
     1  ---
     2  controls:
     3  version: "ack-1.0"
     4  id: 6
     5  text: "Managed Services"
     6  type: "managedservices"
     7  groups:
     8    - id: 6.1
     9      text: "Image Registry and Image Scanning"
    10      checks:
    11        - id: 6.1.1
    12          text: "Ensure Image Vulnerability Scanning using ACR image scanning or a third party provider (Manual)"
    13          type: "manual"
    14          remediation: |
    15            Ensure Image Vulnerability Scanning using ACR image scanning or a third party provider by follow the ACR document: https://www.alibabacloud.com/help/doc-detail/160146.htm
    16          scored: false
    17  
    18        - id: 6.1.2
    19          text: "Minimize user access to ACR (Manual)"
    20          type: "manual"
    21          remediation: |
    22            Minimize user access to ACR by follow the ACR document to setup network access control: https://www.alibabacloud.com/help/doc-detail/142179.htm
    23            And follow the ACR document to setup Resource Access Management (RAM) policies for ACR: https://www.alibabacloud.com/help/doc-detail/144229.htm
    24          scored: false
    25  
    26        - id: 6.1.3
    27          text: "Minimize cluster access to read-only for ACR (Manual)"
    28          type: "manual"
    29          remediation: Minimize cluster access to read-only for ACR
    30          scored: false
    31  
    32        - id: 6.1.4
    33          text: "Minimize Container Registries to only those approved (Manual)"
    34          type: "manual"
    35          remediation: Minimize Container Registries to only those approved
    36          scored: false
    37  
    38    - id: 6.2
    39      text: "Key Management Service (KMS)"
    40      checks:
    41        - id: 6.2.1
    42          text: "Ensure Kubernetes Secrets are encrypted using keys managed in KMS (Manual)"
    43          type: "manual"
    44          remediation: |
    45            Ensure Kubernetes Secrets are encrypted using keys managed in KMS by follow The ACK document: https://www.alibabacloud.com/help/zh/doc-detail/177372.htm
    46          scored: false
    47  
    48    - id: 6.3
    49      text: "Cluster Networking"
    50      checks:
    51        - id: 6.3.1
    52          text: "Restrict Access to the Control Plane Endpoint (Manual)"
    53          type: "manual"
    54          remediation: Restrict Access to the Control Plane Endpoint
    55          scored: false
    56  
    57        - id: 6.3.2
    58          text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
    59          type: "manual"
    60          remediation: Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled
    61          scored: false
    62  
    63        - id: 6.3.3
    64          text: "Ensure clusters are created with Private Nodes (Manual)"
    65          type: "manual"
    66          remediation: Ensure clusters are created with Private Nodes
    67          scored: false
    68  
    69        - id: 6.3.4
    70          text: "Ensure Network Policy is Enabled and set as appropriate (Manual)"
    71          type: "manual"
    72          remediation: Ensure Network Policy is Enabled and set as appropriate
    73          scored: false
    74  
    75        - id: 6.3.5
    76          text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)"
    77          type: "manual"
    78          remediation: Encrypt traffic to HTTPS load balancers with TLS certificates
    79          scored: false
    80  
    81    - id: 6.4
    82      text: "Storage"
    83      checks:
    84        - id: 6.4.1
    85          text: "Enable data disk encryption for Alibaba Cloud Disks (Manual)"
    86          type: "manual"
    87          remediation: Enable data disk encryption for Alibaba Cloud Disks
    88          scored: false
    89  
    90    - id: 6.5
    91      text: "Logging"
    92      checks:
    93        - id: 6.5.1
    94          text: "Ensure Cluster Auditing is Enabled (Manual)"
    95          type: "manual"
    96          remediation: Ensure Cluster Auditing is Enabled
    97          scored: false
    98  
    99    - id: 6.6
   100      text: "Other Cluster Configurations"
   101      checks:
   102        - id: 6.6.1
   103          text: "Ensure Pod Security Policy is Enabled and set as appropriate (Manual)"
   104          type: "manual"
   105          remediation: Ensure Pod Security Policy is Enabled and set as appropriate
   106          scored: false
   107  
   108        - id: 6.6.2
   109          text: "Enable Cloud Security Center (Manual)"
   110          type: "manual"
   111          remediation: Enable Cloud Security Center
   112          scored: false
   113  
   114        - id: 6.6.3
   115          text: "Consider ACK Sandboxed-Container for running untrusted workloads (Manual)"
   116          type: "manual"
   117          remediation: Consider ACK Sandboxed-Container for running untrusted workloads
   118  
   119        - id: 6.6.4
   120          text: "Consider ACK TEE-based when running confidential computing (Manual)"
   121          type: "manual"
   122          remediation: Consider ACK TEE-based when running confidential computing
   123  
   124        - id: 6.6.5
   125          text: "Consider use service account token volume projection (Manual)"
   126          type: "manual"
   127          remediation: Consider use service account token volume projection