diff --git a/cfg/cis-1.6/master.yaml b/cfg/cis-1.6/master.yaml
index e4f971a40d36c4880763b7a664924341dc769b00..726df72c8e3da4176c9c6911f3fdbbb2750b2ee3 100644
--- a/cfg/cis-1.6/master.yaml
+++ b/cfg/cis-1.6/master.yaml
@@ -120,8 +120,16 @@ groups:
- id: 1.1.9
text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)"
- audit: "stat -c permissions=%a <path/to/cni/files>"
- type: "manual"
+ audit: |
+ ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs stat -c permissions=%a
+ find /var/lib/cni/networks -type f | xargs --no-run-if-empty stat -c permissions=%a
+ use_multiple_values: true
+ tests:
+ test_items:
+ - flag: "permissions"
+ compare:
+ op: bitmask
+ value: "644"
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
@@ -130,8 +138,13 @@ groups:
- id: 1.1.10
text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
- audit: "stat -c %U:%G <path/to/cni/files>"
- type: "manual"
+ audit: |
+ ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs stat -c %U:%G
+ find /var/lib/cni/networks -type f | xargs --no-run-if-empty stat -c %U:%G
+ use_multiple_values: true
+ tests:
+ test_items:
+ - flag: "root:root"
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
diff --git a/cfg/config.yaml b/cfg/config.yaml
index 328590d2c9175f1b12db7287f947756efc8a6867..a97165fc677d8c4a21a12c5e4da81f2cea63c9ee 100644
--- a/cfg/config.yaml
+++ b/cfg/config.yaml
@@ -15,6 +15,7 @@ master:
- flanneld
# kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
- kubernetes
+ - kubelet
kubernetes:
defaultconf: /etc/kubernetes/config
@@ -53,6 +54,8 @@ master:
defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
kubeconfig:
- /etc/kubernetes/scheduler.conf
+ - /var/lib/kube-scheduler/kubeconfig
+ - /var/lib/kube-scheduler/config.yaml
defaultkubeconfig: /etc/kubernetes/scheduler.conf
controllermanager:
@@ -73,6 +76,7 @@ master:
defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
kubeconfig:
- /etc/kubernetes/controller-manager.conf
+ - /var/lib/kube-controller-manager/kubeconfig
defaultkubeconfig: /etc/kubernetes/controller-manager.conf
etcd:
@@ -97,6 +101,12 @@ master:
- flanneld
defaultconf: /etc/sysconfig/flanneld
+ kubelet:
+ optional: true
+ bins:
+ - "hyperkube kubelet"
+ - "kubelet"
+
node:
components:
- kubelet
diff --git a/job-master.yaml b/job-master.yaml
index 415450670f0b31aa32c0930e026358787fb38581..347d9f07829bd971185f72f0f9f08e7fe12b721f 100644
--- a/job-master.yaml
+++ b/job-master.yaml
@@ -21,6 +21,24 @@ spec:
- name: var-lib-etcd
mountPath: /var/lib/etcd
readOnly: true
+ - name: var-lib-kubelet
+ mountPath: /var/lib/kubelet
+ readOnly: true
+ - name: var-lib-kube-scheduler
+ mountPath: /var/lib/kube-scheduler
+ readOnly: true
+ - name: var-lib-kube-controller-manager
+ mountPath: /var/lib/kube-controller-manager
+ readOnly: true
+ - name: etc-systemd
+ mountPath: /etc/systemd
+ readOnly: true
+ - name: lib-systemd
+ mountPath: /lib/systemd/
+ readOnly: true
+ - name: srv-kubernetes
+ mountPath: /srv/kubernetes/
+ readOnly: true
- name: etc-kubernetes
mountPath: /etc/kubernetes
readOnly: true
@@ -29,14 +47,44 @@ spec:
- name: usr-bin
mountPath: /usr/local/mount-from-host/bin
readOnly: true
+ - name: etc-cni-netd
+ mountPath: /etc/cni/net.d/
+ readOnly: true
+ - name: opt-cni-bin
+ mountPath: /opt/cni/bin/
+ readOnly: true
restartPolicy: Never
volumes:
- name: var-lib-etcd
hostPath:
path: "/var/lib/etcd"
+ - name: var-lib-kubelet
+ hostPath:
+ path: "/var/lib/kubelet"
+ - name: var-lib-kube-scheduler
+ hostPath:
+ path: "/var/lib/kube-scheduler"
+ - name: var-lib-kube-controller-manager
+ hostPath:
+ path: "/var/lib/kube-controller-manager"
+ - name: etc-systemd
+ hostPath:
+ path: "/etc/systemd"
+ - name: lib-systemd
+ hostPath:
+ path: "/lib/systemd"
+ - name: srv-kubernetes
