github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/k3s-cis-1.7/node.yaml (about) 1 --- 2 controls: 3 version: "k3s-cis-1.7" 4 id: 4 5 text: "Worker Node Security Configuration" 6 type: "node" 7 groups: 8 - id: 4.1 9 text: "Worker Node Configuration Files" 10 checks: 11 - id: 4.1.1 12 text: "Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)" 13 type: "skip" 14 audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' ' 15 tests: 16 test_items: 17 - flag: "permissions" 18 compare: 19 op: bitmask 20 value: "600" 21 remediation: | 22 Run the below command (based on the file location on your system) on the each worker node. 23 For example, chmod 600 $kubeletsvc 24 Not Applicable - All configuration is passed in as arguments at container run time. 25 scored: true 26 27 - id: 4.1.2 28 text: "Ensure that the kubelet service file ownership is set to root:root (Automated)" 29 type: "skip" 30 audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' ' 31 tests: 32 test_items: 33 - flag: root:root 34 remediation: | 35 Run the below command (based on the file location on your system) on the each worker node. 36 For example, 37 chown root:root $kubeletsvc 38 Not Applicable. 39 All configuration is passed in as arguments at container run time. 40 scored: true 41 42 - id: 4.1.3 43 text: "If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Manual)" 44 audit: 'stat -c %a /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig' 45 tests: 46 bin_op: or 47 test_items: 48 - flag: "permissions" 49 compare: 50 op: bitmask 51 value: "600" 52 remediation: | 53 Run the below command (based on the file location on your system) on the each worker node. 54 For example, 55 chmod 600 $proxykubeconfig 56 scored: false 57 58 - id: 4.1.4 59 text: "If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)" 60 audit: '/bin/sh -c ''if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi'' ' 61 tests: 62 bin_op: or 63 test_items: 64 - flag: root:root 65 remediation: | 66 Run the below command (based on the file location on your system) on the each worker node. 67 For example, chown root:root $proxykubeconfig 68 scored: false 69 70 - id: 4.1.5 71 text: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)" 72 audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' ' 73 tests: 74 test_items: 75 - flag: "permissions" 76 compare: 77 op: bitmask 78 value: "600" 79 remediation: | 80 Run the below command (based on the file location on your system) on the each worker node. 81 For example, 82 chmod 600 $kubeletkubeconfig 83 scored: true 84 85 - id: 4.1.6 86 text: "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)" 87 audit: 'stat -c %U:%G /var/lib/rancher/k3s/agent/kubelet.kubeconfig' 88 tests: 89 test_items: 90 - flag: root:root 91 remediation: | 92 Run the below command (based on the file location on your system) on the each worker node. 93 For example, 94 chown root:root $kubeletkubeconfig 95 scored: true 96 97 - id: 4.1.7 98 text: "Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Manual)" 99 audit: "stat -c %a /var/lib/rancher/k3s/server/tls/server-ca.crt" 100 tests: 101 test_items: 102 - flag: "permissions" 103 compare: 104 op: bitmask 105 value: "600" 106 remediation: | 107 Run the following command to modify the file permissions of the 108 --client-ca-file chmod 600 <filename> 109 scored: false 110 111 - id: 4.1.8 112 text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)" 113 audit: "stat -c %U:%G /var/lib/rancher/k3s/server/tls/client-ca.crt" 114 tests: 115 test_items: 116 - flag: root:root 117 compare: 118 op: eq 119 value: root:root 120 remediation: | 121 Run the following command to modify the ownership of the --client-ca-file. 122 chown root:root <filename> 123 scored: false 124 125 - id: 4.1.9 126 text: "Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)" 127 type: "skip" 128 audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' ' 129 tests: 130 test_items: 131 - flag: "permissions" 132 compare: 133 op: bitmask 134 value: "600" 135 remediation: | 136 Run the following command (using the config file location identified in the Audit step) 137 chmod 600 $kubeletconf 138 scored: true 139 140 - id: 4.1.10 141 text: "Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)" 142 type: "skip" 143 audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' ' 144 tests: 145 test_items: 146 - flag: root:root 147 remediation: | 148 Run the following command (using the config file location identified in the Audit step) 149 chown root:root $kubeletconf 150 Not Applicable. 151 All configuration is passed in as arguments at container run time. 152 scored: true 153 154 - id: 4.2 155 text: "Kubelet" 156 checks: 157 - id: 4.2.1 158 text: "Ensure that the --anonymous-auth argument is set to false (Automated)" 159 audit: '/bin/sh -c ''if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi'' ' 160 tests: 161 test_items: 162 - flag: "--anonymous-auth" 163 path: '{.authentication.anonymous.enabled}' 164 compare: 165 op: eq 166 value: false 167 remediation: | 168 If using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to 169 `false`. 170 If using executable arguments, edit the kubelet service file 171 $kubeletsvc on each worker node and 172 set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. 