github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/k3s-cis-1.24/master.yaml (about) 1 --- 2 controls: 3 version: "k3s-cis-1.24" 4 id: 1 5 text: "Control Plane Security Configuration" 6 type: "master" 7 groups: 8 - id: 1.1 9 text: "Control Plane Node Configuration Files" 10 checks: 11 - id: 1.1.1 12 text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)" 13 audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'" 14 type: "skip" 15 tests: 16 test_items: 17 - flag: "permissions" 18 compare: 19 op: bitmask 20 value: "644" 21 remediation: | 22 Run the below command (based on the file location on your system) on the 23 control plane node. 24 For example, chmod 644 $apiserverconf 25 scored: true 26 27 - id: 1.1.2 28 text: "Ensure that the API server pod specification file ownership is set to root:root (Automated)" 29 audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'" 30 type: "skip" 31 tests: 32 test_items: 33 - flag: "root:root" 34 remediation: | 35 Run the below command (based on the file location on your system) on the control plane node. 36 For example, chown root:root $apiserverconf 37 scored: true 38 39 - id: 1.1.3 40 text: "Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)" 41 audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'" 42 type: "skip" 43 tests: 44 test_items: 45 - flag: "permissions" 46 compare: 47 op: bitmask 48 value: "600" 49 remediation: | 50 Run the below command (based on the file location on your system) on the control plane node. 
51 For example, chmod 600 $controllermanagerconf 52 scored: true 53 54 - id: 1.1.4 55 text: "Ensure that the controller manager pod specification file ownership is set to root:root (Automated)" 56 audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'" 57 type: "skip" 58 tests: 59 test_items: 60 - flag: "root:root" 61 remediation: | 62 Run the below command (based on the file location on your system) on the control plane node. 63 For example, chown root:root $controllermanagerconf 64 scored: true 65 66 - id: 1.1.5 67 text: "Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)" 68 audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'" 69 type: "skip" 70 tests: 71 test_items: 72 - flag: "permissions" 73 compare: 74 op: bitmask 75 value: "600" 76 remediation: | 77 Run the below command (based on the file location on your system) on the control plane node. 78 For example, chmod 600 $schedulerconf 79 scored: true 80 81 - id: 1.1.6 82 text: "Ensure that the scheduler pod specification file ownership is set to root:root (Automated)" 83 audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'" 84 type: "skip" 85 tests: 86 test_items: 87 - flag: "root:root" 88 remediation: | 89 Run the below command (based on the file location on your system) on the control plane node. 90 For example, chown root:root $schedulerconf 91 scored: true 92 93 - id: 1.1.7 94 text: "Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)" 95 audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c permissions=%a $etcdconf; fi'" 96 type: "skip" 97 tests: 98 test_items: 99 - flag: "permissions" 100 compare: 101 op: bitmask 102 value: "600" 103 remediation: | 104 Run the below command (based on the file location on your system) on the control plane node. 
105 For example, 106 chmod 600 $etcdconf 107 scored: true 108 109 - id: 1.1.8 110 text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)" 111 audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'" 112 type: "skip" 113 tests: 114 test_items: 115 - flag: "root:root" 116 remediation: | 117 Run the below command (based on the file location on your system) on the control plane node. 118 For example, 119 chown root:root $etcdconf 120 scored: true 121 122 - id: 1.1.9 123 text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)" 124 type: "skip" 125 audit: | 126 ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c permissions=%a 127 find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a 128 use_multiple_values: true 129 tests: 130 test_items: 131 - flag: "permissions" 132 compare: 133 op: bitmask 134 value: "600" 135 remediation: | 136 Run the below command (based on the file location on your system) on the control plane node. 137 For example, chmod 600 <path/to/cni/files> 138 scored: false 139 140 - id: 1.1.10 141 text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)" 142 type: "skip" 143 audit: | 144 ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G 145 find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G 146 use_multiple_values: true 147 tests: 148 test_items: 149 - flag: "root:root" 150 remediation: | 151 Run the below command (based on the file location on your system) on the control plane node. 
