2021-01-01 19:39:27,399 - xtesting.ci.run_tests - INFO - Deployment description:
+-------------------------+------------------------------------------------------------+
| ENV VAR                 | VALUE                                                      |
+-------------------------+------------------------------------------------------------+
| TEST_DB_EXT_URL         | http://testresults.opnfv.org/test/api/v1/results           |
| S3_DST_URL              | s3://artifacts.opnfv.org/functest-                         |
|                         | kubernetes/1AIQE6HNKG5X/functest-kubernetes-opnfv-         |
|                         | functest-kubernetes-security-hunter-                       |
|                         | kube_bench_node-run-21                                     |
| S3_ENDPOINT_URL         | https://storage.googleapis.com                             |
| DEPLOY_SCENARIO         | k8-nosdn-nofeature-noha                                    |
| BUILD_TAG               | 1AIQE6HNKG5X                                               |
| DEBUG                   | true                                                       |
| INSTALLER_TYPE          | unknown                                                    |
| CI_LOOP                 | daily                                                      |
| TEST_DB_URL             | http://testresults.opnfv.org/test/api/v1/results           |
| HTTP_DST_URL            | http://artifacts.opnfv.org/functest-                       |
|                         | kubernetes/1AIQE6HNKG5X/functest-kubernetes-opnfv-         |
|                         | functest-kubernetes-security-hunter-                       |
|                         | kube_bench_node-run-21                                     |
| NODE_NAME               | lf-virtual1-1                                              |
+-------------------------+------------------------------------------------------------+
2021-01-01 19:39:27,406 - xtesting.ci.run_tests - DEBUG - No env file /var/lib/xtesting/conf/env_file found
2021-01-01 19:39:27,406 - xtesting.ci.run_tests - DEBUG - Test args: kube_bench_node
2021-01-01 19:39:27,415 - xtesting.ci.run_tests - INFO - Loading test case 'kube_bench_node'...
2021-01-01 19:39:27,612 - xtesting.ci.run_tests - INFO - Running test case 'kube_bench_node'...
2021-01-01 19:39:27,623 - kubernetes.client.rest - DEBUG - response body: {"kind":"Namespace","apiVersion":"v1","metadata":{"name":"kube-bench-4wsdq","generateName":"kube-bench-","selfLink":"/api/v1/namespaces/kube-bench-4wsdq","uid":"0f425288-4c69-11eb-8302-0242ac120002","resourceVersion":"17221197","creationTimestamp":"2021-01-01T19:39:27Z"},"spec":{"finalizers":["kubernetes"]},"status":{"phase":"Active"}} 2021-01-01 19:39:27,624 - functest_kubernetes.security.security - DEBUG - create_namespace: {'api_version': 'v1', 'kind': 'Namespace', 'metadata': {'annotations': None, 'cluster_name': None, 'creation_timestamp': datetime.datetime(2021, 1, 1, 19, 39, 27, tzinfo=tzlocal()), 'deletion_grace_period_seconds': None, 'deletion_timestamp': None, 'finalizers': None, 'generate_name': 'kube-bench-', 'generation': None, 'initializers': None, 'labels': None, 'managed_fields': None, 'name': 'kube-bench-4wsdq', 'namespace': None, 'owner_references': None, 'resource_version': '17221197', 'self_link': '/api/v1/namespaces/kube-bench-4wsdq', 'uid': '0f425288-4c69-11eb-8302-0242ac120002'}, 'spec': {'finalizers': ['kubernetes']}, 'status': {'phase': 'Active'}} 2021-01-01 19:39:27,687 - kubernetes.client.rest - DEBUG - response body: 
{"kind":"Job","apiVersion":"batch/v1","metadata":{"name":"kube-bench-node","namespace":"kube-bench-4wsdq","selfLink":"/apis/batch/v1/namespaces/kube-bench-4wsdq/jobs/kube-bench-node","uid":"0f46827b-4c69-11eb-8302-0242ac120002","resourceVersion":"17221201","creationTimestamp":"2021-01-01T19:39:27Z","labels":{"controller-uid":"0f46827b-4c69-11eb-8302-0242ac120002","job-name":"kube-bench-node"}},"spec":{"parallelism":1,"completions":1,"backoffLimit":6,"selector":{"matchLabels":{"controller-uid":"0f46827b-4c69-11eb-8302-0242ac120002"}},"template":{"metadata":{"creationTimestamp":null,"labels":{"controller-uid":"0f46827b-4c69-11eb-8302-0242ac120002","job-name":"kube-bench-node"}},"spec":{"volumes":[{"name":"var-lib-kubelet","hostPath":{"path":"/var/lib/kubelet","type":""}},{"name":"etc-systemd","hostPath":{"path":"/etc/systemd","type":""}},{"name":"etc-kubernetes","hostPath":{"path":"/etc/kubernetes","type":""}},{"name":"usr-bin","hostPath":{"path":"/usr/bin","type":""}}],"containers":[{"name":"kube-bench","image":"aquasec/kube-bench:0.3.1","command":["kube-bench","node","--json"],"resources":{},"volumeMounts":[{"name":"var-lib-kubelet","readOnly":true,"mountPath":"/var/lib/kubelet"},{"name":"etc-systemd","readOnly":true,"mountPath":"/etc/systemd"},{"name":"etc-kubernetes","readOnly":true,"mountPath":"/etc/kubernetes"},{"name":"usr-bin","readOnly":true,"mountPath":"/usr/local/mount-from-host/bin"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"IfNotPresent"}],"restartPolicy":"Never","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","hostPID":true,"securityContext":{},"schedulerName":"default-scheduler"}}},"status":{}} 2021-01-01 19:39:27,690 - functest_kubernetes.security.security - INFO - Job kube-bench-node created 2021-01-01 19:39:27,691 - functest_kubernetes.security.security - DEBUG - create_namespaced_job: {'api_version': 'batch/v1', 'kind': 'Job', 'metadata': {'annotations': None, 'cluster_name': 
None, 'creation_timestamp': datetime.datetime(2021, 1, 1, 19, 39, 27, tzinfo=tzlocal()), 'deletion_grace_period_seconds': None, 'deletion_timestamp': None, 'finalizers': None, 'generate_name': None, 'generation': None, 'initializers': None, 'labels': {u'controller-uid': '0f46827b-4c69-11eb-8302-0242ac120002', u'job-name': 'kube-bench-node'}, 'managed_fields': None, 'name': 'kube-bench-node', 'namespace': 'kube-bench-4wsdq', 'owner_references': None, 'resource_version': '17221201', 'self_link': '/apis/batch/v1/namespaces/kube-bench-4wsdq/jobs/kube-bench-node', 'uid': '0f46827b-4c69-11eb-8302-0242ac120002'}, 'spec': {'active_deadline_seconds': None, 'backoff_limit': 6, 'completions': 1, 'manual_selector': None, 'parallelism': 1, 'selector': {'match_expressions': None, 'match_labels': {u'controller-uid': '0f46827b-4c69-11eb-8302-0242ac120002'}}, 'template': {'metadata': {'annotations': None, 'cluster_name': None, 'creation_timestamp': None, 'deletion_grace_period_seconds': None, 'deletion_timestamp': None, 'finalizers': None, 'generate_name': None, 'generation': None, 'initializers': None, 'labels': {u'controller-uid': '0f46827b-4c69-11eb-8302-0242ac120002', u'job-name': 'kube-bench-node'}, 'managed_fields': None, 'name': None, 'namespace': None, 'owner_references': None, 'resource_version': None, 'self_link': None, 'uid': None}, 'spec': {'active_deadline_seconds': None, 'affinity': None, 'automount_service_account_token': None, 'containers': [{'args': None, 'command': ['kube-bench', 'node', '--json'], 'env': None, 'env_from': None, 'image': 'aquasec/kube-bench:0.3.1', 'image_pull_policy': 'IfNotPresent', 'lifecycle': None, 'liveness_probe': None, 'name': 'kube-bench', 'ports': None, 'readiness_probe': None, 'resources': {'limits': None, 'requests': None}, 'security_context': None, 'stdin': None, 'stdin_once': None, 'termination_message_path': '/dev/termination-log', 'termination_message_policy': 'File', 'tty': None, 'volume_devices': None, 'volume_mounts': 
[{'mount_path': '/var/lib/kubelet', 'mount_propagation': None, 'name': 'var-lib-kubelet', 'read_only': True, 'sub_path': None, 'sub_path_expr': None}, {'mount_path': '/etc/systemd', 'mount_propagation': None, 'name': 'etc-systemd', 'read_only': True, 'sub_path': None, 'sub_path_expr': None}, {'mount_path': '/etc/kubernetes', 'mount_propagation': None, 'name': 'etc-kubernetes', 'read_only': True, 'sub_path': None, 'sub_path_expr': None}, {'mount_path': '/usr/local/mount-from-host/bin', 'mount_propagation': None, 'name': 'usr-bin', 'read_only': True, 'sub_path': None, 'sub_path_expr': None}], 'working_dir': None}], 'dns_config': None, 'dns_policy': 'ClusterFirst', 'enable_service_links': None, 'host_aliases': None, 'host_ipc': None, 'host_network': None, 'host_pid': True, 'hostname': None, 'image_pull_secrets': None, 'init_containers': None, 'node_name': None, 'node_selector': None, 'priority': None, 'priority_class_name': None, 'readiness_gates': None, 'restart_policy': 'Never', 'runtime_class_name': None, 'scheduler_name': 'default-scheduler', 'security_context': {'fs_group': None, 'run_as_group': None, 'run_as_non_root': None, 'run_as_user': None, 'se_linux_options': None, 'supplemental_groups': None, 'sysctls': None}, 'service_account': None, 'service_account_name': None, 'share_process_namespace': None, 'subdomain': None, 'termination_grace_period_seconds': 30, 'tolerations': None, 'volumes': [{'aws_elastic_block_store': None, 'azure_disk': None, 'azure_file': None, 'cephfs': None, 'cinder': None, 'config_map': None, 'csi': None, 'downward_api': None, 'empty_dir': None, 'fc': None, 'flex_volume': None, 'flocker': None, 'gce_persistent_disk': None, 'git_repo': None, 'glusterfs': None, 'host_path': {'path': '/var/lib/kubelet', 'type': ''}, 'iscsi': None, 'name': 'var-lib-kubelet', 'nfs': None, 'persistent_volume_claim': None, 'photon_persistent_disk': None, 'portworx_volume': None, 'projected': None, 'quobyte': None, 'rbd': None, 'scale_io': None, 'secret': None, 