173 `--anonymous-auth=false` 174 Based on your system, restart the kubelet service. For example, 175 systemctl daemon-reload 176 systemctl restart kubelet.service 177 scored: true 178 179 - id: 4.2.2 180 text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)" 181 audit: '/bin/sh -c ''if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode" | grep -v grep; else echo "--authorization-mode=Webhook"; fi'' ' 182 audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' " 183 tests: 184 test_items: 185 - flag: --authorization-mode 186 path: '{.authorization.mode}' 187 compare: 188 op: nothave 189 value: AlwaysAllow 190 remediation: | 191 If using a Kubelet config file, edit the file to set `authorization.mode` to Webhook. If 192 using executable arguments, edit the kubelet service file 193 $kubeletsvc on each worker node and 194 set the below parameter in KUBELET_AUTHZ_ARGS variable. 195 --authorization-mode=Webhook 196 Based on your system, restart the kubelet service. For example, 197 systemctl daemon-reload 198 systemctl restart kubelet.service 199 scored: true 200 201 - id: 4.2.3 202 text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)" 203 audit: '/bin/sh -c ''if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file" | grep -v grep; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi'' ' 204 tests: 205 test_items: 206 - flag: --client-ca-file 207 path: '{.authentication.x509.clientCAFile}' 208 remediation: | 209 If using a Kubelet config file, edit the file to set `authentication.x509.clientCAFile` to 210 the location of the client CA file. 211 If using command line arguments, edit the kubelet service file 212 $kubeletsvc on each worker node and 213 set the below parameter in KUBELET_AUTHZ_ARGS variable. 214 --client-ca-file=<path/to/client-ca-file> 215 Based on your system, restart the kubelet service. For example, 216 systemctl daemon-reload 217 systemctl restart kubelet.service 218 scored: true 219 220 - id: 4.2.4 221 text: "Verify that the --read-only-port argument is set to 0 (Manual)" 222 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'read-only-port' " 223 audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' " 224 tests: 225 bin_op: or 226 test_items: 227 - flag: "--read-only-port" 228 path: '{.readOnlyPort}' 229 compare: 230 op: eq 231 value: 0 232 - flag: "--read-only-port" 233 path: '{.readOnlyPort}' 234 set: false 235 remediation: | 236 If using a Kubelet config file, edit the file to set `readOnlyPort` to 0. 237 If using command line arguments, edit the kubelet service file 238 $kubeletsvc on each worker node and 239 set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. 240 --read-only-port=0 241 Based on your system, restart the kubelet service. For example, 242 systemctl daemon-reload 243 systemctl restart kubelet.service 244 scored: false 245 246 - id: 4.2.5 247 text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)" 248 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'streaming-connection-idle-timeout'" 249 tests: 250 test_items: 251 - flag: --streaming-connection-idle-timeout 252 path: '{.streamingConnectionIdleTimeout}' 253 compare: 254 op: noteq 255 value: 0 256 - flag: --streaming-connection-idle-timeout 257 path: '{.streamingConnectionIdleTimeout}' 258 set: false 259 bin_op: or 260 remediation: | 261 If using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a 262 value other than 0. 263 If using command line arguments, edit the kubelet service file 264 $kubeletsvc on each worker node and 265 set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. 266 --streaming-connection-idle-timeout=5m 267 Based on your system, restart the kubelet service. For example, 268 systemctl daemon-reload 269 systemctl restart kubelet.service 270 scored: false 271 272 - id: 4.2.6 273 text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)" 274 type: "skip" 275 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'make-iptables-util-chains'" 276 tests: 277 test_items: 278 - flag: --make-iptables-util-chains 279 path: '{.makeIPTablesUtilChains}' 280 compare: 281 op: eq 282 value: true 283 - flag: --make-iptables-util-chains 284 path: '{.makeIPTablesUtilChains}' 285 set: false 286 bin_op: or 287 remediation: | 288 If using a Kubelet config file, edit the file to set `makeIPTablesUtilChains` to `true`. 289 If using command line arguments, edit the kubelet service file 290 $kubeletsvc on each worker node and 291 remove the --make-iptables-util-chains argument from the 292 KUBELET_SYSTEM_PODS_ARGS variable. 293 Based on your system, restart the kubelet service. For example: 294 systemctl daemon-reload 295 systemctl restart kubelet.service 296 Permissive. 297 scored: true 298 299 - id: 4.2.7 300 text: "Ensure that the --hostname-override argument is not set (Manual)" 301 # This is one of those properties that can only be set as a command line argument. 302 # To check if the property is set as expected, we need to parse the kubelet command 303 # instead reading the Kubelet Configuration file. 304 type: "skip" 305 audit: "/bin/ps -fC $kubeletbin " 306 tests: 307 test_items: 308 - flag: --hostname-override 309 set: false 310 remediation: | 311 Edit the kubelet service file $kubeletsvc 312 on each worker node and remove the --hostname-override argument from the 313 KUBELET_SYSTEM_PODS_ARGS variable. 314 Based on your system, restart the kubelet service. For example, 315 systemctl daemon-reload 316 systemctl restart kubelet.service 317 Not Applicable. 