152 For example, 153 chown root:root <path/to/cni/files> 154 scored: false 155 156 - id: 1.1.11 157 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" 158 audit: "check_for_k3s_etcd.sh 1.1.11" 159 tests: 160 test_items: 161 - flag: "700" 162 compare: 163 op: eq 164 value: "700" 165 set: true 166 remediation: | 167 On the etcd server node, get the etcd data directory, passed as an argument --data-dir, 168 from the command 'ps -ef | grep etcd'. 169 Run the below command (based on the etcd data directory found above). For example, 170 chmod 700 /var/lib/etcd 171 scored: true 172 173 - id: 1.1.12 174 text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" 175 audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G 176 type: "skip" 177 tests: 178 test_items: 179 - flag: "etcd:etcd" 180 remediation: | 181 On the etcd server node, get the etcd data directory, passed as an argument --data-dir, 182 from the command 'ps -ef | grep etcd'. 183 Run the below command (based on the etcd data directory found above). 184 For example, chown etcd:etcd /var/lib/etcd 185 scored: true 186 187 - id: 1.1.13 188 text: "Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)" 189 audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/admin.kubeconfig'" 190 type: "skip" 191 tests: 192 test_items: 193 - flag: "600" 194 compare: 195 op: eq 196 value: "600" 197 set: true 198 remediation: | 199 Run the below command (based on the file location on your system) on the control plane node. 
200 For example, chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig 201 scored: true 202 203 - id: 1.1.14 204 text: "Ensure that the admin.conf file ownership is set to root:root (Automated)" 205 audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'" 206 tests: 207 test_items: 208 - flag: "root:root" 209 compare: 210 op: eq 211 value: "root:root" 212 set: true 213 remediation: | 214 Run the below command (based on the file location on your system) on the control plane node. 215 For example, chown root:root /etc/kubernetes/admin.conf 216 scored: true 217 218 - id: 1.1.15 219 text: "Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)" 220 audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'" 221 tests: 222 test_items: 223 - flag: "permissions" 224 compare: 225 op: bitmask 226 value: "600" 227 remediation: | 228 Run the below command (based on the file location on your system) on the control plane node. 229 For example, 230 chmod 600 $schedulerkubeconfig 231 scored: true 232 233 - id: 1.1.16 234 text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)" 235 audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'" 236 tests: 237 test_items: 238 - flag: "root:root" 239 remediation: | 240 Run the below command (based on the file location on your system) on the control plane node. 
241 For example, 242 chown root:root $schedulerkubeconfig 243 scored: true 244 245 - id: 1.1.17 246 text: "Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)" 247 audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi'" 248 tests: 249 test_items: 250 - flag: "permissions" 251 compare: 252 op: bitmask 253 value: "600" 254 remediation: | 255 Run the below command (based on the file location on your system) on the control plane node. 256 For example, 257 chmod 600 $controllermanagerkubeconfig 258 scored: true 259 260 - id: 1.1.18 261 text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)" 262 audit: "stat -c %U:%G /var/lib/rancher/k3s/server/tls" 263 tests: 264 test_items: 265 - flag: "root:root" 266 compare: 267 op: eq 268 value: "root:root" 269 set: true 270 remediation: | 271 Run the below command (based on the file location on your system) on the control plane node. 272 For example, 273 chown root:root $controllermanagerkubeconfig 274 scored: true 275 276 - id: 1.1.19 277 text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)" 278 audit: "find /var/lib/rancher/k3s/server/tls | xargs stat -c %U:%G" 279 use_multiple_values: true 280 tests: 281 test_items: 282 - flag: "root:root" 283 remediation: | 284 Run the below command (based on the file location on your system) on the control plane node. 
