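---
# kube-bench checks for the control plane ("master") node, RKE profile of the
# CIS Kubernetes Benchmark 1.7 (cfg/rke-cis-1.7/master.yaml).
#
# Structure: groups -> checks. Each check runs its `audit` command and matches
# the output against `tests.test_items`: `compare` gives an operator/value for a
# flag, `set: false` asserts the flag is absent, `bin_op` combines several items.
# `scored` says whether a failing check counts against the score. `type: "skip"`
# marks checks this profile does not evaluate (the remediation text states the
# reason); `type: manual` marks checks with no automated test.
# `$apiserverbin`, `$apiserverconf`, `$etcdconf`, ... are placeholders that
# kube-bench fills in from its platform config before the audit runs
# (NOTE(review): the substitution table lives outside this file - confirm there).
# `use_multiple_values: true` presumably applies the test to every output line
# (e.g. one stat line per file) instead of to the output as a whole.
# Paths under /node/ appear to be the host filesystem as mounted into the
# kube-bench container - confirm against the deployment manifest.
#
# The bare `controls:` key appears to be the format marker kube-bench's loader
# expects; the document's real keys follow at the same level.
controls:
version: "rke-cis-1.7"
id: 1
text: "Control Plane Security Configuration"
type: "master"
groups:
  - id: 1.1
    text: "Control Plane Node Configuration Files"
    checks:
      # 1.1.1 - 1.1.8 are skipped on RKE: the control plane components run as
      # containers configured by command-line arguments, so there is no static
      # pod manifest on disk to check (see each remediation text).
      - id: 1.1.1
        text: "Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)"
        type: "skip"
        audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the
          control plane node.
          For example, chmod 600 $apiserverconf
          Not Applicable - Cluster provisioned by RKE doesn't require or maintain a configuration file for kube-apiserver.
          All configuration is passed in as arguments at container run time.
        scored: true

      - id: 1.1.2
        text: "Ensure that the API server pod specification file ownership is set to root:root (Automated)"
        type: "skip"
        audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chown root:root $apiserverconf
          Not Applicable - Cluster provisioned by RKE doesn't require or maintain a configuration file for kube-apiserver.
          All configuration is passed in as arguments at container run time.
        scored: true

      - id: 1.1.3
        text: "Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)"
        type: "skip"
        audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        # The "Not Applicable" note names the component this check is about
        # (previously a copy of the kube-apiserver wording).
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chmod 600 $controllermanagerconf
          Not Applicable - Cluster provisioned by RKE doesn't require or maintain a configuration file for kube-controller-manager.
          All configuration is passed in as arguments at container run time.
        scored: true

      - id: 1.1.4
        text: "Ensure that the controller manager pod specification file ownership is set to root:root (Automated)"
        type: "skip"
        audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chown root:root $controllermanagerconf
          Not Applicable - Cluster provisioned by RKE doesn't require or maintain a configuration file for kube-controller-manager.
          All configuration is passed in as arguments at container run time.
        scored: true

      - id: 1.1.5
        text: "Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)"
        type: "skip"
        audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chmod 600 $schedulerconf
          Not Applicable - Cluster provisioned by RKE doesn't require or maintain a configuration file for kube-scheduler.
          All configuration is passed in as arguments at container run time.
        scored: true

      - id: 1.1.6
        text: "Ensure that the scheduler pod specification file ownership is set to root:root (Automated)"
        type: "skip"
        audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chown root:root $schedulerconf
          Not Applicable - Cluster provisioned by RKE doesn't require or maintain a configuration file for kube-scheduler.
          All configuration is passed in as arguments at container run time.
        scored: true

      - id: 1.1.7
        text: "Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)"
        type: "skip"
        # NOTE(review): the inner '*etcd*' quotes close and reopen the sh -c string,
        # so the glob reaches find unquoted; this appears to work only because the
        # outer shell passes a non-matching glob through literally. Kept as-is
        # since the check is skipped on this profile.
        audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c permissions=%a; fi'"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chmod 600 $etcdconf
          Not Applicable - Cluster provisioned by RKE doesn't require or maintain a configuration file for etcd.
          All configuration is passed in as arguments at container run time.
        scored: true

      - id: 1.1.8
        text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)"
        type: "skip"
        audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c %U:%G; fi'"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chown root:root $etcdconf
          Not Applicable - Cluster provisioned by RKE doesn't require or maintain a configuration file for etcd.
          All configuration is passed in as arguments at container run time.
        scored: true

      - id: 1.1.9
        text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)"
        # Two sources: the directory named by the kubelet's --cni-conf-dir flag
        # (derived from the process list) and /var/lib/cni/networks. Nothing is
        # reported when the kubelet has no --cni-conf-dir argument.
        audit: |
          ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c permissions=%a
          find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a
        use_multiple_values: true
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chmod 600 <path/to/cni/files>
        scored: false

      - id: 1.1.10
        text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
        audit: |
          ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G
          find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
        use_multiple_values: true
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chown root:root <path/to/cni/files>
        scored: false

      - id: 1.1.11
        text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
        # Fixed path rather than the --data-dir flag: the check passes only on an
        # exact "700" (op: eq), unlike the bitmask checks above.
        audit: "stat -c %a /node/var/lib/etcd"
        tests:
          test_items:
            - flag: "700"
              compare:
                op: eq
                value: "700"
              set: true
        remediation: |
          On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
          from the command 'ps -ef | grep etcd'.
          Run the below command (based on the etcd data directory found above). For example,
          chmod 700 /var/lib/etcd
        scored: true

      - id: 1.1.12
        text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
        type: "skip"
        audit: "stat -c %U:%G /node/var/lib/etcd"
        tests:
          test_items:
            - flag: "etcd:etcd"
              set: true
        remediation: |
          On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
          from the command 'ps -ef | grep etcd'.
          Run the below command (based on the etcd data directory found above).
          For example, chown etcd:etcd /var/lib/etcd
          Permissive - A system service account is required for etcd data directory ownership.
          Refer to Rancher's hardening guide for more details on how to configure this ownership.
        scored: true

      - id: 1.1.13
        text: "Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)"
        type: "skip"
        audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions=%a /etc/kubernetes/admin.conf; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chmod 600 /etc/kubernetes/admin.conf
          Not Applicable - Cluster provisioned by RKE does not store the kubernetes default kubeconfig credentials file on the nodes.
        scored: true

      - id: 1.1.14
        text: "Ensure that the admin.conf file ownership is set to root:root (Automated)"
        type: "skip"
        audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %U:%G /etc/kubernetes/admin.conf; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example, chown root:root /etc/kubernetes/admin.conf
          Not Applicable - Cluster provisioned by RKE does not store the kubernetes default kubeconfig credentials file on the nodes.
        scored: true

      - id: 1.1.15
        text: "Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)"
        type: "skip"
        audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c permissions=%a $schedulerkubeconfig; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chmod 600 $schedulerkubeconfig
          Not Applicable - Cluster provisioned by RKE doesn't require or maintain a configuration file for scheduler.
          All configuration is passed in as arguments at container run time.
        scored: true

      - id: 1.1.16
        text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
        type: "skip"
        audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c %U:%G $schedulerkubeconfig; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chown root:root $schedulerkubeconfig
          Not Applicable - Cluster provisioned by RKE doesn't require or maintain a configuration file for scheduler.
          All configuration is passed in as arguments at container run time.
        scored: true

      - id: 1.1.17
        text: "Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)"
        type: "skip"
        audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chmod 600 $controllermanagerkubeconfig
          Not Applicable - Cluster provisioned by RKE doesn't require or maintain a configuration file for controller-manager.
          All configuration is passed in as arguments at container run time.
        scored: true

      - id: 1.1.18
        text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
        type: "skip"
        audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c %U:%G $controllermanagerkubeconfig; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chown root:root $controllermanagerkubeconfig
          Not Applicable - Cluster provisioned by RKE doesn't require or maintain a configuration file for controller-manager.
          All configuration is passed in as arguments at container run time.
        scored: true

      - id: 1.1.19
        text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)"
        # Delegates to a helper script that is expected to print "true" when every
        # file in the directory is root-owned (script source not in this file).
        audit: "check_files_owner_in_dir.sh /node/etc/kubernetes/ssl"
        tests:
          test_items:
            - flag: "true"
              compare:
                op: eq
                value: "true"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          chown -R root:root /etc/kubernetes/pki/
        scored: true

      - id: 1.1.20
        text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)"
        # Certificates only: *key.pem files are excluded here and covered by 1.1.21.
        audit: "find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' | xargs stat -c permissions=%a"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' -exec chmod -R 600 {} +
        scored: false

      - id: 1.1.21
        text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)"
        audit: "find /node/etc/kubernetes/ssl/ -name '*key.pem' | xargs stat -c permissions=%a"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the control plane node.
          For example,
          find /node/etc/kubernetes/ssl/ -name '*key.pem' -exec chmod -R 600 {} +
        scored: false

  - id: 1.2
    text: "API Server"
    # Every check in this group inspects the running kube-apiserver command line.
    checks:
      - id: 1.2.1
        text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--anonymous-auth"
              compare:
                op: eq
                value: false
              set: true
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the below parameter.
          --anonymous-auth=false
        scored: true

      - id: 1.2.2
        text: "Ensure that the --token-auth-file parameter is not set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--token-auth-file"
              set: false
        remediation: |
          Follow the documentation and configure alternate mechanisms for authentication. Then,
          edit the API server pod specification file $apiserverconf
          on the control plane node and remove the --token-auth-file=<filename> parameter.
        scored: true

      - id: 1.2.3
        # Benchmark title is misleading: DenyServiceExternalIPs is an admission
        # plugin, not a flag, so the test inspects --enable-admission-plugins and
        # also passes when that flag is absent.
        text: "Ensure that the --DenyServiceExternalIPs is not set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: nothave
                value: "DenyServiceExternalIPs"
              set: true
            - flag: "--enable-admission-plugins"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and remove the `DenyServiceExternalIPs`
          from enabled admission plugins.
        scored: true

      - id: 1.2.4
        text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: and
          test_items:
            - flag: "--kubelet-client-certificate"
            - flag: "--kubelet-client-key"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection between the
          apiserver and kubelets. Then, edit API server pod specification file
          $apiserverconf on the control plane node and set the
          kubelet client certificate and key parameters as below.
          --kubelet-client-certificate=<path/to/client-certificate-file>
          --kubelet-client-key=<path/to/client-key-file>
        scored: true

      - id: 1.2.5
        text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"
        # Skipped: without this flag the apiserver does not verify kubelet serving
        # certificates; the profile accepts that trade-off (see remediation text).
        type: "skip"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--kubelet-certificate-authority"
              set: true
        remediation: |
          Follow the Kubernetes documentation and setup the TLS connection between
          the apiserver and kubelets. Then, edit the API server pod specification file
          $apiserverconf on the control plane node and set the
          --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.
          --kubelet-certificate-authority=<ca-string>
          Permissive - When generating serving certificates, functionality could break in conjunction with hostname overrides which are required for certain cloud providers.
        scored: true

      - id: 1.2.6
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--authorization-mode"
              compare:
                op: nothave
                value: "AlwaysAllow"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --authorization-mode parameter to values other than AlwaysAllow.
          One such example could be as below.
          --authorization-mode=RBAC
        scored: true

      - id: 1.2.7
        text: "Ensure that the --authorization-mode argument includes Node (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--authorization-mode"
              compare:
                op: has
                value: "Node"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --authorization-mode parameter to a value that includes Node.
          --authorization-mode=Node,RBAC
        scored: true

      - id: 1.2.8
        text: "Ensure that the --authorization-mode argument includes RBAC (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--authorization-mode"
              compare:
                op: has
                value: "RBAC"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --authorization-mode parameter to a value that includes RBAC,
          for example `--authorization-mode=Node,RBAC`.
        scored: true

      - id: 1.2.9
        text: "Ensure that the admission control plugin EventRateLimit is set (Manual)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "EventRateLimit"
        remediation: |
          Follow the Kubernetes documentation and set the desired limits in a configuration file.
          Then, edit the API server pod specification file $apiserverconf
          and set the below parameters.
          --enable-admission-plugins=...,EventRateLimit,...
          --admission-control-config-file=<path/to/configuration/file>
        scored: false

      - id: 1.2.10
        text: "Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: nothave
                value: "AlwaysAdmit"
            - flag: "--enable-admission-plugins"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and either remove the --enable-admission-plugins parameter, or set it to a
          value that does not include AlwaysAdmit.
        scored: true

      - id: 1.2.11
        text: "Ensure that the admission control plugin AlwaysPullImages is set (Manual)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "AlwaysPullImages"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --enable-admission-plugins parameter to include
          AlwaysPullImages.
          --enable-admission-plugins=...,AlwaysPullImages,...
        scored: false

      - id: 1.2.12
        text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"
        type: "skip"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "SecurityContextDeny"
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "PodSecurityPolicy"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --enable-admission-plugins parameter to include
          SecurityContextDeny, unless PodSecurityPolicy is already in place.
          --enable-admission-plugins=...,SecurityContextDeny,...
          Permissive - Enabling Pod Security Policy can cause applications to unexpectedly fail.
        scored: false

      # 1.2.13 / 1.2.14: ServiceAccount and NamespaceLifecycle are default-on
      # plugins, so the check is that they are not listed in
      # --disable-admission-plugins (or that the flag is absent).
      - id: 1.2.13
        text: "Ensure that the admission control plugin ServiceAccount is set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--disable-admission-plugins"
              compare:
                op: nothave
                value: "ServiceAccount"
            - flag: "--disable-admission-plugins"
              set: false
        remediation: |
          Follow the documentation and create ServiceAccount objects as per your environment.
          Then, edit the API server pod specification file $apiserverconf
          on the control plane node and ensure that the --disable-admission-plugins parameter is set to a
          value that does not include ServiceAccount.
        scored: true

      - id: 1.2.14
        text: "Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--disable-admission-plugins"
              compare:
                op: nothave
                value: "NamespaceLifecycle"
            - flag: "--disable-admission-plugins"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --disable-admission-plugins parameter to
          ensure it does not include NamespaceLifecycle.
        scored: true

      - id: 1.2.15
        text: "Ensure that the admission control plugin NodeRestriction is set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "NodeRestriction"
        remediation: |
          Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets.
          Then, edit the API server pod specification file $apiserverconf
          on the control plane node and set the --enable-admission-plugins parameter to a
          value that includes NodeRestriction.
          --enable-admission-plugins=...,NodeRestriction,...
        scored: true

      - id: 1.2.16
        # Still scored here even though the benchmark itself marks it obsolete.
        text: "Ensure that the --secure-port argument is not set to 0 - Note: This recommendation is obsolete and will be deleted per the consensus process (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--secure-port"
              compare:
                op: gt
                value: 0
            - flag: "--secure-port"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and either remove the --secure-port parameter or
          set it to a different (non-zero) desired port.
        scored: true

      - id: 1.2.17
        text: "Ensure that the --profiling argument is set to false (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--profiling"
              compare:
                op: eq
                value: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the below parameter.
          --profiling=false
        scored: true

      - id: 1.2.18
        text: "Ensure that the --audit-log-path argument is set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--audit-log-path"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --audit-log-path parameter to a suitable path and
          file where you would like audit logs to be written, for example,
          --audit-log-path=/var/log/apiserver/audit.log
        scored: true

      - id: 1.2.19
        text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--audit-log-maxage"
              compare:
                op: gte
                value: 30
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --audit-log-maxage parameter to 30
          or as an appropriate number of days, for example,
          --audit-log-maxage=30
        scored: true

      - id: 1.2.20
        text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--audit-log-maxbackup"
              compare:
                op: gte
                value: 10
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate
          value. For example,
          --audit-log-maxbackup=10
        scored: true

      - id: 1.2.21
        text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--audit-log-maxsize"
              compare:
                op: gte
                value: 100
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB.
          For example, to set it as 100 MB, --audit-log-maxsize=100
        scored: true

      - id: 1.2.22
        text: "Ensure that the --request-timeout argument is set as appropriate (Manual)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        # No test_items: the audit output is shown for a human to judge.
        type: manual
        remediation: |
          Edit the API server pod specification file $apiserverconf
          and set the below parameter as appropriate and if needed.
          For example, --request-timeout=300s
        scored: false

      - id: 1.2.23
        text: "Ensure that the --service-account-lookup argument is set to true (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--service-account-lookup"
              set: false
            - flag: "--service-account-lookup"
              compare:
                op: eq
                value: true
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the below parameter.
          --service-account-lookup=true
          Alternatively, you can delete the --service-account-lookup parameter from this file so
          that the default takes effect.
        scored: true

      - id: 1.2.24
        text: "Ensure that the --service-account-key-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--service-account-key-file"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the --service-account-key-file parameter
          to the public key file for service accounts. For example,
          --service-account-key-file=<filename>
        scored: true

      - id: 1.2.25
        text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: and
          test_items:
            - flag: "--etcd-certfile"
            - flag: "--etcd-keyfile"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.
          Then, edit the API server pod specification file $apiserverconf
          on the control plane node and set the etcd certificate and key file parameters.
          --etcd-certfile=<path/to/client-certificate-file>
          --etcd-keyfile=<path/to/client-key-file>
        scored: true

      - id: 1.2.26
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: and
          test_items:
            - flag: "--tls-cert-file"
            - flag: "--tls-private-key-file"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
          Then, edit the API server pod specification file $apiserverconf
          on the control plane node and set the TLS certificate and private key file parameters.
          --tls-cert-file=<path/to/tls-certificate-file>
          --tls-private-key-file=<path/to/tls-key-file>
        scored: true

      - id: 1.2.27
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--client-ca-file"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
          Then, edit the API server pod specification file $apiserverconf
          on the control plane node and set the client certificate authority file.
          --client-ca-file=<path/to/client-ca-file>
        scored: true

      - id: 1.2.28
        text: "Ensure that the --etcd-cafile argument is set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--etcd-cafile"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.
          Then, edit the API server pod specification file $apiserverconf
          on the control plane node and set the etcd certificate authority file parameter.
          --etcd-cafile=<path/to/ca-file>
        scored: true

      - id: 1.2.29
        text: "Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"
        # Skipped: secrets-at-rest encryption is left to the operator (see remediation).
        type: "skip"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--encryption-provider-config"
        remediation: |
          Follow the Kubernetes documentation and configure a EncryptionConfig file.
          Then, edit the API server pod specification file $apiserverconf
          on the control plane node and set the --encryption-provider-config parameter to the path of that file.
          For example, --encryption-provider-config=</path/to/EncryptionConfig/File>
          Permissive - Enabling encryption changes how data can be recovered as data is encrypted.
        scored: false

      - id: 1.2.30
        text: "Ensure that encryption providers are appropriately configured (Manual)"
        type: "skip"
        # Reads the path from the running apiserver's flag, then inspects only the
        # first provider listed after `providers:` (grep -A1 | tail -n1); later
        # providers in the file are not examined.
        audit: |
          ENCRYPTION_PROVIDER_CONFIG=$(ps -ef | grep $apiserverbin | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\([^ ]*\).*%\1%')
          if test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -A1 'providers:' $ENCRYPTION_PROVIDER_CONFIG | tail -n1 | grep -o "[A-Za-z]*" | sed 's/^/provider=/'; fi
        tests:
          test_items:
            - flag: "provider"
              compare:
                op: valid_elements
                value: "aescbc,kms,secretbox"
        remediation: |
          Follow the Kubernetes documentation and configure a EncryptionConfig file.
          In this file, choose aescbc, kms or secretbox as the encryption provider.
          Permissive - Enabling encryption changes how data can be recovered as data is encrypted.
        scored: false

      - id: 1.2.31
        text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        # NOTE(review): this allow-list mirrors the benchmark text and still admits
        # 3DES (TLS_*_3DES_EDE_CBC_SHA) and non-forward-secret TLS_RSA_* suites; a
        # stricter local policy may want to trim it. Being unscored, a mismatch is
        # reported only as a warning.
        tests:
          test_items:
            - flag: "--tls-cipher-suites"
              compare:
                op: valid_elements
                value: "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384"
        # Uses the $apiserverconf placeholder like every other remediation in this
        # file instead of a hard-coded manifest path that RKE nodes do not have.
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the control plane node and set the below parameter.
          --tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,
          TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
          TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
          TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
          TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
          TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
          TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384
        scored: false

  - id: 1.3
    text: "Controller Manager"
    # Every check in this group inspects the running kube-controller-manager command line.
    checks:
      - id: 1.3.1
        text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          test_items:
            - flag: "--terminated-pod-gc-threshold"
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node and set the --terminated-pod-gc-threshold to an appropriate threshold,
          for example, --terminated-pod-gc-threshold=10
        scored: true

      - id: 1.3.2
        text: "Ensure that the --profiling argument is set to false (Automated)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          test_items:
            - flag: "--profiling"
              compare:
                op: eq
                value: false
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node and set the below parameter.
          --profiling=false
        scored: true

      - id: 1.3.3
        text: "Ensure that the --use-service-account-credentials argument is set to true (Automated)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        # noteq false (rather than eq true) also accepts the flag given without an
        # explicit value; presumably the flag being present is enough - confirm
        # how the comparison treats a bare flag.
        tests:
          test_items:
            - flag: "--use-service-account-credentials"
              compare:
                op: noteq
                value: false
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node to set the below parameter.
          --use-service-account-credentials=true
        scored: true

      - id: 1.3.4
        text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          test_items:
            - flag: "--service-account-private-key-file"
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node and set the --service-account-private-key-file parameter
          to the private key file for service accounts.
          --service-account-private-key-file=<filename>
        scored: true

      - id: 1.3.5
        text: "Ensure that the --root-ca-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          test_items:
            - flag: "--root-ca-file"
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node and set the --root-ca-file parameter to the certificate bundle file`.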
924 --root-ca-file=<path/to/file> 925 scored: true 926 927 - id: 1.3.6 928 text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)" 929 type: "skip" 930 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 931 tests: 932 bin_op: or 933 test_items: 934 - flag: "--feature-gates" 935 compare: 936 op: nothave 937 value: "RotateKubeletServerCertificate=false" 938 set: true 939 - flag: "--feature-gates" 940 set: false 941 remediation: | 942 Edit the Controller Manager pod specification file $controllermanagerconf 943 on the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. 944 --feature-gates=RotateKubeletServerCertificate=true 945 Cluster provisioned by RKE handles certificate rotation directly through RKE. 946 scored: true 947 948 - id: 1.3.7 949 text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" 950 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 951 tests: 952 bin_op: or 953 test_items: 954 - flag: "--bind-address" 955 compare: 956 op: eq 957 value: "127.0.0.1" 958 - flag: "--bind-address" 959 set: false 960 remediation: | 961 Edit the Controller Manager pod specification file $controllermanagerconf 962 on the control plane node and ensure the correct value for the --bind-address parameter 963 scored: true 964 965 - id: 1.4 966 text: "Scheduler" 967 checks: 968 - id: 1.4.1 969 text: "Ensure that the --profiling argument is set to false (Automated)" 970 audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep" 971 tests: 972 test_items: 973 - flag: "--profiling" 974 compare: 975 op: eq 976 value: false 977 remediation: | 978 Edit the Scheduler pod specification file $schedulerconf file 979 on the control plane node and set the below parameter. 
980 --profiling=false 981 scored: true 982 983 - id: 1.4.2 984 text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" 985 audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep" 986 tests: 987 bin_op: or 988 test_items: 989 - flag: "--bind-address" 990 compare: 991 op: eq 992 value: "127.0.0.1" 993 - flag: "--bind-address" 994 set: false 995 remediation: | 996 Edit the Scheduler pod specification file $schedulerconf 997 on the control plane node and ensure the correct value for the --bind-address parameter 998 scored: true