2020-09-13 10:29:58,986 - xtesting.ci.run_tests - INFO - Deployment description:
+-------------------------+------------------------------------------------------------+
| ENV VAR                 | VALUE                                                      |
+-------------------------+------------------------------------------------------------+
| CI_LOOP                 | daily                                                      |
| DEBUG                   | true                                                       |
| DEPLOY_SCENARIO         | k8-nosdn-nofeature-noha                                    |
| INSTALLER_TYPE          | unknown                                                    |
| BUILD_TAG               | 1BVOG0KG6L87                                               |
| NODE_NAME               | lf-virtual1-5                                              |
| TEST_DB_URL             | http://testresults.opnfv.org/test/api/v1/results           |
| TEST_DB_EXT_URL         | http://testresults.opnfv.org/test/api/v1/results           |
| S3_ENDPOINT_URL         | https://storage.googleapis.com                             |
| S3_DST_URL              | s3://artifacts.opnfv.org/functest-                         |
|                         | kubernetes/1BVOG0KG6L87/functest-kubernetes-opnfv-         |
|                         | functest-kubernetes-security-latest-kube_bench-            |
|                         | run-134                                                    |
| HTTP_DST_URL            | http://artifacts.opnfv.org/functest-                       |
|                         | kubernetes/1BVOG0KG6L87/functest-kubernetes-opnfv-         |
|                         | functest-kubernetes-security-latest-kube_bench-            |
|                         | run-134                                                    |
+-------------------------+------------------------------------------------------------+
2020-09-13 10:29:58,998 - xtesting.ci.run_tests - INFO - Loading test case 'kube_bench'...
2020-09-13 10:29:59,332 - xtesting.ci.run_tests - INFO - Running test case 'kube_bench'...
2020-09-13 10:29:59,578 - functest_kubernetes.security.security - INFO - Job kube-bench created 2020-09-13 10:30:06,605 - functest_kubernetes.security.security - INFO - kube-bench started in 7.27 sec 2020-09-13 10:30:06,952 - functest_kubernetes.security.security - INFO - [{'id': '4', 'version': '1.5', 'text': 'Worker Node Security Configuration', 'node_type': 'node', 'tests': [{'section': '4.1', 'pass': 6, 'fail': 3, 'warn': 1, 'info': 0, 'desc': 'Worker Node Configuration Files', 'results': [{'test_number': '4.1.1', 'test_desc': 'Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)', 'audit': "/bin/sh -c 'if test -e /etc/systemd/system/kubelet.service.d/10-kubeadm.conf; then stat -c permissions=%a /etc/systemd/system/kubelet.service.d/10-kubeadm.conf; fi' ", 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the each worker node.\nFor example,\nchmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\n', 'test_info': ['Run the below command (based on the file location on your system) on the each worker node.\nFor example,\nchmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\n'], 'status': 'FAIL', 'actual_value': '', 'scored': True, 'expected_result': ''}, {'test_number': '4.1.2', 'test_desc': 'Ensure that the kubelet service file ownership is set to root:root (Scored)', 'audit': "/bin/sh -c 'if test -e /etc/systemd/system/kubelet.service.d/10-kubeadm.conf; then stat -c %U:%G /etc/systemd/system/kubelet.service.d/10-kubeadm.conf; fi' ", 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the each worker node.\nFor example,\nchown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\n', 'test_info': ['Run the below command (based on the file location on your system) on the each worker node.\nFor example,\nchown root:root 
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf\n'], 'status': 'PASS', 'actual_value': 'root:root\n', 'scored': True, 'expected_result': "'root:root' is present"}, {'test_number': '4.1.3', 'test_desc': 'Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)', 'audit': "/bin/sh -c 'if test -e /etc/kubernetes/proxy.conf; then stat -c permissions=%a /etc/kubernetes/proxy.conf; fi' ", 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the each worker node.\nFor example,\nchmod 644 /etc/kubernetes/proxy.conf\n', 'test_info': ['Run the below command (based on the file location on your system) on the each worker node.\nFor example,\nchmod 644 /etc/kubernetes/proxy.conf\n'], 'status': 'FAIL', 'actual_value': '', 'scored': True, 'expected_result': ''}, {'test_number': '4.1.4', 'test_desc': 'Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)', 'audit': "/bin/sh -c 'if test -e /etc/kubernetes/proxy.conf; then stat -c %U:%G /etc/kubernetes/proxy.conf; fi' ", 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the each worker node.\nFor example, chown root:root /etc/kubernetes/proxy.conf\n', 'test_info': ['Run the below command (based on the file location on your system) on the each worker node.\nFor example, chown root:root /etc/kubernetes/proxy.conf\n'], 'status': 'FAIL', 'actual_value': '', 'scored': True, 'expected_result': ''}, {'test_number': '4.1.5', 'test_desc': 'Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)', 'audit': "/bin/sh -c 'if test -e /etc/kubernetes/kubelet.conf; then stat -c permissions=%a /etc/kubernetes/kubelet.conf; fi' ", 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the each worker node.\nFor example,\nchmod 644 /etc/kubernetes/kubelet.conf\n', 
'test_info': ['Run the below command (based on the file location on your system) on the each worker node.\nFor example,\nchmod 644 /etc/kubernetes/kubelet.conf\n'], 'status': 'PASS', 'actual_value': 'permissions=600\n', 'scored': True, 'expected_result': "bitmask '600' AND '644'"}, {'test_number': '4.1.6', 'test_desc': 'Ensure that the kubelet.conf file ownership is set to root:root (Scored)', 'audit': "/bin/sh -c 'if test -e /etc/kubernetes/kubelet.conf; then stat -c %U:%G /etc/kubernetes/kubelet.conf; fi' ", 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the each worker node.\nFor example,\nchown root:root /etc/kubernetes/kubelet.conf\n', 'test_info': ['Run the below command (based on the file location on your system) on the each worker node.\nFor example,\nchown root:root /etc/kubernetes/kubelet.conf\n'], 'status': 'PASS', 'actual_value': 'root:root\n', 'scored': True, 'expected_result': "'root:root' is equal to 'root:root'"}, {'test_number': '4.1.7', 'test_desc': 'Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)', 'audit': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the following command to modify the file permissions of the\n--client-ca-file chmod 644 \n', 'test_info': ['Run the following command to modify the file permissions of the\n--client-ca-file chmod 644 \n'], 'status': 'WARN', 'actual_value': '', 'scored': True, 'expected_result': '', 'reason': 'There are no tests'}, {'test_number': '4.1.8', 'test_desc': 'Ensure that the client certificate authorities file ownership is set to root:root (Scored)', 'audit': "CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')\nif [[ -z $CAFILE ]]; then\n CAFILE=/etc/kubernetes/pki/ca.crt\nfi\nif test -e $CAFILE; then stat -c %U:%G $CAFILE; fi\n", 'AuditConfig': '', 'type': '', 'remediation': 'Run the 
following command to modify the ownership of the --client-ca-file.\nchown root:root \n', 'test_info': ['Run the following command to modify the ownership of the --client-ca-file.\nchown root:root \n'], 'status': 'PASS', 'actual_value': 'root:root\n', 'scored': True, 'expected_result': "'root:root' is equal to 'root:root'"}, {'test_number': '4.1.9', 'test_desc': 'Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)', 'audit': "/bin/sh -c 'if test -e /var/lib/kubelet/config.yaml; then stat -c permissions=%a /var/lib/kubelet/config.yaml; fi' ", 'AuditConfig': '', 'type': '', 'remediation': 'Run the following command (using the config file location identified in the Audit step)\nchmod 644 /var/lib/kubelet/config.yaml\n', 'test_info': ['Run the following command (using the config file location identified in the Audit step)\nchmod 644 /var/lib/kubelet/config.yaml\n'], 'status': 'PASS', 'actual_value': 'permissions=644\n', 'scored': True, 'expected_result': "bitmask '644' AND '644'"}, {'test_number': '4.1.10', 'test_desc': 'Ensure that the kubelet configuration file ownership is set to root:root (Scored)', 'audit': "/bin/sh -c 'if test -e /var/lib/kubelet/config.yaml; then stat -c %U:%G /var/lib/kubelet/config.yaml; fi' ", 'AuditConfig': '', 'type': '', 'remediation': 'Run the following command (using the config file location identified in the Audit step)\nchown root:root /var/lib/kubelet/config.yaml\n', 'test_info': ['Run the following command (using the config file location identified in the Audit step)\nchown root:root /var/lib/kubelet/config.yaml\n'], 'status': 'PASS', 'actual_value': 'root:root\n', 'scored': True, 'expected_result': "'root:root' is present"}]}, {'section': '4.2', 'pass': 7, 'fail': 4, 'warn': 2, 'info': 0, 'desc': 'Kubelet', 'results': [{'test_number': '4.2.1', 'test_desc': 'Ensure that the --anonymous-auth argument is set to false (Scored)', 'audit': '/bin/ps -fC kubelet', 'AuditConfig': '/bin/cat 
/var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to\nfalse.\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--anonymous-auth=false\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to\nfalse.\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--anonymous-auth=false\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'PASS', 'actual_value': 'apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n cacheTTL: 0s\n enabled: true\n x509:\n clientCAFile: /etc/kubernetes/pki/ca.crt\nauthorization:\n mode: Webhook\n webhook:\n cacheAuthorizedTTL: 0s\n cacheUnauthorizedTTL: 0s\nclusterDNS:\n- 10.96.0.10\nclusterDomain: cluster.local\ncpuManagerReconcilePeriod: 0s\nevictionHard:\n imagefs.available: 0%\n nodefs.available: 0%\n nodefs.inodesFree: 0%\nevictionPressureTransitionPeriod: 0s\nfileCheckFrequency: 0s\nhealthzBindAddress: 127.0.0.1\nhealthzPort: 10248\nhttpCheckFrequency: 0s\nimageGCHighThresholdPercent: 100\nimageMinimumGCAge: 0s\nkind: KubeletConfiguration\nlogging: {}\nnodeStatusReportFrequency: 0s\nnodeStatusUpdateFrequency: 0s\nrotateCertificates: true\nruntimeRequestTimeout: 0s\nstaticPodPath: /etc/kubernetes/manifests\nstreamingConnectionIdleTimeout: 0s\nsyncFrequency: 0s\nvolumeStatsAggPeriod: 0s\n', 'scored': True, 'expected_result': "'false' is 
equal to 'false'"}, {'test_number': '4.2.2', 'test_desc': 'Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)', 'audit': '/bin/ps -fC kubelet', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If\nusing executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--authorization-mode=Webhook\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If\nusing executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--authorization-mode=Webhook\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'PASS', 'actual_value': 'apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n cacheTTL: 0s\n enabled: true\n x509:\n clientCAFile: /etc/kubernetes/pki/ca.crt\nauthorization:\n mode: Webhook\n webhook:\n cacheAuthorizedTTL: 0s\n cacheUnauthorizedTTL: 0s\nclusterDNS:\n- 10.96.0.10\nclusterDomain: cluster.local\ncpuManagerReconcilePeriod: 0s\nevictionHard:\n imagefs.available: 0%\n nodefs.available: 0%\n nodefs.inodesFree: 0%\nevictionPressureTransitionPeriod: 0s\nfileCheckFrequency: 0s\nhealthzBindAddress: 127.0.0.1\nhealthzPort: 10248\nhttpCheckFrequency: 0s\nimageGCHighThresholdPercent: 100\nimageMinimumGCAge: 0s\nkind: KubeletConfiguration\nlogging: {}\nnodeStatusReportFrequency: 0s\nnodeStatusUpdateFrequency: 0s\nrotateCertificates: true\nruntimeRequestTimeout: 0s\nstaticPodPath: /etc/kubernetes/manifests\nstreamingConnectionIdleTimeout: 0s\nsyncFrequency: 0s\nvolumeStatsAggPeriod: 0s\n', 'scored': True, 'expected_result': " 'Webhook' not have 'AlwaysAllow'"}, {'test_number': '4.2.3', 'test_desc': 'Ensure that the --client-ca-file argument is set as appropriate (Scored)', 'audit': '/bin/ps -fC kubelet', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to\nthe location of the client CA file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--client-ca-file=\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to\nthe location of the client CA file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--client-ca-file=\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'PASS', 'actual_value': 'apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n cacheTTL: 0s\n enabled: true\n x509:\n clientCAFile: /etc/kubernetes/pki/ca.crt\nauthorization:\n mode: Webhook\n webhook:\n cacheAuthorizedTTL: 0s\n cacheUnauthorizedTTL: 0s\nclusterDNS:\n- 10.96.0.10\nclusterDomain: cluster.local\ncpuManagerReconcilePeriod: 0s\nevictionHard:\n imagefs.available: 0%\n nodefs.available: 0%\n nodefs.inodesFree: 0%\nevictionPressureTransitionPeriod: 0s\nfileCheckFrequency: 0s\nhealthzBindAddress: 127.0.0.1\nhealthzPort: 10248\nhttpCheckFrequency: 0s\nimageGCHighThresholdPercent: 100\nimageMinimumGCAge: 0s\nkind: KubeletConfiguration\nlogging: {}\nnodeStatusReportFrequency: 0s\nnodeStatusUpdateFrequency: 0s\nrotateCertificates: true\nruntimeRequestTimeout: 0s\nstaticPodPath: /etc/kubernetes/manifests\nstreamingConnectionIdleTimeout: 0s\nsyncFrequency: 0s\nvolumeStatsAggPeriod: 0s\n', 'scored': True, 'expected_result': "'' is present"}, {'test_number': '4.2.4', 'test_desc': 'Ensure that the --read-only-port argument is set to 0 (Scored)', 'audit': '/bin/ps -fC kubelet', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'If using a Kubelet config file, edit the file to set readOnlyPort to 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on 
each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--read-only-port=0\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['If using a Kubelet config file, edit the file to set readOnlyPort to 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--read-only-port=0\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'FAIL', 'actual_value': '', 'scored': True, 'expected_result': ''}, {'test_number': '4.2.5', 'test_desc': 'Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)', 'audit': '/bin/ps -fC kubelet', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a\nvalue other than 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--streaming-connection-idle-timeout=5m\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a\nvalue other than 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--streaming-connection-idle-timeout=5m\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'PASS', 'actual_value': 'UID PID PPID C STIME TTY TIME CMD\nroot 1153 1 2 Sep06 ? 04:13:07 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --container-runtime=remote --container-runtime-endpoint=/run/containerd/containerd.sock --fail-swap-on=false --node-ip= --fail-swap-on=false\n', 'scored': True, 'expected_result': "'--streaming-connection-idle-timeout' is present OR '--streaming-connection-idle-timeout' is not present"}, {'test_number': '4.2.6', 'test_desc': 'Ensure that the --protect-kernel-defaults argument is set to true (Scored)', 'audit': '/bin/ps -fC kubelet', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'If using a Kubelet config file, edit the file to set protectKernelDefaults: true.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--protect-kernel-defaults=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['If using a Kubelet config file, edit the file to set protectKernelDefaults: true.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--protect-kernel-defaults=true\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'FAIL', 'actual_value': '', 'scored': True, 'expected_result': ''}, {'test_number': '4.2.7', 'test_desc': 'Ensure that the --make-iptables-util-chains argument is set to true (Scored)', 'audit': '/bin/ps -fC kubelet', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove the --make-iptables-util-chains argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove the --make-iptables-util-chains argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'PASS', 'actual_value': 'UID PID PPID C STIME TTY TIME CMD\nroot 1153 1 2 Sep06 ? 
04:13:07 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --container-runtime=remote --container-runtime-endpoint=/run/containerd/containerd.sock --fail-swap-on=false --node-ip= --fail-swap-on=false\n', 'scored': True, 'expected_result': "'--make-iptables-util-chains' is present OR '--make-iptables-util-chains' is not present"}, {'test_number': '4.2.8', 'test_desc': 'Ensure that the --hostname-override argument is not set (Not Scored)', 'audit': '/bin/ps -fC kubelet ', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and remove the --hostname-override argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and remove the --hostname-override argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'PASS', 'actual_value': 'UID PID PPID C STIME TTY TIME CMD\nroot 1153 1 2 Sep06 ? 
04:13:07 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --container-runtime=remote --container-runtime-endpoint=/run/containerd/containerd.sock --fail-swap-on=false --node-ip= --fail-swap-on=false\n', 'scored': False, 'expected_result': "'--hostname-override' is not present"}, {'test_number': '4.2.9', 'test_desc': 'Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Not Scored)', 'audit': '/bin/ps -fC kubelet', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'WARN', 'actual_value': '', 'scored': False, 'expected_result': ''}, {'test_number': '4.2.10', 'test_desc': 'Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)', 'audit': '/bin/ps -fC kubelet', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'If using a Kubelet config file, edit the file to set tlsCertFile to the location\nof the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile\nto the location of the corresponding private key file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameters in KUBELET_CERTIFICATE_ARGS variable.\n--tls-cert-file=\n--tls-private-key-file=\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['If using a Kubelet config file, edit the file to set tlsCertFile to the location\nof the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile\nto the location of the corresponding private key file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameters in KUBELET_CERTIFICATE_ARGS variable.\n--tls-cert-file=\n--tls-private-key-file=\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'FAIL', 'actual_value': '', 'scored': True, 'expected_result': ''}, {'test_number': '4.2.11', 'test_desc': 'Ensure that the --rotate-certificates argument is not set to false (Scored)', 'audit': '/bin/ps -fC kubelet', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'If using a Kubelet config file, edit the file to add the line rotateCertificates: true or\nremove it altogether to use the default value.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS\nvariable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['If using a Kubelet config file, edit the file to add the line rotateCertificates: true or\nremove it altogether to use the default value.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS\nvariable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'PASS', 'actual_value': 'UID PID PPID C STIME TTY TIME CMD\nroot 1153 1 2 Sep06 ? 
04:13:07 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --container-runtime=remote --container-runtime-endpoint=/run/containerd/containerd.sock --fail-swap-on=false --node-ip= --fail-swap-on=false\n', 'scored': True, 'expected_result': "'--rotate-certificates' is present OR '--rotate-certificates' is not present"}, {'test_number': '4.2.12', 'test_desc': 'Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)', 'audit': '/bin/ps -fC kubelet', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.\n--feature-gates=RotateKubeletServerCertificate=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.\n--feature-gates=RotateKubeletServerCertificate=true\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'FAIL', 'actual_value': '', 'scored': True, 'expected_result': ''}, {'test_number': '4.2.13', 'test_desc': 'Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)', 'audit': '/bin/ps -fC kubelet', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'If using a Kubelet config file, edit the file to set TLSCipherSuites: to\nTLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nor to a subset of these values.\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the --tls-cipher-suites parameter as follows, or to a subset of these values.\n--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['If using a Kubelet config file, edit the file to set TLSCipherSuites: to\nTLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nor to a subset of these values.\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the --tls-cipher-suites parameter as follows, or to a subset of these values.\n--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'WARN', 'actual_value': '', 'scored': False, 'expected_result': ''}]}], 'total_pass': 13, 'total_fail': 7, 'total_warn': 3, 'total_info': 0}, {'id': '5', 'version': '1.5', 'text': 'Kubernetes Policies', 'node_type': 'policies', 'tests': [{'section': '5.1', 'pass': 0, 'fail': 0, 'warn': 6, 'info': 0, 'desc': 'RBAC and Service Accounts', 'results': [{'test_number': '5.1.1', 'test_desc': 'Ensure that the cluster-admin role is only used where required (Not Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Identify all clusterrolebindings to the cluster-admin role. 
Check if they are used and\nif they need this role or if they could use a role with fewer privileges.\nWhere possible, first bind users to a lower privileged role and then remove the\nclusterrolebinding to the cluster-admin role :\nkubectl delete clusterrolebinding [name]\n', 'test_info': ['Identify all clusterrolebindings to the cluster-admin role. Check if they are used and\nif they need this role or if they could use a role with fewer privileges.\nWhere possible, first bind users to a lower privileged role and then remove the\nclusterrolebinding to the cluster-admin role :\nkubectl delete clusterrolebinding [name]\n'], 'status': 'WARN', 'actual_value': '', 'scored': False, 'expected_result': '', 'reason': 'Test marked as a manual test'}, {'test_number': '5.1.2', 'test_desc': 'Minimize access to secrets (Not Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Where possible, remove get, list and watch access to secret objects in the cluster.\n', 'test_info': ['Where possible, remove get, list and watch access to secret objects in the cluster.\n'], 'status': 'WARN', 'actual_value': '', 'scored': False, 'expected_result': '', 'reason': 'Test marked as a manual test'}, {'test_number': '5.1.3', 'test_desc': 'Minimize wildcard use in Roles and ClusterRoles (Not Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Where possible replace any use of wildcards in clusterroles and roles with specific\nobjects or actions.\n', 'test_info': ['Where possible replace any use of wildcards in clusterroles and roles with specific\nobjects or actions.\n'], 'status': 'WARN', 'actual_value': '', 'scored': False, 'expected_result': '', 'reason': 'Test marked as a manual test'}, {'test_number': '5.1.4', 'test_desc': 'Minimize access to create pods (Not Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Where possible, remove create access to pod objects in the cluster.\n', 'test_info': ['Where possible, remove 
create access to pod objects in the cluster.\n'], 'status': 'WARN', 'actual_value': '', 'scored': False, 'expected_result': '', 'reason': 'Test marked as a manual test'}, {'test_number': '5.1.5', 'test_desc': 'Ensure that default service accounts are not actively used. (Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Create explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\nautomountServiceAccountToken: false\n', 'test_info': ['Create explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\nautomountServiceAccountToken: false\n'], 'status': 'WARN', 'actual_value': '', 'scored': True, 'expected_result': '', 'reason': 'Test marked as a manual test'}, {'test_number': '5.1.6', 'test_desc': 'Ensure that Service Account Tokens are only mounted where necessary (Not Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Modify the definition of pods and service accounts which do not need to mount service\naccount tokens to disable it.\n', 'test_info': ['Modify the definition of pods and service accounts which do not need to mount service\naccount tokens to disable it.\n'], 'status': 'WARN', 'actual_value': '', 'scored': False, 'expected_result': '', 'reason': 'Test marked as a manual test'}]}, {'section': '5.2', 'pass': 0, 'fail': 0, 'warn': 9, 'info': 0, 'desc': 'Pod Security Policies', 'results': [{'test_number': '5.2.1', 'test_desc': 'Minimize the admission of privileged containers (Not Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Create a PSP as described in the Kubernetes documentation, ensuring that\nthe .spec.privileged field is omitted or set to false.\n', 'test_info': ['Create a PSP as described in the 
Kubernetes documentation, ensuring that\nthe .spec.privileged field is omitted or set to false.\n'], 'status': 'WARN', 'actual_value': '', 'scored': False, 'expected_result': '', 'reason': 'Test marked as a manual test'}, {'test_number': '5.2.2', 'test_desc': 'Minimize the admission of containers wishing to share the host process ID namespace (Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.hostPID field is omitted or set to false.\n', 'test_info': ['Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.hostPID field is omitted or set to false.\n'], 'status': 'WARN', 'actual_value': '', 'scored': True, 'expected_result': '', 'reason': 'Test marked as a manual test'}, {'test_number': '5.2.3', 'test_desc': 'Minimize the admission of containers wishing to share the host IPC namespace (Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.hostIPC field is omitted or set to false.\n', 'test_info': ['Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.hostIPC field is omitted or set to false.\n'], 'status': 'WARN', 'actual_value': '', 'scored': True, 'expected_result': '', 'reason': 'Test marked as a manual test'}, {'test_number': '5.2.4', 'test_desc': 'Minimize the admission of containers wishing to share the host network namespace (Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.hostNetwork field is omitted or set to false.\n', 'test_info': ['Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.hostNetwork field is omitted or set to false.\n'], 'status': 'WARN', 'actual_value': '', 'scored': True, 'expected_result': '', 'reason': 'Test marked as a manual 
test'}, {'test_number': '5.2.5', 'test_desc': 'Minimize the admission of containers with allowPrivilegeEscalation (Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.allowPrivilegeEscalation field is omitted or set to false.\n', 'test_info': ['Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.allowPrivilegeEscalation field is omitted or set to false.\n'], 'status': 'WARN', 'actual_value': '', 'scored': True, 'expected_result': '', 'reason': 'Test marked as a manual test'}, {'test_number': '5.2.6', 'test_desc': 'Minimize the admission of root containers (Not Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of\nUIDs not including 0.\n', 'test_info': ['Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of\nUIDs not including 0.\n'], 'status': 'WARN', 'actual_value': '', 'scored': False, 'expected_result': '', 'reason': 'Test marked as a manual test'}, {'test_number': '5.2.7', 'test_desc': 'Minimize the admission of containers with the NET_RAW capability (Not Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.requiredDropCapabilities is set to include either NET_RAW or ALL.\n', 'test_info': ['Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.requiredDropCapabilities is set to include either NET_RAW or ALL.\n'], 'status': 'WARN', 'actual_value': '', 'scored': False, 'expected_result': '', 'reason': 'Test marked as a manual test'}, {'test_number': '5.2.8', 'test_desc': 'Minimize the admission of 
containers with added capabilities (Not Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Ensure that allowedCapabilities is not present in PSPs for the cluster unless\nit is set to an empty array.\n', 'test_info': ['Ensure that allowedCapabilities is not present in PSPs for the cluster unless\nit is set to an empty array.\n'], 'status': 'WARN', 'actual_value': '', 'scored': False, 'expected_result': '', 'reason': 'Test marked as a manual test'}, {'test_number': '5.2.9', 'test_desc': 'Minimize the admission of containers with capabilities assigned (Not Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Review the use of capabilities in applications running on your cluster. Where a namespace\ncontains applications which do not require any Linux capabilities to operate, consider adding\na PSP which forbids the admission of containers which do not drop all capabilities.\n', 'test_info': ['Review the use of capabilities in applications running on your cluster. 
Where a namespace\ncontains applications which do not require any Linux capabilities to operate, consider adding\na PSP which forbids the admission of containers which do not drop all capabilities.\n'], 'status': 'WARN', 'actual_value': '', 'scored': False, 'expected_result': '', 'reason': 'Test marked as a manual test'}]}, {'section': '5.3', 'pass': 0, 'fail': 0, 'warn': 2, 'info': 0, 'desc': 'Network Policies and CNI', 'results': [{'test_number': '5.3.1', 'test_desc': 'Ensure that the CNI in use supports Network Policies (Not Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'If the CNI plugin in use does not support network policies, consideration should be given to\nmaking use of a different plugin, or finding an alternate mechanism for restricting traffic\nin the Kubernetes cluster.\n', 'test_info': ['If the CNI plugin in use does not support network policies, consideration should be given to\nmaking use of a different plugin, or finding an alternate mechanism for restricting traffic\nin the Kubernetes cluster.\n'], 'status': 'WARN', 'actual_value': '', 'scored': False, 'expected_result': '', 'reason': 'Test marked as a manual test'}, {'test_number': '5.3.2', 'test_desc': 'Ensure that all Namespaces have Network Policies defined (Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Follow the documentation and create NetworkPolicy objects as you need them.\n', 'test_info': ['Follow the documentation and create NetworkPolicy objects as you need them.\n'], 'status': 'WARN', 'actual_value': '', 'scored': True, 'expected_result': '', 'reason': 'Test marked as a manual test'}]}, {'section': '5.4', 'pass': 0, 'fail': 0, 'warn': 2, 'info': 0, 'desc': 'Secrets Management', 'results': [{'test_number': '5.4.1', 'test_desc': 'Prefer using secrets as files over secrets as environment variables (Not Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'if possible, rewrite application code to read secrets 
from mounted secret files, rather than\nfrom environment variables.\n', 'test_info': ['if possible, rewrite application code to read secrets from mounted secret files, rather than\nfrom environment variables.\n'], 'status': 'WARN', 'actual_value': '', 'scored': False, 'expected_result': '', 'reason': 'Test marked as a manual test'}, {'test_number': '5.4.2', 'test_desc': 'Consider external secret storage (Not Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Refer to the secrets management options offered by your cloud provider or a third-party\nsecrets management solution.\n', 'test_info': ['Refer to the secrets management options offered by your cloud provider or a third-party\nsecrets management solution.\n'], 'status': 'WARN', 'actual_value': '', 'scored': False, 'expected_result': '', 'reason': 'Test marked as a manual test'}]}, {'section': '5.5', 'pass': 0, 'fail': 0, 'warn': 1, 'info': 0, 'desc': 'Extensible Admission Control', 'results': [{'test_number': '5.5.1', 'test_desc': 'Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Follow the Kubernetes documentation and setup image provenance.\n', 'test_info': ['Follow the Kubernetes documentation and setup image provenance.\n'], 'status': 'WARN', 'actual_value': '', 'scored': False, 'expected_result': '', 'reason': 'Test marked as a manual test'}]}, {'section': '5.6', 'pass': 0, 'fail': 0, 'warn': 4, 'info': 0, 'desc': 'General Policies', 'results': [{'test_number': '5.6.1', 'test_desc': 'Create administrative boundaries between resources using namespaces (Not Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Follow the documentation and create namespaces for objects in your deployment as you need\nthem.\n', 'test_info': ['Follow the documentation and create namespaces for objects in your deployment as you need\nthem.\n'], 'status': 'WARN', 'actual_value': 
'', 'scored': False, 'expected_result': '', 'reason': 'Test marked as a manual test'}, {'test_number': '5.6.2', 'test_desc': 'Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you\nwould need to enable alpha features in the apiserver by passing "--feature-\ngates=AllAlpha=true" argument.\nEdit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS\nparameter to "--feature-gates=AllAlpha=true"\nKUBE_API_ARGS="--feature-gates=AllAlpha=true"\nBased on your system, restart the kube-apiserver service. For example:\nsystemctl restart kube-apiserver.service\nUse annotations to enable the docker/default seccomp profile in your pod definitions. An\nexample is as below:\napiVersion: v1\nkind: Pod\nmetadata:\n name: trustworthy-pod\n annotations:\n seccomp.security.alpha.kubernetes.io/pod: docker/default\nspec:\n containers:\n - name: trustworthy-container\n image: sotrustworthy:latest\n', 'test_info': ['Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you\nwould need to enable alpha features in the apiserver by passing "--feature-\ngates=AllAlpha=true" argument.\nEdit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS\nparameter to "--feature-gates=AllAlpha=true"\nKUBE_API_ARGS="--feature-gates=AllAlpha=true"\nBased on your system, restart the kube-apiserver service. For example:\nsystemctl restart kube-apiserver.service\nUse annotations to enable the docker/default seccomp profile in your pod definitions. 
An\nexample is as below:\napiVersion: v1\nkind: Pod\nmetadata:\n name: trustworthy-pod\n annotations:\n seccomp.security.alpha.kubernetes.io/pod: docker/default\nspec:\n containers:\n - name: trustworthy-container\n image: sotrustworthy:latest\n'], 'status': 'WARN', 'actual_value': '', 'scored': False, 'expected_result': '', 'reason': 'Test marked as a manual test'}, {'test_number': '5.6.3', 'test_desc': 'Apply Security Context to Your Pods and Containers (Not Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Follow the Kubernetes documentation and apply security contexts to your pods. For a\nsuggested list of security contexts, you may refer to the CIS Security Benchmark for Docker\nContainers.\n', 'test_info': ['Follow the Kubernetes documentation and apply security contexts to your pods. For a\nsuggested list of security contexts, you may refer to the CIS Security Benchmark for Docker\nContainers.\n'], 'status': 'WARN', 'actual_value': '', 'scored': False, 'expected_result': '', 'reason': 'Test marked as a manual test'}, {'test_number': '5.6.4', 'test_desc': 'The default namespace should not be used (Scored)', 'audit': '', 'AuditConfig': '', 'type': 'manual', 'remediation': 'Ensure that namespaces are created to allow for appropriate segregation of Kubernetes\nresources and that all new resources are created in a specific namespace.\n', 'test_info': ['Ensure that namespaces are created to allow for appropriate segregation of Kubernetes\nresources and that all new resources are created in a specific namespace.\n'], 'status': 'WARN', 'actual_value': '', 'scored': True, 'expected_result': '', 'reason': 'Test marked as a manual test'}]}], 'total_pass': 0, 'total_fail': 0, 'total_warn': 24, 'total_info': 0}] 2020-09-13 10:30:06,960 - functest_kubernetes.security.security - ERROR - Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored) Run the below command (based on the file location on your system) on 
the each worker node. For example, chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
2020-09-13 10:30:06,960 - functest_kubernetes.security.security - ERROR - Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored) Run the below command (based on the file location on your system) on the each worker node. For example, chmod 644 /etc/kubernetes/proxy.conf
2020-09-13 10:30:06,960 - functest_kubernetes.security.security - ERROR - Ensure that the proxy kubeconfig file ownership is set to root:root (Scored) Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root /etc/kubernetes/proxy.conf
2020-09-13 10:30:06,960 - functest_kubernetes.security.security - ERROR - Ensure that the --read-only-port argument is set to 0 (Scored) If using a Kubelet config file, edit the file to set readOnlyPort to 0. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --read-only-port=0 Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service
2020-09-13 10:30:06,960 - functest_kubernetes.security.security - ERROR - Ensure that the --protect-kernel-defaults argument is set to true (Scored) If using a Kubelet config file, edit the file to set protectKernelDefaults: true. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --protect-kernel-defaults=true Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service
2020-09-13 10:30:06,960 - functest_kubernetes.security.security - ERROR - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored) If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the corresponding private key file. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameters in KUBELET_CERTIFICATE_ARGS variable. --tls-cert-file= --tls-private-key-file= Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service
2020-09-13 10:30:06,961 - functest_kubernetes.security.security - ERROR - Ensure that the RotateKubeletServerCertificate argument is set to true (Scored) Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. --feature-gates=RotateKubeletServerCertificate=true Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service
2020-09-13 10:30:06,963 - functest_kubernetes.security.security - WARNING - Targets:
+-------------------+-----------------+-----------------------------------------+--------------+--------------+--------------+
| NODE_TYPE         | VERSION         | TEST_DESC                               | PASS         | FAIL         | WARN         |
+-------------------+-----------------+-----------------------------------------+--------------+--------------+--------------+
| node              | 1.5             | Worker Node Configuration Files         | 6            | 3            | 1            |
| node              | 1.5             | Kubelet                                 | 7            | 4            | 2            |
| policies          | 1.5             | RBAC and Service Accounts               | 0            | 0            | 6            |
| policies          | 1.5             | Pod Security Policies                   | 0            | 0            | 9            |
| policies          | 1.5             | Network Policies and CNI                | 0            | 0            | 2            |
| policies          | 1.5             | Secrets Management                      | 0            | 0            | 2            |
| policies          | 1.5             | Extensible Admission Control            | 0            | 0            | 1            |
| policies          | 1.5             | General Policies                        | 0            | 0            | 4            |
+-------------------+-----------------+-----------------------------------------+--------------+--------------+--------------+
2020-09-13 10:30:06,963 - xtesting.ci.run_tests - INFO - Test result:
+--------------------+------------------+------------------+----------------+
| TEST CASE          | PROJECT          | DURATION         | RESULT         |
+--------------------+------------------+------------------+----------------+
| kube_bench         | functest         | 00:07            | PASS           |
+--------------------+------------------+------------------+----------------+
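Reading the log above takes some care: the kube_bench test case ends as PASS although seven scored checks failed, because the case result records that the kube-bench job ran, while the findings themselves are only logged at ERROR level. The following triage script is an added example (not functest's or kube-bench's own code) that works on the result structure shown in the log: a list of controls, each with sections and per-test results. It recomputes the per-section counts, lists the scored failures with their remediation, and separately lists scored checks that kube-bench marked as manual WARN, which are invisible in the totals but still unresolved. The sample input is constructed in the same shape, not a real cluster's output.

```python
"""Triage of kube-bench JSON output in the structure functest logged above.

Added example, not functest's or kube-bench's own code. SAMPLE_OUTPUT is
constructed to mirror that structure; it is not data from a real cluster."""
import json

SAMPLE_OUTPUT = json.dumps([
    {"id": "4", "version": "1.5", "text": "Worker Node Security Configuration",
     "node_type": "node", "tests": [
         {"section": "4.1", "desc": "Worker Node Configuration Files", "results": [
             {"test_number": "4.1.1", "status": "FAIL", "scored": True, "type": "",
              "test_desc": "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)",
              "remediation": "chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\n"},
             {"test_number": "4.1.2", "status": "PASS", "scored": True, "type": "",
              "test_desc": "Ensure that the kubelet service file ownership is set to root:root (Scored)",
              "remediation": "chown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\n"}]},
         {"section": "4.2", "desc": "Kubelet", "results": [
             {"test_number": "4.2.4", "status": "FAIL", "scored": True, "type": "",
              "test_desc": "Ensure that the --read-only-port argument is set to 0 (Scored)",
              "remediation": "If using a Kubelet config file, edit the file to set readOnlyPort to 0.\n"}]}]},
    {"id": "5", "version": "1.5", "text": "Kubernetes Policies",
     "node_type": "policies", "tests": [
         {"section": "5.1", "desc": "RBAC and Service Accounts", "results": [
             {"test_number": "5.1.5", "status": "WARN", "scored": True, "type": "manual",
              "test_desc": "Ensure that default service accounts are not actively used. (Scored)",
              "remediation": "automountServiceAccountToken: false\n"},
             {"test_number": "5.1.2", "status": "WARN", "scored": False, "type": "manual",
              "test_desc": "Minimize access to secrets (Not Scored)",
              "remediation": "Where possible, remove get, list and watch access to secret objects in the cluster.\n"}]}]},
])


def load(raw):
    """Parse kube-bench JSON. The log above shows a bare list; newer kube-bench
    wraps that list in an object under the "Controls" key, so accept both."""
    data = json.loads(raw)
    return data["Controls"] if isinstance(data, dict) else data


def summarize(controls):
    """One row per section, like the Targets table functest prints. Counts are
    recomputed from the individual results instead of trusting the section's
    own pass/fail/warn fields, so the summary cannot disagree with the findings."""
    rows = []
    for control in controls:
        for section in control["tests"]:
            counts = {"PASS": 0, "FAIL": 0, "WARN": 0, "INFO": 0}
            for result in section["results"]:
                counts[result["status"]] = counts.get(result["status"], 0) + 1
            rows.append((control["node_type"], control["version"], section["desc"],
                         counts["PASS"], counts["FAIL"], counts["WARN"]))
    return rows


def scored_failures(controls):
    """Checks that count against the benchmark: status FAIL on a scored test.
    These are the items functest reported at ERROR level."""
    return [(r["test_number"], r["test_desc"], r["remediation"].strip())
            for control in controls for section in control["tests"]
            for r in section["results"]
            if r["status"] == "FAIL" and r.get("scored")]


def scored_manual(controls):
    """Scored checks kube-bench could not evaluate (manual tests come back as
    WARN). They do not show up as FAIL but still need a human verdict."""
    return [(r["test_number"], r["test_desc"])
            for control in controls for section in control["tests"]
            for r in section["results"]
            if r.get("scored") and r.get("type") == "manual"]


def benchmark_clean(controls):
    """True only when nothing scored failed and nothing scored is left for
    manual review. This is a verdict on the findings, unlike the test-case
    PASS at the end of the log, which only says the job completed."""
    return not scored_failures(controls) and not scored_manual(controls)


if __name__ == "__main__":
    controls = load(SAMPLE_OUTPUT)
    for row in summarize(controls):
        print("%-9s %-4s %-40s pass=%d fail=%d warn=%d" % row)
    for number, desc, fix in scored_failures(controls):
        print("FAIL   %s %s\n       fix: %s" % (number, desc, fix))
    for number, desc in scored_manual(controls):
        print("REVIEW %s %s" % (number, desc))
    print("benchmark clean:", benchmark_clean(controls))
```

Gating a pipeline on `benchmark_clean` rather than on the xtesting result is the practical difference: with the run above it would have stopped on the seven kubelet findings instead of reporting green.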
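The seven ERROR lines above all concern the worker node: the kubelet and proxy configuration files (4.1, permissions and ownership) and kubelet settings (4.2: readOnlyPort, protectKernelDefaults, the serving certificate and key, server certificate rotation, plus the cipher-suite list from the WARN item). The script below is an added example, not functest's or kube-bench's code, that checks a kubelet config file offline before the node is enrolled. It reads the KubeletConfiguration as JSON (the kubelet accepts JSON or YAML; feed YAML files through PyYAML first), applies the file-metadata checks to the file itself and the setting checks to its contents, and only passes settings that are explicitly hardened, since the effective value on a live node is whatever the kubelet was started with. The two configs and the certificate paths in them are constructed for the demo.

```python
"""Offline audit of a kubelet config file against the 4.1/4.2 checks that
failed in the log above. Added example, not functest's or kube-bench's code.
WEAK_CONFIG and HARDENED_CONFIG are constructed; the certificate paths in
HARDENED_CONFIG are assumptions for the demo."""
import json
import os
import tempfile

# The cipher suites the 4.2.13 remediation text above allows.
STRONG_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
}

# Constructed: the kind of settings behind the FAIL lines above, then a fixed version.
WEAK_CONFIG = {
    "kind": "KubeletConfiguration", "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "readOnlyPort": 10255,
    "protectKernelDefaults": False,
    "tlsCipherSuites": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
}
HARDENED_CONFIG = {
    "kind": "KubeletConfiguration", "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "readOnlyPort": 0,
    "protectKernelDefaults": True,
    "tlsCertFile": "/var/lib/kubelet/pki/kubelet.crt",        # assumed path
    "tlsPrivateKeyFile": "/var/lib/kubelet/pki/kubelet.key",  # assumed path
    "tlsCipherSuites": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    "featureGates": {"RotateKubeletServerCertificate": True},
}


def check_file_metadata(mode, uid, gid):
    """4.1.x: mode 644 or more restrictive (no bit set beyond rw-r--r--),
    owned by root:root. `mode` is st_mode, so the file-type bits are masked."""
    findings = []
    if mode & 0o777 & ~0o644:
        findings.append("mode %o is less restrictive than 644" % (mode & 0o777))
    if (uid, gid) != (0, 0):
        findings.append("owner %d:%d is not root:root" % (uid, gid))
    return findings


def check_kubelet_settings(cfg):
    """4.2.x on the config file's fields. A setting that is merely absent is
    reported, because only an explicit value proves the intent."""
    findings = []
    if cfg.get("readOnlyPort") != 0:
        findings.append("readOnlyPort is not 0: the unauthenticated read-only API stays reachable")
    if cfg.get("protectKernelDefaults") is not True:
        findings.append("protectKernelDefaults is not true")
    if not (cfg.get("tlsCertFile") and cfg.get("tlsPrivateKeyFile")):
        findings.append("tlsCertFile/tlsPrivateKeyFile not set: the kubelet generates a self-signed serving certificate")
    suites = cfg.get("tlsCipherSuites")
    if not suites:
        findings.append("tlsCipherSuites not restricted")
    else:
        weak = sorted(set(suites) - STRONG_CIPHERS)
        if weak:
            findings.append("weak cipher suites allowed: %s" % ", ".join(weak))
    # Config-file form of --feature-gates=RotateKubeletServerCertificate=true.
    if cfg.get("featureGates", {}).get("RotateKubeletServerCertificate") is not True:
        findings.append("RotateKubeletServerCertificate feature gate not enabled")
    return findings


def audit(path):
    """File metadata and content findings for one kubelet config file."""
    st = os.stat(path)
    with open(path) as fh:
        cfg = json.load(fh)
    return {"file": check_file_metadata(st.st_mode, st.st_uid, st.st_gid),
            "settings": check_kubelet_settings(cfg)}


def write_config(cfg, mode):
    """Write a config to a temporary file with the given mode (demo helper)."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(cfg, fh)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for label, cfg, mode in (("weak", WEAK_CONFIG, 0o664), ("hardened", HARDENED_CONFIG, 0o644)):
        print(label, json.dumps(audit(write_config(cfg, mode)), indent=2))
```

The ownership finding will appear for any file not created by root, which is exactly what 4.1.2 and 4.1.4 want; the other checks are independent of who runs the script. After changing the file, re-run kube-bench on the node, as the remediation text says, because these checks read the file rather than the running kubelet.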
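Section 5.1 above is entirely manual WARN: kube-bench does not look at RBAC objects, so the reviewer has to. The script below is an added example (not functest's or kube-bench's code) that answers the four questions those items ask: who is bound to cluster-admin (5.1.1), which roles can get/list/watch secrets (5.1.2), which roles use wildcards (5.1.3) and which can create pods (5.1.4), and for the resource-based items it maps the roles back to the subjects holding them. It expects the shape `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` print (a List whose items carry rules, or roleRef and subjects); the objects below are constructed. Namespaced Roles and RoleBindings have the same shape and can be fed through the same functions.

```python
"""Reviewer's helper for the 5.1 RBAC items. Added example, not functest's
or kube-bench's code. CLUSTERROLES and CLUSTERROLEBINDINGS are constructed
in the shape kubectl -o json prints, not data from a real cluster."""
import json

CLUSTERROLES = json.loads("""{"kind": "List", "items": [
 {"metadata": {"name": "cluster-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"metadata": {"name": "ci-deployer"},
  "rules": [{"apiGroups": [""], "resources": ["secrets", "configmaps"], "verbs": ["get", "list"]}]},
 {"metadata": {"name": "pod-viewer"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
 {"metadata": {"name": "job-runner"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "delete"]}]}]}""")

CLUSTERROLEBINDINGS = json.loads("""{"kind": "List", "items": [
 {"metadata": {"name": "cluster-admin"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:masters"}]},
 {"metadata": {"name": "dev-admin"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "User", "name": "alice"}]},
 {"metadata": {"name": "ci"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "ci-deployer"},
  "subjects": [{"kind": "ServiceAccount", "name": "builder", "namespace": "ci"}]}]}""")


def rule_grants(rule, resource, verb):
    """True if one RBAC rule allows `verb` on `resource` in the core API group.
    Wildcards count; subresources such as pods/exec are not expanded here."""
    groups = rule.get("apiGroups", [])
    return (("*" in groups or "" in groups)
            and ("*" in rule.get("resources", []) or resource in rule.get("resources", []))
            and ("*" in rule.get("verbs", []) or verb in rule.get("verbs", [])))


def roles_granting(roles, resource, verbs):
    """Sorted names of roles allowing any of `verbs` on `resource`."""
    return sorted(r["metadata"]["name"] for r in roles["items"]
                  if any(rule_grants(rule, resource, v)
                         for rule in r.get("rules", []) for v in verbs))


def wildcard_roles(roles):
    """5.1.3: roles with '*' anywhere in apiGroups, resources or verbs."""
    return sorted(r["metadata"]["name"] for r in roles["items"]
                  if any("*" in rule.get(key, []) for rule in r.get("rules", [])
                         for key in ("apiGroups", "resources", "verbs")))


def subjects_of(bindings, role_name):
    """(binding, subject kind, subject name) for every binding to the ClusterRole.
    Service accounts are shown as namespace/name."""
    out = []
    for b in bindings["items"]:
        ref = b["roleRef"]
        if ref["kind"] == "ClusterRole" and ref["name"] == role_name:
            for s in b.get("subjects", []):
                name = s["name"] if s["kind"] != "ServiceAccount" else "%s/%s" % (s.get("namespace", ""), s["name"])
                out.append((b["metadata"]["name"], s["kind"], name))
    return out


def report(roles, bindings):
    """Map each 5.1 item to the bindings or roles a reviewer must justify or remove."""
    findings = {"5.1.1 cluster-admin bindings": subjects_of(bindings, "cluster-admin"),
                "5.1.3 wildcard roles": wildcard_roles(roles)}
    for key, resource, verbs in (("5.1.2 secret readers", "secrets", ("get", "list", "watch")),
                                 ("5.1.4 pod creators", "pods", ("create",))):
        findings[key] = [s for role in roles_granting(roles, resource, verbs)
                         for s in subjects_of(bindings, role)]
    return findings


if __name__ == "__main__":
    for item, entries in sorted(report(CLUSTERROLES, CLUSTERROLEBINDINGS).items()):
        print(item)
        for entry in entries:
            print("   ", entry)
```

The binding of the cluster-admin ClusterRole to the group system:masters is created by the API server's RBAC bootstrap and is expected; 5.1.1 is about the additional bindings such as dev-admin here, which should be replaced by a narrower role before `kubectl delete clusterrolebinding dev-admin`. A role that grants the verb but is bound to nobody (job-runner above) shows up in `roles_granting` but not in the report, which is the right order of work: bindings first, then unused roles.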
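The 5.2 items and 5.6.2/5.6.3 are also manual: they describe PodSecurityPolicy fields, but what the reviewer actually has to look at is whether workloads request those settings. The script below is an added example (not functest's or kube-bench's code) that audits pod manifests for the same properties: privileged containers (5.2.1), host PID/IPC/network namespaces (5.2.2 to 5.2.4), allowPrivilegeEscalation (5.2.5), running as root (5.2.6), NET_RAW not dropped (5.2.7), added capabilities (5.2.8), service account token mounts (5.1.6), seccomp (5.6.2) and use of the default namespace (5.6.4). It accepts the alpha seccomp annotation the remediation text uses and also the securityContext.seccompProfile field that replaced it in Kubernetes 1.19. The two manifests are constructed; real ones come from the items of `kubectl get pods -A -o json`.

```python
"""Static review of pod manifests for the 5.2, 5.1.6, 5.6.2 and 5.6.4 items
above. Added example, not functest's or kube-bench's code. WEAK_POD and
HARDENED_POD are constructed manifests, not pods from a real cluster."""
import json

SECCOMP_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
SAFE_SECCOMP_ANNOTATIONS = {"docker/default", "runtime/default"}

WEAK_POD = json.loads("""{"apiVersion": "v1", "kind": "Pod",
 "metadata": {"name": "debug", "namespace": "default"},
 "spec": {"hostNetwork": true, "hostPID": true,
  "containers": [{"name": "shell", "image": "busybox",
   "securityContext": {"privileged": true, "capabilities": {"add": ["SYS_ADMIN"]}}}]}}""")

HARDENED_POD = json.loads("""{"apiVersion": "v1", "kind": "Pod",
 "metadata": {"name": "web", "namespace": "shop",
  "annotations": {"seccomp.security.alpha.kubernetes.io/pod": "runtime/default"}},
 "spec": {"automountServiceAccountToken": false,
  "securityContext": {"runAsNonRoot": true, "runAsUser": 10001,
   "seccompProfile": {"type": "RuntimeDefault"}},
  "containers": [{"name": "web", "image": "nginx",
   "securityContext": {"allowPrivilegeEscalation": false,
    "capabilities": {"drop": ["ALL"]}}}]}}""")


def audit_pod(pod):
    """Sorted CIS item numbers the pod violates. Missing settings count as
    violations where the Kubernetes default is the permissive value."""
    spec = pod["spec"]
    meta = pod.get("metadata", {})
    pod_sc = spec.get("securityContext", {})
    findings = set()
    if meta.get("namespace", "default") == "default":
        findings.add("5.6.4")
    if spec.get("automountServiceAccountToken") is not False:
        findings.add("5.1.6")
    for field, item in (("hostPID", "5.2.2"), ("hostIPC", "5.2.3"), ("hostNetwork", "5.2.4")):
        if spec.get(field):
            findings.add(item)
    seccomp_ok = (meta.get("annotations", {}).get(SECCOMP_ANNOTATION) in SAFE_SECCOMP_ANNOTATIONS
                  or pod_sc.get("seccompProfile", {}).get("type") == "RuntimeDefault")
    if not seccomp_ok:
        findings.add("5.6.2")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if sc.get("privileged"):
            findings.add("5.2.1")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.add("5.2.5")
        # Container-level runAsNonRoot/runAsUser override the pod-level values.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not (non_root is True or (uid is not None and uid != 0)):
            findings.add("5.2.6")
        if not set(caps.get("drop", [])) & {"NET_RAW", "ALL"}:
            findings.add("5.2.7")
        if caps.get("add"):
            findings.add("5.2.8")
    return sorted(findings)


def audit_pods(pods):
    """{namespace/name: findings} for every pod with at least one finding."""
    out = {}
    for pod in pods:
        findings = audit_pod(pod)
        if findings:
            meta = pod["metadata"]
            out["%s/%s" % (meta.get("namespace", "default"), meta["name"])] = findings
    return out


if __name__ == "__main__":
    for name, findings in audit_pods([WEAK_POD, HARDENED_POD]).items():
        print(name, " ".join(findings))
```

Two caveats on the 5.6.2 remediation text above: the seccomp pod annotation never required a feature gate, and turning on `--feature-gates=AllAlpha=true` on the API server enables every alpha feature at once, which is not something to do on a cluster you care about; set the seccompProfile field (or, on older clusters, the annotation) and leave the gates alone. PodSecurityPolicy itself was removed in Kubernetes 1.25; the same pod fields are now enforced by Pod Security Admission's baseline and restricted profiles, so the findings this script produces map directly onto what those profiles reject.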