github.com/castai/kvisor@v1.7.1-0.20240516114728-b3572a2607b5/cmd/controller/state/kubebench/testdata/kube-bench-gke.json (about) 1 { 2 "Controls": [ 3 { 4 "id": "3", 5 "version": "gke-1.2.0", 6 "detected_version": "none", 7 "text": "Worker Node Security Configuration", 8 "node_type": "node", 9 "tests": [ 10 { 11 "section": "3.1", 12 "type": "", 13 "pass": 4, 14 "fail": 0, 15 "warn": 0, 16 "info": 0, 17 "desc": "Worker Node Configuration Files", 18 "results": [ 19 { 20 "test_number": "3.1.4", 21 "test_desc": "Ensure that the kubelet configuration file ownership is set to root:root (Manual)", 22 "audit": "/bin/sh -c 'if test -e /home/kubernetes/kubelet-config.yaml; then stat -c %U:%G /home/kubernetes/kubelet-config.yaml; fi' ", 23 "AuditEnv": "", 24 "AuditConfig": "", 25 "type": "", 26 "remediation": "Run the following command (using the config file location identied in the Audit step)\nchown root:root /etc/kubernetes/kubelet.conf\n", 27 "test_info": [ 28 "Run the following command (using the config file location identied in the Audit step)\nchown root:root /etc/kubernetes/kubelet.conf\n" 29 ], 30 "status": "PASS", 31 "actual_value": "root:root", 32 "scored": false, 33 "IsMultiple": false, 34 "expected_result": "'root:root' is present" 35 } 36 ] 37 }, 38 { 39 "section": "3.2", 40 "type": "", 41 "pass": 8, 42 "fail": 2, 43 "warn": 2, 44 "info": 0, 45 "desc": "Kubelet", 46 "results": [ 47 { 48 "test_number": "3.2.1", 49 "test_desc": "Ensure that the --anonymous-auth argument is set to false (Automated)", 50 "audit": "/bin/ps -fC kubelet", 51 "AuditEnv": "", 52 "AuditConfig": "/bin/cat /home/kubernetes/kubelet-config.yaml", 53 "type": "", 54 "remediation": "If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to\nfalse.\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--anonymous-auth=false\nBased 
on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n", 55 "test_info": [ 56 "If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to\nfalse.\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--anonymous-auth=false\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n" 57 ], 58 "status": "PASS", 59 "actual_value": "apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n enabled: true\n x509:\n clientCAFile: /etc/srv/kubernetes/pki/ca-certificates.crt\nauthorization:\n mode: Webhook\ncgroupRoot: /\nclusterDNS:\n- 10.112.0.10\nclusterDomain: cluster.local\nenableDebuggingHandlers: true\nevictionHard:\n memory.available: 100Mi\n nodefs.available: 10%\n nodefs.inodesFree: 5%\n pid.available: 10%\nfeatureGates:\n CSIMigrationGCE: true\n DynamicKubeletConfig: false\n ExecProbeTimeout: false\n InTreePluginAWSUnregister: true\n InTreePluginAzureDiskUnregister: true\n InTreePluginOpenStackUnregister: true\n InTreePluginvSphereUnregister: true\n RotateKubeletServerCertificate: true\nkernelMemcgNotification: true\nkind: KubeletConfiguration\nkubeReserved:\n cpu: 1060m\n ephemeral-storage: 41Gi\n memory: 1019Mi\nreadOnlyPort: 10255\nserverTLSBootstrap: true\nstaticPodPath: /etc/kubernetes/manifests", 60 "scored": true, 61 "IsMultiple": false, 62 "expected_result": "'{.authentication.anonymous.enabled}' is equal to 'false'" 63 }, 64 { 65 "test_number": "3.2.2", 66 "test_desc": "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)", 67 "audit": "/bin/ps -fC kubelet", 68 "AuditEnv": "", 69 "AuditConfig": "/bin/cat /home/kubernetes/kubelet-config.yaml", 70 "type": "", 71 "remediation": "If using a 
Kubelet config file, edit the file to set authorization: mode to Webhook. If\nusing executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--authorization-mode=Webhook\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n", 72 "test_info": [ 73 "If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If\nusing executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--authorization-mode=Webhook\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n" 74 ], 75 "status": "PASS", 76 "actual_value": "apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n enabled: true\n x509:\n clientCAFile: /etc/srv/kubernetes/pki/ca-certificates.crt\nauthorization:\n mode: Webhook\ncgroupRoot: /\nclusterDNS:\n- 10.112.0.10\nclusterDomain: cluster.local\nenableDebuggingHandlers: true\nevictionHard:\n memory.available: 100Mi\n nodefs.available: 10%\n nodefs.inodesFree: 5%\n pid.available: 10%\nfeatureGates:\n CSIMigrationGCE: true\n DynamicKubeletConfig: false\n ExecProbeTimeout: false\n InTreePluginAWSUnregister: true\n InTreePluginAzureDiskUnregister: true\n InTreePluginOpenStackUnregister: true\n InTreePluginvSphereUnregister: true\n RotateKubeletServerCertificate: true\nkernelMemcgNotification: true\nkind: KubeletConfiguration\nkubeReserved:\n cpu: 1060m\n ephemeral-storage: 41Gi\n memory: 1019Mi\nreadOnlyPort: 10255\nserverTLSBootstrap: true\nstaticPodPath: /etc/kubernetes/manifests", 77 "scored": true, 78 "IsMultiple": false, 79 "expected_result": "'{.authorization.mode}' does not have 'AlwaysAllow'" 80 }, 81 { 82 "test_number": "3.2.3", 
83 "test_desc": "Ensure that the --client-ca-file argument is set as appropriate (Automated)", 84 "audit": "/bin/ps -fC kubelet", 85 "AuditEnv": "", 86 "AuditConfig": "/bin/cat /home/kubernetes/kubelet-config.yaml", 87 "type": "", 88 "remediation": "If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to\nthe location of the client CA file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--client-ca-file=\u003cpath/to/client-ca-file\u003e\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n", 89 "test_info": [ 90 "If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to\nthe location of the client CA file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--client-ca-file=\u003cpath/to/client-ca-file\u003e\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n" 91 ], 92 "status": "PASS", 93 "actual_value": "apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n enabled: true\n x509:\n clientCAFile: /etc/srv/kubernetes/pki/ca-certificates.crt\nauthorization:\n mode: Webhook\ncgroupRoot: /\nclusterDNS:\n- 10.112.0.10\nclusterDomain: cluster.local\nenableDebuggingHandlers: true\nevictionHard:\n memory.available: 100Mi\n nodefs.available: 10%\n nodefs.inodesFree: 5%\n pid.available: 10%\nfeatureGates:\n CSIMigrationGCE: true\n DynamicKubeletConfig: false\n ExecProbeTimeout: false\n InTreePluginAWSUnregister: true\n InTreePluginAzureDiskUnregister: true\n InTreePluginOpenStackUnregister: true\n InTreePluginvSphereUnregister: true\n RotateKubeletServerCertificate: true\nkernelMemcgNotification: true\nkind: KubeletConfiguration\nkubeReserved:\n cpu: 1060m\n ephemeral-storage: 41Gi\n memory: 1019Mi\nreadOnlyPort: 10255\nserverTLSBootstrap: true\nstaticPodPath: /etc/kubernetes/manifests", 94 "scored": true, 95 "IsMultiple": false, 96 "expected_result": "'{.authentication.x509.clientCAFile}' is present" 97 }, 98 { 99 "test_number": "3.2.4", 100 "test_desc": "Ensure that the --read-only-port argument is set to 0 (Manual)", 101 "audit": "/bin/ps -fC kubelet", 102 "AuditEnv": "", 103 "AuditConfig": "/bin/cat /home/kubernetes/kubelet-config.yaml", 104 "type": "", 105 "remediation": "If using a Kubelet config file, edit the file to set readOnlyPort to 0.\nIf using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--read-only-port=0\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n", 106 "test_info": [ 107 "If using a Kubelet config file, edit the file to set readOnlyPort to 0.\nIf using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--read-only-port=0\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n" 108 ], 109 "status": "WARN", 110 "actual_value": "apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n enabled: true\n x509:\n clientCAFile: /etc/srv/kubernetes/pki/ca-certificates.crt\nauthorization:\n mode: Webhook\ncgroupRoot: /\nclusterDNS:\n- 10.112.0.10\nclusterDomain: cluster.local\nenableDebuggingHandlers: true\nevictionHard:\n memory.available: 100Mi\n nodefs.available: 10%\n nodefs.inodesFree: 5%\n pid.available: 10%\nfeatureGates:\n CSIMigrationGCE: true\n DynamicKubeletConfig: false\n ExecProbeTimeout: false\n InTreePluginAWSUnregister: true\n InTreePluginAzureDiskUnregister: true\n InTreePluginOpenStackUnregister: true\n InTreePluginvSphereUnregister: true\n RotateKubeletServerCertificate: true\nkernelMemcgNotification: true\nkind: KubeletConfiguration\nkubeReserved:\n cpu: 1060m\n ephemeral-storage: 41Gi\n memory: 1019Mi\nreadOnlyPort: 10255\nserverTLSBootstrap: true\nstaticPodPath: /etc/kubernetes/manifests", 111 "scored": false, 112 "IsMultiple": false, 113 "expected_result": "'{.readOnlyPort}' is equal to '0'" 114 }, 115 { 116 "test_number": "3.2.5", 117 "test_desc": "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated)", 118 "audit": "/bin/ps -fC kubelet", 119 "AuditEnv": "", 120 "AuditConfig": "/bin/cat /home/kubernetes/kubelet-config.yaml", 121 "type": "", 122 "remediation": "If using a Kubelet config file, edit the file to set 
streamingConnectionIdleTimeout to a\nvalue other than 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--streaming-connection-idle-timeout=5m\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n", 123 "test_info": [ 124 "If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a\nvalue other than 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--streaming-connection-idle-timeout=5m\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n" 125 ], 126 "status": "PASS", 127 "actual_value": "apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n enabled: true\n x509:\n clientCAFile: /etc/srv/kubernetes/pki/ca-certificates.crt\nauthorization:\n mode: Webhook\ncgroupRoot: /\nclusterDNS:\n- 10.112.0.10\nclusterDomain: cluster.local\nenableDebuggingHandlers: true\nevictionHard:\n memory.available: 100Mi\n nodefs.available: 10%\n nodefs.inodesFree: 5%\n pid.available: 10%\nfeatureGates:\n CSIMigrationGCE: true\n DynamicKubeletConfig: false\n ExecProbeTimeout: false\n InTreePluginAWSUnregister: true\n InTreePluginAzureDiskUnregister: true\n InTreePluginOpenStackUnregister: true\n InTreePluginvSphereUnregister: true\n RotateKubeletServerCertificate: true\nkernelMemcgNotification: true\nkind: KubeletConfiguration\nkubeReserved:\n cpu: 1060m\n ephemeral-storage: 41Gi\n memory: 1019Mi\nreadOnlyPort: 10255\nserverTLSBootstrap: true\nstaticPodPath: /etc/kubernetes/manifests", 128 "scored": true, 129 "IsMultiple": false, 130 "expected_result": "'{.streamingConnectionIdleTimeout}' is 