285 For example, 286 chown -R root:root /etc/kubernetes/pki/ 287 scored: true 288 289 - id: 1.1.20 290 text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Automated)" 291 audit: "stat -c %n\ %a /var/lib/rancher/k3s/server/tls/*.crt" 292 use_multiple_values: true 293 tests: 294 test_items: 295 - flag: "permissions" 296 compare: 297 op: bitmask 298 value: "600" 299 remediation: | 300 Run the below command (based on the file location on your system) on the control plane node. 301 For example, 302 chmod -R 600 /etc/kubernetes/pki/*.crt 303 scored: false 304 305 - id: 1.1.21 306 text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)" 307 audit: "stat -c %n\ %a /var/lib/rancher/k3s/server/tls/*.key" 308 use_multiple_values: true 309 tests: 310 test_items: 311 - flag: "permissions" 312 compare: 313 op: bitmask 314 value: "600" 315 remediation: | 316 Run the below command (based on the file location on your system) on the control plane node. 317 For example, 318 chmod -R 600 /etc/kubernetes/pki/*.key 319 scored: false 320 321 - id: 1.2 322 text: "API Server" 323 checks: 324 - id: 1.2.1 325 text: "Ensure that the --anonymous-auth argument is set to false (Automated)" 326 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'" 327 tests: 328 test_items: 329 - flag: "--anonymous-auth" 330 compare: 331 op: eq 332 value: false 333 remediation: | 334 Edit the API server pod specification file $apiserverconf 335 on the control plane node and set the below parameter. 336 --anonymous-auth=false 337 scored: false 338 339 - id: 1.2.2 340 text: "Ensure that the --token-auth-file parameter is not set (Automated)" 341 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 342 tests: 343 test_items: 344 - flag: "--token-auth-file" 345 set: false 346 remediation: | 347 Follow the documentation and configure alternate mechanisms for authentication. 
Then, 348 edit the API server pod specification file $apiserverconf 349 on the control plane node and remove the --token-auth-file=<filename> parameter. 350 scored: true 351 352 - id: 1.2.3 353 text: "Ensure that the --DenyServiceExternalIPs is not set (Automated)" 354 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 355 tests: 356 bin_op: or 357 test_items: 358 - flag: "--enable-admission-plugins" 359 compare: 360 op: nothave 361 value: "DenyServiceExternalIPs" 362 set: true 363 - flag: "--enable-admission-plugins" 364 set: false 365 remediation: | 366 Edit the API server pod specification file $apiserverconf 367 on the control plane node and remove the `DenyServiceExternalIPs` 368 from enabled admission plugins. 369 scored: true 370 371 - id: 1.2.4 372 text: "Ensure that the --kubelet-https argument is set to true (Automated)" 373 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-https'" 374 type: "skip" 375 tests: 376 bin_op: or 377 test_items: 378 - flag: "--kubelet-https" 379 compare: 380 op: eq 381 value: true 382 - flag: "--kubelet-https" 383 set: false 384 remediation: | 385 Edit the API server pod specification file $apiserverconf 386 on the control plane node and remove the --kubelet-https parameter. 387 scored: true 388 389 - id: 1.2.5 390 text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)" 391 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'" 392 tests: 393 bin_op: and 394 test_items: 395 - flag: "--kubelet-client-certificate" 396 - flag: "--kubelet-client-key" 397 remediation: | 398 Follow the Kubernetes documentation and set up the TLS connection between the 399 apiserver and kubelets. 
Then, edit API server pod specification file 400 $apiserverconf on the control plane node and set the 401 kubelet client certificate and key parameters as below. 402 --kubelet-client-certificate=<path/to/client-certificate-file> 403 --kubelet-client-key=<path/to/client-key-file> 404 scored: true 405 406 - id: 1.2.6 407 text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)" 408 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'" 409 tests: 410 test_items: 411 - flag: "--kubelet-certificate-authority" 412 remediation: | 413 Follow the Kubernetes documentation and setup the TLS connection between 414 the apiserver and kubelets. Then, edit the API server pod specification file 415 $apiserverconf on the control plane node and set the 416 --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority. 417 --kubelet-certificate-authority=<ca-string> 418 scored: true 419 420 - id: 1.2.7 421 text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)" 422 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'" 423 tests: 424 test_items: 425 - flag: "--authorization-mode" 426 compare: 427 op: nothave 428 value: "AlwaysAllow" 429 remediation: | 430 Edit the API server pod specification file $apiserverconf 431 on the control plane node and set the --authorization-mode parameter to values other than AlwaysAllow. 432 One such example could be as below. 
