github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/eks-1.0.1/policies.yaml (about) 1 --- 2 controls: 3 version: "eks-1.0.1" 4 id: 4 5 text: "Policies" 6 type: "policies" 7 groups: 8 - id: 4.1 9 text: "RBAC and Service Accounts" 10 checks: 11 - id: 4.1.1 12 text: "Ensure that the cluster-admin role is only used where required (Manual)" 13 type: "manual" 14 remediation: | 15 Identify all clusterrolebindings to the cluster-admin role. Check if they are used and 16 if they need this role or if they could use a role with fewer privileges. 17 Where possible, first bind users to a lower privileged role and then remove the 18 clusterrolebinding to the cluster-admin role : 19 kubectl delete clusterrolebinding [name] 20 scored: false 21 22 - id: 4.1.2 23 text: "Minimize access to secrets (Manual)" 24 type: "manual" 25 remediation: | 26 Where possible, remove get, list and watch access to secret objects in the cluster. 27 scored: false 28 29 - id: 4.1.3 30 text: "Minimize wildcard use in Roles and ClusterRoles (Manual)" 31 type: "manual" 32 remediation: | 33 Where possible replace any use of wildcards in clusterroles and roles with specific 34 objects or actions. 35 scored: false 36 37 - id: 4.1.4 38 text: "Minimize access to create pods (Manual)" 39 type: "manual" 40 remediation: | 41 Where possible, remove create access to pod objects in the cluster. 42 scored: false 43 44 - id: 4.1.5 45 text: "Ensure that default service accounts are not actively used. (Manual)" 46 type: "manual" 47 remediation: | 48 Create explicit service accounts wherever a Kubernetes workload requires specific access 49 to the Kubernetes API server. 50 Modify the configuration of each default service account to include this value 51 automountServiceAccountToken: false 52 scored: false 53 54 - id: 4.1.6 55 text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)" 56 type: "manual" 57 remediation: | 58 Modify the definition of pods and service accounts which do not need to mount service 59 account tokens to disable it. 60 scored: false 61 62 - id: 4.2 63 text: "Pod Security Policies" 64 checks: 65 - id: 4.2.1 66 text: "Minimize the admission of privileged containers (Automated)" 67 type: "manual" 68 remediation: | 69 Create a PSP as described in the Kubernetes documentation, ensuring that 70 the .spec.privileged field is omitted or set to false. 71 scored: false 72 73 - id: 4.2.2 74 text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)" 75 type: "manual" 76 remediation: | 77 Create a PSP as described in the Kubernetes documentation, ensuring that the 78 .spec.hostPID field is omitted or set to false. 79 scored: false 80 81 - id: 4.2.3 82 text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)" 83 type: "manual" 84 remediation: | 85 Create a PSP as described in the Kubernetes documentation, ensuring that the 86 .spec.hostIPC field is omitted or set to false. 87 scored: false 88 89 - id: 4.2.4 90 text: "Minimize the admission of containers wishing to share the host network namespace (Automated)" 91 type: "manual" 92 remediation: | 93 Create a PSP as described in the Kubernetes documentation, ensuring that the 94 .spec.hostNetwork field is omitted or set to false. 95 scored: false 96 97 - id: 4.2.5 98 text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)" 99 type: "manual" 100 remediation: | 101 Create a PSP as described in the Kubernetes documentation, ensuring that the 102 .spec.allowPrivilegeEscalation field is omitted or set to false. 103 scored: false 104 105 - id: 4.2.6 106 text: "Minimize the admission of root containers (Automated)" 107 type: "manual" 108 remediation: | 109 Create a PSP as described in the Kubernetes documentation, ensuring that the 110 .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of 111 UIDs not including 0. 112 scored: false 113 114 - id: 4.2.7 115 text: "Minimize the admission of containers with the NET_RAW capability (Automated)" 116 type: "manual" 117 remediation: | 118 Create a PSP as described in the Kubernetes documentation, ensuring that the 119 .spec.requiredDropCapabilities is set to include either NET_RAW or ALL. 120 scored: false 121 122 - id: 4.2.8 123 text: "Minimize the admission of containers with added capabilities (Automated)" 124 type: "manual" 125 remediation: | 126 Ensure that allowedCapabilities is not present in PSPs for the cluster unless 127 it is set to an empty array. 128 scored: false 129 130 - id: 4.2.9 131 text: "Minimize the admission of containers with capabilities assigned (Manual)" 132 type: "manual" 133 remediation: | 134 Review the use of capabilities in applications running on your cluster. Where a namespace 135 contains applications which do not require any Linux capabities to operate consider adding 136 a PSP which forbids the admission of containers which do not drop all capabilities. 137 scored: false 138 139 - id: 4.3 140 text: "CNI Plugin" 141 checks: 142 - id: 4.3.1 143 text: "Ensure that the latest CNI version is used (Manual)" 144 type: "manual" 145 remediation: | 146 Review the documentation of AWS CNI plugin, and ensure latest CNI version is used. 147 scored: false 148 149 - id: 4.3.2 150 text: "Ensure that all Namespaces have Network Policies defined (Automated)" 151 type: "manual" 152 remediation: | 153 Follow the documentation and create NetworkPolicy objects as you need them. 154 scored: false 155 156 - id: 4.4 157 text: "Secrets Management" 158 checks: 159 - id: 4.4.1 160 text: "Prefer using secrets as files over secrets as environment variables (Manual)" 161 type: "manual" 162 remediation: | 163 If possible, rewrite application code to read secrets from mounted secret files, rather than 164 from environment variables. 165 scored: false 166 167 - id: 4.4.2 168 text: "Consider external secret storage (Manual)" 169 type: "manual" 170 remediation: | 171 Refer to the secrets management options offered by your cloud provider or a third-party 172 secrets management solution. 173 scored: false 174 175 - id: 4.5 176 text: "Extensible Admission Control" 177 checks: 178 - id: 4.5.1 179 text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)" 180 type: "manual" 181 remediation: | 182 Follow the Kubernetes documentation and setup image provenance. 183 scored: false 184 185 - id: 4.6 186 text: "General Policies" 187 checks: 188 - id: 4.6.1 189 text: "Create administrative boundaries between resources using namespaces (Manual)" 190 type: "manual" 191 remediation: | 192 Follow the documentation and create namespaces for objects in your deployment as you need 193 them. 194 scored: false 195 196 - id: 4.6.2 197 text: "Apply Security Context to Your Pods and Containers (Manual)" 198 type: "manual" 199 remediation: | 200 Follow the Kubernetes documentation and apply security contexts to your pods. For a 201 suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker 202 Containers. 203 scored: false 204 205 - id: 4.6.3 206 text: "The default namespace should not be used (Automated)" 207 type: "manual" 208 remediation: | 209 Ensure that namespaces are created to allow for appropriate segregation of Kubernetes 210 resources and that all new resources are created in a specific namespace. 211 scored: false