present OR '{.streamingConnectionIdleTimeout}' is not present" 131 }, 132 { 133 "test_number": "3.2.6", 134 "test_desc": "Ensure that the --protect-kernel-defaults argument is set to true (Manual)", 135 "audit": "/bin/ps -fC kubelet", 136 "AuditEnv": "", 137 "AuditConfig": "/bin/cat /home/kubernetes/kubelet-config.yaml", 138 "type": "", 139 "remediation": "If using a Kubelet config file, edit the file to set protectKernelDefaults: true.\nIf using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--protect-kernel-defaults=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n", 140 "test_info": [ 141 "If using a Kubelet config file, edit the file to set protectKernelDefaults: true.\nIf using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--protect-kernel-defaults=true\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n" 142 ], 143 "status": "FAIL", 144 "actual_value": "apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n enabled: true\n x509:\n clientCAFile: /etc/srv/kubernetes/pki/ca-certificates.crt\nauthorization:\n mode: Webhook\ncgroupRoot: /\nclusterDNS:\n- 10.112.0.10\nclusterDomain: cluster.local\nenableDebuggingHandlers: true\nevictionHard:\n memory.available: 100Mi\n nodefs.available: 10%\n nodefs.inodesFree: 5%\n pid.available: 10%\nfeatureGates:\n CSIMigrationGCE: true\n DynamicKubeletConfig: false\n ExecProbeTimeout: false\n InTreePluginAWSUnregister: true\n InTreePluginAzureDiskUnregister: true\n InTreePluginOpenStackUnregister: true\n InTreePluginvSphereUnregister: true\n RotateKubeletServerCertificate: true\nkernelMemcgNotification: true\nkind: KubeletConfiguration\nkubeReserved:\n cpu: 1060m\n ephemeral-storage: 41Gi\n memory: 1019Mi\nreadOnlyPort: 10255\nserverTLSBootstrap: true\nstaticPodPath: /etc/kubernetes/manifests", 145 "scored": true, 146 "IsMultiple": false, 147 "expected_result": "'{.protectKernelDefaults}' is present" 148 }, 149 { 150 "test_number": "3.2.7", 151 "test_desc": "Ensure that the --make-iptables-util-chains argument is set to true (Automated) ", 152 "audit": "/bin/ps -fC kubelet", 153 "AuditEnv": "", 154 "AuditConfig": "/bin/cat /home/kubernetes/kubelet-config.yaml", 155 "type": "", 156 "remediation": "If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service on each worker node and\nremove the --make-iptables-util-chains argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n", 157 "test_info": [ 158 "If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service on each worker node and\nremove the --make-iptables-util-chains argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n" 159 ], 160 "status": "PASS", 161 "actual_value": "apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n enabled: true\n x509:\n clientCAFile: /etc/srv/kubernetes/pki/ca-certificates.crt\nauthorization:\n mode: Webhook\ncgroupRoot: /\nclusterDNS:\n- 10.112.0.10\nclusterDomain: cluster.local\nenableDebuggingHandlers: true\nevictionHard:\n memory.available: 100Mi\n nodefs.available: 10%\n nodefs.inodesFree: 5%\n pid.available: 10%\nfeatureGates:\n CSIMigrationGCE: true\n DynamicKubeletConfig: false\n ExecProbeTimeout: false\n InTreePluginAWSUnregister: true\n InTreePluginAzureDiskUnregister: true\n InTreePluginOpenStackUnregister: true\n InTreePluginvSphereUnregister: true\n RotateKubeletServerCertificate: true\nkernelMemcgNotification: true\nkind: KubeletConfiguration\nkubeReserved:\n cpu: 1060m\n ephemeral-storage: 41Gi\n memory: 1019Mi\nreadOnlyPort: 10255\nserverTLSBootstrap: true\nstaticPodPath: /etc/kubernetes/manifests", 162 "scored": true, 163 "IsMultiple": false, 164 "expected_result": "'{.makeIPTablesUtilChains}' is present OR '{.makeIPTablesUtilChains}' is not present" 165 }, 166 { 167 "test_number": "3.2.8", 168 "test_desc": "Ensure that the --hostname-override argument is not set (Manual)", 169 "audit": "/bin/ps -fC kubelet ", 170 "AuditEnv": "", 171 "AuditConfig": "", 172 "type": "", 173 "remediation": "Edit the kubelet service file /etc/systemd/system/kubelet.service\non each worker 
node and remove the --hostname-override argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n", 174 "test_info": [ 175 "Edit the kubelet service file /etc/systemd/system/kubelet.service\non each worker node and remove the --hostname-override argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n" 176 ], 177 "status": "PASS", 178 "actual_value": "UID PID PPID C STIME TTY TIME CMD\nroot 1645 1 2 Aug03 ? 02:53:38 /home/kubernetes/bin/kubelet --v=2 --experimental-check-node-capabilities-before-mount=true --cloud-provider=gce --experimental-mounter-path=/home/kubernetes/containerized_mounter/mounter --cert-dir=/var/lib/kubelet/pki/ --kubeconfig=/var/lib/kubelet/kubeconfig --cni-bin-dir=/home/kubernetes/bin --image-pull-progress-deadline=5m --max-pods=110 --non-masquerade-cidr=0.0.0.0/0 --network-plugin=kubenet --volume-plugin-dir=/home/kubernetes/flexvolume --node-status-max-images=25 --container-runtime=remote --container-runtime-endpoint=unix:///run/containerd/containerd.sock --runtime-cgroups=/system.slice/containerd.service --registry-qps=10 --registry-burst=20 --config /home/kubernetes/kubelet-config.yaml --pod-sysctls=net.core.somaxconn=1024,net.ipv4.conf.all.accept_redirects=0,net.ipv4.conf.all.forwarding=1,net.ipv4.conf.all.route_localnet=1,net.ipv4.conf.default.forwarding=1,net.ipv4.ip_forward=1,net.ipv4.tcp_fin_timeout=60,net.ipv4.tcp_keepalive_intvl=60,net.ipv4.tcp_keepalive_probes=5,net.ipv4.tcp_keepalive_time=300,net.ipv4.tcp_rmem=4096 87380 6291456,net.ipv4.tcp_syn_retries=6,net.ipv4.tcp_tw_reuse=0,net.ipv4.tcp_wmem=4096 16384 
4194304,net.ipv4.udp_rmem_min=4096,net.ipv4.udp_wmem_min=4096,net.ipv6.conf.all.disable_ipv6=1,net.ipv6.conf.default.accept_ra=0,net.ipv6.conf.default.disable_ipv6=1,net.netfilter.nf_conntrack_generic_timeout=600,net.netfilter.nf_conntrack_tcp_be_liberal=1,net.netfilter.nf_conntrack_tcp_timeout_close_wait=3600,net.netfilter.nf_conntrack_tcp_timeout_established=86400", 179 "scored": false, 180 "IsMultiple": false, 181 "expected_result": "'--hostname-override' is not present" 182 }, 183 { 184 "test_number": "3.2.9", 185 "test_desc": "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Automated)", 186 "audit": "/bin/ps -fC kubelet", 187 "AuditEnv": "", 188 "AuditConfig": "/bin/cat /home/kubernetes/kubelet-config.yaml", 189 "type": "", 190 "remediation": "If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.\nIf using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n", 191 "test_info": [ 192 "If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.\nIf using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n" 193 ], 194 "status": "FAIL", 195 "actual_value": "apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n enabled: true\n x509:\n clientCAFile: /etc/srv/kubernetes/pki/ca-certificates.crt\nauthorization:\n mode: Webhook\ncgroupRoot: /\nclusterDNS:\n- 10.112.0.10\nclusterDomain: cluster.local\nenableDebuggingHandlers: true\nevictionHard:\n memory.available: 100Mi\n nodefs.available: 10%\n nodefs.inodesFree: 5%\n pid.available: 10%\nfeatureGates:\n CSIMigrationGCE: true\n DynamicKubeletConfig: false\n ExecProbeTimeout: false\n InTreePluginAWSUnregister: true\n InTreePluginAzureDiskUnregister: true\n InTreePluginOpenStackUnregister: true\n InTreePluginvSphereUnregister: true\n RotateKubeletServerCertificate: true\nkernelMemcgNotification: true\nkind: KubeletConfiguration\nkubeReserved:\n cpu: 1060m\n ephemeral-storage: 41Gi\n memory: 1019Mi\nreadOnlyPort: 10255\nserverTLSBootstrap: true\nstaticPodPath: /etc/kubernetes/manifests", 196 "scored": true, 197 "IsMultiple": false, 198 "expected_result": "'{.eventRecordQPS}' is present" 199 }, 200 { 201 "test_number": "3.2.10", 202 "test_desc": "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)", 203 "audit": "/bin/ps -fC kubelet", 204 "AuditEnv": "", 205 "AuditConfig": "/bin/cat /home/kubernetes/kubelet-config.yaml", 206 "type": "", 207 "remediation": "If using a Kubelet config file, edit the file to set tlsCertFile to the location\nof the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile\nto the location of the corresponding private key file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service on each worker node and\nset the below parameters in KUBELET_CERTIFICATE_ARGS 
variable.\n--tls-cert-file=\u003cpath/to/tls-certificate-file\u003e\n--tls-private-key-file=\u003cpath/to/tls-key-file\u003e\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n", 208 "test_info": [ 209 "If using a Kubelet config file, edit the file to set tlsCertFile to the location\nof the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile\nto the location of the corresponding private key file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service on each worker node and\nset the below parameters in KUBELET_CERTIFICATE_ARGS variable.\n--tls-cert-file=\u003cpath/to/tls-certificate-file\u003e\n--tls-private-key-file=\u003cpath/to/tls-key-file\u003e\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n" 210 ], 211 "status": "WARN", 212 "actual_value": "apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n enabled: true\n x509:\n clientCAFile: /etc/srv/kubernetes/pki/ca-certificates.crt\nauthorization:\n mode: Webhook\ncgroupRoot: /\nclusterDNS:\n- 10.112.0.10\nclusterDomain: cluster.local\nenableDebuggingHandlers: true\nevictionHard:\n memory.available: 100Mi\n nodefs.available: 10%\n nodefs.inodesFree: 5%\n pid.available: 10%\nfeatureGates:\n CSIMigrationGCE: true\n DynamicKubeletConfig: false\n ExecProbeTimeout: false\n InTreePluginAWSUnregister: true\n InTreePluginAzureDiskUnregister: true\n InTreePluginOpenStackUnregister: true\n InTreePluginvSphereUnregister: true\n RotateKubeletServerCertificate: true\nkernelMemcgNotification: true\nkind: KubeletConfiguration\nkubeReserved:\n cpu: 1060m\n ephemeral-storage: 41Gi\n memory: 1019Mi\nreadOnlyPort: 10255\nserverTLSBootstrap: true\nstaticPodPath: /etc/kubernetes/manifests", 213 "scored": false, 214 "IsMultiple": false, 215 "expected_result": 
"'{.tlsCertFile}' is present AND '{.tlsPrivateKeyFile}' is present" 216 }, 217 { 218 "test_number": "3.2.11", 219 "test_desc": "Ensure that the --rotate-certificates argument is not set to false (Manual)", 220 "audit": "/bin/ps -fC kubelet", 221 "AuditEnv": "", 222 "AuditConfig": "/bin/cat /home/kubernetes/kubelet-config.yaml", 223 "type": "", 224 "remediation": "If using a Kubelet config file, edit the file to add the line rotateCertificates: true or\nremove it altogether to use the default value.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service on each worker node and\nremove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS\nvariable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n", 225 "test_info": [ 226 "If using a Kubelet config file, edit the file to add the line rotateCertificates: true or\nremove it altogether to use the default value.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service on each worker node and\nremove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS\nvariable.\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n" 227 ], 228 "status": "PASS", 229 "actual_value": "apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n enabled: true\n x509:\n clientCAFile: /etc/srv/kubernetes/pki/ca-certificates.crt\nauthorization:\n mode: Webhook\ncgroupRoot: /\nclusterDNS:\n- 10.112.0.10\nclusterDomain: cluster.local\nenableDebuggingHandlers: true\nevictionHard:\n memory.available: 100Mi\n nodefs.available: 10%\n nodefs.inodesFree: 5%\n pid.available: 10%\nfeatureGates:\n CSIMigrationGCE: true\n DynamicKubeletConfig: false\n ExecProbeTimeout: false\n InTreePluginAWSUnregister: true\n InTreePluginAzureDiskUnregister: true\n InTreePluginOpenStackUnregister: true\n InTreePluginvSphereUnregister: true\n RotateKubeletServerCertificate: true\nkernelMemcgNotification: true\nkind: KubeletConfiguration\nkubeReserved:\n cpu: 1060m\n ephemeral-storage: 41Gi\n memory: 1019Mi\nreadOnlyPort: 10255\nserverTLSBootstrap: true\nstaticPodPath: /etc/kubernetes/manifests", 230 "scored": false, 231 "IsMultiple": false, 232 "expected_result": "'{.rotateCertificates}' is present OR '{.rotateCertificates}' is not present" 233 }, 234 { 235 "test_number": "3.2.12", 236 "test_desc": "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)", 237 "audit": "/bin/ps -fC kubelet", 238 "AuditEnv": "", 239 "AuditConfig": "/bin/cat /home/kubernetes/kubelet-config.yaml", 240 "type": "", 241 "remediation": "Edit the kubelet service file /etc/systemd/system/kubelet.service\non each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.\n--feature-gates=RotateKubeletServerCertificate=true\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n", 242 "test_info": [ 243 "Edit the kubelet service file /etc/systemd/system/kubelet.service\non each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.\n--feature-gates=RotateKubeletServerCertificate=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n" 244 ], 245 "status": "PASS", 246 "actual_value": "apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n enabled: true\n x509:\n clientCAFile: /etc/srv/kubernetes/pki/ca-certificates.crt\nauthorization:\n mode: Webhook\ncgroupRoot: /\nclusterDNS:\n- 10.112.0.10\nclusterDomain: cluster.local\nenableDebuggingHandlers: true\nevictionHard:\n memory.available: 100Mi\n nodefs.available: 10%\n nodefs.inodesFree: 5%\n pid.available: 10%\nfeatureGates:\n CSIMigrationGCE: true\n DynamicKubeletConfig: false\n ExecProbeTimeout: false\n InTreePluginAWSUnregister: true\n InTreePluginAzureDiskUnregister: true\n InTreePluginOpenStackUnregister: true\n InTreePluginvSphereUnregister: true\n RotateKubeletServerCertificate: true\nkernelMemcgNotification: true\nkind: KubeletConfiguration\nkubeReserved:\n cpu: 1060m\n ephemeral-storage: 41Gi\n memory: 1019Mi\nreadOnlyPort: 10255\nserverTLSBootstrap: true\nstaticPodPath: /etc/kubernetes/manifests", 247 "scored": true, 248 "IsMultiple": false, 249 "expected_result": "'{.featureGates.RotateKubeletServerCertificate}' is equal to 'true'" 250 } 251 ] 252 } 253 ], 254 "total_pass": 12, 255 "total_fail": 2, 256 "total_warn": 2, 257 "total_info": 0 258 }, 259 { 260 "id": "4", 261 "version": "gke-1.2.0", 262 "detected_version": "none", 263 "text": "Kubernetes Policies", 264 "node_type": "policies", 265 "tests": [ 266 { 267 "section": "4.1", 268 "type": "", 269 "pass": 0, 270 "fail": 0, 271 "warn": 6, 272 "info": 0, 273 "desc": "RBAC and Service Accounts", 274 "results": [ 
