2024-09-12 18:16:15,153 - xtesting.ci.run_tests - INFO - Deployment description:
+-------------------------+------------------------------------------------------------+
| ENV VAR                 | VALUE                                                      |
+-------------------------+------------------------------------------------------------+
| CI_LOOP                 | daily                                                      |
| DEBUG                   | false                                                      |
| DEPLOY_SCENARIO         | k8-nosdn-nofeature-noha                                    |
| INSTALLER_TYPE          | unknown                                                    |
| BUILD_TAG               | 0K41XQKXLFFQ                                               |
| NODE_NAME               | v1.30                                                      |
| TEST_DB_URL             | http://testresults.opnfv.org/test/api/v1/results           |
| TEST_DB_EXT_URL         | http://testresults.opnfv.org/test/api/v1/results           |
| S3_ENDPOINT_URL         | https://storage.googleapis.com                             |
| S3_DST_URL              | s3://artifacts.opnfv.org/functest-                         |
|                         | kubernetes/0K41XQKXLFFQ/functest-kubernetes-opnfv-         |
|                         | functest-kubernetes-                                       |
|                         | security-v1.30-kube_bench_master-run-2                     |
| HTTP_DST_URL            | http://artifacts.opnfv.org/functest-                       |
|                         | kubernetes/0K41XQKXLFFQ/functest-kubernetes-opnfv-         |
|                         | functest-kubernetes-                                       |
|                         | security-v1.30-kube_bench_master-run-2                     |
+-------------------------+------------------------------------------------------------+
2024-09-12 18:16:15,162 - xtesting.ci.run_tests - INFO - Loading test case 'kube_bench_master'...
2024-09-12 18:16:15,654 - xtesting.ci.run_tests - INFO - Running test case 'kube_bench_master'...
2024-09-12 18:16:15,725 - functest_kubernetes.security.security - INFO - Job kube-bench-master created 2024-09-12 18:16:19,892 - functest_kubernetes.security.security - INFO - kube-bench-master started in 4.24 sec 2024-09-12 18:16:19,937 - functest_kubernetes.security.security - INFO - {'Controls': [{'id': '1', 'version': 'cis-1.23', 'detected_version': '1.30', 'text': 'Control Plane Security Configuration', 'node_type': 'master', 'tests': [{'section': '1.1', 'type': '', 'pass': 18, 'fail': 1, 'warn': 2, 'info': 0, 'desc': 'Control Plane Node Configuration Files', 'results': [{'test_number': '1.1.1', 'test_desc': 'Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)', 'audit': "/bin/sh -c 'if test -e /etc/kubernetes/manifests/kube-apiserver.yaml; then stat -c permissions=%a /etc/kubernetes/manifests/kube-apiserver.yaml; fi'", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the\ncontrol plane node.\nFor example, chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml\n', 'test_info': ['Run the below command (based on the file location on your system) on the\ncontrol plane node.\nFor example, chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml\n'], 'status': 'PASS', 'actual_value': 'permissions=600', 'scored': True, 'IsMultiple': False, 'expected_result': 'permissions has permissions 600, expected 644 or more restrictive'}, {'test_number': '1.1.2', 'test_desc': 'Ensure that the API server pod specification file ownership is set to root:root (Automated)', 'audit': "/bin/sh -c 'if test -e /etc/kubernetes/manifests/kube-apiserver.yaml; then stat -c %U:%G /etc/kubernetes/manifests/kube-apiserver.yaml; fi'", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the control plane node.\nFor example, chown root:root 
/etc/kubernetes/manifests/kube-apiserver.yaml\n', 'test_info': ['Run the below command (based on the file location on your system) on the control plane node.\nFor example, chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml\n'], 'status': 'PASS', 'actual_value': 'root:root', 'scored': True, 'IsMultiple': False, 'expected_result': "'root:root' is present"}, {'test_number': '1.1.3', 'test_desc': 'Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)', 'audit': "/bin/sh -c 'if test -e /etc/kubernetes/manifests/kube-controller-manager.yaml; then stat -c permissions=%a /etc/kubernetes/manifests/kube-controller-manager.yaml; fi'", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the control plane node.\nFor example, chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml\n', 'test_info': ['Run the below command (based on the file location on your system) on the control plane node.\nFor example, chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml\n'], 'status': 'PASS', 'actual_value': 'permissions=600', 'scored': True, 'IsMultiple': False, 'expected_result': 'permissions has permissions 600, expected 644 or more restrictive'}, {'test_number': '1.1.4', 'test_desc': 'Ensure that the controller manager pod specification file ownership is set to root:root (Automated)', 'audit': "/bin/sh -c 'if test -e /etc/kubernetes/manifests/kube-controller-manager.yaml; then stat -c %U:%G /etc/kubernetes/manifests/kube-controller-manager.yaml; fi'", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the control plane node.\nFor example, chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml\n', 'test_info': ['Run the below command (based on the file location on your system) on the control plane node.\nFor example, chown 
root:root /etc/kubernetes/manifests/kube-controller-manager.yaml\n'], 'status': 'PASS', 'actual_value': 'root:root', 'scored': True, 'IsMultiple': False, 'expected_result': "'root:root' is present"}, {'test_number': '1.1.5', 'test_desc': 'Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)', 'audit': "/bin/sh -c 'if test -e /etc/kubernetes/manifests/kube-scheduler.yaml; then stat -c permissions=%a /etc/kubernetes/manifests/kube-scheduler.yaml; fi'", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the control plane node.\nFor example, chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml\n', 'test_info': ['Run the below command (based on the file location on your system) on the control plane node.\nFor example, chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml\n'], 'status': 'PASS', 'actual_value': 'permissions=600', 'scored': True, 'IsMultiple': False, 'expected_result': 'permissions has permissions 600, expected 644 or more restrictive'}, {'test_number': '1.1.6', 'test_desc': 'Ensure that the scheduler pod specification file ownership is set to root:root (Automated)', 'audit': "/bin/sh -c 'if test -e /etc/kubernetes/manifests/kube-scheduler.yaml; then stat -c %U:%G /etc/kubernetes/manifests/kube-scheduler.yaml; fi'", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the control plane node.\nFor example, chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml\n', 'test_info': ['Run the below command (based on the file location on your system) on the control plane node.\nFor example, chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml\n'], 'status': 'PASS', 'actual_value': 'root:root', 'scored': True, 'IsMultiple': False, 'expected_result': "'root:root' is present"}, {'test_number': '1.1.7', 'test_desc': 'Ensure that the 
