Kubernetes Control Plane Charm

  1. Bug #1841262
  2. Comment #1

Comment 1 for bug 1841262

Revision history for this message
Kevin W Monroe (kwmonroe) wrote : Re: snap config for kube-bench conformance

k8s-master failures (4 etcd failures can be ignored given we use standalone etcd):

-----
$ ./kube-bench master --version 1.13-snap | grep FAIL
[FAIL] 1.1.2 Ensure that the --basic-auth-file argument is not set (Scored)
[FAIL] 1.1.5 Ensure that the --insecure-bind-address argument is not set (Scored)
[FAIL] 1.1.6 Ensure that the --insecure-port argument is set to 0 (Scored)
[FAIL] 1.1.8 Ensure that the --profiling argument is set to false (Scored)
[FAIL] 1.1.9 Ensure that the --repair-malformed-updates argument is set to false (Scored)
[FAIL] 1.1.11 Ensure that the admission control plugin AlwaysPullImages is set (Scored)
[FAIL] 1.1.16 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)
[FAIL] 1.1.17 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)
[FAIL] 1.1.19 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
[FAIL] 1.1.20 Ensure that the --token-auth-file parameter is not set (Scored)
[FAIL] 1.1.24 Ensure that the admission control plugin PodSecurityPolicy is set (Scored)
[FAIL] 1.1.32 Ensure that the --authorization-mode argument is set to Node (Scored)
[FAIL] 1.1.33 Ensure that the admission control plugin NodeRestriction is set (Scored)
[FAIL] 1.1.36 Ensure that the admission control plugin EventRateLimit is set (Scored)
[FAIL] 1.1.39 Ensure that the --authorization-mode argument includes RBAC (Scored)
[FAIL] 1.2.1 Ensure that the --profiling argument is set to false (Scored)
[FAIL] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)
[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Scored)
[FAIL] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored)
[FAIL] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
[FAIL] 1.4.7 Ensure that the etcd snap config file permissions are set to 644 or more restrictive (Scored)
[FAIL] 1.4.8 Ensure that the etcd snap config file ownership is set to root:root (Scored)
[FAIL] 1.4.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)
[FAIL] 1.4.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)
[FAIL] 1.5.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)
[FAIL] 1.5.2 Ensure that the --client-cert-auth argument is set to true (Scored)
26 checks FAIL
-----