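---
# kube-bench controls for the GKE 1.2.0 benchmark, section 3: worker node checks.
# Page path: cfg/gke-1.2.0/node.yaml
#
# $proxykubeconfig, $kubeletconf, $kubeletbin and $kubeletsvc are placeholders
# that kube-bench substitutes with the paths it detects on the host before the
# checks run; they appear in audit commands and in remediation text alike.
#
# Per-check keys used below:
#   audit         shell command whose output is searched for each test_item flag
#   audit_config  command that prints the kubelet config file; a test_item's
#                 `path` is a JSONPath expression looked up in that output
#                 (presumably when the flag is not on the command line)
#   tests         test_items, combined with bin_op (only "or" is spelled out here)
#   scored        whether a failure counts toward the score
#
# Changes relative to the page: "identied" -> "identified" (3.1.3, 3.1.4),
# trailing whitespace trimmed in 3.2.7 text and 3.2.8 audit, and the missing
# "--event-qps=0" line added to the 3.2.9 remediation, which referred to a
# "below parameter" that was never given.
controls:  # marker key with no value, kept as in the upstream files
version: "gke-1.2.0"
id: 3
text: "Worker Node Security Configuration"
type: "node"
groups:
  # NOTE: 3.1 and 3.2 parse as floats in generic YAML parsers; kube-bench
  # reads them back as strings, so they are left unquoted as upstream does.
  - id: 3.1
    text: "Worker Node Configuration Files"
    checks:
      - id: 3.1.1
        text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Manual)"
        # Only emits output when the file exists; a missing file produces no
        # "permissions=" line and the test_item cannot match.
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask  # passes when no bit beyond 644 is set
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example,
          chmod 644 $proxykubeconfig
        scored: false

      - id: 3.1.2
        text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Manual)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example, chown root:root $proxykubeconfig
        scored: false

      - id: 3.1.3
        text: "Ensure that the kubelet configuration file permissions are set to 644 or more restrictive (Manual)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        # NOTE(review): the audit inspects $kubeletconf, but the example path
        # below is hard-coded and differs from the one given in 3.1.4.
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chmod 644 /var/lib/kubelet/config.yaml
        scored: false

      - id: 3.1.4
        text: "Ensure that the kubelet configuration file ownership is set to root:root (Manual)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chown root:root /etc/kubernetes/kubelet.conf
        scored: false

  - id: 3.2
    text: "Kubelet"
    checks:
      - id: 3.2.1
        text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--anonymous-auth"
              path: '{.authentication.anonymous.enabled}'
              compare:
                op: eq
                value: false
        remediation: |
          If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
          false.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --anonymous-auth=false
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 3.2.2
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --authorization-mode
              path: '{.authorization.mode}'
              compare:
                op: nothave  # any mode other than AlwaysAllow passes
                value: AlwaysAllow
        remediation: |
          If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If
          using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --authorization-mode=Webhook
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 3.2.3
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --client-ca-file
              path: '{.authentication.x509.clientCAFile}'
              set: true  # presence is enough; the value itself is not checked
        remediation: |
          If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
          the location of the client CA file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --client-ca-file=<path/to/client-ca-file>
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 3.2.4
        text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: true  # an absent setting fails; it must be explicitly 0
              compare:
                op: eq
                value: 0
        # NOTE(review): the remediation names a kubeadm drop-in path, whereas
        # the other checks in this group refer to $kubeletsvc.
        remediation: |
          If using a Kubelet config file, edit the file to set readOnlyPort to 0.
          If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
          on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --read-only-port=0
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 3.2.5
        text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        # Passes when the timeout is set to a non-zero value OR is not set at all.
        tests:
          test_items:
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              compare:
                op: noteq
                value: 0
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
          value other than 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --streaming-connection-idle-timeout=5m
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 3.2.6
        text: "Ensure that the --protect-kernel-defaults argument is set to true (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --protect-kernel-defaults
              path: '{.protectKernelDefaults}'
              set: true
              compare:
                op: eq
                value: true
        # NOTE(review): the remediation names a kubeadm drop-in path, whereas
        # the other checks in this group refer to $kubeletsvc.
        remediation: |
          If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
          If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
          on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --protect-kernel-defaults=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        # NOTE(review): titled "(Manual)" yet scored, unlike every other Manual
        # check in this file; confirm against the benchmark before relying on it.
        scored: true

      - id: 3.2.7
        text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        # Passes when the setting is true OR is not set at all.
        tests:
          test_items:
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              compare:
                op: eq
                value: true
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove the --make-iptables-util-chains argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 3.2.8
        text: "Ensure that the --hostname-override argument is not set (Manual)"
        # No audit_config here: the flag has no kubelet config-file counterpart
        # in this check, so only the process arguments are inspected.
        audit: "/bin/ps -fC $kubeletbin"
        tests:
          test_items:
            - flag: --hostname-override
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and remove the --hostname-override argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 3.2.9
        text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        # NOTE(review): the title accepts "0 or a level which ensures appropriate
        # event capture", but the test only passes on an explicit 0; any other
        # value, or an absent setting, fails.
        tests:
          test_items:
            - flag: --event-qps
              path: '{.eventRecordQPS}'
              set: true
              compare:
                op: eq
                value: 0
        # NOTE(review): the remediation names a kubeadm drop-in path, whereas
        # the other checks in this group refer to $kubeletsvc.
        remediation: |
          If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
          If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
          on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --event-qps=0
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 3.2.10
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        # Both items must match (no bin_op, so the default combination applies);
        # neither carries a compare, so only presence is tested.
        tests:
          test_items:
            - flag: --tls-cert-file
              path: '{.tlsCertFile}'
            - flag: --tls-private-key-file
              path: '{.tlsPrivateKeyFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set tlsCertFile to the location
          of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile
          to the location of the corresponding private key file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
          --tls-cert-file=<path/to/tls-certificate-file>
          --tls-private-key-file=<path/to/tls-key-file>
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 3.2.11
        text: "Ensure that the --rotate-certificates argument is not set to false (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        # Passes when rotation is explicitly true OR the setting is absent.
        tests:
          test_items:
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              compare:
                op: eq
                value: true
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to add the line rotateCertificates: true or
          remove it altogether to use the default value.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
          variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 3.2.12
        text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        # The flag is a feature-gate name rather than a --option, so the audit
        # output is searched for the bare gate name; the config-file path
        # covers the featureGates map.
        tests:
          test_items:
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              compare:
                op: eq
                value: true
        # NOTE(review): the test also reads the config file, but the remediation
        # only describes the service-file form.
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
          --feature-gates=RotateKubeletServerCertificate=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true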