Currently within the CIS 1.7 for test 1.2.3; the test is manual using ps -ef | grep kube-apiserver. Then a manual search for --disabled-admission-plugins=DenyServiceExternalIPs.
Could the test be refined to give a better result with: ps -ef | grep kube-apiserver | grep DenyServiceExternalIPs;echo $?
How did you run kube-bench?
Copy kube-bench/v0.6.15/job_master.yaml to local system
Run kubectl apply -f job_master.yaml
Environment
kube-bench: v0.6.15
Kubernetes:
kubeadm install
kubernetes v1.26.5
From my perspective there are several issues with this test as it is in the current code base:
It's a manual test, but not of type manual, so in our automation it pops up as WARN regardless of the state of the cluster;
Reading the description of DenyServiceExternalIPs I still feel very unsure of whether DenyServiceExternalIPs should be turned on or off, especially combined with the kube-bench remediation text: "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and remove the DenyServiceExternalIPs from enabled admission plugins."
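The one-liner proposed in the issue exits 0 whenever the plugin name appears anywhere on the command line, so it cannot tell an enabled plugin from a disabled one. The sketch below is an added example, not kube-bench code: it reads the kube-apiserver flags `--enable-admission-plugins` and `--disable-admission-plugins` separately and reports which list names the plugin. The function names and the sample process lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from kube-bench): classify an admission plugin from a
# kube-apiserver command line as enabled | disabled | both | unset.

# Print the value of the last occurrence of --<flag> in <cmdline>,
# accepting both "--flag=value" and "--flag value".
flag_value() {
    printf '%s\n' "$1" | awk -v f="--$2" '{
        for (i = 1; i <= NF; i++) {
            if ($i == f && i < NF)           v = $(i + 1)
            else if (index($i, f "=") == 1)  v = substr($i, length(f) + 2)
        }
    } END { print v }'
}

# Succeed if <name> is an exact element of the comma-separated <list>.
in_list() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# plugin_state <cmdline> <plugin>
# "unset" means neither flag names the plugin, so the API server default applies.
plugin_state() {
    enabled=$(flag_value "$1" enable-admission-plugins)
    disabled=$(flag_value "$1" disable-admission-plugins)
    if in_list "$enabled" "$2" && in_list "$disabled" "$2"; then echo both
    elif in_list "$enabled" "$2"; then echo enabled
    elif in_list "$disabled" "$2"; then echo disabled
    else echo unset
    fi
}

# Constructed sample lines in `ps -ef` layout (not captured from a real node).
SAMPLE_ENABLED='root 1234 1 0 10:00 ? 00:00:05 kube-apiserver --secure-port=6443 --enable-admission-plugins=NodeRestriction,DenyServiceExternalIPs'
SAMPLE_DISABLED='root 1234 1 0 10:00 ? 00:00:05 kube-apiserver --enable-admission-plugins=NodeRestriction --disable-admission-plugins=DenyServiceExternalIPs'
SAMPLE_UNSET='root 1234 1 0 10:00 ? 00:00:05 kube-apiserver --enable-admission-plugins=NodeRestriction'

for s in "$SAMPLE_ENABLED" "$SAMPLE_DISABLED" "$SAMPLE_UNSET"; do
    plugin_state "$s" DenyServiceExternalIPs
done

# On a control plane node; the [k] keeps grep from matching its own process:
#   plugin_state "$(ps -ef | grep '[k]ube-apiserver')" DenyServiceExternalIPs
```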