github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/rke2-cis-1.24/master.yaml (about) 1 --- 2 controls: 3 version: "rke2-cis-1.24" 4 id: 1 5 text: "Control Plane Security Configuration" 6 type: "master" 7 groups: 8 - id: 1.1 9 text: "Control Plane Node Configuration Files" 10 checks: 11 - id: 1.1.1 12 text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)" 13 audit: "stat -c permissions=%a /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml" 14 tests: 15 test_items: 16 - flag: "permissions" 17 compare: 18 op: eq 19 value: "644" 20 set: true 21 remediation: | 22 Run the below command (based on the file location on your system) on the 23 control plane node. 24 For example, chmod 644 $apiserverconf 25 scored: true 26 27 - id: 1.1.2 28 text: "Ensure that the API server pod specification file ownership is set to root:root (Automated)" 29 audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'" 30 tests: 31 test_items: 32 - flag: "root:root" 33 compare: 34 op: eq 35 value: "root:root" 36 set: true 37 remediation: | 38 Run the below command (based on the file location on your system) on the control plane node. 39 For example, chown root:root $apiserverconf 40 scored: true 41 42 - id: 1.1.3 43 text: "Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)" 44 audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'" 45 tests: 46 test_items: 47 - flag: "644" 48 compare: 49 op: eq 50 value: "600" 51 set: true 52 remediation: | 53 Run the below command (based on the file location on your system) on the control plane node. 
54 For example, chmod 600 $controllermanagerconf 55 scored: true 56 57 - id: 1.1.4 58 text: "Ensure that the controller manager pod specification file ownership is set to root:root (Automated)" 59 audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'" 60 tests: 61 test_items: 62 - flag: "root:root" 63 compare: 64 op: eq 65 value: "root:root" 66 set: true 67 remediation: | 68 Run the below command (based on the file location on your system) on the control plane node. 69 For example, chown root:root $controllermanagerconf 70 scored: true 71 72 - id: 1.1.5 73 text: "Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)" 74 audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'" 75 tests: 76 test_items: 77 - flag: "600" 78 compare: 79 op: eq 80 value: "600" 81 set: true 82 remediation: | 83 Run the below command (based on the file location on your system) on the control plane node. 84 For example, chmod 600 $schedulerconf 85 scored: true 86 87 - id: 1.1.6 88 text: "Ensure that the scheduler pod specification file ownership is set to root:root (Automated)" 89 audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'" 90 tests: 91 test_items: 92 - flag: "root:root" 93 set: true 94 remediation: | 95 Run the below command (based on the file location on your system) on the control plane node. 
96 For example, chown root:root $schedulerconf 97 scored: true 98 99 - id: 1.1.7 100 text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)" 101 audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c permissions=%a; fi'" 102 use_multiple_values: true 103 tests: 104 test_items: 105 - flag: "permissions" 106 compare: 107 op: bitmask 108 value: "644" 109 remediation: | 110 Run the below command (based on the file location on your system) on the control plane node. 111 For example, 112 chmod 644 $etcdconf 113 scored: true 114 115 - id: 1.1.8 116 text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)" 117 audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'" 118 tests: 119 test_items: 120 - flag: "root:root" 121 compare: 122 op: eq 123 value: "root:root" 124 set: true 125 remediation: | 126 Run the below command (based on the file location on your system) on the control plane node. 127 For example, 128 chown root:root $etcdconf 129 scored: true 130 131 - id: 1.1.9 132 text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)" 133 audit: | 134 ps -fC ${kubeletbin:-kubelet} | grep -- --cni-conf-dir || echo "/etc/cni/net.d" | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c permissions=%a 135 find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a 136 use_multiple_values: true 137 tests: 138 test_items: 139 - flag: "permissions" 140 compare: 141 op: bitmask 142 value: "600" 143 remediation: | 144 Run the below command (based on the file location on your system) on the control plane node. 
