mtpereira/kube-bench-1030-status-fail-output.log

## kube-bench-1030-status-fail-output.log
[FAIL] 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)
[FAIL] 1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)
[FAIL] 1.2.15 Ensure that the admission control plugin PodSecurityPolicy is set (Automated)
[FAIL] 1.2.20 Ensure that the --profiling argument is set to false (Automated)
[FAIL] 1.2.21 Ensure that the --audit-log-path argument is set (Automated)
[FAIL] 1.2.22 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)
[FAIL] 1.2.23 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)
[FAIL] 1.2.24 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)
[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Automated)
[FAIL] 1.4.1 Ensure that the --profiling argument is set to false (Automated)

== Remediations master ==
1.1.12 On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
from the below command:
ps -ef | grep etcd
Run the below command (based on the etcd data directory found above).
For example, chown etcd:etcd /var/lib/etcd

1.2.5 Follow the Kubernetes documentation and setup the TLS connection between
the apiserver and kubelets. Then, edit the API server pod specification file
/etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the
--kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.
--kubelet-certificate-authority=<ca-string>

1.2.15 Follow the documentation and create Pod Security Policy objects as per your environment.
Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --enable-admission-plugins parameter to a
value that includes PodSecurityPolicy:
--enable-admission-plugins=...,PodSecurityPolicy,...
Then restart the API Server.

1.2.20 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter.
--profiling=false

1.2.21 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --audit-log-path parameter to a suitable path and
file where you would like audit logs to be written, for example:
--audit-log-path=/var/log/apiserver/audit.log

1.2.22 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days:
--audit-log-maxage=30

1.2.23 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --audit-log-maxbackup parameter to 10 or to an appropriate
value.
--audit-log-maxbackup=10

1.2.24 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --audit-log-maxsize parameter to an appropriate size in MB.
For example, to set it as 100 MB:
--audit-log-maxsize=100

1.3.2 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the master node and set the below parameter.
--profiling=false

1.4.1 Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file
on the master node and set the below parameter.
--profiling=false


== Summary master ==
10 checks FAIL


== Summary etcd ==
0 checks FAIL


== Summary controlplane ==
0 checks FAIL

[FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)

== Remediations node ==
4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service


== Summary node ==
1 checks FAIL


== Summary policies ==
0 checks FAIL

== Summary total ==
11 checks FAIL
	[FAIL] 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)
	[FAIL] 1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)
	[FAIL] 1.2.15 Ensure that the admission control plugin PodSecurityPolicy is set (Automated)
	[FAIL] 1.2.20 Ensure that the --profiling argument is set to false (Automated)
	[FAIL] 1.2.21 Ensure that the --audit-log-path argument is set (Automated)
	[FAIL] 1.2.22 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)
	[FAIL] 1.2.23 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)
	[FAIL] 1.2.24 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)
	[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Automated)
	[FAIL] 1.4.1 Ensure that the --profiling argument is set to false (Automated)

	== Remediations master ==
	1.1.12 On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
	from the below command:
	ps -ef \| grep etcd
	Run the below command (based on the etcd data directory found above).
	For example, chown etcd:etcd /var/lib/etcd

	1.2.5 Follow the Kubernetes documentation and setup the TLS connection between
	the apiserver and kubelets. Then, edit the API server pod specification file
	/etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the
	--kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.
	--kubelet-certificate-authority=<ca-string>

	1.2.15 Follow the documentation and create Pod Security Policy objects as per your environment.
	Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
	on the master node and set the --enable-admission-plugins parameter to a
	value that includes PodSecurityPolicy:
	--enable-admission-plugins=...,PodSecurityPolicy,...
	Then restart the API Server.

	1.2.20 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
	on the master node and set the below parameter.
	--profiling=false

	1.2.21 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
	on the master node and set the --audit-log-path parameter to a suitable path and
	file where you would like audit logs to be written, for example:
	--audit-log-path=/var/log/apiserver/audit.log

	1.2.22 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
	on the master node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days:
	--audit-log-maxage=30

	1.2.23 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
	on the master node and set the --audit-log-maxbackup parameter to 10 or to an appropriate
	value.
	--audit-log-maxbackup=10

	1.2.24 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
	on the master node and set the --audit-log-maxsize parameter to an appropriate size in MB.
	For example, to set it as 100 MB:
	--audit-log-maxsize=100

	1.3.2 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
	on the master node and set the below parameter.
	--profiling=false

	1.4.1 Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file
	on the master node and set the below parameter.
	--profiling=false


	== Summary master ==
	10 checks FAIL


	== Summary etcd ==
	0 checks FAIL


	== Summary controlplane ==
	0 checks FAIL

	[FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)

	== Remediations node ==
	4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
	If using command line arguments, edit the kubelet service file
	/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
	set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
	--protect-kernel-defaults=true
	Based on your system, restart the kubelet service. For example:
	systemctl daemon-reload
	systemctl restart kubelet.service


	== Summary node ==
	1 checks FAIL


	== Summary policies ==
	0 checks FAIL

	== Summary total ==
	11 checks FAIL