks FAIL
 25 checks WARN
 1 checks INFO
\ No newline at end of file
diff --git a/integration/testdata/job.data b/integration/testdata/job.data
index 7d23193..1ecccca 100644
--- a/integration/testdata/job.data
+++ b/integration/testdata/job.data
@@ -26,7 +26,7 @@
 [FAIL] 1.1.24 Ensure that the admission control plugin PodSecurityPolicy is set (Scored)
 [PASS] 1.1.25 Ensure that the --service-account-key-file argument is set as appropriate (Scored)
 [PASS] 1.1.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)
-[FAIL] 1.1.27 Ensure that the admission control plugin ServiceAccount is set(Scored)
+[PASS] 1.1.27 Ensure that the admission control plugin ServiceAccount is set(Scored)
 [PASS] 1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
 [PASS] 1.1.29 Ensure that the --client-ca-file argument is set as appropriate (Scored)
 [PASS] 1.1.30 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
@@ -154,12 +154,6 @@ value that includes PodSecurityPolicy :
 --enable-admission-plugins=...,PodSecurityPolicy,...
 Then restart the API Server.
 
-1.1.27 Follow the documentation and create ServiceAccount objects as per your environment.
-Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --enable-admission-plugins parameter to a
-value that includes ServiceAccount.
---enable-admission-plugins=...,ServiceAccount,...
-
 1.1.31 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
 on the master node and set the below parameter.
 --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
@@ -327,8 +321,8 @@ Create a PSP as described in the Kubernetes documentation, ensuring that the .sp
 
 
 == Summary ==
-48 checks PASS
-18 checks FAIL
+49 checks PASS
+17 checks FAIL
 25 checks WARN
 1 checks INFO
 [INFO] 2 Worker Node Security Configuration
-- 
GitLab