275 { 276 "test_number": "4.1.1", 277 "test_desc": "Ensure that the cluster-admin role is only used where required (Manual)", 278 "audit": "", 279 "AuditEnv": "", 280 "AuditConfig": "", 281 "type": "manual", 282 "remediation": "Identify all clusterrolebindings to the cluster-admin role. Check if they are used and\nif they need this role or if they could use a role with fewer privileges.\nWhere possible, first bind users to a lower privileged role and then remove the\nclusterrolebinding to the cluster-admin role :\nkubectl delete clusterrolebinding [name]\n", 283 "test_info": [ 284 "Identify all clusterrolebindings to the cluster-admin role. Check if they are used and\nif they need this role or if they could use a role with fewer privileges.\nWhere possible, first bind users to a lower privileged role and then remove the\nclusterrolebinding to the cluster-admin role :\nkubectl delete clusterrolebinding [name]\n" 285 ], 286 "status": "WARN", 287 "actual_value": "", 288 "scored": false, 289 "IsMultiple": false, 290 "expected_result": "", 291 "reason": "Test marked as a manual test" 292 }, 293 { 294 "test_number": "4.1.2", 295 "test_desc": "Minimize access to secrets (Manual)", 296 "audit": "", 297 "AuditEnv": "", 298 "AuditConfig": "", 299 "type": "manual", 300 "remediation": "Where possible, remove get, list and watch access to secret objects in the cluster.\n", 301 "test_info": [ 302 "Where possible, remove get, list and watch access to secret objects in the cluster.\n" 303 ], 304 "status": "WARN", 305 "actual_value": "", 306 "scored": false, 307 "IsMultiple": false, 308 "expected_result": "", 309 "reason": "Test marked as a manual test" 310 }, 311 { 312 "test_number": "4.1.3", 313 "test_desc": "Minimize wildcard use in Roles and ClusterRoles (Manual)", 314 "audit": "", 315 "AuditEnv": "", 316 "AuditConfig": "", 317 "type": "manual", 318 "remediation": "Where possible replace any use of wildcards in clusterroles and roles with specific\nobjects or actions.\n", 319 
"test_info": [ 320 "Where possible replace any use of wildcards in clusterroles and roles with specific\nobjects or actions.\n" 321 ], 322 "status": "WARN", 323 "actual_value": "", 324 "scored": false, 325 "IsMultiple": false, 326 "expected_result": "", 327 "reason": "Test marked as a manual test" 328 }, 329 { 330 "test_number": "4.1.4", 331 "test_desc": "Minimize access to create pods (Manual)", 332 "audit": "", 333 "AuditEnv": "", 334 "AuditConfig": "", 335 "type": "manual", 336 "remediation": "Where possible, remove create access to pod objects in the cluster.\n", 337 "test_info": [ 338 "Where possible, remove create access to pod objects in the cluster.\n" 339 ], 340 "status": "WARN", 341 "actual_value": "", 342 "scored": false, 343 "IsMultiple": false, 344 "expected_result": "", 345 "reason": "Test marked as a manual test" 346 }, 347 { 348 "test_number": "4.1.5", 349 "test_desc": "Ensure that default service accounts are not actively used. (Manual)", 350 "audit": "", 351 "AuditEnv": "", 352 "AuditConfig": "", 353 "type": "manual", 354 "remediation": "Create explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\nautomountServiceAccountToken: false\n", 355 "test_info": [ 356 "Create explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\nautomountServiceAccountToken: false\n" 357 ], 358 "status": "WARN", 359 "actual_value": "", 360 "scored": true, 361 "IsMultiple": false, 362 "expected_result": "", 363 "reason": "Test marked as a manual test" 364 }, 365 { 366 "test_number": "4.1.6", 367 "test_desc": "Ensure that Service Account Tokens are only mounted where necessary (Manual)", 368 "audit": "", 369 "AuditEnv": "", 370 "AuditConfig": "", 371 "type": "manual", 372 "remediation": "Modify the 
definition of pods and service accounts which do not need to mount service\naccount tokens to disable it.\n", 373 "test_info": [ 374 "Modify the definition of pods and service accounts which do not need to mount service\naccount tokens to disable it.\n" 375 ], 376 "status": "WARN", 377 "actual_value": "", 378 "scored": false, 379 "IsMultiple": false, 380 "expected_result": "", 381 "reason": "Test marked as a manual test" 382 } 383 ] 384 }, 385 { 386 "section": "4.2", 387 "type": "", 388 "pass": 0, 389 "fail": 0, 390 "warn": 9, 391 "info": 0, 392 "desc": "Pod Security Policies", 393 "results": [ 394 { 395 "test_number": "4.2.1", 396 "test_desc": "Minimize the admission of privileged containers (Automated)", 397 "audit": "", 398 "AuditEnv": "", 399 "AuditConfig": "", 400 "type": "manual", 401 "remediation": "Create a PSP as described in the Kubernetes documentation, ensuring that\nthe .spec.privileged field is omitted or set to false.\n", 402 "test_info": [ 403 "Create a PSP as described in the Kubernetes documentation, ensuring that\nthe .spec.privileged field is omitted or set to false.\n" 404 ], 405 "status": "WARN", 406 "actual_value": "", 407 "scored": false, 408 "IsMultiple": false, 409 "expected_result": "", 410 "reason": "Test marked as a manual test" 411 }, 412 { 413 "test_number": "4.2.2", 414 "test_desc": "Minimize the admission of containers wishing to share the host process ID namespace (Automated)", 415 "audit": "", 416 "AuditEnv": "", 417 "AuditConfig": "", 418 "type": "manual", 419 "remediation": "Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.hostPID field is omitted or set to false.\n", 420 "test_info": [ 421 "Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.hostPID field is omitted or set to false.\n" 422 ], 423 "status": "WARN", 424 "actual_value": "", 425 "scored": false, 426 "IsMultiple": false, 427 "expected_result": "", 428 "reason": "Test marked as a manual test" 429 }, 
430 { 431 "test_number": "4.2.3", 432 "test_desc": "Minimize the admission of containers wishing to share the host IPC namespace (Automated)", 433 "audit": "", 434 "AuditEnv": "", 435 "AuditConfig": "", 436 "type": "manual", 437 "remediation": "Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.hostIPC field is omitted or set to false.\n", 438 "test_info": [ 439 "Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.hostIPC field is omitted or set to false.\n" 440 ], 441 "status": "WARN", 442 "actual_value": "", 443 "scored": false, 444 "IsMultiple": false, 445 "expected_result": "", 446 "reason": "Test marked as a manual test" 447 }, 448 { 449 "test_number": "4.2.4", 450 "test_desc": "Minimize the admission of containers wishing to share the host network namespace (Automated)", 451 "audit": "", 452 "AuditEnv": "", 453 "AuditConfig": "", 454 "type": "manual", 455 "remediation": "Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.hostNetwork field is omitted or set to false.\n", 456 "test_info": [ 457 "Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.hostNetwork field is omitted or set to false.\n" 458 ], 459 "status": "WARN", 460 "actual_value": "", 461 "scored": false, 462 "IsMultiple": false, 463 "expected_result": "", 464 "reason": "Test marked as a manual test" 465 }, 466 { 467 "test_number": "4.2.5", 468 "test_desc": "Minimize the admission of containers with allowPrivilegeEscalation (Automated)", 469 "audit": "", 470 "AuditEnv": "", 471 "AuditConfig": "", 472 "type": "manual", 473 "remediation": "Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.allowPrivilegeEscalation field is omitted or set to false.\n", 474 "test_info": [ 475 "Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.allowPrivilegeEscalation field is omitted or set to false.\n" 476 ], 477 "status": 
"WARN", 478 "actual_value": "", 479 "scored": false, 480 "IsMultiple": false, 481 "expected_result": "", 482 "reason": "Test marked as a manual test" 483 }, 484 { 485 "test_number": "4.2.6", 486 "test_desc": "Minimize the admission of root containers (Automated)", 487 "audit": "", 488 "AuditEnv": "", 489 "AuditConfig": "", 490 "type": "manual", 491 "remediation": "Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of\nUIDs not including 0.\n", 492 "test_info": [ 493 "Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of\nUIDs not including 0.\n" 494 ], 495 "status": "WARN", 496 "actual_value": "", 497 "scored": false, 498 "IsMultiple": false, 499 "expected_result": "", 500 "reason": "Test marked as a manual test" 501 }, 502 { 503 "test_number": "4.2.7", 504 "test_desc": "Minimize the admission of containers with the NET_RAW capability (Automated)", 505 "audit": "", 506 "AuditEnv": "", 507 "AuditConfig": "", 508 "type": "manual", 509 "remediation": "Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.requiredDropCapabilities is set to include either NET_RAW or ALL.\n", 510 "test_info": [ 511 "Create a PSP as described in the Kubernetes documentation, ensuring that the\n.spec.requiredDropCapabilities is set to include either NET_RAW or ALL.\n" 512 ], 513 "status": "WARN", 514 "actual_value": "", 515 "scored": false, 516 "IsMultiple": false, 517 "expected_result": "", 518 "reason": "Test marked as a manual test" 519 }, 520 { 521 "test_number": "4.2.8", 522 "test_desc": "Minimize the admission of containers with added capabilities (Automated)", 523 "audit": "", 524 "AuditEnv": "", 525 "AuditConfig": "", 526 "type": "manual", 527 "remediation": "Ensure that allowedCapabilities is not present in PSPs for the cluster 
unless\nit is set to an empty array.\n", 528 "test_info": [ 529 "Ensure that allowedCapabilities is not present in PSPs for the cluster unless\nit is set to an empty array.\n" 530 ], 531 "status": "WARN", 532 "actual_value": "", 533 "scored": false, 534 "IsMultiple": false, 535 "expected_result": "", 536 "reason": "Test marked as a manual test" 537 }, 538 { 539 "test_number": "4.2.9", 540 "test_desc": "Minimize the admission of containers with capabilities assigned (Manual) ", 541 "audit": "", 542 "AuditEnv": "", 543 "AuditConfig": "", 544 "type": "manual", 545 "remediation": "Review the use of capabilities in applications running on your cluster. Where a namespace\ncontains applications which do not require any Linux capabilities to operate consider adding\na PSP which forbids the admission of containers which do not drop all capabilities.\n", 546 "test_info": [ 547 "Review the use of capabilities in applications running on your cluster. Where a namespace\ncontains applications which do not require any Linux capabilities to operate consider adding\na PSP which forbids the admission of containers which do not drop all capabilities.\n" 548 ], 549 "status": "WARN", 550 "actual_value": "", 551 "scored": false, 552 "IsMultiple": false, 553 "expected_result": "", 554 "reason": "Test marked as a manual test" 555 } 556 ] 557 }, 558 { 559 "section": "4.3", 560 "type": "", 561 "pass": 0, 562 "fail": 0, 563 "warn": 2, 564 "info": 0, 565 "desc": "Network Policies and CNI", 566 "results": [ 567 { 568 "test_number": "4.3.1", 569 "test_desc": "Ensure that the CNI in use supports Network Policies (Manual)", 570 "audit": "", 571 "AuditEnv": "", 572 "AuditConfig": "", 573 "type": "manual", 574 "remediation": "To use a CNI plugin with Network Policy, enable Network Policy in GKE, and the CNI plugin\nwill be updated. See Recommendation 6.6.7.\n", 575 "test_info": [ 576 "To use a CNI plugin with Network Policy, enable Network Policy in GKE, and the CNI plugin\nwill be updated. 
See Recommendation 6.6.7.\n" 577 ], 578 "status": "WARN", 579 "actual_value": "", 580 "scored": false, 581 "IsMultiple": false, 582 "expected_result": "", 583 "reason": "Test marked as a manual test" 584 }, 585 { 586 "test_number": "4.3.2", 587 "test_desc": "Ensure that all Namespaces have Network Policies defined (Manual)", 588 "audit": "", 589 "AuditEnv": "", 590 "AuditConfig": "", 591 "type": "manual", 592 "remediation": "Follow the documentation and create NetworkPolicy objects as you need them.\n", 593 "test_info": [ 594 "Follow the documentation and create NetworkPolicy objects as you need them.\n" 595 ], 596 "status": "WARN", 597 "actual_value": "", 598 "scored": false, 599 "IsMultiple": false, 600 "expected_result": "", 601 "reason": "Test marked as a manual test" 602 } 603 ] 604 }, 605 { 606 "section": "4.4", 607 "type": "", 608 "pass": 0, 609 "fail": 0, 610 "warn": 2, 611 "info": 0, 612 "desc": "Secrets Management", 613 "results": [ 614 { 615 "test_number": "4.4.1", 616 "test_desc": "Prefer using secrets as files over secrets as environment variables (Manual)", 617 "audit": "", 618 "AuditEnv": "", 619 "AuditConfig": "", 620 "type": "manual", 621 "remediation": "if possible, rewrite application code to read secrets from mounted secret files, rather than\nfrom environment variables.\n", 622 "test_info": [ 623 "if possible, rewrite application code to read secrets from mounted secret files, rather than\nfrom environment variables.\n" 624 ], 625 "status": "WARN", 626 "actual_value": "", 627 "scored": false, 628 "IsMultiple": false, 629 "expected_result": "", 630 "reason": "Test marked as a manual test" 631 }, 632 { 633 "test_number": "4.4.2", 634 "test_desc": "Consider external secret storage (Manual)", 635 "audit": "", 636 "AuditEnv": "", 637 "AuditConfig": "", 638 "type": "manual", 639 "remediation": "Refer to the secrets management options offered by your cloud provider or a third-party\nsecrets management solution.\n", 640 "test_info": [ 641 "Refer to the 
secrets management options offered by your cloud provider or a third-party\nsecrets management solution.\n" 642 ], 643 "status": "WARN", 644 "actual_value": "", 645 "scored": false, 646 "IsMultiple": false, 647 "expected_result": "", 648 "reason": "Test marked as a manual test" 649 } 650 ] 651 }, 652 { 653 "section": "4.5", 654 "type": "", 655 "pass": 0, 656 "fail": 0, 657 "warn": 1, 658 "info": 0, 659 "desc": "Extensible Admission Control", 660 "results": [ 661 { 662 "test_number": "4.5.1", 663 "test_desc": "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)", 664 "audit": "", 665 "AuditEnv": "", 666 "AuditConfig": "", 667 "type": "manual", 668 "remediation": "Follow the Kubernetes documentation and setup image provenance.\nSee also Recommendation 6.10.5 for GKE specifically.\n", 669 "test_info": [ 670 "Follow the Kubernetes documentation and setup image provenance.\nSee also Recommendation 6.10.5 for GKE specifically.\n" 671 ], 672 "status": "WARN", 673 "actual_value": "", 674 "scored": false, 675 "IsMultiple": false, 676 "expected_result": "", 677 "reason": "Test marked as a manual test" 678 } 679 ] 680 }, 681 { 682 "section": "4.6", 683 "type": "", 684 "pass": 0, 685 "fail": 0, 686 "warn": 4, 687 "info": 0, 688 "desc": "General Policies", 689 "results": [ 690 { 691 "test_number": "4.6.1", 692 "test_desc": "Create administrative boundaries between resources using namespaces (Manual)", 693 "audit": "", 694 "AuditEnv": "", 695 "AuditConfig": "", 696 "type": "manual", 697 "remediation": "Follow the documentation and create namespaces for objects in your deployment as you need\nthem.\n", 698 "test_info": [ 699 "Follow the documentation and create namespaces for objects in your deployment as you need\nthem.\n" 700 ], 701 "status": "WARN", 702 "actual_value": "", 703 "scored": false, 704 "IsMultiple": false, 705 "expected_result": "", 706 "reason": "Test marked as a manual test" 707 }, 708 { 709 "test_number": "4.6.2", 710 "test_desc": 
"Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)", 711 "audit": "", 712 "AuditEnv": "", 713 "AuditConfig": "", 714 "type": "manual", 715 "remediation": "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you\nwould need to enable alpha features in the apiserver by passing \"--feature-\ngates=AllAlpha=true\" argument.\nEdit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS\nparameter to \"--feature-gates=AllAlpha=true\"\nKUBE_API_ARGS=\"--feature-gates=AllAlpha=true\"\nBased on your system, restart the kube-apiserver service. For example:\nsystemctl restart kube-apiserver.service\nUse annotations to enable the docker/default seccomp profile in your pod definitions. An\nexample is as below:\napiVersion: v1\nkind: Pod\nmetadata:\n name: trustworthy-pod\n annotations:\n seccomp.security.alpha.kubernetes.io/pod: docker/default\nspec:\n containers:\n - name: trustworthy-container\n image: sotrustworthy:latest\n", 716 "test_info": [ 717 "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you\nwould need to enable alpha features in the apiserver by passing \"--feature-\ngates=AllAlpha=true\" argument.\nEdit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS\nparameter to \"--feature-gates=AllAlpha=true\"\nKUBE_API_ARGS=\"--feature-gates=AllAlpha=true\"\nBased on your system, restart the kube-apiserver service. For example:\nsystemctl restart kube-apiserver.service\nUse annotations to enable the docker/default seccomp profile in your pod definitions. 
An\nexample is as below:\napiVersion: v1\nkind: Pod\nmetadata:\n name: trustworthy-pod\n annotations:\n seccomp.security.alpha.kubernetes.io/pod: docker/default\nspec:\n containers:\n - name: trustworthy-container\n image: sotrustworthy:latest\n" 718 ], 719 "status": "WARN", 720 "actual_value": "", 721 "scored": false, 722 "IsMultiple": false, 723 "expected_result": "", 724 "reason": "Test marked as a manual test" 725 }, 726 { 727 "test_number": "4.6.3", 728 "test_desc": "Apply Security Context to Your Pods and Containers (Manual)", 729 "audit": "", 730 "AuditEnv": "", 731 "AuditConfig": "", 732 "type": "manual", 733 "remediation": "Follow the Kubernetes documentation and apply security contexts to your pods. For a\nsuggested list of security contexts, you may refer to the CIS Security Benchmark for Docker\nContainers.\n", 734 "test_info": [ 735 "Follow the Kubernetes documentation and apply security contexts to your pods. For a\nsuggested list of security contexts, you may refer to the CIS Security Benchmark for Docker\nContainers.\n" 736 ], 737 "status": "WARN", 738 "actual_value": "", 739 "scored": false, 740 "IsMultiple": false, 741 "expected_result": "", 742 "reason": "Test marked as a manual test" 743 }, 744 { 745 "test_number": "4.6.4", 746 "test_desc": "The default namespace should not be used (Manual)", 747 "audit": "", 748 "AuditEnv": "", 749 "AuditConfig": "", 750 "type": "manual", 751 "remediation": "Ensure that namespaces are created to allow for appropriate segregation of Kubernetes\nresources and that all new resources are created in a specific namespace.\n", 752 "test_info": [ 753 "Ensure that namespaces are created to allow for appropriate segregation of Kubernetes\nresources and that all new resources are created in a specific namespace.\n" 754 ], 755 "status": "WARN", 756 "actual_value": "", 757 "scored": false, 758 "IsMultiple": false, 759 "expected_result": "", 760 "reason": "Test marked as a manual test" 761 } 762 ] 763 } 764 ], 765 
"total_pass": 0, 766 "total_fail": 0, 767 "total_warn": 24, 768 "total_info": 0 769 }, 770 { 771 "id": "5", 772 "version": "gke-1.2.0", 773 "detected_version": "none", 774 "text": "Managed Services", 775 "node_type": "managedservices", 776 "tests": [ 777 { 778 "section": "5.1", 779 "type": "", 780 "pass": 0, 781 "fail": 0, 782 "warn": 4, 783 "info": 0, 784 "desc": "Image Registry and Image Scanning", 785 "results": [ 786 { 787 "test_number": "5.1.1", 788 "test_desc": "Ensure Image Vulnerability Scanning using GCR Container Analysis or a third-party provider (Manual)", 789 "audit": "", 790 "AuditEnv": "", 791 "AuditConfig": "", 792 "type": "manual", 793 "remediation": "Using Command Line:\n\n gcloud services enable containerscanning.googleapis.com\n", 794 "test_info": [ 795 "Using Command Line:\n\n gcloud services enable containerscanning.googleapis.com\n" 796 ], 797 "status": "WARN", 798 "actual_value": "", 799 "scored": false, 800 "IsMultiple": false, 801 "expected_result": "", 802 "reason": "Test marked as a manual test" 803 }, 804 { 805 "test_number": "5.1.2", 806 "test_desc": "Minimize user access to GCR (Manual)", 807 "audit": "", 808 "AuditEnv": "", 809 "AuditConfig": "", 810 "type": "manual", 811 "remediation": "Using Command Line:\n To change roles at the GCR bucket level:\n Firstly, run the following if read permissions are required:\n\n gsutil iam ch [TYPE]:[EMAIL-ADDRESS]:objectViewer\n gs://artifacts.[PROJECT_ID].appspot.com\n\n Then remove the excessively privileged role (Storage Admin / Storage Object Admin /\n Storage Object Creator) using:\n\n gsutil iam ch -d [TYPE]:[EMAIL-ADDRESS]:[ROLE]\n gs://artifacts.[PROJECT_ID].appspot.com\n\n where:\n [TYPE] can be one of the following:\n o user, if the [EMAIL-ADDRESS] is a Google account\n o serviceAccount, if [EMAIL-ADDRESS] specifies a Service account\n [EMAIL-ADDRESS] can be one of the following:\n o a Google account (for example, someone@example.com)\n o a Cloud IAM service account\n To modify roles 
defined at the project level and subsequently inherited within the GCR\n bucket, or the Service Account User role, extract the IAM policy file, modify it accordingly\n and apply it using:\n\n gcloud projects set-iam-policy [PROJECT_ID] [POLICY_FILE]\n", 812 "test_info": [ 813 "Using Command Line:\n To change roles at the GCR bucket level:\n Firstly, run the following if read permissions are required:\n\n gsutil iam ch [TYPE]:[EMAIL-ADDRESS]:objectViewer\n gs://artifacts.[PROJECT_ID].appspot.com\n\n Then remove the excessively privileged role (Storage Admin / Storage Object Admin /\n Storage Object Creator) using:\n\n gsutil iam ch -d [TYPE]:[EMAIL-ADDRESS]:[ROLE]\n gs://artifacts.[PROJECT_ID].appspot.com\n\n where:\n [TYPE] can be one of the following:\n o user, if the [EMAIL-ADDRESS] is a Google account\n o serviceAccount, if [EMAIL-ADDRESS] specifies a Service account\n [EMAIL-ADDRESS] can be one of the following:\n o a Google account (for example, someone@example.com)\n o a Cloud IAM service account\n To modify roles defined at the project level and subsequently inherited within the GCR\n bucket, or the Service Account User role, extract the IAM policy file, modify it accordingly\n and apply it using:\n\n gcloud projects set-iam-policy [PROJECT_ID] [POLICY_FILE]\n" 814 ], 815 "status": "WARN", 816 "actual_value": "", 817 "scored": false, 818 "IsMultiple": false, 819 "expected_result": "", 820 "reason": "Test marked as a manual test" 821 }, 822 { 823 "test_number": "5.1.3", 824 "test_desc": "Minimize cluster access to read-only for GCR (Manual)", 825 "audit": "", 826 "AuditEnv": "", 827 "AuditConfig": "", 828 "type": "manual", 829 "remediation": "Using Command Line:\n For an account explicitly granted to the bucket. 