145 For example, chmod 600 <path/to/cni/files> 146 scored: false 147 148 - id: 1.1.10 149 text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)" 150 audit: | 151 ps -fC ${kubeletbin:-kubelet} | grep -- --cni-conf-dir || echo "/etc/cni/net.d" | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G 152 find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G 153 use_multiple_values: true 154 tests: 155 test_items: 156 - flag: "root:root" 157 remediation: | 158 Run the below command (based on the file location on your system) on the control plane node. 159 For example, 160 chown root:root <path/to/cni/files> 161 scored: false 162 163 - id: 1.1.11 164 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" 165 audit: "stat -c permissions=%a /var/lib/rancher/rke2/server/db/etcd" 166 tests: 167 test_items: 168 - flag: "permissions" 169 compare: 170 op: bitmask 171 value: "700" 172 set: true 173 remediation: | 174 On the etcd server node, get the etcd data directory, passed as an argument --data-dir, 175 from the command 'ps -ef | grep etcd'. 176 Run the below command (based on the etcd data directory found above). For example, 177 chmod 700 /var/lib/etcd 178 scored: true 179 180 - id: 1.1.12 181 text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" 182 type: "skip" 183 audit: "stat -c %U:%G /var/lib/rancher/rke2/server/db/etcd" 184 tests: 185 test_items: 186 - flag: "etcd:etcd" 187 remediation: | 188 On the etcd server node, get the etcd data directory, passed as an argument --data-dir, 189 from the command 'ps -ef | grep etcd'. 190 Run the below command (based on the etcd data directory found above). 
191 For example, chown etcd:etcd /var/lib/etcd 192 scored: true 193 194 - id: 1.1.13 195 text: "Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)" 196 audit: "stat -c permissions=%a /var/lib/rancher/rke2/server/cred/admin.kubeconfig" 197 tests: 198 test_items: 199 - flag: "permissions" 200 compare: 201 op: bitmask 202 value: "600" 203 set: true 204 remediation: | 205 Run the below command (based on the file location on your system) on the control plane node. 206 For example, chmod 600 /etc/kubernetes/admin.conf 207 scored: true 208 209 - id: 1.1.14 210 text: "Ensure that the admin.conf file ownership is set to root:root (Automated)" 211 audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/admin.kubeconfig" 212 tests: 213 test_items: 214 - flag: "root:root" 215 compare: 216 op: eq 217 value: "root:root" 218 set: true 219 remediation: | 220 Run the below command (based on the file location on your system) on the control plane node. 221 For example, chown root:root /etc/kubernetes/admin.conf 222 scored: true 223 224 - id: 1.1.15 225 text: "Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)" 226 audit: "stat -c %a /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig" 227 tests: 228 test_items: 229 - flag: "600" 230 compare: 231 op: eq 232 value: "600" 233 set: true 234 remediation: | 235 Run the below command (based on the file location on your system) on the control plane node. 236 For example, 237 chmod 600 $schedulerkubeconfig 238 scored: true 239 240 - id: 1.1.16 241 text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)" 242 audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig" 243 tests: 244 test_items: 245 - flag: "root:root" 246 compare: 247 op: eq 248 value: "root:root" 249 set: true 250 remediation: | 251 Run the below command (based on the file location on your system) on the control plane node. 
