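---
# kube-bench control definitions: CIS 1.6 benchmark, k3s flavour, master (server) node.
# Every check is one `audit` shell command plus the `tests` its output must satisfy;
# `scored: false` and `type: manual` checks are informational only.
# Conventions kept consistent across the file:
#   - ids and `compare.value` entries are quoted so YAML never retypes them
#     (1.1 would otherwise load as a float, false/0/30 as bool/int);
#   - audits whose tests allow the flag to be absent (`set: false`) end in `| cat`
#     so a non-matching grep does not turn into a non-zero audit exit (as in 1.2.2).
# `controls:` is a bare key with a null value, kept exactly as the existing layout has it.
controls:
version: "cis-1.6-k3s"
id: "1"
text: "Master Node Security Configuration"
type: "master"
groups:
  - id: "1.1"
    text: "Master Node Configuration Files"
    checks:
      - id: "1.1.1"
        text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Not Applicable)"
        scored: false

      - id: "1.1.2"
        text: "Ensure that the API server pod specification file ownership is set to root:root (Not Applicable)"
        scored: false

      - id: "1.1.3"
        text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Not Applicable)"
        scored: false

      - id: "1.1.4"
        text: "Ensure that the controller manager pod specification file ownership is set to root:root (Not Applicable)"
        scored: false

      - id: "1.1.5"
        text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Not Applicable)"
        scored: false

      - id: "1.1.6"
        text: "Ensure that the scheduler pod specification file ownership is set to root:root (Not Applicable)"
        scored: false

      - id: "1.1.7"
        text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Not Applicable)"
        scored: false

      - id: "1.1.8"
        text: "Ensure that the etcd pod specification file ownership is set to root:root (Not Applicable)"
        scored: false

      - id: "1.1.9"
        text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Applicable)"
        scored: false

      - id: "1.1.10"
        text: "Ensure that the Container Network Interface file ownership is set to root:root (Not Applicable)"
        scored: false

      - id: "1.1.11"
        text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive if etcd is used (Automated)"
        audit: "stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "700"
        remediation: |
          On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
          from the below command:
          journalctl -u k3s | grep 'Managed etcd' | grep -v grep
          Run the below command (based on the etcd data directory found above). For example,
          chmod 700 /var/lib/rancher/k3s/server/db/etcd
        scored: true

      - id: "1.1.12"
        text: "Ensure that the etcd data directory ownership is set to etcd:etcd if etcd is used (Not Applicable)"
        scored: false

      - id: "1.1.13"
        text: "Ensure that the admin.kubeconfig file permissions are set to 644 or more restrictive (Automated)"
        # The file is only stat'ed when it exists; an absent file yields no output rather than an error.
        audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the k3s node.
          For example,
          chmod 644 /var/lib/rancher/k3s/server/cred/admin.kubeconfig
        scored: true

      - id: "1.1.14"
        text: "Ensure that the admin.kubeconfig file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the k3s node.
          For example,
          chown root:root /var/lib/rancher/k3s/server/cred/admin.kubeconfig
        scored: true

      - id: "1.1.15"
        text: "Ensure that the scheduler.kubeconfig file permissions are set to 644 or more restrictive (Automated)"
        # $schedulerkubeconfig is supplied by the surrounding kube-bench configuration, not by this file.
        audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c permissions=%a $schedulerkubeconfig; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the k3s node.
          For example,
          chmod 644 $schedulerkubeconfig
        scored: true

      - id: "1.1.16"
        text: "Ensure that the scheduler.kubeconfig file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c %U:%G $schedulerkubeconfig; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the k3s node.
          For example,
          chown root:root $schedulerkubeconfig
        scored: true

      - id: "1.1.17"
        # NOTE(review): the text names cloud-controller.kubeconfig, but the audited path comes
        # from $controllermanagerkubeconfig — confirm which file this check is meant to cover.
        text: "Ensure that the cloud-controller.kubeconfig file permissions are set to 644 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chmod 644 $controllermanagerkubeconfig
        scored: true

      - id: "1.1.18"
        # NOTE(review): the text shows the variable name instead of a file name; confirm the intended wording.
        text: "Ensure that the $controllermanagerkubeconfig file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c %U:%G $controllermanagerkubeconfig; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chown root:root $controllermanagerkubeconfig
        scored: true

      - id: "1.1.19"
        text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)"
        # NOTE(review): only the directory itself is stat'ed; ownership of the files inside it is not
        # checked even though the remediation below is recursive. Consider a find | xargs stat as in 1.1.20.
        audit: "stat -c %U:%G /var/lib/rancher/k3s/server/tls"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the k3s node.
          For example,
          chown -R root:root /var/lib/rancher/k3s/server/tls
        scored: true

      - id: "1.1.20"
        text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Automated)"
        # One permissions= line per certificate; use_multiple_values evaluates each line separately.
        audit: "find /var/lib/rancher/k3s/server/tls/ -name '*.crt' | xargs stat -c permissions=%a"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chmod -R 644 /var/lib/rancher/k3s/server/tls/*.crt
        scored: true

      - id: "1.1.21"
        text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)"
        audit: "find /var/lib/rancher/k3s/server/tls/ -name '*.key' | xargs stat -c permissions=%a"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        # The remediation path is the k3s TLS directory audited above (not the upstream /etc/kubernetes/pki).
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chmod -R 600 /var/lib/rancher/k3s/server/tls/*.key
        scored: true

  - id: "1.2"
    text: "API Server"
    # All audits in this group read the most recent "Running kube-apiserver" line from the k3s journal,
    # which carries the full kube-apiserver argument list.
    checks:
      - id: "1.2.1"
        # NOTE(review): titled Automated but scored: false, unlike every other Automated check here — confirm.
        text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth"
        tests:
          test_items:
            - flag: "--anonymous-auth"
              compare:
                op: eq
                value: "false"
        remediation: |
          By default, K3s kube-apiserver is configured to run with --anonymous-auth=false flag and value.
        scored: false

      - id: "1.2.2"
        text: "Ensure that the --basic-auth-file argument is not set (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "basic-auth-file" | cat
        tests:
          test_items:
            - flag: "--basic-auth-file"
              set: false
        remediation: |
          By default, K3s does not run with basic authentication enabled. No manual remediation is needed.
        scored: true

      - id: "1.2.3"
        text: "Ensure that the --token-auth-file parameter is not set (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "token-auth-file" | cat
        tests:
          test_items:
            - flag: "--token-auth-file"
              set: false
        remediation: |
          By default, K3s does not run with basic authentication enabled. No manual remediation is needed.
        scored: true

      - id: "1.2.4"
        text: "Ensure that the --kubelet-https argument is set to true (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "kubelet-https" | cat
        tests:
          bin_op: or
          test_items:
            - flag: "--kubelet-https"
              compare:
                op: eq
                value: "true"
            - flag: "--kubelet-https"
              set: false
        remediation: |
          By default, K3s kube-apiserver doesn't run with the --kubelet-https parameter as it runs with TLS. No manual remediation is needed.
        scored: true

      - id: "1.2.5"
        text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep -E 'kubelet-client-certificate|kubelet-client-key'
        tests:
          bin_op: and
          test_items:
            - flag: "--kubelet-client-certificate"
            - flag: "--kubelet-client-key"
        remediation: |
          By default, K3s kube-apiserver is ran with these arguments for secure communication with kubelet. No manual remediation is needed.
        scored: true

      - id: "1.2.6"
        text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "kubelet-certificate-authority"
        tests:
          test_items:
            - flag: "--kubelet-certificate-authority"
        remediation: |
          By default, K3s kube-apiserver is ran with this argument for secure communication with kubelet. No manual remediation is needed.
        scored: true

      - id: "1.2.7"
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"
        tests:
          test_items:
            - flag: "--authorization-mode"
              compare:
                op: nothave
                value: "AlwaysAllow"
        remediation: |
          By default, K3s sets Node,RBAC as the parameter to the --authorization-mode argument. No manual remediation is needed.
        scored: true

      - id: "1.2.8"
        text: "Ensure that the --authorization-mode argument includes Node (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"
        tests:
          test_items:
            - flag: "--authorization-mode"
              compare:
                op: has
                value: "Node"
        remediation: |
          By default, K3s sets Node,RBAC as the parameter to the --authorization-mode argument. No manual remediation is needed.
        scored: true

      - id: "1.2.9"
        text: "Ensure that the --authorization-mode argument includes RBAC (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"
        tests:
          test_items:
            - flag: "--authorization-mode"
              compare:
                op: has
                value: "RBAC"
        remediation: |
          By default, K3s sets Node,RBAC as the parameter to the --authorization-mode argument. No manual remediation is needed.
        scored: true

      - id: "1.2.10"
        text: "Ensure that the admission control plugin EventRateLimit is set (Manual)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
        tests:
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "EventRateLimit"
        remediation: |
          By default, K3s only sets NodeRestriction,PodSecurityPolicy as the parameter to the --enable-admission-plugins argument.
          To configure this, follow the Kubernetes documentation and set the desired limits in a configuration file.
          Then refer to K3s's documentation to see how to supply additional api server configuration via the kube-apiserver-arg parameter.
        scored: false

      - id: "1.2.11"
        text: "Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins" | cat
        tests:
          bin_op: or
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: nothave
                value: "AlwaysAdmit"
            - flag: "--enable-admission-plugins"
              set: false
        remediation: |
          By default, K3s only sets NodeRestriction,PodSecurityPolicy as the parameter to the --enable-admission-plugins argument.
          No manual remediation needed.
        scored: true

      - id: "1.2.12"
        text: "Ensure that the admission control plugin AlwaysPullImages is set (Manual)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
        tests:
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "AlwaysPullImages"
        remediation: |
          By default, K3s only sets NodeRestriction,PodSecurityPolicy as the parameter to the --enable-admission-plugins argument.
          To configure this, follow the Kubernetes documentation and set the desired limits in a configuration file.
          Then refer to K3s's documentation to see how to supply additional api server configuration via the kube-apiserver-arg parameter.
        scored: false

      - id: "1.2.13"
        text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
        tests:
          bin_op: or
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "SecurityContextDeny"
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "PodSecurityPolicy"
        remediation: |
          K3s would need to have the SecurityContextDeny admission plugin enabled by passing it as an argument to K3s.
          --kube-apiserver-arg='enable-admission-plugins=SecurityContextDeny'
        scored: false

      - id: "1.2.14"
        text: "Ensure that the admission control plugin ServiceAccount is set (Automated)"
        # The plugin is on by default; the check only fails when it is explicitly disabled.
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "ServiceAccount" | cat
        tests:
          bin_op: or
          test_items:
            - flag: "--disable-admission-plugins"
              compare:
                op: nothave
                value: "ServiceAccount"
            - flag: "--disable-admission-plugins"
              set: false
        remediation: |
          By default, K3s does not use this argument.
          If there's a desire to use this argument, follow the documentation and create ServiceAccount objects as per your environment.
          Then refer to K3s's documentation to see how to supply additional api server configuration via the kube-apiserver-arg parameter.
        scored: true

      - id: "1.2.15"
        text: "Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "disable-admission-plugins" | cat
        tests:
          bin_op: or
          test_items:
            - flag: "--disable-admission-plugins"
              compare:
                op: nothave
                value: "NamespaceLifecycle"
            - flag: "--disable-admission-plugins"
              set: false
        remediation: |
          By default, K3s does not use this argument. No manual remediation needed.
        scored: true

      - id: "1.2.16"
        text: "Ensure that the admission control plugin PodSecurityPolicy is set (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
        tests:
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "PodSecurityPolicy"
        remediation: |
          K3s would need to have the PodSecurityPolicy admission plugin enabled by passing it as an argument to K3s.
          --kube-apiserver-arg='enable-admission-plugins=PodSecurityPolicy'
        scored: true

      - id: "1.2.17"
        text: "Ensure that the admission control plugin NodeRestriction is set (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
        tests:
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "NodeRestriction"
        remediation: |
          K3s would need to have the NodeRestriction admission plugin enabled by passing it as an argument to K3s.
          --kube-apiserver-arg='enable-admission-plugins=NodeRestriction'
        scored: true

      - id: "1.2.18"
        text: "Ensure that the --insecure-bind-address argument is not set (Automated)"
        # Grep for the flag under test; an absent flag gives empty output (exit 0 via cat) and passes set: false.
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "insecure-bind-address" | cat
        tests:
          test_items:
            - flag: "--insecure-bind-address"
              set: false
        remediation: |
          By default, K3s explicitly excludes the use of the --insecure-bind-address parameter. No manual remediation is needed.
        scored: true

      - id: "1.2.19"
        text: "Ensure that the --insecure-port argument is set to 0 (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "insecure-port"
        tests:
          test_items:
            - flag: "--insecure-port"
              compare:
                op: eq
                value: "0"
        remediation: |
          By default, K3s starts the kube-apiserver process with this argument's parameter set to 0. No manual remediation is needed.
        scored: true

      - id: "1.2.20"
        text: "Ensure that the --secure-port argument is not set to 0 (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "secure-port" | cat
        tests:
          bin_op: or
          test_items:
            - flag: "--secure-port"
              compare:
                op: gt
                value: "0"
            - flag: "--secure-port"
              set: false
        remediation: |
          By default, K3s sets the parameter of 6444 for the --secure-port argument. No manual remediation is needed.
        scored: true

      - id: "1.2.21"
        text: "Ensure that the --profiling argument is set to false (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "profiling"
        tests:
          test_items:
            - flag: "--profiling"
              compare:
                op: eq
                value: "false"
        remediation: |
          By default, K3s sets the --profiling flag parameter to false. No manual remediation needed.
        scored: true

      - id: "1.2.22"
        text: "Ensure that the --audit-log-path argument is set (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "audit-log-path"
        tests:
          test_items:
            - flag: "--audit-log-path"
        remediation: |
          K3s server needs to be run with the following argument, --kube-apiserver-arg='audit-log-path=/path/to/log/file'
        scored: true

      - id: "1.2.23"
        text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "audit-log-maxage"
        tests:
          test_items:
            - flag: "--audit-log-maxage"
              compare:
                op: gte
                value: "30"
        remediation: |
          K3s server needs to be run with the following argument, --kube-apiserver-arg='audit-log-maxage=30'
        scored: true

      - id: "1.2.24"
        text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "audit-log-maxbackup"
        tests:
          test_items:
            - flag: "--audit-log-maxbackup"
              compare:
                op: gte
                value: "10"
        remediation: |
          K3s server needs to be run with the following argument, --kube-apiserver-arg='audit-log-maxbackup=10'
        scored: true

      - id: "1.2.25"
        text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "audit-log-maxsize"
        tests:
          test_items:
            - flag: "--audit-log-maxsize"
              compare:
                op: gte
                value: "100"
        remediation: |
          K3s server needs to be run with the following argument, --kube-apiserver-arg='audit-log-maxsize=100'
        scored: true

      - id: "1.2.26"
        text: "Ensure that the --request-timeout argument is set as appropriate (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "request-timeout" | cat
        tests:
          bin_op: or
          test_items:
            - flag: "--request-timeout"
              set: false
            - flag: "--request-timeout"
              compare:
                op: lte
                value: "60"
        remediation: |
          By default, K3s does not set the --request-timeout argument. No manual remediation needed.
        scored: true

      - id: "1.2.27"
        text: "Ensure that the --service-account-lookup argument is set to true (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "service-account-lookup" | cat
        tests:
          bin_op: or
          test_items:
            - flag: "--service-account-lookup"
              set: false
            - flag: "--service-account-lookup"
              compare:
                op: eq
                value: "true"
        remediation: |
          K3s server needs to be run with the following argument, --kube-apiserver-arg='service-account-lookup=true'
        scored: true

      - id: "1.2.28"
        text: "Ensure that the --service-account-key-file argument is set as appropriate (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "service-account-key-file"
        tests:
          test_items:
            - flag: "--service-account-key-file"
        remediation: |
          By default, K3s sets the --service-account-key-file explicitly. No manual remediation needed.
        scored: true

      - id: "1.2.29"
        text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep -E 'etcd-certfile|etcd-keyfile'
        tests:
          bin_op: and
          test_items:
            - flag: "--etcd-certfile"
            - flag: "--etcd-keyfile"
        remediation: |
          By default, K3s sets the --etcd-certfile and --etcd-keyfile arguments explicitly. No manual remediation needed.
        scored: true

      - id: "1.2.30"
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep -E 'tls-cert-file|tls-private-key-file'
        tests:
          bin_op: and
          test_items:
            - flag: "--tls-cert-file"
            - flag: "--tls-private-key-file"
        remediation: |
          By default, K3s sets the --tls-cert-file and --tls-private-key-file arguments explicitly. No manual remediation needed.
        scored: true

      - id: "1.2.31"
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file"
        tests:
          test_items:
            - flag: "--client-ca-file"
        remediation: |
          By default, K3s sets the --client-ca-file argument explicitly. No manual remediation needed.
        scored: true

      - id: "1.2.32"
        text: "Ensure that the --etcd-cafile argument is set as appropriate (Automated)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep -E 'etcd-cafile'
        tests:
          test_items:
            - flag: "--etcd-cafile"
        remediation: |
          By default, K3s sets the --etcd-cafile argument explicitly. No manual remediation needed.
        scored: true

      - id: "1.2.33"
        text: "Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep -E "encryption-provider-config"
        tests:
          test_items:
            - flag: "--encryption-provider-config"
        # The k3s flag is spelled --secrets-encryption (see 1.2.34).
        remediation: |
          K3s server needs to be ran with the follow, --kube-apiserver-arg='encryption-provider-config=/path/to/encryption_config'.
          This can be done by running k3s with the --secrets-encryption argument which will configure the encryption provider.
        scored: false

      - id: "1.2.34"
        text: "Ensure that encryption providers are appropriately configured (Manual)"
        # NOTE(review): type: manual combined with scored: true — confirm which result this check should report.
        type: manual
        remediation: |
          K3s server needs to be run with the following, --secrets-encryption=true, and verify that one of the allowed encryption providers is present.
          Run the below command on the master node.
          grep aescbc /path/to/encryption-config.json
          Verify that aescbc/kms/secretbox is set as the encryption provider for all the desired resources.
        scored: true

      - id: "1.2.35"
        text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)"
        audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "tls-cipher-suites"
        tests:
          test_items:
            - flag: "--tls-cipher-suites"
              compare:
                op: valid_elements
                value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
        remediation: |
          By default, K3s explicitly doesn't set this flag. No manual remediation needed.
        scored: false

  - id: "1.3"
    text: "Controller Manager"
    # Audits read the most recent "Running kube-controller-manager" line from the k3s journal.
    checks:
      - id: "1.3.1"
        text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"
        audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "terminated-pod-gc-threshold"
        tests:
          test_items:
            - flag: "--terminated-pod-gc-threshold"
        remediation: |
          K3s server needs to be run with the following, --kube-controller-manager-arg='terminated-pod-gc-threshold=10'
        scored: false

      - id: "1.3.2"
        text: "Ensure that the --profiling argument is set to false (Automated)"
        audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "profiling"
        tests:
          test_items:
            - flag: "--profiling"
              compare:
                op: eq
                value: "false"
        remediation: |
          By default, K3s sets the --profiling flag parameter to false. No manual remediation needed.
        scored: true

      - id: "1.3.3"
        text: "Ensure that the --use-service-account-credentials argument is set to true (Automated)"
        audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "use-service-account-credentials"
        tests:
          test_items:
            - flag: "--use-service-account-credentials"
              compare:
                op: noteq
                value: "false"
        remediation: |
          K3s server needs to be run with the following, --kube-controller-manager-arg='use-service-account-credentials=true'
        scored: true

      - id: "1.3.4"
        text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"
        audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "service-account-private-key-file"
        tests:
          test_items:
            - flag: "--service-account-private-key-file"
        remediation: |
          By default, K3s sets the --service-account-private-key-file argument with the service account key file. No manual remediation needed.
        scored: true

      - id: "1.3.5"
        text: "Ensure that the --root-ca-file argument is set as appropriate (Automated)"
        audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "root-ca-file"
        tests:
          test_items:
            - flag: "--root-ca-file"
        remediation: |
          By default, K3s sets the --root-ca-file argument with the root ca file. No manual remediation needed.
        scored: true

      - id: "1.3.6"
        text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"
        # Passes when --feature-gates is absent, or present without an explicit RotateKubeletServerCertificate=false.
        audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "RotateKubeletServerCertificate" | cat
        tests:
          bin_op: or
          test_items:
            - flag: "--feature-gates"
              compare:
                op: nothave
                value: "RotateKubeletServerCertificate=false"
              set: true
            - flag: "--feature-gates"
              set: false
        remediation: |
          By default, K3s implements its own logic for certificate generation and rotation.
        scored: true

      - id: "1.3.7"
        text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
        audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "bind-address" | cat
        tests:
          bin_op: or
          test_items:
            - flag: "--bind-address"
              compare:
                op: eq
                value: "127.0.0.1"
            - flag: "--bind-address"
              set: false
        remediation: |
          By default, K3s sets the --bind-address argument to 127.0.0.1. No manual remediation needed.
        scored: true

  - id: "1.4"
    text: "Scheduler"
    # Audits read the most recent "Running kube-scheduler" line from the k3s journal.
    checks:
      - id: "1.4.1"
        text: "Ensure that the --profiling argument is set to false (Automated)"
        audit: journalctl -u k3s | grep "Running kube-scheduler" | tail -n1 | grep "profiling"
        tests:
          test_items:
            - flag: "--profiling"
              compare:
                op: eq
                value: "false"
        remediation: |
          By default, K3s sets the --profiling flag parameter to false. No manual remediation needed.
        scored: true

      - id: "1.4.2"
        text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
        # This is the scheduler check, so the audit must read the kube-scheduler line (as 1.4.1 does),
        # not the controller-manager line that 1.3.7 already covers.
        audit: journalctl -u k3s | grep "Running kube-scheduler" | tail -n1 | grep "bind-address" | cat
        tests:
          bin_op: or
          test_items:
            - flag: "--bind-address"
              compare:
                op: eq
                value: "127.0.0.1"
            - flag: "--bind-address"
              set: false
        remediation: |
          By default, K3s sets the --bind-address argument to 127.0.0.1. No manual remediation needed.
        scored: true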