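---
# kube-bench control set for the ack-1.0 benchmark, master (control plane) node.
#
# How the checks in this file are evaluated (as used here):
#   - `bitmask` + "644"/"700"/"600": passes when the audited mode has no bits
#     outside the given value ("644 or more restrictive").
#   - `set: false`: passes only when the flag is absent from the process line.
#   - `has` / `nothave`: element lookup inside a comma-separated flag value.
#   - `valid_elements`: every element of the flag value must be in `value`.
#   - `type: manual`: the audit output is reported for a human to judge;
#     such checks are not scored.
# `$apiserverconf`, `$etcdbin`, `$schedulerkubeconfig`, ... are placeholders
# resolved by kube-bench from its platform config before the audit runs.
controls:
version: "ack-1.0"
id: 1
text: "Master Node Security Configuration"
type: "master"
groups:
  - id: 1.1
    text: "Master Node Configuration Files"
    checks:
      - id: 1.1.1
        text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the
          master node.
          For example, chmod 644 $apiserverconf
        scored: true

      - id: 1.1.2
        text: "Ensure that the API server pod specification file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chown root:root $apiserverconf
        scored: true

      - id: 1.1.3
        text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chmod 644 $controllermanagerconf
        scored: true

      - id: 1.1.4
        text: "Ensure that the controller manager pod specification file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chown root:root $controllermanagerconf
        scored: true

      - id: 1.1.5
        text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chmod 644 $schedulerconf
        scored: true

      - id: 1.1.6
        text: "Ensure that the scheduler pod specification file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chown root:root $schedulerconf
        scored: true

      # 1.1.7 / 1.1.8: etcd may run as a systemd unit or as a static pod; the
      # audit tries the unit file first and falls back to the pod manifest(s).
      - id: 1.1.7
        text: "Ensure that the etcd service file permissions are set to 644 or more restrictive (Automated)"
        audit: |
          stat -c permissions=%a /usr/lib/systemd/system/etcd.service || \
          if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c permissions=%a; fi
        use_multiple_values: true
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chmod 644 $etcdconf
        scored: true

      - id: 1.1.8
        text: "Ensure that the etcd service file ownership is set to root:root (Automated)"
        audit: |
          stat -c %U:%G /usr/lib/systemd/system/etcd.service || \
          if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c %U:%G; fi
        use_multiple_values: true
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chown root:root $etcdconf
        scored: true

      - id: 1.1.9
        text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)"
        audit: "stat -c permissions=%a <path/to/cni/files>"
        type: "manual"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chmod 644 <path/to/cni/files>
        scored: false

      - id: 1.1.10
        text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
        audit: "stat -c %U:%G <path/to/cni/files>"
        type: "manual"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chown root:root <path/to/cni/files>
        scored: false

      # 1.1.11 / 1.1.12: the data directory holds the raw cluster state
      # (including Secrets, unless encryption at rest is on - see 1.2.31/1.2.32),
      # hence owner-only access (700) and etcd:etcd ownership.
      - id: 1.1.11
        text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
        audit: |
          stat -c permissions=%a /var/lib/etcd/data.etcd || \
          ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "700"
        remediation: |
          On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
          from the below command:
          ps -ef | grep etcd
          Run the below command (based on the etcd data directory found above). For example,
          chmod 700 /var/lib/etcd
        scored: true

      - id: 1.1.12
        text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
        audit: |
          stat -c %U:%G /var/lib/etcd/data.etcd || \
          ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G
        tests:
          test_items:
            - flag: "etcd:etcd"
        remediation: |
          On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
          from the below command:
          ps -ef | grep etcd
          Run the below command (based on the etcd data directory found above).
          For example, chown etcd:etcd /var/lib/etcd
        scored: true

      # NOTE(review): admin.conf carries cluster-admin client credentials. This
      # benchmark version only requires 644; 600 (owner-only) is the safer
      # target and still passes the bitmask test.
      - id: 1.1.13
        text: "Ensure that the admin.conf file permissions are set to 644 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions=%a /etc/kubernetes/admin.conf; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chmod 644 /etc/kubernetes/admin.conf
        scored: true

      - id: 1.1.14
        text: "Ensure that the admin.conf file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %U:%G /etc/kubernetes/admin.conf; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chown root:root /etc/kubernetes/admin.conf
        scored: true

      - id: 1.1.15
        text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c permissions=%a $schedulerkubeconfig; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chmod 644 $schedulerkubeconfig
        scored: true

      - id: 1.1.16
        text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c %U:%G $schedulerkubeconfig; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chown root:root $schedulerkubeconfig
        scored: true

      - id: 1.1.17
        text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chmod 644 $controllermanagerkubeconfig
        scored: true

      - id: 1.1.18
        text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c %U:%G $controllermanagerkubeconfig; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chown root:root $controllermanagerkubeconfig
        scored: true

      # 1.1.19 - 1.1.21: every entry under the PKI directory is checked
      # individually (use_multiple_values), so one stray file fails the check.
      - id: 1.1.19
        text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)"
        audit: "find /etc/kubernetes/pki/ | xargs stat -c %U:%G"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chown -R root:root /etc/kubernetes/pki/
        scored: true

      - id: 1.1.20
        text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)"
        audit: "find /etc/kubernetes/pki -name '*.crt' | xargs stat -c permissions=%a"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chmod -R 644 /etc/kubernetes/pki/*.crt
        scored: false

      # Private keys must never be group/world readable; 600 is the ceiling here.
      - id: 1.1.21
        text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)"
        audit: "find /etc/kubernetes/pki -name '*.key' | xargs stat -c permissions=%a"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chmod -R 600 /etc/kubernetes/pki/*.key
        scored: false

  - id: 1.2
    text: "API Server"
    checks:
      # 1.2.1 / 1.2.2: static credential files (basic auth, bearer tokens) are
      # plaintext on disk and not rotatable; the checks require them to be absent.
      - id: 1.2.1
        text: "Ensure that the --basic-auth-file argument is not set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--basic-auth-file"
              set: false
        remediation: |
          Follow the documentation and configure alternate mechanisms for authentication. Then,
          edit the API server pod specification file $apiserverconf
          on the master node and remove the --basic-auth-file=<filename> parameter.
        scored: true

      - id: 1.2.2
        text: "Ensure that the --token-auth-file parameter is not set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--token-auth-file"
              set: false
        remediation: |
          Follow the documentation and configure alternate mechanisms for authentication. Then,
          edit the API server pod specification file $apiserverconf
          on the master node and remove the --token-auth-file=<filename> parameter.
        scored: true

      # Passes when the flag is absent: the remediation relies on the flag's
      # default (HTTPS) rather than an explicit value.
      - id: 1.2.3
        text: "Ensure that the --kubelet-https argument is set to true (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--kubelet-https"
              compare:
                op: eq
                value: true
            - flag: "--kubelet-https"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and remove the --kubelet-https parameter.
        scored: true

      - id: 1.2.4
        text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: and
          test_items:
            - flag: "--kubelet-client-certificate"
            - flag: "--kubelet-client-key"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection between the
          apiserver and kubelets. Then, edit API server pod specification file
          $apiserverconf on the master node and set the
          kubelet client certificate and key parameters as below.
          --kubelet-client-certificate=<path/to/client-certificate-file>
          --kubelet-client-key=<path/to/client-key-file>
        scored: true

      - id: 1.2.5
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--authorization-mode"
              compare:
                op: nothave
                value: "AlwaysAllow"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the --authorization-mode parameter to values other than AlwaysAllow.
          One such example could be as below.
          --authorization-mode=RBAC
        scored: true

      # Node authorizer + NodeRestriction admission (1.2.15) together limit a
      # kubelet to the objects bound to its own node.
      - id: 1.2.6
        text: "Ensure that the --authorization-mode argument includes Node (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--authorization-mode"
              compare:
                op: has
                value: "Node"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the --authorization-mode parameter to a value that includes Node.
          --authorization-mode=Node,RBAC
        scored: true

      - id: 1.2.7
        text: "Ensure that the --authorization-mode argument includes RBAC (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--authorization-mode"
              compare:
                op: has
                value: "RBAC"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the --authorization-mode parameter to a value that includes RBAC,
          for example:
          --authorization-mode=Node,RBAC
        scored: true

      - id: 1.2.8
        text: "Ensure that the admission control plugin EventRateLimit is set (Manual)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "EventRateLimit"
        remediation: |
          Follow the Kubernetes documentation and set the desired limits in a configuration file.
          Then, edit the API server pod specification file $apiserverconf
          and set the below parameters.
          --enable-admission-plugins=...,EventRateLimit,...
          --admission-control-config-file=<path/to/configuration/file>
        scored: false

      - id: 1.2.9
        text: "Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: nothave
                value: "AlwaysAdmit"
            - flag: "--enable-admission-plugins"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and either remove the --enable-admission-plugins parameter, or set it to a
          value that does not include AlwaysAdmit.
        scored: true

      - id: 1.2.10
        text: "Ensure that the admission control plugin AlwaysPullImages is set (Manual)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "AlwaysPullImages"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the --enable-admission-plugins parameter to include
          AlwaysPullImages.
          --enable-admission-plugins=...,AlwaysPullImages,...
        scored: false

      # NOTE(review): both SecurityContextDeny and PodSecurityPolicy have been
      # deprecated/removed in later Kubernetes releases; on such clusters this
      # check cannot pass and Pod Security Admission is the replacement.
      - id: 1.2.11
        text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "SecurityContextDeny"
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "PodSecurityPolicy"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the --enable-admission-plugins parameter to include
          SecurityContextDeny, unless PodSecurityPolicy is already in place.
          --enable-admission-plugins=...,SecurityContextDeny,...
        scored: false

      # 1.2.12 / 1.2.13: these plugins are on by default, so the check is that
      # they were not explicitly disabled.
      - id: 1.2.12
        text: "Ensure that the admission control plugin ServiceAccount is set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--disable-admission-plugins"
              compare:
                op: nothave
                value: "ServiceAccount"
            - flag: "--disable-admission-plugins"
              set: false
        remediation: |
          Follow the documentation and create ServiceAccount objects as per your environment.
          Then, edit the API server pod specification file $apiserverconf
          on the master node and ensure that the --disable-admission-plugins parameter is set to a
          value that does not include ServiceAccount.
        scored: true

      - id: 1.2.13
        text: "Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--disable-admission-plugins"
              compare:
                op: nothave
                value: "NamespaceLifecycle"
            - flag: "--disable-admission-plugins"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the --disable-admission-plugins parameter to
          ensure it does not include NamespaceLifecycle.
        scored: true

      # NOTE(review): PodSecurityPolicy was removed from Kubernetes in 1.25.
      # On 1.25+ clusters this scored check always fails; treat a FAIL there as
      # "verify Pod Security Admission is enforced instead".
      - id: 1.2.14
        text: "Ensure that the admission control plugin PodSecurityPolicy is set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "PodSecurityPolicy"
        remediation: |
          Follow the documentation and create Pod Security Policy objects as per your environment.
          Then, edit the API server pod specification file $apiserverconf
          on the master node and set the --enable-admission-plugins parameter to a
          value that includes PodSecurityPolicy:
          --enable-admission-plugins=...,PodSecurityPolicy,...
          Then restart the API Server.
        scored: true

      - id: 1.2.15
        text: "Ensure that the admission control plugin NodeRestriction is set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "NodeRestriction"
        remediation: |
          Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets.
          Then, edit the API server pod specification file $apiserverconf
          on the master node and set the --enable-admission-plugins parameter to a
          value that includes NodeRestriction.
          --enable-admission-plugins=...,NodeRestriction,...
        scored: true

      # 1.2.16 / 1.2.17: the insecure (plain HTTP, unauthenticated) listener.
      - id: 1.2.16
        text: "Ensure that the --insecure-bind-address argument is not set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--insecure-bind-address"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and remove the --insecure-bind-address parameter.
        scored: true

      # NOTE(review): this deliberately does NOT accept an absent flag, because
      # on releases that still have the insecure port its default is non-zero.
      # On releases where the flag has been removed (Kubernetes 1.24+) the
      # listener no longer exists and this check will report FAIL; that result
      # is a false positive there.
      - id: 1.2.17
        text: "Ensure that the --insecure-port argument is set to 0 (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--insecure-port"
              compare:
                op: eq
                value: 0
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the below parameter.
          --insecure-port=0
        scored: true

      - id: 1.2.18
        text: "Ensure that the --secure-port argument is not set to 0 (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--secure-port"
              compare:
                op: gt
                value: 0
            - flag: "--secure-port"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and either remove the --secure-port parameter or
          set it to a different (non-zero) desired port.
        scored: true

      - id: 1.2.19
        text: "Ensure that the --profiling argument is set to false (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--profiling"
              compare:
                op: eq
                value: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the below parameter.
          --profiling=false
        scored: true

      # 1.2.20 - 1.2.23: audit logging and its retention. Only the presence of
      # --audit-log-path is checked; whether an --audit-policy-file that records
      # anything useful is configured is not verified by this file.
      - id: 1.2.20
        text: "Ensure that the --audit-log-path argument is set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--audit-log-path"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the --audit-log-path parameter to a suitable path and
          file where you would like audit logs to be written, for example:
          --audit-log-path=/var/log/apiserver/audit.log
        scored: true

      - id: 1.2.21
        text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--audit-log-maxage"
              compare:
                op: gte
                value: 30
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days:
          --audit-log-maxage=30
        scored: true

      - id: 1.2.22
        text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--audit-log-maxbackup"
              compare:
                op: gte
                value: 10
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the --audit-log-maxbackup parameter to 10 or to an appropriate
          value.
          --audit-log-maxbackup=10
        scored: true

      - id: 1.2.23
        text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--audit-log-maxsize"
              compare:
                op: gte
                value: 100
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the --audit-log-maxsize parameter to an appropriate size in MB.
          For example, to set it as 100 MB:
          --audit-log-maxsize=100
        scored: true

      # "As appropriate" has no machine-checkable value, so this is a manual
      # check; it is marked unscored to match every other manual check here
      # (it was previously labelled Automated/scored while being type manual).
      - id: 1.2.24
        text: "Ensure that the --request-timeout argument is set as appropriate (Manual)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        type: manual
        remediation: |
          Edit the API server pod specification file $apiserverconf
          and set the below parameter as appropriate and if needed.
          For example,
          --request-timeout=300s
        scored: false

      # Passes when absent: the remediation text states the default takes effect.
      - id: 1.2.25
        text: "Ensure that the --service-account-lookup argument is set to true (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--service-account-lookup"
              set: false
            - flag: "--service-account-lookup"
              compare:
                op: eq
                value: true
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the below parameter.
          --service-account-lookup=true
          Alternatively, you can delete the --service-account-lookup parameter from this file so
          that the default takes effect.
        scored: true

      - id: 1.2.26
        text: "Ensure that the --service-account-key-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--service-account-key-file"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the --service-account-key-file parameter
          to the public key file for service accounts:
          --service-account-key-file=<filename>
        scored: true

      # 1.2.27 - 1.2.30: TLS material. Presence of the flags is all that is
      # verified; certificate validity/expiry is out of scope for this file.
      - id: 1.2.27
        text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: and
          test_items:
            - flag: "--etcd-certfile"
            - flag: "--etcd-keyfile"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.
          Then, edit the API server pod specification file $apiserverconf
          on the master node and set the etcd certificate and key file parameters.
          --etcd-certfile=<path/to/client-certificate-file>
          --etcd-keyfile=<path/to/client-key-file>
        scored: true

      - id: 1.2.28
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: and
          test_items:
            - flag: "--tls-cert-file"
            - flag: "--tls-private-key-file"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
          Then, edit the API server pod specification file $apiserverconf
          on the master node and set the TLS certificate and private key file parameters.
          --tls-cert-file=<path/to/tls-certificate-file>
          --tls-private-key-file=<path/to/tls-key-file>
        scored: true

      - id: 1.2.29
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--client-ca-file"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
          Then, edit the API server pod specification file $apiserverconf
          on the master node and set the client certificate authority file.
          --client-ca-file=<path/to/client-ca-file>
        scored: true

      - id: 1.2.30
        text: "Ensure that the --etcd-cafile argument is set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--etcd-cafile"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.
          Then, edit the API server pod specification file $apiserverconf
          on the master node and set the etcd certificate authority file parameter.
          --etcd-cafile=<path/to/ca-file>
        scored: true

      # 1.2.31 / 1.2.32: encryption of Secrets at rest in etcd.
      - id: 1.2.31
        text: "Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--encryption-provider-config"
        remediation: |
          Follow the Kubernetes documentation and configure a EncryptionConfig file.
          Then, edit the API server pod specification file $apiserverconf
          on the master node and set the --encryption-provider-config parameter to the path of that file:
          --encryption-provider-config=</path/to/EncryptionConfig/File>
        scored: false

      # The audit extracts only the FIRST entry under `providers:`. That is the
      # one that matters for new writes; an `identity` provider listed first
      # means Secrets are stored unencrypted, which valid_elements rejects.
      # NOTE(review): the grep/tail extraction assumes the first provider is on
      # the line immediately after `providers:`; other layouts will be misread.
      - id: 1.2.32
        text: "Ensure that encryption providers are appropriately configured (Manual)"
        audit: |
          ENCRYPTION_PROVIDER_CONFIG=$(ps -ef | grep $apiserverbin | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\([^ ]*\).*%\1%')
          if test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -A1 'providers:' $ENCRYPTION_PROVIDER_CONFIG | tail -n1 | grep -o "[A-Za-z]*" | sed 's/^/provider=/'; fi
        tests:
          test_items:
            - flag: "provider"
              compare:
                op: valid_elements
                value: "aescbc,kms,secretbox"
        remediation: |
          Follow the Kubernetes documentation and configure a EncryptionConfig file.
          In this file, choose aescbc, kms or secretbox as the encryption provider.
        scored: false

      # NOTE(review): the allowed list still admits the two TLS_RSA_* suites
      # (static RSA key exchange, no forward secrecy) for compatibility; the
      # remediation example intentionally omits them. Prefer the ECDHE-only set
      # unless a legacy client requires otherwise.
      - id: 1.2.33
        text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--tls-cipher-suites"
              compare:
                op: valid_elements
                value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the below parameter.
          --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        scored: false

  - id: 1.3
    text: "Controller Manager"
    checks:
      - id: 1.3.1
        text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          test_items:
            - flag: "--terminated-pod-gc-threshold"
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold,
          for example:
          --terminated-pod-gc-threshold=10
        scored: false

      - id: 1.3.2
        text: "Ensure that the --profiling argument is set to false (Automated)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          test_items:
            - flag: "--profiling"
              compare:
                op: eq
                value: false
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the master node and set the below parameter.
          --profiling=false
        scored: true

      # `noteq false` (rather than `eq true`) so that an explicit "true" and
      # any other non-"false" spelling both pass; only an explicit opt-out fails.
      - id: 1.3.3
        text: "Ensure that the --use-service-account-credentials argument is set to true (Automated)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          test_items:
            - flag: "--use-service-account-credentials"
              compare:
                op: noteq
                value: false
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the master node to set the below parameter.
          --use-service-account-credentials=true
        scored: true

      - id: 1.3.4
        text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          test_items:
            - flag: "--service-account-private-key-file"
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the master node and set the --service-account-private-key-file parameter
          to the private key file for service accounts.
          --service-account-private-key-file=<filename>
        scored: true

      - id: 1.3.5
        text: "Ensure that the --root-ca-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          test_items:
            - flag: "--root-ca-file"
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the master node and set the --root-ca-file parameter to the certificate bundle file.
          --root-ca-file=<path/to/file>
        scored: true

      # Passes unless the gate is explicitly set to false (or --feature-gates is
      # absent); i.e. it relies on the gate's default being on rather than
      # requiring RotateKubeletServerCertificate=true to be spelled out.
      - id: 1.3.6
        text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--feature-gates"
              compare:
                op: nothave
                value: "RotateKubeletServerCertificate=false"
              set: true
            - flag: "--feature-gates"
              set: false
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the master node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.
          --feature-gates=RotateKubeletServerCertificate=true
        scored: true

      # Keeps the controller manager's metrics/health endpoint off the network.
      - id: 1.3.7
        text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--bind-address"
              compare:
                op: eq
                value: "127.0.0.1"
            - flag: "--bind-address"
              set: false
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the master node and ensure the correct value for the --bind-address parameter
        scored: true

  - id: 1.4
    text: "Scheduler"
    checks:
      - id: 1.4.1
        text: "Ensure that the --profiling argument is set to false (Automated)"
        audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
        tests:
          test_items:
            - flag: "--profiling"
              compare:
                op: eq
                value: false
        remediation: |
          Edit the Scheduler pod specification file $schedulerconf file
          on the master node and set the below parameter.
          --profiling=false
        scored: true

      # Same rationale as 1.3.7, for the scheduler's endpoint.
      - id: 1.4.2
        text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
        audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--bind-address"
              compare:
                op: eq
                value: "127.0.0.1"
            - flag: "--bind-address"
              set: false
        remediation: |
          Edit the Scheduler pod specification file $schedulerconf
          on the master node and ensure the correct value for the --bind-address parameter
        scored: true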