github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/cis-1.5/policies.yaml

---
controls:
version: "cis-1.5"
id: 5
text: "Kubernetes Policies"
type: "policies"
groups:
  - id: 5.1
    text: "RBAC and Service Accounts"
    checks:
      - id: 5.1.1
        text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
        type: "manual"
        remediation: |
          Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
          if they need this role or if they could use a role with fewer privileges.
          Where possible, first bind users to a lower privileged role and then remove the
          clusterrolebinding to the cluster-admin role:
          kubectl delete clusterrolebinding [name]
        scored: false

      - id: 5.1.2
        text: "Minimize access to secrets (Not Scored)"
        type: "manual"
        remediation: |
          Where possible, remove get, list and watch access to secret objects in the cluster.
        scored: false

      - id: 5.1.3
        text: "Minimize wildcard use in Roles and ClusterRoles (Not Scored)"
        type: "manual"
        remediation: |
          Where possible replace any use of wildcards in clusterroles and roles with specific
          objects or actions.
        scored: false

      - id: 5.1.4
        text: "Minimize access to create pods (Not Scored)"
        type: "manual"
        remediation: |
          Where possible, remove create access to pod objects in the cluster.
        scored: false

      - id: 5.1.5
        text: "Ensure that default service accounts are not actively used. (Scored)"
        type: "manual"
        remediation: |
          Create explicit service accounts wherever a Kubernetes workload requires specific access
          to the Kubernetes API server.
          Modify the configuration of each default service account to include this value
          automountServiceAccountToken: false
        scored: true

      - id: 5.1.6
        text: "Ensure that Service Account Tokens are only mounted where necessary (Not Scored)"
        type: "manual"
        remediation: |
          Modify the definition of pods and service accounts which do not need to mount service
          account tokens to disable it.
        scored: false

  - id: 5.2
    text: "Pod Security Policies"
    checks:
      - id: 5.2.1
        text: "Minimize the admission of privileged containers (Not Scored)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that
          the .spec.privileged field is omitted or set to false.
        scored: false

      - id: 5.2.2
        text: "Minimize the admission of containers wishing to share the host process ID namespace (Scored)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.hostPID field is omitted or set to false.
        scored: true

      - id: 5.2.3
        text: "Minimize the admission of containers wishing to share the host IPC namespace (Scored)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.hostIPC field is omitted or set to false.
        scored: true

      - id: 5.2.4
        text: "Minimize the admission of containers wishing to share the host network namespace (Scored)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.hostNetwork field is omitted or set to false.
        scored: true

      - id: 5.2.5
        text: "Minimize the admission of containers with allowPrivilegeEscalation (Scored)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.allowPrivilegeEscalation field is omitted or set to false.
        scored: true

      - id: 5.2.6
        text: "Minimize the admission of root containers (Not Scored)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of
          UIDs not including 0.
        scored: false

      - id: 5.2.7
        text: "Minimize the admission of containers with the NET_RAW capability (Not Scored)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
        scored: false

      - id: 5.2.8
        text: "Minimize the admission of containers with added capabilities (Not Scored)"
        type: "manual"
        remediation: |
          Ensure that allowedCapabilities is not present in PSPs for the cluster unless
          it is set to an empty array.
        scored: false

      - id: 5.2.9
        text: "Minimize the admission of containers with capabilities assigned (Not Scored)"
        type: "manual"
        remediation: |
          Review the use of capabilities in applications running on your cluster. Where a namespace
          contains applications which do not require any Linux capabilities to operate, consider adding
          a PSP which forbids the admission of containers which do not drop all capabilities.
        scored: false

  - id: 5.3
    text: "Network Policies and CNI"
    checks:
      - id: 5.3.1
        text: "Ensure that the CNI in use supports Network Policies (Not Scored)"
        type: "manual"
        remediation: |
          If the CNI plugin in use does not support network policies, consideration should be given to
          making use of a different plugin, or finding an alternate mechanism for restricting traffic
          in the Kubernetes cluster.
        scored: false

      - id: 5.3.2
        text: "Ensure that all Namespaces have Network Policies defined (Scored)"
        type: "manual"
        remediation: |
          Follow the documentation and create NetworkPolicy objects as you need them.
        scored: true

  - id: 5.4
    text: "Secrets Management"
    checks:
      - id: 5.4.1
        text: "Prefer using secrets as files over secrets as environment variables (Not Scored)"
        type: "manual"
        remediation: |
          If possible, rewrite application code to read secrets from mounted secret files, rather than
          from environment variables.
        scored: false

      - id: 5.4.2
        text: "Consider external secret storage (Not Scored)"
        type: "manual"
        remediation: |
          Refer to the secrets management options offered by your cloud provider or a third-party
          secrets management solution.
        scored: false

  - id: 5.5
    text: "Extensible Admission Control"
    checks:
      - id: 5.5.1
        text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
        type: "manual"
        remediation: |
          Follow the Kubernetes documentation and set up image provenance.
        scored: false

  - id: 5.7
    text: "General Policies"
    checks:
      - id: 5.7.1
        text: "Create administrative boundaries between resources using namespaces (Not Scored)"
        type: "manual"
        remediation: |
          Follow the documentation and create namespaces for objects in your deployment as you need
          them.
        scored: false

      - id: 5.7.2
        text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
        type: "manual"
        remediation: |
          Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
          would need to enable alpha features in the apiserver by passing the
          "--feature-gates=AllAlpha=true" argument.
          Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
          parameter to "--feature-gates=AllAlpha=true"
          KUBE_API_ARGS="--feature-gates=AllAlpha=true"
          Based on your system, restart the kube-apiserver service. For example:
          systemctl restart kube-apiserver.service
          Use annotations to enable the docker/default seccomp profile in your pod definitions. An
          example is as below:
          apiVersion: v1
          kind: Pod
          metadata:
            name: trustworthy-pod
            annotations:
              seccomp.security.alpha.kubernetes.io/pod: docker/default
          spec:
            containers:
              - name: trustworthy-container
                image: sotrustworthy:latest
        scored: false

      - id: 5.7.3
        text: "Apply Security Context to Your Pods and Containers (Not Scored)"
        type: "manual"
        remediation: |
          Follow the Kubernetes documentation and apply security contexts to your pods. For a
          suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
          Containers.
        scored: false

      - id: 5.7.4
        text: "The default namespace should not be used (Scored)"
        type: "manual"
        remediation: |
          Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
          resources and that all new resources are created in a specific namespace.
        scored: true
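Every check in group 5.1 is `type: "manual"`, so kube-bench only prints the remediation text and the operator has to do the RBAC review by hand. The script below is an added example, not part of kube-bench, that does that review for 5.1.1 through 5.1.5 offline: it reads the JSON that `kubectl get clusterrolebindings -o json`, `kubectl get clusterroles,roles -A -o json` and `kubectl get serviceaccounts -A -o json` produce and reports cluster-admin bindings, roles granting secret reads or pod creation (wildcards count as a match, since `*` grants those verbs too), roles containing wildcards, and `default` service accounts that still automount their token. The three JSON samples are constructed for the example and trimmed to the fields the checks use.

```python
import json

# Constructed sample of `kubectl get clusterrolebindings -o json` (trimmed fields).
SAMPLE_CRBS = json.loads("""
{"items": [
  {"metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"metadata": {"name": "ci-runner-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "runner", "namespace": "ci"}]},
  {"metadata": {"name": "viewers"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "Group", "name": "devs"}]}
]}""")

# Constructed sample of `kubectl get clusterroles,roles -A -o json` (both kinds in one list).
SAMPLE_ROLES = json.loads("""
{"items": [
  {"kind": "ClusterRole", "metadata": {"name": "ops-anything"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"kind": "Role", "metadata": {"name": "app-secrets", "namespace": "shop"},
   "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
  {"kind": "Role", "metadata": {"name": "deployer", "namespace": "shop"},
   "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "delete"]}]}
]}""")

# Constructed sample of `kubectl get serviceaccounts -A -o json`.
SAMPLE_SAS = json.loads("""
{"items": [
  {"metadata": {"name": "default", "namespace": "shop"}, "automountServiceAccountToken": false},
  {"metadata": {"name": "default", "namespace": "ci"}},
  {"metadata": {"name": "runner", "namespace": "ci"}}
]}""")


def _role_id(role):
    ns = role["metadata"].get("namespace")
    return f"{role['kind']}/{ns + '/' if ns else ''}{role['metadata']['name']}"


def _subject(s):
    ns = f"{s['namespace']}/" if s["kind"] == "ServiceAccount" else ""
    return f"{s['kind']}:{ns}{s['name']}"


def rule_grants(rule, group, resource, verb):
    """True if one RBAC rule allows `verb` on `resource` in API `group`.
    "*" in any of the three lists matches everything, so wildcard roles are caught too."""
    return all("*" in rule.get(k, []) or want in rule.get(k, [])
               for k, want in (("apiGroups", group), ("resources", resource), ("verbs", verb)))


def cluster_admin_bindings(crbs):
    """5.1.1: every ClusterRoleBinding that hands out cluster-admin, with its subjects."""
    return [(b["metadata"]["name"], [_subject(s) for s in b.get("subjects", [])])
            for b in crbs["items"]
            if b["roleRef"]["kind"] == "ClusterRole" and b["roleRef"]["name"] == "cluster-admin"]


def wildcard_roles(roles):
    """5.1.3: roles with "*" in apiGroups, resources or verbs of any rule."""
    return sorted({_role_id(r) for r in roles["items"] for rule in r.get("rules", [])
                   if any("*" in rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))})


def roles_granting(roles, group, resource, verbs):
    """Roles allowing any of `verbs` on `resource`; backs 5.1.2 and 5.1.4."""
    return sorted({_role_id(r) for r in roles["items"] for rule in r.get("rules", [])
                   if any(rule_grants(rule, group, resource, v) for v in verbs)})


def secret_readers(roles):
    """5.1.2: get/list/watch on secrets (list and watch return the data, not just names)."""
    return roles_granting(roles, "", "secrets", ("get", "list", "watch"))


def pod_creators(roles):
    """5.1.4: create on pods (a pod spec can mount any secret or hostPath in its namespace)."""
    return roles_granting(roles, "", "pods", ("create",))


def default_sas_mounting_tokens(sas):
    """5.1.5: namespaces whose `default` ServiceAccount still automounts its token."""
    return [sa["metadata"]["namespace"] for sa in sas["items"]
            if sa["metadata"]["name"] == "default" and sa.get("automountServiceAccountToken") is not False]


if __name__ == "__main__":
    print("5.1.1", cluster_admin_bindings(SAMPLE_CRBS))
    print("5.1.2", secret_readers(SAMPLE_ROLES))
    print("5.1.3", wildcard_roles(SAMPLE_ROLES))
    print("5.1.4", pod_creators(SAMPLE_ROLES))
    print("5.1.5", default_sas_mounting_tokens(SAMPLE_SAS))
```

Against a real cluster, replace the three samples with `json.load()` of the files the `kubectl` commands in the lead-in write. The built-in `cluster-admin` binding to `system:masters` will always appear under 5.1.1; the findings to act on are the other subjects, such as the `ci/runner` service account in the sample. Note that 5.1.1 as written only names ClusterRoleBindings: a namespaced RoleBinding whose roleRef is the `cluster-admin` ClusterRole grants full control of that one namespace and is worth listing with the same filter over `kubectl get rolebindings -A -o json`.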
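The 5.2.x items describe what a PodSecurityPolicy should refuse at admission time; the benchmark leaves verifying that to the operator. As an added example (not kube-bench's code) the script below turns those admission rules, plus 5.1.6 (token automount) and 5.7.2 (seccomp), into an audit of pods that are already running, which shows what the policy in force failed to keep out. It reads the JSON from `kubectl get pods -A -o json`; the two pods are constructed, one deliberately weak and one hardened. For 5.7.2 it accepts either the `seccomp.security.alpha.kubernetes.io/pod` annotation the benchmark text uses or the `securityContext.seccompProfile` field that replaced it.

```python
import json

# Constructed sample of `kubectl get pods -A -o json`, trimmed to the fields audited.
SAMPLE_PODS = json.loads("""
{"items": [
  {"metadata": {"name": "debug", "namespace": "default"},
   "spec": {"hostPID": true, "hostNetwork": true,
            "containers": [{"name": "shell", "image": "busybox",
              "securityContext": {"privileged": true,
                                  "capabilities": {"add": ["SYS_ADMIN"]}}}]}},
  {"metadata": {"name": "web", "namespace": "shop"},
   "spec": {"automountServiceAccountToken": false,
            "securityContext": {"runAsNonRoot": true, "runAsUser": 10001,
                                "seccompProfile": {"type": "RuntimeDefault"}},
            "containers": [{"name": "app", "image": "shop/web:1.4",
              "securityContext": {"allowPrivilegeEscalation": false,
                                  "capabilities": {"drop": ["ALL"]}}}]}}
]}""")

SECCOMP_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"


def _effective(container, pod_spec, key):
    """Container-level securityContext overrides the pod-level one for shared keys."""
    csc = container.get("securityContext") or {}
    psc = pod_spec.get("securityContext") or {}
    return csc.get(key, psc.get(key))


def audit_pod(pod):
    """Return [(check_id, message)] for one pod; an empty list means nothing to report."""
    spec = pod["spec"]
    findings = []
    for flag, cid in (("hostPID", "5.2.2"), ("hostIPC", "5.2.3"), ("hostNetwork", "5.2.4")):
        if spec.get(flag):
            findings.append((cid, f"pod shares host namespace: {flag}=true"))
    # Default is to mount the token; only an explicit false satisfies 5.1.6.
    if spec.get("automountServiceAccountToken") is not False:
        findings.append(("5.1.6", "service account token is automounted"))
    pod_seccomp = (pod["metadata"].get("annotations", {}).get(SECCOMP_ANNOTATION)
                   or (spec.get("securityContext") or {}).get("seccompProfile"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c["name"]
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        if sc.get("privileged"):
            findings.append(("5.2.1", f"{name}: privileged=true"))
        # Omitted means allowed: the kubelet defaults allowPrivilegeEscalation to true.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(("5.2.5", f"{name}: allowPrivilegeEscalation not set to false"))
        uid = _effective(c, spec, "runAsUser")
        non_root = _effective(c, spec, "runAsNonRoot")
        if uid == 0 or (uid is None and not non_root):
            findings.append(("5.2.6", f"{name}: not guaranteed non-root (runAsUser={uid}, runAsNonRoot={non_root})"))
        drop = caps.get("drop") or []
        if "ALL" not in drop and "NET_RAW" not in drop:
            findings.append(("5.2.7", f"{name}: NET_RAW not dropped"))
        if caps.get("add"):
            findings.append(("5.2.8", f"{name}: added capabilities {caps['add']}"))
        if not pod_seccomp and not sc.get("seccompProfile"):
            findings.append(("5.7.2", f"{name}: no seccomp profile"))
    return findings


def audit_pods(pods):
    """Map 'namespace/pod' to its findings, omitting clean pods."""
    out = {}
    for pod in pods["items"]:
        key = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
        found = audit_pod(pod)
        if found:
            out[key] = found
    return out


if __name__ == "__main__":
    for key, found in audit_pods(SAMPLE_PODS).items():
        for cid, msg in found:
            print(f"{cid} {key}: {msg}")
```

Two design points. For 5.2.6 an unset `runAsUser` with no `runAsNonRoot: true` is reported, because then the image's USER directive decides and the audit cannot see it; `runAsNonRoot: true` is the setting that makes the kubelet refuse to start a UID 0 container. For 5.2.5 an omitted field is a finding rather than a pass, since the benchmark's "omitted or set to false" describes the PSP, whereas in a pod spec omitting `allowPrivilegeEscalation` leaves it true. PodSecurityPolicy itself was removed in Kubernetes 1.25; the `restricted` Pod Security Standard enforces the same fields this script checks, so the audit is equally useful for finding namespaces where that admission level is not yet enforced.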
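Checks 5.3.2 and 5.7.4 are both about namespace hygiene and both are `manual`, so here is an added example (not kube-bench's code) that evaluates them from the JSON of `kubectl get namespaces -o json`, `kubectl get networkpolicies -A -o json` and `kubectl get all -n default -o json`. It goes one step beyond 5.3.2 as written: the benchmark is satisfied by any NetworkPolicy object in a namespace, but a namespace whose only policy is an allow rule still has unrestricted pod-to-pod traffic, so the script also reports namespaces that lack a default-deny policy. All three inputs are constructed samples.

```python
import json

# Constructed sample of `kubectl get namespaces -o json`.
SAMPLE_NAMESPACES = json.loads("""
{"items": [{"metadata": {"name": "default"}}, {"metadata": {"name": "kube-system"}},
           {"metadata": {"name": "shop"}}, {"metadata": {"name": "ci"}}]}""")

# Constructed sample of `kubectl get networkpolicies -A -o json`. The API server
# fills in policyTypes on creation, so it is always present in real output.
SAMPLE_NETPOLS = json.loads("""
{"items": [
  {"metadata": {"name": "default-deny", "namespace": "shop"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
  {"metadata": {"name": "allow-web", "namespace": "shop"},
   "spec": {"podSelector": {"matchLabels": {"app": "web"}},
            "ingress": [{"ports": [{"port": 8080}]}], "policyTypes": ["Ingress"]}},
  {"metadata": {"name": "allow-all", "namespace": "ci"},
   "spec": {"podSelector": {}, "ingress": [{}], "policyTypes": ["Ingress"]}}
]}""")

# Constructed sample of `kubectl get all -n default -o json`.
SAMPLE_DEFAULT_NS = json.loads("""
{"items": [
  {"kind": "Service", "metadata": {"name": "kubernetes", "namespace": "default"}},
  {"kind": "Deployment", "metadata": {"name": "quick-test", "namespace": "default"}},
  {"kind": "Pod", "metadata": {"name": "quick-test-7d9f8-x2k4l", "namespace": "default"}}
]}""")


def policies_by_namespace(netpols):
    out = {}
    for p in netpols["items"]:
        out.setdefault(p["metadata"]["namespace"], []).append(p)
    return out


def namespaces_without_policy(namespaces, netpols):
    """5.3.2 as written: namespaces that have no NetworkPolicy object at all."""
    covered = policies_by_namespace(netpols)
    return [ns["metadata"]["name"] for ns in namespaces["items"]
            if ns["metadata"]["name"] not in covered]


def is_default_deny(policy, direction):
    """True if the policy selects every pod, governs `direction` and allows nothing in it."""
    spec = policy["spec"]
    sel = spec.get("podSelector") or {}
    if sel.get("matchLabels") or sel.get("matchExpressions"):
        return False  # only some pods are selected
    if direction not in spec.get("policyTypes", []):
        return False  # this direction is not governed by the policy
    return not spec.get(direction.lower())  # no allow rules means everything is denied


def namespaces_without_default_deny(namespaces, netpols, direction="Ingress"):
    """Stricter reading of 5.3.2: namespaces where pods are still reachable by default.
    An allow-all policy such as `ingress: [{}]` counts as a policy but not as a deny."""
    by_ns = policies_by_namespace(netpols)
    return [ns["metadata"]["name"] for ns in namespaces["items"]
            if not any(is_default_deny(p, direction) for p in by_ns.get(ns["metadata"]["name"], []))]


def default_namespace_objects(resources):
    """5.7.4: user-created objects in `default`. The `kubernetes` Service is created
    by the API server itself and is the one expected resident."""
    return [f"{r['kind']}/{r['metadata']['name']}" for r in resources["items"]
            if not (r["kind"] == "Service" and r["metadata"]["name"] == "kubernetes")]


if __name__ == "__main__":
    print("5.3.2 no policy:", namespaces_without_policy(SAMPLE_NAMESPACES, SAMPLE_NETPOLS))
    for d in ("Ingress", "Egress"):
        print(f"5.3.2 no default-deny {d}:", namespaces_without_default_deny(SAMPLE_NAMESPACES, SAMPLE_NETPOLS, d))
    print("5.7.4 in default:", default_namespace_objects(SAMPLE_DEFAULT_NS))
```

In the sample, `ci` passes the literal check (it has a policy) but fails the default-deny one, which is the case the stricter function exists to catch. `kube-system` is listed too; whether to apply a default-deny there is a decision for the cluster operator, since CoreDNS and other add-ons need explicit allow rules once it is in place. Both functions only inspect policy objects: they say nothing about whether the CNI enforces them, which is what 5.3.1 asks the operator to confirm.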