path: root/test/security/k8s
Age | Commit message | Author | Files | Lines
2019-07-08 | k8s: Relax kubelet HTTPS connection requirement | Pawel Wieczorek | 2 | -6/+7

According to the kube-apiserver documentation [1] and CIS guideline 1.1.4, the option "--kubelet-https=" might be absent in the API server configuration. It has a secure configuration (being set to "true") by default.

[1] https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/

Issue-ID: SECCOM-235
Change-Id: I604cdcace03f65185aab6a0b34d48cfec94277ab
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-08 | k8s: Make Rancher CLI provisioner configurable | Pawel Wieczorek | 1 | -5/+20

Apparently Linux AMD64 machines are not the only ones used for ONAP development (author meant no harm).

Issue-ID: SECCOM-235
Change-Id: Ia78a02fb82dc5752d6b8fd2cef8e6ef583fd3ca6
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-08 | k8s: Make Rancher CLI provisioner reusable | Pawel Wieczorek | 2 | -9/+14

Having Rancher CLI proves itself useful on development machines as well.

Issue-ID: SECCOM-235
Change-Id: I0de3109e1236cf6dc9cbc825342593041dcfdf2c
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-08 | k8s: Add Rancher CLI to test environment | Pawel Wieczorek | 1 | -0/+9

Issue-ID: SECCOM-235
Change-Id: I46e2f8d61c3a82613b665fb6d9b57431bb2a1868
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-08 | k8s: Add virtual environment for testing | Pawel Wieczorek | 4 | -0/+143

This patch adds a simplified ONAP deployment environment (Kubernetes cluster managed by Rancher). Its purpose is to provide cluster defaults for inspection without the need to access an actual ONAP application deployment.

Default node customization scripts were extracted ("tools/get_customization_scripts.sh" run within the "tools/imported/" directory) from the official documentation [1] and imported here in order not to introduce runtime online dependencies.

This environment should probably be migrated in the future to a more appropriate place like devtool [2] (or at least use the same Vagrant boxes).

[1] https://docs.onap.org/en/casablanca/submodules/oom.git/docs/oom_setup_kubernetes_rancher.html
[2] https://git.onap.org/integration/devtool

Issue-ID: SECCOM-235
Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-08 | k8s: Validate API server address and port flags | Pawel Wieczorek | 2 | -2/+37

This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.6 and 1.1.7).

Issue-ID: SECCOM-235
Change-Id: I5f215a6642b177e85d7e1c70860ba0c7e558ec4e
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-08 | k8s: Validate API server boolean flags | Pawel Wieczorek | 2 | -1/+107

This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.1 - 1.1.5, 1.1.8, 1.1.9, 1.1.20 and 1.1.23).

Issue-ID: SECCOM-235
Change-Id: Ib964b5111b616a891c3963ef9695af660810e8ba
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-08 | k8s: Add documentation on runtime dependencies | Pawel Wieczorek | 1 | -0/+12

Issue-ID: SECCOM-235
Change-Id: I370636220151a5755f467055418f866afe11d5d9
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-06-24 | k8s: Obtain relevant information from Rancher | Pawel Wieczorek | 2 | -0/+95

This patch introduces Rancher queries using its CLI client. It depends on having the utility binary located in PATH and providing a configuration file prior to first use.

Issue-ID: SECCOM-235
Change-Id: Idb011e27b4801c5700b4482656463849736298da
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-06-20 | k8s: Add basic structure for validation tool | Pawel Wieczorek | 5 | -0/+58

This patch introduces a CLI utility for checking if a Kubernetes cluster follows security recommendations.

The provided Makefile simplifies the setup process by setting appropriate environment variables for the build. Further information can be found in the README. The provided symlink allows proper document rendering on the VCS hosting site.

Issue-ID: SECCOM-235
Change-Id: I4a1337c9834322ee4fd742a9ccb979b9bc505f75
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>