# frozen_string_literal: true
title '4.1.1 Worker Node: Configuration Files'

# Identifier used to locate the kubelet process. Taken from the `kubelet` input;
# an empty input falls back to the binary path discovered by the `kubernetes` resource.
kubelet_input = input('kubelet')
kubelet = kubelet_input.empty? ? kubernetes.kubelet_bin : kubelet_input

# Path of the node kubeconfig examined by 4.1.2 and 4.1.5.
kubelet_conf = input('kubelet-conf')

# Every control in this file is skipped unless a kubelet process is running.
only_if('kubelet not found') { processes(kubelet).exists? }
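control 'cis-kubernetes-benchmark-4.1.1' do
  title 'Ensure that the kubelet service file permissions are set to 644 or more restrictive'
  desc "Ensure that the `kubelet` service file has permissions of `644` or more restrictive.\n\nRationale: The `kubelet` service file controls various parameters that set the behavior of the `kubelet` service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system."
  impact 1.0
  tag cis: 'kubernetes:4.1.1'
  tag level: 1

  # kubeadm's systemd drop-in. Other installers may place the unit elsewhere; in
  # that case the control is skipped for manual review rather than failed.
  service_file = '/etc/systemd/system/kubelet.service.d/10-kubeadm.conf'

  if file(service_file).exist?
    # Permission bits as octal text, zero-padded so a short mode such as 0040
    # still yields three digits ("040") and can be evaluated.
    describe file(service_file).mode.to_s(8).rjust(3, '0') do
      # "644 or more restrictive": owner may hold rw (0/2/4/6), group and other
      # at most r (0/4). The previous /[0246][024][024]/ accepted write-only (2)
      # for group/other and, being unanchored, could match leading setuid/setgid/
      # sticky digits while ignoring a permissive "other" digit. Anchoring to the
      # last three digits closes both gaps.
      it { should match(/[0246][04][04]\z/) }
    end
  else
    describe 'cis-kubernetes-benchmark-4.1.1' do
      skip 'Review the permissions on your Kubelet systemd service file.'
    end
  end
end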
control 'cis-kubernetes-benchmark-4.1.2' do
  title 'Ensure that the kubelet.conf file ownership is set to root:root'
  desc "Ensure that the `kubelet.conf` file ownership is set to `root:root`.\n\nRationale: The `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root.`"
  impact 1.0
  tag cis: 'kubernetes:4.1.2'
  tag level: 1

  # `kubelet_conf` is the file-level `kubelet-conf` input; without the file there
  # is nothing to evaluate, so the control is skipped instead of failed.
  only_if { file(kubelet_conf).exist? }

  describe file(kubelet_conf) do
    it { should be_owned_by 'root' }
    it { should be_grouped_into 'root' }
  end
end
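control 'cis-kubernetes-benchmark-4.1.3' do
  title 'Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive'
  desc "If `kube-proxy` is running, ensure that the proxy kubeconfig file has permissions of `644` or more restrictive.\n\nRationale: The `kube-proxy` kubeconfig file controls various parameters of the `kube-proxy` service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system."
  impact 1.0
  tag cis: 'kubernetes:4.1.3'
  tag level: 1

  kube_proxy = processes('kube-proxy')
  if kube_proxy.exists?
    # Accept both `--kubeconfig=PATH` and `--kubeconfig PATH`; the last occurrence
    # on the command line wins. `flatten.last` is nil when the flag is absent, which
    # previously raised NoMethodError on `.last.first` and aborted the control.
    # NOTE(review): a kube-proxy configured via `--config` (KubeProxyConfiguration)
    # carries the kubeconfig path inside that file; this control skips in that case.
    conf_file = kube_proxy.commands.first.scan(/--kubeconfig[=\s](\S+)/).flatten.last

    if conf_file.nil?
      describe 'cis-kubernetes-benchmark-4.1.3' do
        skip 'No kubeconfig file specified for `kube-proxy` process'
      end
    elsif file(conf_file).exist?
      # Zero-padded octal permission bits; "644 or more restrictive" means owner
      # rw at most (0/2/4/6) and group/other read at most (0/4). Anchored to the
      # last three digits so setuid/setgid/sticky prefixes are ignored and a
      # permissive "other" digit cannot hide behind an earlier partial match.
      describe file(conf_file).mode.to_s(8).rjust(3, '0') do
        it { should match(/[0246][04][04]\z/) }
      end
    else
      describe 'cis-kubernetes-benchmark-4.1.3' do
        skip 'kube-proxy config file configured but not found'
      end
    end
  else
    describe 'cis-kubernetes-benchmark-4.1.3' do
      skip 'kube-proxy process not found'
    end
  end
end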
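control 'cis-kubernetes-benchmark-4.1.4' do
  title 'Ensure that the proxy kubeconfig file ownership is set to root:root'
  desc "If `kube-proxy` is running, ensure that the file ownership of its kubeconfig file is set to `root:root`.\n\nRationale: The kubeconfig file for `kube-proxy` controls various parameters for the `kube-proxy` service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`."
  impact 1.0
  tag cis: 'kubernetes:4.1.4'
  tag level: 1

  kube_proxy = processes('kube-proxy')
  if kube_proxy.exists?
    # Accept both `--kubeconfig=PATH` and `--kubeconfig PATH`; the last occurrence
    # on the command line wins. `flatten.last` is nil when the flag is absent, which
    # previously raised NoMethodError on `.last.first` and aborted the control.
    # NOTE(review): a kube-proxy configured via `--config` (KubeProxyConfiguration)
    # carries the kubeconfig path inside that file; this control skips in that case.
    conf_file = kube_proxy.commands.first.scan(/--kubeconfig[=\s](\S+)/).flatten.last

    if conf_file.nil?
      describe 'cis-kubernetes-benchmark-4.1.4' do
        skip 'No kubeconfig file specified for `kube-proxy` process'
      end
    elsif file(conf_file).exist?
      describe file(conf_file) do
        it { should be_owned_by 'root' }
        it { should be_grouped_into 'root' }
      end
    else
      describe 'cis-kubernetes-benchmark-4.1.4' do
        skip 'kube-proxy config file configured but not found'
      end
    end
  else
    describe 'cis-kubernetes-benchmark-4.1.4' do
      skip 'kube-proxy process not found'
    end
  end
end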
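control 'cis-kubernetes-benchmark-4.1.5' do
  title 'Ensure that the kubelet.conf file permissions are set to 644 or more restrictive'
  desc "Ensure that the `kubelet.conf` file has permissions of `644` or more restrictive.\n\nRationale: The `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system."
  impact 1.0
  tag cis: 'kubernetes:4.1.5'
  tag level: 1

  # `kubelet_conf` is the file-level `kubelet-conf` input; skip when absent.
  only_if { file(kubelet_conf).exist? }

  # Zero-padded octal permission bits. "644 or more restrictive": owner may hold
  # rw (0/2/4/6), group and other at most r (0/4). The previous /[0246][024][024]/
  # accepted write-only (2) for group/other and, being unanchored, could match
  # leading setuid/setgid/sticky digits while ignoring a permissive "other" digit.
  describe file(kubelet_conf).mode.to_s(8).rjust(3, '0') do
    it { should match(/[0246][04][04]\z/) }
  end
end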
control 'cis-kubernetes-benchmark-4.1.6' do
  title 'Ensure that the kubelet service file ownership is set to root:root'
  desc "Ensure that the `kubelet` service file ownership is set to `root:root`.\n\nRationale: The `kubelet` service file controls various parameters that set the behavior of the `kubelet` service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`."
  impact 1.0
  tag cis: 'kubernetes:4.1.6'
  tag level: 1

  # kubeadm's systemd drop-in; installations that keep the unit elsewhere are
  # skipped for manual review rather than failed.
  service_file = '/etc/systemd/system/kubelet.service.d/10-kubeadm.conf'

  if file(service_file).exist?
    describe file(service_file) do
      it { should be_owned_by 'root' }
      it { should be_grouped_into 'root' }
    end
  else
    describe 'cis-kubernetes-benchmark-4.1.6' do
      skip 'Review the ownership of your Kubelet systemd service file.'
    end
  end
end
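control 'cis-kubernetes-benchmark-4.1.7' do
  title 'Ensure that the certificate authorities file permissions are set to 644 or more restrictive'
  desc "Ensure that the certificate authorities file has permissions of `644` or more restrictive.\n\nRationale: The certificate authorities file controls the authorities used to validate API requests. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system."
  impact 1.0
  tag cis: 'kubernetes:4.1.7'
  tag level: 1

  # Same process identifier as the file-level only_if, so a custom `kubelet`
  # input (for example a full binary path) is honoured here as well.
  kubelet_proc = processes(kubelet)
  if kubelet_proc.exists?
    # Accept both `--client-ca-file=PATH` and `--client-ca-file PATH`; the last
    # occurrence on the command line wins; nil when the flag is absent.
    # NOTE(review): when the CA path is set in the kubelet config file
    # (authentication.x509.clientCAFile) rather than on the command line, this
    # control skips instead of evaluating that file.
    ca_cert_path = kubelet_proc.commands.first.scan(/--client-ca-file[=\s](\S+)/).flatten.last

    if ca_cert_path.nil?
      describe 'cis-kubernetes-benchmark-4.1.7' do
        skip 'No client CA file specified for `kubelet` process'
      end
    elsif file(ca_cert_path).exist?
      # Guarded by exist? because `mode` is nil for a missing file and
      # `nil.to_s(8)` raised ArgumentError, aborting the control.
      # Zero-padded octal permission bits; "644 or more restrictive" means owner
      # rw at most (0/2/4/6) and group/other read at most (0/4), anchored to the
      # last three digits so setuid/setgid/sticky prefixes are ignored.
      describe file(ca_cert_path).mode.to_s(8).rjust(3, '0') do
        it { should match(/[0246][04][04]\z/) }
      end
    else
      describe 'cis-kubernetes-benchmark-4.1.7' do
        skip 'Client CA file configured for `kubelet` process but not found'
      end
    end
  else
    describe 'cis-kubernetes-benchmark-4.1.7' do
      skip 'kubelet process not found'
    end
  end
end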
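control 'cis-kubernetes-benchmark-4.1.8' do
  title 'Ensure that the client certificate authorities file ownership is set to root:root'
  desc "Ensure that the certificate authorities file ownership is set to `root:root`.\n\nRationale: The certificate authorities file controls the authorities used to validate API requests. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`."
  impact 1.0
  tag cis: 'kubernetes:4.1.8'
  tag level: 1

  # Same process identifier as the file-level only_if, so a custom `kubelet`
  # input (for example a full binary path) is honoured here as well.
  kubelet_proc = processes(kubelet)
  if kubelet_proc.exists?
    # Inspect the first kubelet command line like the sibling controls do (this
    # control previously scanned `commands.to_s`, the Array's inspect form).
    # Accept both `--client-ca-file=PATH` and `--client-ca-file PATH`; the last
    # occurrence wins; nil when the flag is absent.
    # NOTE(review): when the CA path is set in the kubelet config file
    # (authentication.x509.clientCAFile) rather than on the command line, this
    # control skips instead of evaluating that file.
    ca_cert_path = kubelet_proc.commands.first.scan(/--client-ca-file[=\s](\S+)/).flatten.last

    if ca_cert_path.nil?
      describe 'cis-kubernetes-benchmark-4.1.8' do
        skip 'No client CA file specified for `kubelet` process'
      end
    else
      # A referenced file that does not exist fails the ownership expectations.
      describe file(ca_cert_path) do
        it { should be_owned_by 'root' }
        it { should be_grouped_into 'root' }
      end
    end
  else
    describe 'cis-kubernetes-benchmark-4.1.8' do
      skip 'kubelet process not found'
    end
  end
end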
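control 'cis-kubernetes-benchmark-4.1.9' do
  title 'Ensure that the kubelet configuration file has permissions set to 644 or more restrictive'
  desc "Ensure that if the kubelet refers to a configuration file with the `--config` argument, that file has permissions of 644 or more restrictive.\n\nRationale: The kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system."
  impact 1.0
  tag cis: 'kubernetes:4.1.9'
  tag level: 1

  # Same process identifier as the file-level only_if, so a custom `kubelet`
  # input (for example a full binary path) is honoured here as well.
  kubelet_proc = processes(kubelet)
  if kubelet_proc.exists?
    # Accept both `--config=PATH` and `--config PATH`; the last occurrence wins;
    # nil when the flag is absent. `--kubeconfig` does not match because the
    # pattern requires `--` directly before `config`.
    config_path = kubelet_proc.commands.first.scan(/--config[=\s](\S+)/).flatten.last

    if config_path.nil?
      describe 'cis-kubernetes-benchmark-4.1.9' do
        skip 'No config file specified for `kubelet` process'
      end
    elsif file(config_path).exist?
      # Guarded by exist? because `mode` is nil for a missing file and
      # `nil.to_s(8)` raised ArgumentError, aborting the control.
      # Zero-padded octal permission bits; "644 or more restrictive" means owner
      # rw at most (0/2/4/6) and group/other read at most (0/4), anchored to the
      # last three digits so setuid/setgid/sticky prefixes are ignored.
      describe file(config_path).mode.to_s(8).rjust(3, '0') do
        it { should match(/[0246][04][04]\z/) }
      end
    else
      describe 'cis-kubernetes-benchmark-4.1.9' do
        skip 'Config file configured for `kubelet` process but not found'
      end
    end
  else
    describe 'cis-kubernetes-benchmark-4.1.9' do
      skip 'kubelet process not found'
    end
  end
end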
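control 'cis-kubernetes-benchmark-4.1.10' do
  title 'Ensure that the kubelet configuration file ownership is set to root:root'
  desc "Ensure that if the kubelet refers to a configuration file with the --config argument, that file is owned by root:root.\n\nRationale: The kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. The file should be owned by root:root."
  impact 1.0
  tag cis: 'kubernetes:4.1.10'
  tag level: 1

  # Same process identifier as the file-level only_if, so a custom `kubelet`
  # input (for example a full binary path) is honoured here as well.
  kubelet_proc = processes(kubelet)
  if kubelet_proc.exists?
    # Accept both `--config=PATH` and `--config PATH`; the last occurrence wins;
    # nil when the flag is absent. `--kubeconfig` does not match because the
    # pattern requires `--` directly before `config`.
    config_path = kubelet_proc.commands.first.scan(/--config[=\s](\S+)/).flatten.last

    if config_path.nil?
      describe 'cis-kubernetes-benchmark-4.1.10' do
        skip 'No config file specified for `kubelet` process'
      end
    else
      # A referenced file that does not exist fails the ownership expectations.
      describe file(config_path) do
        it { should be_owned_by 'root' }
        it { should be_grouped_into 'root' }
      end
    end
  else
    describe 'cis-kubernetes-benchmark-4.1.10' do
      skip 'kubelet process not found'
    end
  end
end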