Required fixes for rke-cis 1.7 / 1.28 / 1.29 #1780
Assignees
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Following issues has to be updated
1.1.11 => folder name should be updated from /node/var/lib/etcd to /var/lib/etcd
1.3.7 / 1.4.2 => the check is wrong - the reuqired logic is to find if bind-address is exists and equal to 127.0.0.1
id: 1.3.7
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
bin_op: or
test_items:
- flag: "--bind-address"
compare:
op: eq
value: "127.0.0.1"
- flag: "--bind-address"
set: false
remediation: |
Edit the Controller Manager pod specification file $controllermanagerconf
on the control plane node and ensure the correct value for the --bind-address parameter
scored: true
run example:
ubuntu@ip-10-0-5-7: /bin/ps -ef | grep kube-controller-manager | grep -v grep
root 2333 2313 1 Jan19 ? 00:14:07 kube-controller-manager --kubeconfig=/etc/kubernetes/ssl/kubecfg-kube-controller-manager.yaml --v=2 --cloud-provider= --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=1000 --cluster-cidr=10.42.0.0/16 --enable-hostpath-provisioner=false --allocate-node-cidrs=true --allow-untagged-cloud=true --configure-cloud-routes=false --leader-elect=true --profiling=false --authentication-kubeconfig=/etc/kubernetes/ssl/kubecfg-kube-controller-manager.yaml --service-account-private-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem --authorization-kubeconfig=/etc/kubernetes/ssl/kubecfg-kube-controller-manager.yaml --node-monitor-grace-period=40s --pod-eviction-timeout=5m0s --root-ca-file=/etc/kubernetes/ssl/kube-ca.pem --use-service-account-credentials=true
ubuntu@ip-10-0-5-7:
but the expected result shows:
Expected Result
'--bind-address' is present OR '--bind-address' is not present
The text was updated successfully, but these errors were encountered: