
     1  ---
     2  controls:
     3  version: "k3s-cis-1.7"
     4  id: 3
     5  text: "Control Plane Configuration"
     6  type: "controlplane"
     7  groups:
     8    - id: 3.1
     9      text: "Authentication and Authorization"
    10      checks:
    11        - id: 3.1.1
    12          text: "Client certificate authentication should not be used for users (Manual)"
    13          type: "manual"
    14          remediation: |
    15            Alternative mechanisms provided by Kubernetes such as the use of OIDC should be
    16            implemented in place of client certificates.
    17          scored: false
    18        - id: 3.1.2
    19          text: "Service account token authentication should not be used for users (Manual)"
    20          type: "manual"
    21          remediation: |
    22            Alternative mechanisms provided by Kubernetes such as the use of OIDC should be implemented
    23            in place of service account tokens.
    24          scored: false
    25        - id: 3.1.3
    26          text: "Bootstrap token authentication should not be used for users (Manual)"
    27          type: "manual"
    28          remediation: |
    29            Alternative mechanisms provided by Kubernetes such as the use of OIDC should be implemented
    30            in place of bootstrap tokens.
    31          scored: false
    32  
    33    - id: 3.2
    34      text: "Logging"
    35      checks:
    36        - id: 3.2.1
    37          text: "Ensure that a minimal audit policy is created (Manual)"
    38          audit: "journalctl -D /var/log/journal  -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'"
    39          tests:
    40            test_items:
    41              - flag: "--audit-policy-file"
    42                set: true
    43          remediation: |
    44            Create an audit policy file for your cluster.
    45          scored: false
    46  
    47        - id: 3.2.2
    48          text: "Ensure that the audit policy covers key security concerns (Manual)"
    49          type: "manual"
    50          remediation: |
    51            Review the audit policy provided for the cluster and ensure that it covers
    52            at least the following areas,
    53            - Access to Secrets managed by the cluster. Care should be taken to only
    54              log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in
    55              order to avoid risk of logging sensitive data.
    56            - Modification of Pod and Deployment objects.
    57            - Use of `pods/exec`, `pods/portforward`, `pods/proxy` and `services/proxy`.
    58            For most requests, minimally logging at the Metadata level is recommended
    59            (the most basic level of logging).
    60          scored: false