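---
# kube-bench check profile for the worker-node section (id 4) of the CIS
# Kubernetes Benchmark v1.24, adapted for RKE-provisioned clusters.
#
# Layout (per check):
#   audit        - command run on the node; its stdout is searched for `flag`
#   audit_config - command whose stdout (the kubelet config file, when present)
#                  is queried with the JSONPath in `path`
#   tests        - test_items joined with `bin_op` (default: and); `compare`
#                  narrows a found flag to an expected value, `set: false`
#                  passes only when the flag is absent
#   type: "skip" - the check is reported but not evaluated on RKE
#
# Variables such as $kubeletsvc, $kubeletconf, $kubeletkubeconfig,
# $proxykubeconfig and $kubeletbin are not defined in this file; presumably the
# runner substitutes them from its per-platform configuration — confirm there.
#
# NOTE(review): `controls:` carries no value (a YAML null); kept as-is because
# it is the layout the loader expects — do not "fix" it into a mapping.
controls:
version: "rke-cis-1.24"
id: 4
text: "Worker Node Security Configuration"
type: "node"
groups:
  # NOTE(review): group ids with a single dot (4.1, 4.2) are YAML floats; a
  # future id such as 4.10 would collapse to 4.1 unless written as "4.10".
  # Check ids with two dots (4.1.10) are already plain strings.
  - id: 4.1
    text: "Worker Node Configuration Files"
    checks:
      # 4.1.1 / 4.1.2 are skipped for RKE: the kubelet is started as a
      # container with its arguments passed at run time (see 4.1.9), so a
      # systemd service file is presumably absent — confirm for the target.
      - id: 4.1.1
        text: "Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)"
        type: "skip"
        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                # bitmask: passes when no bit outside 0600 is set
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example, chmod 600 $kubeletsvc
        scored: true

      - id: 4.1.2
        text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
        type: "skip"
        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' '
        tests:
          test_items:
            # literal match on the `stat -c %U:%G` output
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chown root:root $kubeletsvc
        scored: true

      - id: 4.1.3
        text: "If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Manual)"
        # The audit prints nothing when the file is absent; the check then
        # fails on the missing flag rather than passing vacuously.
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
        tests:
          # single test item: `or` is redundant here but harmless
          bin_op: or
          test_items:
            - flag: "permissions"
              set: true
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 600 $proxykubeconfig
        scored: true

      - id: 4.1.4
        text: "If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
        tests:
          bin_op: or
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example, chown root:root $proxykubeconfig
        scored: true

      - id: 4.1.5
        text: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 600 $kubeletkubeconfig
        scored: true

      - id: 4.1.6
        text: "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chown root:root $kubeletkubeconfig
        scored: true

      # 4.1.7 / 4.1.8 use a fixed RKE path instead of a variable. The /node
      # prefix assumes the host filesystem is mounted there by the runner —
      # confirm against the runner's volume mounts before relying on a PASS.
      - id: 4.1.7
        text: "Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)"
        audit: "stat -c permissions=%a /node/etc/kubernetes/ssl/kube-ca.pem"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the following command to modify the file permissions of the
          --client-ca-file chmod 600 <filename>
        scored: true

      - id: 4.1.8
        text: "Ensure that the client certificate authorities file ownership is set to root:root (Automated)"
        audit: "stat -c %U:%G /node/etc/kubernetes/ssl/kube-ca.pem"
        tests:
          test_items:
            # stricter form than 4.1.6: the matched flag is also compared
            - flag: root:root
              compare:
                op: eq
                value: root:root
        remediation: |
          Run the following command to modify the ownership of the --client-ca-file.
          chown root:root <filename>
        scored: true

      # 4.1.9 / 4.1.10 are skipped: RKE does not maintain a kubelet config
      # file (see remediation), so $kubeletconf is not expected to exist.
      - id: 4.1.9
        text: "If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Manual)"
        type: "skip"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Cluster provisioned by RKE doesn't require or maintain a configuration file for the kubelet.
          All configuration is passed in as arguments at container run time.
        scored: true

      - id: 4.1.10
        text: "If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root (Manual)"
        type: "skip"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Cluster provisioned by RKE doesn’t require or maintain a configuration file for the kubelet.
          All configuration is passed in as arguments at container run time.
        scored: true

  # Kubelet runtime settings. Each check looks for the flag on the kubelet
  # process line (`ps -fC $kubeletbin`) and, via `path`, for the equivalent
  # field in the kubelet config file when one exists.
  - id: 4.2
    text: "Kubelet"
    checks:
      - id: 4.2.1
        text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          test_items:
            # No `set: false` alternative: an absent flag fails the check,
            # i.e. anonymous auth must be disabled explicitly.
            - flag: "--anonymous-auth"
              path: '{.authentication.anonymous.enabled}'
              compare:
                op: eq
                value: false
        remediation: |
          If using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to
          `false`.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          `--anonymous-auth=false`
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.2
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          test_items:
            - flag: --authorization-mode
              path: '{.authorization.mode}'
              compare:
                # nothave: the value must not contain AlwaysAllow
                op: nothave
                value: AlwaysAllow
        remediation: |
          If using a Kubelet config file, edit the file to set `authorization.mode` to Webhook. If
          using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --authorization-mode=Webhook
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.3
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          test_items:
            # presence check only; the file itself is covered by 4.1.7 / 4.1.8
            - flag: --client-ca-file
              path: '{.authentication.x509.clientCAFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set `authentication.x509.clientCAFile` to
          the location of the client CA file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --client-ca-file=<path/to/client-ca-file>
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.4
        text: "Verify that the --read-only-port argument is set to 0 (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          bin_op: or
          test_items:
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              compare:
                op: eq
                value: 0
            # NOTE(review): this branch passes when the flag is absent. On RKE
            # the kubelet is configured by command-line arguments only (4.1.9),
            # and the command-line default for the read-only port is not 0 —
            # confirm for the deployed kubelet version before trusting a PASS
            # that comes from this branch.
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set `readOnlyPort` to 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --read-only-port=0
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.5
        text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          # `bin_op` placed first, matching 4.2.4 and 4.2.12
          bin_op: or
          test_items:
            # any explicit non-zero value passes
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              compare:
                op: noteq
                value: 0
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a
          value other than 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --streaming-connection-idle-timeout=5m
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      # Skipped: the remediation notes that host-level configuration must be
      # in place before provisioning for this argument to be set to true.
      - id: 4.2.6
        text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)"
        type: "skip"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          test_items:
            - flag: --protect-kernel-defaults
              path: '{.protectKernelDefaults}'
              compare:
                op: eq
                value: true
        remediation: |
          If using a Kubelet config file, edit the file to set `protectKernelDefaults` to `true`.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --protect-kernel-defaults=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
          System level configurations are required prior to provisioning the cluster in order for this argument to be set to true.
        scored: true

      - id: 4.2.7
        text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          bin_op: or
          test_items:
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              compare:
                op: eq
                value: true
            # absent is accepted; the remediation asks to remove the flag
            # rather than set it, so the default is relied upon here
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set `makeIPTablesUtilChains` to `true`.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove the --make-iptables-util-chains argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.8
        text: "Ensure that the --hostname-override argument is not set (Manual)"
        # This is one of those properties that can only be set as a command line argument.
        # To check if the property is set as expected, we need to parse the kubelet command
        # instead reading the Kubelet Configuration file.
        # Skipped on RKE: the remediation notes that RKE sets this flag itself.
        type: "skip"
        audit: "/bin/ps -fC $kubeletbin "
        tests:
          test_items:
            - flag: --hostname-override
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and remove the --hostname-override argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
          Clusters provisioned by RKE set the --hostname-override to avoid any hostname configuration errors
        scored: false

      - id: 4.2.9
        text: "Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          test_items:
            # Despite the wording of `text`, the check passes only for the
            # exact value 0; the remediation below states that value so the
            # operator is told what the check actually expects.
            - flag: --event-qps
              path: '{.eventRecordQPS}'
              compare:
                op: eq
                value: 0
        remediation: |
          If using a Kubelet config file, edit the file to set `eventRecordQPS` to an appropriate level.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --event-qps=0
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      # Skipped: the remediation warns that serving certificates may conflict
      # with the hostname override that RKE applies (see 4.2.8).
      - id: 4.2.10
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
        type: "skip"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          # both flags must be present (implicit `and`)
          test_items:
            - flag: --tls-cert-file
              path: '{.tlsCertFile}'
            - flag: --tls-private-key-file
              path: '{.tlsPrivateKeyFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set `tlsCertFile` to the location
          of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile`
          to the location of the corresponding private key file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
          --tls-cert-file=<path/to/tls-certificate-file>
          --tls-private-key-file=<path/to/tls-key-file>
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
          When generating serving certificates, functionality could break in conjunction with hostname overrides which are required for certain cloud providers.
        scored: false

      - id: 4.2.11
        text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          bin_op: or
          test_items:
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              compare:
                op: eq
                value: true
            # absent is accepted, matching "not set to false" in `text`
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to add the line `rotateCertificates` to `true` or
          remove it altogether to use the default value.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
          variable.
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      # Skipped: the remediation states that RKE handles certificate rotation
      # itself rather than through this kubelet feature gate.
      - id: 4.2.12
        text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
        type: "skip"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          bin_op: or
          test_items:
            # the gate is matched as a bare token within --feature-gates=...
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              compare:
                op: nothave
                value: false
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
          --feature-gates=RotateKubeletServerCertificate=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
          Clusters provisioned by RKE handles certificate rotation directly through RKE.
        scored: false

      - id: 4.2.13
        text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
        tests:
          test_items:
            # The JSONPath joins the config list with commas (the doubled
            # single quotes are YAML escapes for one `'`), so the config-file
            # form is compared the same way as the comma-separated flag value.
            # valid_elements: presumably every configured suite must appear in
            # the allow list below; an empty/absent flag fails.
            - flag: --tls-cipher-suites
              path: '{range .tlsCipherSuites[:]}{}{'',''}{end}'
              compare:
                op: valid_elements
                value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
        # The config-file field is named `tlsCipherSuites` (as in `path`
        # above); the remediation previously spelled it `TLSCipherSuites`.
        remediation: |
          If using a Kubelet config file, edit the file to set `tlsCipherSuites` to
          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          or to a subset of these values.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the --tls-cipher-suites parameter as follows, or to a subset of these values.
          --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true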