+ hostPath:
+ path: "/srv/kubernetes"
- name: etc-kubernetes
hostPath:
path: "/etc/kubernetes"
- name: usr-bin
hostPath:
path: "/usr/bin"
+ - name: etc-cni-netd
+ hostPath:
+ path: "/etc/cni/net.d/"
+ - name: opt-cni-bin
+ hostPath:
+ path: "/opt/cni/bin/"
diff --git a/job-node.yaml b/job-node.yaml
index 6d4bbcee55b6b3cf261b547eba032724e08e05fe..a9307482e91db0bb5bf84ad898394e5516239d66 100644
--- a/job-node.yaml
+++ b/job-node.yaml
@@ -12,12 +12,27 @@ spec:
image: aquasec/kube-bench:latest
command: ["kube-bench", "run", "--targets=node"]
volumeMounts:
+ - name: var-lib-etcd
+ mountPath: /var/lib/etcd
+ readOnly: true
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
readOnly: true
+ - name: var-lib-kube-scheduler
+ mountPath: /var/lib/kube-scheduler
+ readOnly: true
+ - name: var-lib-kube-controller-manager
+ mountPath: /var/lib/kube-controller-manager
+ readOnly: true
- name: etc-systemd
mountPath: /etc/systemd
readOnly: true
+ - name: lib-systemd
+ mountPath: /lib/systemd/
+ readOnly: true
+ - name: srv-kubernetes
+ mountPath: /srv/kubernetes/
+ readOnly: true
- name: etc-kubernetes
mountPath: /etc/kubernetes
readOnly: true
@@ -26,17 +41,44 @@ spec:
- name: usr-bin
mountPath: /usr/local/mount-from-host/bin
readOnly: true
+ - name: etc-cni-netd
+ mountPath: /etc/cni/net.d/
+ readOnly: true
+ - name: opt-cni-bin
+ mountPath: /opt/cni/bin/
+ readOnly: true
restartPolicy: Never
volumes:
+ - name: var-lib-etcd
+ hostPath:
+ path: "/var/lib/etcd"
- name: var-lib-kubelet
hostPath:
path: "/var/lib/kubelet"
+ - name: var-lib-kube-scheduler
+ hostPath:
+ path: "/var/lib/kube-scheduler"
+ - name: var-lib-kube-controller-manager
+ hostPath:
+ path: "/var/lib/kube-controller-manager"
- name: etc-systemd
hostPath:
path: "/etc/systemd"
+ - name: lib-systemd
+ hostPath:
+ path: "/lib/systemd"
+ - name: srv-kubernetes
+ hostPath:
+ path: "/srv/kubernetes"
- name: etc-kubernetes
hostPath:
path: "/etc/kubernetes"
- name: usr-bin
hostPath:
path: "/usr/bin"
+ - name: etc-cni-netd
+ hostPath:
+ path: "/etc/cni/net.d/"
+ - name: opt-cni-bin
+ hostPath:
+ path: "/opt/cni/bin/"
diff --git a/job.yaml b/job.yaml
index ec42ba16c2559579c56dce2b1989f2b7f26a296d..a79af59879becef7297b158c8d69f21ef03609ee 100644
--- a/job.yaml
+++ b/job.yaml
@@ -21,9 +21,21 @@ spec:
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
readOnly: true
+ - name: var-lib-kube-scheduler
+ mountPath: /var/lib/kube-scheduler
+ readOnly: true
+ - name: var-lib-kube-controller-manager
+ mountPath: /var/lib/kube-controller-manager
+ readOnly: true
- name: etc-systemd
mountPath: /etc/systemd
readOnly: true
+ - name: lib-systemd
+ mountPath: /lib/systemd/
+ readOnly: true
+ - name: srv-kubernetes
+ mountPath: /srv/kubernetes/
+ readOnly: true
- name: etc-kubernetes
mountPath: /etc/kubernetes
readOnly: true
@@ -32,6 +44,12 @@ spec:
- name: usr-bin
mountPath: /usr/local/mount-from-host/bin
readOnly: true
+ - name: etc-cni-netd
+ mountPath: /etc/cni/net.d/
+ readOnly: true
+ - name: opt-cni-bin
+ mountPath: /opt/cni/bin/
+ readOnly: true
restartPolicy: Never
volumes:
- name: var-lib-etcd
@@ -40,12 +58,30 @@ spec:
- name: var-lib-kubelet
hostPath:
path: "/var/lib/kubelet"
+ - name: var-lib-kube-scheduler
+ hostPath:
+ path: "/var/lib/kube-scheduler"
+ - name: var-lib-kube-controller-manager
+ hostPath:
+ path: "/var/lib/kube-controller-manager"
- name: etc-systemd
hostPath:
path: "/etc/systemd"
+ - name: lib-systemd
+ hostPath:
+ path: "/lib/systemd"
+ - name: srv-kubernetes
+ hostPath:
+ path: "/srv/kubernetes"
- name: etc-kubernetes
hostPath:
path: "/etc/kubernetes"
- name: usr-bin
hostPath:
path: "/usr/bin"
+ - name: etc-cni-netd
+ hostPath:
+ path: "/etc/cni/net.d/"
+ - name: opt-cni-bin
+ hostPath:
+ path: "/opt/cni/bin/"