First, add read access to the Kubernetes\n Service Account\n\n gsutil iam ch [TYPE]:[EMAIL-ADDRESS]:objectViewer\n gs://artifacts.[PROJECT_ID].appspot.com\n\n where:\n [TYPE] can be one of the following:\n o user, if the [EMAIL-ADDRESS] is a Google account\n o serviceAccount, if [EMAIL-ADDRESS] specifies a Service account\n [EMAIL-ADDRESS] can be one of the following:\n o a Google account (for example, someone@example.com)\n o a Cloud IAM service account\n\n Then remove the excessively privileged role (Storage Admin / Storage Object Admin /\n Storage Object Creator) using:\n\n gsutil iam ch -d [TYPE]:[EMAIL-ADDRESS]:[ROLE]\n gs://artifacts.[PROJECT_ID].appspot.com\n\n For an account that inherits access to the GCR Bucket through Project level permissions,\n modify the Projects IAM policy file accordingly, then upload it using:\n\n gcloud projects set-iam-policy [PROJECT_ID] [POLICY_FILE]\n", 830 "test_info": [ 831 "Using Command Line:\n For an account explicitly granted to the bucket. First, add read access to the Kubernetes\n Service Account\n\n gsutil iam ch [TYPE]:[EMAIL-ADDRESS]:objectViewer\n gs://artifacts.[PROJECT_ID].appspot.com\n\n where:\n [TYPE] can be one of the following:\n o user, if the [EMAIL-ADDRESS] is a Google account\n o serviceAccount, if [EMAIL-ADDRESS] specifies a Service account\n [EMAIL-ADDRESS] can be one of the following:\n o a Google account (for example, someone@example.com)\n o a Cloud IAM service account\n\n Then remove the excessively privileged role (Storage Admin / Storage Object Admin /\n Storage Object Creator) using:\n\n gsutil iam ch -d [TYPE]:[EMAIL-ADDRESS]:[ROLE]\n gs://artifacts.[PROJECT_ID].appspot.com\n\n For an account that inherits access to the GCR Bucket through Project level permissions,\n modify the Projects IAM policy file accordingly, then upload it using:\n\n gcloud projects set-iam-policy [PROJECT_ID] [POLICY_FILE]\n" 832 ], 833 "status": "WARN", 834 "actual_value": "", 835 "scored": false, 836 "IsMultiple": 
false, 837 "expected_result": "", 838 "reason": "Test marked as a manual test" 839 }, 840 { 841 "test_number": "5.1.4", 842 "test_desc": "Minimize Container Registries to only those approved (Manual)", 843 "audit": "", 844 "AuditEnv": "", 845 "AuditConfig": "", 846 "type": "manual", 847 "remediation": "Using Command Line:\n First, update the cluster to enable Binary Authorization:\n\n gcloud container clusters update [CLUSTER_NAME] \\\n --enable-binauthz\n\n Create a Binary Authorization Policy using the Binary Authorization Policy Reference\n (https://cloud.google.com/binary-authorization/docs/policy-yaml-reference) for guidance.\n Import the policy file into Binary Authorization:\n\n gcloud container binauthz policy import [YAML_POLICY]\n", 848 "test_info": [ 849 "Using Command Line:\n First, update the cluster to enable Binary Authorization:\n\n gcloud container clusters update [CLUSTER_NAME] \\\n --enable-binauthz\n\n Create a Binary Authorization Policy using the Binary Authorization Policy Reference\n (https://cloud.google.com/binary-authorization/docs/policy-yaml-reference) for guidance.\n Import the policy file into Binary Authorization:\n\n gcloud container binauthz policy import [YAML_POLICY]\n" 850 ], 851 "status": "WARN", 852 "actual_value": "", 853 "scored": false, 854 "IsMultiple": false, 855 "expected_result": "", 856 "reason": "Test marked as a manual test" 857 } 858 ] 859 }, 860 { 861 "section": "5.2", 862 "type": "", 863 "pass": 0, 864 "fail": 0, 865 "warn": 2, 866 "info": 0, 867 "desc": "Identity and Access Management (IAM)", 868 "results": [ 869 { 870 "test_number": "5.2.1", 871 "test_desc": "Ensure GKE clusters are not running using the Compute Engine default service account (Manual)", 872 "audit": "", 873 "AuditEnv": "", 874 "AuditConfig": "", 875 "type": "manual", 876 "remediation": "Using Command Line:\n Firstly, create a minimally privileged service account:\n\n gcloud iam service-accounts create [SA_NAME] \\\n --display-name \"GKE Node 
Service Account\"\n export NODE_SA_EMAIL=`gcloud iam service-accounts list \\\n --format='value(email)' \\\n --filter='displayName:GKE Node Service Account'`\n\n Grant the following roles to the service account:\n\n export PROJECT_ID=`gcloud config get-value project`\n gcloud projects add-iam-policy-binding $PROJECT_ID \\\n --member serviceAccount:$NODE_SA_EMAIL \\\n --role roles/monitoring.metricWriter\n gcloud projects add-iam-policy-binding $PROJECT_ID \\\n --member serviceAccount:$NODE_SA_EMAIL \\\n --role roles/monitoring.viewer\n gcloud projects add-iam-policy-binding $PROJECT_ID \\\n --member serviceAccount:$NODE_SA_EMAIL \\\n --role roles/logging.logWriter\n\n To create a new Node pool using the Service account, run the following command:\n\n gcloud container node-pools create [NODE_POOL] \\\n --service-account=[SA_NAME]@[PROJECT_ID].iam.gserviceaccount.com \\\n --cluster=[CLUSTER_NAME] --zone [COMPUTE_ZONE]\n\n You will need to migrate your workloads to the new Node pool, and delete Node pools that\n use the default service account to complete the remediation.\n", 877 "test_info": [ 878 "Using Command Line:\n Firstly, create a minimally privileged service account:\n\n gcloud iam service-accounts create [SA_NAME] \\\n --display-name \"GKE Node Service Account\"\n export NODE_SA_EMAIL=`gcloud iam service-accounts list \\\n --format='value(email)' \\\n --filter='displayName:GKE Node Service Account'`\n\n Grant the following roles to the service account:\n\n export PROJECT_ID=`gcloud config get-value project`\n gcloud projects add-iam-policy-binding $PROJECT_ID \\\n --member serviceAccount:$NODE_SA_EMAIL \\\n --role roles/monitoring.metricWriter\n gcloud projects add-iam-policy-binding $PROJECT_ID \\\n --member serviceAccount:$NODE_SA_EMAIL \\\n --role roles/monitoring.viewer\n gcloud projects add-iam-policy-binding $PROJECT_ID \\\n --member serviceAccount:$NODE_SA_EMAIL \\\n --role roles/logging.logWriter\n\n To create a new Node pool using the Service 
account, run the following command:\n\n gcloud container node-pools create [NODE_POOL] \\\n --service-account=[SA_NAME]@[PROJECT_ID].iam.gserviceaccount.com \\\n --cluster=[CLUSTER_NAME] --zone [COMPUTE_ZONE]\n\n You will need to migrate your workloads to the new Node pool, and delete Node pools that\n use the default service account to complete the remediation.\n" 879 ], 880 "status": "WARN", 881 "actual_value": "", 882 "scored": false, 883 "IsMultiple": false, 884 "expected_result": "", 885 "reason": "Test marked as a manual test" 886 }, 887 { 888 "test_number": "5.2.2", 889 "test_desc": "Prefer using dedicated GCP Service Accounts and Workload Identity (Manual)", 890 "audit": "", 891 "AuditEnv": "", 892 "AuditConfig": "", 893 "type": "manual", 894 "remediation": "Using Command Line:\n\n gcloud beta container clusters update [CLUSTER_NAME] --zone [CLUSTER_ZONE] \\\n --identity-namespace=[PROJECT_ID].svc.id.goog\n\n Note that existing Node pools are unaffected. New Node pools default to --workload-\n metadata-from-node=GKE_METADATA_SERVER .\n\n Then, modify existing Node pools to enable GKE_METADATA_SERVER:\n\n gcloud beta container node-pools update [NODEPOOL_NAME] \\\n --cluster=[CLUSTER_NAME] --zone [CLUSTER_ZONE] \\\n --workload-metadata-from-node=GKE_METADATA_SERVER\n\n You may also need to modify workloads in order for them to use Workload Identity as\n described within https://cloud.google.com/kubernetes-engine/docs/how-to/workload-\n identity. Also consider the effects on the availability of your hosted workloads as Node\n pools are updated, it may be more appropriate to create new Node Pools.\n", 895 "test_info": [ 896 "Using Command Line:\n\n gcloud beta container clusters update [CLUSTER_NAME] --zone [CLUSTER_ZONE] \\\n --identity-namespace=[PROJECT_ID].svc.id.goog\n\n Note that existing Node pools are unaffected. 
New Node pools default to --workload-\n metadata-from-node=GKE_METADATA_SERVER .\n\n Then, modify existing Node pools to enable GKE_METADATA_SERVER:\n\n gcloud beta container node-pools update [NODEPOOL_NAME] \\\n --cluster=[CLUSTER_NAME] --zone [CLUSTER_ZONE] \\\n --workload-metadata-from-node=GKE_METADATA_SERVER\n\n You may also need to modify workloads in order for them to use Workload Identity as\n described within https://cloud.google.com/kubernetes-engine/docs/how-to/workload-\n identity. Also consider the effects on the availability of your hosted workloads as Node\n pools are updated, it may be more appropriate to create new Node Pools.\n" 897 ], 898 "status": "WARN", 899 "actual_value": "", 900 "scored": false, 901 "IsMultiple": false, 902 "expected_result": "", 903 "reason": "Test marked as a manual test" 904 } 905 ] 906 }, 907 { 908 "section": "5.3", 909 "type": "", 910 "pass": 0, 911 "fail": 0, 912 "warn": 1, 913 "info": 0, 914 "desc": "Cloud Key Management Service (Cloud KMS)", 915 "results": [ 916 { 917 "test_number": "5.3.1", 918 "test_desc": "Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS (Manual)", 919 "audit": "", 920 "AuditEnv": "", 921 "AuditConfig": "", 922 "type": "manual", 923 "remediation": "Using Command Line:\n To create a key\n\n Create a key ring:\n\n gcloud kms keyrings create [RING_NAME] \\\n --location [LOCATION] \\\n --project [KEY_PROJECT_ID]\n\n Create a key:\n\n gcloud kms keys create [KEY_NAME] \\\n --location [LOCATION] \\\n --keyring [RING_NAME] \\\n --purpose encryption \\\n --project [KEY_PROJECT_ID]\n\n Grant the Kubernetes Engine Service Agent service account the Cloud KMS CryptoKey\n Encrypter/Decrypter role:\n\n gcloud kms keys add-iam-policy-binding [KEY_NAME] \\\n --location [LOCATION] \\\n --keyring [RING_NAME] \\\n --member serviceAccount:[SERVICE_ACCOUNT_NAME] \\\n --role roles/cloudkms.cryptoKeyEncrypterDecrypter \\\n --project [KEY_PROJECT_ID]\n\n To create a new cluster with 
Application-layer Secrets Encryption:\n\n gcloud container clusters create [CLUSTER_NAME] \\\n --cluster-version=latest \\\n --zone [ZONE] \\\n --database-encryption-key projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKey s/[KEY_NAME] \\\n --project [CLUSTER_PROJECT_ID]\n\n To enable on an existing cluster:\n\n gcloud container clusters update [CLUSTER_NAME] \\\n --zone [ZONE] \\\n --database-encryption-key projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKey s/[KEY_NAME] \\\n --project [CLUSTER_PROJECT_ID]\n", 924 "test_info": [ 925 "Using Command Line:\n To create a key\n\n Create a key ring:\n\n gcloud kms keyrings create [RING_NAME] \\\n --location [LOCATION] \\\n --project [KEY_PROJECT_ID]\n\n Create a key:\n\n gcloud kms keys create [KEY_NAME] \\\n --location [LOCATION] \\\n --keyring [RING_NAME] \\\n --purpose encryption \\\n --project [KEY_PROJECT_ID]\n\n Grant the Kubernetes Engine Service Agent service account the Cloud KMS CryptoKey\n Encrypter/Decrypter role:\n\n gcloud kms keys add-iam-policy-binding [KEY_NAME] \\\n --location [LOCATION] \\\n --keyring [RING_NAME] \\\n --member serviceAccount:[SERVICE_ACCOUNT_NAME] \\\n --role roles/cloudkms.cryptoKeyEncrypterDecrypter \\\n --project [KEY_PROJECT_ID]\n\n To create a new cluster with Application-layer Secrets Encryption:\n\n gcloud container clusters create [CLUSTER_NAME] \\\n --cluster-version=latest \\\n --zone [ZONE] \\\n --database-encryption-key projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKey s/[KEY_NAME] \\\n --project [CLUSTER_PROJECT_ID]\n\n To enable on an existing cluster:\n\n gcloud container clusters update [CLUSTER_NAME] \\\n --zone [ZONE] \\\n --database-encryption-key projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKey s/[KEY_NAME] \\\n --project [CLUSTER_PROJECT_ID]\n" 926 ], 927 "status": "WARN", 928 "actual_value": "", 929 "scored": false, 930 "IsMultiple": false, 931 
"expected_result": "", 932 "reason": "Test marked as a manual test" 933 } 934 ] 935 }, 936 { 937 "section": "5.4", 938 "type": "", 939 "pass": 0, 940 "fail": 0, 941 "warn": 2, 942 "info": 0, 943 "desc": "Node Metadata", 944 "results": [ 945 { 946 "test_number": "5.4.1", 947 "test_desc": "Ensure legacy Compute Engine instance metadata APIs are Disabled (Automated)", 948 "audit": "", 949 "AuditEnv": "", 950 "AuditConfig": "", 951 "type": "manual", 952 "remediation": "Using Command Line:\n To update an existing cluster, create a new Node pool with the legacy GCE metadata\n endpoint disabled:\n\n gcloud container node-pools create [POOL_NAME] \\\n --metadata disable-legacy-endpoints=true \\\n --cluster [CLUSTER_NAME] \\\n --zone [COMPUTE_ZONE]\n\n You will need to migrate workloads from any existing non-conforming Node pools, to the\n new Node pool, then delete non-conforming Node pools to complete the remediation.\n", 953 "test_info": [ 954 "Using Command Line:\n To update an existing cluster, create a new Node pool with the legacy GCE metadata\n endpoint disabled:\n\n gcloud container node-pools create [POOL_NAME] \\\n --metadata disable-legacy-endpoints=true \\\n --cluster [CLUSTER_NAME] \\\n --zone [COMPUTE_ZONE]\n\n You will need to migrate workloads from any existing non-conforming Node pools, to the\n new Node pool, then delete non-conforming Node pools to complete the remediation.\n" 955 ], 956 "status": "WARN", 957 "actual_value": "", 958 "scored": false, 959 "IsMultiple": false, 960 "expected_result": "", 961 "reason": "Test marked as a manual test" 962 }, 963 { 964 "test_number": "5.4.2", 965 "test_desc": "Ensure the GKE Metadata Server is Enabled (Automated)", 966 "audit": "", 967 "AuditEnv": "", 968 "AuditConfig": "", 969 "type": "manual", 970 "remediation": "Using Command Line:\n gcloud beta container clusters update [CLUSTER_NAME] \\\n --identity-namespace=[PROJECT_ID].svc.id.goog\n Note that existing Node pools are unaffected. 
