github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/k3s-cis-1.7/policies.yaml (about) 1 --- 2 controls: 3 version: "k3s-cis-1.7" 4 id: 5 5 text: "Kubernetes Policies" 6 type: "policies" 7 groups: 8 - id: 5.1 9 text: "RBAC and Service Accounts" 10 checks: 11 - id: 5.1.1 12 text: "Ensure that the cluster-admin role is only used where required (Manual)" 13 type: "manual" 14 remediation: | 15 Identify all clusterrolebindings to the cluster-admin role. Check if they are used and 16 if they need this role or if they could use a role with fewer privileges. 17 Where possible, first bind users to a lower privileged role and then remove the 18 clusterrolebinding to the cluster-admin role : 19 kubectl delete clusterrolebinding [name] 20 scored: false 21 22 - id: 5.1.2 23 text: "Minimize access to secrets (Manual)" 24 type: "manual" 25 remediation: | 26 Where possible, remove get, list and watch access to Secret objects in the cluster. 27 scored: false 28 29 - id: 5.1.3 30 text: "Minimize wildcard use in Roles and ClusterRoles (Manual)" 31 type: "manual" 32 remediation: | 33 Where possible replace any use of wildcards in clusterroles and roles with specific 34 objects or actions. 35 scored: false 36 37 - id: 5.1.4 38 text: "Minimize access to create pods (Manual)" 39 type: "manual" 40 remediation: | 41 Where possible, remove create access to pod objects in the cluster. 42 scored: false 43 44 - id: 5.1.5 45 text: "Ensure that default service accounts are not actively used. (Manual)" 46 type: "skip" 47 audit: check_for_default_sa.sh 48 tests: 49 test_items: 50 - flag: "true" 51 compare: 52 op: eq 53 value: "true" 54 set: true 55 remediation: | 56 Create explicit service accounts wherever a Kubernetes workload requires specific access 57 to the Kubernetes API server. 58 Modify the configuration of each default service account to include this value 59 automountServiceAccountToken: false 60 Permissive - Kubernetes provides default service accounts to be used. 61 scored: false 62 63 - id: 5.1.6 64 text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)" 65 type: "manual" 66 remediation: | 67 Modify the definition of pods and service accounts which do not need to mount service 68 account tokens to disable it. 69 scored: false 70 71 - id: 5.1.7 72 text: "Avoid use of system:masters group (Manual)" 73 type: "manual" 74 remediation: | 75 Remove the system:masters group from all users in the cluster. 76 scored: false 77 78 - id: 5.1.8 79 text: "Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)" 80 type: "manual" 81 remediation: | 82 Where possible, remove the impersonate, bind and escalate rights from subjects. 83 scored: false 84 85 - id: 5.1.9 86 text: "Minimize access to create persistent volumes (Manual)" 87 type: "manual" 88 remediation: | 89 Where possible, remove create access to PersistentVolume objects in the cluster. 90 scored: false 91 92 - id: 5.1.10 93 text: "Minimize access to the proxy sub-resource of nodes (Manual)" 94 type: "manual" 95 remediation: | 96 Where possible, remove access to the proxy sub-resource of node objects. 97 scored: false 98 99 - id: 5.1.11 100 text: "Minimize access to the approval sub-resource of certificatesigningrequests objects (Manual)" 101 type: "manual" 102 remediation: | 103 Where possible, remove access to the approval sub-resource of certificatesigningrequest objects. 104 scored: false 105 106 - id: 5.1.12 107 text: "Minimize access to webhook configuration objects (Manual)" 108 type: "manual" 109 remediation: | 110 Where possible, remove access to the validatingwebhookconfigurations or mutatingwebhookconfigurations objects 111 scored: false 112 113 - id: 5.1.13 114 text: "Minimize access to the service account token creation (Manual)" 115 type: "manual" 116 remediation: | 117 Where possible, remove access to the token sub-resource of serviceaccount objects. 118 scored: false 119 120 - id: 5.2 121 text: "Pod Security Standards" 122 checks: 123 - id: 5.2.1 124 text: "Ensure that the cluster has at least one active policy control mechanism in place (Manual)" 125 type: "manual" 126 remediation: | 127 Ensure that either Pod Security Admission or an external policy control system is in place 128 for every namespace which contains user workloads. 129 scored: false 130 131 - id: 5.2.2 132 text: "Minimize the admission of privileged containers (Manual)" 133 type: "manual" 134 remediation: | 135 Add policies to each namespace in the cluster which has user workloads to restrict the 136 admission of privileged containers. 137 scored: false 138 139 - id: 5.2.3 140 text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)" 141 type: "skip" 142 remediation: | 143 Add policies to each namespace in the cluster which has user workloads to restrict the 144 admission of `hostPID` containers. 145 Permissive - Enabling Pod Security Policy can cause applications to unexpectedly fail. 146 scored: false 147 148 - id: 5.2.4 149 text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)" 150 type: "skip" 151 remediation: | 152 Add policies to each namespace in the cluster which has user workloads to restrict the 153 admission of `hostIPC` containers. 154 Permissive - Enabling Pod Security Policy can cause applications to unexpectedly fail. 155 scored: false 156 157 - id: 5.2.5 158 text: "Minimize the admission of containers wishing to share the host network namespace (Automated)" 159 type: "skip" 160 remediation: | 161 Add policies to each namespace in the cluster which has user workloads to restrict the 162 admission of `hostNetwork` containers. 