'storageos': None, 'vsphere_volume': None}, {'aws_elastic_block_store': None, 'azure_disk': None, 'azure_file': None, 'cephfs': None, 'cinder': None, 'config_map': None, 'csi': None, 'downward_api': None, 'empty_dir': None, 'fc': None, 'flex_volume': None, 'flocker': None, 'gce_persistent_disk': None, 'git_repo': None, 'glusterfs': None, 'host_path': {'path': '/etc/systemd', 'type': ''}, 'iscsi': None, 'name': 'etc-systemd', 'nfs': None, 'persistent_volume_claim': None, 'photon_persistent_disk': None, 'portworx_volume': None, 'projected': None, 'quobyte': None, 'rbd': None, 'scale_io': None, 'secret': None, 'storageos': None, 'vsphere_volume': None}, {'aws_elastic_block_store': None, 'azure_disk': None, 'azure_file': None, 'cephfs': None, 'cinder': None, 'config_map': None, 'csi': None, 'downward_api': None, 'empty_dir': None, 'fc': None, 'flex_volume': None, 'flocker': None, 'gce_persistent_disk': None, 'git_repo': None, 'glusterfs': None, 'host_path': {'path': '/etc/kubernetes', 'type': ''}, 'iscsi': None, 'name': 'etc-kubernetes', 'nfs': None, 'persistent_volume_claim': None, 'photon_persistent_disk': None, 'portworx_volume': None, 'projected': None, 'quobyte': None, 'rbd': None, 'scale_io': None, 'secret': None, 'storageos': None, 'vsphere_volume': None}, {'aws_elastic_block_store': None, 'azure_disk': None, 'azure_file': None, 'cephfs': None, 'cinder': None, 'config_map': None, 'csi': None, 'downward_api': None, 'empty_dir': None, 'fc': None, 'flex_volume': None, 'flocker': None, 'gce_persistent_disk': None, 'git_repo': None, 'glusterfs': None, 'host_path': {'path': '/usr/bin', 'type': ''}, 'iscsi': None, 'name': 'usr-bin', 'nfs': None, 'persistent_volume_claim': None, 'photon_persistent_disk': None, 'portworx_volume': None, 'projected': None, 'quobyte': None, 'rbd': None, 'scale_io': None, 'secret': None, 'storageos': None, 'vsphere_volume': None}]}}, 'ttl_seconds_after_finished': None}, 'status': {'active': None, 'completion_time': None, 'conditions': None, 
'failed': None, 'start_time': None, 'succeeded': None}} 2021-01-01 19:39:32,649 - functest_kubernetes.security.security - INFO - kube-bench-node started in 5.04 sec 2021-01-01 19:39:32,657 - kubernetes.client.rest - DEBUG - response body: {"kind":"PodList","apiVersion":"v1","metadata":{"selfLink":"/api/v1/namespaces/kube-bench-4wsdq/pods","resourceVersion":"17221230"},"items":[{"metadata":{"name":"kube-bench-node-4569j","generateName":"kube-bench-node-","namespace":"kube-bench-4wsdq","selfLink":"/api/v1/namespaces/kube-bench-4wsdq/pods/kube-bench-node-4569j","uid":"0f4eb59a-4c69-11eb-8302-0242ac120002","resourceVersion":"17221229","creationTimestamp":"2021-01-01T19:39:27Z","labels":{"controller-uid":"0f46827b-4c69-11eb-8302-0242ac120002","job-name":"kube-bench-node"},"ownerReferences":[{"apiVersion":"batch/v1","kind":"Job","name":"kube-bench-node","uid":"0f46827b-4c69-11eb-8302-0242ac120002","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"var-lib-kubelet","hostPath":{"path":"/var/lib/kubelet","type":""}},{"name":"etc-systemd","hostPath":{"path":"/etc/systemd","type":""}},{"name":"etc-kubernetes","hostPath":{"path":"/etc/kubernetes","type":""}},{"name":"usr-bin","hostPath":{"path":"/usr/bin","type":""}},{"name":"default-token-z5876","secret":{"secretName":"default-token-z5876","defaultMode":420}}],"containers":[{"name":"kube-bench","image":"aquasec/kube-bench:0.3.1","command":["kube-bench","node","--json"],"resources":{},"volumeMounts":[{"name":"var-lib-kubelet","readOnly":true,"mountPath":"/var/lib/kubelet"},{"name":"etc-systemd","readOnly":true,"mountPath":"/etc/systemd"},{"name":"etc-kubernetes","readOnly":true,"mountPath":"/etc/kubernetes"},{"name":"usr-bin","readOnly":true,"mountPath":"/usr/local/mount-from-host/bin"},{"name":"default-token-z5876","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"IfNotPresent
"}],"restartPolicy":"Never","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"hunter-worker","hostPID":true,"securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Succeeded","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2021-01-01T19:39:27Z","reason":"PodCompleted"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2021-01-01T19:39:32Z","reason":"PodCompleted"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2021-01-01T19:39:32Z","reason":"PodCompleted"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2021-01-01T19:39:27Z"}],"hostIP":"172.18.0.4","podIP":"10.244.1.100","startTime":"2021-01-01T19:39:27Z","containerStatuses":[{"name":"kube-bench","state":{"terminated":{"exitCode":0,"reason":"Completed","startedAt":"2021-01-01T19:39:31Z","finishedAt":"2021-01-01T19:39:31Z","containerID":"containerd://6b355c104508e2f39c15df0afaf09f5c7c1a7d4d94268ca8d8c897458ce86bd9"}},"lastState":{},"ready":false,"restartCount":0,"image":"docker.io/aquasec/kube-bench:0.3.1","imageID":"docker.io/aquasec/kube-bench@sha256:3544f6662feb73d36fdba35b17652e2fd73aae45bd4b60e76d7ab928220b3cc6","containerID":"containerd://6b355c104508e2f39c15df0afaf09f5c7c1a7d4d94268ca8d8c897458ce86bd9"}],"qosClass":"BestEffort"}}]} 2021-01-01 19:39:32,666 - kubernetes.client.rest - DEBUG - response body: [{"id":"2","version":"1.13","text":"Worker Node Security 
Configuration","node_type":"node","tests":[{"section":"2.1","pass":7,"fail":5,"warn":1,"info":1,"desc":"Kubelet","results":[{"test_number":"2.1.1","test_desc":"Ensure that the --anonymous-auth argument is set to false (Scored)","audit":"/bin/ps -fC kubelet","AuditConfig":"/bin/cat /var/lib/kubelet/config.yaml","type":"","remediation":"If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to\nfalse .\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--anonymous-auth=false\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n","test_info":["If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to\nfalse .\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--anonymous-auth=false\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n"],"status":"PASS","actual_value":"address: 0.0.0.0\napiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n cacheTTL: 2m0s\n enabled: true\n x509:\n clientCAFile: /etc/kubernetes/pki/ca.crt\nauthorization:\n mode: Webhook\n webhook:\n cacheAuthorizedTTL: 5m0s\n cacheUnauthorizedTTL: 30s\ncgroupDriver: cgroupfs\ncgroupsPerQOS: true\nclusterDNS:\n- 10.96.0.10\nclusterDomain: cluster.local\nconfigMapAndSecretChangeDetectionStrategy: Cache\ncontainerLogMaxFiles: 5\ncontainerLogMaxSize: 10Mi\ncontentType: application/vnd.kubernetes.protobuf\ncpuCFSQuota: true\ncpuCFSQuotaPeriod: 100ms\ncpuManagerPolicy: none\ncpuManagerReconcilePeriod: 10s\nenableControllerAttachDetach: true\nenableDebuggingHandlers: true\nenforceNodeAllocatable:\n- pods\neventBurst: 10\neventRecordQPS: 5\nevictionHard:\n imagefs.available: 0%\n nodefs.available: 0%\n nodefs.inodesFree: 0%\nevictionPressureTransitionPeriod: 5m0s\nfailSwapOn: true\nfileCheckFrequency: 20s\nhairpinMode: promiscuous-bridge\nhealthzBindAddress: 127.0.0.1\nhealthzPort: 10248\nhttpCheckFrequency: 20s\nimageGCHighThresholdPercent: 100\nimageGCLowThresholdPercent: 80\nimageMinimumGCAge: 2m0s\niptablesDropBit: 15\niptablesMasqueradeBit: 14\nkind: KubeletConfiguration\nkubeAPIBurst: 10\nkubeAPIQPS: 5\nmakeIPTablesUtilChains: true\nmaxOpenFiles: 1000000\nmaxPods: 110\nnodeLeaseDurationSeconds: 40\nnodeStatusReportFrequency: 1m0s\nnodeStatusUpdateFrequency: 10s\noomScoreAdj: -999\npodPidsLimit: -1\nport: 10250\nregistryBurst: 10\nregistryPullQPS: 5\nresolvConf: /etc/resolv.conf\nrotateCertificates: true\nruntimeRequestTimeout: 2m0s\nserializeImagePulls: true\nstaticPodPath: /etc/kubernetes/manifests\nstreamingConnectionIdleTimeout: 4h0m0s\nsyncFrequency: 1m0s\nvolumeStatsAggPeriod: 1m0s\n","scored":true,"expected_result":"'false' is equal to 'false'"},{"test_number":"2.1.2","test_desc":"Ensure that the 