252 For example, 253 chown root:root $schedulerkubeconfig 254 scored: true 255 256 - id: 1.1.17 257 text: "Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)" 258 audit: "stat -c %a /var/lib/rancher/rke2/server/cred/controller.kubeconfig" 259 tests: 260 test_items: 261 - flag: "600" 262 compare: 263 op: eq 264 value: "600" 265 set: true 266 remediation: | 267 Run the below command (based on the file location on your system) on the control plane node. 268 For example, 269 chmod 600 $controllermanagerkubeconfig 270 scored: true 271 272 - id: 1.1.18 273 text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)" 274 audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/controller.kubeconfig" 275 tests: 276 test_items: 277 - flag: "root:root" 278 compare: 279 op: eq 280 value: "root:root" 281 set: true 282 remediation: | 283 Run the below command (based on the file location on your system) on the control plane node. 284 For example, 285 chown root:root /var/lib/rancher/rke2/server/cred/controller.kubeconfig 286 scored: true 287 288 - id: 1.1.19 289 text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)" 290 audit: "stat -c %U:%G /var/lib/rancher/rke2/server/tls" 291 use_multiple_values: true 292 tests: 293 test_items: 294 - flag: "root:root" 295 compare: 296 op: eq 297 value: "root:root" 298 set: true 299 remediation: | 300 Run the below command (based on the file location on your system) on the control plane node. 
301 For example, 302 chown -R root:root /etc/kubernetes/pki/ 303 scored: true 304 305 - id: 1.1.20 306 text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)" 307 audit: "stat -c permissions=%a /var/lib/rancher/rke2/server/tls/*.crt" 308 use_multiple_values: true 309 tests: 310 test_items: 311 - flag: "permissions" 312 compare: 313 op: bitmask 314 value: "600" 315 set: true 316 remediation: | 317 Run the below command (based on the file location on your system) on the control plane node. 318 For example, 319 chmod -R 600 /var/lib/rancher/rke2/server/tls/*.crt 320 scored: false 321 322 - id: 1.1.21 323 text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)" 324 audit: "stat -c permissions=%a /var/lib/rancher/rke2/server/tls/*.key" 325 use_multiple_values: true 326 tests: 327 test_items: 328 - flag: "permissions" 329 compare: 330 op: eq 331 value: "600" 332 set: true 333 remediation: | 334 Run the below command (based on the file location on your system) on the control plane node. 335 For example, 336 chmod -R 600 /var/lib/rancher/rke2/server/tls/*.key 337 scored: false 338 339 - id: 1.2 340 text: "API Server" 341 checks: 342 - id: 1.2.1 343 text: "Ensure that the --anonymous-auth argument is set to false (Manual)" 344 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 345 type: manual 346 tests: 347 test_items: 348 - flag: "--anonymous-auth" 349 compare: 350 op: eq 351 value: false 352 remediation: | 353 Edit the API server pod specification file $apiserverconf 354 on the control plane node and set the below parameter. 
355 --anonymous-auth=false 356 scored: false 357 358 - id: 1.2.2 359 text: "Ensure that the --token-auth-file parameter is not set (Automated)" 360 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 361 tests: 362 test_items: 363 - flag: "--token-auth-file" 364 set: false 365 remediation: | 366 Follow the documentation and configure alternate mechanisms for authentication. Then, 367 edit the API server pod specification file $apiserverconf 368 on the control plane node and remove the --token-auth-file=<filename> parameter. 369 scored: true 370 371 - id: 1.2.3 372 text: "Ensure that the --DenyServiceExternalIPs is not set (Automated)" 373 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 374 tests: 375 bin_op: or 376 test_items: 377 - flag: "--enable-admission-plugins" 378 compare: 379 op: nothave 380 value: "DenyServiceExternalIPs" 381 set: true 382 - flag: "--enable-admission-plugins" 383 set: false 384 remediation: | 385 Edit the API server pod specification file $apiserverconf 386 on the control plane node and remove the `DenyServiceExternalIPs` 387 from enabled admission plugins. 388 scored: true 389 390 - id: 1.2.4 391 text: "Ensure that the --kubelet-https argument is set to true (Automated)" 392 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 393 tests: 394 bin_op: or 395 test_items: 396 - flag: "--kubelet-https" 397 compare: 398 op: eq 399 value: true 400 - flag: "--kubelet-https" 401 set: false 402 remediation: | 403 Edit the API server pod specification file $apiserverconf 404 on the control plane node and remove the --kubelet-https parameter. 