433 --authorization-mode=RBAC 434 scored: true 435 436 - id: 1.2.8 437 text: "Ensure that the --authorization-mode argument includes Node (Automated)" 438 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'" 439 tests: 440 test_items: 441 - flag: "--authorization-mode" 442 compare: 443 op: has 444 value: "Node" 445 remediation: | 446 Edit the API server pod specification file $apiserverconf 447 on the control plane node and set the --authorization-mode parameter to a value that includes Node. 448 --authorization-mode=Node,RBAC 449 scored: true 450 451 - id: 1.2.9 452 text: "Ensure that the --authorization-mode argument includes RBAC (Automated)" 453 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'" 454 tests: 455 test_items: 456 - flag: "--authorization-mode" 457 compare: 458 op: has 459 value: "RBAC" 460 remediation: | 461 Edit the API server pod specification file $apiserverconf 462 on the control plane node and set the --authorization-mode parameter to a value that includes RBAC, 463 for example `--authorization-mode=Node,RBAC`. 464 scored: true 465 466 - id: 1.2.10 467 text: "Ensure that the admission control plugin EventRateLimit is set (Automated)" 468 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'" 469 tests: 470 test_items: 471 - flag: "--enable-admission-plugins" 472 compare: 473 op: has 474 value: "EventRateLimit" 475 remediation: | 476 Follow the Kubernetes documentation and set the desired limits in a configuration file. 477 Then, edit the API server pod specification file $apiserverconf 478 and set the below parameters. 479 --enable-admission-plugins=...,EventRateLimit,... 
480 --admission-control-config-file=<path/to/configuration/file> 481 scored: false 482 483 - id: 1.2.11 484 text: "Ensure that the admission control plugin AlwaysAdmit is not set (Automated)" 485 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'" 486 tests: 487 bin_op: or 488 test_items: 489 - flag: "--enable-admission-plugins" 490 compare: 491 op: nothave 492 value: AlwaysAdmit 493 - flag: "--enable-admission-plugins" 494 set: false 495 remediation: | 496 Edit the API server pod specification file $apiserverconf 497 on the control plane node and either remove the --enable-admission-plugins parameter, or set it to a 498 value that does not include AlwaysAdmit. 499 scored: true 500 501 - id: 1.2.12 502 text: "Ensure that the admission control plugin AlwaysPullImages is set (Automated)" 503 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 504 tests: 505 test_items: 506 - flag: "--enable-admission-plugins" 507 compare: 508 op: has 509 value: "AlwaysPullImages" 510 remediation: | 511 Edit the API server pod specification file $apiserverconf 512 on the control plane node and set the --enable-admission-plugins parameter to include 513 AlwaysPullImages. 514 --enable-admission-plugins=...,AlwaysPullImages,... 
515 scored: false 516 517 - id: 1.2.13 518 text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Automated)" 519 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'" 520 tests: 521 bin_op: or 522 test_items: 523 - flag: "--enable-admission-plugins" 524 compare: 525 op: has 526 value: "SecurityContextDeny" 527 - flag: "--enable-admission-plugins" 528 compare: 529 op: has 530 value: "PodSecurityPolicy" 531 remediation: | 532 Edit the API server pod specification file $apiserverconf 533 on the control plane node and set the --enable-admission-plugins parameter to include 534 SecurityContextDeny, unless PodSecurityPolicy is already in place. 535 --enable-admission-plugins=...,SecurityContextDeny,... 536 scored: false 537 538 - id: 1.2.14 539 text: "Ensure that the admission control plugin ServiceAccount is set (Automated)" 540 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep" 541 tests: 542 bin_op: or 543 test_items: 544 - flag: "--disable-admission-plugins" 545 compare: 546 op: nothave 547 value: "ServiceAccount" 548 - flag: "--disable-admission-plugins" 549 set: false 550 remediation: | 551 Follow the documentation and create ServiceAccount objects as per your environment. 552 Then, edit the API server pod specification file $apiserverconf 553 on the control plane node and ensure that the --disable-admission-plugins parameter is set to a 554 value that does not include ServiceAccount. 
