github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/eks-1.2.0/policies.yaml

---
controls:
version: "eks-1.2.0"
id: 4
text: "Policies"
type: "policies"
groups:
  - id: 4.1
    text: "RBAC and Service Accounts"
    checks:
      - id: 4.1.1
        text: "Ensure that the cluster-admin role is only used where required (Manual)"
        type: "manual"
        remediation: |
          Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
          if they need this role or if they could use a role with fewer privileges.
          Where possible, first bind users to a lower privileged role and then remove the
          clusterrolebinding to the cluster-admin role :
          kubectl delete clusterrolebinding [name]
        scored: false

      - id: 4.1.2
        text: "Minimize access to secrets (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove get, list and watch access to secret objects in the cluster.
        scored: false

      - id: 4.1.3
        text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
        type: "manual"
        remediation: |
          Where possible replace any use of wildcards in clusterroles and roles with specific
          objects or actions.
        scored: false

      - id: 4.1.4
        text: "Minimize access to create pods (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove create access to pod objects in the cluster.
        scored: false

      - id: 4.1.5
        text: "Ensure that default service accounts are not actively used. (Manual)"
        type: "manual"
        remediation: |
          Create explicit service accounts wherever a Kubernetes workload requires specific access
          to the Kubernetes API server.
          Modify the configuration of each default service account to include this value
            automountServiceAccountToken: false
        scored: false

      - id: 4.1.6
        text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)"
        type: "manual"
        remediation: |
          Modify the definition of pods and service accounts which do not need to mount service
          account tokens to disable it.
        scored: false

      - id: 4.1.7
        text: "Avoid use of system:masters group (Manual)"
        type: "manual"
        remediation: |
          Remove the system:masters group from all users in the cluster.
        scored: false

      - id: 4.1.8
        text: "Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove the impersonate, bind and escalate rights from subjects.
        scored: false

  - id: 4.2
    text: "Pod Security Policies"
    checks:
      - id: 4.2.1
        text: "Minimize the admission of privileged containers (Automated)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that
          the .spec.privileged field is omitted or set to false.
        scored: false

      - id: 4.2.2
        text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.hostPID field is omitted or set to false.
        scored: false

      - id: 4.2.3
        text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.hostIPC field is omitted or set to false.
        scored: false

      - id: 4.2.4
        text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.hostNetwork field is omitted or set to false.
        scored: false

      - id: 4.2.5
        text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.allowPrivilegeEscalation field is omitted or set to false.
        scored: false

      - id: 4.2.6
        text: "Minimize the admission of root containers (Automated)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of
          UIDs not including 0.
        scored: false

      - id: 4.2.7
        text: "Minimize the admission of containers with added capabilities (Manual)"
        type: "manual"
        remediation: |
          Ensure that allowedCapabilities is not present in PSPs for the cluster unless
          it is set to an empty array.
        scored: false

      - id: 4.2.8
        text: "Minimize the admission of containers with capabilities assigned (Manual)"
        type: "manual"
        remediation: |
          Review the use of capabilities in applications running on your cluster. Where a namespace
          contains applications which do not require any Linux capabilities to operate consider adding
          a PSP which forbids the admission of containers which do not drop all capabilities.
        scored: false

  - id: 4.3
    text: "CNI Plugin"
    checks:
      - id: 4.3.1
        text: "Ensure CNI plugin supports network policies (Manual)"
        type: "manual"
        remediation: |
          As with RBAC policies, network policies should adhere to the policy of least privileged
          access. Start by creating a deny all policy that restricts all inbound and outbound traffic
          from a namespace or create a global policy using Calico.
        scored: false

      - id: 4.3.2
        text: "Ensure that all Namespaces have Network Policies defined (Manual)"
        type: "manual"
        remediation: |
          Follow the documentation and create NetworkPolicy objects as you need them.
        scored: false

  - id: 4.4
    text: "Secrets Management"
    checks:
      - id: 4.4.1
        text: "Prefer using secrets as files over secrets as environment variables (Manual)"
        type: "manual"
        remediation: |
          If possible, rewrite application code to read secrets from mounted secret files, rather than
          from environment variables.
        scored: false

      - id: 4.4.2
        text: "Consider external secret storage (Manual)"
        type: "manual"
        remediation: |
          Refer to the secrets management options offered by your cloud provider or a third-party
          secrets management solution.
        scored: false

  - id: 4.5
    text: "Extensible Admission Control"
    checks: []

  - id: 4.6
    text: "General Policies"
    checks:
      - id: 4.6.1
        text: "Create administrative boundaries between resources using namespaces (Manual)"
        type: "manual"
        remediation: |
          Follow the documentation and create namespaces for objects in your deployment as you need
          them.
        scored: false

      - id: 4.6.2
        text: "Apply Security Context to Your Pods and Containers (Manual)"
        type: "manual"
        remediation: |
          Follow the Kubernetes documentation and apply security contexts to your pods. For a
          suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
          Containers.
        scored: false

      - id: 4.6.3
        text: "The default namespace should not be used (Manual)"
        type: "manual"
        remediation: |
          Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
          resources and that all new resources are created in a specific namespace.
        scored: false
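Every check in group 4.1 above is `type: "manual"`, so kube-bench itself only prints the remediation text and leaves the RBAC review to the operator. The following Python auditor is an added example, not kube-bench code and not part of the benchmark file: it evaluates checks 4.1.1 (bindings to cluster-admin), 4.1.2 (get/list/watch on secrets), 4.1.3 (wildcards), 4.1.4 (create on pods) and 4.1.8 (bind/impersonate/escalate verbs) over RBAC objects in the JSON shape that `kubectl get clusterroles,roles,clusterrolebindings -A -o json` returns (a `kind: List` document with an `items` array). The sample data at the bottom is constructed for the example; skipping roles whose name starts with `system:` is an assumption made here to keep the report focused on user-created objects, not something the benchmark specifies.

```python
"""Added example: audit RBAC objects for the EKS CIS 4.1 manual checks.

Input is one `kind: List` document as produced by
`kubectl get clusterroles,roles,clusterrolebindings -A -o json`.
"""
import json
from typing import Dict, Iterable, List, Optional

# Verb sets named in the remediation text of checks 4.1.2, 4.1.4 and 4.1.8.
SECRET_READ_VERBS = {"get", "list", "watch"}
POD_CREATE_VERBS = {"create"}
ESCALATION_VERBS = {"bind", "impersonate", "escalate"}


def _name(obj: Dict) -> str:
    """namespace/name for namespaced objects, bare name for cluster-scoped ones."""
    meta = obj.get("metadata", {})
    ns = meta.get("namespace")
    return f"{ns}/{meta['name']}" if ns else meta["name"]


def _user_defined(obj: Dict) -> bool:
    # Assumption of this example: built-in "system:" roles are left to the platform.
    return not _name(obj).split("/")[-1].startswith("system:")


def _covers(rule: Dict, api_group: Optional[str], resource: Optional[str],
            verbs: Iterable[str]) -> bool:
    """True if one PolicyRule grants any of `verbs` on `resource` in `api_group`.

    None for api_group/resource means "any". A "*" entry in a rule matches everything,
    which is exactly why check 4.1.3 wants wildcards removed."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    rule_verbs = set(rule.get("verbs", []))
    group_hit = api_group is None or "*" in groups or api_group in groups
    resource_hit = resource is None or "*" in resources or resource in resources
    verb_hit = "*" in rule_verbs or bool(rule_verbs & set(verbs))
    return group_hit and resource_hit and verb_hit


def roles_granting(roles: List[Dict], api_group: Optional[str], resource: Optional[str],
                   verbs: Iterable[str]) -> List[str]:
    """Names of Roles/ClusterRoles with at least one rule granting `verbs` on `resource`."""
    return sorted(
        _name(r) for r in roles
        if _user_defined(r)
        and any(_covers(rule, api_group, resource, verbs) for rule in r.get("rules") or [])
    )


def roles_with_wildcards(roles: List[Dict]) -> List[str]:
    """Check 4.1.3: roles using "*" in apiGroups, resources or verbs."""
    def wild(rule: Dict) -> bool:
        return any("*" in rule.get(key, []) for key in ("apiGroups", "resources", "verbs"))
    return sorted(_name(r) for r in roles
                  if _user_defined(r) and any(wild(x) for x in r.get("rules") or []))


def cluster_admin_bindings(bindings: List[Dict]) -> List[str]:
    """Check 4.1.1: ClusterRoleBindings whose roleRef is the cluster-admin ClusterRole."""
    return sorted(
        _name(b) for b in bindings
        if b.get("roleRef", {}).get("kind") == "ClusterRole"
        and b["roleRef"].get("name") == "cluster-admin"
    )


def audit(kube_list: Dict) -> Dict[str, List[str]]:
    """Run the 4.1 checks over one List document; returns finding names keyed by check id."""
    items = kube_list.get("items", [])
    roles = [i for i in items if i.get("kind") in ("Role", "ClusterRole")]
    crbs = [i for i in items if i.get("kind") == "ClusterRoleBinding"]
    return {
        "4.1.1": cluster_admin_bindings(crbs),
        "4.1.2": roles_granting(roles, "", "secrets", SECRET_READ_VERBS),   # core API group
        "4.1.3": roles_with_wildcards(roles),
        "4.1.4": roles_granting(roles, "", "pods", POD_CREATE_VERBS),
        "4.1.8": roles_granting(roles, None, None, ESCALATION_VERBS),       # any resource
    }


# Constructed sample input (not from a real cluster).
SAMPLE = {"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "dev-anything", "namespace": "dev"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "impersonator"},
     "rules": [{"apiGroups": [""], "resources": ["users"], "verbs": ["impersonate"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "system:controller:example"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "ops"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "pod-viewers"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "Group", "name": "devs"}]},
]}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

Against the sample, `ops-admin` is the only cluster-admin binding, `dev/dev-anything` shows up under every role check because its wildcards grant everything, `secret-reader` and `impersonator` are flagged only for the verbs they actually hold, and `pod-viewer` is clean. To run it against a cluster, pipe the `kubectl get ... -o json` output into `audit(json.load(sys.stdin))`.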