405 scored: true 406 407 - id: 1.2.5 408 text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)" 409 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 410 tests: 411 bin_op: and 412 test_items: 413 - flag: "--kubelet-client-certificate" 414 set: true 415 - flag: "--kubelet-client-key" 416 set: true 417 remediation: | 418 Follow the Kubernetes documentation and set up the TLS connection between the 419 apiserver and kubelets. Then, edit API server pod specification file 420 $apiserverconf on the control plane node and set the 421 kubelet client certificate and key parameters as below. 422 --kubelet-client-certificate=<path/to/client-certificate-file> 423 --kubelet-client-key=<path/to/client-key-file> 424 scored: true 425 426 - id: 1.2.6 427 text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)" 428 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 429 tests: 430 test_items: 431 - flag: "--kubelet-certificate-authority" 432 set: true 433 remediation: | 434 Follow the Kubernetes documentation and setup the TLS connection between 435 the apiserver and kubelets. Then, edit the API server pod specification file 436 $apiserverconf on the control plane node and set the 437 --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority. 438 --kubelet-certificate-authority=<ca-string> 439 scored: true 440 441 - id: 1.2.7 442 text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)" 443 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 444 tests: 445 test_items: 446 - flag: "--authorization-mode" 447 compare: 448 op: nothave 449 value: "AlwaysAllow" 450 set: true 451 remediation: | 452 Edit the API server pod specification file $apiserverconf 453 on the control plane node and set the --authorization-mode parameter to values other than AlwaysAllow. 
454 One such example could be as below. 455 --authorization-mode=RBAC 456 scored: true 457 458 - id: 1.2.8 459 text: "Ensure that the --authorization-mode argument includes Node (Automated)" 460 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 461 tests: 462 test_items: 463 - flag: "--authorization-mode" 464 compare: 465 op: has 466 value: "Node" 467 set: true 468 remediation: | 469 Edit the API server pod specification file $apiserverconf 470 on the control plane node and set the --authorization-mode parameter to a value that includes Node. 471 --authorization-mode=Node,RBAC 472 scored: true 473 474 - id: 1.2.9 475 text: "Ensure that the --authorization-mode argument includes RBAC (Automated)" 476 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 477 tests: 478 test_items: 479 - flag: "--authorization-mode" 480 compare: 481 op: has 482 value: "RBAC" 483 set: true 484 remediation: | 485 Edit the API server pod specification file $apiserverconf 486 on the control plane node and set the --authorization-mode parameter to a value that includes RBAC, 487 for example `--authorization-mode=Node,RBAC`. 488 scored: true 489 490 - id: 1.2.10 491 text: "Ensure that the admission control plugin EventRateLimit is set (Manual)" 492 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 493 tests: 494 test_items: 495 - flag: "--enable-admission-plugins" 496 compare: 497 op: has 498 value: "EventRateLimit" 499 set: true 500 remediation: | 501 Follow the Kubernetes documentation and set the desired limits in a configuration file. 502 Then, edit the API server pod specification file $apiserverconf 503 and set the below parameters. 504 --enable-admission-plugins=...,EventRateLimit,... 