New Node pools default to --workload-\n metadata-from-node=GKE_METADATA_SERVER .\n\n To modify an existing Node pool to enable GKE Metadata Server:\n\n gcloud beta container node-pools update [NODEPOOL_NAME] \\\n --cluster=[CLUSTER_NAME] \\\n --workload-metadata-from-node=GKE_METADATA_SERVER\n\n You may also need to modify workloads in order for them to use Workload Identity as\n described within https://cloud.google.com/kubernetes-engine/docs/how-to/workload-\n identity.\n", 971 "test_info": [ 972 "Using Command Line:\n gcloud beta container clusters update [CLUSTER_NAME] \\\n --identity-namespace=[PROJECT_ID].svc.id.goog\n Note that existing Node pools are unaffected. New Node pools default to --workload-\n metadata-from-node=GKE_METADATA_SERVER .\n\n To modify an existing Node pool to enable GKE Metadata Server:\n\n gcloud beta container node-pools update [NODEPOOL_NAME] \\\n --cluster=[CLUSTER_NAME] \\\n --workload-metadata-from-node=GKE_METADATA_SERVER\n\n You may also need to modify workloads in order for them to use Workload Identity as\n described within https://cloud.google.com/kubernetes-engine/docs/how-to/workload-\n identity.\n" 973 ], 974 "status": "WARN", 975 "actual_value": "", 976 "scored": false, 977 "IsMultiple": false, 978 "expected_result": "", 979 "reason": "Test marked as a manual test" 980 } 981 ] 982 }, 983 { 984 "section": "5.5", 985 "type": "", 986 "pass": 0, 987 "fail": 0, 988 "warn": 7, 989 "info": 0, 990 "desc": "Node Configuration and Maintenance", 991 "results": [ 992 { 993 "test_number": "5.5.1", 994 "test_desc": "Ensure Container-Optimized OS (COS) is used for GKE node images (Automated)", 995 "audit": "", 996 "AuditEnv": "", 997 "AuditConfig": "", 998 "type": "manual", 999 "remediation": "Using Command Line:\n To set the node image to cos for an existing cluster's Node pool:\n\n gcloud container clusters upgrade [CLUSTER_NAME]\\\n --image-type cos \\\n --zone [COMPUTE_ZONE] --node-pool [POOL_NAME]\n", 1000 "test_info": [ 1001 
"Using Command Line:\n To set the node image to cos for an existing cluster's Node pool:\n\n gcloud container clusters upgrade [CLUSTER_NAME]\\\n --image-type cos \\\n --zone [COMPUTE_ZONE] --node-pool [POOL_NAME]\n" 1002 ], 1003 "status": "WARN", 1004 "actual_value": "", 1005 "scored": false, 1006 "IsMultiple": false, 1007 "expected_result": "", 1008 "reason": "Test marked as a manual test" 1009 }, 1010 { 1011 "test_number": "5.5.2", 1012 "test_desc": "Ensure Node Auto-Repair is enabled for GKE nodes (Automated)", 1013 "audit": "", 1014 "AuditEnv": "", 1015 "AuditConfig": "", 1016 "type": "manual", 1017 "remediation": "Using Command Line:\n To enable node auto-repair for an existing cluster with Node pool, run the following\n command:\n\n gcloud container node-pools update [POOL_NAME] \\\n --cluster [CLUSTER_NAME] --zone [COMPUTE_ZONE] \\\n --enable-autorepair\n", 1018 "test_info": [ 1019 "Using Command Line:\n To enable node auto-repair for an existing cluster with Node pool, run the following\n command:\n\n gcloud container node-pools update [POOL_NAME] \\\n --cluster [CLUSTER_NAME] --zone [COMPUTE_ZONE] \\\n --enable-autorepair\n" 1020 ], 1021 "status": "WARN", 1022 "actual_value": "", 1023 "scored": false, 1024 "IsMultiple": false, 1025 "expected_result": "", 1026 "reason": "Test marked as a manual test" 1027 }, 1028 { 1029 "test_number": "5.5.3", 1030 "test_desc": "Ensure Node Auto-Upgrade is enabled for GKE nodes (Automated)", 1031 "audit": "", 1032 "AuditEnv": "", 1033 "AuditConfig": "", 1034 "type": "manual", 1035 "remediation": "Using Command Line:\n To enable node auto-upgrade for an existing cluster's Node pool, run the following\n command:\n\n gcloud container node-pools update [NODE_POOL] \\\n --cluster [CLUSTER_NAME] --zone [COMPUTE_ZONE] \\\n --enable-autoupgrade\n", 1036 "test_info": [ 1037 "Using Command Line:\n To enable node auto-upgrade for an existing cluster's Node pool, run the following\n command:\n\n gcloud container node-pools update 
[NODE_POOL] \\\n --cluster [CLUSTER_NAME] --zone [COMPUTE_ZONE] \\\n --enable-autoupgrade\n" 1038 ], 1039 "status": "WARN", 1040 "actual_value": "", 1041 "scored": false, 1042 "IsMultiple": false, 1043 "expected_result": "", 1044 "reason": "Test marked as a manual test" 1045 }, 1046 { 1047 "test_number": "5.5.4", 1048 "test_desc": "Automate GKE version management using Release Channels (Manual)", 1049 "audit": "", 1050 "AuditEnv": "", 1051 "AuditConfig": "", 1052 "type": "manual", 1053 "remediation": "Using Command Line:\n Create a new cluster by running the following command:\n\n gcloud beta container clusters create [CLUSTER_NAME] \\\n --zone [COMPUTE_ZONE] \\\n --release-channel [RELEASE_CHANNEL]\n\n where [RELEASE_CHANNEL] is stable or regular according to your needs.\n", 1054 "test_info": [ 1055 "Using Command Line:\n Create a new cluster by running the following command:\n\n gcloud beta container clusters create [CLUSTER_NAME] \\\n --zone [COMPUTE_ZONE] \\\n --release-channel [RELEASE_CHANNEL]\n\n where [RELEASE_CHANNEL] is stable or regular according to your needs.\n" 1056 ], 1057 "status": "WARN", 1058 "actual_value": "", 1059 "scored": false, 1060 "IsMultiple": false, 1061 "expected_result": "", 1062 "reason": "Test marked as a manual test" 1063 }, 1064 { 1065 "test_number": "5.5.5", 1066 "test_desc": "Ensure Shielded GKE Nodes are Enabled (Manual)", 1067 "audit": "", 1068 "AuditEnv": "", 1069 "AuditConfig": "", 1070 "type": "manual", 1071 "remediation": "Using Command Line:\n To create a Node pool within the cluster with Integrity Monitoring enabled, run the\n following command:\n\n gcloud beta container node-pools create [NODEPOOL_NAME] \\\n --cluster [CLUSTER_NAME] --zone [COMPUTE_ZONE] \\\n --shielded-integrity-monitoring\n\n You will also need to migrate workloads from existing non-conforming Node pools to the\n newly created Node pool, then delete the non-conforming pools.\n", 1072 "test_info": [ 1073 "Using Command Line:\n To create a Node pool 
within the cluster with Integrity Monitoring enabled, run the\n following command:\n\n gcloud beta container node-pools create [NODEPOOL_NAME] \\\n --cluster [CLUSTER_NAME] --zone [COMPUTE_ZONE] \\\n --shielded-integrity-monitoring\n\n You will also need to migrate workloads from existing non-conforming Node pools to the\n newly created Node pool, then delete the non-conforming pools.\n" 1074 ], 1075 "status": "WARN", 1076 "actual_value": "", 1077 "scored": false, 1078 "IsMultiple": false, 1079 "expected_result": "", 1080 "reason": "Test marked as a manual test" 1081 }, 1082 { 1083 "test_number": "5.5.6", 1084 "test_desc": "Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled (Automated)", 1085 "audit": "", 1086 "AuditEnv": "", 1087 "AuditConfig": "", 1088 "type": "manual", 1089 "remediation": "Using Command Line:\n To create a Node pool within the cluster with Integrity Monitoring enabled, run the\n following command:\n\n gcloud beta container node-pools create [NODEPOOL_NAME] \\\n --cluster [CLUSTER_NAME] --zone [COMPUTE_ZONE] \\\n --shielded-integrity-monitoring\n\nYou will also need to migrate workloads from existing non-conforming Node pools to the newly created Node pool,\nthen delete the non-conforming pools.\n", 1090 "test_info": [ 1091 "Using Command Line:\n To create a Node pool within the cluster with Integrity Monitoring enabled, run the\n following command:\n\n gcloud beta container node-pools create [NODEPOOL_NAME] \\\n --cluster [CLUSTER_NAME] --zone [COMPUTE_ZONE] \\\n --shielded-integrity-monitoring\n\nYou will also need to migrate workloads from existing non-conforming Node pools to the newly created Node pool,\nthen delete the non-conforming pools.\n" 1092 ], 1093 "status": "WARN", 1094 "actual_value": "", 1095 "scored": false, 1096 "IsMultiple": false, 1097 "expected_result": "", 1098 "reason": "Test marked as a manual test" 1099 }, 1100 { 1101 "test_number": "5.5.7", 1102 "test_desc": "Ensure Secure Boot for Shielded GKE Nodes is 
Enabled (Automated)", 1103 "audit": "", 1104 "AuditEnv": "", 1105 "AuditConfig": "", 1106 "type": "manual", 1107 "remediation": "Using Command Line:\n To create a Node pool within the cluster with Secure Boot enabled, run the following\n command:\n\n gcloud beta container node-pools create [NODEPOOL_NAME] \\\n --cluster [CLUSTER_NAME] --zone [COMPUTE_ZONE] \\\n --shielded-secure-boot\n\n You will also need to migrate workloads from existing non-conforming Node pools to the\n newly created Node pool, then delete the non-conforming pools.\n", 1108 "test_info": [ 1109 "Using Command Line:\n To create a Node pool within the cluster with Secure Boot enabled, run the following\n command:\n\n gcloud beta container node-pools create [NODEPOOL_NAME] \\\n --cluster [CLUSTER_NAME] --zone [COMPUTE_ZONE] \\\n --shielded-secure-boot\n\n You will also need to migrate workloads from existing non-conforming Node pools to the\n newly created Node pool, then delete the non-conforming pools.\n" 1110 ], 1111 "status": "WARN", 1112 "actual_value": "", 1113 "scored": false, 1114 "IsMultiple": false, 1115 "expected_result": "", 1116 "reason": "Test marked as a manual test" 1117 } 1118 ] 1119 }, 1120 { 1121 "section": "5.6", 1122 "type": "", 1123 "pass": 0, 1124 "fail": 0, 1125 "warn": 8, 1126 "info": 0, 1127 "desc": "Cluster Networking", 1128 "results": [ 1129 { 1130 "test_number": "5.6.1", 1131 "test_desc": "Enable VPC Flow Logs and Intranode Visibility (Automated)", 1132 "audit": "", 1133 "AuditEnv": "", 1134 "AuditConfig": "", 1135 "type": "manual", 1136 "remediation": "Using Command Line:\n To enable intranode visibility on an existing cluster, run the following command:\n\n gcloud beta container clusters update [CLUSTER_NAME] \\\n --enable-intra-node-visibility\n", 1137 "test_info": [ 1138 "Using Command Line:\n To enable intranode visibility on an existing cluster, run the following command:\n\n gcloud beta container clusters update [CLUSTER_NAME] \\\n 
