Skipped Tests

This section lists the tests that are skipped in RKE's permissive test profile.

All skipped tests and not-applicable tests are counted as "Not Applicable" in reports generated by v2.5; the skipped test count only includes tests that the user has chosen to skip. This distinguishes tests skipped by the user from tests that are skipped by default in the RKE permissive test profile.

CIS Benchmark v1.5

CIS Benchmark v1.5 Skipped Tests

| Number | Description | Reason for being skipped |
| --- | --- | --- |
| 1.1.12 | Ensure that the etcd data directory ownership is set to etcd:etcd (Automated) | A system service account is required for etcd data directory ownership. Refer to Rancher's hardening guide for more details on how to configure this ownership. |
| 1.2.6 | Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated) | When generating serving certificates, functionality could break in conjunction with hostname overrides, which are required for certain cloud providers. |
| 1.2.16 | Ensure that the admission control plugin PodSecurityPolicy is set (Automated) | Enabling Pod Security Policy can cause applications to unexpectedly fail. |
| 1.2.33 | Ensure that the --encryption-provider-config argument is set as appropriate (Manual) | Enabling encryption changes how data can be recovered, as the data is encrypted. |
| 1.2.34 | Ensure that encryption providers are appropriately configured (Manual) | Enabling encryption changes how data can be recovered, as the data is encrypted. |
| 4.2.6 | Ensure that the --protect-kernel-defaults argument is set to true (Automated) | System-level configuration is required before provisioning the cluster in order for this argument to be set to true. |
| 4.2.10 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated) | When generating serving certificates, functionality could break in conjunction with hostname overrides, which are required for certain cloud providers. |
| 5.1.5 | Ensure that default service accounts are not actively used (Automated) | Kubernetes provides default service accounts to be used. |
| 5.2.2 | Minimize the admission of containers wishing to share the host process ID namespace (Automated) | Enabling Pod Security Policy can cause applications to unexpectedly fail. |
| 5.2.3 | Minimize the admission of containers wishing to share the host IPC namespace (Automated) | Enabling Pod Security Policy can cause applications to unexpectedly fail. |
| 5.2.4 | Minimize the admission of containers wishing to share the host network namespace (Automated) | Enabling Pod Security Policy can cause applications to unexpectedly fail. |
| 5.2.5 | Minimize the admission of containers with allowPrivilegeEscalation (Automated) | Enabling Pod Security Policy can cause applications to unexpectedly fail. |
| 5.3.2 | Ensure that all Namespaces have Network Policies defined (Automated) | Enabling Network Policies can prevent certain applications from communicating with each other. |
| 5.6.4 | The default namespace should not be used (Automated) | Kubernetes provides a default namespace. |

CIS Benchmark v1.5 Not Applicable Tests

| Number | Description | Reason for being not applicable |
| --- | --- | --- |
| 1.1.1 | Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated) | Clusters provisioned by RKE do not require or maintain a configuration file for kube-apiserver. All configuration is passed in as arguments at container run time. |
| 1.1.2 | Ensure that the API server pod specification file ownership is set to root:root (Automated) | Clusters provisioned by RKE do not require or maintain a configuration file for kube-apiserver. All configuration is passed in as arguments at container run time. |
| 1.1.3 | Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated) | Clusters provisioned by RKE do not require or maintain a configuration file for controller-manager. All configuration is passed in as arguments at container run time. |
| 1.1.4 | Ensure that the controller manager pod specification file ownership is set to root:root (Automated) | Clusters provisioned by RKE do not require or maintain a configuration file for controller-manager. All configuration is passed in as arguments at container run time. |
| 1.1.5 | Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated) | Clusters provisioned by RKE do not require or maintain a configuration file for scheduler. All configuration is passed in as arguments at container run time. |
| 1.1.6 | Ensure that the scheduler pod specification file ownership is set to root:root (Automated) | Clusters provisioned by RKE do not require or maintain a configuration file for scheduler. All configuration is passed in as arguments at container run time. |
| 1.1.7 | Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated) | Clusters provisioned by RKE do not require or maintain a configuration file for etcd. All configuration is passed in as arguments at container run time. |
| 1.1.8 | Ensure that the etcd pod specification file ownership is set to root:root (Automated) | Clusters provisioned by RKE do not require or maintain a configuration file for etcd. All configuration is passed in as arguments at container run time. |
| 1.1.13 | Ensure that the admin.conf file permissions are set to 644 or more restrictive (Automated) | Clusters provisioned by RKE do not store the Kubernetes default kubeconfig credentials file on the nodes. |
| 1.1.14 | Ensure that the admin.conf file ownership is set to root:root (Automated) | Clusters provisioned by RKE do not store the Kubernetes default kubeconfig credentials file on the nodes. |
| 1.1.15 | Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated) | Clusters provisioned by RKE do not require or maintain a configuration file for scheduler. All configuration is passed in as arguments at container run time. |
| 1.1.16 | Ensure that the scheduler.conf file ownership is set to root:root (Automated) | Clusters provisioned by RKE do not require or maintain a configuration file for scheduler. All configuration is passed in as arguments at container run time. |
| 1.1.17 | Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated) | Clusters provisioned by RKE do not require or maintain a configuration file for controller-manager. All configuration is passed in as arguments at container run time. |
| 1.1.18 | Ensure that the controller-manager.conf file ownership is set to root:root (Automated) | Clusters provisioned by RKE do not require or maintain a configuration file for controller-manager. All configuration is passed in as arguments at container run time. |
| 1.3.6 | Ensure that the RotateKubeletServerCertificate argument is set to true (Automated) | Clusters provisioned by RKE handle certificate rotation directly through RKE. |
| 4.1.1 | Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated) | Clusters provisioned by RKE do not require or maintain a configuration file for the kubelet service. All configuration is passed in as arguments at container run time. |
| 4.1.2 | Ensure that the kubelet service file ownership is set to root:root (Automated) | Clusters provisioned by RKE do not require or maintain a configuration file for the kubelet service. All configuration is passed in as arguments at container run time. |
| 4.1.9 | Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Automated) | Clusters provisioned by RKE do not require or maintain a configuration file for the kubelet. All configuration is passed in as arguments at container run time. |
| 4.1.10 | Ensure that the kubelet configuration file ownership is set to root:root (Automated) | Clusters provisioned by RKE do not require or maintain a configuration file for the kubelet. All configuration is passed in as arguments at container run time. |
| 4.2.12 | Ensure that the RotateKubeletServerCertificate argument is set to true (Automated) | Clusters provisioned by RKE handle certificate rotation directly through RKE. |