Google GKE Compliance Audit Configuration File Paths
This table lists, for each compliance audit performed on Google Kubernetes Engine (GKE) clusters, the audit command and every candidate configuration file path (or kubelet process name, for checks that inspect the running kubelet) that the audit may resolve its variables to.
ID | Name | Audit | All Possible Configuration Paths |
---|---|---|---|
3.1.1 | Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored) | /bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi' | "/etc/kubernetes/kubelet-kubeconfig" "/var/lib/kubelet/kubeconfig" "/var/snap/microk8s/current/credentials/proxy.config" |
3.1.2 | Ensure that the proxy kubeconfig file ownership is set to root:root (Scored) | /bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi' | "/etc/kubernetes/kubelet-kubeconfig" "/var/lib/kubelet/kubeconfig" "/var/snap/microk8s/current/credentials/proxy.config" |
3.1.3 | Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored) | /bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi' | "/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet" "/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service" |
3.1.4 | Ensure that the kubelet configuration file ownership is set to root:root (Scored) | /bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi' | "/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet" "/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service" |
3.2.1 | Ensure that the --anonymous-auth argument is set to false (Scored) | /bin/ps -fC $kubeletbin or /bin/cat $kubeletconf | "hyperkube kubelet" "kubelet" "/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet" "/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service" |
3.2.2 | Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored) | /bin/ps -fC $kubeletbin or /bin/cat $kubeletconf | "hyperkube kubelet" "kubelet" "/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet" "/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service" |
3.2.3 | Ensure that the --client-ca-file argument is set as appropriate (Scored) | /bin/ps -fC $kubeletbin or /bin/cat $kubeletconf | "hyperkube kubelet" "kubelet" "/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet" "/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service" |
3.2.4 | Ensure that the --read-only-port argument is set to 0 (Scored) | /bin/ps -fC $kubeletbin or /bin/cat $kubeletconf | "hyperkube kubelet" "kubelet" "/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet" "/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service" |
3.2.5 | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) | /bin/ps -fC $kubeletbin or /bin/cat $kubeletconf | "hyperkube kubelet" "kubelet" "/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet" "/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service" |
3.2.6 | Ensure that the --protect-kernel-defaults argument is set to true (Scored) | /bin/ps -fC $kubeletbin or /bin/cat $kubeletconf | "hyperkube kubelet" "kubelet" "/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet" "/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service" |
3.2.7 | Ensure that the --make-iptables-util-chains argument is set to true (Scored) | /bin/ps -fC $kubeletbin or /bin/cat $kubeletconf | "hyperkube kubelet" "kubelet" "/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet" "/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service" |
3.2.8 | Ensure that the --hostname-override argument is not set (Scored) | /bin/ps -fC $kubeletbin or /bin/cat $kubeletconf | "hyperkube kubelet" "kubelet" "/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet" "/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service" |
3.2.9 | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Scored) | /bin/ps -fC $kubeletbin | "hyperkube kubelet" "kubelet" |
3.2.10 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored) | /bin/ps -fC $kubeletbin or /bin/cat $kubeletconf | "hyperkube kubelet" "kubelet" "/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet" "/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service" |
3.2.11 | Ensure that the --rotate-certificates argument is not set to false (Scored) | /bin/ps -fC $kubeletbin or /bin/cat $kubeletconf | "hyperkube kubelet" "kubelet" "/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet" "/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service" |
3.2.12 | Ensure that the RotateKubeletServerCertificate argument is set to true (Scored) | /bin/ps -fC $kubeletbin or /bin/cat $kubeletconf | "hyperkube kubelet" "kubelet" "/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet" "/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service" |