--enable-intra-node-visibility\n" 1139 ], 1140 "status": "WARN", 1141 "actual_value": "", 1142 "scored": false, 1143 "IsMultiple": false, 1144 "expected_result": "", 1145 "reason": "Test marked as a manual test" 1146 }, 1147 { 1148 "test_number": "5.6.2", 1149 "test_desc": "Ensure use of VPC-native clusters (Automated)", 1150 "audit": "", 1151 "AuditEnv": "", 1152 "AuditConfig": "", 1153 "type": "manual", 1154 "remediation": "Using Command Line:\n To enable Alias IP on a new cluster, run the following command:\n\n gcloud container clusters create [CLUSTER_NAME] \\\n --zone [COMPUTE_ZONE] \\\n --enable-ip-alias\n", 1155 "test_info": [ 1156 "Using Command Line:\n To enable Alias IP on a new cluster, run the following command:\n\n gcloud container clusters create [CLUSTER_NAME] \\\n --zone [COMPUTE_ZONE] \\\n --enable-ip-alias\n" 1157 ], 1158 "status": "WARN", 1159 "actual_value": "", 1160 "scored": false, 1161 "IsMultiple": false, 1162 "expected_result": "", 1163 "reason": "Test marked as a manual test" 1164 }, 1165 { 1166 "test_number": "5.6.3", 1167 "test_desc": "Ensure Master Authorized Networks is Enabled (Manual)", 1168 "audit": "", 1169 "AuditEnv": "", 1170 "AuditConfig": "", 1171 "type": "manual", 1172 "remediation": "Using Command Line:\n To check Master Authorized Networks status for an existing cluster, run the following\n command;\n\n gcloud container clusters describe [CLUSTER_NAME] \\\n --zone [COMPUTE_ZONE] \\\n --format json | jq '.masterAuthorizedNetworksConfig'\n\n The output should return\n\n {\n \"enabled\": true\n }\n\n if Master Authorized Networks is enabled.\n\n If Master Authorized Networks is disabled, the\n above command will return null ( { } ).\n", 1173 "test_info": [ 1174 "Using Command Line:\n To check Master Authorized Networks status for an existing cluster, run the following\n command;\n\n gcloud container clusters describe [CLUSTER_NAME] \\\n --zone [COMPUTE_ZONE] \\\n --format json | jq '.masterAuthorizedNetworksConfig'\n\n The 
output should return\n\n {\n \"enabled\": true\n }\n\n if Master Authorized Networks is enabled.\n\n If Master Authorized Networks is disabled, the\n above command will return null ( { } ).\n" 1175 ], 1176 "status": "WARN", 1177 "actual_value": "", 1178 "scored": false, 1179 "IsMultiple": false, 1180 "expected_result": "", 1181 "reason": "Test marked as a manual test" 1182 }, 1183 { 1184 "test_number": "5.6.4", 1185 "test_desc": "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)", 1186 "audit": "", 1187 "AuditEnv": "", 1188 "AuditConfig": "", 1189 "type": "manual", 1190 "remediation": "Using Command Line:\n Create a cluster with a Private Endpoint enabled and Public Access disabled by including\n the --enable-private-endpoint flag within the cluster create command:\n\n gcloud container clusters create [CLUSTER_NAME] \\\n --enable-private-endpoint\n\n Setting this flag also requires the setting of --enable-private-nodes , --enable-ip-alias\n and --master-ipv4-cidr=[MASTER_CIDR_RANGE] .\n", 1191 "test_info": [ 1192 "Using Command Line:\n Create a cluster with a Private Endpoint enabled and Public Access disabled by including\n the --enable-private-endpoint flag within the cluster create command:\n\n gcloud container clusters create [CLUSTER_NAME] \\\n --enable-private-endpoint\n\n Setting this flag also requires the setting of --enable-private-nodes , --enable-ip-alias\n and --master-ipv4-cidr=[MASTER_CIDR_RANGE] .\n" 1193 ], 1194 "status": "WARN", 1195 "actual_value": "", 1196 "scored": false, 1197 "IsMultiple": false, 1198 "expected_result": "", 1199 "reason": "Test marked as a manual test" 1200 }, 1201 { 1202 "test_number": "5.6.5", 1203 "test_desc": "Ensure clusters are created with Private Nodes (Manual)", 1204 "audit": "", 1205 "AuditEnv": "", 1206 "AuditConfig": "", 1207 "type": "manual", 1208 "remediation": "Using Command Line:\n To create a cluster with Private Nodes enabled, include the --enable-private-nodes 
flag\n within the cluster create command:\n\n gcloud container clusters create [CLUSTER_NAME] \\\n --enable-private-nodes\n\n Setting this flag also requires the setting of --enable-ip-alias and --master-ipv4-\n cidr=[MASTER_CIDR_RANGE] .\n", 1209 "test_info": [ 1210 "Using Command Line:\n To create a cluster with Private Nodes enabled, include the --enable-private-nodes flag\n within the cluster create command:\n\n gcloud container clusters create [CLUSTER_NAME] \\\n --enable-private-nodes\n\n Setting this flag also requires the setting of --enable-ip-alias and --master-ipv4-\n cidr=[MASTER_CIDR_RANGE] .\n" 1211 ], 1212 "status": "WARN", 1213 "actual_value": "", 1214 "scored": false, 1215 "IsMultiple": false, 1216 "expected_result": "", 1217 "reason": "Test marked as a manual test" 1218 }, 1219 { 1220 "test_number": "5.6.6", 1221 "test_desc": "Consider firewalling GKE worker nodes (Manual)", 1222 "audit": "", 1223 "AuditEnv": "", 1224 "AuditConfig": "", 1225 "type": "manual", 1226 "remediation": "Using Command Line:\n Use the following command to generate firewall rules, setting the variables as appropriate.\n You may want to use the target [TAG] and [SERVICE_ACCOUNT] previously identified.\n\n gcloud compute firewall-rules create FIREWALL_RULE_NAME \\\n --network [NETWORK] \\\n --priority [PRIORITY] \\\n --direction [DIRECTION] \\\n --action [ACTION] \\\n --target-tags [TAG] \\\n --target-service-accounts [SERVICE_ACCOUNT] \\\n --source-ranges [SOURCE_CIDR-RANGE] \\\n --source-tags [SOURCE_TAGS] \\\n --source-service-accounts=[SOURCE_SERVICE_ACCOUNT] \\\n --destination-ranges [DESTINATION_CIDR_RANGE] \\\n --rules [RULES]\n", 1227 "test_info": [ 1228 "Using Command Line:\n Use the following command to generate firewall rules, setting the variables as appropriate.\n You may want to use the target [TAG] and [SERVICE_ACCOUNT] previously identified.\n\n gcloud compute firewall-rules create FIREWALL_RULE_NAME \\\n --network [NETWORK] \\\n --priority [PRIORITY] \\\n 
--direction [DIRECTION] \\\n --action [ACTION] \\\n --target-tags [TAG] \\\n --target-service-accounts [SERVICE_ACCOUNT] \\\n --source-ranges [SOURCE_CIDR-RANGE] \\\n --source-tags [SOURCE_TAGS] \\\n --source-service-accounts=[SOURCE_SERVICE_ACCOUNT] \\\n --destination-ranges [DESTINATION_CIDR_RANGE] \\\n --rules [RULES]\n" 1229 ], 1230 "status": "WARN", 1231 "actual_value": "", 1232 "scored": false, 1233 "IsMultiple": false, 1234 "expected_result": "", 1235 "reason": "Test marked as a manual test" 1236 }, 1237 { 1238 "test_number": "5.6.7", 1239 "test_desc": "Ensure Network Policy is Enabled and set as appropriate (Manual)", 1240 "audit": "", 1241 "AuditEnv": "", 1242 "AuditConfig": "", 1243 "type": "manual", 1244 "remediation": "Using Command Line:\n To enable Network Policy for an existing cluster, firstly enable the Network Policy add-on:\n\n gcloud container clusters update [CLUSTER_NAME] \\\n --zone [COMPUTE_ZONE] \\\n --update-addons NetworkPolicy=ENABLED\n\n Then, enable Network Policy:\n\n gcloud container clusters update [CLUSTER_NAME] \\\n --zone [COMPUTE_ZONE] \\\n --enable-network-policy\n", 1245 "test_info": [ 1246 "Using Command Line:\n To enable Network Policy for an existing cluster, firstly enable the Network Policy add-on:\n\n gcloud container clusters update [CLUSTER_NAME] \\\n --zone [COMPUTE_ZONE] \\\n --update-addons NetworkPolicy=ENABLED\n\n Then, enable Network Policy:\n\n gcloud container clusters update [CLUSTER_NAME] \\\n --zone [COMPUTE_ZONE] \\\n --enable-network-policy\n" 1247 ], 1248 "status": "WARN", 1249 "actual_value": "", 1250 "scored": false, 1251 "IsMultiple": false, 1252 "expected_result": "", 1253 "reason": "Test marked as a manual test" 1254 }, 1255 { 1256 "test_number": "5.6.8", 1257 "test_desc": "Ensure use of Google-managed SSL Certificates (Manual)", 1258 "audit": "", 1259 "AuditEnv": "", 1260 "AuditConfig": "", 1261 "type": "manual", 1262 "remediation": "If services of type:LoadBalancer are discovered, consider 
replacing the Service with an\nIngress.\n\nTo configure the Ingress and use Google-managed SSL certificates, follow the instructions\nas listed at https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs.\n", 1263 "test_info": [ 1264 "If services of type:LoadBalancer are discovered, consider replacing the Service with an\nIngress.\n\nTo configure the Ingress and use Google-managed SSL certificates, follow the instructions\nas listed at https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs.\n" 1265 ], 1266 "status": "WARN", 1267 "actual_value": "", 1268 "scored": false, 1269 "IsMultiple": false, 1270 "expected_result": "", 1271 "reason": "Test marked as a manual test" 1272 } 1273 ] 1274 }, 1275 { 1276 "section": "5.7", 1277 "type": "", 1278 "pass": 0, 1279 "fail": 0, 1280 "warn": 2, 1281 "info": 0, 1282 "desc": "Logging", 1283 "results": [ 1284 { 1285 "test_number": "5.7.1", 1286 "test_desc": "Ensure Stackdriver Kubernetes Logging and Monitoring is Enabled (Automated)", 1287 "audit": "", 1288 "AuditEnv": "", 1289 "AuditConfig": "", 1290 "type": "manual", 1291 "remediation": "Using Command Line:\n\n STACKDRIVER KUBERNETES ENGINE MONITORING SUPPORT (PREFERRED):\n To enable Stackdriver Kubernetes Engine Monitoring for an existing cluster, run the\n following command:\n\n gcloud container clusters update [CLUSTER_NAME] \\\n --zone [COMPUTE_ZONE] \\\n --enable-stackdriver-kubernetes\n\n LEGACY STACKDRIVER SUPPORT:\n Both Logging and Monitoring support must be enabled.\n To enable Legacy Stackdriver Logging for an existing cluster, run the following command:\n\n gcloud container clusters update [CLUSTER_NAME] --zone [COMPUTE_ZONE] \\\n --logging-service logging.googleapis.com\n\n To enable Legacy Stackdriver Monitoring for an existing cluster, run the following\n command:\n\n gcloud container clusters update [CLUSTER_NAME] --zone [COMPUTE_ZONE] \\\n --monitoring-service monitoring.googleapis.com\n", 1292 "test_info": [ 1293 "Using Command 
Line:\n\n STACKDRIVER KUBERNETES ENGINE MONITORING SUPPORT (PREFERRED):\n To enable Stackdriver Kubernetes Engine Monitoring for an existing cluster, run the\n following command:\n\n gcloud container clusters update [CLUSTER_NAME] \\\n --zone [COMPUTE_ZONE] \\\n --enable-stackdriver-kubernetes\n\n LEGACY STACKDRIVER SUPPORT:\n Both Logging and Monitoring support must be enabled.\n To enable Legacy Stackdriver Logging for an existing cluster, run the following command:\n\n gcloud container clusters update [CLUSTER_NAME] --zone [COMPUTE_ZONE] \\\n --logging-service logging.googleapis.com\n\n To enable Legacy Stackdriver Monitoring for an existing cluster, run the following\n command:\n\n gcloud container clusters update [CLUSTER_NAME] --zone [COMPUTE_ZONE] \\\n --monitoring-service monitoring.googleapis.com\n" 1294 ], 1295 "status": "WARN", 1296 "actual_value": "", 1297 "scored": false, 1298 "IsMultiple": false, 1299 "expected_result": "", 1300 "reason": "Test marked as a manual test" 1301 }, 1302 { 1303 "test_number": "5.7.2", 1304 "test_desc": "Enable Linux auditd logging (Manual)", 1305 "audit": "", 1306 "AuditEnv": "", 1307 "AuditConfig": "", 1308 "type": "manual", 1309 "remediation": "Using Command Line:\n Download the example manifests:\n\n curl https://raw.githubusercontent.com/GoogleCloudPlatform/k8s-node-tools/master/os-audit/cos-auditd-logging.yaml \\\n \u003e cos-auditd-logging.yaml\n\n Edit the example manifests if needed. Then, deploy them:\n\n kubectl apply -f cos-auditd-logging.yaml\n\n Verify that the logging Pods have started. 
