github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/cis-1.20/policies.yaml

---
controls:
version: "cis-1.20"
id: 5
text: "Kubernetes Policies"
type: "policies"
groups:
  - id: 5.1
    text: "RBAC and Service Accounts"
    checks:
      - id: 5.1.1
        text: "Ensure that the cluster-admin role is only used where required (Manual)"
        type: "manual"
        remediation: |
          Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
          if they need this role or if they could use a role with fewer privileges.
          Where possible, first bind users to a lower privileged role and then remove the
          clusterrolebinding to the cluster-admin role:
          kubectl delete clusterrolebinding [name]
        scored: false

      - id: 5.1.2
        text: "Minimize access to secrets (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove get, list and watch access to secret objects in the cluster.
        scored: false

      - id: 5.1.3
        text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
        type: "manual"
        remediation: |
          Where possible replace any use of wildcards in clusterroles and roles with specific
          objects or actions.
        scored: false

      - id: 5.1.4
        text: "Minimize access to create pods (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove create access to pod objects in the cluster.
        scored: false

      - id: 5.1.5
        text: "Ensure that default service accounts are not actively used. (Manual)"
        type: "manual"
        remediation: |
          Create explicit service accounts wherever a Kubernetes workload requires specific access
          to the Kubernetes API server.
          Modify the configuration of each default service account to include this value
          automountServiceAccountToken: false
        scored: false

      - id: 5.1.6
        text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)"
        type: "manual"
        remediation: |
          Modify the definition of pods and service accounts which do not need to mount service
          account tokens to disable it.
        scored: false

      - id: 5.1.7
        text: "Avoid use of system:masters group (Manual)"
        type: "manual"
        remediation: |
          Remove the system:masters group from all users in the cluster.
        scored: false

      - id: 5.1.8
        text: "Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove the impersonate, bind and escalate rights from subjects.
        scored: false

  - id: 5.2
    text: "Pod Security Policies"
    checks:
      - id: 5.2.1
        text: "Minimize the admission of privileged containers (Automated)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that
          the .spec.privileged field is omitted or set to false.
        scored: false

      - id: 5.2.2
        text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.hostPID field is omitted or set to false.
        scored: false

      - id: 5.2.3
        text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.hostIPC field is omitted or set to false.
        scored: false

      - id: 5.2.4
        text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.hostNetwork field is omitted or set to false.
        scored: false

      - id: 5.2.5
        text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.allowPrivilegeEscalation field is omitted or set to false.
        scored: false

      - id: 5.2.6
        text: "Minimize the admission of root containers (Automated)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of
          UIDs not including 0.
        scored: false

      - id: 5.2.7
        text: "Minimize the admission of containers with the NET_RAW capability (Automated)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
        scored: false

      - id: 5.2.8
        text: "Minimize the admission of containers with added capabilities (Automated)"
        type: "manual"
        remediation: |
          Ensure that allowedCapabilities is not present in PSPs for the cluster unless
          it is set to an empty array.
        scored: false

      - id: 5.2.9
        text: "Minimize the admission of containers with capabilities assigned (Manual)"
        type: "manual"
        remediation: |
          Review the use of capabilities in applications running on your cluster. Where a namespace
          contains applications which do not require any Linux capabilities to operate, consider adding
          a PSP which forbids the admission of containers which do not drop all capabilities.
        scored: false

  - id: 5.3
    text: "Network Policies and CNI"
    checks:
      - id: 5.3.1
        text: "Ensure that the CNI in use supports Network Policies (Manual)"
        type: "manual"
        remediation: |
          If the CNI plugin in use does not support network policies, consideration should be given to
          making use of a different plugin, or finding an alternate mechanism for restricting traffic
          in the Kubernetes cluster.
        scored: false

      - id: 5.3.2
        text: "Ensure that all Namespaces have Network Policies defined (Manual)"
        type: "manual"
        remediation: |
          Follow the documentation and create NetworkPolicy objects as you need them.
        scored: false

  - id: 5.4
    text: "Secrets Management"
    checks:
      - id: 5.4.1
        text: "Prefer using secrets as files over secrets as environment variables (Manual)"
        type: "manual"
        remediation: |
          If possible, rewrite application code to read secrets from mounted secret files, rather than
          from environment variables.
        scored: false

      - id: 5.4.2
        text: "Consider external secret storage (Manual)"
        type: "manual"
        remediation: |
          Refer to the secrets management options offered by your cloud provider or a third-party
          secrets management solution.
        scored: false

  - id: 5.5
    text: "Extensible Admission Control"
    checks:
      - id: 5.5.1
        text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
        type: "manual"
        remediation: |
          Follow the Kubernetes documentation and set up image provenance.
        scored: false

  - id: 5.7
    text: "General Policies"
    checks:
      - id: 5.7.1
        text: "Create administrative boundaries between resources using namespaces (Manual)"
        type: "manual"
        remediation: |
          Follow the documentation and create namespaces for objects in your deployment as you need
          them.
        scored: false

      - id: 5.7.2
        text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)"
        type: "manual"
        remediation: |
          Use security context to enable the docker/default seccomp profile in your pod definitions
          (in the securityContext field this profile is expressed as the RuntimeDefault type).
          An example is as below:
            securityContext:
              seccompProfile:
                type: RuntimeDefault
        scored: false

      - id: 5.7.3
        text: "Apply Security Context to Your Pods and Containers (Manual)"
        type: "manual"
        remediation: |
          Follow the Kubernetes documentation and apply security contexts to your pods. For a
          suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
          Containers.
        scored: false

      - id: 5.7.4
        text: "The default namespace should not be used (Manual)"
        type: "manual"
        remediation: |
          Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
          resources and that all new resources are created in a specific namespace.
        scored: false
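All of the 5.1 checks above are marked manual because kube-bench does not query the API server for RBAC objects. The following script is an added example, not part of kube-bench, showing how the review for 5.1.1, 5.1.2, 5.1.3, 5.1.4 and 5.1.8 can be scripted over the JSON that `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json` prints (a `List` whose `items` carry `kind`, `metadata`, and either `rules` or `roleRef`/`subjects`). The sample cluster data at the bottom is constructed for the example. 5.1.7 is deliberately not covered: membership in `system:masters` comes from the Organization field of client certificates, so no RBAC object records it.

```python
"""Audit RBAC objects for CIS 5.1.1, 5.1.2, 5.1.3, 5.1.4 and 5.1.8.

Added example, not kube-bench code. Input is the JSON List printed by
  kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json
"""
import json
from collections import defaultdict

READ_VERBS = {"get", "list", "watch"}                    # CIS 5.1.2
ESCALATION_VERBS = {"bind", "impersonate", "escalate"}   # CIS 5.1.8


def _name(obj):
    """namespace/name for namespaced objects, bare name for cluster-scoped ones."""
    meta = obj["metadata"]
    return f"{meta['namespace']}/{meta['name']}" if meta.get("namespace") else meta["name"]


def _subject(s):
    """Kind:name, with namespace for ServiceAccounts."""
    return f"{s['kind']}:{s['namespace']}/{s['name']}" if s.get("namespace") else f"{s['kind']}:{s['name']}"


def _grants(rule, resource, verbs):
    """True if a rule covers `resource` with any of `verbs`; '*' matches on either side."""
    return bool(set(rule.get("resources", [])) & {resource, "*"}) and \
        bool(set(rule.get("verbs", [])) & (verbs | {"*"}))


def _has_wildcard(rule):
    """CIS 5.1.3: a '*' in apiGroups, resources or verbs."""
    return any("*" in rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))


def audit(items):
    """Return {check_id: sorted findings}. Role findings name the subjects bound to the role."""
    roles = [o for o in items if o["kind"] in ("Role", "ClusterRole")]
    bindings = [o for o in items if o["kind"] in ("RoleBinding", "ClusterRoleBinding")]

    # (kind, namespace, name) of a role -> subjects holding it. A RoleBinding may
    # reference a ClusterRole (cluster-scoped) or a Role in its own namespace.
    holders = defaultdict(list)
    for b in bindings:
        ref = b["roleRef"]
        ns = b["metadata"]["namespace"] if ref["kind"] == "Role" else ""
        holders[(ref["kind"], ns, ref["name"])] += [_subject(s) for s in b.get("subjects", [])]

    findings = defaultdict(set)
    for b in bindings:                                   # 5.1.1: who gets cluster-admin
        if b["roleRef"]["kind"] == "ClusterRole" and b["roleRef"]["name"] == "cluster-admin":
            findings["5.1.1"].add(_name(b))
    for r in roles:
        key = (r["kind"], r["metadata"].get("namespace", ""), r["metadata"]["name"])
        tag = f"{r['kind']} {_name(r)} -> {','.join(holders[key]) or 'unbound'}"
        for rule in r.get("rules", []):
            verbs = set(rule.get("verbs", []))
            if _grants(rule, "secrets", READ_VERBS):
                findings["5.1.2"].add(tag)
            if _has_wildcard(rule):
                findings["5.1.3"].add(tag)
            if _grants(rule, "pods", {"create"}):
                findings["5.1.4"].add(tag)
            # Explicit escalation verbs, or a full wildcard rule that implies them.
            if verbs & ESCALATION_VERBS or ("*" in verbs and "*" in rule.get("resources", [])):
                findings["5.1.8"].add(tag)
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample in kubectl List form (not from any real cluster).
RBAC_SAMPLE = {"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-bot-admin"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "ci-bot"}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "secret-reader"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
    {"kind": "Role", "metadata": {"name": "pod-launcher", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "delete"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "pod-launcher", "namespace": "dev"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "pod-launcher"},
     "subjects": [{"kind": "ServiceAccount", "name": "builder", "namespace": "dev"}]},
    {"kind": "ClusterRole", "metadata": {"name": "impersonator"},
     "rules": [{"apiGroups": [""], "resources": ["users", "groups"], "verbs": ["impersonate"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "configmap-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]}]},
]}

if __name__ == "__main__":
    print(json.dumps(audit(RBAC_SAMPLE["items"]), indent=2))
```

On the sample, `ci-bot-admin` shows up under 5.1.1 alongside the built-in `cluster-admin` binding, `secret-reader` under 5.1.2 (bound to the `default` service account, which also trips 5.1.5), and the unbound `impersonator` role under 5.1.8; the read-only `configmap-viewer` role produces nothing. Unbound roles are still worth removing, since anyone with `bind` on them can hand them out later.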
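The 5.2 remediations are written in terms of PodSecurityPolicy, which was deprecated in Kubernetes v1.21 and removed in v1.25; whatever admission mechanism enforces them, the settings themselves live in the pod spec. The following script is an added example, not kube-bench code, that reads a Pod object (as in `kubectl get pods -A -o json`, or a manifest before it is applied) and reports which of 5.1.5, 5.1.6, 5.2.1 to 5.2.9, 5.4.1, 5.7.2 and 5.7.4 it would fail. The two sample manifests are constructed for the example, one deliberately weak and one hardened.

```python
"""Check Pod manifests for the settings CIS 5.1.5, 5.1.6, 5.2.x, 5.4.1, 5.7.2 and 5.7.4 ask about.

Added example, not kube-bench code. It reads the same fields a PSP (or, on v1.25+,
Pod Security Admission) would judge, straight from the pod spec.
"""
from collections import defaultdict


def _containers(spec):
    """All container specs in a pod, init and ephemeral containers included."""
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))


def check_pod(pod):
    """Return {check_id: [reason, ...]} for one Pod object; an empty dict means clean."""
    spec = pod["spec"]
    psc = spec.get("securityContext", {})          # pod-level securityContext
    out = defaultdict(list)

    if pod["metadata"].get("namespace", "default") == "default":
        out["5.7.4"].append("pod lives in the default namespace")
    if spec.get("serviceAccountName", "default") == "default":
        out["5.1.5"].append("pod runs as the default service account")
    if spec.get("automountServiceAccountToken", True):
        out["5.1.6"].append("service account token is auto-mounted")
    for field, cid in (("hostPID", "5.2.2"), ("hostIPC", "5.2.3"), ("hostNetwork", "5.2.4")):
        if spec.get(field):
            out[cid].append(f"spec.{field}=true")

    for c in _containers(spec):
        name = c["name"]
        csc = c.get("securityContext", {})         # container-level overrides pod-level
        if csc.get("privileged"):
            out["5.2.1"].append(f"{name}: privileged")
        if csc.get("allowPrivilegeEscalation", True):   # Kubernetes defaults this to true
            out["5.2.5"].append(f"{name}: allowPrivilegeEscalation not set to false")
        # UID 0 is rejected outright by MustRunAsNonRoot; with no UID and no runAsNonRoot
        # the image's USER decides at runtime, so flag that for review as well.
        uid = csc.get("runAsUser", psc.get("runAsUser"))
        non_root = csc.get("runAsNonRoot", psc.get("runAsNonRoot", False))
        if uid == 0 or (uid is None and not non_root):
            out["5.2.6"].append(f"{name}: may run as root")
        caps = csc.get("capabilities", {})
        dropped = set(caps.get("drop", []))
        if not dropped & {"NET_RAW", "ALL"}:
            out["5.2.7"].append(f"{name}: NET_RAW not dropped")
        if caps.get("add"):
            out["5.2.8"].append(f"{name}: adds {','.join(caps['add'])}")
        if "ALL" not in dropped:
            out["5.2.9"].append(f"{name}: does not drop all capabilities")
        # 5.7.2: RuntimeDefault is the securityContext form of docker/default.
        seccomp = csc.get("seccompProfile", psc.get("seccompProfile", {})).get("type")
        if seccomp != "RuntimeDefault":
            out["5.7.2"].append(f"{name}: seccompProfile type is {seccomp}")
        # 5.4.1: secrets in the environment are visible via /proc, child processes and crash dumps.
        for env in c.get("env", []):
            if "secretKeyRef" in env.get("valueFrom", {}):
                out["5.4.1"].append(f"{name}: env {env['name']} comes from a Secret")
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                out["5.4.1"].append(f"{name}: envFrom Secret {src['secretRef']['name']}")
    return dict(out)


# Constructed sample manifests (not from any real cluster).
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {"hostNetwork": True, "hostPID": True,
             "containers": [{"name": "shell", "image": "busybox",
                             "securityContext": {"privileged": True,
                                                 "capabilities": {"add": ["NET_ADMIN"]}},
                             "env": [{"name": "DB_PASSWORD",
                                      "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}]}]}}

GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api", "namespace": "prod"},
    "spec": {"serviceAccountName": "api", "automountServiceAccountToken": False,
             "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                                 "seccompProfile": {"type": "RuntimeDefault"}},
             "containers": [{"name": "api", "image": "registry.example/api:1.2.3",
                             "securityContext": {"allowPrivilegeEscalation": False,
                                                 "capabilities": {"drop": ["ALL"]}},
                             "volumeMounts": [{"name": "creds", "mountPath": "/var/run/secrets/app",
                                               "readOnly": True}]}],
             "volumes": [{"name": "creds", "secret": {"secretName": "api-creds"}}]}}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "clean")
```

`GOOD_POD` is also the shape of the remediation for 5.4.1: the Secret is mounted read-only as a file rather than injected through `env`. A `Localhost` seccomp profile is reported here as a deviation from 5.7.2 rather than accepted, because a custom profile needs a manual look anyway.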
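For 5.3.2 the question is not merely whether a namespace has any NetworkPolicy object, but whether something in it selects every pod and denies a direction, since a single allow rule for one app leaves all other pods unrestricted. The following script is an added example, not kube-bench code, that classifies each namespace from the JSON of `kubectl get namespaces,networkpolicies -A -o json`; the sample data is constructed for the example.

```python
"""Report which namespaces lack NetworkPolicy coverage (CIS 5.3.2).

Added example, not kube-bench code. Input is the JSON List printed by
  kubectl get namespaces,networkpolicies -A -o json
"""


def default_deny_directions(policy):
    """Directions ('Ingress'/'Egress') that a policy denies for every pod in its namespace."""
    spec = policy["spec"]
    selector = spec.get("podSelector", {})
    if selector.get("matchLabels") or selector.get("matchExpressions"):
        return set()                    # selects a subset of pods only
    # policyTypes defaults to Ingress when omitted (Egress is added only if egress rules exist,
    # and a policy with egress rules is not a deny anyway).
    types = set(spec.get("policyTypes") or ["Ingress"])
    denied = set()
    if "Ingress" in types and not spec.get("ingress"):
        denied.add("Ingress")
    if "Egress" in types and not spec.get("egress"):
        denied.add("Egress")
    return denied


def audit_network_policies(items):
    """Return {namespace: 'no policies' | 'no default deny' | 'default deny: <directions>'}."""
    namespaces = [o["metadata"]["name"] for o in items if o["kind"] == "Namespace"]
    policies = [o for o in items if o["kind"] == "NetworkPolicy"]
    report = {}
    for ns in namespaces:
        mine = [p for p in policies if p["metadata"]["namespace"] == ns]
        if not mine:
            report[ns] = "no policies"
            continue
        denied = set().union(*(default_deny_directions(p) for p in mine))
        report[ns] = ("default deny: " + ",".join(sorted(denied))) if denied else "no default deny"
    return report


# Constructed sample (not from any real cluster).
NETPOL_SAMPLE = {"kind": "List", "items": [
    {"kind": "Namespace", "metadata": {"name": "kube-system"}},
    {"kind": "Namespace", "metadata": {"name": "default"}},
    {"kind": "Namespace", "metadata": {"name": "prod"}},
    {"kind": "Namespace", "metadata": {"name": "dev"}},
    {"kind": "Namespace", "metadata": {"name": "staging"}},
    # prod: deny everything, then allow DNS egress explicitly.
    {"kind": "NetworkPolicy", "metadata": {"name": "default-deny-all", "namespace": "prod"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"kind": "NetworkPolicy", "metadata": {"name": "allow-dns", "namespace": "prod"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"],
              "egress": [{"ports": [{"port": 53, "protocol": "UDP"}]}]}},
    # dev: one allow rule for one app, no baseline deny.
    {"kind": "NetworkPolicy", "metadata": {"name": "allow-web", "namespace": "dev"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}},
              "ingress": [{"ports": [{"port": 8080}]}]}},
    # staging: ingress denied, egress left open.
    {"kind": "NetworkPolicy", "metadata": {"name": "default-deny-ingress", "namespace": "staging"},
     "spec": {"podSelector": {"matchLabels": {}}, "policyTypes": ["Ingress"]}},
]}

if __name__ == "__main__":
    for ns, status in audit_network_policies(NETPOL_SAMPLE["items"]).items():
        print(f"{ns:12} {status}")
```

The `prod` pattern (a deny-all plus explicit allows such as DNS egress) is the shape the 5.3.2 remediation expects; `dev` has a policy object yet no baseline, which a naive "does a NetworkPolicy exist" check would miss. None of this has any effect unless the CNI enforces NetworkPolicy (5.3.1), so check that first.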