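---
# kube-bench control definitions for the CIS GKE Benchmark v1.0, section 4
# ("Worker Node Security Configuration").
#
# Layout notes:
#   * kube-bench reads `version`, `id`, `text`, `type` and `groups` as
#     top-level keys; `controls:` is a bare marker key with no value, so the
#     keys below it must stay at column 0 rather than being nested under it.
#   * `$kubeletbin`, `$kubeletconf`, `$kubeletsvc` and `$proxykubeconfig`
#     are substituted by kube-bench from the node section of its config
#     (cfg/config.yaml) before the audit commands are executed.
#   * `type: skip` controls are never executed on the node; kube-bench reports
#     them informationally. The `scored` field has no effect on a skipped
#     control, which is why it is inconsistent or absent on some of them.
#   * `op: bitmask` passes when the observed mode has no permission bits
#     outside the given mask, i.e. "644 or more restrictive".
controls:
version: "gke-1.0"
id: 4
text: "Worker Node Security Configuration"
type: "node"
groups:
  - id: 4.1
    text: "Worker Node Configuration Files"
    checks:
      # 4.1.1 / 4.1.2: kubelet systemd unit is managed by GKE; not auditable here.
      - id: 4.1.1
        text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Not Scored)"
        type: skip
        remediation: "This control cannot be modified in GKE."
        scored: false

      - id: 4.1.2
        text: "Ensure that the kubelet service file ownership is set to root:root (Not Scored)"
        type: skip
        remediation: "This control cannot be modified in GKE."
        scored: false

      # 4.1.3 / 4.1.4: kube-proxy kubeconfig carries the proxy's API credential;
      # world-writable or non-root-owned copies let an unprivileged user on the
      # node impersonate kube-proxy. The `test -e` guard produces no output when
      # the file is missing, which kube-bench reports as a failed check.
      - id: 4.1.3
        text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example,
          chmod 644 $proxykubeconfig
        scored: true

      - id: 4.1.4
        text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
        tests:
          test_items:
            # Presence match on the literal owner:group string emitted by stat.
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example, chown root:root $proxykubeconfig
        scored: true

      # 4.1.5 - 4.1.8: kubelet.conf and CA bundle are provisioned by GKE.
      - id: 4.1.5
        text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Not Scored)"
        type: skip
        remediation: "This control cannot be modified in GKE."
        scored: false

      - id: 4.1.6
        text: "Ensure that the kubelet.conf file ownership is set to root:root (Not Scored)"
        type: skip
        remediation: "This control cannot be modified in GKE."
        scored: false

      - id: 4.1.7
        text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Not Scored)"
        type: skip
        remediation: "This control cannot be modified in GKE."
        scored: false

      - id: 4.1.8
        text: "Ensure that the client certificate authorities file ownership is set to root:root (Not Scored)"
        type: skip
        remediation: "This control cannot be modified in GKE."
        scored: false

      # 4.1.9 / 4.1.10: the kubelet config file is the source of truth for the
      # authn/authz settings audited in group 4.2, so it must not be writable
      # by anyone but root.
      - id: 4.1.9
        text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              set: true
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chmod 644 $kubeletconf
        scored: true

      - id: 4.1.10
        text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chown root:root $kubeletconf
        scored: true

  - id: 4.2
    text: "Kubelet"
    checks:
      # Pattern for the kubelet checks below: `audit` inspects the running
      # process's command line for the flag; when the flag is absent, kube-bench
      # falls back to `audit_config` and evaluates the JSONPath in `path`
      # against the kubelet config file.
      #
      # 4.2.1: absent flag AND absent config key is a FAIL here (no `set: false`
      # alternative), which is the safe outcome because the kubelet enables
      # anonymous auth when nothing says otherwise.
      - id: 4.2.1
        text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--anonymous-auth"
              path: '{.authentication.anonymous.enabled}'
              compare:
                op: eq
                value: false
        remediation: |
          If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
          false.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --anonymous-auth=false
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      # 4.2.2: same shape as 4.2.1 - an unset mode is treated as a FAIL, which
      # matches the kubelet's own default of AlwaysAllow.
      - id: 4.2.2
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --authorization-mode
              path: '{.authorization.mode}'
              compare:
                op: nothave
                value: AlwaysAllow
        remediation: |
          If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If
          using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --authorization-mode=Webhook
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      # 4.2.3: only presence of a client CA is checked, not which CA; the
      # check cannot tell whether the configured bundle is the cluster CA.
      - id: 4.2.3
        text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --client-ca-file
              path: '{.authentication.x509.clientCAFile}'
              set: true
        remediation: |
          If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
          the location of the client CA file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --client-ca-file=<path/to/client-ca-file>
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      # 4.2.4: skipped because GKE does not expose the kubelet flag. NOTE(review):
      # the kubelet read-only port serves unauthenticated pod/metrics endpoints,
      # so with this check skipped, confirm out-of-band (firewall / network
      # policy) that the port is not reachable from workloads.
      - id: 4.2.4
        text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
        type: skip
        remediation: "This control cannot be modified in GKE."
        scored: true

      # 4.2.5 / 4.2.7 / 4.2.11: `bin_op: or` with a `set: false` item means an
      # absent setting PASSES, i.e. the benchmark treats the kubelet default as
      # acceptable for these three.
      - id: 4.2.5
        text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              compare:
                op: noteq
                value: 0
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
          value other than 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --streaming-connection-idle-timeout=5m
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.6
        text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
        type: skip
        remediation: "This control cannot be modified in GKE."

      - id: 4.2.7
        text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored) "
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              compare:
                op: eq
                value: true
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove the --make-iptables-util-chains argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      # 4.2.8: command line only (no `audit_config`), since hostname override
      # has no kubelet config-file equivalent. An overridden hostname breaks the
      # link between the node's TLS identity and the Node object it reports as.
      - id: 4.2.8
        text: "Ensure that the --hostname-override argument is not set (Scored)"
        audit: "/bin/ps -fC $kubeletbin "
        tests:
          test_items:
            - flag: --hostname-override
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and remove the --hostname-override argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.9
        text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Scored)"
        type: skip
        remediation: "This control cannot be modified in GKE."

      - id: 4.2.10
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
        type: skip
        remediation: "This control cannot be modified in GKE."

      # 4.2.11: passes when the setting is absent, following the CIS wording
      # "not set to false". NOTE(review): absent does not by itself mean
      # rotation is on - confirm against the cluster's bootstrap configuration.
      - id: 4.2.11
        text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              compare:
                op: eq
                value: true
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to add the line rotateCertificates: true or
          remove it altogether to use the default value.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
          variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      # 4.2.12: the flag match looks for the gate name inside the --feature-gates
      # value on the command line; the config-file form is the `featureGates`
      # map. The remediation covers both, mirroring the `path` used by the test.
      - id: 4.2.12
        text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              compare:
                op: eq
                value: true
        remediation: |
          If using a Kubelet config file, edit the file to set featureGates: RotateKubeletServerCertificate: true.
          If using command line arguments, edit the kubelet service file $kubeletsvc
          on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
          --feature-gates=RotateKubeletServerCertificate=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.13
        text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
        type: skip
        remediation: "This control cannot be modified in GKE."
        scored: false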