aquasecurity / kube-bench

Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
Apache License 2.0

Test 1.1.7 (etcd spec file permissions) fails because etcd is on a separate server. #632

Open medined opened 4 years ago

medined commented 4 years ago

The file /etc/kubernetes/manifests/etcd.yaml does not exist on my master node because etcd is running on a separate server. I don't know the correct way to determine this situation, but my kube-apiserver process has its --etcd-servers parameter pointing to the etcd0 server.

This same issue exists for test 1.1.8.

Perhaps a file existence check so the two tests can be skipped?

lizrice commented 3 years ago

I've raised a ticket against the benchmark spec, which currently assumes etcd is running as a Kubernetes pod.

I would be supportive of an enhancement that skips these checks if there is no etcd manifest file. (Meanwhile, you could manually modify the test files to skip these checks.)
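The existence-guarded check the thread proposes, written out as an added shell example that is not kube-bench's own code and not the fix the project eventually shipped. It assumes GNU coreutils `stat` (Linux) and uses 644 as the illustrative maximum mode; the demonstration creates its own temporary files rather than touching a real node.

```shell
# Added example, not kube-bench code: a manifest permission check that reports
# SKIP when the file is absent (etcd not running as a static pod on this node)
# instead of FAIL. Assumes GNU `stat -c %a`; the 644 limit is illustrative.

# Usage: check_manifest_perms <path> [max_octal_mode]
# Prints PASS, FAIL ..., or SKIP; returns 1 only on FAIL.
check_manifest_perms() {
  f=$1
  max=${2:-644}
  if [ ! -e "$f" ]; then
    # No manifest on disk: the check does not apply here, so do not fail it.
    echo "SKIP"
    return 0
  fi
  perms=$(stat -c %a "$f")
  # Bitmask semantics: every permission bit set on the file must also be set
  # in the allowed mode (600 and 644 pass against 644; 664 and 666 fail).
  if [ $(( 0$perms & ~0$max )) -eq 0 ]; then
    echo "PASS"
    return 0
  fi
  echo "FAIL permissions=$perms (expected $max or more restrictive)"
  return 1
}

# Demonstration on constructed files in a temp directory (not a real node).
demo() {
  d=$(mktemp -d)
  touch "$d/etcd.yaml"
  chmod 600 "$d/etcd.yaml"
  check_manifest_perms "$d/etcd.yaml"            # PASS
  chmod 664 "$d/etcd.yaml"
  check_manifest_perms "$d/etcd.yaml" || true    # FAIL permissions=664 ...
  check_manifest_perms "$d/does-not-exist.yaml"  # SKIP
  rm -rf "$d"
}

demo
```

The same idea can be applied to a check's audit command: wrap the `stat` call in a `test -e` guard so the audit produces no `permissions=` output when the manifest is missing, and the result is then reported as not applicable rather than as a failed control.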