318 scored: false 319 320 - id: 4.2.8 321 text: "Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)" 322 audit: "/bin/ps -fC $kubeletbin" 323 audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' " 324 tests: 325 test_items: 326 - flag: --event-qps 327 path: '{.eventRecordQPS}' 328 compare: 329 op: gte 330 value: 0 331 - flag: --event-qps 332 path: '{.eventRecordQPS}' 333 set: false 334 bin_op: or 335 remediation: | 336 If using a Kubelet config file, edit the file to set `eventRecordQPS` to an appropriate level. 337 If using command line arguments, edit the kubelet service file 338 $kubeletsvc on each worker node and 339 set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. 340 Based on your system, restart the kubelet service. For example, 341 systemctl daemon-reload 342 systemctl restart kubelet.service 343 scored: false 344 345 - id: 4.2.9 346 text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)" 347 type: "skip" 348 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1" 349 tests: 350 test_items: 351 - flag: --tls-cert-file 352 path: '/var/lib/rancher/k3s/agent/serving-kubelet.crt' 353 - flag: --tls-private-key-file 354 path: '/var/lib/rancher/k3s/agent/serving-kubelet.key' 355 remediation: | 356 If using a Kubelet config file, edit the file to set `tlsCertFile` to the location 357 of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile` 358 to the location of the corresponding private key file. 359 If using command line arguments, edit the kubelet service file 360 $kubeletsvc on each worker node and 361 set the below parameters in KUBELET_CERTIFICATE_ARGS variable. 362 --tls-cert-file=<path/to/tls-certificate-file> 363 --tls-private-key-file=<path/to/tls-key-file> 364 Based on your system, restart the kubelet service. For example, 365 systemctl daemon-reload 366 systemctl restart kubelet.service 367 Permissive - When generating serving certificates, functionality could break in conjunction with hostname overrides which are required for certain cloud providers. 368 scored: false 369 370 - id: 4.2.10 371 text: "Ensure that the --rotate-certificates argument is not set to false (Manual)" 372 audit: "/bin/ps -fC $kubeletbin" 373 audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' " 374 tests: 375 test_items: 376 - flag: --rotate-certificates 377 path: '{.rotateCertificates}' 378 compare: 379 op: eq 380 value: true 381 - flag: --rotate-certificates 382 path: '{.rotateCertificates}' 383 set: false 384 bin_op: or 385 remediation: | 386 If using a Kubelet config file, edit the file to add the line `rotateCertificates` to `true` or 387 remove it altogether to use the default value. 388 If using command line arguments, edit the kubelet service file 389 $kubeletsvc on each worker node and 390 remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS 391 variable. 392 Based on your system, restart the kubelet service. For example, 393 systemctl daemon-reload 394 systemctl restart kubelet.service 395 scored: false 396 397 - id: 4.2.11 398 text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)" 399 audit: "/bin/ps -fC $kubeletbin" 400 audit_config: "/bin/cat $kubeletconf" 401 tests: 402 bin_op: or 403 test_items: 404 - flag: RotateKubeletServerCertificate 405 path: '{.featureGates.RotateKubeletServerCertificate}' 406 compare: 407 op: nothave 408 value: false 409 - flag: RotateKubeletServerCertificate 410 path: '{.featureGates.RotateKubeletServerCertificate}' 411 set: false 412 remediation: | 413 Edit the kubelet service file $kubeletsvc 414 on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. 415 --feature-gates=RotateKubeletServerCertificate=true 416 Based on your system, restart the kubelet service. For example: 417 systemctl daemon-reload 418 systemctl restart kubelet.service 419 Not Applicable. 420 scored: false 421 422 - id: 4.2.12 423 text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)" 424 audit: "/bin/ps -fC $kubeletbin" 425 audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' " 426 tests: 427 test_items: 428 - flag: --tls-cipher-suites 429 path: '{range .tlsCipherSuites[:]}{}{'',''}{end}' 430 compare: 431 op: valid_elements 432 value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 433 remediation: | 434 If using a Kubelet config file, edit the file to set `TLSCipherSuites` to 435 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 436 or to a subset of these values. 437 If using executable arguments, edit the kubelet service file 438 $kubeletsvc on each worker node and 439 set the --tls-cipher-suites parameter as follows, or to a subset of these values. 440 --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 441 Based on your system, restart the kubelet service. For example: 442 systemctl daemon-reload 443 systemctl restart kubelet.service 444 scored: false 445 446 - id: 4.2.13 447 text: "Ensure that a limit is set on pod PIDs (Manual)" 448 audit: "/bin/ps -fC $kubeletbin" 449 audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' " 450 tests: 451 test_items: 452 - flag: --pod-max-pids 453 path: '{.podPidsLimit}' 454 remediation: | 455 Decide on an appropriate level for this parameter and set it, 456 either via the --pod-max-pids command line parameter or the PodPidsLimit configuration file setting. 457 scored: false