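---
# CIS Kubernetes Benchmark 1.23, section 2 (etcd node configuration), as applied
# to k3s. k3s runs etcd embedded in the k3s server process rather than as a
# static pod, so every audit delegates to check_for_k3s_etcd.sh with the check
# id; the test_items below are matched against that script's output, and the
# $etcdconf placeholder in remediation text is substituted by kube-bench from
# its config (there is no /etc/kubernetes/manifests/etcd.yaml on a k3s node).
#
# kube-bench matching semantics relied on below:
#   - `flag` + `set: true` with no `compare`  -> passes on presence alone
#   - `flag` + `compare`                      -> the flag's value must match
#   - `env`                                   -> etcd environment-variable form
#                                                of the same setting
#   - `set` defaults to true when omitted; it is written out explicitly here.
# For a boolean hardening flag a presence-only item must not be OR'ed with a
# value check, otherwise `--flag=false` would still pass the check; 2.2 and 2.5
# therefore compare the value on every alternative.
controls:
version: "k3s-cis-1.23"
id: 2
text: "Etcd Node Configuration"
type: "etcd"
groups:
  - id: 2
    text: "Etcd Node Configuration"
    checks:
      # Client-facing TLS: both the server certificate and its key must be set.
      # NOTE(review): assumes check_for_k3s_etcd.sh 2.1 prints only the
      # client-transport-security settings, so the unprefixed cert-file/key-file
      # names here refer to the client-facing cert, not the peer cert — confirm.
      - id: "2.1"
        text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
        audit: "check_for_k3s_etcd.sh 2.1"
        tests:
          bin_op: and
          test_items:
            - flag: "cert-file"
              env: "ETCD_CERT_FILE"
              set: true
            - flag: "key-file"
              env: "ETCD_KEY_FILE"
              set: true
        # --cert-file is the etcd server certificate, not the CA certificate;
        # the placeholder is named accordingly. The file path is $etcdconf, as
        # in every other remediation in this file.
        remediation: |
          Follow the etcd service documentation and configure TLS encryption.
          Then, edit the etcd pod specification file $etcdconf
          on the master node and set the below parameters.
          --cert-file=</path/to/cert-file>
          --key-file=</path/to/key-file>
        scored: true

      # Client certificate authentication must be enabled, not merely present:
      # both the command-line form and the config/env form compare the value,
      # so `--client-cert-auth=false` fails instead of passing on presence.
      - id: "2.2"
        text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
        audit: "check_for_k3s_etcd.sh 2.2"
        tests:
          bin_op: or
          test_items:
            - flag: "--client-cert-auth"
              compare:
                op: eq
                value: "true"
              set: true
            - flag: "client-cert-auth"
              env: "ETCD_CLIENT_CERT_AUTH"
              compare:
                op: eq
                value: "true"
              set: true
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and set the below parameter.
          --client-cert-auth="true"
        scored: true

      # Self-signed auto-TLS must not be used for client connections. Passes
      # when the flag is absent (`set: false`) OR explicitly false.
      - id: "2.3"
        text: "Ensure that the --auto-tls argument is not set to true (Automated)"
        audit: "check_for_k3s_etcd.sh 2.3"
        tests:
          bin_op: or
          test_items:
            - flag: "--auto-tls"
              env: "ETCD_AUTO_TLS"
              set: false
            - flag: "--auto-tls"
              env: "ETCD_AUTO_TLS"
              compare:
                op: eq
                value: "false"
              set: true
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and either remove the --auto-tls parameter or set it to false.
          --auto-tls=false
        scored: true

      # Peer TLS: both the peer certificate and its key must be set.
      # NOTE(review): the flag names are unprefixed (cert-file / key-file); this
      # relies on check_for_k3s_etcd.sh 2.4 printing only the
      # peer-transport-security block, otherwise the client cert would satisfy
      # this check — confirm against the script.
      - id: "2.4"
        text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
        audit: "check_for_k3s_etcd.sh 2.4"
        tests:
          bin_op: and
          test_items:
            - flag: "cert-file"
              env: "ETCD_PEER_CERT_FILE"
              set: true
            - flag: "key-file"
              env: "ETCD_PEER_KEY_FILE"
              set: true
        # etcd has no --peer-client-file flag; the peer certificate flag is
        # --peer-cert-file.
        remediation: |
          Follow the etcd service documentation and configure peer TLS encryption as appropriate
          for your etcd cluster.
          Then, edit the etcd pod specification file $etcdconf on the
          master node and set the below parameters.
          --peer-cert-file=</path/to/peer-cert-file>
          --peer-key-file=</path/to/peer-key-file>
        scored: true

      # Peer certificate authentication must be enabled. The command-line form
      # tests the peer flag (--peer-client-cert-auth) rather than the client
      # flag, and compares its value so `=false` does not pass; the second item
      # is the config/env form, which is assumed to be scoped to the
      # peer-transport-security block by check_for_k3s_etcd.sh 2.5 — confirm.
      - id: "2.5"
        text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
        audit: "check_for_k3s_etcd.sh 2.5"
        tests:
          bin_op: or
          test_items:
            - flag: "--peer-client-cert-auth"
              compare:
                op: eq
                value: "true"
              set: true
            - flag: "client-cert-auth"
              env: "ETCD_PEER_CLIENT_CERT_AUTH"
              compare:
                op: eq
                value: "true"
              set: true
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and set the below parameter.
          --peer-client-cert-auth=true
        scored: true

      # Self-signed auto-TLS must not be used between peers. Passes when the
      # flag is absent OR explicitly false.
      - id: "2.6"
        text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
        audit: "check_for_k3s_etcd.sh 2.6"
        tests:
          bin_op: or
          test_items:
            - flag: "--peer-auto-tls"
              env: "ETCD_PEER_AUTO_TLS"
              set: false
            - flag: "--peer-auto-tls"
              env: "ETCD_PEER_AUTO_TLS"
              compare:
                op: eq
                value: "false"
              set: true
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and either remove the --peer-auto-tls parameter or set it to false.
          --peer-auto-tls=false
        scored: true

      # Only the presence of a trusted CA file can be automated; whether that CA
      # is dedicated to etcd (and not shared with the Kubernetes API server or
      # anything else) must be verified by hand, hence Manual / unscored.
      - id: "2.7"
        text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
        audit: "check_for_k3s_etcd.sh 2.7"
        tests:
          test_items:
            - flag: "trusted-ca-file"
              env: "ETCD_TRUSTED_CA_FILE"
              set: true
        remediation: |
          [Manual test]
          Follow the etcd documentation and create a dedicated certificate authority setup for the
          etcd service.
          Then, edit the etcd pod specification file $etcdconf on the
          master node and set the below parameter.
          --trusted-ca-file=</path/to/ca-file>
        scored: false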