Merge: Add oke support to Main #4
Merged (5 commits), Jun 13, 2024
1 change: 1 addition & 0 deletions cfg/config.yaml
Expand Up @@ -165,6 +165,7 @@ node:
- "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
- "/var/lib/rancher/k3s/agent/kubelet.kubeconfig"
confs:
- "/etc/kubernetes/kubelet-config.json"
- "/etc/kubernetes/kubelet-config.yaml"
- "/var/lib/kubelet/config.yaml"
- "/var/lib/kubelet/config.yml"
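Review bot: the new entry `- "/etc/kubernetes/kubelet-config.json"` is inserted ahead of `/etc/kubernetes/kubelet-config.yaml`, and kube-bench resolves `$kubeletconf` to the first listed path that exists on the node, so a node carrying both files will be audited against the JSON file. Confirm that precedence is intended for OKE, and consider a short comment next to the entry naming it as the OKE kubelet config location so the ordering is not undone by a later alphabetical tidy-up.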
90 changes: 48 additions & 42 deletions cfg/oke-1.26/node.yaml
@@ -1,16 +1,16 @@
---
controls:
version: "oke-1.26"
id: 3.1
text: "Worker Nodes"
id: 3
text: "Worker Node Security Configuration"
type: "node"
groups:
- id: 3.1
text: "Worker Node Configuration Files"
checks:
- id: 3.1.1
text: "Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Manual)"
audit: "stat -c %a /etc/kubernetes/kubelet.conf; stat -c %a /etc/kubernetes/bootstrap-kubelet.conf"
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
tests:
test_items:
- flag: "permissions"
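Review bot: check 3.1.1 is titled "Ensure that the kubeconfig file permissions are set to 644 or more restrictive", but its new audit `'/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '` inspects the proxy kubeconfig, which is what 3.1.2 already covers. If 3.1.1 is meant to be the kubelet kubeconfig check, the variable should be `$kubeletkubeconfig`; otherwise the title should say "proxy kubeconfig".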
Expand All @@ -22,9 +22,10 @@ groups:
For example,
chmod 644 $kubeletkubeconfig
scored: false

- id: 3.1.2
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Manual)"
audit: "stat -c %U:%G etc/kubernetes/kubelet.conf; stat -c %U:%G etc/kubernetes/bootstrap-kubelet.conf"
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
tests:
bin_op: or
test_items:
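Review bot: the remediation carried over at the top of this hunk, `chmod 644 $kubeletkubeconfig`, no longer matches the file the audit stats (`$proxykubeconfig` in the previous hunk), so a reader following it would fix the wrong file; align the two variables. Also, the blank line inserted before `- id: 3.1.2` is the only separator between checks in this list; either separate every check the same way or drop it.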
Expand All @@ -37,7 +38,7 @@ groups:
scored: false
- id: 3.1.3
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Manual)"
audit: "stat -c %a etc/kubernetes/kubelet.conf; stat -c %a etc/kubernetes/bootstrap-kubelet.conf"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
tests:
test_items:
- flag: "permissions"
Expand All @@ -51,7 +52,7 @@ groups:
scored: true
- id: 3.1.4
text: "Ensure that the kubelet configuration file ownership is set to root:root (Manual)"
audit: "stat -c %U:%G etc/kubernetes/kubelet.conf; stat -c %U:%G etc/kubernetes/bootstrap-kubelet.conf"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
tests:
test_items:
- flag: root:root
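Review bot: `scored: true` at the top of this hunk belongs to 3.1.3, whose title in the previous hunk reads "(Manual)", while 3.1.2, also "(Manual)", carries `scored: false`. Pick one convention for Manual checks so the summary counts are consistent across the section.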
Expand All @@ -64,8 +65,8 @@ groups:
checks:
- id: 3.2.1
text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
audit: "cat /etc/systemd/system/kubelet.service"
# audit_config: "/bin/cat $kubeletconf"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: "--anonymous-auth"
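Review bot: with `audit_config: "/bin/cat $kubeletconf"` now enabled on 3.2.1, the test item should also carry a `path:` expression (3.2.3 does this with `path: '{.authentication.x509.clientCAFile}'`) so the config-file output is evaluated when the flag is absent from the `ps` output; for this check that is `{.authentication.anonymous.enabled}`. Please also confirm that the kubelet binary names listed in cfg/config.yaml resolve `$kubeletbin` on OKE nodes, since `/bin/ps -fC $kubeletbin` returns nothing otherwise and every 3.2.x check would fall through to the config file. The quoted `"--anonymous-auth"` also differs in style from the unquoted flags used by the other checks in this file.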
Expand All @@ -75,7 +76,7 @@ groups:
value: false
remediation: |
If modifying the Kubelet service config file, edit the kubelet.service file
/etc/systemd/system/kubelet.service and set the below parameter
/etc/kubernetes/kubelet-config.json and set the below parameter
--anonymous-auth=false
Based on your system, restart the kubelet service and check status
systemctl daemon-reload
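Review bot: the replaced line now reads `/etc/kubernetes/kubelet-config.json and set the below parameter` followed by `--anonymous-auth=false`, while the sentence before it still says "edit the kubelet.service file". A JSON kubelet config file does not accept command-line flag syntax; either keep the systemd unit path for the flag form, or describe the config-file form (`authentication.anonymous.enabled: false`). The same search-and-replace appears in every remediation block of this file and needs the same treatment.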
Expand All @@ -84,8 +85,8 @@ groups:
scored: true
- id: 3.2.2
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
audit: "cat /etc/systemd/system/kubelet.service"
# audit_config: "/bin/cat $kubeletconf"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --authorization-mode
Expand All @@ -95,7 +96,7 @@ groups:
value: AlwaysAllow
remediation: |
iff modifying the Kubelet service config file, edit the kubelet.service file
/etc/systemd/system/kubelet.service and set the below parameter
/etc/kubernetes/kubelet-config.json and set the below parameter
--authorization-mode=Webhook
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
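Review bot: `iff modifying the Kubelet service config file` at the top of this hunk is a typo for "If" worth fixing while the block is being touched. As in 3.2.1, `--authorization-mode=Webhook` is flag syntax and cannot be placed in `/etc/kubernetes/kubelet-config.json`; the config-file equivalent is `authorization.mode: Webhook`.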
Expand All @@ -104,15 +105,15 @@ groups:
scored: true
- id: 3.2.3
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
audit: "cat /etc/systemd/system/kubelet.service"
# audit_config: "/bin/cat $kubeletconf"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --client-ca-file
path: '{.authentication.x509.clientCAFile}'
remediation: |
If modifying the Kubelet service config file, edit the kubelet.service file
/etc/systemd/system/kubelet.service and set the below parameter
/etc/kubernetes/kubelet-config.json and set the below parameter
--client-ca-file=/etc/kubernetes/ca.crt \
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
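Review bot: the remediation line `--client-ca-file=/etc/kubernetes/ca.crt \` ends with a shell line continuation that continues into prose, and the flag form does not belong in `/etc/kubernetes/kubelet-config.json`; since the test already uses `path: '{.authentication.x509.clientCAFile}'`, the remediation should name that key for the config-file case and drop the stray backslash.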
Expand All @@ -121,8 +122,8 @@ groups:
scored: false
- id: 3.2.4
text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
audit: "cat /etc/systemd/system/kubelet.service"
# audit_config: "/bin/cat $kubeletconf"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
bin_op: or
test_items:
Expand All @@ -145,8 +146,8 @@ groups:
scored: false
- id: 3.2.5
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
audit: "cat /etc/systemd/system/kubelet.service"
# audit_config: "/bin/cat $kubeletconf"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --streaming-connection-idle-timeout
Expand All @@ -160,7 +161,7 @@ groups:
bin_op: or
remediation: |
If modifying the Kubelet service config file, edit the kubelet.service file
/etc/systemd/system/kubelet.service and set the below parameter
/etc/kubernetes/kubelet-config.json and set the below parameter
--streaming-connection-idle-timeout
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
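Review bot: the remediation for 3.2.5 lists the bare name `--streaming-connection-idle-timeout` with no value, which is not a usable setting; give it a non-zero duration and, for the config-file path this hunk now points to, name the `streamingConnectionIdleTimeout` key rather than the flag.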
Expand All @@ -169,8 +170,8 @@ groups:
scored: false
- id: 3.2.6
text: "Ensure that the --protect-kernel-defaults argument is set to true (Manual)"
audit: "cat /etc/systemd/system/kubelet.service"
# audit_config: "cat /etc/systemd/system/kubelet.service"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --protect-kernel-defaults
Expand All @@ -181,7 +182,7 @@ groups:
value: true
remediation: |
If modifying the Kubelet service config file, edit the kubelet.service file
/etc/systemd/system/kubelet.service and set the below parameter
/etc/kubernetes/kubelet-config.json and set the below parameter
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
Expand All @@ -190,8 +191,8 @@ groups:
scored: false
- id: 3.2.7
text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
audit: "cat /etc/systemd/system/kubelet.service"
# audit_config: "/bin/cat $kubeletconf"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --make-iptables-util-chains
Expand All @@ -205,7 +206,7 @@ groups:
bin_op: or
remediation: |
If modifying the Kubelet service config file, edit the kubelet.service file
/etc/systemd/system/kubelet.service and set the below parameter
/etc/kubernetes/kubelet-config.json and set the below parameter
--make-iptables-util-chains:true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
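Review bot: `--make-iptables-util-chains:true` uses a colon where flag syntax takes `=`; as written it would be rejected by the kubelet. For the config file this hunk now references, the key is `makeIPTablesUtilChains: true`.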
Expand All @@ -217,23 +218,25 @@ groups:
# This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
audit: "cat /etc/systemd/system/kubelet.service"
audit: "/bin/ps -fC $kubeletbin "
tests:
test_items:
- flag: --hostname-override
set: false
remediation: |
If modifying the Kubelet config file, edit the kubelet.service file
/etc/systemd/system/kubelet-.service and set the below parameter
--hostname-override=NODE NAME (where NODE NAME is the internal IP ex.
10.0.10.4, as assigned my OKE on build)
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
systemctl status kubelet -l
scored: false
- id: 3.2.9
text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Automated)"
audit: "cat /etc/systemd/system/kubelet.service"
# audit_config: "/bin/cat $kubeletconf"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --event-qps
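Review bot: 3.2.8's test asserts `set: false` for `--hostname-override` (the flag must be absent), yet its remediation tells the operator to add `--hostname-override=NODE NAME`; one of the two is inverted and following the remediation would make the check fail. Smaller points in the same block: `audit: "/bin/ps -fC $kubeletbin "` carries a trailing space inside the quotes, the path `/etc/systemd/system/kubelet-.service` has a stray hyphen, and "as assigned my OKE" should read "by OKE".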
Expand All @@ -244,9 +247,9 @@ groups:
value: 0
remediation: |
If modifying the Kubelet service config file, edit the kubelet.service file
/etc/systemd/system/kubelet.service and set the below parameter
/etc/kubernetes/kubelet-config.json and set the below parameter
--event-qps=0
If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
If using command line arguments, edit the kubelet service file /etc/kubernetes/kubelet-config.json.d/10-kubeadm.conf
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
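Review bot: the replacement produced `/etc/kubernetes/kubelet-config.json.d/10-kubeadm.conf`, which is a systemd drop-in name grafted onto a JSON config path and does not exist; the original `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` was correct for the "If using command line arguments" case and should be restored here.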
Expand All @@ -255,15 +258,18 @@ groups:
scored: true
- id: 3.2.10
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
audit: "cat /etc/systemd/system/kubelet.service"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
bin_op: and
test_items:
- flag: "--tls-cert-file"
- flag: "--tls-private-key-file"
- flag: --tls-cert-file
path: '{.tlsCertFile}'
- flag: --tls-private-key-file
path: '{.tlsPrivateKeyFile}'
remediation: |
If modifying the Kubelet service config file, edit the kubelet.service file
/etc/systemd/system/kubelet.service and set the below parameter
If modifying the Kubelet service config file, edit the kubelet.service file
/etc/kubernetes/kubelet-config.json and set the below parameter
Verify that the `tls-cert-file=/var/lib/kubelet/pki/tls.pem`.
Verify that the `tls-private-key-file=/var/lib/kubelet/pki/tls.key`.
Based on your system, restart the kubelet service and check status
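Review bot: the new `path: '{.tlsCertFile}'` and `path: '{.tlsPrivateKeyFile}'` entries are the right config-file lookups, but the remediation still says "set the below parameter" and then only offers `Verify that the tls-cert-file=...` lines in flag form; name the `tlsCertFile` and `tlsPrivateKeyFile` keys for the config-file case so the remediation matches what the test inspects.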
Expand All @@ -273,8 +279,8 @@ groups:
scored: true
- id: 3.2.11
text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
audit: "cat /etc/systemd/system/kubelet.service"
# audit_config: "/bin/cat $kubeletconf"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --rotate-certificates
Expand All @@ -288,7 +294,7 @@ groups:
bin_op: or
remediation: |
If modifying the Kubelet service config file, edit the kubelet.service file
/etc/systemd/system/kubelet.service and set the below parameter
/etc/kubernetes/kubelet-config.json and set the below parameter
Verify that the `--rotate-certificates` is present.
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
Expand All @@ -297,8 +303,8 @@ groups:
scored: true
- id: 3.2.12
text: "Ensure that the --rotate-server-certificates argument is set to true (Manual)"
audit: "cat /etc/systemd/system/kubelet.service"
# audit_config: "/bin/cat $kubeletconf"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --rotate-certificates
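Review bot: 3.2.12 is titled "Ensure that the --rotate-server-certificates argument is set to true", but its test item checks `- flag: --rotate-certificates`, which is the 3.2.11 client-certificate flag; with this hunk enabling `audit_config`, the check should test `--rotate-server-certificates` (or the `serverTLSBootstrap` setting in the config file) or it will pass whenever 3.2.11 passes.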
Expand All @@ -312,7 +318,7 @@ groups:
bin_op: or
remediation: |
If modifying the Kubelet service config file, edit the kubelet.service file
/etc/systemd/system/kubelet.service and set the below parameter
/etc/kubernetes/kubelet-config.json and set the below parameter
--rotate-server-certificates=true
Based on your system, restart the kubelet service and check status
systemctl daemon-reload