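# cfg/rke-cis-1.7/node.yaml
#
# kube-bench worker-node checks (CIS section 4) for Rancher RKE clusters.
# Checks marked `type: "skip"` are ones RKE cannot satisfy or does not need;
# each such remediation records why ("Not Applicable" / "Permissive") so the
# report explains the skip. `$kubeletsvc`, `$kubeletconf`, `$kubeletbin`,
# `$proxykubeconfig` and `$kubeletkubeconfig` are substituted by kube-bench
# from its config before the audit command runs.
---
controls:
  version: "rke-cis-1.7"
  id: 4
  text: "Worker Node Security Configuration"
  type: "node"
  groups:
    - id: 4.1
      text: "Worker Node Configuration Files"
      checks:
        - id: 4.1.1
          text: "Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)"
          # Skipped: RKE runs the kubelet as a container and passes its
          # configuration as run-time arguments, so there is no service file.
          type: "skip"
          audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
          tests:
            test_items:
              - flag: "permissions"
                compare:
                  op: bitmask
                  value: "600"
          remediation: |
            Run the below command (based on the file location on your system) on each worker node.
            For example, chmod 600 $kubeletsvc
            Not Applicable - Clusters provisioned by RKE do not require or maintain a configuration file for the kubelet service.
            All configuration is passed in as arguments at container run time.
          scored: true

        - id: 4.1.2
          text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
          # Skipped for the same reason as 4.1.1 (no kubelet service file on RKE).
          type: "skip"
          audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' '
          tests:
            test_items:
              - flag: root:root
          remediation: |
            Run the below command (based on the file location on your system) on each worker node.
            For example,
            chown root:root $kubeletsvc
            Not Applicable - Clusters provisioned by RKE do not require or maintain a configuration file for the kubelet service.
            All configuration is passed in as arguments at container run time.
          scored: true

        - id: 4.1.3
          text: "If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)"
          # The audit only emits output when the file exists; the kubeconfig
          # carries kube-proxy's credentials, hence the 600 bitmask.
          audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
          tests:
            bin_op: or
            test_items:
              - flag: "permissions"
                set: true
                compare:
                  op: bitmask
                  value: "600"
          remediation: |
            Run the below command (based on the file location on your system) on each worker node.
            For example,
            chmod 600 $proxykubeconfig
          scored: true

        - id: 4.1.4
          text: "If proxy kubeconfig file exists ensure ownership is set to root:root (Automated)"
          audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
          tests:
            bin_op: or
            test_items:
              - flag: root:root
          remediation: |
            Run the below command (based on the file location on your system) on each worker node.
            For example, chown root:root $proxykubeconfig
          scored: true

        - id: 4.1.5
          text: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)"
          # The kubelet kubeconfig holds the node's API-server client credentials.
          audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
          tests:
            test_items:
              - flag: "permissions"
                compare:
                  op: bitmask
                  value: "600"
          remediation: |
            Run the below command (based on the file location on your system) on each worker node.
            For example,
            chmod 600 $kubeletkubeconfig
          scored: true

        - id: 4.1.6
          text: "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)"
          audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
          tests:
            test_items:
              - flag: root:root
          remediation: |
            Run the below command (based on the file location on your system) on each worker node.
            For example,
            chown root:root $kubeletkubeconfig
          scored: true

        - id: 4.1.7
          text: "Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)"
          # RKE places the cluster CA at a fixed path, so this audit uses it
          # directly rather than a $-variable, and has no `test -e` guard.
          audit: "stat -c permissions=%a /node/etc/kubernetes/ssl/kube-ca.pem"
          tests:
            test_items:
              - flag: "permissions"
                compare:
                  op: bitmask
                  value: "600"
          remediation: |
            Run the following command to modify the file permissions of the
            --client-ca-file chmod 600 <filename>
          scored: true

        - id: 4.1.8
          text: "Ensure that the client certificate authorities file ownership is set to root:root (Automated)"
          audit: "stat -c %U:%G /node/etc/kubernetes/ssl/kube-ca.pem"
          tests:
            test_items:
              - flag: root:root
                compare:
                  op: eq
                  value: root:root
          remediation: |
            Run the following command to modify the ownership of the --client-ca-file.
            chown root:root <filename>
          scored: true

        - id: 4.1.9
          text: "If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)"
          # Skipped: RKE does not use a kubelet config file (see remediation).
          type: "skip"
          audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
          tests:
            test_items:
              - flag: "permissions"
                compare:
                  op: bitmask
                  value: "600"
          remediation: |
            Run the following command (using the config file location identified in the Audit step)
            chmod 600 $kubeletconf
            Not Applicable - Clusters provisioned by RKE do not require or maintain a configuration file for the kubelet.
            All configuration is passed in as arguments at container run time.
          scored: true

        - id: 4.1.10
          text: "If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root (Manual)"
          type: "skip"
          audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
          tests:
            test_items:
              - flag: root:root
          remediation: |
            Run the following command (using the config file location identified in the Audit step)
            chown root:root $kubeletconf
            Not Applicable - Clusters provisioned by RKE do not require or maintain a configuration file for the kubelet.
            All configuration is passed in as arguments at container run time.
          scored: false

    - id: 4.2
      text: "Kubelet"
      # Each check below inspects the running kubelet command line (`audit`)
      # and, when a config file exists, its contents (`audit_config`); the
      # `path` JSONPath selects the equivalent config-file field for `flag`.
      checks:
        - id: 4.2.1
          text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
          # Anonymous requests to the kubelet API must be rejected; unlike most
          # checks below, an unset value does not pass here.
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
          tests:
            test_items:
              - flag: "--anonymous-auth"
                path: '{.authentication.anonymous.enabled}'
                compare:
                  op: eq
                  value: false
          remediation: |
            If using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to
            `false`.
            If using executable arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
            `--anonymous-auth=false`
            Based on your system, restart the kubelet service. For example,
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: true

        - id: 4.2.2
          text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
          tests:
            test_items:
              - flag: --authorization-mode
                path: '{.authorization.mode}'
                compare:
                  op: nothave
                  value: AlwaysAllow
          remediation: |
            If using a Kubelet config file, edit the file to set `authorization.mode` to Webhook. If
            using executable arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the below parameter in KUBELET_AUTHZ_ARGS variable.
            --authorization-mode=Webhook
            Based on your system, restart the kubelet service. For example,
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: true

        - id: 4.2.3
          text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
          # Presence check only: the CA file itself is covered by 4.1.7/4.1.8.
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
          tests:
            test_items:
              - flag: --client-ca-file
                path: '{.authentication.x509.clientCAFile}'
          remediation: |
            If using a Kubelet config file, edit the file to set `authentication.x509.clientCAFile` to
            the location of the client CA file.
            If using command line arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the below parameter in KUBELET_AUTHZ_ARGS variable.
            --client-ca-file=<path/to/client-ca-file>
            Based on your system, restart the kubelet service. For example,
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: true

        - id: 4.2.4
          text: "Verify that the --read-only-port argument is set to 0 (Automated)"
          # Passes when the unauthenticated read-only port is explicitly 0 or
          # left unset (the second item relies on the kubelet default of 0).
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
          tests:
            bin_op: or
            test_items:
              - flag: "--read-only-port"
                path: '{.readOnlyPort}'
                compare:
                  op: eq
                  value: 0
              - flag: "--read-only-port"
                path: '{.readOnlyPort}'
                set: false
          remediation: |
            If using a Kubelet config file, edit the file to set `readOnlyPort` to 0.
            If using command line arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
            --read-only-port=0
            Based on your system, restart the kubelet service. For example,
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: true

        - id: 4.2.5
          text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
          # A timeout of 0 disables idle-connection cleanup for exec/attach/port-forward streams.
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
          tests:
            bin_op: or
            test_items:
              - flag: --streaming-connection-idle-timeout
                path: '{.streamingConnectionIdleTimeout}'
                compare:
                  op: noteq
                  value: 0
              - flag: --streaming-connection-idle-timeout
                path: '{.streamingConnectionIdleTimeout}'
                set: false
          remediation: |
            If using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a
            value other than 0.
            If using command line arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
            --streaming-connection-idle-timeout=5m
            Based on your system, restart the kubelet service. For example,
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: false

        - id: 4.2.6
          text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
          tests:
            bin_op: or
            test_items:
              - flag: --make-iptables-util-chains
                path: '{.makeIPTablesUtilChains}'
                compare:
                  op: eq
                  value: true
              - flag: --make-iptables-util-chains
                path: '{.makeIPTablesUtilChains}'
                set: false
          remediation: |
            If using a Kubelet config file, edit the file to set `makeIPTablesUtilChains` to `true`.
            If using command line arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            remove the --make-iptables-util-chains argument from the
            KUBELET_SYSTEM_PODS_ARGS variable.
            Based on your system, restart the kubelet service. For example:
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: true

        - id: 4.2.7
          text: "Ensure that the --hostname-override argument is not set (Manual)"
          # This is one of those properties that can only be set as a command line argument.
          # To check if the property is set as expected, we need to parse the kubelet command
          # instead of reading the Kubelet Configuration file.
          # Skipped on RKE, which sets the override itself (see remediation).
          type: "skip"
          audit: "/bin/ps -fC $kubeletbin "
          tests:
            test_items:
              - flag: --hostname-override
                set: false
          remediation: |
            Edit the kubelet service file $kubeletsvc
            on each worker node and remove the --hostname-override argument from the
            KUBELET_SYSTEM_PODS_ARGS variable.
            Based on your system, restart the kubelet service. For example,
            systemctl daemon-reload
            systemctl restart kubelet.service
            Not Applicable - Clusters provisioned by RKE set the --hostname-override to avoid any hostname configuration errors
          scored: false

        - id: 4.2.8
          text: "Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)"
          # `gte 0` only confirms the value is non-negative (0 means no event
          # rate limit in the kubelet); whether the level is appropriate is
          # the reviewer's judgement, which is why the check is Manual.
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
          tests:
            bin_op: or
            test_items:
              - flag: --event-qps
                path: '{.eventRecordQPS}'
                compare:
                  op: gte
                  value: 0
              - flag: --event-qps
                path: '{.eventRecordQPS}'
                set: false
          remediation: |
            If using a Kubelet config file, edit the file to set `eventRecordQPS` to an appropriate level.
            If using command line arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
            --event-qps=<appropriate level>
            Based on your system, restart the kubelet service. For example,
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: false

        - id: 4.2.9
          text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
          # Skipped ("Permissive"): see the remediation for the RKE rationale.
          type: "skip"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
          tests:
            test_items:
              - flag: --tls-cert-file
                path: '{.tlsCertFile}'
              - flag: --tls-private-key-file
                path: '{.tlsPrivateKeyFile}'
          remediation: |
            If using a Kubelet config file, edit the file to set `tlsCertFile` to the location
            of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile`
            to the location of the corresponding private key file.
            If using command line arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
            --tls-cert-file=<path/to/tls-certificate-file>
            --tls-private-key-file=<path/to/tls-key-file>
            Based on your system, restart the kubelet service. For example,
            systemctl daemon-reload
            systemctl restart kubelet.service
            Permissive - When generating serving certificates, functionality could break in conjunction with hostname overrides which are required for certain cloud providers.
          scored: false

        - id: 4.2.10
          text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
          # Explicit `true` or unset both pass; only an explicit `false` fails.
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
          tests:
            bin_op: or
            test_items:
              - flag: --rotate-certificates
                path: '{.rotateCertificates}'
                compare:
                  op: eq
                  value: true
              - flag: --rotate-certificates
                path: '{.rotateCertificates}'
                set: false
          remediation: |
            If using a Kubelet config file, edit the file to set `rotateCertificates` to `true` or
            remove it altogether to use the default value.
            If using command line arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
            variable.
            Based on your system, restart the kubelet service. For example,
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: true

        - id: 4.2.11
          text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
          # Skipped: RKE manages kubelet serving-certificate rotation itself (see remediation).
          type: "skip"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
          tests:
            bin_op: or
            test_items:
              - flag: RotateKubeletServerCertificate
                path: '{.featureGates.RotateKubeletServerCertificate}'
                compare:
                  op: nothave
                  value: false
              - flag: RotateKubeletServerCertificate
                path: '{.featureGates.RotateKubeletServerCertificate}'
                set: false
          remediation: |
            Edit the kubelet service file $kubeletsvc
            on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
            --feature-gates=RotateKubeletServerCertificate=true
            Based on your system, restart the kubelet service. For example:
            systemctl daemon-reload
            systemctl restart kubelet.service
            Not Applicable - Clusters provisioned by RKE handle certificate rotation directly through RKE.
          scored: false

        - id: 4.2.12
          text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Automated)"
          # `valid_elements` passes only when every configured suite is in the
          # allow-list below, which mirrors the CIS benchmark. Note the list
          # still admits the two TLS_RSA_* suites (RSA key exchange, no forward
          # secrecy); operators wanting PFS-only may configure an ECDHE subset.
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
          tests:
            test_items:
              - flag: --tls-cipher-suites
                path: '{range .tlsCipherSuites[:]}{}{'',''}{end}'
                compare:
                  op: valid_elements
                  value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          remediation: |
            If using a Kubelet config file, edit the file to set `TLSCipherSuites` to
            TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
            or to a subset of these values.
            If using executable arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the --tls-cipher-suites parameter as follows, or to a subset of these values.
            --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
            Based on your system, restart the kubelet service. For example:
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: true

        - id: 4.2.13
          text: "Ensure that a limit is set on pod PIDs (Manual)"
          # Presence check only; no compare, so any configured limit passes.
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
          tests:
            test_items:
              - flag: --pod-max-pids
                path: '{.podPidsLimit}'
          remediation: |
            Decide on an appropriate level for this parameter and set it,
            either via the --pod-max-pids command line parameter or the PodPidsLimit configuration file setting.
          scored: false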