--authorization-mode argument is not set to AlwaysAllow (Scored)","audit":"/bin/ps -fC kubelet","AuditConfig":"/bin/cat /var/lib/kubelet/config.yaml","type":"","remediation":"If using a Kubelet config file, edit the file to set authorization: mode to Webhook.\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--authorization-mode=Webhook\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n","test_info":["If using a Kubelet config file, edit the file to set authorization: mode to Webhook.\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--authorization-mode=Webhook\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n"],"status":"PASS","actual_value":"address: 0.0.0.0\napiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n cacheTTL: 2m0s\n enabled: true\n x509:\n clientCAFile: /etc/kubernetes/pki/ca.crt\nauthorization:\n mode: Webhook\n webhook:\n cacheAuthorizedTTL: 5m0s\n cacheUnauthorizedTTL: 30s\ncgroupDriver: cgroupfs\ncgroupsPerQOS: true\nclusterDNS:\n- 10.96.0.10\nclusterDomain: cluster.local\nconfigMapAndSecretChangeDetectionStrategy: Cache\ncontainerLogMaxFiles: 5\ncontainerLogMaxSize: 10Mi\ncontentType: application/vnd.kubernetes.protobuf\ncpuCFSQuota: true\ncpuCFSQuotaPeriod: 100ms\ncpuManagerPolicy: none\ncpuManagerReconcilePeriod: 10s\nenableControllerAttachDetach: true\nenableDebuggingHandlers: true\nenforceNodeAllocatable:\n- pods\neventBurst: 10\neventRecordQPS: 5\nevictionHard:\n imagefs.available: 0%\n nodefs.available: 0%\n nodefs.inodesFree: 
0%\nevictionPressureTransitionPeriod: 5m0s\nfailSwapOn: true\nfileCheckFrequency: 20s\nhairpinMode: promiscuous-bridge\nhealthzBindAddress: 127.0.0.1\nhealthzPort: 10248\nhttpCheckFrequency: 20s\nimageGCHighThresholdPercent: 100\nimageGCLowThresholdPercent: 80\nimageMinimumGCAge: 2m0s\niptablesDropBit: 15\niptablesMasqueradeBit: 14\nkind: KubeletConfiguration\nkubeAPIBurst: 10\nkubeAPIQPS: 5\nmakeIPTablesUtilChains: true\nmaxOpenFiles: 1000000\nmaxPods: 110\nnodeLeaseDurationSeconds: 40\nnodeStatusReportFrequency: 1m0s\nnodeStatusUpdateFrequency: 10s\noomScoreAdj: -999\npodPidsLimit: -1\nport: 10250\nregistryBurst: 10\nregistryPullQPS: 5\nresolvConf: /etc/resolv.conf\nrotateCertificates: true\nruntimeRequestTimeout: 2m0s\nserializeImagePulls: true\nstaticPodPath: /etc/kubernetes/manifests\nstreamingConnectionIdleTimeout: 4h0m0s\nsyncFrequency: 1m0s\nvolumeStatsAggPeriod: 1m0s\n","scored":true,"expected_result":" 'Webhook' not have 'AlwaysAllow'"},{"test_number":"2.1.3","test_desc":"Ensure that the --client-ca-file argument is set as appropriate (Scored)","audit":"/bin/ps -fC kubelet","AuditConfig":"/bin/cat /var/lib/kubelet/config.yaml","type":"","remediation":"If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to\nthe location of the client CA file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--client-ca-file=\u003cpath/to/client-ca-file\u003e\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n","test_info":["If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to\nthe location of the client CA file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--client-ca-file=\u003cpath/to/client-ca-file\u003e\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n"],"status":"PASS","actual_value":"address: 0.0.0.0\napiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n cacheTTL: 2m0s\n enabled: true\n x509:\n clientCAFile: /etc/kubernetes/pki/ca.crt\nauthorization:\n mode: Webhook\n webhook:\n cacheAuthorizedTTL: 5m0s\n cacheUnauthorizedTTL: 30s\ncgroupDriver: cgroupfs\ncgroupsPerQOS: true\nclusterDNS:\n- 10.96.0.10\nclusterDomain: cluster.local\nconfigMapAndSecretChangeDetectionStrategy: Cache\ncontainerLogMaxFiles: 5\ncontainerLogMaxSize: 10Mi\ncontentType: application/vnd.kubernetes.protobuf\ncpuCFSQuota: true\ncpuCFSQuotaPeriod: 100ms\ncpuManagerPolicy: none\ncpuManagerReconcilePeriod: 10s\nenableControllerAttachDetach: true\nenableDebuggingHandlers: true\nenforceNodeAllocatable:\n- pods\neventBurst: 10\neventRecordQPS: 5\nevictionHard:\n imagefs.available: 0%\n nodefs.available: 0%\n nodefs.inodesFree: 0%\nevictionPressureTransitionPeriod: 5m0s\nfailSwapOn: true\nfileCheckFrequency: 20s\nhairpinMode: promiscuous-bridge\nhealthzBindAddress: 127.0.0.1\nhealthzPort: 10248\nhttpCheckFrequency: 20s\nimageGCHighThresholdPercent: 100\nimageGCLowThresholdPercent: 80\nimageMinimumGCAge: 2m0s\niptablesDropBit: 15\niptablesMasqueradeBit: 14\nkind: KubeletConfiguration\nkubeAPIBurst: 10\nkubeAPIQPS: 5\nmakeIPTablesUtilChains: true\nmaxOpenFiles: 1000000\nmaxPods: 110\nnodeLeaseDurationSeconds: 
40\nnodeStatusReportFrequency: 1m0s\nnodeStatusUpdateFrequency: 10s\noomScoreAdj: -999\npodPidsLimit: -1\nport: 10250\nregistryBurst: 10\nregistryPullQPS: 5\nresolvConf: /etc/resolv.conf\nrotateCertificates: true\nruntimeRequestTimeout: 2m0s\nserializeImagePulls: true\nstaticPodPath: /etc/kubernetes/manifests\nstreamingConnectionIdleTimeout: 4h0m0s\nsyncFrequency: 1m0s\nvolumeStatsAggPeriod: 1m0s\n","scored":true,"expected_result":"'' is present"},{"test_number":"2.1.4","test_desc":"Ensure that the --read-only-port argument is set to 0 (Scored)","audit":"/bin/ps -fC kubelet","AuditConfig":"/bin/cat /var/lib/kubelet/config.yaml","type":"","remediation":"If using a Kubelet config file, edit the file to set readOnlyPort to 0 .\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--read-only-port=0\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n","test_info":["If using a Kubelet config file, edit the file to set readOnlyPort to 0 .\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--read-only-port=0\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n"],"status":"FAIL","actual_value":"","scored":true,"expected_result":""},{"test_number":"2.1.5","test_desc":"Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)","audit":"/bin/ps -fC kubelet","AuditConfig":"/bin/cat /var/lib/kubelet/config.yaml","type":"","remediation":"If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a\nvalue other than 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--streaming-connection-idle-timeout=5m\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n","test_info":["If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a\nvalue other than 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--streaming-connection-idle-timeout=5m\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n"],"status":"PASS","actual_value":"UID PID PPID C STIME TTY TIME CMD\nroot 1092 1 3 2020 ? 
3-17:21:17 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --fail-swap-on=false --node-ip=172.18.0.4 --container-runtime=remote --container-runtime-endpoint=/run/containerd/containerd.sock --fail-swap-on=false\n","scored":true,"expected_result":"'--streaming-connection-idle-timeout' is present OR '--streaming-connection-idle-timeout' is not present"},{"test_number":"2.1.6","test_desc":"Ensure that the --protect-kernel-defaults argument is set to true (Scored)","audit":"/bin/ps -fC kubelet","AuditConfig":"/bin/cat /var/lib/kubelet/config.yaml","type":"","remediation":"If using a Kubelet config file, edit the file to set protectKernelDefaults: true .\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--protect-kernel-defaults=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n","test_info":["If using a Kubelet config file, edit the file to set protectKernelDefaults: true .\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--protect-kernel-defaults=true\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n"],"status":"FAIL","actual_value":"","scored":true,"expected_result":""},{"test_number":"2.1.7","test_desc":"Ensure that the --make-iptables-util-chains argument is set to true (Scored)","audit":"/bin/ps -fC kubelet","AuditConfig":"/bin/cat /var/lib/kubelet/config.yaml","type":"","remediation":"If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove the --make-iptables-util-chains argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n","test_info":["If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove the --make-iptables-util-chains argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n"],"status":"PASS","actual_value":"UID PID PPID C STIME TTY TIME CMD\nroot 1092 1 3 2020 ? 
3-17:21:17 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --fail-swap-on=false --node-ip=172.18.0.4 --container-runtime=remote --container-runtime-endpoint=/run/containerd/containerd.sock --fail-swap-on=false\n","scored":true,"expected_result":"'--make-iptables-util-chains' is present OR '--make-iptables-util-chains' is not present"},{"test_number":"2.1.8","test_desc":"Ensure that the --hostname-override argument is not set (Scored)","audit":"/bin/ps -fC kubelet ","AuditConfig":"","type":"","remediation":"Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and remove the --hostname-override argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n","test_info":["Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and remove the --hostname-override argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n"],"status":"PASS","actual_value":"UID PID PPID C STIME TTY TIME CMD\nroot 1092 1 3 2020 ? 
