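---
# kube-bench control file: CIS Kubernetes Benchmark v1.23 mapped onto k3s,
# control plane ("master") checks.
#
# Layout kept as in the original: `controls:` carries no value and the
# document metadata (version/id/text/type/groups) follows at top level.
#
# Conventions used by the audits below:
#   * $apiserverconf, $controllermanagerconf, $schedulerconf, $etcdconf,
#     $kubeletbin, $etcdbin are substituted by kube-bench from its config.
#   * Groups 1.2 and 1.3 read the effective component flags from the
#     "Running kube-apiserver" / "Running kube-controller-manager" lines of
#     the k3s journald unit, because the components run inside the k3s
#     process rather than as static pods.
controls:
version: "k3s-cis-1.23"
id: 1
text: "Control Plane Security Configuration"
type: "master"
groups:
  - id: "1.1"
    text: "Control Plane Node Configuration Files"
    # Checks marked `type: "skip"` audit kubeadm-style static pod manifests
    # via the $...conf variables. The original records no skip reason;
    # presumably k3s has no such manifests on disk -- confirm before
    # un-skipping any of them.
    checks:
      - id: 1.1.1
        text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'"
        type: "skip"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the
          control plane node.
          For example, chmod 644 $apiserverconf
        scored: true

      - id: 1.1.2
        text: "Ensure that the API server pod specification file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'"
        type: "skip"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chown root:root $apiserverconf
        scored: true

      - id: 1.1.3
        text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'"
        type: "skip"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chmod 644 $controllermanagerconf
        scored: true

      - id: 1.1.4
        text: "Ensure that the controller manager pod specification file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'"
        type: "skip"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chown root:root $controllermanagerconf
        scored: true

      - id: 1.1.5
        text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'"
        type: "skip"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chmod 644 $schedulerconf
        scored: true

      - id: 1.1.6
        text: "Ensure that the scheduler pod specification file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
        type: "skip"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chown root:root $schedulerconf
        scored: true

      - id: 1.1.7
        text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c permissions=%a $etcdconf; fi'"
        type: "skip"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chmod 644 $etcdconf
        scored: true

      - id: 1.1.8
        text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'"
        type: "skip"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chown root:root $etcdconf
        scored: true

      - id: 1.1.9
        text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)"
        type: "skip"
        # Two independent probes: the kubelet's --cni-conf-dir (if any) and
        # the default CNI state directory. Each emitted line is checked on its
        # own (use_multiple_values).
        audit: |
          ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c permissions=%a
          find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a
        use_multiple_values: true
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chmod 644 <path/to/cni/files>
        scored: false

      - id: 1.1.10
        text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
        type: "skip"
        audit: |
          ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G
          find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
        use_multiple_values: true
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chown root:root <path/to/cni/files>
        scored: false

      - id: 1.1.11
        text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
        # Delegated to a helper script (not visible here). NOTE(review):
        # `eq 700` rejects stricter modes such as 500 although the control says
        # "or more restrictive"; left unchanged because the script's output
        # format is unknown -- verify and consider `bitmask`.
        audit: "check_for_k3s_etcd.sh 1.1.11"
        tests:
          test_items:
            - flag: "700"
              compare:
                op: eq
                value: "700"
              set: true
        remediation: |
          On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
          from the command 'ps -ef | grep etcd'.
          Run the below command (based on the etcd data directory found above). For example,
          chmod 700 /var/lib/etcd
        scored: true

      - id: 1.1.12
        text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
        # Plain (unquoted) scalar on purpose: the sed expression contains `\(`
        # and `\1`, which are not valid escapes inside a YAML double-quoted string.
        audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G
        type: "skip"
        tests:
          test_items:
            - flag: "etcd:etcd"
        remediation: |
          On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
          from the command 'ps -ef | grep etcd'.
          Run the below command (based on the etcd data directory found above).
          For example, chown etcd:etcd /var/lib/etcd
        scored: true

      - id: 1.1.13
        text: "Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)"
        # Fixed: the original shell snippet lacked the closing `fi` (a syntax
        # error under `sh -c`) and matched the literal "600" with `eq`, so a
        # stricter mode such as 400 would have failed the "or more restrictive"
        # control. Now mirrors the permissions checks above.
        audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'"
        # NOTE(review): still skipped as in the original, although 1.1.14
        # audits the same file unskipped and no skip reason is recorded --
        # revisit whether this should run.
        type: "skip"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig
        scored: true

      - id: 1.1.14
        text: "Ensure that the admin.conf file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'"
        tests:
          test_items:
            - flag: "root:root"
              compare:
                op: eq
                value: "root:root"
              set: true
        # Remediation names the file the audit actually inspects (the original
        # pointed at the kubeadm path /etc/kubernetes/admin.conf).
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chown root:root /var/lib/rancher/k3s/server/cred/admin.kubeconfig
        scored: true

      - id: 1.1.15
        text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chmod 644 /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig
        scored: true

      - id: 1.1.16
        text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chown root:root /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig
        scored: true

      - id: 1.1.17
        text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chmod 644 /var/lib/rancher/k3s/server/cred/controller.kubeconfig
        scored: true

      - id: 1.1.18
        text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
        # Fixed: the original ran `stat` on the TLS directory
        # (/var/lib/rancher/k3s/server/tls), so the result said nothing about
        # the controller kubeconfig this control covers. Now mirrors 1.1.16.
        audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi'"
        tests:
          test_items:
            - flag: "root:root"
              compare:
                op: eq
                value: "root:root"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chown root:root /var/lib/rancher/k3s/server/cred/controller.kubeconfig
        scored: true

      - id: 1.1.19
        text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)"
        # One "user:group" line per entry under the k3s TLS directory.
        audit: "find /var/lib/rancher/k3s/server/tls | xargs stat -c %U:%G"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chown -R root:root /var/lib/rancher/k3s/server/tls/
        scored: true

      - id: 1.1.20
        text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)"
        # Fixed: the original format `%n\ %a` never emitted the literal
        # `permissions` token the flag below looks for, so the bitmask compare
        # could not match. Emit "<file> permissions=<mode>", one line per cert.
        audit: "stat -c '%n permissions=%a' /var/lib/rancher/k3s/server/tls/*.crt"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chmod 644 /var/lib/rancher/k3s/server/tls/*.crt
        scored: false

      - id: 1.1.21
        text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)"
        # Same fix as 1.1.20: the output must carry `permissions=` for the flag
        # to be found.
        audit: "stat -c '%n permissions=%a' /var/lib/rancher/k3s/server/tls/*.key"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chmod 600 /var/lib/rancher/k3s/server/tls/*.key
        scored: false

  - id: "1.2"
    text: "API Server"
    # Flags are read from the last "Running kube-apiserver" line in the k3s
    # journal. `$apiserverconf` in the remediation text is kept from the
    # benchmark wording; on k3s the flags are set through the k3s server
    # configuration rather than a static pod manifest.
    checks:
      - id: 1.2.1
        text: "Ensure that the --anonymous-auth argument is set to false (Manual)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'"
        type: "manual"
        tests:
          test_items:
            - flag: "--anonymous-auth"
              compare:
                op: eq
                value: "false"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the below parameter.
          --anonymous-auth=false
        scored: false

      - id: 1.2.2
        text: "Ensure that the --token-auth-file parameter is not set (Automated)"
        # Changed from `ps -ef | grep $apiserverbin`: a "flag must be absent"
        # test passes trivially whenever the flags are not visible in the
        # process list, so read them from the journal like the sibling checks
        # (same change applied to 1.2.3 and 1.2.12).
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep"
        tests:
          test_items:
            - flag: "--token-auth-file"
              set: false
        remediation: |
          Follow the documentation and configure alternate mechanisms for authentication. Then,
          edit the API server pod specification file $apiserverconf
          on the control plane node and remove the --token-auth-file=<filename> parameter.
        scored: true

      - id: 1.2.3
        text: "Ensure that the --DenyServiceExternalIPs is not set (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: nothave
                value: "DenyServiceExternalIPs"
              set: true
            - flag: "--enable-admission-plugins"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and remove the `DenyServiceExternalIPs`
          from enabled admission plugins.
        scored: true

      - id: 1.2.4
        text: "Ensure that the --kubelet-https argument is set to true (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-https'"
        type: "skip"
        tests:
          bin_op: or
          test_items:
            - flag: "--kubelet-https"
              compare:
                op: eq
                value: "true"
            - flag: "--kubelet-https"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and remove the --kubelet-https parameter.
        scored: true

      - id: 1.2.5
        text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"
        # Fixed: the original grepped for 'kubelet-certificate-authority' (the
        # subject of 1.2.6), so this check failed or passed depending on an
        # unrelated flag.
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-client-certificate'"
        tests:
          bin_op: and
          test_items:
            - flag: "--kubelet-client-certificate"
            - flag: "--kubelet-client-key"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection between the
          apiserver and kubelets. Then, edit API server pod specification file
          $apiserverconf on the control plane node and set the
          kubelet client certificate and key parameters as below.
          --kubelet-client-certificate=<path/to/client-certificate-file>
          --kubelet-client-key=<path/to/client-key-file>
        scored: true

      - id: 1.2.6
        text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'"
        tests:
          test_items:
            - flag: "--kubelet-certificate-authority"
        remediation: |
          Follow the Kubernetes documentation and setup the TLS connection between
          the apiserver and kubelets. Then, edit the API server pod specification file
          $apiserverconf on the control plane node and set the
          --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.
          --kubelet-certificate-authority=<ca-string>
        scored: true

      - id: 1.2.7
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'"
        tests:
          test_items:
            - flag: "--authorization-mode"
              compare:
                op: nothave
                value: "AlwaysAllow"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --authorization-mode parameter to values other than AlwaysAllow.
          One such example could be as below.
          --authorization-mode=RBAC
        scored: true

      - id: 1.2.8
        text: "Ensure that the --authorization-mode argument includes Node (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'"
        tests:
          test_items:
            - flag: "--authorization-mode"
              compare:
                op: has
                value: "Node"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --authorization-mode parameter to a value that includes Node.
          --authorization-mode=Node,RBAC
        scored: true

      - id: 1.2.9
        text: "Ensure that the --authorization-mode argument includes RBAC (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'"
        tests:
          test_items:
            - flag: "--authorization-mode"
              compare:
                op: has
                value: "RBAC"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --authorization-mode parameter to a value that includes RBAC,
          for example `--authorization-mode=Node,RBAC`.
        scored: true

      - id: 1.2.10
        text: "Ensure that the admission control plugin EventRateLimit is set (Manual)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'"
        tests:
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "EventRateLimit"
        remediation: |
          Follow the Kubernetes documentation and set the desired limits in a configuration file.
          Then, edit the API server pod specification file $apiserverconf
          and set the below parameters.
          --enable-admission-plugins=...,EventRateLimit,...
          --admission-control-config-file=<path/to/configuration/file>
        scored: false

      - id: 1.2.11
        text: "Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'"
        tests:
          bin_op: or
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: nothave
                value: "AlwaysAdmit"
            - flag: "--enable-admission-plugins"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and either remove the --enable-admission-plugins parameter, or set it to a
          value that does not include AlwaysAdmit.
        scored: true

      - id: 1.2.12
        text: "Ensure that the admission control plugin AlwaysPullImages is set (Manual)"
        # Changed from the ps-based audit to the journal, consistent with the
        # other admission-plugin checks (see note on 1.2.2).
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'"
        tests:
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "AlwaysPullImages"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --enable-admission-plugins parameter to include
          AlwaysPullImages.
          --enable-admission-plugins=...,AlwaysPullImages,...
        scored: false

      - id: 1.2.13
        text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'"
        tests:
          bin_op: or
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "SecurityContextDeny"
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "PodSecurityPolicy"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --enable-admission-plugins parameter to include
          SecurityContextDeny, unless PodSecurityPolicy is already in place.
          --enable-admission-plugins=...,SecurityContextDeny,...
        scored: false

      - id: 1.2.14
        text: "Ensure that the admission control plugin ServiceAccount is set (Automated)"
        # ServiceAccount is enabled by default; the check only has to confirm
        # it was not explicitly disabled.
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--disable-admission-plugins"
              compare:
                op: nothave
                value: "ServiceAccount"
            - flag: "--disable-admission-plugins"
              set: false
        remediation: |
          Follow the documentation and create ServiceAccount objects as per your environment.
          Then, edit the API server pod specification file $apiserverconf
          on the control plane node and ensure that the --disable-admission-plugins parameter is set to a
          value that does not include ServiceAccount.
        scored: true

      - id: 1.2.15
        text: "Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--disable-admission-plugins"
              compare:
                op: nothave
                value: "NamespaceLifecycle"
            - flag: "--disable-admission-plugins"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --disable-admission-plugins parameter to
          ensure it does not include NamespaceLifecycle.
        scored: true

      - id: 1.2.16
        text: "Ensure that the admission control plugin NodeRestriction is set (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'"
        tests:
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "NodeRestriction"
        remediation: |
          Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets.
          Then, edit the API server pod specification file $apiserverconf
          on the control plane node and set the --enable-admission-plugins parameter to a
          value that includes NodeRestriction.
          --enable-admission-plugins=...,NodeRestriction,...
        scored: true

      - id: 1.2.17
        text: "Ensure that the --secure-port argument is not set to 0 (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'secure-port'"
        tests:
          bin_op: or
          test_items:
            - flag: "--secure-port"
              compare:
                op: gt
                value: "0"
            - flag: "--secure-port"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and either remove the --secure-port parameter or
          set it to a different (non-zero) desired port.
        scored: true

      - id: 1.2.18
        text: "Ensure that the --profiling argument is set to false (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling'"
        tests:
          test_items:
            - flag: "--profiling"
              compare:
                op: eq
                value: "false"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the below parameter.
          --profiling=false
        scored: true

      # 1.2.19 - 1.2.23 (audit logging and request timeout) are skipped in the
      # original without a recorded reason. They are scored controls; confirm
      # the skip is intentional for your deployment.
      - id: 1.2.19
        text: "Ensure that the --audit-log-path argument is set (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep"
        type: "skip"
        tests:
          test_items:
            - flag: "--audit-log-path"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --audit-log-path parameter to a suitable path and
          file where you would like audit logs to be written, for example,
          --audit-log-path=/var/log/apiserver/audit.log
        scored: true

      - id: 1.2.20
        text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep"
        type: "skip"
        tests:
          test_items:
            - flag: "--audit-log-maxage"
              compare:
                op: gte
                value: "30"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --audit-log-maxage parameter to 30
          or as an appropriate number of days, for example,
          --audit-log-maxage=30
        scored: true

      - id: 1.2.21
        text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep"
        type: "skip"
        tests:
          test_items:
            - flag: "--audit-log-maxbackup"
              compare:
                op: gte
                value: "10"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate
          value. For example,
          --audit-log-maxbackup=10
        scored: true

      - id: 1.2.22
        text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep"
        type: "skip"
        tests:
          test_items:
            - flag: "--audit-log-maxsize"
              compare:
                op: gte
                value: "100"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB.
          For example, to set it as 100 MB, --audit-log-maxsize=100
        scored: true

      - id: 1.2.23
        text: "Ensure that the --request-timeout argument is set as appropriate (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep"
        type: "skip"
        tests:
          test_items:
            - flag: "--request-timeout"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          and set the below parameter as appropriate and if needed.
          For example, --request-timeout=300s
        scored: true

      - id: 1.2.24
        text: "Ensure that the --service-account-lookup argument is set to true (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--service-account-lookup"
              set: false
            - flag: "--service-account-lookup"
              compare:
                op: eq
                value: "true"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the below parameter.
          --service-account-lookup=true
          Alternatively, you can delete the --service-account-lookup parameter from this file so
          that the default takes effect.
        scored: true

      - id: 1.2.25
        text: "Ensure that the --service-account-key-file argument is set as appropriate (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep"
        type: "skip"
        tests:
          test_items:
            - flag: "--service-account-key-file"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --service-account-key-file parameter
          to the public key file for service accounts. For example,
          --service-account-key-file=<filename>
        scored: true

      - id: 1.2.26
        text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
        # NOTE(review): the helper is invoked with "1.2.29" although this check
        # is 1.2.26; the argument presumably selects a case inside the script
        # (benchmark numbering of an earlier version) -- confirm against
        # check_for_k3s_etcd.sh before renumbering.
        audit: "check_for_k3s_etcd.sh 1.2.29"
        tests:
          bin_op: and
          test_items:
            - flag: "--etcd-certfile"
              set: true
            - flag: "--etcd-keyfile"
              set: true
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.
          Then, edit the API server pod specification file $apiserverconf
          on the control plane node and set the etcd certificate and key file parameters.
          --etcd-certfile=<path/to/client-certificate-file>
          --etcd-keyfile=<path/to/client-key-file>
        scored: true

      - id: 1.2.27
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep -A1 'Running kube-apiserver' | tail -n2"
        tests:
          bin_op: and
          test_items:
            - flag: "--tls-cert-file"
              set: true
            - flag: "--tls-private-key-file"
              set: true
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
          Then, edit the API server pod specification file $apiserverconf
          on the control plane node and set the TLS certificate and private key file parameters.
          --tls-cert-file=<path/to/tls-certificate-file>
          --tls-private-key-file=<path/to/tls-key-file>
        scored: true

      - id: 1.2.28
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'client-ca-file'"
        tests:
          test_items:
            - flag: "--client-ca-file"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
          Then, edit the API server pod specification file $apiserverconf
          on the control plane node and set the client certificate authority file.
          --client-ca-file=<path/to/client-ca-file>
        scored: true

      - id: 1.2.29
        text: "Ensure that the --etcd-cafile argument is set as appropriate (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-cafile'"
        tests:
          test_items:
            - flag: "--etcd-cafile"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.
          Then, edit the API server pod specification file $apiserverconf
          on the control plane node and set the etcd certificate authority file parameter.
          --etcd-cafile=<path/to/ca-file>
        scored: true

      - id: 1.2.30
        text: "Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'"
        tests:
          test_items:
            - flag: "--encryption-provider-config"
        remediation: |
          Follow the Kubernetes documentation and configure a EncryptionConfig file.
          Then, edit the API server pod specification file $apiserverconf
          on the control plane node and set the --encryption-provider-config parameter to the path of that file.
          For example, --encryption-provider-config=</path/to/EncryptionConfig/File>
        scored: false

      - id: 1.2.31
        text: "Ensure that encryption providers are appropriately configured (Manual)"
        # Manual: the path is a placeholder -- substitute the file referenced by
        # --encryption-provider-config (see 1.2.30).
        audit: "grep aescbc /path/to/encryption-config.json"
        type: "manual"
        remediation: |
          Follow the Kubernetes documentation and configure a EncryptionConfig file.
          In this file, choose aescbc, kms or secretbox as the encryption provider.
        scored: false

      - id: 1.2.32
        text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'"
        # NOTE(review): `valid_elements`, as its name suggests, only requires
        # every configured suite to appear in this allowlist. The allowlist
        # (copied from the benchmark text) still admits 3DES and the
        # non-forward-secret TLS_RSA_* suites, so a server configured with only
        # TLS_RSA_WITH_3DES_EDE_CBC_SHA would pass. Tighten it to the
        # ECDHE/AEAD suites if your policy requires.
        tests:
          test_items:
            - flag: "--tls-cipher-suites"
              compare:
                op: valid_elements
                value: "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384"
        # Remediation refers to $apiserverconf like every other check here; the
        # original named the kubeadm manifest path, which does not apply to k3s.
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the below parameter.
          --tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,
          TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
          TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
          TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
          TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
          TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
          TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384
        scored: false

  - id: "1.3"
    text: "Controller Manager"
    # Flags are read from the last "Running kube-controller-manager" line in
    # the k3s journal.
    checks:
      - id: 1.3.1
        text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'terminated-pod-gc-threshold'"
        tests:
          test_items:
            - flag: "--terminated-pod-gc-threshold"
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node and set the --terminated-pod-gc-threshold to an appropriate threshold,
          for example, --terminated-pod-gc-threshold=10
        scored: false

      - id: 1.3.2
        text: "Ensure that the --profiling argument is set to false (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'profiling'"
        tests:
          test_items:
            - flag: "--profiling"
              compare:
                op: eq
                value: "false"
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node and set the below parameter.
          --profiling=false
        scored: true

      - id: 1.3.3
        text: "Ensure that the --use-service-account-credentials argument is set to true (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials'"
        tests:
          test_items:
            - flag: "--use-service-account-credentials"
              compare:
                op: noteq
                value: "false"
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node to set the below parameter.
          --use-service-account-credentials=true
        scored: true

      - id: 1.3.4
        text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'service-account-private-key-file'"
        tests:
          test_items:
            - flag: "--service-account-private-key-file"
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node and set the --service-account-private-key-file parameter
          to the private key file for service accounts.
          --service-account-private-key-file=<filename>
        scored: true

      - id: 1.3.5
        text: "Ensure that the --root-ca-file argument is set as appropriate (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'root-ca-file'"
        tests:
          test_items:
            - flag: "--root-ca-file"
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node and set the --root-ca-file parameter to the certificate bundle file.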
910 --root-ca-file=<path/to/file> 911 scored: true 912 913 - id: 1.3.6 914 text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)" 915 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'RotateKubeletServerCertificate'" 916 type: "skip" 917 tests: 918 bin_op: or 919 test_items: 920 - flag: "--feature-gates" 921 compare: 922 op: nothave 923 value: "RotateKubeletServerCertificate=false" 924 set: true 925 - flag: "--feature-gates" 926 set: false 927 remediation: | 928 Edit the Controller Manager pod specification file $controllermanagerconf 929 on the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. 930 --feature-gates=RotateKubeletServerCertificate=true 931 scored: true 932 933 - id: 1.3.7 934 text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" 935 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 936 tests: 937 bin_op: or 938 test_items: 939 - flag: "--bind-address" 940 compare: 941 op: eq 942 value: "127.0.0.1" 943 set: true 944 - flag: "--bind-address" 945 set: false 946 remediation: | 947 Edit the Controller Manager pod specification file $controllermanagerconf 948 on the control plane node and ensure the correct value for the --bind-address parameter 949 scored: true 950 951 - id: 1.4 952 text: "Scheduler" 953 checks: 954 - id: 1.4.1 955 text: "Ensure that the --profiling argument is set to false (Automated)" 956 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1" 957 tests: 958 test_items: 959 - flag: "--profiling" 960 compare: 961 op: eq 962 value: false 963 set: true 964 remediation: | 965 Edit the Scheduler pod specification file $schedulerconf file 966 on the control plane node and set the below parameter. 
967 --profiling=false 968 scored: true 969 970 - id: 1.4.2 971 text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" 972 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'bind-address'" 973 tests: 974 bin_op: or 975 test_items: 976 - flag: "--bind-address" 977 compare: 978 op: eq 979 value: "127.0.0.1" 980 set: true 981 - flag: "--bind-address" 982 set: false 983 remediation: | 984 Edit the Scheduler pod specification file $schedulerconf 985 on the control plane node and ensure the correct value for the --bind-address parameter 986 scored: true