If you defined a different Namespace in your\n manifests, replace cos-auditd with the name of the namespace you're using:\n\n kubectl get pods --namespace=cos-auditd\n", 1310 "test_info": [ 1311 "Using Command Line:\n Download the example manifests:\n\n curl https://raw.githubusercontent.com/GoogleCloudPlatform/k8s-node-tools/master/os-audit/cos-auditd-logging.yaml \\\n \u003e cos-auditd-logging.yaml\n\n Edit the example manifests if needed. Then, deploy them:\n\n kubectl apply -f cos-auditd-logging.yaml\n\n Verify that the logging Pods have started. If you defined a different Namespace in your\n manifests, replace cos-auditd with the name of the namespace you're using:\n\n kubectl get pods --namespace=cos-auditd\n" 1312 ], 1313 "status": "WARN", 1314 "actual_value": "", 1315 "scored": false, 1316 "IsMultiple": false, 1317 "expected_result": "", 1318 "reason": "Test marked as a manual test" 1319 } 1320 ] 1321 }, 1322 { 1323 "section": "5.8", 1324 "type": "", 1325 "pass": 0, 1326 "fail": 0, 1327 "warn": 4, 1328 "info": 0, 1329 "desc": "Authentication and Authorization", 1330 "results": [ 1331 { 1332 "test_number": "5.8.1", 1333 "test_desc": "Ensure Basic Authentication using static passwords is Disabled (Automated)", 1334 "audit": "", 1335 "AuditEnv": "", 1336 "AuditConfig": "", 1337 "type": "manual", 1338 "remediation": "Using Command Line:\n To update an existing cluster and disable Basic Authentication by removing the static\n password:\n\n gcloud container clusters update [CLUSTER_NAME] \\\n --no-enable-basic-auth\n", 1339 "test_info": [ 1340 "Using Command Line:\n To update an existing cluster and disable Basic Authentication by removing the static\n password:\n\n gcloud container clusters update [CLUSTER_NAME] \\\n --no-enable-basic-auth\n" 1341 ], 1342 "status": "WARN", 1343 "actual_value": "", 1344 "scored": false, 1345 "IsMultiple": false, 1346 "expected_result": "", 1347 "reason": "Test marked as a manual test" 1348 }, 1349 { 1350 "test_number": "5.8.2", 
1351 "test_desc": "Ensure authentication using Client Certificates is Disabled (Automated)", 1352 "audit": "", 1353 "AuditEnv": "", 1354 "AuditConfig": "", 1355 "type": "manual", 1356 "remediation": "Using Command Line:\n Create a new cluster without a Client Certificate:\n\n gcloud container clusters create [CLUSTER_NAME] \\\n --no-issue-client-certificate\n", 1357 "test_info": [ 1358 "Using Command Line:\n Create a new cluster without a Client Certificate:\n\n gcloud container clusters create [CLUSTER_NAME] \\\n --no-issue-client-certificate\n" 1359 ], 1360 "status": "WARN", 1361 "actual_value": "", 1362 "scored": false, 1363 "IsMultiple": false, 1364 "expected_result": "", 1365 "reason": "Test marked as a manual test" 1366 }, 1367 { 1368 "test_number": "5.8.3", 1369 "test_desc": "Manage Kubernetes RBAC users with Google Groups for GKE (Manual)", 1370 "audit": "", 1371 "AuditEnv": "", 1372 "AuditConfig": "", 1373 "type": "manual", 1374 "remediation": "Using Command Line:\n Follow the G Suite Groups instructions at https://cloud.google.com/kubernetes-\n engine/docs/how-to/role-based-access-control#google-groups-for-gke.\n\n Then, create a cluster with\n\n gcloud beta container clusters create my-cluster \\\n --security-group=\"gke-security-groups@[yourdomain.com]\"\n\n Finally create Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings that\n reference your G Suite Groups.\n", 1375 "test_info": [ 1376 "Using Command Line:\n Follow the G Suite Groups instructions at https://cloud.google.com/kubernetes-\n engine/docs/how-to/role-based-access-control#google-groups-for-gke.\n\n Then, create a cluster with\n\n gcloud beta container clusters create my-cluster \\\n --security-group=\"gke-security-groups@[yourdomain.com]\"\n\n Finally create Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings that\n reference your G Suite Groups.\n" 1377 ], 1378 "status": "WARN", 1379 "actual_value": "", 1380 "scored": false, 1381 "IsMultiple": false, 1382 "expected_result": 
"", 1383 "reason": "Test marked as a manual test" 1384 }, 1385 { 1386 "test_number": "5.8.4", 1387 "test_desc": "Ensure Legacy Authorization (ABAC) is Disabled (Automated)", 1388 "audit": "", 1389 "AuditEnv": "", 1390 "AuditConfig": "", 1391 "type": "manual", 1392 "remediation": "Using Command Line:\n To disable Legacy Authorization for an existing cluster, run the following command:\n\n gcloud container clusters update [CLUSTER_NAME] \\\n --zone [COMPUTE_ZONE] \\\n --no-enable-legacy-authorization\n", 1393 "test_info": [ 1394 "Using Command Line:\n To disable Legacy Authorization for an existing cluster, run the following command:\n\n gcloud container clusters update [CLUSTER_NAME] \\\n --zone [COMPUTE_ZONE] \\\n --no-enable-legacy-authorization\n" 1395 ], 1396 "status": "WARN", 1397 "actual_value": "", 1398 "scored": false, 1399 "IsMultiple": false, 1400 "expected_result": "", 1401 "reason": "Test marked as a manual test" 1402 } 1403 ] 1404 }, 1405 { 1406 "section": "5.9", 1407 "type": "", 1408 "pass": 0, 1409 "fail": 0, 1410 "warn": 1, 1411 "info": 0, 1412 "desc": "Storage", 1413 "results": [ 1414 { 1415 "test_number": "5.9.1", 1416 "test_desc": "Enable Customer-Managed Encryption Keys (CMEK) for GKE Persistent Disks (PD) (Manual)", 1417 "audit": "", 1418 "AuditEnv": "", 1419 "AuditConfig": "", 1420 "type": "manual", 1421 "remediation": "Using Command Line:\n FOR NODE BOOT DISKS:\n Create a new node pool using customer-managed encryption keys for the node boot disk, of\n [DISK_TYPE] either pd-standard or pd-ssd :\n\n gcloud beta container node-pools create [CLUSTER_NAME] \\\n --disk-type [DISK_TYPE] \\\n --boot-disk-kms-key \\\n projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]\n\n Create a cluster using customer-managed encryption keys for the node boot disk, of\n [DISK_TYPE] either pd-standard or pd-ssd :\n\n gcloud beta container clusters create [CLUSTER_NAME] \\\n --disk-type [DISK_TYPE] \\\n --boot-disk-kms-key \\\n 
projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]\n\n FOR ATTACHED DISKS:\n Follow the instructions detailed at https://cloud.google.com/kubernetes-\n engine/docs/how-to/using-cmek.\n", 1422 "test_info": [ 1423 "Using Command Line:\n FOR NODE BOOT DISKS:\n Create a new node pool using customer-managed encryption keys for the node boot disk, of\n [DISK_TYPE] either pd-standard or pd-ssd :\n\n gcloud beta container node-pools create [CLUSTER_NAME] \\\n --disk-type [DISK_TYPE] \\\n --boot-disk-kms-key \\\n projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]\n\n Create a cluster using customer-managed encryption keys for the node boot disk, of\n [DISK_TYPE] either pd-standard or pd-ssd :\n\n gcloud beta container clusters create [CLUSTER_NAME] \\\n --disk-type [DISK_TYPE] \\\n --boot-disk-kms-key \\\n projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]\n\n FOR ATTACHED DISKS:\n Follow the instructions detailed at https://cloud.google.com/kubernetes-\n engine/docs/how-to/using-cmek.\n" 1424 ], 1425 "status": "WARN", 1426 "actual_value": "", 1427 "scored": false, 1428 "IsMultiple": false, 1429 "expected_result": "", 1430 "reason": "Test marked as a manual test" 1431 } 1432 ] 1433 }, 1434 { 1435 "section": "5.10", 1436 "type": "", 1437 "pass": 0, 1438 "fail": 0, 1439 "warn": 6, 1440 "info": 0, 1441 "desc": "Other Cluster Configurations", 1442 "results": [ 1443 { 1444 "test_number": "5.10.1", 1445 "test_desc": "Ensure Kubernetes Web UI is Disabled (Automated)", 1446 "audit": "", 1447 "AuditEnv": "", 1448 "AuditConfig": "", 1449 "type": "manual", 1450 "remediation": "Using Command Line:\n To disable the Kubernetes Dashboard on an existing cluster, run the following command:\n\n gcloud container clusters update [CLUSTER_NAME] \\\n --zone [ZONE] \\\n --update-addons=KubernetesDashboard=DISABLED\n", 1451 "test_info": [ 1452 "Using Command Line:\n To disable the 
Kubernetes Dashboard on an existing cluster, run the following command:\n\n gcloud container clusters update [CLUSTER_NAME] \\\n --zone [ZONE] \\\n --update-addons=KubernetesDashboard=DISABLED\n" 1453 ], 1454 "status": "WARN", 1455 "actual_value": "", 1456 "scored": false, 1457 "IsMultiple": false, 1458 "expected_result": "", 1459 "reason": "Test marked as a manual test" 1460 }, 1461 { 1462 "test_number": "5.10.2", 1463 "test_desc": "Ensure that Alpha clusters are not used for production workloads (Automated)", 1464 "audit": "", 1465 "AuditEnv": "", 1466 "AuditConfig": "", 1467 "type": "manual", 1468 "remediation": "Using Command Line:\n Upon creating a new cluster\n\n gcloud container clusters create [CLUSTER_NAME] \\\n --zone [COMPUTE_ZONE]\n\n Do not use the --enable-kubernetes-alpha argument.\n", 1469 "test_info": [ 1470 "Using Command Line:\n Upon creating a new cluster\n\n gcloud container clusters create [CLUSTER_NAME] \\\n --zone [COMPUTE_ZONE]\n\n Do not use the --enable-kubernetes-alpha argument.\n" 1471 ], 1472 "status": "WARN", 1473 "actual_value": "", 1474 "scored": false, 1475 "IsMultiple": false, 1476 "expected_result": "", 1477 "reason": "Test marked as a manual test" 1478 }, 1479 { 1480 "test_number": "5.10.3", 1481 "test_desc": "Ensure Pod Security Policy is Enabled and set as appropriate (Manual)", 1482 "audit": "", 1483 "AuditEnv": "", 1484 "AuditConfig": "", 1485 "type": "manual", 1486 "remediation": "Using Command Line:\n To enable Pod Security Policy for an existing cluster, run the following command:\n\n gcloud beta container clusters update [CLUSTER_NAME] \\\n --zone [COMPUTE_ZONE] \\\n --enable-pod-security-policy\n", 1487 "test_info": [ 1488 "Using Command Line:\n To enable Pod Security Policy for an existing cluster, run the following command:\n\n gcloud beta container clusters update [CLUSTER_NAME] \\\n --zone [COMPUTE_ZONE] \\\n --enable-pod-security-policy\n" 1489 ], 1490 "status": "WARN", 1491 "actual_value": "", 1492 "scored": 
false, 1493 "IsMultiple": false, 1494 "expected_result": "", 1495 "reason": "Test marked as a manual test" 1496 }, 1497 { 1498 "test_number": "5.10.4", 1499 "test_desc": "Consider GKE Sandbox for running untrusted workloads (Manual)", 1500 "audit": "", 1501 "AuditEnv": "", 1502 "AuditConfig": "", 1503 "type": "manual", 1504 "remediation": "Using Command Line:\n To enable GKE Sandbox on an existing cluster, a new Node pool must be created.\n\n gcloud container node-pools create [NODE_POOL_NAME] \\\n --zone=[COMPUTE-ZONE] \\\n --cluster=[CLUSTER_NAME] \\\n --image-type=cos_containerd \\\n --sandbox type=gvisor\n", 1505 "test_info": [ 1506 "Using Command Line:\n To enable GKE Sandbox on an existing cluster, a new Node pool must be created.\n\n gcloud container node-pools create [NODE_POOL_NAME] \\\n --zone=[COMPUTE-ZONE] \\\n --cluster=[CLUSTER_NAME] \\\n --image-type=cos_containerd \\\n --sandbox type=gvisor\n" 1507 ], 1508 "status": "WARN", 1509 "actual_value": "", 1510 "scored": false, 1511 "IsMultiple": false, 1512 "expected_result": "", 1513 "reason": "Test marked as a manual test" 1514 }, 1515 { 1516 "test_number": "5.10.5", 1517 "test_desc": "Ensure use of Binary Authorization (Automated)", 1518 "audit": "", 1519 "AuditEnv": "", 1520 "AuditConfig": "", 1521 "type": "manual", 1522 "remediation": "Using Command Line:\n Firstly, update the cluster to enable Binary Authorization:\n\n gcloud container cluster update [CLUSTER_NAME] \\\n --zone [COMPUTE-ZONE] \\\n --enable-binauthz\n\n Create a Binary Authorization Policy using the Binary Authorization Policy Reference\n (https://cloud.google.com/binary-authorization/docs/policy-yaml-reference) for\n guidance.\n\n Import the policy file into Binary Authorization:\n\n gcloud container binauthz policy import [YAML_POLICY]\n", 1523 "test_info": [ 1524 "Using Command Line:\n Firstly, update the cluster to enable Binary Authorization:\n\n gcloud container cluster update [CLUSTER_NAME] \\\n --zone [COMPUTE-ZONE] \\\n 
--enable-binauthz\n\n Create a Binary Authorization Policy using the Binary Authorization Policy Reference\n (https://cloud.google.com/binary-authorization/docs/policy-yaml-reference) for\n guidance.\n\n Import the policy file into Binary Authorization:\n\n gcloud container binauthz policy import [YAML_POLICY]\n" 1525 ], 1526 "status": "WARN", 1527 "actual_value": "", 1528 "scored": false, 1529 "IsMultiple": false, 1530 "expected_result": "", 1531 "reason": "Test marked as a manual test" 1532 }, 1533 { 1534 "test_number": "5.10.6", 1535 "test_desc": "Enable Cloud Security Command Center (Cloud SCC) (Manual)", 1536 "audit": "", 1537 "AuditEnv": "", 1538 "AuditConfig": "", 1539 "type": "manual", 1540 "remediation": "Using Command Line:\n Follow the instructions at https://cloud.google.com/security-command-\n center/docs/quickstart-scc-setup.\n", 1541 "test_info": [ 1542 "Using Command Line:\n Follow the instructions at https://cloud.google.com/security-command-\n center/docs/quickstart-scc-setup.\n" 1543 ], 1544 "status": "WARN", 1545 "actual_value": "", 1546 "scored": false, 1547 "IsMultiple": false, 1548 "expected_result": "", 1549 "reason": "Test marked as a manual test" 1550 } 1551 ] 1552 } 1553 ], 1554 "total_pass": 0, 1555 "total_fail": 0, 1556 "total_warn": 37, 1557 "total_info": 0 1558 } 1559 ] 1560 }