3-17:21:17 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --fail-swap-on=false --node-ip=172.18.0.4 --container-runtime=remote --container-runtime-endpoint=/run/containerd/containerd.sock --fail-swap-on=false\n","scored":true,"expected_result":"'--hostname-override' is not present"},{"test_number":"2.1.9","test_desc":"Ensure that the --event-qps argument is set to 0 (Scored)","audit":"/bin/ps -fC kubelet","AuditConfig":"/bin/cat /var/lib/kubelet/config.yaml","type":"","remediation":"If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--event-qps=0\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n","test_info":["If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--event-qps=0\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n"],"status":"FAIL","actual_value":"","scored":true,"expected_result":""},{"test_number":"2.1.10","test_desc":"Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)","audit":"/bin/ps -fC kubelet","AuditConfig":"/bin/cat /var/lib/kubelet/config.yaml","type":"","remediation":"If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate\nfile to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the\ncorresponding private key file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameters in KUBELET_CERTIFICATE_ARGS variable.\n--tls-cert-file=\u003cpath/to/tls-certificate-file\u003e\nfile=\u003cpath/to/tls-key-file\u003e\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n","test_info":["If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate\nfile to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the\ncorresponding private key file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameters in KUBELET_CERTIFICATE_ARGS variable.\n--tls-cert-file=\u003cpath/to/tls-certificate-file\u003e\nfile=\u003cpath/to/tls-key-file\u003e\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n"],"status":"FAIL","actual_value":"","scored":true,"expected_result":""},{"test_number":"2.1.11","test_desc":"[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0","audit":"/bin/ps -fC kubelet ","AuditConfig":"","type":"skip","remediation":"Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.\n--cadvisor-port=0\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n","test_info":["Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.\n--cadvisor-port=0\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n"],"status":"INFO","actual_value":"","scored":false,"expected_result":"","reason":"Test marked as skip"},{"test_number":"2.1.12","test_desc":"Ensure that the --rotate-certificates argument is not set to false (Scored)","audit":"/bin/ps -fC kubelet","AuditConfig":"/bin/cat /var/lib/kubelet/config.yaml","type":"","remediation":"If using a Kubelet config file, edit the file to add the line rotateCertificates: true.\nIf using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable.\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n","test_info":["If using a Kubelet config file, edit the file to add the line rotateCertificates: true.\nIf using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n"],"status":"PASS","actual_value":"UID PID PPID C STIME TTY TIME CMD\nroot 1092 1 3 2020 ? 3-17:21:17 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --fail-swap-on=false --node-ip=172.18.0.4 --container-runtime=remote --container-runtime-endpoint=/run/containerd/containerd.sock --fail-swap-on=false\n","scored":true,"expected_result":"'--rotate-certificates' is present OR '--rotate-certificates' is not present"},{"test_number":"2.1.13","test_desc":"Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)","audit":"/bin/ps -fC kubelet","AuditConfig":"/bin/cat /var/lib/kubelet/config.yaml","type":"","remediation":"Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.\n--feature-gates=RotateKubeletServerCertificate=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n","test_info":["Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.\n--feature-gates=RotateKubeletServerCertificate=true\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n"],"status":"FAIL","actual_value":"","scored":true,"expected_result":""},{"test_number":"2.1.14","test_desc":"Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)","audit":"/bin/ps -fC kubelet","AuditConfig":"/bin/cat /var/lib/kubelet/config.yaml","type":"","remediation":"If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nIf using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter.\n--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\n","test_info":["If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nIf using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below 
parameter.\n--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\n"],"status":"WARN","actual_value":"","scored":false,"expected_result":""}]},{"section":"2.2","pass":7,"fail":3,"warn":0,"info":0,"desc":"Configuration Files","results":[{"test_number":"2.2.1","test_desc":"Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)","audit":"/bin/sh -c 'if test -e /etc/kubernetes/kubelet.conf; then stat -c permissions=%a /etc/kubernetes/kubelet.conf; fi' ","AuditConfig":"","type":"","remediation":"Run the below command (based on the file location on your system) on the each worker\nnode. For example,\nchmod 644 /etc/kubernetes/kubelet.conf\n","test_info":["Run the below command (based on the file location on your system) on the each worker\nnode. For example,\nchmod 644 /etc/kubernetes/kubelet.conf\n"],"status":"PASS","actual_value":"permissions=600\n","scored":true,"expected_result":"bitmask '600' AND '644'"},{"test_number":"2.2.2","test_desc":"Ensure that the kubelet.conf file ownership is set to root:root (Scored)","audit":"/bin/sh -c 'if test -e /etc/kubernetes/kubelet.conf; then stat -c %U:%G /etc/kubernetes/kubelet.conf; fi' ","AuditConfig":"","type":"","remediation":"Run the below command (based on the file location on your system) on the each worker\nnode. For example,\nchown root:root /etc/kubernetes/kubelet.conf\n","test_info":["Run the below command (based on the file location on your system) on the each worker\nnode. 
For example,\nchown root:root /etc/kubernetes/kubelet.conf\n"],"status":"PASS","actual_value":"root:root\n","scored":true,"expected_result":"'root:root' is equal to 'root:root'"},{"test_number":"2.2.3","test_desc":"Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)","audit":"/bin/sh -c 'if test -e /etc/systemd/system/kubelet.service.d/10-kubeadm.conf; then stat -c permissions=%a /etc/systemd/system/kubelet.service.d/10-kubeadm.conf; fi' ","AuditConfig":"","type":"","remediation":"Run the below command (based on the file location on your system) on the each worker\nnode. For example,\nchmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\n","test_info":["Run the below command (based on the file location on your system) on the each worker\nnode. For example,\nchmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\n"],"status":"FAIL","actual_value":"","scored":true,"expected_result":""},{"test_number":"2.2.4","test_desc":"Ensure that the kubelet service file ownership is set to root:root (Scored)","audit":"/bin/sh -c 'if test -e /etc/systemd/system/kubelet.service.d/10-kubeadm.conf; then stat -c %U:%G /etc/systemd/system/kubelet.service.d/10-kubeadm.conf; fi' ","AuditConfig":"","type":"","remediation":"Run the below command (based on the file location on your system) on the each worker\nnode. For example,\nchown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\n","test_info":["Run the below command (based on the file location on your system) on the each worker\nnode. 
For example,\nchown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\n"],"status":"PASS","actual_value":"root:root\n","scored":true,"expected_result":"'root:root' is present"},{"test_number":"2.2.5","test_desc":"Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)","audit":"/bin/sh -c 'if test -e /etc/kubernetes/proxy.conf; then stat -c permissions=%a /etc/kubernetes/proxy.conf; fi' ","AuditConfig":"","type":"","remediation":"Run the below command (based on the file location on your system) on the each worker\nnode. For example,\nchmod 644 /etc/kubernetes/proxy.conf\n","test_info":["Run the below command (based on the file location on your system) on the each worker\nnode. For example,\nchmod 644 /etc/kubernetes/proxy.conf\n"],"status":"FAIL","actual_value":"","scored":true,"expected_result":""},{"test_number":"2.2.6","test_desc":"Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)","audit":"/bin/sh -c 'if test -e /etc/kubernetes/proxy.conf; then stat -c %U:%G /etc/kubernetes/proxy.conf; fi' ","AuditConfig":"","type":"","remediation":"Run the below command (based on the file location on your system) on the each worker\nnode. For example,\nchown root:root /etc/kubernetes/proxy.conf\n","test_info":["Run the below command (based on the file location on your system) on the each worker\nnode. 