555 scored: true 556 557 - id: 1.2.15 558 text: "Ensure that the admission control plugin NamespaceLifecycle is set (Automated)" 559 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep" 560 tests: 561 bin_op: or 562 test_items: 563 - flag: "--disable-admission-plugins" 564 compare: 565 op: nothave 566 value: "NamespaceLifecycle" 567 - flag: "--disable-admission-plugins" 568 set: false 569 remediation: | 570 Edit the API server pod specification file $apiserverconf 571 on the control plane node and set the --disable-admission-plugins parameter to 572 ensure it does not include NamespaceLifecycle. 573 scored: true 574 575 - id: 1.2.16 576 text: "Ensure that the admission control plugin NodeRestriction is set (Automated)" 577 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'" 578 tests: 579 test_items: 580 - flag: "--enable-admission-plugins" 581 compare: 582 op: has 583 value: "NodeRestriction" 584 remediation: | 585 Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. 586 Then, edit the API server pod specification file $apiserverconf 587 on the control plane node and set the --enable-admission-plugins parameter to a 588 value that includes NodeRestriction. 589 --enable-admission-plugins=...,NodeRestriction,... 590 scored: true 591 592 - id: 1.2.17 593 text: "Ensure that the --secure-port argument is not set to 0 (Automated)" 594 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'secure-port'" 595 tests: 596 bin_op: or 597 test_items: 598 - flag: "--secure-port" 599 compare: 600 op: gt 601 value: 0 602 - flag: "--secure-port" 603 set: false 604 remediation: | 605 Edit the API server pod specification file $apiserverconf 606 on the control plane node and either remove the --secure-port parameter or 607 set it to a different (non-zero) desired port. 
608 scored: true 609 610 - id: 1.2.18 611 text: "Ensure that the --profiling argument is set to false (Automated)" 612 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling'" 613 tests: 614 test_items: 615 - flag: "--profiling" 616 compare: 617 op: eq 618 value: false 619 remediation: | 620 Edit the API server pod specification file $apiserverconf 621 on the control plane node and set the below parameter. 622 --profiling=false 623 scored: true 624 625 - id: 1.2.19 626 text: "Ensure that the --audit-log-path argument is set (Automated)" 627 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep" 628 type: "skip" 629 tests: 630 test_items: 631 - flag: "--audit-log-path" 632 remediation: | 633 Edit the API server pod specification file $apiserverconf 634 on the control plane node and set the --audit-log-path parameter to a suitable path and 635 file where you would like audit logs to be written, for example, 636 --audit-log-path=/var/log/apiserver/audit.log 637 scored: true 638 639 - id: 1.2.20 640 text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)" 641 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep" 642 type: "skip" 643 tests: 644 test_items: 645 - flag: "--audit-log-maxage" 646 compare: 647 op: gte 648 value: 30 649 remediation: | 650 Edit the API server pod specification file $apiserverconf 651 on the control plane node and set the --audit-log-maxage parameter to 30 652 or as an appropriate number of days, for example, 653 --audit-log-maxage=30 654 scored: true 655 656 - id: 1.2.21 657 text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)" 658 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep" 659 type: "skip" 660 tests: 661 test_items: 662 - flag: "--audit-log-maxbackup" 
663 compare: 664 op: gte 665 value: 10 666 remediation: | 667 Edit the API server pod specification file $apiserverconf 668 on the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate 669 value. For example, 670 --audit-log-maxbackup=10 671 scored: true 672 673 - id: 1.2.22 674 text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)" 675 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep" 676 type: "skip" 677 tests: 678 test_items: 679 - flag: "--audit-log-maxsize" 680 compare: 681 op: gte 682 value: 100 683 remediation: | 684 Edit the API server pod specification file $apiserverconf 685 on the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB. 686 For example, to set it as 100 MB, --audit-log-maxsize=100 687 scored: true 688 689 - id: 1.2.23 690 text: "Ensure that the --request-timeout argument is set as appropriate (Automated)" 691 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep" 692 type: "skip" 693 tests: 694 test_items: 695 - flag: "--request-timeout" 696 remediation: | 697 Edit the API server pod specification file $apiserverconf 698 and set the below parameter as appropriate and if needed. 699 For example, --request-timeout=300s 700 scored: true 701 702 - id: 1.2.24 703 text: "Ensure that the --service-account-lookup argument is set to true (Automated)" 704 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep" 705 tests: 706 bin_op: or 707 test_items: 708 - flag: "--service-account-lookup" 709 set: false 710 - flag: "--service-account-lookup" 711 compare: 712 op: eq 713 value: true 714 remediation: | 715 Edit the API server pod specification file $apiserverconf 716 on the control plane node and set the below parameter. 
