path: root/test/security/k8s/src
Age  Commit message  (Author, files changed, lines added/removed)
2019-09-19  k8s: Validate API server certificates and keys  (Pawel Wieczorek, 3 files, +79/-0)
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.22, 1.1.25 - 1.1.26 and 1.1.28).

Issue-ID: SECCOM-235
Change-Id: Ic61a796653dc868d20fe69c3ed508e7fa8ba52db
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

2019-09-19  k8s: Validate API server Certificate Authorities  (Pawel Wieczorek, 3 files, +55/-0)
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.21, 1.1.29 and 1.1.31).

Issue-ID: SECCOM-235
Change-Id: Ia2f55f6962885a7aa878c970a406189902cfab10
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

2019-09-19  k8s: Validate API server auditing flags  (Pawel Wieczorek, 3 files, +82/-0)
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.16 - 1.1.18).

Issue-ID: SECCOM-235
Change-Id: I27b63e37fc3203cf3574b9e1cdc43333041f2a36
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

2019-09-19  k8s: Validate API server auditing is enabled  (Pawel Wieczorek, 3 files, +33/-0)
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.15).

Issue-ID: SECCOM-235
Change-Id: Ia1d27ed7a9e439bb0abf4bd8941bdd4573a50bd5
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

2019-09-19  k8s: Group tests by flag type  (Pawel Wieczorek, 1 file, +59/-53)
Issue-ID: SECCOM-235
Change-Id: I25ebd2930afec6eb259f0a678fffbf7727eb315b
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

2019-09-19  k8s: Validate API server not excluded authorization mode  (Pawel Wieczorek, 3 files, +20/-0)
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.19).

Issue-ID: SECCOM-235
Change-Id: I00c9600fd0d351afb7141a5fa16f348eab67b12d
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

2019-09-19  k8s: Validate API server not excluded admission plugins  (Pawel Wieczorek, 3 files, +20/-0)
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.14).

Issue-ID: SECCOM-235
Change-Id: I63c2f8a5b94bfd6c9963805aae85595e6b6ad6d7
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

2019-09-17  k8s: Validate API server included admission plugins  (Pawel Wieczorek, 3 files, +164/-1)
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.11 - 1.1.13, 1.1.24, 1.1.27, 1.1.33 and 1.1.36).

Issue-ID: SECCOM-235
Change-Id: I920bfd42014b8458126be251648f5bf3dcd84c16
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

2019-09-17  k8s: Validate API server excluded admission plugins  (Pawel Wieczorek, 3 files, +53/-0)
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.10).

However, CIS Kubernetes Benchmark v1.3.0 mismatches official documentation: Kubernetes 1.10+ already provides safe defaults from security standpoint [1] (ONAP Casablanca uses 1.11). Deprecated admission control plugin flag has also been validated since it was still available in Kubernetes provided by Rancher [2].

[1] https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use
[2] https://github.com/rancher/rancher/issues/15064

Issue-ID: SECCOM-235
Change-Id: I0e8fe9f885861f155cb8265df085fa93dbdff6d2
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

2019-08-07  k8s: Add support for RKE-deployed clusters  (Pawel Wieczorek, 3 files, +232/-1)
RKE is used as a Kubernetes cluster deployment method from ONAP Dublin release. RKE cluster definition is used to get access to necessary information.

Issue-ID: SECCOM-235
Change-Id: I588598011ea746b5f7ba327a48f1cea605e56d31
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

2019-08-07  k8s: Add test cases for Dublin API server  (Pawel Wieczorek, 1 file, +56/-0)
Issue-ID: SECCOM-235
Change-Id: Ie6d43b9db767f191f883a2912916bc8abf9d3ad6
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

2019-08-07  k8s: Unify order of API server test cases  (Pawel Wieczorek, 1 file, +1/-1)
So far CIS-compliant configuration has been validated first unless configuration used in ONAP release did not pass given benchmark.

Issue-ID: SECCOM-235
Change-Id: Ibdb523ab7ab6b8285757719721f75aca57beeb82
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

2019-07-08  k8s: Add tests for API server validators  (Pawel Wieczorek, 2 files, +173/-0)
This patch also adds convenience target to the Makefile and updates documentation on relevant dependencies.

Issue-ID: SECCOM-235
Change-Id: I57e00af3cd4c60af3128e3094607cc61bc1e5dbe
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

2019-07-08  k8s: Relax kubelet HTTPS connection requirement  (Pawel Wieczorek, 2 files, +7/-6)
According to kube-apiserver documentation [1] and CIS guideline 1.1.4 option "--kubelet-https=" might be absent in API server configuration. It has secure configuration (being set to "true") by default.

[1] https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/

Issue-ID: SECCOM-235
Change-Id: I604cdcace03f65185aab6a0b34d48cfec94277ab
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

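The two checks these commits describe, an absent boolean flag such as --kubelet-https counting as its documented default rather than as a failure (this commit), and admission plugins being read from --enable-admission-plugins with a fallback to the deprecated --admission-control flag (the 2019-09-17 "excluded admission plugins" commit above), written out as an added Go example. This is illustrative code for this page, not the validator's source: the parser, the type and function names, and both sample command lines are constructed for the example. The flag names --kubelet-https, --enable-admission-plugins, --disable-admission-plugins and --admission-control are real kube-apiserver flags; everything else is an assumption.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// apiServerFlags maps a kube-apiserver flag name (without "--") to its raw value.
// A flag given with no value, e.g. "--profiling", is stored as "true", as Go's flag package reads it.
type apiServerFlags map[string]string

// parseAPIServerArgs parses the argv of a kube-apiserver process (as it might be read from an
// RKE cluster definition), accepting "--name=value" and "--name value". Constructed for this example.
func parseAPIServerArgs(args []string) apiServerFlags {
	flags := apiServerFlags{}
	for i := 0; i < len(args); i++ {
		arg := args[i]
		if !strings.HasPrefix(arg, "--") {
			continue // program name; flag values are consumed together with their flag below
		}
		parts := strings.SplitN(arg[2:], "=", 2)
		name := parts[0]
		switch {
		case len(parts) == 2:
			flags[name] = parts[1]
		case i+1 < len(args) && !strings.HasPrefix(args[i+1], "--"):
			flags[name] = args[i+1]
			i++
		default:
			flags[name] = "true"
		}
	}
	return flags
}

// IsSet reports whether the flag appears at all, which is what "ensure --X is not set" items ask.
func (f apiServerFlags) IsSet(name string) bool {
	_, ok := f[name]
	return ok
}

// Bool returns the flag's value, or def when the flag is absent: an absent --kubelet-https means the
// documented default (true), not a failed check. A non-boolean value is reported, never passed.
func (f apiServerFlags) Bool(name string, def bool) (bool, error) {
	raw, ok := f[name]
	if !ok {
		return def, nil
	}
	v, err := strconv.ParseBool(raw)
	if err != nil {
		return false, fmt.Errorf("--%s=%q is not a boolean", name, raw)
	}
	return v, nil
}

// List splits a comma-separated flag value; an absent or empty flag yields nil.
func (f apiServerFlags) List(name string) []string {
	if raw := f[name]; raw != "" {
		return strings.Split(raw, ",")
	}
	return nil
}

// EnabledAdmissionPlugins reads --enable-admission-plugins and falls back to the deprecated
// --admission-control flag that older Rancher-provided releases still accepted. Only explicit
// flags are modelled: plugins Kubernetes 1.10+ enables by default without a flag are not reported.
func (f apiServerFlags) EnabledAdmissionPlugins() []string {
	if f.IsSet("enable-admission-plugins") {
		return f.List("enable-admission-plugins")
	}
	return f.List("admission-control")
}

func contains(list []string, s string) bool {
	for _, p := range list {
		if p == s {
			return true
		}
	}
	return false
}

// PluginEnabled is true when the plugin is enabled and not listed in --disable-admission-plugins.
func (f apiServerFlags) PluginEnabled(plugin string) bool {
	return contains(f.EnabledAdmissionPlugins(), plugin) &&
		!contains(f.List("disable-admission-plugins"), plugin)
}

// sampleArgs is a constructed command line in the shape an RKE-deployed cluster produces.
var sampleArgs = []string{
	"kube-apiserver",
	"--anonymous-auth=false",
	"--profiling=false",
	"--insecure-port=0",
	"--enable-admission-plugins=NamespaceLifecycle,ServiceAccount,NodeRestriction",
	"--disable-admission-plugins=AlwaysAdmit",
	"--tls-cert-file", "/etc/kubernetes/ssl/kube-apiserver.pem",
}

func main() {
	f := parseAPIServerArgs(sampleArgs)
	kubeletHTTPS, err := f.Bool("kubelet-https", true)
	fmt.Println("kubelet-https:", kubeletHTTPS, err) // true <nil>: absent, default applies
	fmt.Println("AlwaysAdmit enabled:", f.PluginEnabled("AlwaysAdmit"))
	fmt.Println("NodeRestriction enabled:", f.PluginEnabled("NodeRestriction"))
}
```

The default-aware Bool is the whole point of the relaxation: a check that fails on a missing --kubelet-https would flag a secure default as a finding, while a check that silently accepts any string would pass "--kubelet-https=maybe". The admission fallback mirrors the deprecated-flag handling; note that it only reasons about what is on the command line, so an item that asks whether a default-enabled plugin is active needs knowledge of the server version's defaults as well.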
2019-07-08  k8s: Validate API server address and port flags  (Pawel Wieczorek, 2 files, +37/-2)
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.6 and 1.1.7).

Issue-ID: SECCOM-235
Change-Id: I5f215a6642b177e85d7e1c70860ba0c7e558ec4e
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

2019-07-08  k8s: Validate API server boolean flags  (Pawel Wieczorek, 2 files, +107/-1)
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.1 - 1.1.5, 1.1.8, 1.1.9, 1.1.20 and 1.1.23).

Issue-ID: SECCOM-235
Change-Id: Ib964b5111b616a891c3963ef9695af660810e8ba
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

2019-06-24  k8s: Obtain relevant information from Rancher  (Pawel Wieczorek, 2 files, +95/-0)
This patch introduces Rancher queries using its CLI client. It depends on having utility binary located in PATH and providing configuration file prior to first use.

Issue-ID: SECCOM-235
Change-Id: Idb011e27b4801c5700b4482656463849736298da
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

2019-06-20  k8s: Add basic structure for validation tool  (Pawel Wieczorek, 1 file, +9/-0)
This patch introduces CLI utility for checking if Kubernetes cluster follows security recommendations. Provided Makefile simplifies setup process by setting appropriate environment variables for the build. Further information can be found in README. Provided symlink allows proper document rendering on VCS hosting site.

Issue-ID: SECCOM-235
Change-Id: I4a1337c9834322ee4fd742a9ccb979b9bc505f75
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>