etcd pod specification file permissions are set to 644 or more restrictive (Automated)', 'audit': "/bin/sh -c 'if test -e /etc/kubernetes/manifests/etcd.yaml; then find /etc/kubernetes/manifests/etcd.yaml -name '*etcd*' | xargs stat -c permissions=%a; fi'", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod 644 /etc/kubernetes/manifests/etcd.yaml\n', 'test_info': ['Run the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod 644 /etc/kubernetes/manifests/etcd.yaml\n'], 'status': 'PASS', 'actual_value': 'permissions=600', 'scored': True, 'IsMultiple': True, 'expected_result': 'permissions has permissions 600, expected 644 or more restrictive'}, {'test_number': '1.1.8', 'test_desc': 'Ensure that the etcd pod specification file ownership is set to root:root (Automated)', 'audit': "/bin/sh -c 'if test -e /etc/kubernetes/manifests/etcd.yaml; then find /etc/kubernetes/manifests/etcd.yaml -name '*etcd*' | xargs stat -c %U:%G; fi'", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the control plane node.\nFor example,\nchown root:root /etc/kubernetes/manifests/etcd.yaml\n', 'test_info': ['Run the below command (based on the file location on your system) on the control plane node.\nFor example,\nchown root:root /etc/kubernetes/manifests/etcd.yaml\n'], 'status': 'PASS', 'actual_value': 'root:root', 'scored': True, 'IsMultiple': True, 'expected_result': "'root:root' is present"}, {'test_number': '1.1.9', 'test_desc': 'Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)', 'audit': "ps -ef | grep kubelet | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\\([^ ]*\\).*%\\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c permissions=%a\nfind 
/var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a\n", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the control plane node.\nFor example, chmod 644 \n', 'test_info': ['Run the below command (based on the file location on your system) on the control plane node.\nFor example, chmod 644 \n'], 'status': 'WARN', 'actual_value': '', 'scored': False, 'IsMultiple': True, 'expected_result': "'permissions' is present"}, {'test_number': '1.1.10', 'test_desc': 'Ensure that the Container Network Interface file ownership is set to root:root (Manual)', 'audit': "ps -ef | grep kubelet | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\\([^ ]*\\).*%\\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G\nfind /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G\n", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the control plane node.\nFor example,\nchown root:root \n', 'test_info': ['Run the below command (based on the file location on your system) on the control plane node.\nFor example,\nchown root:root \n'], 'status': 'WARN', 'actual_value': '', 'scored': False, 'IsMultiple': True, 'expected_result': "'root:root' is present"}, {'test_number': '1.1.11', 'test_desc': 'Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)', 'audit': "ps -ef | grep etcd | grep -- --data-dir | sed 's%.*data-dir[= ]\\([^ ]*\\).*%\\1%' | xargs stat -c permissions=%a", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': "On the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above). 
For example,\nchmod 700 /var/lib/etcd\n", 'test_info': ["On the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above). For example,\nchmod 700 /var/lib/etcd\n"], 'status': 'PASS', 'actual_value': 'permissions=700', 'scored': True, 'IsMultiple': False, 'expected_result': 'permissions has permissions 700, expected 700 or more restrictive'}, {'test_number': '1.1.12', 'test_desc': 'Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)', 'audit': "ps -ef | grep etcd | grep -- --data-dir | sed 's%.*data-dir[= ]\\([^ ]*\\).*%\\1%' | xargs stat -c %U:%G", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': "On the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above).\nFor example, chown etcd:etcd /var/lib/etcd\n", 'test_info': ["On the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above).\nFor example, chown etcd:etcd /var/lib/etcd\n"], 'status': 'FAIL', 'actual_value': 'root:root', 'scored': True, 'IsMultiple': False, 'expected_result': "'etcd:etcd' is present"}, {'test_number': '1.1.13', 'test_desc': 'Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)', 'audit': "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions=%a /etc/kubernetes/admin.conf; fi'", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the control plane node.\nFor example, chmod 600 /etc/kubernetes/admin.conf\n', 'test_info': ['Run the below command (based on the file location on your system) on the control plane node.\nFor 
example, chmod 600 /etc/kubernetes/admin.conf\n'], 'status': 'PASS', 'actual_value': 'permissions=600', 'scored': True, 'IsMultiple': False, 'expected_result': 'permissions has permissions 600, expected 600 or more restrictive'}, {'test_number': '1.1.14', 'test_desc': 'Ensure that the admin.conf file ownership is set to root:root (Automated)', 'audit': "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %U:%G /etc/kubernetes/admin.conf; fi'", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the control plane node.\nFor example, chown root:root /etc/kubernetes/admin.conf\n', 'test_info': ['Run the below command (based on the file location on your system) on the control plane node.\nFor example, chown root:root /etc/kubernetes/admin.conf\n'], 'status': 'PASS', 'actual_value': 'root:root', 'scored': True, 'IsMultiple': False, 'expected_result': "'root:root' is present"}, {'test_number': '1.1.15', 'test_desc': 'Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)', 'audit': "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c permissions=%a /etc/kubernetes/scheduler.conf; fi'", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod 644 /etc/kubernetes/scheduler.conf\n', 'test_info': ['Run the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod 644 /etc/kubernetes/scheduler.conf\n'], 'status': 'PASS', 'actual_value': 'permissions=600', 'scored': True, 'IsMultiple': False, 'expected_result': 'permissions has permissions 600, expected 644 or more restrictive'}, {'test_number': '1.1.16', 'test_desc': 'Ensure that the scheduler.conf file ownership is set to root:root (Automated)', 'audit': "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then 
