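---
# CIS Kubernetes Benchmark v1.24, control plane ("master") checks adapted for MicroK8s.
#
# Placeholders such as $apiserverconf, $controllermanagerconf, $schedulerconf,
# $etcdconf, $etcddatadir, $schedulerkubeconfig, $controllermanagerkubeconfig
# and $kubeletbin are substituted by kube-bench from its config before the
# audit and remediation strings are used, so remediation text should use the
# same placeholders as the audit it belongs to.
#
# A check with `scored: false` is informational (reported as a warning rather
# than a failure); most of those are marked "(Manual)" in their title.
#
# The bare `controls:` key (null value) is the layout used by the other
# kube-bench control files; the document's top-level keys below carry the data.
controls:
version: "cis-1.24"
id: 1
text: "Control Plane Security Configuration"
type: "master"
groups:
  - id: 1.1
    text: "Control Plane Node Configuration Files"
    checks:
      # NOTE(review): this is the only permission check in group 1.1 that
      # accepts 644; the sibling checks (1.1.3, 1.1.5, 1.1.7, 1.1.13, ...)
      # require 600 — confirm 644 is intended for the API server file.
      - id: 1.1.1
        text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the
          control plane node.
          For example, chmod 644 $apiserverconf
        scored: true

      - id: 1.1.2
        text: "Ensure that the API server pod specification file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chown root:root $apiserverconf
        scored: true

      - id: 1.1.3
        text: "Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chmod 600 $controllermanagerconf
        scored: true

      - id: 1.1.4
        text: "Ensure that the controller manager pod specification file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chown root:root $controllermanagerconf
        scored: true

      - id: 1.1.5
        text: "Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chmod 600 $schedulerconf
        scored: true

      - id: 1.1.6
        text: "Ensure that the scheduler pod specification file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chown root:root $schedulerconf
        scored: true

      - id: 1.1.7
        text: "Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c permissions=%a $etcdconf; fi'"
        # Every line of audit output is evaluated, not just the first one.
        use_multiple_values: true
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chmod 600 $etcdconf
        scored: true

      - id: 1.1.8
        text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chown root:root $etcdconf
        scored: true

      - id: 1.1.9
        text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)"
        # Only the MicroK8s calico conflist is inspected; `--no-run-if-empty`
        # keeps stat from running with no arguments when the file is absent.
        audit: |
          find /var/snap/microk8s/current/args/cni-network/10-calico.conflist -type f 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a
        use_multiple_values: true
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chmod 600 <path/to/cni/files>
        scored: false

      - id: 1.1.10
        text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
        # First line: derive the CNI conf dir from the running kubelet's
        # --cni-conf-dir argument; second line: the MicroK8s calico conflist.
        audit: |
          ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G
          find /var/snap/microk8s/current/args/cni-network/10-calico.conflist -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
        use_multiple_values: true
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chown root:root <path/to/cni/files>
        scored: false

      # Etcd is not running on MicroK8s master nodes
      # The audit checks the dqlite backend directory and falls back to
      # $etcddatadir only when that directory does not exist.
      - id: 1.1.11
        text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
        audit: |
          DATA_DIR='/var/snap/microk8s/current/var/kubernetes/backend/'
          if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
          stat -c permissions=%a "$DATA_DIR"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "700"
        remediation: |
          On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
          from the command 'ps -ef | grep etcd'.
          Run the below command (based on the etcd data directory found above). For example,
          chmod 700 /var/snap/microk8s/current/var/kubernetes/backend/
        scored: true

      # Etcd is not running on MicroK8s master nodes
      # NOTE(review): the title (benchmark wording) says etcd:etcd, but the
      # test_items flag and the remediation both expect root:root; the flag is
      # what this check actually enforces.
      - id: 1.1.12
        text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
        audit: |
          DATA_DIR='/var/snap/microk8s/current/var/kubernetes/backend/'
          if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
          stat -c %U:%G "$DATA_DIR"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
          from the command 'ps -ef | grep etcd'.
          Run the below command (based on the etcd data directory found above).
          For example, chown root:root /var/snap/microk8s/current/var/kubernetes/backend/
        scored: true

      # On MicroK8s the admin kubeconfig is credentials/client.config, so the
      # path is hard-coded here instead of using a placeholder.
      - id: 1.1.13
        text: "Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e /var/snap/microk8s/current/credentials/client.config; then stat -c permissions=%a /var/snap/microk8s/current/credentials/client.config; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chmod 600 /var/snap/microk8s/current/credentials/client.config
        scored: true

      - id: 1.1.14
        text: "Ensure that the admin.conf file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e /var/snap/microk8s/current/credentials/client.config; then stat -c %U:%G /var/snap/microk8s/current/credentials/client.config; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chown root:root /var/snap/microk8s/current/credentials/client.config
        scored: true

      - id: 1.1.15
        text: "Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c permissions=%a $schedulerkubeconfig; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chmod 600 $schedulerkubeconfig
        scored: true

      - id: 1.1.16
        text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c %U:%G $schedulerkubeconfig; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chown root:root $schedulerkubeconfig
        scored: true

      - id: 1.1.17
        text: "Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chmod 600 $controllermanagerkubeconfig
        scored: true

      - id: 1.1.18
        text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c %U:%G $controllermanagerkubeconfig; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chown root:root $controllermanagerkubeconfig
        scored: true

      # Checks 1.1.19-1.1.21 walk the MicroK8s certs directory; every path
      # found is checked because of use_multiple_values.
      - id: 1.1.19
        text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)"
        audit: "find /var/snap/microk8s/current/certs/ | xargs stat -c %U:%G"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chown -R root:root /var/snap/microk8s/current/certs/
        scored: true

      - id: 1.1.20
        text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)"
        audit: "find /var/snap/microk8s/current/certs/ -name '*.crt' | xargs stat -c permissions=%a"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chmod -R 600 /var/snap/microk8s/current/certs/*.crt
        scored: false

      - id: 1.1.21
        text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)"
        audit: "find /var/snap/microk8s/current/certs/ -name '*.key' | xargs stat -c permissions=%a"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chmod -R 600 /var/snap/microk8s/current/certs/*.key
        scored: false

  - id: 1.2
    text: "API Server"
    # All checks in this group read the API server argument file via
    # `cat $apiserverconf` and match flags in its contents.
    checks:
      # NOTE(review): the `set: false` alternative passes when the flag is
      # absent, although kube-apiserver defaults --anonymous-auth to true; an
      # absent flag therefore still deserves manual confirmation (the check
      # is unscored for that reason).
      - id: 1.2.1
        text: "Ensure that the --anonymous-auth argument is set to false (Manual)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--anonymous-auth"
              compare:
                op: eq
                value: false
            - flag: "--anonymous-auth"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the below parameter.
          --anonymous-auth=false
        scored: false

      - id: 1.2.2
        text: "Ensure that the --token-auth-file parameter is not set (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          test_items:
            - flag: "--token-auth-file"
              set: false
        remediation: |
          Follow the documentation and configure alternate mechanisms for authentication. Then,
          edit the API server pod specification file $apiserverconf
          on the control plane node and remove the --token-auth-file=<filename> parameter.
        scored: true

      - id: 1.2.3
        text: "Ensure that the --DenyServiceExternalIPs is not set (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: nothave
                value: "DenyServiceExternalIPs"
            - flag: "--enable-admission-plugins"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and remove the `DenyServiceExternalIPs`
          from enabled admission plugins.
        scored: true

      - id: 1.2.4
        text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          bin_op: and
          test_items:
            - flag: "--kubelet-client-certificate"
            - flag: "--kubelet-client-key"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection between the
          apiserver and kubelets. Then, edit API server pod specification file
          $apiserverconf on the control plane node and set the
          kubelet client certificate and key parameters as below.
          --kubelet-client-certificate=<path/to/client-certificate-file>
          --kubelet-client-key=<path/to/client-key-file>
        scored: true

      - id: 1.2.5
        text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          test_items:
            - flag: "--kubelet-certificate-authority"
        remediation: |
          Follow the Kubernetes documentation and setup the TLS connection between
          the apiserver and kubelets. Then, edit the API server pod specification file
          $apiserverconf on the control plane node and set the
          --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.
          --kubelet-certificate-authority=<ca-string>
        scored: true

      - id: 1.2.6
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          test_items:
            - flag: "--authorization-mode"
              compare:
                op: nothave
                value: "AlwaysAllow"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --authorization-mode parameter to values other than AlwaysAllow.
          One such example could be as below.
          --authorization-mode=RBAC
        scored: true

      - id: 1.2.7
        text: "Ensure that the --authorization-mode argument includes Node (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          test_items:
            - flag: "--authorization-mode"
              compare:
                op: has
                value: "Node"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --authorization-mode parameter to a value that includes Node.
          --authorization-mode=Node,RBAC
        scored: true

      - id: 1.2.8
        text: "Ensure that the --authorization-mode argument includes RBAC (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          test_items:
            - flag: "--authorization-mode"
              compare:
                op: has
                value: "RBAC"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --authorization-mode parameter to a value that includes RBAC,
          for example `--authorization-mode=Node,RBAC`.
        scored: true

      - id: 1.2.9
        text: "Ensure that the admission control plugin EventRateLimit is set (Manual)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "EventRateLimit"
        remediation: |
          Follow the Kubernetes documentation and set the desired limits in a configuration file.
          Then, edit the API server pod specification file $apiserverconf
          and set the below parameters.
          --enable-admission-plugins=...,EventRateLimit,...
          --admission-control-config-file=<path/to/configuration/file>
        scored: false

      - id: 1.2.10
        text: "Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: nothave
                value: AlwaysAdmit
            - flag: "--enable-admission-plugins"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and either remove the --enable-admission-plugins parameter, or set it to a
          value that does not include AlwaysAdmit.
        scored: true

      - id: 1.2.11
        text: "Ensure that the admission control plugin AlwaysPullImages is set (Manual)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "AlwaysPullImages"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --enable-admission-plugins parameter to include
          AlwaysPullImages.
          --enable-admission-plugins=...,AlwaysPullImages,...
        scored: false

      - id: 1.2.12
        text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "SecurityContextDeny"
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "PodSecurityPolicy"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --enable-admission-plugins parameter to include
          SecurityContextDeny, unless PodSecurityPolicy is already in place.
          --enable-admission-plugins=...,SecurityContextDeny,...
        scored: false

      # 1.2.13 and 1.2.14 verify a default-enabled plugin has not been turned
      # off, so they look at --disable-admission-plugins rather than the
      # enable list.
      - id: 1.2.13
        text: "Ensure that the admission control plugin ServiceAccount is set (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--disable-admission-plugins"
              compare:
                op: nothave
                value: "ServiceAccount"
            - flag: "--disable-admission-plugins"
              set: false
        remediation: |
          Follow the documentation and create ServiceAccount objects as per your environment.
          Then, edit the API server pod specification file $apiserverconf
          on the control plane node and ensure that the --disable-admission-plugins parameter is set to a
          value that does not include ServiceAccount.
        scored: true

      - id: 1.2.14
        text: "Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--disable-admission-plugins"
              compare:
                op: nothave
                value: "NamespaceLifecycle"
            - flag: "--disable-admission-plugins"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --disable-admission-plugins parameter to
          ensure it does not include NamespaceLifecycle.
        scored: true

      - id: 1.2.15
        text: "Ensure that the admission control plugin NodeRestriction is set (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "NodeRestriction"
        remediation: |
          Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets.
          Then, edit the API server pod specification file $apiserverconf
          on the control plane node and set the --enable-admission-plugins parameter to a
          value that includes NodeRestriction.
          --enable-admission-plugins=...,NodeRestriction,...
        scored: true

      - id: 1.2.16
        text: "Ensure that the --secure-port argument is not set to 0 (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--secure-port"
              compare:
                op: gt
                value: 0
            - flag: "--secure-port"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and either remove the --secure-port parameter or
          set it to a different (non-zero) desired port.
        scored: true

      - id: 1.2.17
        text: "Ensure that the --profiling argument is set to false (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          test_items:
            - flag: "--profiling"
              compare:
                op: eq
                value: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the below parameter.
          --profiling=false
        scored: true

      - id: 1.2.18
        text: "Ensure that the --audit-log-path argument is set (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          test_items:
            - flag: "--audit-log-path"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --audit-log-path parameter to a suitable path and
          file where you would like audit logs to be written, for example,
          --audit-log-path=/var/log/apiserver/audit.log
        scored: true

      - id: 1.2.19
        text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          test_items:
            - flag: "--audit-log-maxage"
              compare:
                op: gte
                value: 30
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --audit-log-maxage parameter to 30
          or as an appropriate number of days, for example,
          --audit-log-maxage=30
        scored: true

      - id: 1.2.20
        text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          test_items:
            - flag: "--audit-log-maxbackup"
              compare:
                op: gte
                value: 10
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate
          value. For example,
          --audit-log-maxbackup=10
        scored: true

      - id: 1.2.21
        text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          test_items:
            - flag: "--audit-log-maxsize"
              compare:
                op: gte
                value: 100
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB.
          For example, to set it as 100 MB, --audit-log-maxsize=100
        scored: true

      # No `tests` section: this check only prints the audit output for a
      # human to review (type: manual).
      - id: 1.2.22
        text: "Ensure that the --request-timeout argument is set as appropriate (Manual)"
        audit: "cat $apiserverconf | grep -v grep"
        type: manual
        remediation: |
          Edit the API server pod specification file $apiserverconf
          and set the below parameter as appropriate and if needed.
          For example, --request-timeout=300s
        scored: false

      - id: 1.2.23
        text: "Ensure that the --service-account-lookup argument is set to true (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--service-account-lookup"
              set: false
            - flag: "--service-account-lookup"
              compare:
                op: eq
                value: true
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the below parameter.
          --service-account-lookup=true
          Alternatively, you can delete the --service-account-lookup parameter from this file so
          that the default takes effect.
        scored: true

      - id: 1.2.24
        text: "Ensure that the --service-account-key-file argument is set as appropriate (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          test_items:
            - flag: "--service-account-key-file"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --service-account-key-file parameter
          to the public key file for service accounts. For example,
          --service-account-key-file=<filename>
        scored: true

      # MicroK8s does not use etcd. The API server talks to a local dqlite instance,
      # which is why the etcd TLS checks 1.2.25 and 1.2.28 are unscored here.
      - id: 1.2.25
        text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          bin_op: and
          test_items:
            - flag: "--etcd-certfile"
            - flag: "--etcd-keyfile"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.
          Then, edit the API server pod specification file $apiserverconf
          on the control plane node and set the etcd certificate and key file parameters.
          --etcd-certfile=<path/to/client-certificate-file>
          --etcd-keyfile=<path/to/client-key-file>
        scored: false

      - id: 1.2.26
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          bin_op: and
          test_items:
            - flag: "--tls-cert-file"
            - flag: "--tls-private-key-file"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
          Then, edit the API server pod specification file $apiserverconf
          on the control plane node and set the TLS certificate and private key file parameters.
          --tls-cert-file=<path/to/tls-certificate-file>
          --tls-private-key-file=<path/to/tls-key-file>
        scored: true

      - id: 1.2.27
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          test_items:
            - flag: "--client-ca-file"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
          Then, edit the API server pod specification file $apiserverconf
          on the control plane node and set the client certificate authority file.
          --client-ca-file=<path/to/client-ca-file>
        scored: true

      - id: 1.2.28
        text: "Ensure that the --etcd-cafile argument is set as appropriate (Automated)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          test_items:
            - flag: "--etcd-cafile"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.
          Then, edit the API server pod specification file $apiserverconf
          on the control plane node and set the etcd certificate authority file parameter.
          --etcd-cafile=<path/to/ca-file>
        scored: false

      - id: 1.2.29
        text: "Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          test_items:
            - flag: "--encryption-provider-config"
        remediation: |
          Follow the Kubernetes documentation and configure a EncryptionConfig file.
          Then, edit the API server pod specification file $apiserverconf
          on the control plane node and set the --encryption-provider-config parameter to the path of that file.
          For example, --encryption-provider-config=</path/to/EncryptionConfig/File>
        scored: false

      # The audit resolves the EncryptionConfig path from the API server args
      # and reports only the first provider listed under `providers:`
      # (`grep -A1 ... | tail -n1`); a config whose first provider is not one
      # of aescbc/kms/secretbox (e.g. identity first) fails this check, and
      # later providers are not inspected.
      - id: 1.2.30
        text: "Ensure that encryption providers are appropriately configured (Manual)"
        audit: |
          ENCRYPTION_PROVIDER_CONFIG=$(cat $apiserverconf | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\([^ ]*\).*%\1%')
          if test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -A1 'providers:' $ENCRYPTION_PROVIDER_CONFIG | tail -n1 | grep -o "[A-Za-z]*" | sed 's/^/provider=/'; fi
        tests:
          test_items:
            - flag: "provider"
              compare:
                op: valid_elements
                value: "aescbc,kms,secretbox"
        remediation: |
          Follow the Kubernetes documentation and configure a EncryptionConfig file.
          In this file, choose aescbc, kms or secretbox as the encryption provider.
        scored: false

      # valid_elements passes when every configured suite is in this allow
      # list, so a stricter subset is also accepted.
      # NOTE(review): the list mirrors the benchmark's permitted set and still
      # contains 3DES (TLS_*_3DES_EDE_CBC_SHA) and static-RSA (TLS_RSA_WITH_*,
      # no forward secrecy) suites; deployments wanting a stricter policy can
      # configure a subset without failing this check.
      - id: 1.2.31
        text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)"
        audit: "cat $apiserverconf | grep -v grep"
        tests:
          test_items:
            - flag: "--tls-cipher-suites"
              compare:
                op: valid_elements
                value: "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384"
        # Remediation uses the $apiserverconf placeholder like every other
        # check in this file rather than the upstream kubeadm manifest path.
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the below parameter.
          --tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,
          TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
          TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
          TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
          TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
          TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
          TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384
        scored: false

  - id: 1.3
    text: "Controller Manager"
    checks:
      - id: 1.3.1
        text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"
        audit: "cat $controllermanagerconf | grep -v grep"
        tests:
          test_items:
            - flag: "--terminated-pod-gc-threshold"
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node and set the --terminated-pod-gc-threshold to an appropriate threshold,
          for example, --terminated-pod-gc-threshold=10
        scored: false

      - id: 1.3.2
        text: "Ensure that the --profiling argument is set to false (Automated)"
        audit: "cat $controllermanagerconf | grep -v grep"
        tests:
          test_items:
            - flag: "--profiling"
              compare:
                op: eq
                value: false
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node and set the below parameter.
          --profiling=false
        scored: true

      # `noteq false` rather than `eq true`: the flag must be present, and
      # any value other than false is accepted.
      - id: 1.3.3
        text: "Ensure that the --use-service-account-credentials argument is set to true (Automated)"
        audit: "cat $controllermanagerconf | grep -v grep"
        tests:
          test_items:
            - flag: "--use-service-account-credentials"
              compare:
                op: noteq
                value: false
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node to set the below parameter.
          --use-service-account-credentials=true
        scored: true

      - id: 1.3.4
        text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"
        audit: "cat $controllermanagerconf | grep -v grep"
        tests:
          test_items:
            - flag: "--service-account-private-key-file"
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node and set the --service-account-private-key-file parameter
          to the private key file for service accounts.
          --service-account-private-key-file=<filename>
        scored: true

      - id: 1.3.5
        text: "Ensure that the --root-ca-file argument is set as appropriate (Automated)"
        audit: "cat $controllermanagerconf | grep -v grep"
        tests:
          test_items:
            - flag: "--root-ca-file"
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node and set the --root-ca-file parameter to the certificate bundle file.
          --root-ca-file=<path/to/file>
        scored: true

      # Passes when --feature-gates is absent or does not explicitly disable
      # the gate; only an explicit `RotateKubeletServerCertificate=false` fails.
      - id: 1.3.6
        text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"
        audit: "cat $controllermanagerconf | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--feature-gates"
              compare:
                op: nothave
                value: "RotateKubeletServerCertificate=false"
              set: true
            - flag: "--feature-gates"
              set: false
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.
          --feature-gates=RotateKubeletServerCertificate=true
        scored: true

      # NOTE(review): an absent --bind-address passes (set: false); confirm
      # the component's default bind address is loopback in this MicroK8s
      # build, otherwise the absent case should be treated as a finding.
      # The same applies to 1.4.2.
      - id: 1.3.7
        text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
        audit: "cat $controllermanagerconf | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--bind-address"
              compare:
                op: eq
                value: "127.0.0.1"
            - flag: "--bind-address"
              set: false
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node and ensure the correct value for the --bind-address parameter
        scored: true

  - id: 1.4
    text: "Scheduler"
    checks:
      - id: 1.4.1
        text: "Ensure that the --profiling argument is set to false (Automated)"
        audit: "cat $schedulerconf | grep -v grep"
        tests:
          test_items:
            - flag: "--profiling"
              compare:
                op: eq
                value: false
        remediation: |
          Edit the Scheduler pod specification file $schedulerconf
          on the control plane node and set the below parameter.
          --profiling=false
        scored: true

      - id: 1.4.2
        text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
        audit: "cat $schedulerconf | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--bind-address"
              compare:
                op: eq
                value: "127.0.0.1"
            - flag: "--bind-address"
              set: false
        remediation: |
          Edit the Scheduler pod specification file $schedulerconf
          on the control plane node and ensure the correct value for the --bind-address parameter
        scored: true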