163 Permissive - Enabling Pod Security Policy can cause applications to unexpectedly fail. 164 scored: false 165 166 - id: 5.2.6 167 text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)" 168 type: "manual" 169 remediation: | 170 Add policies to each namespace in the cluster which has user workloads to restrict the 171 admission of containers with `.spec.allowPrivilegeEscalation` set to `true`. 172 scored: true 173 174 - id: 5.2.7 175 text: "Minimize the admission of root containers (Automated)" 176 type: "manual" 177 remediation: | 178 Create a policy for each namespace in the cluster, ensuring that either `MustRunAsNonRoot` 179 or `MustRunAs` with the range of UIDs not including 0, is set. 180 scored: false 181 182 - id: 5.2.8 183 text: "Minimize the admission of containers with the NET_RAW capability (Automated)" 184 type: "manual" 185 remediation: | 186 Add policies to each namespace in the cluster which has user workloads to restrict the 187 admission of containers with the `NET_RAW` capability. 188 scored: false 189 190 - id: 5.2.9 191 text: "Minimize the admission of containers with added capabilities (Automated)" 192 type: "manual" 193 remediation: | 194 Ensure that `allowedCapabilities` is not present in policies for the cluster unless 195 it is set to an empty array. 196 scored: false 197 198 - id: 5.2.10 199 text: "Minimize the admission of containers with capabilities assigned (Manual)" 200 type: "manual" 201 remediation: | 202 Review the use of capabilites in applications running on your cluster. Where a namespace 203 contains applicaions which do not require any Linux capabities to operate consider adding 204 a PSP which forbids the admission of containers which do not drop all capabilities. 205 scored: false 206 207 - id: 5.2.11 208 text: "Minimize the admission of Windows HostProcess containers (Manual)" 209 type: "manual" 210 remediation: | 211 Add policies to each namespace in the cluster which has user workloads to restrict the 212 admission of containers that have `.securityContext.windowsOptions.hostProcess` set to `true`. 213 scored: false 214 215 - id: 5.2.12 216 text: "Minimize the admission of HostPath volumes (Manual)" 217 type: "manual" 218 remediation: | 219 Add policies to each namespace in the cluster which has user workloads to restrict the 220 admission of containers with `hostPath` volumes. 221 scored: false 222 223 - id: 5.2.13 224 text: "Minimize the admission of containers which use HostPorts (Manual)" 225 type: "manual" 226 remediation: | 227 Add policies to each namespace in the cluster which has user workloads to restrict the 228 admission of containers which use `hostPort` sections. 229 scored: false 230 231 - id: 5.3 232 text: "Network Policies and CNI" 233 checks: 234 - id: 5.3.1 235 text: "Ensure that the CNI in use supports NetworkPolicies (Manual)" 236 type: "manual" 237 remediation: | 238 If the CNI plugin in use does not support network policies, consideration should be given to 239 making use of a different plugin, or finding an alternate mechanism for restricting traffic 240 in the Kubernetes cluster. 241 scored: false 242 243 - id: 5.3.2 244 text: "Ensure that all Namespaces have NetworkPolicies defined (Manual)" 245 type: "skip" 246 remediation: | 247 Follow the documentation and create NetworkPolicy objects as you need them. 248 Permissive - Enabling Network Policies can prevent certain applications from communicating with each other. 249 scored: false 250 251 - id: 5.4 252 text: "Secrets Management" 253 checks: 254 - id: 5.4.1 255 text: "Prefer using Secrets as files over Secrets as environment variables (Manual)" 256 type: "manual" 257 remediation: | 258 If possible, rewrite application code to read Secrets from mounted secret files, rather than 259 from environment variables. 260 scored: false 261 262 - id: 5.4.2 263 text: "Consider external secret storage (Manual)" 264 type: "manual" 265 remediation: | 266 Refer to the Secrets management options offered by your cloud provider or a third-party 267 secrets management solution. 268 scored: false 269 270 - id: 5.5 271 text: "Extensible Admission Control" 272 checks: 273 - id: 5.5.1 274 text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)" 275 type: "manual" 276 remediation: | 277 Follow the Kubernetes documentation and setup image provenance. 278 scored: false 279 280 - id: 5.7 281 text: "General Policies" 282 checks: 283 - id: 5.7.1 284 text: "Create administrative boundaries between resources using namespaces (Manual)" 285 type: "manual" 286 remediation: | 287 Follow the documentation and create namespaces for objects in your deployment as you need 288 them. 289 scored: false 290 291 - id: 5.7.2 292 text: "Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)" 293 type: "manual" 294 remediation: | 295 Use `securityContext` to enable the docker/default seccomp profile in your pod definitions. 296 An example is as below: 297 securityContext: 298 seccompProfile: 299 type: RuntimeDefault 300 scored: false 301 302 - id: 5.7.3 303 text: "Apply SecurityContext to your Pods and Containers (Manual)" 304 type: "manual" 305 remediation: | 306 Follow the Kubernetes documentation and apply SecurityContexts to your Pods. For a 307 suggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker 308 Containers. 309 scored: false 310 311 - id: 5.7.4 312 text: "The default namespace should not be used (Manual)" 313 type: "skip" 314 remediation: | 315 Ensure that namespaces are created to allow for appropriate segregation of Kubernetes 316 resources and that all new resources are created in a specific namespace. 317 Permissive - Kubernetes provides a default namespace. 318 scored: false