stat -c %U:%G /etc/kubernetes/scheduler.conf; fi'", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the control plane node.\nFor example,\nchown root:root /etc/kubernetes/scheduler.conf\n', 'test_info': ['Run the below command (based on the file location on your system) on the control plane node.\nFor example,\nchown root:root /etc/kubernetes/scheduler.conf\n'], 'status': 'PASS', 'actual_value': 'root:root', 'scored': True, 'IsMultiple': False, 'expected_result': "'root:root' is present"}, {'test_number': '1.1.17', 'test_desc': 'Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)', 'audit': "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c permissions=%a /etc/kubernetes/controller-manager.conf; fi'", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod 644 /etc/kubernetes/controller-manager.conf\n', 'test_info': ['Run the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod 644 /etc/kubernetes/controller-manager.conf\n'], 'status': 'PASS', 'actual_value': 'permissions=600', 'scored': True, 'IsMultiple': False, 'expected_result': 'permissions has permissions 600, expected 644 or more restrictive'}, {'test_number': '1.1.18', 'test_desc': 'Ensure that the controller-manager.conf file ownership is set to root:root (Automated)', 'audit': "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c %U:%G /etc/kubernetes/controller-manager.conf; fi'", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the control plane node.\nFor example,\nchown root:root /etc/kubernetes/controller-manager.conf\n', 'test_info': ['Run the below command (based 
on the file location on your system) on the control plane node.\nFor example,\nchown root:root /etc/kubernetes/controller-manager.conf\n'], 'status': 'PASS', 'actual_value': 'root:root', 'scored': True, 'IsMultiple': False, 'expected_result': "'root:root' is present"}, {'test_number': '1.1.19', 'test_desc': 'Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)', 'audit': 'find /etc/kubernetes/pki/ | xargs stat -c %U:%G', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the control plane node.\nFor example,\nchown -R root:root /etc/kubernetes/pki/\n', 'test_info': ['Run the below command (based on the file location on your system) on the control plane node.\nFor example,\nchown -R root:root /etc/kubernetes/pki/\n'], 'status': 'PASS', 'actual_value': 'root:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root', 'scored': True, 'IsMultiple': True, 'expected_result': "'root:root' is present"}, {'test_number': '1.1.20', 'test_desc': 'Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)', 'audit': "find /etc/kubernetes/pki/ -name '*.crt' | xargs stat -c permissions=%a", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod -R 644 /etc/kubernetes/pki/*.crt\n', 'test_info': ['Run the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod -R 644 /etc/kubernetes/pki/*.crt\n'], 'status': 'PASS', 'actual_value': 
'permissions=644\npermissions=644\npermissions=644\npermissions=644\npermissions=644\npermissions=644\npermissions=644\npermissions=644\npermissions=644\npermissions=644', 'scored': False, 'IsMultiple': True, 'expected_result': 'permissions has permissions 644, expected 644 or more restrictive'}, {'test_number': '1.1.21', 'test_desc': 'Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)', 'audit': "find /etc/kubernetes/pki/ -name '*.key' | xargs stat -c permissions=%a", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod -R 600 /etc/kubernetes/pki/*.key\n', 'test_info': ['Run the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod -R 600 /etc/kubernetes/pki/*.key\n'], 'status': 'PASS', 'actual_value': 'permissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600', 'scored': False, 'IsMultiple': True, 'expected_result': 'permissions has permissions 600, expected 600 or more restrictive'}]}, {'section': '1.2', 'type': '', 'pass': 18, 'fail': 6, 'warn': 8, 'info': 0, 'desc': 'API Server', 'results': [{'test_number': '1.2.1', 'test_desc': 'Ensure that the --anonymous-auth argument is set to false (Manual)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--anonymous-auth=false\n', 'test_info': ['Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--anonymous-auth=false\n'], 'status': 'WARN', 'actual_value': 'root 667 378 16 10:12 ? 
01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': False, 'IsMultiple': False, 'expected_result': "'--anonymous-auth' is present"}, {'test_number': '1.2.2', 'test_desc': 'Ensure that the --token-auth-file parameter is not set (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Follow the documentation and configure alternate mechanisms for authentication. 
Then,\nedit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the --token-auth-file= parameter.\n', 'test_info': ['Follow the documentation and configure alternate mechanisms for authentication. Then,\nedit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the --token-auth-file= parameter.\n'], 'status': 'PASS', 'actual_value': 'root 667 378 16 10:12 ? 01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': 
True, 'IsMultiple': False, 'expected_result': "'--token-auth-file' is not present"}, {'test_number': '1.2.3', 'test_desc': 'Ensure that the --DenyServiceExternalIPs is not set (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the `DenyServiceExternalIPs`\nfrom enabled admission plugins.\n', 'test_info': ['Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the `DenyServiceExternalIPs`\nfrom enabled admission plugins.\n'], 'status': 'PASS', 'actual_value': 'root 667 378 16 10:12 ? 01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local 
--service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': False, 'expected_result': "'--enable-admission-plugins' does not have 'DenyServiceExternalIPs' OR '--enable-admission-plugins' is not present"}, {'test_number': '1.2.4', 'test_desc': 'Ensure that the --kubelet-https argument is set to true (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the --kubelet-https parameter.\n', 'test_info': ['Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the --kubelet-https parameter.\n'], 'status': 'PASS', 'actual_value': 'root 667 378 16 10:12 ? 
01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': False, 'expected_result': "'--kubelet-https' is present OR '--kubelet-https' is not present"}, {'test_number': '1.2.5', 'test_desc': 'Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Follow the Kubernetes documentation and set up the TLS connection between the\napiserver and kubelets. 
