github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/rke-cis-1.24/policies.yaml

---
controls:
version: "rke-cis-1.24"
id: 5
text: "Kubernetes Policies"
type: "policies"
groups:
  - id: 5.1
    text: "RBAC and Service Accounts"
    checks:
      - id: 5.1.1
        text: "Ensure that the cluster-admin role is only used where required (Manual)"
        type: "manual"
        remediation: |
          Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
          if they need this role or if they could use a role with fewer privileges.
          Where possible, first bind users to a lower privileged role and then remove the
          clusterrolebinding to the cluster-admin role :
          kubectl delete clusterrolebinding [name]
        scored: false

      - id: 5.1.2
        text: "Minimize access to secrets (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove get, list and watch access to Secret objects in the cluster.
        scored: false

      - id: 5.1.3
        text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
        type: "manual"
        remediation: |
          Where possible replace any use of wildcards in clusterroles and roles with specific
          objects or actions.
        scored: false

      - id: 5.1.4
        text: "Minimize access to create pods (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove create access to pod objects in the cluster.
        scored: false

      - id: 5.1.5
        text: "Ensure that default service accounts are not actively used. (Manual)"
        type: "skip"
        audit: check_for_default_sa.sh
        tests:
          test_items:
            - flag: "true"
              compare:
                op: eq
                value: "true"
              set: true
        remediation: |
          Create explicit service accounts wherever a Kubernetes workload requires specific access
          to the Kubernetes API server.
          Modify the configuration of each default service account to include this value
          automountServiceAccountToken: false
        scored: false

      - id: 5.1.6
        text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)"
        type: "manual"
        remediation: |
          Modify the definition of pods and service accounts which do not need to mount service
          account tokens to disable it.
        scored: false

      - id: 5.1.7
        text: "Avoid use of system:masters group (Manual)"
        type: "manual"
        remediation: |
          Remove the system:masters group from all users in the cluster.
        scored: false

      - id: 5.1.8
        text: "Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove the impersonate, bind and escalate rights from subjects.
        scored: false

  - id: 5.2
    text: "Pod Security Standards"
    checks:
      - id: 5.2.1
        text: "Ensure that the cluster has at least one active policy control mechanism in place (Manual)"
        type: "manual"
        remediation: |
          Ensure that either Pod Security Admission or an external policy control system is in place
          for every namespace which contains user workloads.
        scored: false

      - id: 5.2.2
        text: "Minimize the admission of privileged containers (Manual)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of privileged containers.
        scored: false

      - id: 5.2.3
        text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)"
        type: "skip"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of `hostPID` containers.
        scored: false

      - id: 5.2.4
        text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)"
        type: "skip"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of `hostIPC` containers.
        scored: false

      - id: 5.2.5
        text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
        type: "skip"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of `hostNetwork` containers.
        scored: false

      - id: 5.2.6
        text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of containers with `.spec.allowPrivilegeEscalation` set to `true`.
        scored: false

      - id: 5.2.7
        text: "Minimize the admission of root containers (Automated)"
        type: "manual"
        remediation: |
          Create a policy for each namespace in the cluster, ensuring that either `MustRunAsNonRoot`
          or `MustRunAs` with the range of UIDs not including 0, is set.
        scored: false

      - id: 5.2.8
        text: "Minimize the admission of containers with the NET_RAW capability (Automated)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of containers with the `NET_RAW` capability.
        scored: false

      - id: 5.2.9
        text: "Minimize the admission of containers with added capabilities (Automated)"
        type: "manual"
        remediation: |
          Ensure that `allowedCapabilities` is not present in policies for the cluster unless
          it is set to an empty array.
        scored: false

      - id: 5.2.10
        text: "Minimize the admission of containers with capabilities assigned (Manual)"
        type: "manual"
        remediation: |
          Review the use of capabilities in applications running on your cluster. Where a namespace
          contains applications which do not require any Linux capabilities to operate, consider adding
          a policy which forbids the admission of containers which do not drop all capabilities.
        scored: false

      - id: 5.2.11
        text: "Minimize the admission of Windows HostProcess containers (Manual)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of containers that have `.securityContext.windowsOptions.hostProcess` set to `true`.
        scored: false

      - id: 5.2.12
        text: "Minimize the admission of HostPath volumes (Manual)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of containers with `hostPath` volumes.
        scored: false

      - id: 5.2.13
        text: "Minimize the admission of containers which use HostPorts (Manual)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of containers which use `hostPort` sections.
        scored: false

  - id: 5.3
    text: "Network Policies and CNI"
    checks:
      - id: 5.3.1
        text: "Ensure that the CNI in use supports NetworkPolicies (Manual)"
        type: "manual"
        remediation: |
          If the CNI plugin in use does not support network policies, consideration should be given to
          making use of a different plugin, or finding an alternate mechanism for restricting traffic
          in the Kubernetes cluster.
        scored: false

      - id: 5.3.2
        text: "Ensure that all Namespaces have NetworkPolicies defined (Manual)"
        type: "skip"
        remediation: |
          Follow the documentation and create NetworkPolicy objects as you need them.
        scored: false

  - id: 5.4
    text: "Secrets Management"
    checks:
      - id: 5.4.1
        text: "Prefer using Secrets as files over Secrets as environment variables (Manual)"
        type: "manual"
        remediation: |
          If possible, rewrite application code to read Secrets from mounted secret files, rather than
          from environment variables.
        scored: false

      - id: 5.4.2
        text: "Consider external secret storage (Manual)"
        type: "manual"
        remediation: |
          Refer to the Secrets management options offered by your cloud provider or a third-party
          secrets management solution.
        scored: false

  - id: 5.5
    text: "Extensible Admission Control"
    checks:
      - id: 5.5.1
        text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
        type: "manual"
        remediation: |
          Follow the Kubernetes documentation and setup image provenance.
        scored: false

  - id: 5.7
    text: "General Policies"
    checks:
      - id: 5.7.1
        text: "Create administrative boundaries between resources using namespaces (Manual)"
        type: "manual"
        remediation: |
          Follow the documentation and create namespaces for objects in your deployment as you need
          them.
        scored: false

      - id: 5.7.2
        text: "Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"
        type: "manual"
        remediation: |
          Use `securityContext` to enable the runtime default seccomp profile (`RuntimeDefault`, the
          `seccompProfile` field form of the legacy `docker/default` / `runtime/default` annotation
          value) in your pod definitions. An example is as below:
          securityContext:
            seccompProfile:
              type: RuntimeDefault
        scored: false

      - id: 5.7.3
        text: "Apply SecurityContext to your Pods and Containers (Manual)"
        type: "manual"
        remediation: |
          Follow the Kubernetes documentation and apply SecurityContexts to your Pods. For a
          suggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker
          Containers.
        scored: false

      - id: 5.7.4
        text: "The default namespace should not be used (Manual)"
        type: "skip"
        remediation: |
          Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
          resources and that all new resources are created in a specific namespace.
        scored: false
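Every check in group 5.1 above is `manual`, so kube-bench reports nothing for them; the reviewer has to pull the RBAC objects and read them. The script below is an added example (not part of kube-bench or this config file) that does that pass offline over the `items` list from `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json`. It covers 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.7 and 5.1.8; the object list `SAMPLE_ITEMS` is constructed to exercise each rule and is not a dump from a real cluster. Built-in roles such as `cluster-admin` will show up in several findings and need triage rather than deletion, and 5.1.7 can only see explicit bindings to `system:masters`, since group membership itself comes from the authenticator (for example the `O=` field of a client certificate).

```python
"""Offline pass over RBAC objects for the manual checks in CIS 5.1: bindings to
cluster-admin (5.1.1), read access to Secrets (5.1.2), wildcard rules (5.1.3),
pod creation (5.1.4), explicit use of system:masters (5.1.7) and the
bind/impersonate/escalate verbs (5.1.8).

Input is the `items` list produced by
  kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json
SAMPLE_ITEMS is a constructed stand-in for that output, not a real cluster."""

SAMPLE_ITEMS = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "view-pods"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "deployer", "namespace": "apps"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "delete"]},
               {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles"], "verbs": ["bind"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "masters"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "RoleBinding", "metadata": {"name": "viewers", "namespace": "apps"},
     "roleRef": {"kind": "ClusterRole", "name": "view-pods"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

ESCALATION_VERBS = {"bind", "escalate", "impersonate"}


def _ident(obj):
    """Kind/name, with @namespace for namespaced objects."""
    meta = obj["metadata"]
    return f"{obj['kind']}/{meta['name']}" + (f"@{meta['namespace']}" if meta.get("namespace") else "")


def _subject(s):
    """Kind:name, with a namespace/ prefix for ServiceAccounts."""
    prefix = s["namespace"] + "/" if s.get("namespace") else ""
    return f"{s['kind']}:{prefix}{s['name']}"


def _grants(rule, resource, verbs):
    """True if the rule grants any of `verbs` on `resource`; '*' matches everything."""
    res, have = set(rule.get("resources", [])), set(rule.get("verbs", []))
    return ("*" in res or resource in res) and ("*" in have or bool(have & set(verbs)))


def audit_rbac(items):
    """Return {cis_check_id: sorted findings}. Built-in roles such as cluster-admin
    appear here too; they need triage, not removal."""
    found = {k: set() for k in ("5.1.1", "5.1.2", "5.1.3", "5.1.4", "5.1.7", "5.1.8")}
    for obj in items:
        kind, name = obj["kind"], _ident(obj)
        if kind in ("Role", "ClusterRole"):
            for rule in obj.get("rules", []):
                verbs = set(rule.get("verbs", []))
                if "*" in rule.get("apiGroups", []) + rule.get("resources", []) + list(verbs):
                    found["5.1.3"].add(name)
                if _grants(rule, "secrets", ("get", "list", "watch")):
                    found["5.1.2"].add(name)
                if _grants(rule, "pods", ("create",)):
                    found["5.1.4"].add(name)
                if "*" in verbs or verbs & ESCALATION_VERBS:
                    found["5.1.8"].add(name)
        elif kind in ("RoleBinding", "ClusterRoleBinding"):
            subjects = [_subject(s) for s in obj.get("subjects", [])]
            ref = obj["roleRef"]
            if ref.get("kind") == "ClusterRole" and ref["name"] == "cluster-admin":
                found["5.1.1"].update(f"{name} -> {s}" for s in subjects)
            # Membership of system:masters is decided by the authenticator (e.g. the
            # O= field of a client certificate), not by RBAC objects; only explicit
            # bindings are visible here, so issued certificates need a separate review.
            found["5.1.7"].update(f"{name} -> {s}" for s in subjects if s == "Group:system:masters")
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    for check, hits in audit_rbac(SAMPLE_ITEMS).items():
        print(check, hits or "no findings")
```

To run it against a live cluster, load the JSON from kubectl and pass `data["items"]` to `audit_rbac`. Findings for 5.1.2, 5.1.4 and 5.1.8 are reported per Role/ClusterRole; follow the bindings that reference each flagged role to see which subjects actually hold the permission before deciding what to remove.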
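The 5.2 checks, 5.7.2 and 5.1.6 are likewise `manual` or `skip` in this profile, so nothing enforces them unless a Pod Security Admission level or an external policy engine is configured (5.2.1). The function below is an added example, not code from kube-bench or this config file: it applies the same pod-level rules to a Pod manifest (as a Python dict with the structure of the YAML) so they can be run over manifests in a repository before they reach the cluster. The rules follow the Pod Security Standards `restricted` profile, the usual way to satisfy this group; `WEAK_POD` and `HARDENED_POD` are constructed samples, and `registry.example/web:1.0` is a placeholder image.

```python
"""Evaluate a Pod manifest against the pod-level rules behind CIS 5.2.x, 5.7.2 and
5.1.6, returning (check id, detail) violations. Mirrors the Pod Security Standards
'restricted' profile; both manifests below are constructed samples."""

WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug", "namespace": "default"},
    "spec": {
        "hostNetwork": True, "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell", "image": "registry.example/busybox:1.36",
            "securityContext": {"privileged": True,
                                "capabilities": {"add": ["NET_RAW", "SYS_ADMIN"]}},
            "ports": [{"containerPort": 8080, "hostPort": 8080}],
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "apps"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web", "image": "registry.example/web:1.0",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
            "ports": [{"containerPort": 8080}],
        }],
    },
}


def _containers(spec):
    """Every container that runs in the pod, including init and ephemeral ones."""
    return spec.get("initContainers", []) + spec.get("containers", []) + spec.get("ephemeralContainers", [])


def check_pod(pod):
    """Return a list of (cis_check_id, detail) tuples; an empty list means the pod passes."""
    spec = pod["spec"]
    psc = spec.get("securityContext", {})
    v = []
    for key, cid in (("hostPID", "5.2.3"), ("hostIPC", "5.2.4"), ("hostNetwork", "5.2.5")):
        if spec.get(key):
            v.append((cid, key))
    if psc.get("windowsOptions", {}).get("hostProcess"):
        v.append(("5.2.11", "windowsOptions.hostProcess"))
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            v.append(("5.2.12", f"hostPath volume {vol['name']}"))
    # Unset at pod level means the ServiceAccount's own setting decides; flag for review.
    if spec.get("automountServiceAccountToken") is not False:
        v.append(("5.1.6", "automountServiceAccountToken not false"))
    for c in _containers(spec):
        csc, cn = c.get("securityContext", {}), c["name"]
        if csc.get("privileged"):
            v.append(("5.2.2", f"{cn}: privileged"))
        # Defaults to true when omitted, so only an explicit false passes.
        if csc.get("allowPrivilegeEscalation") is not False:
            v.append(("5.2.6", f"{cn}: allowPrivilegeEscalation not false"))
        # Container-level settings override pod-level ones for these fields.
        non_root = csc.get("runAsNonRoot", psc.get("runAsNonRoot", False))
        uid = csc.get("runAsUser", psc.get("runAsUser"))
        if uid == 0 or (uid is None and not non_root):
            v.append(("5.2.7", f"{cn}: may run as root"))
        caps = csc.get("capabilities", {})
        added, dropped = set(caps.get("add", [])), set(caps.get("drop", []))
        # Runtimes grant NET_RAW by default, so it is present unless dropped (or ALL is).
        if "NET_RAW" in added or not (dropped & {"ALL", "NET_RAW"}):
            v.append(("5.2.8", f"{cn}: NET_RAW available"))
        if added:
            v.append(("5.2.9", f"{cn}: adds {sorted(added)}"))
        if "ALL" not in dropped:
            v.append(("5.2.10", f"{cn}: does not drop ALL capabilities"))
        for p in c.get("ports", []):
            if p.get("hostPort"):
                v.append(("5.2.13", f"{cn}: hostPort {p['hostPort']}"))
        prof = csc.get("seccompProfile", psc.get("seccompProfile", {})).get("type")
        if prof not in ("RuntimeDefault", "Localhost"):
            v.append(("5.7.2", f"{cn}: seccompProfile is {prof}"))
    return v


def failing_checks(pod):
    """Sorted, de-duplicated check ids the pod violates."""
    return sorted({cid for cid, _ in check_pod(pod)})


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], failing_checks(pod) or "passes")
```

For Deployments, DaemonSets and similar objects, pass `{"metadata": ..., "spec": obj["spec"]["template"]["spec"]}` so the pod template is what gets checked. This is a static review of one manifest; it does not replace an admission control (5.2.1), which also catches pods created by controllers and `kubectl run` at runtime.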