github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/aks-1.0/policies.yaml (about) 1 --- 2 controls: 3 version: "aks-1.0" 4 id: 4 5 text: "Policies" 6 type: "policies" 7 groups: 8 - id: 4.1 9 text: "RBAC and Service Accounts" 10 checks: 11 - id: 4.1.1 12 text: "Ensure that the cluster-admin role is only used where required (Manual)" 13 type: "manual" 14 remediation: | 15 Identify all clusterrolebindings to the cluster-admin role. Check if they are used and 16 if they need this role or if they could use a role with fewer privileges. 17 Where possible, first bind users to a lower privileged role and then remove the 18 clusterrolebinding to the cluster-admin role : 19 kubectl delete clusterrolebinding [name] 20 scored: false 21 22 - id: 4.1.2 23 text: "Minimize access to secrets (Manual)" 24 type: "manual" 25 remediation: | 26 Where possible, remove get, list and watch access to secret objects in the cluster. 27 scored: false 28 29 - id: 4.1.3 30 text: "Minimize wildcard use in Roles and ClusterRoles (Manual)" 31 type: "manual" 32 remediation: | 33 Where possible replace any use of wildcards in clusterroles and roles with specific 34 objects or actions. 35 scored: false 36 37 - id: 4.1.4 38 text: "Minimize access to create pods (Manual)" 39 type: "manual" 40 remediation: | 41 Where possible, remove create access to pod objects in the cluster. 42 scored: false 43 44 - id: 4.1.5 45 text: "Ensure that default service accounts are not actively used. (Manual)" 46 type: "manual" 47 remediation: | 48 Create explicit service accounts wherever a Kubernetes workload requires specific access 49 to the Kubernetes API server. 50 Modify the configuration of each default service account to include this value 51 automountServiceAccountToken: false 52 scored: false 53 54 - id: 4.1.6 55 text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)" 56 type: "manual" 57 remediation: | 58 Modify the definition of pods and service accounts which do not need to mount service 59 account tokens to disable it. 60 scored: false 61 62 - id: 4.2 63 text: "Pod Security Policies" 64 checks: 65 - id: 4.2.1 66 text: "Minimize the admission of privileged containers (Automated)" 67 type: "manual" 68 remediation: | 69 Create a PSP as described in the Kubernetes documentation, ensuring that 70 the .spec.privileged field is omitted or set to false. 71 scored: false 72 73 - id: 4.2.2 74 text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)" 75 type: "manual" 76 remediation: | 77 Create a PSP as described in the Kubernetes documentation, ensuring that the 78 .spec.hostPID field is omitted or set to false. 79 scored: false 80 81 - id: 4.2.3 82 text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)" 83 type: "manual" 84 remediation: | 85 Create a PSP as described in the Kubernetes documentation, ensuring that the 86 .spec.hostIPC field is omitted or set to false. 87 scored: false 88 89 - id: 4.2.4 90 text: "Minimize the admission of containers wishing to share the host network namespace (Automated)" 91 type: "manual" 92 remediation: | 93 Create a PSP as described in the Kubernetes documentation, ensuring that the 94 .spec.hostNetwork field is omitted or set to false. 95 scored: false 96 97 - id: 4.2.5 98 text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)" 99 type: "manual" 100 remediation: | 101 Create a PSP as described in the Kubernetes documentation, ensuring that the 102 .spec.allowPrivilegeEscalation field is omitted or set to false. 103 scored: false 104 105 - id: 4.2.6 106 text: "Minimize the admission of root containers (Automated)" 107 type: "manual" 108 remediation: | 109 Create a PSP as described in the Kubernetes documentation, ensuring that the 110 .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of 111 UIDs not including 0. 112 scored: false 113 114 - id: 4.2.7 115 text: "Minimize the admission of containers with the NET_RAW capability (Automated)" 116 type: "manual" 117 remediation: | 118 Create a PSP as described in the Kubernetes documentation, ensuring that the 119 .spec.requiredDropCapabilities is set to include either NET_RAW or ALL. 120 scored: false 121 122 - id: 4.2.8 123 text: "Minimize the admission of containers with added capabilities (Automated)" 124 type: "manual" 125 remediation: | 126 Ensure that allowedCapabilities is not present in PSPs for the cluster unless 127 it is set to an empty array. 128 scored: false 129 130 - id: 4.2.9 131 text: "Minimize the admission of containers with capabilities assigned (Manual)" 132 type: "manual" 133 remediation: | 134 Review the use of capabilities in applications running on your cluster. Where a namespace 135 contains applications which do not require any Linux capabities to operate consider adding 136 a PSP which forbids the admission of containers which do not drop all capabilities. 137 scored: false 138 139 - id: 4.3 140 text: "Azure Policy / OPA" 141 checks: [] 142 143 - id: 4.4 144 text: "CNI Plugin" 145 checks: 146 - id: 4.4.1 147 text: "Ensure that the latest CNI version is used (Manual)" 148 type: "manual" 149 remediation: | 150 Review the documentation of AWS CNI plugin, and ensure latest CNI version is used. 151 scored: false 152 153 - id: 4.4.2 154 text: "Ensure that all Namespaces have Network Policies defined (Manual)" 155 type: "manual" 156 remediation: | 157 Follow the documentation and create NetworkPolicy objects as you need them. 158 scored: false 159 160 - id: 4.5 161 text: "Secrets Management" 162 checks: 163 - id: 4.5.1 164 text: "Prefer using secrets as files over secrets as environment variables (Manual)" 165 type: "manual" 166 remediation: | 167 If possible, rewrite application code to read secrets from mounted secret files, rather than 168 from environment variables. 169 scored: false 170 171 - id: 4.5.2 172 text: "Consider external secret storage (Manual)" 173 type: "manual" 174 remediation: | 175 Refer to the secrets management options offered by your cloud provider or a third-party 176 secrets management solution. 177 scored: false 178 179 - id: 4.6 180 text: "Extensible Admission Control" 181 checks: 182 - id: 4.6.1 183 text: "Verify that admission controllers are working as expected (Manual)" 184 type: "manual" 185 remediation: "No remediation" 186 scored: false 187 188 - id: 4.7 189 text: "General Policies" 190 checks: 191 - id: 4.7.1 192 text: "Create administrative boundaries between resources using namespaces (Manual)" 193 type: "manual" 194 remediation: | 195 Follow the documentation and create namespaces for objects in your deployment as you need 196 them. 197 scored: false 198 199 - id: 4.7.2 200 text: "Apply Security Context to Your Pods and Containers (Manual)" 201 type: "manual" 202 remediation: | 203 Follow the Kubernetes documentation and apply security contexts to your pods. For a 204 suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker 205 Containers. 206 scored: false 207 208 - id: 4.7.3 209 text: "The default namespace should not be used (Manual)" 210 type: "manual" 211 remediation: | 212 Ensure that namespaces are created to allow for appropriate segregation of Kubernetes 213 resources and that all new resources are created in a specific namespace. 214 scored: false