Then, edit API server pod specification file\n/etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the\nkubelet client certificate and key parameters as below.\n--kubelet-client-certificate=\n--kubelet-client-key=\n', 'test_info': ['Follow the Kubernetes documentation and set up the TLS connection between the\napiserver and kubelets. Then, edit API server pod specification file\n/etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the\nkubelet client certificate and key parameters as below.\n--kubelet-client-certificate=\n--kubelet-client-key=\n'], 'status': 'PASS', 'actual_value': 'root 667 378 16 10:12 ? 01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub 
--service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': False, 'expected_result': "'--kubelet-client-certificate' is present AND '--kubelet-client-key' is present"}, {'test_number': '1.2.6', 'test_desc': 'Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Follow the Kubernetes documentation and setup the TLS connection between\nthe apiserver and kubelets. Then, edit the API server pod specification file\n/etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the\n--kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.\n--kubelet-certificate-authority=\n', 'test_info': ['Follow the Kubernetes documentation and setup the TLS connection between\nthe apiserver and kubelets. Then, edit the API server pod specification file\n/etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the\n--kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.\n--kubelet-certificate-authority=\n'], 'status': 'FAIL', 'actual_value': 'root 667 378 16 10:12 ? 
01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': False, 'expected_result': "'--kubelet-certificate-authority' is present"}, {'test_number': '1.2.7', 'test_desc': 'Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode 
parameter to values other than AlwaysAllow.\nOne such example could be as below.\n--authorization-mode=RBAC\n', 'test_info': ['Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to values other than AlwaysAllow.\nOne such example could be as below.\n--authorization-mode=RBAC\n'], 'status': 'PASS', 'actual_value': 'root 667 378 16 10:12 ? 01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': False, 'expected_result': 
"'--authorization-mode' does not have 'AlwaysAllow'"}, {'test_number': '1.2.8', 'test_desc': 'Ensure that the --authorization-mode argument includes Node (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to a value that includes Node.\n--authorization-mode=Node,RBAC\n', 'test_info': ['Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to a value that includes Node.\n--authorization-mode=Node,RBAC\n'], 'status': 'PASS', 'actual_value': 'root 667 378 16 10:12 ? 01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 
--service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': False, 'expected_result': "'--authorization-mode' has 'Node'"}, {'test_number': '1.2.9', 'test_desc': 'Ensure that the --authorization-mode argument includes RBAC (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to a value that includes RBAC,\nfor example `--authorization-mode=Node,RBAC`.\n', 'test_info': ['Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to a value that includes RBAC,\nfor example `--authorization-mode=Node,RBAC`.\n'], 'status': 'PASS', 'actual_value': 'root 667 378 16 10:12 ? 
01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': False, 'expected_result': "'--authorization-mode' has 'RBAC'"}, {'test_number': '1.2.10', 'test_desc': 'Ensure that the admission control plugin EventRateLimit is set (Manual)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Follow the Kubernetes documentation and set the desired limits in a configuration file.\nThen, edit the API server pod specification file 
/etc/kubernetes/manifests/kube-apiserver.yaml\nand set the below parameters.\n--enable-admission-plugins=...,EventRateLimit,...\n--admission-control-config-file=\n', 'test_info': ['Follow the Kubernetes documentation and set the desired limits in a configuration file.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\nand set the below parameters.\n--enable-admission-plugins=...,EventRateLimit,...\n--admission-control-config-file=\n'], 'status': 'WARN', 'actual_value': 'root 667 378 16 10:12 ? 01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt 
--tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': False, 'IsMultiple': False, 'expected_result': "'--enable-admission-plugins' has 'EventRateLimit'"}, {'test_number': '1.2.11', 'test_desc': 'Ensure that the admission control plugin AlwaysAdmit is not set (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and either remove the --enable-admission-plugins parameter, or set it to a\nvalue that does not include AlwaysAdmit.\n', 'test_info': ['Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and either remove the --enable-admission-plugins parameter, or set it to a\nvalue that does not include AlwaysAdmit.\n'], 'status': 'PASS', 'actual_value': 'root 667 378 16 10:12 ? 01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- 
--requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': False, 'expected_result': "'--enable-admission-plugins' does not have 'AlwaysAdmit' OR '--enable-admission-plugins' is not present"}, {'test_number': '1.2.12', 'test_desc': 'Ensure that the admission control plugin AlwaysPullImages is set (Manual)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to include\nAlwaysPullImages.\n--enable-admission-plugins=...,AlwaysPullImages,...\n', 'test_info': ['Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to include\nAlwaysPullImages.\n--enable-admission-plugins=...,AlwaysPullImages,...\n'], 'status': 'WARN', 'actual_value': 'root 667 378 16 10:12 ? 
01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': False, 'IsMultiple': False, 'expected_result': "'--enable-admission-plugins' has 'AlwaysPullImages'"}, {'test_number': '1.2.13', 'test_desc': 'Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and 
set the --enable-admission-plugins parameter to include\nSecurityContextDeny, unless PodSecurityPolicy is already in place.\n--enable-admission-plugins=...,SecurityContextDeny,...\n', 'test_info': ['Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to include\nSecurityContextDeny, unless PodSecurityPolicy is already in place.\n--enable-admission-plugins=...,SecurityContextDeny,...\n'], 'status': 'WARN', 'actual_value': 'root 667 378 16 10:12 ? 01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt 
--tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': False, 'IsMultiple': False, 'expected_result': "'--enable-admission-plugins' has 'SecurityContextDeny' OR '--enable-admission-plugins' has 'PodSecurityPolicy'"}, {'test_number': '1.2.14', 'test_desc': 'Ensure that the admission control plugin ServiceAccount is set (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Follow the documentation and create ServiceAccount objects as per your environment.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and ensure that the --disable-admission-plugins parameter is set to a\nvalue that does not include ServiceAccount.\n', 'test_info': ['Follow the documentation and create ServiceAccount objects as per your environment.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and ensure that the --disable-admission-plugins parameter is set to a\nvalue that does not include ServiceAccount.\n'], 'status': 'PASS', 'actual_value': 'root 667 378 16 10:12 ? 
