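---
# kube-bench control set: CIS AKS benchmark 1.0, section 3 (worker node).
# Every check below is marked "(Manual)" and `scored: false`: kube-bench reports
# the result, but a failure does not count toward the scored total.
# $kubeletkubeconfig, $kubeletconf, $kubeletbin and $kubeletsvc are placeholders
# that kube-bench resolves from its own config at run time, not literal paths.
# IDs and compare values are quoted so every YAML parser keeps them as the
# literal text (e.g. "3.10" is not a float, "false"/"0" are not bool/int).
controls:
  version: "aks-1.0"
  id: "3"
  text: "Worker Node Security Configuration"
  type: "node"
  groups:
    - id: "3.1"
      text: "Worker Node Configuration Files"
      checks:
        - id: "3.1.1"
          text: "Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Manual)"
          # The audit only runs stat when the file exists, so a missing file
          # yields no "permissions=" output rather than an error.
          audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
          tests:
            test_items:
              - flag: "permissions"
                compare:
                  # bitmask: passes when the mode has no bits beyond 644.
                  op: bitmask
                  value: "644"
          remediation: |
            Run the below command (based on the file location on your system) on the each worker node.
            For example,
            chmod 644 $kubeletkubeconfig
          scored: false

        - id: "3.1.2"
          text: "Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)"
          audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
          tests:
            test_items:
              - flag: "root:root"
          remediation: |
            Run the below command (based on the file location on your system) on the each worker node.
            For example,
            chown root:root $kubeletkubeconfig
          scored: false

        - id: "3.1.3"
          text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Manual)"
          audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
          tests:
            test_items:
              - flag: "permissions"
                compare:
                  op: bitmask
                  value: "644"
          remediation: |
            Run the following command (using the config file location identified in the Audit step)
            chmod 644 $kubeletconf
          scored: false

        - id: "3.1.4"
          text: "Ensure that the kubelet configuration file ownership is set to root:root (Manual)"
          audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
          tests:
            test_items:
              - flag: "root:root"
          remediation: |
            Run the following command (using the config file location identified in the Audit step)
            chown root:root $kubeletconf
          scored: false

    - id: "3.2"
      text: "Kubelet"
      # Most checks here look at both the kubelet command line (audit) and the
      # kubelet config file (audit_config, read via the JSONPath in `path`),
      # since a setting may come from either source.
      checks:
        - id: "3.2.1"
          text: "Ensure that the --anonymous-auth argument is set to false (Manual)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/cat $kubeletconf"
          tests:
            test_items:
              - flag: "--anonymous-auth"
                path: '{.authentication.anonymous.enabled}'
                compare:
                  op: eq
                  value: "false"
          remediation: |
            If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
            false.
            If using executable arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
            --anonymous-auth=false
            Based on your system, restart the kubelet service. For example:
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: false

        - id: "3.2.2"
          text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Manual)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/cat $kubeletconf"
          tests:
            test_items:
              - flag: "--authorization-mode"
                path: '{.authorization.mode}'
                compare:
                  op: nothave
                  value: "AlwaysAllow"
          remediation: |
            If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If
            using executable arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the below parameter in KUBELET_AUTHZ_ARGS variable.
            --authorization-mode=Webhook
            Based on your system, restart the kubelet service. For example:
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: false

        - id: "3.2.3"
          text: "Ensure that the --client-ca-file argument is set as appropriate (Manual)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/cat $kubeletconf"
          tests:
            test_items:
              - flag: "--client-ca-file"
                path: '{.authentication.x509.clientCAFile}'
                # Only presence is checked; the CA path itself is not validated.
                set: true
          remediation: |
            If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
            the location of the client CA file.
            If using command line arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the below parameter in KUBELET_AUTHZ_ARGS variable.
            --client-ca-file=<path/to/client-ca-file>
            Based on your system, restart the kubelet service. For example:
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: false

        - id: "3.2.4"
          text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/cat $kubeletconf"
          tests:
            test_items:
              - flag: "--read-only-port"
                path: '{.readOnlyPort}'
                set: true
                compare:
                  op: eq
                  value: "0"
          remediation: |
            If using a Kubelet config file, edit the file to set readOnlyPort to 0.
            If using command line arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
            --read-only-port=0
            Based on your system, restart the kubelet service. For example:
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: false

        - id: "3.2.5"
          text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/cat $kubeletconf"
          tests:
            # Passes when the value is present and non-zero, OR when it is
            # absent altogether (the setting then falls back to its default).
            test_items:
              - flag: "--streaming-connection-idle-timeout"
                path: '{.streamingConnectionIdleTimeout}'
                set: true
                compare:
                  op: noteq
                  value: "0"
              - flag: "--streaming-connection-idle-timeout"
                path: '{.streamingConnectionIdleTimeout}'
                set: false
            bin_op: or
          remediation: |
            If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
            value other than 0.
            If using command line arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
            --streaming-connection-idle-timeout=5m
            Based on your system, restart the kubelet service. For example:
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: false

        - id: "3.2.6"
          text: "Ensure that the --protect-kernel-defaults argument is set to true (Manual)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/cat $kubeletconf"
          tests:
            test_items:
              - flag: "--protect-kernel-defaults"
                path: '{.protectKernelDefaults}'
                set: true
                compare:
                  op: eq
                  value: "true"
          remediation: |
            If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
            If using command line arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
            --protect-kernel-defaults=true
            Based on your system, restart the kubelet service. For example:
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: false

        - id: "3.2.7"
          # Fixed: the title previously carried a trailing space inside the quotes.
          text: "Ensure that the --make-iptables-util-chains argument is set to true (Manual)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/cat $kubeletconf"
          tests:
            # Explicit true, or not set at all, both pass.
            test_items:
              - flag: "--make-iptables-util-chains"
                path: '{.makeIPTablesUtilChains}'
                set: true
                compare:
                  op: eq
                  value: "true"
              - flag: "--make-iptables-util-chains"
                path: '{.makeIPTablesUtilChains}'
                set: false
            bin_op: or
          remediation: |
            If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true.
            If using command line arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            remove the --make-iptables-util-chains argument from the
            KUBELET_SYSTEM_PODS_ARGS variable.
            Based on your system, restart the kubelet service. For example:
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: false

        - id: "3.2.8"
          text: "Ensure that the --hostname-override argument is not set (Manual)"
          # This is one of those properties that can only be set as a command line argument.
          # To check if the property is set as expected, we need to parse the kubelet command
          # instead of reading the Kubelet Configuration file, so there is no audit_config here.
          audit: "/bin/ps -fC $kubeletbin"
          tests:
            test_items:
              - flag: "--hostname-override"
                set: false
          remediation: |
            Edit the kubelet service file $kubeletsvc
            on each worker node and remove the --hostname-override argument from the
            KUBELET_SYSTEM_PODS_ARGS variable.
            Based on your system, restart the kubelet service. For example:
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: false

        - id: "3.2.9"
          text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/cat $kubeletconf"
          tests:
            test_items:
              - flag: "--event-qps"
                path: '{.eventRecordQPS}'
                set: true
                compare:
                  # NOTE: only an explicit 0 passes; any other "appropriate level"
                  # named in the title is reported as a failure by this test.
                  op: eq
                  value: "0"
          remediation: |
            If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
            If using command line arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
            --event-qps=0
            Based on your system, restart the kubelet service. For example:
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: false

        - id: "3.2.10"
          text: "Ensure that the --rotate-certificates argument is not set to false (Manual)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/cat $kubeletconf"
          tests:
            # Explicit true, or not set at all (default), both pass.
            test_items:
              - flag: "--rotate-certificates"
                path: '{.rotateCertificates}'
                set: true
                compare:
                  op: eq
                  value: "true"
              - flag: "--rotate-certificates"
                path: '{.rotateCertificates}'
                set: false
            bin_op: or
          remediation: |
            If using a Kubelet config file, edit the file to add the line rotateCertificates: true or
            remove it altogether to use the default value.
            If using command line arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
            variable.
            Based on your system, restart the kubelet service. For example:
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: false

        - id: "3.2.11"
          text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/cat $kubeletconf"
          tests:
            test_items:
              # The flag is a feature-gate name, so the command-line match is on
              # "RotateKubeletServerCertificate" inside --feature-gates.
              - flag: "RotateKubeletServerCertificate"
                path: '{.featureGates.RotateKubeletServerCertificate}'
                set: true
                compare:
                  op: eq
                  value: "true"
          remediation: |
            Edit the kubelet service file $kubeletsvc
            on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
            --feature-gates=RotateKubeletServerCertificate=true
            Based on your system, restart the kubelet service. For example:
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: false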