github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/rke-cis-1.24/controlplane.yaml

---
controls:
version: "rke-cis-1.24"
id: 3
text: "Control Plane Configuration"
type: "controlplane"
groups:
  - id: 3.1
    text: "Authentication and Authorization"
    checks:
      - id: 3.1.1
        text: "Client certificate authentication should not be used for users (Manual)"
        type: "manual"
        remediation: |
          Alternative mechanisms provided by Kubernetes such as the use of OIDC should be
          implemented in place of client certificates.
        scored: false

  - id: 3.2
    text: "Logging"
    checks:
      - id: 3.2.1
        text: "Ensure that a minimal audit policy is created (Manual)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--audit-policy-file"
              set: true
        remediation: |
          Create an audit policy file for your cluster.
        scored: true

      - id: 3.2.2
        text: "Ensure that the audit policy covers key security concerns (Manual)"
        type: "manual"
        remediation: |
          Review the audit policy provided for the cluster and ensure that it covers
          at least the following areas,
          - Access to Secrets managed by the cluster. Care should be taken to only
            log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in
            order to avoid risk of logging sensitive data.
          - Modification of Pod and Deployment objects.
          - Use of `pods/exec`, `pods/portforward`, `pods/proxy` and `services/proxy`.
          For most requests, minimally logging at the Metadata level is recommended
          (the most basic level of logging).
        scored: false
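An audit policy that satisfies the areas listed under check 3.2.2, written here as an added example rather than a file shipped with kube-bench or RKE. The path /etc/kubernetes/audit-policy.yaml used in the note below is an assumption; the resource and group names are the standard Kubernetes ones.

```yaml
# Added example: audit policy covering the areas named in check 3.2.2.
apiVersion: audit.k8s.io/v1
kind: Policy
# Rules are evaluated top to bottom and the first match wins, so the
# Metadata-only rule for sensitive objects must precede every broader rule;
# a catch-all RequestResponse rule placed first would log Secret bodies.
omitStages:
  - "RequestReceived"   # one event per request instead of two
rules:
  # Secrets, ConfigMaps and TokenReviews: record who touched them, never the body.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
      - group: "authentication.k8s.io"
        resources: ["tokenreviews"]
  # Writes to Pods and Deployments: keep the submitted object and the response.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["pods"]
      - group: "apps"
        resources: ["deployments"]
  # Interactive and proxy subresources. The requestURI, which carries the exec
  # command and container, is part of every event, so Metadata already records it.
  - level: Metadata
    resources:
      - group: ""
        resources: ["pods/exec", "pods/portforward", "pods/proxy", "services/proxy"]
  # Everything else at Metadata, the minimum the benchmark recommends.
  - level: Metadata
```

Point the API server at the file with --audit-policy-file=/etc/kubernetes/audit-policy.yaml (the flag check 3.2.1 looks for in the process list) and give it an --audit-log-path; on RKE both are set through the kube-api audit_log section of cluster.yml rather than by editing the flags directly.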