01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': False, 'expected_result': "'--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"}, {'test_number': '1.2.15', 'test_desc': 'Ensure that the admission control plugin NamespaceLifecycle is set (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node 
and set the --disable-admission-plugins parameter to\nensure it does not include NamespaceLifecycle.\n', 'test_info': ['Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --disable-admission-plugins parameter to\nensure it does not include NamespaceLifecycle.\n'], 'status': 'PASS', 'actual_value': 'root 667 378 16 10:12 ? 01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': False, 'expected_result': "'--disable-admission-plugins' is present OR 
'--disable-admission-plugins' is not present"}, {'test_number': '1.2.16', 'test_desc': 'Ensure that the admission control plugin NodeRestriction is set (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to a\nvalue that includes NodeRestriction.\n--enable-admission-plugins=...,NodeRestriction,...\n', 'test_info': ['Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to a\nvalue that includes NodeRestriction.\n--enable-admission-plugins=...,NodeRestriction,...\n'], 'status': 'PASS', 'actual_value': 'root 667 378 16 10:12 ? 
01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': False, 'expected_result': "'--enable-admission-plugins' has 'NodeRestriction'"}, {'test_number': '1.2.17', 'test_desc': 'Ensure that the --secure-port argument is not set to 0 (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and either remove the --secure-port parameter 
or\nset it to a different (non-zero) desired port.\n', 'test_info': ['Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and either remove the --secure-port parameter or\nset it to a different (non-zero) desired port.\n'], 'status': 'PASS', 'actual_value': 'root 667 378 16 10:12 ? 01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': False, 'expected_result': "'--secure-port' is greater than 0 OR '--secure-port' is not present"}, {'test_number': '1.2.18', 
'test_desc': 'Ensure that the --profiling argument is set to false (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--profiling=false\n', 'test_info': ['Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--profiling=false\n'], 'status': 'FAIL', 'actual_value': 'root 667 378 16 10:12 ? 01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 
--tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': False, 'expected_result': "'--profiling' is present"}, {'test_number': '1.2.19', 'test_desc': 'Ensure that the --audit-log-path argument is set (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-path parameter to a suitable path and\nfile where you would like audit logs to be written, for example,\n--audit-log-path=/var/log/apiserver/audit.log\n', 'test_info': ['Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-path parameter to a suitable path and\nfile where you would like audit logs to be written, for example,\n--audit-log-path=/var/log/apiserver/audit.log\n'], 'status': 'FAIL', 'actual_value': 'root 667 378 16 10:12 ? 
01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': False, 'expected_result': "'--audit-log-path' is present"}, {'test_number': '1.2.20', 'test_desc': 'Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxage parameter to 30\nor 
as an appropriate number of days, for example,\n--audit-log-maxage=30\n', 'test_info': ['Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxage parameter to 30\nor as an appropriate number of days, for example,\n--audit-log-maxage=30\n'], 'status': 'FAIL', 'actual_value': 'root 667 378 16 10:12 ? 01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': False, 'expected_result': "'--audit-log-maxage' is present"}, {'test_number': '1.2.21', 
'test_desc': 'Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate\nvalue. For example,\n--audit-log-maxbackup=10\n', 'test_info': ['Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate\nvalue. For example,\n--audit-log-maxbackup=10\n'], 'status': 'FAIL', 'actual_value': 'root 667 378 16 10:12 ? 01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 
--service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': False, 'expected_result': "'--audit-log-maxbackup' is present"}, {'test_number': '1.2.22', 'test_desc': 'Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB.\nFor example, to set it as 100 MB, --audit-log-maxsize=100\n', 'test_info': ['Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB.\nFor example, to set it as 100 MB, --audit-log-maxsize=100\n'], 'status': 'FAIL', 'actual_value': 'root 667 378 16 10:12 ? 
01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': False, 'expected_result': "'--audit-log-maxsize' is present"}, {'test_number': '1.2.23', 'test_desc': 'Ensure that the --request-timeout argument is set as appropriate (Manual)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\nand set the below parameter as appropriate and if needed.\nFor example, 
--request-timeout=300s\n', 'test_info': ['Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\nand set the below parameter as appropriate and if needed.\nFor example, --request-timeout=300s\n'], 'status': 'WARN', 'actual_value': '', 'scored': False, 'IsMultiple': False, 'expected_result': '', 'reason': 'Test marked as a manual test'}, {'test_number': '1.2.24', 'test_desc': 'Ensure that the --service-account-lookup argument is set to true (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--service-account-lookup=true\nAlternatively, you can delete the --service-account-lookup parameter from this file so\nthat the default takes effect.\n', 'test_info': ['Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--service-account-lookup=true\nAlternatively, you can delete the --service-account-lookup parameter from this file so\nthat the default takes effect.\n'], 'status': 'PASS', 'actual_value': 'root 667 378 16 10:12 ? 
01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': False, 'expected_result': "'--service-account-lookup' is not present OR '--service-account-lookup' is present"}, {'test_number': '1.2.25', 'test_desc': 'Ensure that the --service-account-key-file argument is set as appropriate (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane 
node and set the --service-account-key-file parameter\nto the public key file for service accounts. For example,\n--service-account-key-file=\n', 'test_info': ['Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --service-account-key-file parameter\nto the public key file for service accounts. For example,\n--service-account-key-file=\n'], 'status': 'PASS', 'actual_value': 'root 667 378 16 10:12 ? 01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': 
False, 'expected_result': "'--service-account-key-file' is present"}, {'test_number': '1.2.26', 'test_desc': 'Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the etcd certificate and key file parameters.\n--etcd-certfile=\n--etcd-keyfile=\n', 'test_info': ['Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the etcd certificate and key file parameters.\n--etcd-certfile=\n--etcd-keyfile=\n'], 'status': 'PASS', 'actual_value': 'root 667 378 16 10:12 ? 
