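---
# kube-bench control definitions for the CIS GKE Benchmark v1.0, section 1
# ("Control Plane Components", node type "master").
#
# Every group below is `type: skip`: on GKE the control plane is managed by
# Google, so these recommendations are listed for completeness but are not
# executed by kube-bench. Each check is therefore `scored: false`, and most
# carry the remediation "This control cannot be modified in GKE."; the few
# that can be influenced from the cluster side point to the section-6
# recommendation that covers them.
controls:
  version: "gke-1.0"
  id: 1
  text: "Control Plane Components"
  type: "master"
  groups:
    # 1.1 — file permissions/ownership of control-plane manifests, etcd,
    # kubeconfigs and PKI material. Not reachable on a managed control plane.
    - id: 1.1
      text: "Master Node Configuration Files "  # NOTE(review): trailing space kept as in source
      type: skip
      checks:
        - id: 1.1.1
          text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.1.2
          text: "Ensure that the API server pod specification file ownership is set to root:root (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.1.3
          text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.1.4
          text: "Ensure that the controller manager pod specification file ownership is set to root:root (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.1.5
          text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.1.6
          text: "Ensure that the scheduler pod specification file ownership is set to root:root (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.1.7
          text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.1.8
          text: "Ensure that the etcd pod specification file ownership is set to root:root (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.1.9
          text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.1.10
          text: "Ensure that the Container Network Interface file ownership is set to root:root (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.1.11
          text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.1.12
          text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.1.13
          text: "Ensure that the admin.conf file permissions are set to 644 or more restrictive (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.1.14
          text: "Ensure that the admin.conf file ownership is set to root:root (Not Scored) "  # NOTE(review): trailing space kept as in source
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.1.15
          text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          # Fixed: this was the only check in the file with `scored: true`,
          # contradicting its own "(Not Scored)" text, the skip type of the
          # group and every sibling check. A scored result for a check that
          # is never executed would distort the pass/fail summary.
          scored: false

        - id: 1.1.16
          text: "Ensure that the scheduler.conf file ownership is set to root:root (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.1.17
          text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.1.18
          text: "Ensure that the controller-manager.conf file ownership is set to root:root (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.1.19
          text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.1.20
          text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.1.21
          text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

    # 1.2 — kube-apiserver flags: authentication, authorization modes,
    # admission plugins, insecure/secure ports, audit logging, TLS and
    # secret encryption. Where GKE exposes an equivalent setting the
    # remediation refers to the matching section-6 recommendation.
    - id: 1.2
      text: "API Server"
      type: skip
      checks:
        - id: 1.2.1
          text: "Ensure that the --anonymous-auth argument is set to false (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.2
          text: "Ensure that the --basic-auth-file argument is not set (Not Scored)"
          remediation: |
            Although the use of the --basic-auth-file argument cannot be audited on GKE, you can
            remediate the use of basic authentication. See Recommendation 6.8.1.
          scored: false

        - id: 1.2.3
          text: "Ensure that the --token-auth-file parameter is not set (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.4
          text: "Ensure that the --kubelet-https argument is set to true (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.5
          text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.6
          text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.7
          text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.8
          text: "Ensure that the --authorization-mode argument includes Node (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.9
          text: "Ensure that the --authorization-mode argument includes RBAC (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.10
          text: "Ensure that the admission control plugin EventRateLimit is set (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.11
          text: "Ensure that the admission control plugin AlwaysAdmit is not set (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.12
          text: "Ensure that the admission control plugin AlwaysPullImages is set (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.13
          text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.14
          text: "Ensure that the admission control plugin ServiceAccount is set (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.15
          text: "Ensure that the admission control plugin NamespaceLifecycle is set (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.16
          text: "Ensure that the admission control plugin PodSecurityPolicy is set (Not Scored)"
          remediation: |
            To verify and remediate the use of Pod Security Policy on GKE, see Recommendation 6.10.3.
          scored: false

        - id: 1.2.17
          text: "Ensure that the admission control plugin NodeRestriction is set (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.18
          text: "Ensure that the --insecure-bind-address argument is not set (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.19
          text: "Ensure that the --insecure-port argument is set to 0 (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.20
          text: "Ensure that the --secure-port argument is not set to 0 (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.21
          text: "Ensure that the --profiling argument is set to false (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.22
          text: "Ensure that the --audit-log-path argument is set (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.23
          text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.24
          text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.25
          text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.26
          text: "Ensure that the --request-timeout argument is set as appropriate (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.27
          text: "Ensure that the --service-account-lookup argument is set to true (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.28
          text: "Ensure that the --service-account-key-file argument is set as appropriate (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.29
          text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.30
          text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.31
          text: "Ensure that the --client-ca-file argument is set as appropriate (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.2.32
          text: "Ensure that the --etcd-cafile argument is set as appropriate (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        # 1.2.33 and 1.2.34 both concern secrets encryption at rest and
        # intentionally share the same pointer to Recommendation 6.3.1.
        - id: 1.2.33
          text: "Ensure that the --encryption-provider-config argument is set as appropriate (Not Scored)"
          remediation: |
            To verify and remediate the use of secret encryption on GKE, see Recommendation 6.3.1.
          scored: false

        - id: 1.2.34
          text: "Ensure that encryption providers are appropriately configured (Not Scored)"
          remediation: |
            To verify and remediate the use of secret encryption on GKE, see Recommendation 6.3.1.
          scored: false

        - id: 1.2.35
          text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

    # 1.3 — kube-controller-manager flags.
    - id: 1.3
      text: "Controller Manager"
      type: skip
      checks:
        - id: 1.3.1
          text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.3.2
          text: "Ensure that the --profiling argument is set to false (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.3.3
          text: "Ensure that the --use-service-account-credentials argument is set to true (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.3.4
          text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.3.5
          text: "Ensure that the --root-ca-file argument is set as appropriate (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.3.6
          text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.3.7
          text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

    # 1.4 — kube-scheduler flags.
    - id: 1.4
      text: "Scheduler"
      type: skip
      checks:
        - id: 1.4.1
          text: "Ensure that the --profiling argument is set to false (Not Scored)"
          remediation: "This control cannot be modified in GKE."
          scored: false

        - id: 1.4.2
          text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Not Scored) "  # NOTE(review): trailing space kept as in source
          remediation: "This control cannot be modified in GKE."
          scored: false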