mtpereira · November 5, 2021 08:59
diff --git a/kube-bench-1030-status-fail-output.log b/kube-bench-1030-status-fail-output.log
 [FAIL] 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)
 [FAIL] 1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)
 [FAIL] 1.2.15 Ensure that the admission control plugin PodSecurityPolicy is set (Automated)
 [FAIL] 1.2.20 Ensure that the --profiling argument is set to false (Automated)
 [FAIL] 1.2.21 Ensure that the --audit-log-path argument is set (Automated)
 [FAIL] 1.2.22 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)
 [FAIL] 1.2.23 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)
 [FAIL] 1.2.24 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)
 [FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Automated)
 [FAIL] 1.4.1 Ensure that the --profiling argument is set to false (Automated)

 == Remediations master ==
 1.1.12 On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
 from the below command:
 ps -ef | grep etcd
 Run the below command (based on the etcd data directory found above).
 For example, chown etcd:etcd /var/lib/etcd

 1.2.5 Follow the Kubernetes documentation and setup the TLS connection between
 the apiserver and kubelets. Then, edit the API server pod specification file
 /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the
 --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.
 --kubelet-certificate-authority=<ca-string>

 1.2.15 Follow the documentation and create Pod Security Policy objects as per your environment.
 Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
 on the master node and set the --enable-admission-plugins parameter to a
 value that includes PodSecurityPolicy:
 --enable-admission-plugins=...,PodSecurityPolicy,...
 Then restart the API Server.

 1.2.20 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
 on the master node and set the below parameter.
 --profiling=false

 1.2.21 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
 on the master node and set the --audit-log-path parameter to a suitable path and
 file where you would like audit logs to be written, for example:
 --audit-log-path=/var/log/apiserver/audit.log

 1.2.22 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
 on the master node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days:
 --audit-log-maxage=30

 1.2.23 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
 on the master node and set the --audit-log-maxbackup parameter to 10 or to an appropriate
 value.
 --audit-log-maxbackup=10

 1.2.24 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
 on the master node and set the --audit-log-maxsize parameter to an appropriate size in MB.
 For example, to set it as 100 MB:
 --audit-log-maxsize=100

 1.3.2 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
 on the master node and set the below parameter.
 --profiling=false

 1.4.1 Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file
 on the master node and set the below parameter.
 --profiling=false


 == Summary master ==
 10 checks FAIL


 == Summary etcd ==
 0 checks FAIL


 == Summary controlplane ==
 0 checks FAIL

 [FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)

 == Remediations node ==
 4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
 If using command line arguments, edit the kubelet service file
 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
 set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
 --protect-kernel-defaults=true
 Based on your system, restart the kubelet service. For example:
 systemctl daemon-reload
 systemctl restart kubelet.service


 == Summary node ==
 1 checks FAIL


 == Summary policies ==
 0 checks FAIL

 == Summary total ==
 11 checks FAIL
	[FAIL] 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)
	[FAIL] 1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)
	[FAIL] 1.2.15 Ensure that the admission control plugin PodSecurityPolicy is set (Automated)
	[FAIL] 1.2.20 Ensure that the --profiling argument is set to false (Automated)
	[FAIL] 1.2.21 Ensure that the --audit-log-path argument is set (Automated)
	[FAIL] 1.2.22 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)
	[FAIL] 1.2.23 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)
	[FAIL] 1.2.24 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)
	[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Automated)
	[FAIL] 1.4.1 Ensure that the --profiling argument is set to false (Automated)

	== Remediations master ==
	1.1.12 On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
	from the below command:
	ps -ef \| grep etcd
	Run the below command (based on the etcd data directory found above).
	For example, chown etcd:etcd /var/lib/etcd

	1.2.5 Follow the Kubernetes documentation and setup the TLS connection between
	the apiserver and kubelets. Then, edit the API server pod specification file
	/etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the
	--kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.
	--kubelet-certificate-authority=<ca-string>

	1.2.15 Follow the documentation and create Pod Security Policy objects as per your environment.
	Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
	on the master node and set the --enable-admission-plugins parameter to a
	value that includes PodSecurityPolicy:
	--enable-admission-plugins=...,PodSecurityPolicy,...
	Then restart the API Server.

	1.2.20 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
	on the master node and set the below parameter.
	--profiling=false

	1.2.21 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
	on the master node and set the --audit-log-path parameter to a suitable path and
	file where you would like audit logs to be written, for example:
	--audit-log-path=/var/log/apiserver/audit.log

	1.2.22 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
	on the master node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days:
	--audit-log-maxage=30

	1.2.23 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
	on the master node and set the --audit-log-maxbackup parameter to 10 or to an appropriate
	value.
	--audit-log-maxbackup=10

	1.2.24 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
	on the master node and set the --audit-log-maxsize parameter to an appropriate size in MB.
	For example, to set it as 100 MB:
	--audit-log-maxsize=100

	1.3.2 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
	on the master node and set the below parameter.
	--profiling=false

	1.4.1 Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file
	on the master node and set the below parameter.
	--profiling=false


	== Summary master ==
	10 checks FAIL


	== Summary etcd ==
	0 checks FAIL


	== Summary controlplane ==
	0 checks FAIL

	[FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)

	== Remediations node ==
	4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
	If using command line arguments, edit the kubelet service file
	/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
	set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
	--protect-kernel-defaults=true
	Based on your system, restart the kubelet service. For example:
	systemctl daemon-reload
	systemctl restart kubelet.service


	== Summary node ==
	1 checks FAIL


	== Summary policies ==
	0 checks FAIL

	== Summary total ==
	11 checks FAIL