          --service-account-lookup=true
          Alternatively, you can delete the --service-account-lookup parameter from this file so
          that the default takes effect.
        scored: true

      - id: 1.2.25
        text: "Ensure that the --service-account-key-file argument is set as appropriate (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep"
        type: "skip"
        tests:
          test_items:
            - flag: "--service-account-key-file"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --service-account-key-file parameter
          to the public key file for service accounts. For example,
          --service-account-key-file=<filename>
        scored: true

      - id: 1.2.26
        text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
        # NOTE(review): the argument 1.2.29 does not match this check's id. Presumably it is the
        # case label the helper script uses for the etcd client cert/key check (1.1.11 above
        # passes its own id) — confirm against check_for_k3s_etcd.sh before changing it.
        audit: "check_for_k3s_etcd.sh 1.2.29"
        tests:
          bin_op: and
          test_items:
            - flag: "--etcd-certfile"
              set: true
            - flag: "--etcd-keyfile"
              set: true
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.
          Then, edit the API server pod specification file $apiserverconf
          on the control plane node and set the etcd certificate and key file parameters.
          --etcd-certfile=<path/to/client-certificate-file>
          --etcd-keyfile=<path/to/client-key-file>
        scored: true

      - id: 1.2.27
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
        # NOTE(review): unlike the sibling checks this keeps the matched journal line plus the one
        # after it (grep -A1 / tail -n2) and applies no flag filter; presumably the logged command
        # line can continue on a following line — confirm, since an unrelated trailing line is
        # also fed to the flag tests.
        audit: "journalctl -D /var/log/journal -u k3s | grep -A1 'Running kube-apiserver' | tail -n2"
        tests:
          bin_op: and
          test_items:
            - flag: "--tls-cert-file"
              set: true
            - flag: "--tls-private-key-file"
              set: true
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
766 Then, edit the API server pod specification file $apiserverconf 767 on the control plane node and set the TLS certificate and private key file parameters. 768 --tls-cert-file=<path/to/tls-certificate-file> 769 --tls-private-key-file=<path/to/tls-key-file> 770 scored: true 771 772 - id: 1.2.28 773 text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)" 774 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'client-ca-file'" 775 tests: 776 test_items: 777 - flag: "--client-ca-file" 778 remediation: | 779 Follow the Kubernetes documentation and set up the TLS connection on the apiserver. 780 Then, edit the API server pod specification file $apiserverconf 781 on the control plane node and set the client certificate authority file. 782 --client-ca-file=<path/to/client-ca-file> 783 scored: true 784 785 - id: 1.2.29 786 text: "Ensure that the --etcd-cafile argument is set as appropriate (Automated)" 787 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-cafile'" 788 tests: 789 test_items: 790 - flag: "--etcd-cafile" 791 remediation: | 792 Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. 793 Then, edit the API server pod specification file $apiserverconf 794 on the control plane node and set the etcd certificate authority file parameter. 795 --etcd-cafile=<path/to/ca-file> 796 scored: true 797 798 - id: 1.2.30 799 text: "Ensure that the --encryption-provider-config argument is set as appropriate (Automated)" 800 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'" 801 tests: 802 test_items: 803 - flag: "--encryption-provider-config" 804 remediation: | 805 Follow the Kubernetes documentation and configure a EncryptionConfig file. 
806 Then, edit the API server pod specification file $apiserverconf 807 on the control plane node and set the --encryption-provider-config parameter to the path of that file. 808 For example, --encryption-provider-config=</path/to/EncryptionConfig/File> 809 scored: false 810 811 - id: 1.2.31 812 text: "Ensure that encryption providers are appropriately configured (Automated)" 813 audit: | 814 ENCRYPTION_PROVIDER_CONFIG=$(ps -ef | grep $apiserverbin | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\([^ ]*\).*%\1%') 815 if test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -A1 'providers:' $ENCRYPTION_PROVIDER_CONFIG | tail -n1 | grep -o "[A-Za-z]*" | sed 's/^/provider=/'; fi 816 tests: 817 test_items: 818 - flag: "provider" 819 compare: 820 op: valid_elements 821 value: "aescbc,kms,secretbox" 822 remediation: | 823 Follow the Kubernetes documentation and configure a EncryptionConfig file. 824 In this file, choose aescbc, kms or secretbox as the encryption provider. 
825 scored: false 826 827 - id: 1.2.32 828 text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)" 829 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'" 830 tests: 831 test_items: 832 - flag: "--tls-cipher-suites" 833 compare: 834 op: valid_elements 835 value: "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384" 836 remediation: | 837 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml 838 on the control plane node and set the below parameter. 
