From 946a48ca74fb400e6ae00f52b4d6123d077a690a Mon Sep 17 00:00:00 2001
From: Nick Keenan <nkeenan38@gmail.com>
Date: Mon, 30 Aug 2021 06:33:59 -0600
Subject: [PATCH] Fix 4.1.9, skip irremediable checks, add /home/kubernetes
 mount (#976)

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
---
 cfg/gke-1.0/node.yaml | 88 +++++--------------------------------------
 job-gke.yaml          |  9 +++++
 2 files changed, 18 insertions(+), 79 deletions(-)

diff --git a/cfg/gke-1.0/node.yaml b/cfg/gke-1.0/node.yaml
index 95021ae..1d6b3b6 100644
--- a/cfg/gke-1.0/node.yaml
+++ b/cfg/gke-1.0/node.yaml
@@ -78,7 +78,7 @@ groups:
             - flag: "permissions"
               set: true
               compare:
-                op: eq
+                op: bitmask
                 value: "644"
         remediation: |
           Run the following command (using the config file location identified in the Audit step)
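Review bot: The switch from `op: eq` to `op: bitmask` on the `permissions` test changes the pass condition from "exactly 644" to "no permission bit set outside 644", which matches the "644 or more restrictive" wording of this control, but nothing in the file says so and a later reader may revert it to `eq` thinking it is looser. I would put the intent next to the comparison, e.g. `# bitmask: pass when the file is 644 or more restrictive (no bit outside 0644 set)` above `op: bitmask`. The exact bitmask semantics are kube-bench's and are not shown here, so confirm the wording against the comparator before committing the comment. The enclosing check (4.1.9, per the subject line) starts above this hunk.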
@@ -167,24 +167,8 @@ groups:
 
       - id: 4.2.4
         text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
-        audit: "/bin/ps -fC $kubeletbin"
-        audit_config: "/bin/cat $kubeletconf"
-        tests:
-          test_items:
-            - flag: "--read-only-port"
-              path: '{.readOnlyPort}'
-              compare:
-                op: eq
-                value: 0
-        remediation: |
-          If using a Kubelet config file, edit the file to set readOnlyPort to 0.
-          If using command line arguments, edit the kubelet service file
-          $kubeletsvc on each worker node and
-          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
-          --read-only-port=0
-          Based on your system, restart the kubelet service. For example:
-          systemctl daemon-reload
-          systemctl restart kubelet.service
+        type: skip
+        remediation: "This control cannot be modified in GKE."
         scored: true
 
       - id: 4.2.5
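Review bot: Turning 4.2.4 into `type: skip` drops the audit entirely, so the report no longer shows whether the kubelet read-only port is actually disabled on the node, while the control is still declared `scored: true`. A check that the operator cannot remediate is still worth observing: keeping the removed `audit`/`audit_config`/`tests` stanza and changing only `scored: true` to `scored: false` would keep the measured value in the output without counting a failure against the score (assuming unscored failures are reported as warnings, which I cannot confirm from this file). The replacement remediation string also gives the reader nothing to act on; something like `remediation: "Kubelet flags are managed by GKE and are not user-configurable on the node; review the reported value only."` at least states why it is informational. The commit message says these checks are "irremediable", but the patch does not record the source for that claim.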
@@ -216,25 +200,8 @@ groups:
 
       - id: 4.2.6
         text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
-        audit: "/bin/ps -fC $kubeletbin"
-        audit_config: "/bin/cat $kubeletconf"
-        tests:
-          test_items:
-            - flag: --protect-kernel-defaults
-              path: '{.protectKernelDefaults}'
-              compare:
-                op: eq
-                value: true
-        remediation: |
-          If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
-          If using command line arguments, edit the kubelet service file
-          $kubeletsvc on each worker node and
-          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
-          --protect-kernel-defaults=true
-          Based on your system, restart the kubelet service. For example:
-          systemctl daemon-reload
-          systemctl restart kubelet.service
-        scored: true
+        type: skip
+        remediation: "This control cannot be modified in GKE."
 
       - id: 4.2.7
         text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored) "
@@ -280,50 +247,13 @@ groups:
 
       - id: 4.2.9
         text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Scored)"
-        audit: "/bin/ps -fC $kubeletbin"
-        audit_config: "/bin/cat $kubeletconf"
-        tests:
-          test_items:
-            - flag: --event-qps
-              path: '{.eventRecordQPS}'
-              set: true
-              compare:
-                op: eq
-                value: 0
-        remediation: |
-          If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
-          If using command line arguments, edit the kubelet service file
-          $kubeletsvc on each worker node and
-          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
-          Based on your system, restart the kubelet service. For example:
-          systemctl daemon-reload
-          systemctl restart kubelet.service
-        scored: true
+        type: skip
+        remediation: "This control cannot be modified in GKE."
 
       - id: 4.2.10
         text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
-        audit: "/bin/ps -fC $kubeletbin"
-        audit_config: "/bin/cat $kubeletconf"
-        tests:
-          bin_op: and
-          test_items:
-            - flag: --tls-cert-file
-              path: '{.tlsCertFile}'
-            - flag: --tls-private-key-file
-              path: '{.tlsPrivateKeyFile}'
-        remediation: |
-          If using a Kubelet config file, edit the file to set tlsCertFile to the location
-          of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile
-          to the location of the corresponding private key file.
-          If using command line arguments, edit the kubelet service file
-          $kubeletsvc on each worker node and
-          set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
-          --tls-cert-file=<path/to/tls-certificate-file>
-          --tls-private-key-file=<path/to/tls-key-file>
-          Based on your system, restart the kubelet service. For example:
-          systemctl daemon-reload
-          systemctl restart kubelet.service
-        scored: true
+        type: skip
+        remediation: "This control cannot be modified in GKE."
 
       - id: 4.2.11
         text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
diff --git a/job-gke.yaml b/job-gke.yaml
index 3c38722..8a1b6f0 100644
--- a/job-gke.yaml
+++ b/job-gke.yaml
@@ -14,10 +14,16 @@ spec:
           volumeMounts:
             - name: var-lib-kubelet
               mountPath: /var/lib/kubelet
+              readOnly: true
             - name: etc-systemd
               mountPath: /etc/systemd
+              readOnly: true
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
+              readOnly: true
+            - name: home-kubernetes
+              mountPath: /home/kubernetes
+              readOnly: true
       restartPolicy: Never
       volumes:
         - name: var-lib-kubelet
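Review bot: Adding `readOnly: true` to the three existing hostPath mounts and the new `/home/kubernetes` mount is the right default for an audit job, since none of the benchmark checks need to write to node configuration; keep this. The new mount is undocumented, though: nothing in the patch says which check reads from `/home/kubernetes`, and the commit title only says the mount was added. A short comment above `- name: home-kubernetes`, such as `# GKE node images keep kubelet configuration under /home/kubernetes; required by the node checks` (confirm the exact reason with whoever hit the missing path), would save the next maintainer from deleting it as unused.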
@@ -29,3 +35,6 @@ spec:
         - name: etc-kubernetes
           hostPath:
             path: "/etc/kubernetes"
+        - name: home-kubernetes
+          hostPath:
+            path: "/home/kubernetes"
-- 
GitLab