For example,\nchown root:root /etc/kubernetes/proxy.conf\n"],"status":"FAIL","actual_value":"","scored":true,"expected_result":""},{"test_number":"2.2.7","test_desc":"Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)","audit":"/bin/sh -c 'if test -e /etc/kubernetes/pki/ca.crt; then stat -c permissions=%a /etc/kubernetes/pki/ca.crt; fi'","AuditConfig":"","type":"","remediation":"Run the following command to modify the file permissions of the --client-ca-file\nchmod 644 \u003cfilename\u003e\n","test_info":["Run the following command to modify the file permissions of the --client-ca-file\nchmod 644 \u003cfilename\u003e\n"],"status":"PASS","actual_value":"permissions=644\n","scored":true,"expected_result":"bitmask '644' AND '644'"},{"test_number":"2.2.8","test_desc":"Ensure that the client certificate authorities file ownership is set to root:root (Scored)","audit":"CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')\nif [[ -z $CAFILE ]]; then\n CAFILE=/etc/kubernetes/pki/ca.crt\nfi\nif test -e $CAFILE; then stat -c %U:%G $CAFILE; fi\n","AuditConfig":"","type":"","remediation":"Run the following command to modify the ownership of the --client-ca-file .\nchown root:root \u003cfilename\u003e\n","test_info":["Run the following command to modify the ownership of the --client-ca-file .\nchown root:root \u003cfilename\u003e\n"],"status":"PASS","actual_value":"root:root\n","scored":true,"expected_result":"'root:root' is equal to 'root:root'"},{"test_number":"2.2.9","test_desc":"Ensure that the kubelet configuration file ownership is set to root:root (Scored)","audit":"/bin/sh -c 'if test -e /var/lib/kubelet/config.yaml; then stat -c %U:%G /var/lib/kubelet/config.yaml; fi' ","AuditConfig":"","type":"","remediation":"Run the following command (using the config file location identified in the Audit step)\nchown root:root 
/var/lib/kubelet/config.yaml\n","test_info":["Run the following command (using the config file location identified in the Audit step)\nchown root:root /var/lib/kubelet/config.yaml\n"],"status":"PASS","actual_value":"root:root\n","scored":true,"expected_result":"'root:root' is present"},{"test_number":"2.2.10","test_desc":"Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)","audit":"/bin/sh -c 'if test -e /var/lib/kubelet/config.yaml; then stat -c permissions=%a /var/lib/kubelet/config.yaml; fi' ","AuditConfig":"","type":"","remediation":"Run the following command (using the config file location identified in the Audit step)\nchmod 644 /var/lib/kubelet/config.yaml\n","test_info":["Run the following command (using the config file location identified in the Audit step)\nchmod 644 /var/lib/kubelet/config.yaml\n"],"status":"PASS","actual_value":"permissions=644\n","scored":true,"expected_result":"bitmask '644' AND '644'"}]}],"total_pass":14,"total_fail":8,"total_warn":1,"total_info":1}] 2021-01-01 19:39:32,668 - functest_kubernetes.security.security - INFO - [{u'tests': [{u'info': 1, u'section': u'2.1', u'results': [{u'audit': u'/bin/ps -fC kubelet', u'status': u'PASS', u'scored': True, u'test_info': [u'If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to\nfalse .\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--anonymous-auth=false\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], u'test_desc': u'Ensure that the --anonymous-auth argument is set to false (Scored)', u'AuditConfig': u'/bin/cat /var/lib/kubelet/config.yaml', u'remediation': u'If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to\nfalse .\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--anonymous-auth=false\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', u'actual_value': u'address: 0.0.0.0\napiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n cacheTTL: 2m0s\n enabled: true\n x509:\n clientCAFile: /etc/kubernetes/pki/ca.crt\nauthorization:\n mode: Webhook\n webhook:\n cacheAuthorizedTTL: 5m0s\n cacheUnauthorizedTTL: 30s\ncgroupDriver: cgroupfs\ncgroupsPerQOS: true\nclusterDNS:\n- 10.96.0.10\nclusterDomain: cluster.local\nconfigMapAndSecretChangeDetectionStrategy: Cache\ncontainerLogMaxFiles: 5\ncontainerLogMaxSize: 10Mi\ncontentType: application/vnd.kubernetes.protobuf\ncpuCFSQuota: true\ncpuCFSQuotaPeriod: 100ms\ncpuManagerPolicy: none\ncpuManagerReconcilePeriod: 10s\nenableControllerAttachDetach: true\nenableDebuggingHandlers: true\nenforceNodeAllocatable:\n- pods\neventBurst: 10\neventRecordQPS: 5\nevictionHard:\n imagefs.available: 0%\n nodefs.available: 0%\n nodefs.inodesFree: 0%\nevictionPressureTransitionPeriod: 5m0s\nfailSwapOn: true\nfileCheckFrequency: 20s\nhairpinMode: promiscuous-bridge\nhealthzBindAddress: 127.0.0.1\nhealthzPort: 10248\nhttpCheckFrequency: 20s\nimageGCHighThresholdPercent: 100\nimageGCLowThresholdPercent: 80\nimageMinimumGCAge: 2m0s\niptablesDropBit: 15\niptablesMasqueradeBit: 14\nkind: KubeletConfiguration\nkubeAPIBurst: 10\nkubeAPIQPS: 
5\nmakeIPTablesUtilChains: true\nmaxOpenFiles: 1000000\nmaxPods: 110\nnodeLeaseDurationSeconds: 40\nnodeStatusReportFrequency: 1m0s\nnodeStatusUpdateFrequency: 10s\noomScoreAdj: -999\npodPidsLimit: -1\nport: 10250\nregistryBurst: 10\nregistryPullQPS: 5\nresolvConf: /etc/resolv.conf\nrotateCertificates: true\nruntimeRequestTimeout: 2m0s\nserializeImagePulls: true\nstaticPodPath: /etc/kubernetes/manifests\nstreamingConnectionIdleTimeout: 4h0m0s\nsyncFrequency: 1m0s\nvolumeStatsAggPeriod: 1m0s\n', u'expected_result': u"'false' is equal to 'false'", u'type': u'', u'test_number': u'2.1.1'}, {u'audit': u'/bin/ps -fC kubelet', u'status': u'PASS', u'scored': True, u'test_info': [u'If using a Kubelet config file, edit the file to set authorization: mode to Webhook.\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--authorization-mode=Webhook\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], u'test_desc': u'Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)', u'AuditConfig': u'/bin/cat /var/lib/kubelet/config.yaml', u'remediation': u'If using a Kubelet config file, edit the file to set authorization: mode to Webhook.\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--authorization-mode=Webhook\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', u'actual_value': u'address: 0.0.0.0\napiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n cacheTTL: 2m0s\n enabled: true\n x509:\n clientCAFile: /etc/kubernetes/pki/ca.crt\nauthorization:\n mode: Webhook\n webhook:\n cacheAuthorizedTTL: 5m0s\n cacheUnauthorizedTTL: 30s\ncgroupDriver: cgroupfs\ncgroupsPerQOS: true\nclusterDNS:\n- 10.96.0.10\nclusterDomain: cluster.local\nconfigMapAndSecretChangeDetectionStrategy: Cache\ncontainerLogMaxFiles: 5\ncontainerLogMaxSize: 10Mi\ncontentType: application/vnd.kubernetes.protobuf\ncpuCFSQuota: true\ncpuCFSQuotaPeriod: 100ms\ncpuManagerPolicy: none\ncpuManagerReconcilePeriod: 10s\nenableControllerAttachDetach: true\nenableDebuggingHandlers: true\nenforceNodeAllocatable:\n- pods\neventBurst: 10\neventRecordQPS: 5\nevictionHard:\n imagefs.available: 0%\n nodefs.available: 0%\n nodefs.inodesFree: 0%\nevictionPressureTransitionPeriod: 5m0s\nfailSwapOn: true\nfileCheckFrequency: 20s\nhairpinMode: promiscuous-bridge\nhealthzBindAddress: 127.0.0.1\nhealthzPort: 10248\nhttpCheckFrequency: 20s\nimageGCHighThresholdPercent: 100\nimageGCLowThresholdPercent: 80\nimageMinimumGCAge: 2m0s\niptablesDropBit: 15\niptablesMasqueradeBit: 14\nkind: KubeletConfiguration\nkubeAPIBurst: 10\nkubeAPIQPS: 5\nmakeIPTablesUtilChains: true\nmaxOpenFiles: 1000000\nmaxPods: 110\nnodeLeaseDurationSeconds: 40\nnodeStatusReportFrequency: 1m0s\nnodeStatusUpdateFrequency: 10s\noomScoreAdj: -999\npodPidsLimit: -1\nport: 10250\nregistryBurst: 10\nregistryPullQPS: 5\nresolvConf: /etc/resolv.conf\nrotateCertificates: true\nruntimeRequestTimeout: 2m0s\nserializeImagePulls: true\nstaticPodPath: /etc/kubernetes/manifests\nstreamingConnectionIdleTimeout: 4h0m0s\nsyncFrequency: 1m0s\nvolumeStatsAggPeriod: 1m0s\n', u'expected_result': u" 'Webhook' not have 'AlwaysAllow'", u'type': u'', u'test_number': u'2.1.2'}, {u'audit': u'/bin/ps -fC kubelet', 
u'status': u'PASS', u'scored': True, u'test_info': [u'If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to\nthe location of the client CA file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--client-ca-file=\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], u'test_desc': u'Ensure that the --client-ca-file argument is set as appropriate (Scored)', u'AuditConfig': u'/bin/cat /var/lib/kubelet/config.yaml', u'remediation': u'If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to\nthe location of the client CA file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--client-ca-file=\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', u'actual_value': u'address: 0.0.0.0\napiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n cacheTTL: 2m0s\n enabled: true\n x509:\n clientCAFile: /etc/kubernetes/pki/ca.crt\nauthorization:\n mode: Webhook\n webhook:\n cacheAuthorizedTTL: 5m0s\n cacheUnauthorizedTTL: 30s\ncgroupDriver: cgroupfs\ncgroupsPerQOS: true\nclusterDNS:\n- 10.96.0.10\nclusterDomain: cluster.local\nconfigMapAndSecretChangeDetectionStrategy: Cache\ncontainerLogMaxFiles: 5\ncontainerLogMaxSize: 10Mi\ncontentType: application/vnd.kubernetes.protobuf\ncpuCFSQuota: true\ncpuCFSQuotaPeriod: 100ms\ncpuManagerPolicy: none\ncpuManagerReconcilePeriod: 10s\nenableControllerAttachDetach: true\nenableDebuggingHandlers: true\nenforceNodeAllocatable:\n- pods\neventBurst: 10\neventRecordQPS: 5\nevictionHard:\n imagefs.available: 0%\n nodefs.available: 0%\n nodefs.inodesFree: 0%\nevictionPressureTransitionPeriod: 5m0s\nfailSwapOn: true\nfileCheckFrequency: 20s\nhairpinMode: promiscuous-bridge\nhealthzBindAddress: 127.0.0.1\nhealthzPort: 10248\nhttpCheckFrequency: 20s\nimageGCHighThresholdPercent: 100\nimageGCLowThresholdPercent: 80\nimageMinimumGCAge: 2m0s\niptablesDropBit: 15\niptablesMasqueradeBit: 14\nkind: KubeletConfiguration\nkubeAPIBurst: 10\nkubeAPIQPS: 5\nmakeIPTablesUtilChains: true\nmaxOpenFiles: 1000000\nmaxPods: 110\nnodeLeaseDurationSeconds: 40\nnodeStatusReportFrequency: 1m0s\nnodeStatusUpdateFrequency: 10s\noomScoreAdj: -999\npodPidsLimit: -1\nport: 10250\nregistryBurst: 10\nregistryPullQPS: 5\nresolvConf: /etc/resolv.conf\nrotateCertificates: true\nruntimeRequestTimeout: 2m0s\nserializeImagePulls: true\nstaticPodPath: /etc/kubernetes/manifests\nstreamingConnectionIdleTimeout: 4h0m0s\nsyncFrequency: 1m0s\nvolumeStatsAggPeriod: 1m0s\n', u'expected_result': u"'' is present", u'type': u'', u'test_number': u'2.1.3'}, {u'audit': u'/bin/ps -fC kubelet', u'status': u'FAIL', 