839 --tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256, 840 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 841 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 842 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 843 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 844 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 845 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, 846 TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384 847 scored: false 848 849 - id: 1.3 850 text: "Controller Manager" 851 checks: 852 - id: 1.3.1 853 text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Automated)" 854 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'terminated-pod-gc-threshold'" 855 tests: 856 test_items: 857 - flag: "--terminated-pod-gc-threshold" 858 remediation: | 859 Edit the Controller Manager pod specification file $controllermanagerconf 860 on the control plane node and set the --terminated-pod-gc-threshold to an appropriate threshold, 861 for example, --terminated-pod-gc-threshold=10 862 scored: false 863 864 - id: 1.3.2 865 text: "Ensure that the --profiling argument is set to false (Automated)" 866 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'profiling'" 867 tests: 868 test_items: 869 - flag: "--profiling" 870 compare: 871 op: eq 872 value: false 873 remediation: | 874 Edit the Controller Manager pod specification file $controllermanagerconf 875 on the control plane node and set the below parameter. 
876 --profiling=false 877 scored: true 878 879 - id: 1.3.3 880 text: "Ensure that the --use-service-account-credentials argument is set to true (Automated)" 881 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials'" 882 tests: 883 test_items: 884 - flag: "--use-service-account-credentials" 885 compare: 886 op: noteq 887 value: false 888 remediation: | 889 Edit the Controller Manager pod specification file $controllermanagerconf 890 on the control plane node to set the below parameter. 891 --use-service-account-credentials=true 892 scored: true 893 894 - id: 1.3.4 895 text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)" 896 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'service-account-private-key-file'" 897 tests: 898 test_items: 899 - flag: "--service-account-private-key-file" 900 remediation: | 901 Edit the Controller Manager pod specification file $controllermanagerconf 902 on the control plane node and set the --service-account-private-key-file parameter 903 to the private key file for service accounts. 904 --service-account-private-key-file=<filename> 905 scored: true 906 907 - id: 1.3.5 908 text: "Ensure that the --root-ca-file argument is set as appropriate (Automated)" 909 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'root-ca-file'" 910 tests: 911 test_items: 912 - flag: "--root-ca-file" 913 remediation: | 914 Edit the Controller Manager pod specification file $controllermanagerconf 915 on the control plane node and set the --root-ca-file parameter to the certificate bundle file`. 
916 --root-ca-file=<path/to/file> 917 scored: true 918 919 - id: 1.3.6 920 text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)" 921 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'RotateKubeletServerCertificate'" 922 type: "skip" 923 tests: 924 bin_op: or 925 test_items: 926 - flag: "--feature-gates" 927 compare: 928 op: nothave 929 value: "RotateKubeletServerCertificate=false" 930 set: true 931 - flag: "--feature-gates" 932 set: false 933 remediation: | 934 Edit the Controller Manager pod specification file $controllermanagerconf 935 on the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. 936 --feature-gates=RotateKubeletServerCertificate=true 937 scored: true 938 939 - id: 1.3.7 940 text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" 941 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 942 tests: 943 bin_op: or 944 test_items: 945 - flag: "--bind-address" 946 compare: 947 op: eq 948 value: "127.0.0.1" 949 set: true 950 - flag: "--bind-address" 951 set: false 952 remediation: | 953 Edit the Controller Manager pod specification file $controllermanagerconf 954 on the control plane node and ensure the correct value for the --bind-address parameter 955 scored: true 956 957 - id: 1.4 958 text: "Scheduler" 959 checks: 960 - id: 1.4.1 961 text: "Ensure that the --profiling argument is set to false (Automated)" 962 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1" 963 tests: 964 test_items: 965 - flag: "--profiling" 966 compare: 967 op: eq 968 value: false 969 set: true 970 remediation: | 971 Edit the Scheduler pod specification file $schedulerconf file 972 on the control plane node and set the below parameter. 
973 --profiling=false 974 scored: true 975 976 - id: 1.4.2 977 text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" 978 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'bind-address'" 979 tests: 980 bin_op: or 981 test_items: 982 - flag: "--bind-address" 983 compare: 984 op: eq 985 value: "127.0.0.1" 986 set: true 987 - flag: "--bind-address" 988 set: false 989 remediation: | 990 Edit the Scheduler pod specification file $schedulerconf 991 on the control plane node and ensure the correct value for the --bind-address parameter 992 scored: true