01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': False, 'expected_result': "'--etcd-certfile' is present AND '--etcd-keyfile' is present"}, {'test_number': '1.2.27', 'test_desc': 'Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Follow the Kubernetes documentation and set up the TLS connection on the apiserver.\nThen, edit the API server pod 
specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the TLS certificate and private key file parameters.\n--tls-cert-file=\n--tls-private-key-file=\n', 'test_info': ['Follow the Kubernetes documentation and set up the TLS connection on the apiserver.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the TLS certificate and private key file parameters.\n--tls-cert-file=\n--tls-private-key-file=\n'], 'status': 'PASS', 'actual_value': 'root 667 378 16 10:12 ? 01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 
--tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': False, 'expected_result': "'--tls-cert-file' is present AND '--tls-private-key-file' is present"}, {'test_number': '1.2.28', 'test_desc': 'Ensure that the --client-ca-file argument is set as appropriate (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Follow the Kubernetes documentation and set up the TLS connection on the apiserver.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the client certificate authority file.\n--client-ca-file=\n', 'test_info': ['Follow the Kubernetes documentation and set up the TLS connection on the apiserver.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the client certificate authority file.\n--client-ca-file=\n'], 'status': 'PASS', 'actual_value': 'root 667 378 16 10:12 ? 
01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': False, 'expected_result': "'--client-ca-file' is present"}, {'test_number': '1.2.29', 'test_desc': 'Ensure that the --etcd-cafile argument is set as appropriate (Automated)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.\nThen, edit the API server pod specification file 
/etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the etcd certificate authority file parameter.\n--etcd-cafile=\n', 'test_info': ['Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the etcd certificate authority file parameter.\n--etcd-cafile=\n'], 'status': 'PASS', 'actual_value': 'root 667 378 16 10:12 ? 01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt 
--tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': True, 'IsMultiple': False, 'expected_result': "'--etcd-cafile' is present"}, {'test_number': '1.2.30', 'test_desc': 'Ensure that the --encryption-provider-config argument is set as appropriate (Manual)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Follow the Kubernetes documentation and configure a EncryptionConfig file.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --encryption-provider-config parameter to the path of that file.\nFor example, --encryption-provider-config=\n', 'test_info': ['Follow the Kubernetes documentation and configure a EncryptionConfig file.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --encryption-provider-config parameter to the path of that file.\nFor example, --encryption-provider-config=\n'], 'status': 'WARN', 'actual_value': 'root 667 378 16 10:12 ? 
01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': False, 'IsMultiple': False, 'expected_result': "'--encryption-provider-config' is present"}, {'test_number': '1.2.31', 'test_desc': 'Ensure that encryption providers are appropriately configured (Manual)', 'audit': 'ENCRYPTION_PROVIDER_CONFIG=$(ps -ef | grep kube-apiserver | grep -- --encryption-provider-config | sed \'s%.*encryption-provider-config[= ]\\([^ ]*\\).*%\\1%\')\nif test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -A1 \'providers:\' $ENCRYPTION_PROVIDER_CONFIG | tail -n1 | grep -o 
"[A-Za-z]*" | sed \'s/^/provider=/\'; fi\n', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Follow the Kubernetes documentation and configure a EncryptionConfig file.\nIn this file, choose aescbc, kms or secretbox as the encryption provider.\n', 'test_info': ['Follow the Kubernetes documentation and configure a EncryptionConfig file.\nIn this file, choose aescbc, kms or secretbox as the encryption provider.\n'], 'status': 'WARN', 'actual_value': '', 'scored': False, 'IsMultiple': False, 'expected_result': "'provider' is present"}, {'test_number': '1.2.32', 'test_desc': 'Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)', 'audit': '/bin/ps -ef | grep kube-apiserver | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,\nTLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\nTLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\nTLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,\nTLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\nTLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,\nTLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,\nTLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384\n', 'test_info': ['Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below 
parameter.\n--tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,\nTLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\nTLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\nTLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,\nTLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\nTLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,\nTLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,\nTLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384\n'], 'status': 'WARN', 'actual_value': 'root 667 378 16 10:12 ? 01:17:28 kube-apiserver --admission-control-config-file=/etc/config/cluster-level-pss.yaml --advertise-address=172.24.0.8 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --runtime-config= --secure-port=6443 
--service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key', 'scored': False, 'IsMultiple': False, 'expected_result': "'--tls-cipher-suites' is present"}]}, {'section': '1.3', 'type': '', 'pass': 5, 'fail': 1, 'warn': 1, 'info': 0, 'desc': 'Controller Manager', 'results': [{'test_number': '1.3.1', 'test_desc': 'Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)', 'audit': '/bin/ps -ef | grep kube-controller-manager | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --terminated-pod-gc-threshold to an appropriate threshold,\nfor example, --terminated-pod-gc-threshold=10\n', 'test_info': ['Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --terminated-pod-gc-threshold to an appropriate threshold,\nfor example, --terminated-pod-gc-threshold=10\n'], 'status': 'WARN', 'actual_value': 'root 653 410 3 10:12 ? 
00:18:32 kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf --bind-address=127.0.0.1 --client-ca-file=/etc/kubernetes/pki/ca.crt --cluster-cidr=10.244.0.0/16 --cluster-name=v130 --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt --cluster-signing-key-file=/etc/kubernetes/pki/ca.key --controllers=*,bootstrapsigner,tokencleaner --enable-hostpath-provisioner=true --kubeconfig=/etc/kubernetes/controller-manager.conf --leader-elect=true --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --root-ca-file=/etc/kubernetes/pki/ca.crt --service-account-private-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --use-service-account-credentials=true', 'scored': False, 'IsMultiple': False, 'expected_result': "'--terminated-pod-gc-threshold' is present"}, {'test_number': '1.3.2', 'test_desc': 'Ensure that the --profiling argument is set to false (Automated)', 'audit': '/bin/ps -ef | grep kube-controller-manager | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the below parameter.\n--profiling=false\n', 'test_info': ['Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the below parameter.\n--profiling=false\n'], 'status': 'FAIL', 'actual_value': 'root 653 410 3 10:12 ? 
