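---
## Controls Files.
# These are YAML files that hold all the details for running checks.
#
## Uncomment to use different control file paths.
# masterControls: ./cfg/master.yaml
# nodeControls: ./cfg/node.yaml

# Host-discovery configuration. Each top-level section (master, node, etcd,
# controlplane, policies, managedservices) lists the components it covers
# and, per component, the candidate binaries (`bins`), config files
# (`confs`), kubeconfigs (`kubeconfig`), service files (`svc`), CA files
# (`cafile`) and data directories (`datadirs`) to look for, plus a
# `default*` fallback for each. `optional: true` marks a component whose
# absence on the host is tolerated.
# NOTE(review): the order of each candidate list is presumably significant
# (first existing path wins) — confirm against the detection code before
# reordering any list.

master:
  components:
    - apiserver
    - scheduler
    - controllermanager
    - etcd
    - flanneld
    # kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
    - kubernetes
    - kubelet

  kubernetes:
    defaultconf: /etc/kubernetes/config

  apiserver:
    bins:
      - "kube-apiserver"
      - "hyperkube apiserver"
      - "hyperkube kube-apiserver"
      - "apiserver"
      - "openshift start master api"
      - "hypershift openshift-kube-apiserver"
    confs:
      - /etc/kubernetes/manifests/kube-apiserver.yaml
      - /etc/kubernetes/manifests/kube-apiserver.yml
      - /etc/kubernetes/manifests/kube-apiserver.manifest
      - /var/snap/kube-apiserver/current/args
      - /var/snap/microk8s/current/args/kube-apiserver
      - /etc/origin/master/master-config.yaml
      - /etc/kubernetes/manifests/talos-kube-apiserver.yaml
      - /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml
    defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml

  scheduler:
    bins:
      - "kube-scheduler"
      - "hyperkube scheduler"
      - "hyperkube kube-scheduler"
      - "scheduler"
      - "openshift start master controllers"
    confs:
      - /etc/kubernetes/manifests/kube-scheduler.yaml
      - /etc/kubernetes/manifests/kube-scheduler.yml
      - /etc/kubernetes/manifests/kube-scheduler.manifest
      - /var/snap/kube-scheduler/current/args
      - /var/snap/microk8s/current/args/kube-scheduler
      - /etc/origin/master/scheduler.json
      - /etc/kubernetes/manifests/talos-kube-scheduler.yaml
      - /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml
    defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
    kubeconfig:
      - /etc/kubernetes/scheduler.conf
      - /var/lib/kube-scheduler/kubeconfig
      - /var/lib/kube-scheduler/config.yaml
      - /system/secrets/kubernetes/kube-scheduler/kubeconfig
    defaultkubeconfig: /etc/kubernetes/scheduler.conf

  controllermanager:
    bins:
      - "kube-controller-manager"
      - "kube-controller"
      - "hyperkube controller-manager"
      - "hyperkube kube-controller-manager"
      - "controller-manager"
      - "openshift start master controllers"
      - "hypershift openshift-controller-manager"
    confs:
      - /etc/kubernetes/manifests/kube-controller-manager.yaml
      - /etc/kubernetes/manifests/kube-controller-manager.yml
      - /etc/kubernetes/manifests/kube-controller-manager.manifest
      - /var/snap/kube-controller-manager/current/args
      - /var/snap/microk8s/current/args/kube-controller-manager
      - /etc/kubernetes/manifests/talos-kube-controller-manager.yaml
      - /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml
    defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
    kubeconfig:
      - /etc/kubernetes/controller-manager.conf
      - /var/lib/kube-controller-manager/kubeconfig
      - /system/secrets/kubernetes/kube-controller-manager/kubeconfig
    defaultkubeconfig: /etc/kubernetes/controller-manager.conf

  etcd:
    optional: true
    bins:
      - "etcd"
      - "openshift start etcd"
    datadirs:
      - /var/lib/etcd/default.etcd
      - /var/lib/etcd/data.etcd
    confs:
      - /etc/kubernetes/manifests/etcd.yaml
      - /etc/kubernetes/manifests/etcd.yml
      - /etc/kubernetes/manifests/etcd.manifest
      - /etc/etcd/etcd.conf
      - /var/snap/etcd/common/etcd.conf.yml
      - /var/snap/etcd/common/etcd.conf.yaml
      - /var/snap/microk8s/current/args/etcd
      - /usr/lib/systemd/system/etcd.service
      - /var/lib/rancher/rke2/server/db/etcd/config
    defaultconf: /etc/kubernetes/manifests/etcd.yaml
    defaultdatadir: /var/lib/etcd/default.etcd

  flanneld:
    optional: true
    bins:
      - flanneld
    defaultconf: /etc/sysconfig/flanneld

  kubelet:
    optional: true
    bins:
      - "hyperkube kubelet"
      - "kubelet"

node:
  components:
    - kubelet
    - proxy
    # kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
    - kubernetes

  kubernetes:
    defaultconf: "/etc/kubernetes/config"

  kubelet:
    cafile:
      - "/etc/kubernetes/pki/ca.crt"
      - "/etc/kubernetes/certs/ca.crt"
      - "/etc/kubernetes/cert/ca.pem"
      - "/var/snap/microk8s/current/certs/ca.crt"
      # NOTE(review): server.crt is named like a serving certificate rather
      # than a CA bundle; confirm it is the intended file for the CA checks.
      - "/var/lib/rancher/rke2/agent/server.crt"
      - "/var/lib/rancher/rke2/agent/client-ca.crt"
      - "/var/lib/rancher/k3s/agent/client-ca.crt"
    svc:
      # These paths must also be included
      # in the 'confs' property below
      - "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
      - "/etc/systemd/system/kubelet.service"
      - "/lib/systemd/system/kubelet.service"
      - "/etc/systemd/system/snap.kubelet.daemon.service"
      - "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"
      - "/etc/systemd/system/atomic-openshift-node.service"
      - "/etc/systemd/system/origin-node.service"
    bins:
      - "hyperkube kubelet"
      - "kubelet"
    kubeconfig:
      - "/etc/kubernetes/kubelet.conf"
      - "/etc/kubernetes/kubelet-kubeconfig.conf"
      - "/var/lib/kubelet/kubeconfig"
      - "/etc/kubernetes/kubelet-kubeconfig"
      - "/etc/kubernetes/kubelet/kubeconfig"
      - "/etc/kubernetes/ssl/kubecfg-kube-node.yaml"
      - "/var/snap/microk8s/current/credentials/kubelet.config"
      - "/etc/kubernetes/kubeconfig-kubelet"
      - "/var/lib/rancher/rke2/agent/kubelet.kubeconfig"
      # NOTE(review): this is the k3s server's admin credential, not a
      # kubelet kubeconfig; permission/ownership findings reported against it
      # would describe the wrong file. Confirm it is intended here.
      - "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
      - "/var/lib/rancher/k3s/agent/kubelet.kubeconfig"
    confs:
      - "/etc/kubernetes/kubelet-config.yaml"
      - "/var/lib/kubelet/config.yaml"
      - "/var/lib/kubelet/config.yml"
      - "/etc/kubernetes/kubelet/kubelet-config.json"
      - "/etc/kubernetes/kubelet/config"
      - "/home/kubernetes/kubelet-config.yaml"
      - "/home/kubernetes/kubelet-config.yml"
      - "/etc/default/kubeletconfig.json"
      - "/etc/default/kubelet"
      - "/var/lib/kubelet/kubeconfig"
      - "/var/snap/kubelet/current/args"
      - "/var/snap/microk8s/current/args/kubelet"
      ## Due to the fact that the kubelet might be configured
      ## without a kubelet-config file, we use a work-around
      ## of pointing to the systemd service file (which can also
      ## hold kubelet configuration).
      ## Note: The following paths must match the ones under 'svc'
      - "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
      - "/etc/systemd/system/kubelet.service"
      - "/lib/systemd/system/kubelet.service"
      - "/etc/systemd/system/snap.kubelet.daemon.service"
      - "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"
      # The two OpenShift 3 service files were listed under 'svc' but were
      # missing here, breaking the invariant stated above; mirrored so the
      # service-file work-around also applies on those hosts.
      - "/etc/systemd/system/atomic-openshift-node.service"
      - "/etc/systemd/system/origin-node.service"
      - "/etc/kubernetes/kubelet.yaml"
      - "/var/lib/rancher/rke2/agent/kubelet.kubeconfig"

    defaultconf: "/var/lib/kubelet/config.yaml"
    defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
    defaultkubeconfig: "/etc/kubernetes/kubelet.conf"
    defaultcafile: "/etc/kubernetes/pki/ca.crt"

  proxy:
    optional: true
    bins:
      - "kube-proxy"
      - "hyperkube proxy"
      - "hyperkube kube-proxy"
      - "proxy"
      - "openshift start network"
    confs:
      - /etc/kubernetes/proxy
      - /etc/kubernetes/addons/kube-proxy-daemonset.yaml
      - /etc/kubernetes/addons/kube-proxy-daemonset.yml
      - /var/snap/kube-proxy/current/args
      - /var/snap/microk8s/current/args/kube-proxy
    kubeconfig:
      - "/etc/kubernetes/kubelet-kubeconfig"
      - "/etc/kubernetes/kubelet-kubeconfig.conf"
      - "/etc/kubernetes/kubelet/config"
      - "/etc/kubernetes/ssl/kubecfg-kube-proxy.yaml"
      - "/var/lib/kubelet/kubeconfig"
      - "/var/snap/microk8s/current/credentials/proxy.config"
      - "/var/lib/rancher/rke2/agent/kubeproxy.kubeconfig"
      - "/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"
    svc:
      - "/lib/systemd/system/kube-proxy.service"
      - "/etc/systemd/system/snap.microk8s.daemon-proxy.service"
    defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
    defaultkubeconfig: "/etc/kubernetes/proxy.conf"

etcd:
  components:
    - etcd

  etcd:
    bins:
      - "etcd"
    datadirs:
      - /var/lib/etcd/default.etcd
      - /var/lib/etcd/data.etcd
    confs:
      - /etc/kubernetes/manifests/etcd.yaml
      - /etc/kubernetes/manifests/etcd.yml
      - /etc/kubernetes/manifests/etcd.manifest
      - /etc/etcd/etcd.conf
      - /var/snap/etcd/common/etcd.conf.yml
      - /var/snap/etcd/common/etcd.conf.yaml
      - /var/snap/microk8s/current/args/etcd
      - /usr/lib/systemd/system/etcd.service
      - /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml
      - /var/lib/rancher/k3s/server/db/etcd/config
    defaultconf: /etc/kubernetes/manifests/etcd.yaml
    defaultdatadir: /var/lib/etcd/default.etcd

controlplane:
  components:
    - apiserver

  apiserver:
    bins:
      - "kube-apiserver"
      - "hyperkube apiserver"
      - "hyperkube kube-apiserver"
      - "apiserver"

policies:
  components: []

managedservices:
  components: []

# Maps a Kubernetes version (or a platform-specific benchmark id) to the
# benchmark whose targets are listed in target_mapping. Keys and values are
# quoted so that "1.20" is not read as the float 1.2.
# NOTE(review): the value is presumably also the controls directory name
# under cfg/ — confirm. Kubernetes versions after 1.26 have no entry here.
version_mapping:
  "1.15": "cis-1.5"
  "1.16": "cis-1.6"
  "1.17": "cis-1.6"
  "1.18": "cis-1.6"
  "1.19": "cis-1.20"
  "1.20": "cis-1.20"
  "1.21": "cis-1.20"
  "1.22": "cis-1.23"
  "1.23": "cis-1.23"
  "1.24": "cis-1.24"
  "1.25": "cis-1.7"
  "1.26": "cis-1.8"
  "eks-1.0.1": "eks-1.0.1"
  "eks-1.1.0": "eks-1.1.0"
  "eks-1.2.0": "eks-1.2.0"
  "gke-1.0": "gke-1.0"
  "gke-1.2.0": "gke-1.2.0"
  "ocp-3.10": "rh-0.7"
  "ocp-3.11": "rh-0.7"
  "ocp-4.0": "rh-1.0"
  "aks-1.0": "aks-1.0"
  "ack-1.0": "ack-1.0"
  "cis-1.6-k3s": "cis-1.6-k3s"
  "cis-1.24-microk8s": "cis-1.24-microk8s"
  "tkgi-1.2.53": "tkgi-1.2.53"
  "k3s-cis-1.7": "k3s-cis-1.7"
  "k3s-cis-1.23": "k3s-cis-1.23"
  "k3s-cis-1.24": "k3s-cis-1.24"
  "rke-cis-1.7": "rke-cis-1.7"
  "rke-cis-1.23": "rke-cis-1.23"
  "rke-cis-1.24": "rke-cis-1.24"
  "rke2-cis-1.7": "rke2-cis-1.7"
  "rke2-cis-1.23": "rke2-cis-1.23"
  "rke2-cis-1.24": "rke2-cis-1.24"

# For each benchmark, the target sections to run; every entry is one of the
# top-level section keys of this file (master, node, controlplane, etcd,
# policies, managedservices). "eks-stig-kubernetes-v1r6" has no
# version_mapping entry, so it is reachable only by benchmark name.
target_mapping:
  "cis-1.5":
    - "master"
    - "node"
    - "controlplane"
    - "etcd"
    - "policies"
  "cis-1.6":
    - "master"
    - "node"
    - "controlplane"
    - "etcd"
    - "policies"
  "cis-1.6-k3s":
    - "master"
    - "node"
    - "controlplane"
    - "etcd"
    - "policies"
  "cis-1.20":
    - "master"
    - "node"
    - "controlplane"
    - "etcd"
    - "policies"
  "cis-1.23":
    - "master"
    - "node"
    - "controlplane"
    - "etcd"
    - "policies"
  "cis-1.24":
    - "master"
    - "node"
    - "controlplane"
    - "etcd"
    - "policies"
  "cis-1.24-microk8s":
    - "master"
    - "etcd"
    - "node"
    - "controlplane"
    - "policies"
  "cis-1.7":
    - "master"
    - "node"
    - "controlplane"
    - "etcd"
    - "policies"
  "cis-1.8":
    - "master"
    - "node"
    - "controlplane"
    - "etcd"
    - "policies"
  "gke-1.0":
    - "master"
    - "node"
    - "controlplane"
    - "etcd"
    - "policies"
    - "managedservices"
  "gke-1.2.0":
    - "master"
    - "node"
    - "controlplane"
    - "policies"
    - "managedservices"
  "eks-1.0.1":
    - "master"
    - "node"
    - "controlplane"
    - "policies"
    - "managedservices"
  "eks-1.1.0":
    - "master"
    - "node"
    - "controlplane"
    - "policies"
    - "managedservices"
  "eks-1.2.0":
    - "master"
    - "node"
    - "controlplane"
    - "policies"
    - "managedservices"
  "rh-0.7":
    - "master"
    - "node"
  "aks-1.0":
    - "master"
    - "node"
    - "controlplane"
    - "policies"
    - "managedservices"
  "ack-1.0":
    - "master"
    - "node"
    - "controlplane"
    - "etcd"
    - "policies"
    - "managedservices"
  "rh-1.0":
    - "master"
    - "node"
    - "controlplane"
    - "policies"
    - "etcd"
  "eks-stig-kubernetes-v1r6":
    - "node"
    - "controlplane"
    - "policies"
    - "managedservices"
  "tkgi-1.2.53":
    - "master"
    - "etcd"
    - "controlplane"
    - "node"
    - "policies"
  "k3s-cis-1.7":
    - "master"
    - "etcd"
    - "controlplane"
    - "node"
    - "policies"
  "k3s-cis-1.23":
    - "master"
    - "etcd"
    - "controlplane"
    - "node"
    - "policies"
  "k3s-cis-1.24":
    - "master"
    - "etcd"
    - "controlplane"
    - "node"
    - "policies"
  "rke-cis-1.7":
    - "master"
    - "etcd"
    - "controlplane"
    - "node"
    - "policies"
  "rke-cis-1.23":
    - "master"
    - "etcd"
    - "controlplane"
    - "node"
    - "policies"
  "rke-cis-1.24":
    - "master"
    - "etcd"
    - "controlplane"
    - "node"
    - "policies"
  "rke2-cis-1.7":
    - "master"
    - "etcd"
    - "controlplane"
    - "node"
    - "policies"
  "rke2-cis-1.23":
    - "master"
    - "etcd"
    - "controlplane"
    - "node"
    - "policies"
  "rke2-cis-1.24":
    - "master"
    - "etcd"
    - "controlplane"
    - "node"
    - "policies"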