mirror of
https://github.com/rancher/rancher-docs.git
synced 2026-05-17 10:25:16 +00:00
EIO-4: corrections needed to address issues found in 5.1.5 tests
This commit is contained in:
Nelson Roberts
committed by
Catherine Luse
Catherine Luse
parent
32b98275b1
commit
178f2cf3af
@@ -1975,7 +1975,7 @@ systemctl restart kubelet.service
|
||||
|
||||
#### 5.1.5 Ensure that default service accounts are not actively used. (Scored)
|
||||
|
||||
**Result:** PASS
|
||||
**Result:** FAIL
|
||||
|
||||
**Remediation:**
|
||||
Create explicit service accounts wherever a Kubernetes workload requires specific access
|
||||
|
||||
@@ -1975,7 +1975,7 @@ systemctl restart kubelet.service
|
||||
|
||||
#### 5.1.5 Ensure that default service accounts are not actively used. (Scored)
|
||||
|
||||
**Result:** PASS
|
||||
**Result:** FAIL
|
||||
|
||||
**Remediation:**
|
||||
Create explicit service accounts wherever a Kubernetes workload requires specific access
|
||||
@@ -2006,7 +2006,7 @@ if [[ "${accounts}" != "" ]]; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
default_binding="$(kubectl get rolebindings,clusterrolebindings -A -o json | jq -r '.items[] | select(.subjects[].kind=="ServiceAccount" and .subjects[].name=="default" and .metadata.name=="default").metadata.uid' | wc -l)"
|
||||
default_binding="$(kubectl get rolebindings,clusterrolebindings -A -o json | jq -r '.items[] | select(.subjects[].kind=="ServiceAccount" and .subjects[].name=="default" and .metadata.name!="default").metadata.uid' | wc -l)"
|
||||
|
||||
if [[ "${default_binding}" -gt 0 ]]; then
|
||||
echo "fail: default service accounts have non default bindings"
|
||||
|
||||
@@ -24,7 +24,8 @@ For more detail about evaluating a hardened cluster against the official CIS ben
|
||||
|
||||
#### Known Issues
|
||||
|
||||
Rancher **exec shell** and **view logs** for pods are **not** functional in a cis 1.5 hardened setup when only public ip is provided when registering custom nodes.
|
||||
- Rancher **exec shell** and **view logs** for pods are **not** functional in a cis 1.5 hardened setup when only public ip is provided when registering custom nodes.
|
||||
- When setting the `default_pod_security_policy_template_id:` to `restricted` Rancher creates **RoleBindings** and **ClusterRoleBindings** on the default service accounts. The default service accounts should be configured such that it does not provide a service account token and does not have any explicit rights assignments.
|
||||
|
||||
### Configure Kernel Runtime Parameters
|
||||
|
||||
|
||||
@@ -24,7 +24,8 @@ For more detail about evaluating a hardened cluster against the official CIS ben
|
||||
|
||||
#### Known Issues
|
||||
|
||||
Rancher **exec shell** and **view logs** for pods are **not** functional in a cis 1.5 hardened setup when only public ip is provided when registering custom nodes.
|
||||
- Rancher **exec shell** and **view logs** for pods are **not** functional in a cis 1.5 hardened setup when only public ip is provided when registering custom nodes.
|
||||
- When setting the `default_pod_security_policy_template_id:` to `restricted` Rancher creates **RoleBindings** and **ClusterRoleBindings** on the default service accounts. The default service accounts should be configured such that it does not provide a service account token and does not have any explicit rights assignments.
|
||||
|
||||
### Configure Kernel Runtime Parameters
|
||||
|
||||
|
||||
Reference in New Issue
Block a user