u'scored': True, u'test_info': [u'If using a Kubelet config file, edit the file to set readOnlyPort to 0 .\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--read-only-port=0\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], u'test_desc': u'Ensure that the --read-only-port argument is set to 0 (Scored)', u'AuditConfig': u'/bin/cat /var/lib/kubelet/config.yaml', u'remediation': u'If using a Kubelet config file, edit the file to set readOnlyPort to 0 .\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--read-only-port=0\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', u'actual_value': u'', u'expected_result': u'', u'type': u'', u'test_number': u'2.1.4'}, {u'audit': u'/bin/ps -fC kubelet', u'status': u'PASS', u'scored': True, u'test_info': [u'If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a\nvalue other than 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--streaming-connection-idle-timeout=5m\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], u'test_desc': u'Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)', u'AuditConfig': u'/bin/cat /var/lib/kubelet/config.yaml', u'remediation': u'If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a\nvalue other than 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--streaming-connection-idle-timeout=5m\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', u'actual_value': u'UID PID PPID C STIME TTY TIME CMD\nroot 1092 1 3 2020 ? 3-17:21:17 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --fail-swap-on=false --node-ip=172.18.0.4 --container-runtime=remote --container-runtime-endpoint=/run/containerd/containerd.sock --fail-swap-on=false\n', u'expected_result': u"'--streaming-connection-idle-timeout' is present OR '--streaming-connection-idle-timeout' is not present", u'type': u'', u'test_number': u'2.1.5'}, {u'audit': u'/bin/ps -fC kubelet', u'status': u'FAIL', u'scored': True, u'test_info': [u'If using a Kubelet config file, edit the file to set protectKernelDefaults: true .\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--protect-kernel-defaults=true\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], u'test_desc': u'Ensure that the --protect-kernel-defaults argument is set to true (Scored)', u'AuditConfig': u'/bin/cat /var/lib/kubelet/config.yaml', u'remediation': u'If using a Kubelet config file, edit the file to set protectKernelDefaults: true .\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--protect-kernel-defaults=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', u'actual_value': u'', u'expected_result': u'', u'type': u'', u'test_number': u'2.1.6'}, {u'audit': u'/bin/ps -fC kubelet', u'status': u'PASS', u'scored': True, u'test_info': [u'If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove the --make-iptables-util-chains argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], u'test_desc': u'Ensure that the --make-iptables-util-chains argument is set to true (Scored)', u'AuditConfig': u'/bin/cat /var/lib/kubelet/config.yaml', u'remediation': u'If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove the --make-iptables-util-chains argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', u'actual_value': u'UID PID PPID C STIME TTY TIME CMD\nroot 1092 1 3 2020 ? 3-17:21:17 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --fail-swap-on=false --node-ip=172.18.0.4 --container-runtime=remote --container-runtime-endpoint=/run/containerd/containerd.sock --fail-swap-on=false\n', u'expected_result': u"'--make-iptables-util-chains' is present OR '--make-iptables-util-chains' is not present", u'type': u'', u'test_number': u'2.1.7'}, {u'audit': u'/bin/ps -fC kubelet ', u'status': u'PASS', u'scored': True, u'test_info': [u'Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and remove the --hostname-override argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], u'test_desc': u'Ensure that the --hostname-override argument is not set (Scored)', u'AuditConfig': u'', u'remediation': u'Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and remove the --hostname-override argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', u'actual_value': u'UID PID PPID C STIME TTY TIME CMD\nroot 1092 1 3 2020 ? 
3-17:21:17 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --fail-swap-on=false --node-ip=172.18.0.4 --container-runtime=remote --container-runtime-endpoint=/run/containerd/containerd.sock --fail-swap-on=false\n', u'expected_result': u"'--hostname-override' is not present", u'type': u'', u'test_number': u'2.1.8'}, {u'audit': u'/bin/ps -fC kubelet', u'status': u'FAIL', u'scored': True, u'test_info': [u'If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--event-qps=0\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], u'test_desc': u'Ensure that the --event-qps argument is set to 0 (Scored)', u'AuditConfig': u'/bin/cat /var/lib/kubelet/config.yaml', u'remediation': u'If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--event-qps=0\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', u'actual_value': u'', u'expected_result': u'', u'type': u'', u'test_number': u'2.1.9'}, {u'audit': u'/bin/ps -fC kubelet', u'status': u'FAIL', u'scored': True, u'test_info': [u'If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate\nfile to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the\ncorresponding private key file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameters in KUBELET_CERTIFICATE_ARGS variable.\n--tls-cert-file=\nfile=\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], u'test_desc': u'Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)', u'AuditConfig': u'/bin/cat /var/lib/kubelet/config.yaml', u'remediation': u'If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate\nfile to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the\ncorresponding private key file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameters in KUBELET_CERTIFICATE_ARGS variable.\n--tls-cert-file=\nfile=\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', u'actual_value': u'', u'expected_result': u'', u'type': u'', u'test_number': u'2.1.10'}, {u'audit': u'/bin/ps -fC kubelet ', u'status': u'INFO', u'scored': False, u'test_info': [u'Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.\n--cadvisor-port=0\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], u'test_desc': u'[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0', u'reason': u'Test marked as skip', u'AuditConfig': u'', u'remediation': u'Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.\n--cadvisor-port=0\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', u'actual_value': u'', u'expected_result': u'', u'type': u'skip', u'test_number': u'2.1.11'}, {u'audit': u'/bin/ps -fC kubelet', u'status': u'PASS', u'scored': True, u'test_info': [u'If using a Kubelet config file, edit the file to add the line rotateCertificates: true.\nIf using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable.\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], u'test_desc': u'Ensure that the --rotate-certificates argument is not set to false (Scored)', u'AuditConfig': u'/bin/cat /var/lib/kubelet/config.yaml', u'remediation': u'If using a Kubelet config file, edit the file to add the line rotateCertificates: true.\nIf using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', u'actual_value': u'UID PID PPID C STIME TTY TIME CMD\nroot 1092 1 3 2020 ? 3-17:21:17 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --fail-swap-on=false --node-ip=172.18.0.4 --container-runtime=remote --container-runtime-endpoint=/run/containerd/containerd.sock --fail-swap-on=false\n', u'expected_result': u"'--rotate-certificates' is present OR '--rotate-certificates' is not present", u'type': u'', u'test_number': u'2.1.12'}, {u'audit': u'/bin/ps -fC kubelet', u'status': u'FAIL', u'scored': True, u'test_info': [u'Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.\n--feature-gates=RotateKubeletServerCertificate=true\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], u'test_desc': u'Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)', u'AuditConfig': u'/bin/cat /var/lib/kubelet/config.yaml', u'remediation': u'Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.\n--feature-gates=RotateKubeletServerCertificate=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', u'actual_value': u'', u'expected_result': u'', u'type': u'', u'test_number': u'2.1.13'}, {u'audit': u'/bin/ps -fC kubelet', u'status': u'WARN', u'scored': False, u'test_info': [u'If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nIf using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter.\n--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\n'], u'test_desc': u'Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)', u'AuditConfig': u'/bin/cat /var/lib/kubelet/config.yaml', u'remediation': u'If using a Kubelet config file, edit the file to set TLSCipherSuites: to 
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nIf using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter.\n--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\n', u'actual_value': u'', u'expected_result': u'', u'type': u'', u'test_number': u'2.1.14'}], u'warn': 1, u'pass': 7, u'fail': 5, u'desc': u'Kubelet'}, {u'info': 0, u'section': u'2.2', u'results': [{u'audit': u"/bin/sh -c 'if test -e /etc/kubernetes/kubelet.conf; then stat -c permissions=%a /etc/kubernetes/kubelet.conf; fi' ", u'status': u'PASS', u'scored': True, u'test_info': [u'Run the below command (based on the file location on your system) on the each worker\nnode. For example,\nchmod 644 /etc/kubernetes/kubelet.conf\n'], u'test_desc': u'Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)', u'AuditConfig': u'', u'remediation': u'Run the below command (based on the file location on your system) on the each worker\nnode. 
