Notes
kube-bench is a tool that audits a Kubernetes cluster from the infrastructure side (it runs the CIS Kubernetes Benchmark checks against the node it is started on). Having tried it, it turned out to be well put together, so here is a short introduction together with the result of a test run. The cluster was Kubernetes v1.23.2. Note the `--pid=host` flag and the read-only mounts of /etc and /var: kube-bench needs to see the host's processes and configuration files from inside the container, and `--version 1.23` tells it which benchmark revision to apply.
# docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest run --targets=master --version 1.23
Output
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 Master Node Configuration Files
[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
[PASS] 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)
[PASS] 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)
[PASS] 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Automated)
[PASS] 1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)
[PASS] 1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root (Automated)
[PASS] 1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)
[PASS] 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Automated)
[WARN] 1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)
[WARN] 1.1.10 Ensure that the Container Network Interface file ownership is set to root:root (Manual)
[PASS] 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)
[FAIL] 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)
[PASS] 1.1.13 Ensure that the admin.conf file permissions are set to 644 or more restrictive (Automated)
...
1.1.12 On the etcd server node, get the etcd data directory, passed as an argument --data-dir, from the below command:
ps -ef | grep etcd
Run the below command (based on the etcd data directory found above). For example,
chown etcd:etcd /var/lib/etcd
The FAIL above means that the directory the etcd process passes via ```--data-dir``` is owned by root, and the tool is telling us to make it etcd:etcd. Personally I think either owner is fine, but a tool that goes as far as printing the remediation for every failed check is very welcome. Two things worth knowing before applying that chown: on a cluster where etcd runs as a static pod as root (the kubeadm layout the pod-specification checks above assume), there is usually no etcd user to hand the directory to; and the directory holds the entire cluster state, Secrets included, so the 700 mode verified by 1.1.11 is the part that actually keeps other local users out.
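To make the run above usable as a gate rather than something read by eye, the following added example (my own script, not part of kube-bench or of the original post) parses the plain-text report format shown above, counts PASS/WARN/FAIL lines, lists the failed check IDs, and extracts the etcd --data-dir from a ps line the way remediation 1.1.12 suggests. The report excerpt and the ps line embedded in it are constructed samples, and the paths in them are illustrative.

```shell
#!/bin/sh
# Added example: turn kube-bench text output into a pass/fail gate and find the
# etcd data directory for remediation 1.1.12. POSIX sh, awk and grep only.

# Constructed sample of kube-bench text output (same format as the real report).
SAMPLE_REPORT='[INFO] 1 Master Node Security Configuration
[INFO] 1.1 Master Node Configuration Files
[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
[WARN] 1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)
[FAIL] 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)
[PASS] 1.1.13 Ensure that the admin.conf file permissions are set to 644 or more restrictive (Automated)'

# count_status REPORT STATUS -> number of result lines tagged [STATUS]
# (grep -c exits 1 on zero matches, so "|| true" keeps set -e callers alive)
count_status() {
  printf '%s\n' "$1" | grep -c "^\[$2\]" || true
}

# failed_checks REPORT -> space-separated IDs of the checks that FAILed
failed_checks() {
  printf '%s\n' "$1" | awk '$1 == "[FAIL]" { printf "%s%s", (n++ ? " " : ""), $2 }'
}

# gate REPORT -> exit 0 when there is no FAIL line, 1 otherwise (CI step)
gate() {
  [ "$(count_status "$1" FAIL)" -eq 0 ]
}

# Constructed "ps -ef | grep etcd" line; the addresses and paths are illustrative.
SAMPLE_PS='root  1234  1  0 10:00 ?  00:01:02 etcd --advertise-client-urls=https://10.0.0.1:2379 --data-dir=/var/lib/etcd --listen-peer-urls=https://10.0.0.1:2380'

# etcd_data_dir PS_LINE -> value of --data-dir, accepting "--data-dir=X" or "--data-dir X"
etcd_data_dir() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^--data-dir=/) { sub(/^--data-dir=/, "", $i); print $i; exit }
      if ($i == "--data-dir")   { print $(i + 1); exit }
    }
  }'
}

# Stand-alone run: summary line, failed IDs, and the chown target for 1.1.12
main() {
  echo "PASS=$(count_status "$SAMPLE_REPORT" PASS) WARN=$(count_status "$SAMPLE_REPORT" WARN) FAIL=$(count_status "$SAMPLE_REPORT" FAIL)"
  echo "failed checks: $(failed_checks "$SAMPLE_REPORT")"
  echo "etcd --data-dir: $(etcd_data_dir "$SAMPLE_PS")  (1.1.12 remediation: chown etcd:etcd on that directory)"
  gate "$SAMPLE_REPORT" || echo "gate: FAIL present, pipeline would stop here"
}
main
```

In real use you would feed the output of the `docker run ... aquasec/kube-bench ... run --targets=master` command above into `count_status`/`gate` instead of the embedded sample, and decide up front which FAIL items (such as 1.1.12 on a kubeadm cluster with no etcd user) are accepted exceptions, so the gate blocks on new findings rather than on known ones.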