# github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/cis-1.6-k3s/policies.yaml
---
controls:
version: "cis-1.6-k3s"
id: 5
text: "Kubernetes Policies"
type: "policies"
groups:
  - id: 5.1
    text: "RBAC and Service Accounts"
    checks:
      - id: 5.1.1
        text: "Ensure that the cluster-admin role is only used where required (Manual)"
        type: "manual"
        remediation: |
          Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
          if they need this role or if they could use a role with fewer privileges.
          Where possible, first bind users to a lower privileged role and then remove the
          clusterrolebinding to the cluster-admin role:
          kubectl delete clusterrolebinding [name]
        scored: false

      - id: 5.1.2
        text: "Minimize access to secrets (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove get, list and watch access to secret objects in the cluster.
        scored: false

      - id: 5.1.3
        text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
        type: "manual"
        remediation: |
          Where possible replace any use of wildcards in clusterroles and roles with specific
          objects or actions.
          kubectl get roles --all-namespaces -o yaml
          kubectl get clusterroles -o yaml
        scored: false

      - id: 5.1.4
        text: "Minimize access to create pods (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove create access to pod objects in the cluster.
        scored: false

      - id: 5.1.5
        text: "Ensure that default service accounts are not actively used (Manual)"
        type: "manual"
        remediation: |
          Create explicit service accounts wherever a Kubernetes workload requires specific access
          to the Kubernetes API server.
          Modify the configuration of each default service account to include this value:
          automountServiceAccountToken: false
        scored: false

      - id: 5.1.6
        text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)"
        type: "manual"
        remediation: |
          Modify the definition of pods and service accounts which do not need to mount service
          account tokens to disable it.
        scored: false

  - id: 5.2
    text: "Pod Security Policies"
    checks:
      - id: 5.2.1
        text: "Minimize the admission of privileged containers (Manual)"
        type: "manual"
        remediation: |
          kubectl get psp -o json | jq .items[] | jq -r 'select((.spec.privileged == null) or (.spec.privileged == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}'
          An operator should apply a PodSecurityPolicy that sets the privileged value to false explicitly for the PSP it creates. An example of this can be found in the Hardening Guide.
          https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index
        scored: false

      - id: 5.2.2
        text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
        type: "manual"
        remediation: |
          kubectl get psp -o json | jq .items[] | jq -r 'select((.spec.hostPID == null) or (.spec.hostPID == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}'
          An operator should apply a PodSecurityPolicy that sets the hostPID value to false explicitly for the PSP it creates. An example of this can be found in the Hardening Guide.
          https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index
        scored: false

      - id: 5.2.3
        text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
        type: "manual"
        remediation: |
          kubectl get psp -o json | jq .items[] | jq -r 'select((.spec.hostIPC == null) or (.spec.hostIPC == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}'
          An operator should apply a PodSecurityPolicy that sets the hostIPC value to false explicitly for the PSP it creates. An example of this can be found in the Hardening Guide.
          https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index
        scored: false

      - id: 5.2.4
        text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
        type: "manual"
        remediation: |
          kubectl get psp -o json | jq .items[] | jq -r 'select((.spec.hostNetwork == null) or (.spec.hostNetwork == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}'
          An operator should apply a PodSecurityPolicy that sets the hostNetwork value to false explicitly for the PSP it creates. An example of this can be found in the Hardening Guide.
          https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index
        scored: false

      - id: 5.2.5
        text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
        type: "manual"
        remediation: |
          kubectl get psp -o json | jq .items[] | jq -r 'select(.spec.allowPrivilegeEscalation == false)' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}'
          Unlike the host* fields, allowPrivilegeEscalation defaults to true when it is unset in a PodSecurityPolicy, so a missing value is not compliant.
          An operator should apply a PodSecurityPolicy that sets the allowPrivilegeEscalation value to false explicitly for the PSP it creates. An example of this can be found in the Hardening Guide.
          https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index
        scored: false

      - id: 5.2.6
        text: "Minimize the admission of root containers (Manual)"
        type: "manual"
        remediation: |
          kubectl get psp -o json | jq .items[] | jq -r 'select(.spec.runAsUser.rule == "MustRunAsNonRoot")' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}'
          An operator should apply a PodSecurityPolicy that sets the runAsUser.rule value to MustRunAsNonRoot. An example of this can be found in the Hardening Guide.
          https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index
        scored: false

      - id: 5.2.7
        text: "Minimize the admission of containers with the NET_RAW capability (Manual)"
        type: "manual"
        remediation: |
          kubectl get psp <psp_name> -o json | jq .spec.requiredDropCapabilities[]
          An operator should apply a PodSecurityPolicy whose .spec.requiredDropCapabilities[] includes ALL (or at least NET_RAW). An example of this can be found in the Hardening Guide.
          https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index
        scored: false

      - id: 5.2.8
        text: "Minimize the admission of containers with added capabilities (Manual)"
        type: "manual"
        remediation: |
          kubectl get psp
          An operator should apply a PodSecurityPolicy that does not set allowedCapabilities (or sets it to an empty array) and does not set defaultAddCapabilities, so that no capability beyond the runtime default set can be requested. An example of this can be found in the Hardening Guide.
          https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index
        scored: false

      - id: 5.2.9
        text: "Minimize the admission of containers with capabilities assigned (Manual)"
        type: "manual"
        remediation: |
          kubectl get psp
          An operator should apply a PodSecurityPolicy that sets requiredDropCapabilities to ALL. An example of this can be found in the Hardening Guide.
          https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index
        scored: false

  - id: 5.3
    text: "Network Policies and CNI"
    checks:
      - id: 5.3.1
        text: "Ensure that the CNI in use supports Network Policies (Manual)"
        type: "manual"
        remediation: |
          By default, K3s uses Flannel as its CNI and ships an embedded network policy controller,
          so NetworkPolicy objects are enforced without installing a separate CNI. If Flannel has been
          disabled (--flannel-backend=none) and another CNI installed, verify that it supports network policies.
        scored: false

      - id: 5.3.2
        text: "Ensure that all Namespaces have Network Policies defined (Manual)"
        type: "manual"
        remediation: |
          Run the below command on the master node.
          for i in kube-system kube-public default; do
            kubectl get networkpolicies -n $i;
          done
          Verify that there are network policies applied to each of the namespaces.
          An operator should apply NetworkPolicies that prevent unneeded traffic from traversing networks unnecessarily. An example of applying a NetworkPolicy can be found in the Hardening Guide.
          https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index
        scored: false

  - id: 5.4
    text: "Secrets Management"
    checks:
      - id: 5.4.1
        text: "Prefer using secrets as files over secrets as environment variables (Manual)"
        type: "manual"
        remediation: |
          Run the following command to find references to objects which use environment variables defined from secrets.
          kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A

          If possible, rewrite application code to read secrets from mounted secret files, rather than
          from environment variables.
        scored: false

      - id: 5.4.2
        text: "Consider external secret storage (Manual)"
        type: "manual"
        remediation: |
          Refer to the secrets management options offered by your cloud provider or a third-party
          secrets management solution.
        scored: false

  - id: 5.5
    text: "Extensible Admission Control"
    checks:
      - id: 5.5.1
        text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
        type: "manual"
        remediation: |
          Follow the Kubernetes documentation and setup image provenance.
        scored: false

  - id: 5.7
    text: "General Policies"
    checks:
      - id: 5.7.1
        text: "Create administrative boundaries between resources using namespaces (Manual)"
        audit: kubectl get namespaces
        type: "manual"
        remediation: |
          Ensure that these namespaces are the ones you need and are adequately administered as per your requirements.
          Follow the documentation and create namespaces for objects in your deployment as you need
          them.
        scored: false

      - id: 5.7.2
        text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)"
        type: "manual"
        remediation: |
          Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
          would need to enable alpha features in the apiserver by passing the "--feature-gates=AllAlpha=true"
          argument.
          Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
          parameter to "--feature-gates=AllAlpha=true"
          KUBE_API_ARGS="--feature-gates=AllAlpha=true"
          Based on your system, restart the kube-apiserver service. For example:
          systemctl restart kube-apiserver.service
          Note that K3s runs the API server inside the k3s binary and has no /etc/kubernetes/apiserver
          file; pass API server flags with --kube-apiserver-arg on the k3s server command line instead.
          Use annotations to enable the docker/default seccomp profile in your pod definitions. An
          example is as below:
          apiVersion: v1
          kind: Pod
          metadata:
            name: trustworthy-pod
            annotations:
              seccomp.security.alpha.kubernetes.io/pod: docker/default
          spec:
            containers:
              - name: trustworthy-container
                image: sotrustworthy:latest
          On Kubernetes 1.19 and later seccomp is GA and the annotation is superseded by
          securityContext.seccompProfile with type: RuntimeDefault, the equivalent of docker/default.
        scored: false

      - id: 5.7.3
        text: "Apply Security Context to Your Pods and Containers (Manual)"
        type: "manual"
        remediation: |
          Follow the Kubernetes documentation and apply security contexts to your pods. For a
          suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
          Containers.
        scored: false

      - id: 5.7.4
        text: "The default namespace should not be used (Manual)"
        type: "manual"
        remediation: |
          Run the below command on the master node.
          kubectl get all -n default
          The only entries there should be system-managed resources such as the kubernetes service.
          Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
          resources and that all new resources are created in a specific namespace.
        scored: false
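The 5.1.1 to 5.1.4 checks above are all manual: the remediation text tells you to dump roles and bindings as YAML and read them. The following script is an added example, not kube-bench's or K3s's own code, that applies those four conditions to the JSON `kubectl get clusterrolebindings,clusterroles,roles -A -o json` returns. The object names (`ci-admin`, `secret-reader`, `deployer`, `viewer`) are constructed sample data, not anything from the page. It treats a `*` in apiGroups, resources or verbs as a grant of everything, which is how RBAC evaluates it and why 5.1.3 wants wildcards removed.

```python
"""Audit RBAC objects for the CIS 5.1.1 to 5.1.4 conditions in one pass.

Added example for this page, not kube-bench's own code. It reads the JSON that
`kubectl get clusterrolebindings,clusterroles,roles -A -o json` prints; pass "-"
as the first argument to read that from stdin, otherwise the constructed SAMPLE
below is used so the script runs offline.
"""
import json
import sys

# Constructed sample, trimmed to the fields the checks need. The first binding is the
# one the API server creates for system:masters; the second is the kind of finding
# 5.1.1 is looking for (a CI service account bound straight to cluster-admin).
SAMPLE = {"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "build"}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "deployer", "namespace": "apps"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "delete"]},
               {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "viewer", "namespace": "apps"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]}]},
]}


def role_id(obj):
    """namespace/name for a Role, bare name for a ClusterRole."""
    md = obj["metadata"]
    return f'{md["namespace"]}/{md["name"]}' if "namespace" in md else md["name"]


def cluster_admin_bindings(items):
    """5.1.1: every ClusterRoleBinding whose roleRef is cluster-admin, with its subjects."""
    return [(o["metadata"]["name"], [f'{s["kind"]}/{s["name"]}' for s in o.get("subjects", [])])
            for o in items
            if o["kind"] == "ClusterRoleBinding" and o["roleRef"]["name"] == "cluster-admin"]


def rule_grants(rule, api_group, resource, verb):
    """True when one RBAC rule covers `verb` on `resource` in `api_group`. A "*" in
    apiGroups, resources or verbs matches everything, which is exactly why 5.1.3
    wants wildcards gone: "*" on verbs quietly includes get/list/watch on secrets."""
    return (any(g in ("*", api_group) for g in rule.get("apiGroups", []))
            and any(r in ("*", resource) for r in rule.get("resources", []))
            and any(v in ("*", verb) for v in rule.get("verbs", [])))


def roles_granting(items, api_group, resource, verbs):
    """Sorted ids of Roles/ClusterRoles with a rule granting any of `verbs` on `resource`."""
    return sorted(role_id(o) for o in items
                  if o["kind"] in ("Role", "ClusterRole")
                  and any(rule_grants(r, api_group, resource, v) for r in o.get("rules", []) for v in verbs))


def secret_readers(items):
    """5.1.2: roles able to read Secret objects (core API group, so api_group is "")."""
    return roles_granting(items, "", "secrets", ("get", "list", "watch"))


def pod_creators(items):
    """5.1.4: roles able to create pods, a standard escalation path (run as any SA in the namespace)."""
    return roles_granting(items, "", "pods", ("create",))


def wildcard_roles(items):
    """5.1.3: roles with "*" anywhere in a rule."""
    return sorted(role_id(o) for o in items
                  if o["kind"] in ("Role", "ClusterRole")
                  and any("*" in r.get(k, []) for r in o.get("rules", []) for k in ("apiGroups", "resources", "verbs")))


if __name__ == "__main__":
    doc = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    items = doc["items"]
    print("5.1.1 cluster-admin bindings:", cluster_admin_bindings(items))
    print("5.1.2 secret readers:", secret_readers(items))
    print("5.1.3 wildcard roles:", wildcard_roles(items))
    print("5.1.4 pod creators:", pod_creators(items))
```

Against a live cluster, `kubectl get clusterrolebindings,clusterroles,roles -A -o json | python3 rbac_audit.py -` gives the same four lists; the `cluster-admin` binding for `system:masters` will always appear under 5.1.1 and is expected, so the finding is every other binding in that list.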
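The 5.2.x remediations each run a separate jq pipeline that counts the PodSecurityPolicies passing one condition. The script below is an added example, not kube-bench's or the Rancher hardening guide's code, that evaluates all nine conditions per policy over the JSON from `kubectl get psp -o json`; the two policies (`restricted-psp`, `permissive-psp`) are constructed sample data. Two caveats worth keeping in mind: PSP defaults `allowPrivilegeEscalation` to true when it is unset, so only an explicit false passes 5.2.5, and PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, where Pod Security Admission enforces the same class of restrictions.

```python
"""Evaluate PodSecurityPolicy objects against CIS 5.2.1 to 5.2.9 in one pass.

Added example for this page, not kube-bench's own code. Input is the JSON from
`kubectl get psp -o json` (pass "-" to read it from stdin); the two PSPs below
are constructed so the script runs offline.
"""
import json
import sys

SAMPLE = {"items": [
    {"metadata": {"name": "restricted-psp"},
     "spec": {"privileged": False, "hostPID": False, "hostIPC": False, "hostNetwork": False,
              "allowPrivilegeEscalation": False,
              "runAsUser": {"rule": "MustRunAsNonRoot"},
              "requiredDropCapabilities": ["ALL"]}},
    # Constructed "bad" policy: privileged, host networking, unset allowPrivilegeEscalation,
    # root allowed, NET_ADMIN added, only NET_RAW dropped.
    {"metadata": {"name": "permissive-psp"},
     "spec": {"privileged": True, "hostNetwork": True,
              "runAsUser": {"rule": "RunAsAny"},
              "allowedCapabilities": ["NET_ADMIN"],
              "requiredDropCapabilities": ["NET_RAW"]}},
]}


def psp_failures(psp):
    """Return the ids of the 5.2.x checks this PSP does not satisfy."""
    spec = psp.get("spec", {})
    drops = {c.upper() for c in spec.get("requiredDropCapabilities", [])}
    failures = []
    # 5.2.1 to 5.2.4: these booleans default to false when unset, so only an explicit true fails.
    for check, field in (("5.2.1", "privileged"), ("5.2.2", "hostPID"),
                         ("5.2.3", "hostIPC"), ("5.2.4", "hostNetwork")):
        if spec.get(field, False):
            failures.append(check)
    # 5.2.5: allowPrivilegeEscalation is the odd one out; PSP defaults it to TRUE when
    # unset, so the policy must say false explicitly.
    if spec.get("allowPrivilegeEscalation", True):
        failures.append("5.2.5")
    # 5.2.6: only MustRunAsNonRoot rejects uid 0.
    if spec.get("runAsUser", {}).get("rule") != "MustRunAsNonRoot":
        failures.append("5.2.6")
    # 5.2.7: NET_RAW must be dropped, by name or through ALL.
    if not ({"ALL", "NET_RAW"} & drops):
        failures.append("5.2.7")
    # 5.2.8: nothing may be added beyond the runtime default set.
    if spec.get("allowedCapabilities") or spec.get("defaultAddCapabilities"):
        failures.append("5.2.8")
    # 5.2.9: everything dropped.
    if "ALL" not in drops:
        failures.append("5.2.9")
    return failures


def audit(doc):
    """Map each PSP name to its list of failed checks."""
    return {p["metadata"]["name"]: psp_failures(p) for p in doc["items"]}


def compliant_count(doc, check):
    """Same number the page's `... | wc -l | xargs -I {} echo '--count={}'` pipelines print."""
    return sum(1 for p in doc["items"] if check not in psp_failures(p))


if __name__ == "__main__":
    doc = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for name, failed in audit(doc).items():
        print(f"{name}: {'ok' if not failed else 'FAIL ' + ', '.join(failed)}")
```

A count of compliant policies, as the page's pipelines report it, is only half the picture: one permissive PSP that a service account is authorised to `use` admits every pod that account creates, so the per-policy failure list is what you actually act on.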
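Checks 5.1.5/5.1.6 (default service account tokens), 5.3.2 (namespaces without a NetworkPolicy) and 5.4.1 (Secrets injected as environment variables) all read pod, ServiceAccount and namespace objects. This added example, not kube-bench's or K3s's code, runs those three over the JSON from `kubectl get namespaces,networkpolicies,serviceaccounts,pods -A -o json`; the namespaces, pods and the `db` secret reference are constructed sample data. It encodes the precedence rule that matters for 5.1.6: a pod-level `automountServiceAccountToken` overrides the ServiceAccount's setting, and both default to true when unset.

```python
"""Pod, ServiceAccount and namespace hygiene for 5.1.5/5.1.6, 5.3.2 and 5.4.1.

Added example for this page, not kube-bench's own code. It consumes the JSON from
`kubectl get namespaces,networkpolicies,serviceaccounts,pods -A -o json` (pass "-"
to read it from stdin); the objects below are constructed so the script runs offline.
"""
import json
import sys

SAMPLE = {"items": [
    {"kind": "Namespace", "metadata": {"name": "default"}},
    {"kind": "Namespace", "metadata": {"name": "apps"}},
    {"kind": "Namespace", "metadata": {"name": "kube-system"}},
    {"kind": "NetworkPolicy", "metadata": {"name": "default-deny", "namespace": "apps"}},
    # The default SA in "default" has been remediated per 5.1.5; the one in "apps" has not.
    {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "default"},
     "automountServiceAccountToken": False},
    {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "apps"}},
    {"kind": "Pod", "metadata": {"name": "web", "namespace": "apps"},
     "spec": {"serviceAccountName": "default",
              "containers": [{"name": "web", "image": "web:1",
                              "env": [{"name": "DB_PASS",
                                       "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}]}]}},
    {"kind": "Pod", "metadata": {"name": "batch", "namespace": "default"},
     "spec": {"serviceAccountName": "default",
              "containers": [{"name": "batch", "image": "batch:1",
                              "envFrom": [{"configMapRef": {"name": "cfg"}}]}]}},
]}


def by_kind(items, kind):
    return [o for o in items if o["kind"] == kind]


def namespaces_without_netpol(items):
    """5.3.2: namespaces with no NetworkPolicy at all, where every pod accepts traffic from anywhere."""
    covered = {o["metadata"]["namespace"] for o in by_kind(items, "NetworkPolicy")}
    return sorted(ns["metadata"]["name"] for ns in by_kind(items, "Namespace")
                  if ns["metadata"]["name"] not in covered)


def secret_env_refs(items):
    """5.4.1: (namespace/pod, container, env var) for every Secret injected into the environment,
    via env[].valueFrom.secretKeyRef or envFrom[].secretRef, in containers and initContainers."""
    out = []
    for pod in by_kind(items, "Pod"):
        spec, pod_id = pod["spec"], f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}'
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            for e in c.get("env", []):
                if "secretKeyRef" in e.get("valueFrom", {}):
                    out.append((pod_id, c["name"], e["name"]))
            for ef in c.get("envFrom", []):
                if "secretRef" in ef:
                    out.append((pod_id, c["name"], "envFrom:" + ef["secretRef"]["name"]))
    return out


def default_sa_token_mounts(items):
    """5.1.5/5.1.6: pods running as the default ServiceAccount with its token still mounted.
    A pod-level automountServiceAccountToken overrides the ServiceAccount's; both default to true."""
    sa_automount = {(o["metadata"]["namespace"], o["metadata"]["name"]): o.get("automountServiceAccountToken", True)
                    for o in by_kind(items, "ServiceAccount")}
    out = []
    for pod in by_kind(items, "Pod"):
        ns, spec = pod["metadata"]["namespace"], pod["spec"]
        sa = spec.get("serviceAccountName", "default")
        mounted = spec.get("automountServiceAccountToken", sa_automount.get((ns, sa), True))
        if sa == "default" and mounted:
            out.append(f'{ns}/{pod["metadata"]["name"]}')
    return out


if __name__ == "__main__":
    doc = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    items = doc["items"]
    print("5.3.2 namespaces without NetworkPolicy:", namespaces_without_netpol(items))
    print("5.4.1 secrets in env:", secret_env_refs(items))
    print("5.1.5/5.1.6 default SA tokens mounted:", default_sa_token_mounts(items))
```

Running pods are checked rather than the Deployments and Jobs the page's `kubectl get all` jsonpath walks, because a running pod already reflects its controller's template and any mutating admission webhook that touched it; the `envFrom.secretRef` case is included because `..secretKeyRef` in the page's jsonpath misses it.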