For example,\nchmod 644 /etc/kubernetes/kubelet.conf\n', u'actual_value': u'permissions=600\n', u'expected_result': u"bitmask '600' AND '644'", u'type': u'', u'test_number': u'2.2.1'}, {u'audit': u"/bin/sh -c 'if test -e /etc/kubernetes/kubelet.conf; then stat -c %U:%G /etc/kubernetes/kubelet.conf; fi' ", u'status': u'PASS', u'scored': True, u'test_info': [u'Run the below command (based on the file location on your system) on the each worker\nnode. For example,\nchown root:root /etc/kubernetes/kubelet.conf\n'], u'test_desc': u'Ensure that the kubelet.conf file ownership is set to root:root (Scored)', u'AuditConfig': u'', u'remediation': u'Run the below command (based on the file location on your system) on the each worker\nnode. For example,\nchown root:root /etc/kubernetes/kubelet.conf\n', u'actual_value': u'root:root\n', u'expected_result': u"'root:root' is equal to 'root:root'", u'type': u'', u'test_number': u'2.2.2'}, {u'audit': u"/bin/sh -c 'if test -e /etc/systemd/system/kubelet.service.d/10-kubeadm.conf; then stat -c permissions=%a /etc/systemd/system/kubelet.service.d/10-kubeadm.conf; fi' ", u'status': u'FAIL', u'scored': True, u'test_info': [u'Run the below command (based on the file location on your system) on the each worker\nnode. For example,\nchmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\n'], u'test_desc': u'Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)', u'AuditConfig': u'', u'remediation': u'Run the below command (based on the file location on your system) on the each worker\nnode. 
For example,\nchmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\n', u'actual_value': u'', u'expected_result': u'', u'type': u'', u'test_number': u'2.2.3'}, {u'audit': u"/bin/sh -c 'if test -e /etc/systemd/system/kubelet.service.d/10-kubeadm.conf; then stat -c %U:%G /etc/systemd/system/kubelet.service.d/10-kubeadm.conf; fi' ", u'status': u'PASS', u'scored': True, u'test_info': [u'Run the below command (based on the file location on your system) on the each worker\nnode. For example,\nchown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\n'], u'test_desc': u'Ensure that the kubelet service file ownership is set to root:root (Scored)', u'AuditConfig': u'', u'remediation': u'Run the below command (based on the file location on your system) on the each worker\nnode. For example,\nchown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\n', u'actual_value': u'root:root\n', u'expected_result': u"'root:root' is present", u'type': u'', u'test_number': u'2.2.4'}, {u'audit': u"/bin/sh -c 'if test -e /etc/kubernetes/proxy.conf; then stat -c permissions=%a /etc/kubernetes/proxy.conf; fi' ", u'status': u'FAIL', u'scored': True, u'test_info': [u'Run the below command (based on the file location on your system) on the each worker\nnode. For example,\nchmod 644 /etc/kubernetes/proxy.conf\n'], u'test_desc': u'Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)', u'AuditConfig': u'', u'remediation': u'Run the below command (based on the file location on your system) on the each worker\nnode. For example,\nchmod 644 /etc/kubernetes/proxy.conf\n', u'actual_value': u'', u'expected_result': u'', u'type': u'', u'test_number': u'2.2.5'}, {u'audit': u"/bin/sh -c 'if test -e /etc/kubernetes/proxy.conf; then stat -c %U:%G /etc/kubernetes/proxy.conf; fi' ", u'status': u'FAIL', u'scored': True, u'test_info': [u'Run the below command (based on the file location on your system) on the each worker\nnode. 
For example,\nchown root:root /etc/kubernetes/proxy.conf\n'], u'test_desc': u'Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)', u'AuditConfig': u'', u'remediation': u'Run the below command (based on the file location on your system) on the each worker\nnode. For example,\nchown root:root /etc/kubernetes/proxy.conf\n', u'actual_value': u'', u'expected_result': u'', u'type': u'', u'test_number': u'2.2.6'}, {u'audit': u"/bin/sh -c 'if test -e /etc/kubernetes/pki/ca.crt; then stat -c permissions=%a /etc/kubernetes/pki/ca.crt; fi'", u'status': u'PASS', u'scored': True, u'test_info': [u'Run the following command to modify the file permissions of the --client-ca-file\nchmod 644 \n'], u'test_desc': u'Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)', u'AuditConfig': u'', u'remediation': u'Run the following command to modify the file permissions of the --client-ca-file\nchmod 644 \n', u'actual_value': u'permissions=644\n', u'expected_result': u"bitmask '644' AND '644'", u'type': u'', u'test_number': u'2.2.7'}, {u'audit': u"CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')\nif [[ -z $CAFILE ]]; then\n CAFILE=/etc/kubernetes/pki/ca.crt\nfi\nif test -e $CAFILE; then stat -c %U:%G $CAFILE; fi\n", u'status': u'PASS', u'scored': True, u'test_info': [u'Run the following command to modify the ownership of the --client-ca-file .\nchown root:root \n'], u'test_desc': u'Ensure that the client certificate authorities file ownership is set to root:root (Scored)', u'AuditConfig': u'', u'remediation': u'Run the following command to modify the ownership of the --client-ca-file .\nchown root:root \n', u'actual_value': u'root:root\n', u'expected_result': u"'root:root' is equal to 'root:root'", u'type': u'', u'test_number': u'2.2.8'}, {u'audit': u"/bin/sh -c 'if test -e /var/lib/kubelet/config.yaml; then stat -c %U:%G 
/var/lib/kubelet/config.yaml; fi' ", u'status': u'PASS', u'scored': True, u'test_info': [u'Run the following command (using the config file location identified in the Audit step)\nchown root:root /var/lib/kubelet/config.yaml\n'], u'test_desc': u'Ensure that the kubelet configuration file ownership is set to root:root (Scored)', u'AuditConfig': u'', u'remediation': u'Run the following command (using the config file location identified in the Audit step)\nchown root:root /var/lib/kubelet/config.yaml\n', u'actual_value': u'root:root\n', u'expected_result': u"'root:root' is present", u'type': u'', u'test_number': u'2.2.9'}, {u'audit': u"/bin/sh -c 'if test -e /var/lib/kubelet/config.yaml; then stat -c permissions=%a /var/lib/kubelet/config.yaml; fi' ", u'status': u'PASS', u'scored': True, u'test_info': [u'Run the following command (using the config file location identified in the Audit step)\nchmod 644 /var/lib/kubelet/config.yaml\n'], u'test_desc': u'Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)', u'AuditConfig': u'', u'remediation': u'Run the following command (using the config file location identified in the Audit step)\nchmod 644 /var/lib/kubelet/config.yaml\n', u'actual_value': u'permissions=644\n', u'expected_result': u"bitmask '644' AND '644'", u'type': u'', u'test_number': u'2.2.10'}], u'warn': 0, u'pass': 7, u'fail': 3, u'desc': u'Configuration Files'}], u'text': u'Worker Node Security Configuration', u'total_pass': 14, u'node_type': u'node', u'version': u'1.13', u'total_fail': 8, u'total_info': 1, u'id': u'2', u'total_warn': 1}] 2021-01-01 19:39:32,672 - functest_kubernetes.security.security - ERROR - Ensure that the --read-only-port argument is set to 0 (Scored) If using a Kubelet config file, edit the file to set readOnlyPort to 0 . 
If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --read-only-port=0 Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service
2021-01-01 19:39:32,672 - functest_kubernetes.security.security - ERROR - Ensure that the --protect-kernel-defaults argument is set to true (Scored) If using a Kubelet config file, edit the file to set protectKernelDefaults: true . If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --protect-kernel-defaults=true Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service
2021-01-01 19:39:32,672 - functest_kubernetes.security.security - ERROR - Ensure that the --event-qps argument is set to 0 (Scored) If using a Kubelet config file, edit the file to set eventRecordQPS: 0 . If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --event-qps=0 Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service
2021-01-01 19:39:32,673 - functest_kubernetes.security.security - ERROR - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored) If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the corresponding private key file. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameters in KUBELET_CERTIFICATE_ARGS variable. --tls-cert-file= file= Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service
2021-01-01 19:39:32,673 - functest_kubernetes.security.security - ERROR - Ensure that the RotateKubeletServerCertificate argument is set to true (Scored) Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. --feature-gates=RotateKubeletServerCertificate=true Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service
2021-01-01 19:39:32,673 - functest_kubernetes.security.security - ERROR - Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored) Run the below command (based on the file location on your system) on the each worker node. For example, chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
2021-01-01 19:39:32,673 - functest_kubernetes.security.security - ERROR - Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored) Run the below command (based on the file location on your system) on the each worker node. For example, chmod 644 /etc/kubernetes/proxy.conf
2021-01-01 19:39:32,673 - functest_kubernetes.security.security - ERROR - Ensure that the proxy kubeconfig file ownership is set to root:root (Scored) Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root /etc/kubernetes/proxy.conf
2021-01-01 19:39:32,674 - functest_kubernetes.security.security - WARNING - Targets:
+-------------------+-----------------+-----------------------------+--------------+--------------+--------------+
|     NODE_TYPE     |     VERSION     |          TEST_DESC          |     PASS     |     FAIL     |     WARN     |
+-------------------+-----------------+-----------------------------+--------------+--------------+--------------+
|       node        |      1.13       |           Kubelet           |      7       |      5       |      1       |
|       node        |      1.13       |     Configuration Files     |      7       |      3       |      0       |
+-------------------+-----------------+-----------------------------+--------------+--------------+--------------+
2021-01-01 19:39:32,674 - xtesting.ci.run_tests - INFO - Test result:
+-------------------------+------------------+------------------+----------------+
|        TEST CASE        |     PROJECT      |     DURATION     |     RESULT     |
+-------------------------+------------------+------------------+----------------+
|     kube_bench_node     |     functest     |      00:05       |      PASS      |
+-------------------------+------------------+------------------+----------------+
2021-01-01 19:39:32,744 - kubernetes.client.rest - DEBUG - response body: 
{"kind":"Pod","apiVersion":"v1","metadata":{"name":"kube-bench-node-4569j","generateName":"kube-bench-node-","namespace":"kube-bench-4wsdq","selfLink":"/api/v1/namespaces/kube-bench-4wsdq/pods/kube-bench-node-4569j","uid":"0f4eb59a-4c69-11eb-8302-0242ac120002","resourceVersion":"17221231","creationTimestamp":"2021-01-01T19:39:27Z","deletionTimestamp":"2021-01-01T19:39:32Z","deletionGracePeriodSeconds":0,"labels":{"controller-uid":"0f46827b-4c69-11eb-8302-0242ac120002","job-name":"kube-bench-node"},"ownerReferences":[{"apiVersion":"batch/v1","kind":"Job","name":"kube-bench-node","uid":"0f46827b-4c69-11eb-8302-0242ac120002","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"var-lib-kubelet","hostPath":{"path":"/var/lib/kubelet","type":""}},{"name":"etc-systemd","hostPath":{"path":"/etc/systemd","type":""}},{"name":"etc-kubernetes","hostPath":{"path":"/etc/kubernetes","type":""}},{"name":"usr-bin","hostPath":{"path":"/usr/bin","type":""}},{"name":"default-token-z5876","secret":{"secretName":"default-token-z5876","defaultMode":420}}],"containers":[{"name":"kube-bench","image":"aquasec/kube-bench:0.3.1","command":["kube-bench","node","--json"],"resources":{},"volumeMounts":[{"name":"var-lib-kubelet","readOnly":true,"mountPath":"/var/lib/kubelet"},{"name":"etc-systemd","readOnly":true,"mountPath":"/etc/systemd"},{"name":"etc-kubernetes","readOnly":true,"mountPath":"/etc/kubernetes"},{"name":"usr-bin","readOnly":true,"mountPath":"/usr/local/mount-from-host/bin"},{"name":"default-token-z5876","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"IfNotPresent"}],"restartPolicy":"Never","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"hunter-worker","hostPID":true,"securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.
kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Succeeded","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2021-01-01T19:39:27Z","reason":"PodCompleted"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2021-01-01T19:39:32Z","reason":"PodCompleted"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2021-01-01T19:39:32Z","reason":"PodCompleted"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2021-01-01T19:39:27Z"}],"hostIP":"172.18.0.4","podIP":"10.244.1.100","startTime":"2021-01-01T19:39:27Z","containerStatuses":[{"name":"kube-bench","state":{"terminated":{"exitCode":0,"reason":"Completed","startedAt":"2021-01-01T19:39:31Z","finishedAt":"2021-01-01T19:39:31Z","containerID":"containerd://6b355c104508e2f39c15df0afaf09f5c7c1a7d4d94268ca8d8c897458ce86bd9"}},"lastState":{},"ready":false,"restartCount":0,"image":"docker.io/aquasec/kube-bench:0.3.1","imageID":"docker.io/aquasec/kube-bench@sha256:3544f6662feb73d36fdba35b17652e2fd73aae45bd4b60e76d7ab928220b3cc6","containerID":"containerd://6b355c104508e2f39c15df0afaf09f5c7c1a7d4d94268ca8d8c897458ce86bd9"}],"qosClass":"BestEffort"}} 2021-01-01 19:39:32,745 - functest_kubernetes.security.security - DEBUG - delete_namespaced_pod: {'api_version': 'v1', 'code': None, 'details': None, 'kind': 'Pod', 'message': None, 'metadata': {'_continue': None, 'resource_version': '17221231', 'self_link': '/api/v1/namespaces/kube-bench-4wsdq/pods/kube-bench-node-4569j'}, 'reason': None, 'status': "{u'qosClass': u'BestEffort', u'containerStatuses': [{u'restartCount': 0, u'name': u'kube-bench', u'image': u'docker.io/aquasec/kube-bench:0.3.1', u'imageID': 
u'docker.io/aquasec/kube-bench@sha256:3544f6662feb73d36fdba35b17652e2fd73aae45bd4b60e76d7ab928220b3cc6', u'state': {u'terminated': {u'startedAt': u'2021-01-01T19:39:31Z', u'reason': u'Completed', u'finishedAt': u'2021-01-01T19:39:31Z', u'containerID': u'containerd://6b355c104508e2f39c15df0afaf09f5c7c1a7d4d94268ca8d8c897458ce86bd9', u'exitCode': 0}}, u'ready': False, u'lastState': {}, u'containerID': u'containerd://6b355c104508e2f39c15df0afaf09f5c7c1a7d4d94268ca8d8c897458ce86bd9'}], u'podIP': u'10.244.1.100', u'startTime': u'2021-01-01T19:39:27Z', u'hostIP': u'172.18.0.4', u'phase': u'Succeeded', u'conditions': [{u'status': u'True', u'lastProbeTime': None, u'reason': u'PodCompleted', u'type': u'Initialized', u'lastTransitionTime': u'2021-01-01T19:39:27Z'}, {u'status': u'False', u'lastProbeTime': None, u'reason': u'PodCompleted', u'type': u'Ready', u'lastTransitionTime': u'2021-01-01T19:39:32Z'}, {u'status': u'False', u'lastProbeTime': None, u'reason': u'PodCompleted', u'type': u'ContainersReady', u'lastTransitionTime': u'2021-01-01T19:39:32Z'}, {u'status': u'True', u'lastProbeTime': None, u'type': u'PodScheduled', u'lastTransitionTime': u'2021-01-01T19:39:27Z'}]}"} 2021-01-01 19:39:32,767 - kubernetes.client.rest - DEBUG - response body: 
{"kind":"Job","apiVersion":"batch/v1","metadata":{"name":"kube-bench-node","namespace":"kube-bench-4wsdq","selfLink":"/apis/batch/v1/namespaces/kube-bench-4wsdq/jobs/kube-bench-node","uid":"0f46827b-4c69-11eb-8302-0242ac120002","resourceVersion":"17221233","creationTimestamp":"2021-01-01T19:39:27Z","deletionTimestamp":"2021-01-01T19:39:32Z","deletionGracePeriodSeconds":0,"labels":{"controller-uid":"0f46827b-4c69-11eb-8302-0242ac120002","job-name":"kube-bench-node"},"finalizers":["orphan"]},"spec":{"parallelism":1,"completions":1,"backoffLimit":6,"selector":{"matchLabels":{"controller-uid":"0f46827b-4c69-11eb-8302-0242ac120002"}},"template":{"metadata":{"creationTimestamp":null,"labels":{"controller-uid":"0f46827b-4c69-11eb-8302-0242ac120002","job-name":"kube-bench-node"}},"spec":{"volumes":[{"name":"var-lib-kubelet","hostPath":{"path":"/var/lib/kubelet","type":""}},{"name":"etc-systemd","hostPath":{"path":"/etc/systemd","type":""}},{"name":"etc-kubernetes","hostPath":{"path":"/etc/kubernetes","type":""}},{"name":"usr-bin","hostPath":{"path":"/usr/bin","type":""}}],"containers":[{"name":"kube-bench","image":"aquasec/kube-bench:0.3.1","command":["kube-bench","node","--json"],"resources":{},"volumeMounts":[{"name":"var-lib-kubelet","readOnly":true,"mountPath":"/var/lib/kubelet"},{"name":"etc-systemd","readOnly":true,"mountPath":"/etc/systemd"},{"name":"etc-kubernetes","readOnly":true,"mountPath":"/etc/kubernetes"},{"name":"usr-bin","readOnly":true,"mountPath":"/usr/local/mount-from-host/bin"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"IfNotPresent"}],"restartPolicy":"Never","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","hostPID":true,"securityContext":{},"schedulerName":"default-scheduler"}}},"status":{"conditions":[{"type":"Complete","status":"True","lastProbeTime":"2021-01-01T19:39:32Z","lastTransitionTime":"2021-01-01T19:39:32Z"}],"startTime":"2021-01-01T19:39:27Z","completionTime":"2021-01-0
1T19:39:32Z","succeeded":1}} 2021-01-01 19:39:32,787 - functest_kubernetes.security.security - DEBUG - delete_namespaced_deployment: {'api_version': 'batch/v1', 'code': None, 'details': None, 'kind': 'Job', 'message': None, 'metadata': {'_continue': None, 'resource_version': '17221233', 'self_link': '/apis/batch/v1/namespaces/kube-bench-4wsdq/jobs/kube-bench-node'}, 'reason': None, 'status': "{u'completionTime': u'2021-01-01T19:39:32Z', u'conditions': [{u'status': u'True', u'lastProbeTime': u'2021-01-01T19:39:32Z', u'type': u'Complete', u'lastTransitionTime': u'2021-01-01T19:39:32Z'}], u'succeeded': 1, u'startTime': u'2021-01-01T19:39:27Z'}"} 2021-01-01 19:39:32,815 - kubernetes.client.rest - DEBUG - response body: {"kind":"Namespace","apiVersion":"v1","metadata":{"name":"kube-bench-4wsdq","generateName":"kube-bench-","selfLink":"/api/v1/namespaces/kube-bench-4wsdq","uid":"0f425288-4c69-11eb-8302-0242ac120002","resourceVersion":"17221234","creationTimestamp":"2021-01-01T19:39:27Z","deletionTimestamp":"2021-01-01T19:39:32Z"},"spec":{"finalizers":["kubernetes"]},"status":{"phase":"Terminating"}} 2021-01-01 19:39:32,815 - functest_kubernetes.security.security - DEBUG - delete_namespace: kube-bench-4wsdq 2021-01-01 19:39:33,084 - xtesting.core.testcase - DEBUG - Publishing /var/lib/xtesting/results/functest-kubernetes.log ('text/plain', None) 2021-01-01 19:39:33,263 - xtesting.core.testcase - DEBUG - Publishing /var/lib/xtesting/results/functest-kubernetes.debug.log ('text/plain', None)