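---
# Worker-node section (CIS section 4) of the kube-bench RKE CIS 1.23 profile.
#
# Checks carrying `type: "skip"` are deliberately not executed on RKE clusters;
# the reason is kept in the check's remediation text so the report explains
# itself. Names such as $kubeletsvc, $kubeletconf, $kubeletbin, $kubeletkubeconfig
# and $proxykubeconfig are presumably substituted by kube-bench from its
# platform config — verify against the surrounding cfg/ directory.
#
# Every `value:` is a string on the kube-bench side, so boolean- and
# number-looking values are quoted here to avoid YAML implicit typing.
controls:
version: "rke-cis-1.23"
id: "4"
text: "Worker Node Security Configuration"
type: "node"
groups:
  - id: "4.1"
    text: "Worker Node Configuration Files"
    checks:
      - id: "4.1.1"
        text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)"
        # RKE passes all kubelet configuration as container arguments, so there
        # is no service file to inspect; skipped with that rationale.
        type: "skip"
        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Cluster provisioned by RKE doesn’t require or maintain a configuration file for the kubelet service.
          All configuration is passed in as arguments at container run time.
        scored: true

      - id: "4.1.2"
        text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
        # Same rationale as 4.1.1: no kubelet service file exists on RKE nodes.
        type: "skip"
        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Cluster provisioned by RKE doesn’t require or maintain a configuration file for the kubelet service.
          All configuration is passed in as arguments at container run time.
        scored: true

      - id: "4.1.3"
        text: "If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)"
        # NOTE(review): 4.1.5–4.1.8 prefix host paths with /node while this check
        # and 4.1.4 use $proxykubeconfig bare — confirm the variable already
        # resolves to the mounted host path. If it does not, `test -e` is false,
        # no "permissions" line is produced and the check reports FAIL rather
        # than the file's real mode.
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
        tests:
          bin_op: or
          test_items:
            - flag: "permissions"
              set: true
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 644 $proxykubeconfig
        scored: true

      - id: "4.1.4"
        text: "If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
        tests:
          bin_op: or
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example, chown root:root $proxykubeconfig
        scored: true

      - id: "4.1.5"
        text: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)"
        # Host filesystem is reached through the /node mount prefix.
        audit: '/bin/sh -c ''if test -e /node$kubeletkubeconfig; then stat -c permissions=%a /node$kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 644 $kubeletkubeconfig
        scored: true

      - id: "4.1.6"
        text: "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c ''if test -e /node$kubeletkubeconfig; then stat -c %U:%G /node$kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chown root:root $kubeletkubeconfig
        scored: true

      - id: "4.1.7"
        text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Automated)"
        # The CA path is fixed here (RKE layout) rather than taken from a variable.
        audit: "stat -c permissions=%a /node/etc/kubernetes/ssl/kube-ca.pem"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the following command to modify the file permissions of the
          --client-ca-file chmod 644 <filename>
        scored: true

      - id: "4.1.8"
        text: "Ensure that the client certificate authorities file ownership is set to root:root (Automated)"
        audit: "stat -c %U:%G /node/etc/kubernetes/ssl/kube-ca.pem"
        tests:
          test_items:
            - flag: root:root
              compare:
                op: eq
                value: root:root
        remediation: |
          Run the following command to modify the ownership of the --client-ca-file.
          chown root:root <filename>
        scored: true

      - id: "4.1.9"
        text: "Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)"
        # Skipped: RKE does not write a kubelet config file (see remediation).
        type: "skip"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        # The rationale paragraph was previously duplicated verbatim; kept once.
        remediation: |
          Clusters provisioned by RKE doesn’t require or maintain a configuration file for the kubelet.
          All configuration is passed in as arguments at container run time.
        scored: true

      - id: "4.1.10"
        text: "Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)"
        # Skipped: RKE does not write a kubelet config file (see remediation).
        type: "skip"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: root:root
        # The rationale paragraph was previously duplicated verbatim; kept once.
        remediation: |
          Clusters provisioned by RKE doesn’t require or maintain a configuration file for the kubelet.
          All configuration is passed in as arguments at container run time.
        scored: true

  - id: "4.2"
    text: "Kubelet"
    # Each check below reads the running kubelet command line (`audit`) and,
    # when present, the kubelet config file (`audit_config`); `flag` matches
    # the CLI argument and `path` the JSONPath into the config file.
    checks:
      - id: "4.2.1"
        text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          test_items:
            - flag: "--anonymous-auth"
              path: '{.authentication.anonymous.enabled}'
              compare:
                op: eq
                value: "false"
        remediation: |
          If using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to
          `false`.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          `--anonymous-auth=false`
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: "4.2.2"
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          test_items:
            - flag: --authorization-mode
              path: '{.authorization.mode}'
              compare:
                op: nothave
                value: AlwaysAllow
        remediation: |
          If using a Kubelet config file, edit the file to set `authorization.mode` to Webhook. If
          using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --authorization-mode=Webhook
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: "4.2.3"
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          test_items:
            # Presence-only: any value satisfies the check.
            - flag: --client-ca-file
              path: '{.authentication.x509.clientCAFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set `authentication.x509.clientCAFile` to
          the location of the client CA file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --client-ca-file=<path/to/client-ca-file>
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: "4.2.4"
        text: "Ensure that the --read-only-port argument is set to 0 (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          bin_op: or
          test_items:
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              compare:
                op: eq
                value: "0"
            # NOTE(review): the second alternative passes when neither the flag
            # nor the config key is present. That is only safe if the effective
            # default is 0 (the KubeletConfiguration default); the CLI flag's
            # own default is not 0 — confirm how RKE launches the kubelet.
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set `readOnlyPort` to 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --read-only-port=0
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: "4.2.5"
        text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          bin_op: or
          test_items:
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              compare:
                op: noteq
                value: "0"
            # Unset is acceptable: the kubelet then applies its non-zero default.
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a
          value other than 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --streaming-connection-idle-timeout=5m
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: "4.2.6"
        text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)"
        # Skipped: requires host sysctl preparation before provisioning (see
        # the last remediation line).
        type: "skip"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          test_items:
            - flag: --protect-kernel-defaults
              path: '{.protectKernelDefaults}'
              compare:
                op: eq
                value: "true"
        remediation: |
          If using a Kubelet config file, edit the file to set `protectKernelDefaults` to `true`.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --protect-kernel-defaults=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
          System level configurations are required prior to provisioning the cluster in order for this argument to be set to true.
        scored: true

      - id: "4.2.7"
        text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          bin_op: or
          test_items:
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              compare:
                op: eq
                value: "true"
            # Unset is acceptable; the remediation therefore tells the operator
            # to remove an explicit false rather than to add the flag.
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set `makeIPTablesUtilChains` to `true`.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove the --make-iptables-util-chains argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: "4.2.8"
        text: "Ensure that the --hostname-override argument is not set (Manual)"
        # This is one of those properties that can only be set as a command line argument.
        # To check if the property is set as expected, we need to parse the kubelet command
        # instead reading the Kubelet Configuration file.
        # Skipped on RKE, which sets the override itself (see remediation).
        type: "skip"
        audit: "/bin/ps -fC $kubeletbin "
        tests:
          test_items:
            - flag: --hostname-override
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and remove the --hostname-override argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
          Clusters provisioned by RKE set the --hostname-override to avoid any hostname configuration errors
        scored: false

      - id: "4.2.9"
        text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          test_items:
            # Only the value 0 (unlimited) satisfies this test despite the
            # "or a level which ensures appropriate event capture" wording.
            - flag: --event-qps
              path: '{.eventRecordQPS}'
              compare:
                op: eq
                value: "0"
        # The remediation announced a parameter "below" but omitted it; the only
        # value the test accepts is 0, so that is what is shown.
        remediation: |
          If using a Kubelet config file, edit the file to set `eventRecordQPS` to an appropriate level.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --event-qps=0
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: "4.2.10"
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
        # Skipped: serving certificates interact badly with the hostname
        # override RKE applies (see the last remediation line).
        type: "skip"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          test_items:
            - flag: --tls-cert-file
              path: '{.tlsCertFile}'
            - flag: --tls-private-key-file
              path: '{.tlsPrivateKeyFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set `tlsCertFile` to the location
          of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile`
          to the location of the corresponding private key file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
          --tls-cert-file=<path/to/tls-certificate-file>
          --tls-private-key-file=<path/to/tls-key-file>
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
          When generating serving certificates, functionality could break in conjunction with hostname overrides which are required for certain cloud providers.
        scored: false

      - id: "4.2.11"
        text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          bin_op: or
          test_items:
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              compare:
                op: eq
                value: "true"
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to add the line `rotateCertificates` to `true` or
          remove it altogether to use the default value.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
          variable.
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: "4.2.12"
        text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
        # Skipped: RKE rotates certificates itself (see the last remediation line).
        type: "skip"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          bin_op: or
          test_items:
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              compare:
                op: nothave
                value: "false"
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
          --feature-gates=RotateKubeletServerCertificate=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
          Clusters provisioned by RKE handles certificate rotation directly through RKE.
        scored: false

      - id: "4.2.13"
        text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          test_items:
            # The JSONPath joins the config-file list with commas so that the
            # same comma-separated allow-list applies to both sources;
            # valid_elements passes only if every configured cipher is listed.
            - flag: --tls-cipher-suites
              path: '{range .tlsCipherSuites[:]}{}{'',''}{end}'
              compare:
                op: valid_elements
                value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
        remediation: |
          If using a Kubelet config file, edit the file to set `TLSCipherSuites` to
          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          or to a subset of these values.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the --tls-cipher-suites parameter as follows, or to a subset of these values.
          --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true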