00:18:32 kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf --bind-address=127.0.0.1 --client-ca-file=/etc/kubernetes/pki/ca.crt --cluster-cidr=10.244.0.0/16 --cluster-name=v130 --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt --cluster-signing-key-file=/etc/kubernetes/pki/ca.key --controllers=*,bootstrapsigner,tokencleaner --enable-hostpath-provisioner=true --kubeconfig=/etc/kubernetes/controller-manager.conf --leader-elect=true --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --root-ca-file=/etc/kubernetes/pki/ca.crt --service-account-private-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --use-service-account-credentials=true', 'scored': True, 'IsMultiple': False, 'expected_result': "'--profiling' is present"}, {'test_number': '1.3.3', 'test_desc': 'Ensure that the --use-service-account-credentials argument is set to true (Automated)', 'audit': '/bin/ps -ef | grep kube-controller-manager | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node to set the below parameter.\n--use-service-account-credentials=true\n', 'test_info': ['Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node to set the below parameter.\n--use-service-account-credentials=true\n'], 'status': 'PASS', 'actual_value': 'root 653 410 3 10:12 ? 
00:18:32 kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf --bind-address=127.0.0.1 --client-ca-file=/etc/kubernetes/pki/ca.crt --cluster-cidr=10.244.0.0/16 --cluster-name=v130 --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt --cluster-signing-key-file=/etc/kubernetes/pki/ca.key --controllers=*,bootstrapsigner,tokencleaner --enable-hostpath-provisioner=true --kubeconfig=/etc/kubernetes/controller-manager.conf --leader-elect=true --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --root-ca-file=/etc/kubernetes/pki/ca.crt --service-account-private-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --use-service-account-credentials=true', 'scored': True, 'IsMultiple': False, 'expected_result': "'--use-service-account-credentials' is not equal to 'false'"}, {'test_number': '1.3.4', 'test_desc': 'Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)', 'audit': '/bin/ps -ef | grep kube-controller-manager | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --service-account-private-key-file parameter\nto the private key file for service accounts.\n--service-account-private-key-file=\n', 'test_info': ['Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --service-account-private-key-file parameter\nto the private key file for service accounts.\n--service-account-private-key-file=\n'], 'status': 'PASS', 'actual_value': 'root 653 410 3 10:12 ? 
00:18:32 kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf --bind-address=127.0.0.1 --client-ca-file=/etc/kubernetes/pki/ca.crt --cluster-cidr=10.244.0.0/16 --cluster-name=v130 --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt --cluster-signing-key-file=/etc/kubernetes/pki/ca.key --controllers=*,bootstrapsigner,tokencleaner --enable-hostpath-provisioner=true --kubeconfig=/etc/kubernetes/controller-manager.conf --leader-elect=true --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --root-ca-file=/etc/kubernetes/pki/ca.crt --service-account-private-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --use-service-account-credentials=true', 'scored': True, 'IsMultiple': False, 'expected_result': "'--service-account-private-key-file' is present"}, {'test_number': '1.3.5', 'test_desc': 'Ensure that the --root-ca-file argument is set as appropriate (Automated)', 'audit': '/bin/ps -ef | grep kube-controller-manager | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --root-ca-file parameter to the certificate bundle file`.\n--root-ca-file=\n', 'test_info': ['Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --root-ca-file parameter to the certificate bundle file`.\n--root-ca-file=\n'], 'status': 'PASS', 'actual_value': 'root 653 410 3 10:12 ? 
00:18:32 kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf --bind-address=127.0.0.1 --client-ca-file=/etc/kubernetes/pki/ca.crt --cluster-cidr=10.244.0.0/16 --cluster-name=v130 --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt --cluster-signing-key-file=/etc/kubernetes/pki/ca.key --controllers=*,bootstrapsigner,tokencleaner --enable-hostpath-provisioner=true --kubeconfig=/etc/kubernetes/controller-manager.conf --leader-elect=true --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --root-ca-file=/etc/kubernetes/pki/ca.crt --service-account-private-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --use-service-account-credentials=true', 'scored': True, 'IsMultiple': False, 'expected_result': "'--root-ca-file' is present"}, {'test_number': '1.3.6', 'test_desc': 'Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)', 'audit': '/bin/ps -ef | grep kube-controller-manager | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.\n--feature-gates=RotateKubeletServerCertificate=true\n', 'test_info': ['Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.\n--feature-gates=RotateKubeletServerCertificate=true\n'], 'status': 'PASS', 'actual_value': 'root 653 410 3 10:12 ? 
00:18:32 kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf --bind-address=127.0.0.1 --client-ca-file=/etc/kubernetes/pki/ca.crt --cluster-cidr=10.244.0.0/16 --cluster-name=v130 --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt --cluster-signing-key-file=/etc/kubernetes/pki/ca.key --controllers=*,bootstrapsigner,tokencleaner --enable-hostpath-provisioner=true --kubeconfig=/etc/kubernetes/controller-manager.conf --leader-elect=true --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --root-ca-file=/etc/kubernetes/pki/ca.crt --service-account-private-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --use-service-account-credentials=true', 'scored': True, 'IsMultiple': False, 'expected_result': "'--feature-gates' is present OR '--feature-gates' is not present"}, {'test_number': '1.3.7', 'test_desc': 'Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)', 'audit': '/bin/ps -ef | grep kube-controller-manager | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and ensure the correct value for the --bind-address parameter\n', 'test_info': ['Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and ensure the correct value for the --bind-address parameter\n'], 'status': 'PASS', 'actual_value': 'root 653 410 3 10:12 ? 
00:18:32 kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf --bind-address=127.0.0.1 --client-ca-file=/etc/kubernetes/pki/ca.crt --cluster-cidr=10.244.0.0/16 --cluster-name=v130 --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt --cluster-signing-key-file=/etc/kubernetes/pki/ca.key --controllers=*,bootstrapsigner,tokencleaner --enable-hostpath-provisioner=true --kubeconfig=/etc/kubernetes/controller-manager.conf --leader-elect=true --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --root-ca-file=/etc/kubernetes/pki/ca.crt --service-account-private-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=10.96.0.0/16 --use-service-account-credentials=true', 'scored': True, 'IsMultiple': False, 'expected_result': "'--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present"}]}, {'section': '1.4', 'type': '', 'pass': 1, 'fail': 1, 'warn': 0, 'info': 0, 'desc': 'Scheduler', 'results': [{'test_number': '1.4.1', 'test_desc': 'Ensure that the --profiling argument is set to false (Automated)', 'audit': '/bin/ps -ef | grep kube-scheduler | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file\non the control plane node and set the below parameter.\n--profiling=false\n', 'test_info': ['Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file\non the control plane node and set the below parameter.\n--profiling=false\n'], 'status': 'FAIL', 'actual_value': 'root 603 413 0 10:12 ? 
00:03:14 kube-scheduler --authentication-kubeconfig=/etc/kubernetes/scheduler.conf --authorization-kubeconfig=/etc/kubernetes/scheduler.conf --bind-address=127.0.0.1 --kubeconfig=/etc/kubernetes/scheduler.conf --leader-elect=true', 'scored': True, 'IsMultiple': False, 'expected_result': "'--profiling' is present"}, {'test_number': '1.4.2', 'test_desc': 'Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)', 'audit': '/bin/ps -ef | grep kube-scheduler | grep -v grep', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml\non the control plane node and ensure the correct value for the --bind-address parameter\n', 'test_info': ['Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml\non the control plane node and ensure the correct value for the --bind-address parameter\n'], 'status': 'PASS', 'actual_value': 'root 603 413 0 10:12 ? 00:03:14 kube-scheduler --authentication-kubeconfig=/etc/kubernetes/scheduler.conf --authorization-kubeconfig=/etc/kubernetes/scheduler.conf --bind-address=127.0.0.1 --kubeconfig=/etc/kubernetes/scheduler.conf --leader-elect=true', 'scored': True, 'IsMultiple': False, 'expected_result': "'--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present"}]}], 'total_pass': 42, 'total_fail': 9, 'total_warn': 11, 'total_info': 0}], 'Totals': {'total_pass': 42, 'total_fail': 9, 'total_warn': 11, 'total_info': 0}} 2024-09-12 18:16:19,952 - functest_kubernetes.security.security - ERROR - Ensure that the etcd data directory ownership is set to etcd:etcd (Automated) On the etcd server node, get the etcd data directory, passed as an argument --data-dir, from the command 'ps -ef | grep etcd'. Run the below command (based on the etcd data directory found above). 
For example, chown etcd:etcd /var/lib/etcd
2024-09-12 18:16:19,952 - functest_kubernetes.security.security - ERROR - Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated) Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority. --kubelet-certificate-authority=
2024-09-12 18:16:19,954 - functest_kubernetes.security.security - ERROR - Ensure that the --profiling argument is set to false (Automated) Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the below parameter. --profiling=false
2024-09-12 18:16:19,954 - functest_kubernetes.security.security - ERROR - Ensure that the --audit-log-path argument is set (Automated) Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example, --audit-log-path=/var/log/apiserver/audit.log
2024-09-12 18:16:19,954 - functest_kubernetes.security.security - ERROR - Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated) Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days, for example, --audit-log-maxage=30
2024-09-12 18:16:19,954 - functest_kubernetes.security.security - ERROR - Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated) Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate value. For example, --audit-log-maxbackup=10
2024-09-12 18:16:19,954 - functest_kubernetes.security.security - ERROR - Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated) Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB. For example, to set it as 100 MB, --audit-log-maxsize=100
2024-09-12 18:16:19,954 - functest_kubernetes.security.security - ERROR - Ensure that the --profiling argument is set to false (Automated) Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the control plane node and set the below parameter. --profiling=false
2024-09-12 18:16:19,954 - functest_kubernetes.security.security - ERROR - Ensure that the --profiling argument is set to false (Automated) Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file on the control plane node and set the below parameter. --profiling=false
2024-09-12 18:16:19,956 - functest_kubernetes.security.security - WARNING - Targets:
+-------------------+------------------+------------------------------------------------+--------------+--------------+--------------+
|     NODE_TYPE     |     VERSION      |                   TEST_DESC                    |     PASS     |     FAIL     |     WARN     |
+-------------------+------------------+------------------------------------------------+--------------+--------------+--------------+
|      master       |     cis-1.23     |     Control Plane Node Configuration Files     |      18      |      1       |      2       |
|      master       |     cis-1.23     |                   API Server                   |      18      |      6       |      8       |
|      master       |     cis-1.23     |               Controller Manager               |      5       |      1       |      1       |
|      master       |     cis-1.23     |                   Scheduler                    |      1       |      1       |      0       |
+-------------------+------------------+------------------------------------------------+--------------+--------------+--------------+
2024-09-12 18:16:19,956 - xtesting.ci.run_tests - INFO - Test result:
+---------------------------+------------------+------------------+----------------+
|         TEST CASE         |     PROJECT      |     DURATION     |     RESULT     |
+---------------------------+------------------+------------------+----------------+
|     kube_bench_master     |     functest     |      00:04       |      PASS      |
+---------------------------+------------------+------------------+----------------+