505 --admission-control-config-file=<path/to/configuration/file> 506 scored: false 507 508 - id: 1.2.11 509 text: "Ensure that the admission control plugin AlwaysAdmit is not set (Automated)" 510 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 511 tests: 512 bin_op: or 513 test_items: 514 - flag: "--enable-admission-plugins" 515 compare: 516 op: nothave 517 value: AlwaysAdmit 518 set: true 519 - flag: "--enable-admission-plugins" 520 set: false 521 remediation: | 522 Edit the API server pod specification file $apiserverconf 523 on the control plane node and either remove the --enable-admission-plugins parameter, or set it to a 524 value that does not include AlwaysAdmit. 525 scored: true 526 527 - id: 1.2.12 528 text: "Ensure that the admission control plugin AlwaysPullImages is set (Manual)" 529 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 530 tests: 531 test_items: 532 - flag: "--enable-admission-plugins" 533 compare: 534 op: has 535 value: "AlwaysPullImages" 536 set: true 537 remediation: | 538 Edit the API server pod specification file $apiserverconf 539 on the control plane node and set the --enable-admission-plugins parameter to include 540 AlwaysPullImages. 541 --enable-admission-plugins=...,AlwaysPullImages,... 542 scored: false 543 544 - id: 1.2.13 545 text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)" 546 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 547 tests: 548 bin_op: or 549 test_items: 550 - flag: "--enable-admission-plugins" 551 compare: 552 op: has 553 value: "SecurityContextDeny" 554 set: true 555 - flag: "--enable-admission-plugins" 556 compare: 557 op: has 558 value: "PodSecurityPolicy" 559 set: true 560 remediation: | 561 Edit the API server pod specification file $apiserverconf 562 on the control plane node and set the --enable-admission-plugins parameter to include 563 SecurityContextDeny, unless PodSecurityPolicy is already in place. 
564 --enable-admission-plugins=...,SecurityContextDeny,... 565 scored: false 566 567 - id: 1.2.14 568 text: "Ensure that the admission control plugin ServiceAccount is set (Automated)" 569 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 570 tests: 571 bin_op: or 572 test_items: 573 - flag: "--disable-admission-plugins" 574 compare: 575 op: nothave 576 value: "ServiceAccount" 577 - flag: "--disable-admission-plugins" 578 set: false 579 remediation: | 580 Follow the documentation and create ServiceAccount objects as per your environment. 581 Then, edit the API server pod specification file $apiserverconf 582 on the control plane node and ensure that the --disable-admission-plugins parameter is set to a 583 value that does not include ServiceAccount. 584 scored: true 585 586 - id: 1.2.15 587 text: "Ensure that the admission control plugin NamespaceLifecycle is set (Automated)" 588 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 589 tests: 590 bin_op: or 591 test_items: 592 - flag: "--disable-admission-plugins" 593 compare: 594 op: nothave 595 value: "NamespaceLifecycle" 596 - flag: "--disable-admission-plugins" 597 set: false 598 remediation: | 599 Edit the API server pod specification file $apiserverconf 600 on the control plane node and set the --disable-admission-plugins parameter to 601 ensure it does not include NamespaceLifecycle. 602 scored: true 603 604 - id: 1.2.16 605 text: "Ensure that the admission control plugin NodeRestriction is set (Automated)" 606 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 607 tests: 608 test_items: 609 - flag: "--enable-admission-plugins" 610 compare: 611 op: has 612 value: "NodeRestriction" 613 set: true 614 remediation: | 615 Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. 616 Then, edit the API server pod specification file $apiserverconf 617 on the control plane node and set the --enable-admission-plugins parameter to a 618 value that includes NodeRestriction. 
619 --enable-admission-plugins=...,NodeRestriction,... 620 scored: true 621 622 - id: 1.2.17 623 text: "Ensure that the --secure-port argument is not set to 0 (Automated)" 624 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 625 tests: 626 bin_op: or 627 test_items: 628 - flag: "--secure-port" 629 compare: 630 op: gt 631 value: 0 632 set: true 633 - flag: "--secure-port" 634 set: false 635 remediation: | 636 Edit the API server pod specification file $apiserverconf 637 on the control plane node and either remove the --secure-port parameter or 638 set it to a different (non-zero) desired port. 639 scored: true 640 641 - id: 1.2.18 642 text: "Ensure that the --profiling argument is set to false (Automated)" 643 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 644 tests: 645 test_items: 646 - flag: "--profiling" 647 compare: 648 op: eq 649 value: false 650 set: true 651 remediation: | 652 Edit the API server pod specification file $apiserverconf 653 on the control plane node and set the below parameter. 
654 --profiling=false 655 scored: true 656 657 - id: 1.2.19 658 text: "Ensure that the --audit-log-path argument is set (Automated)" 659 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 660 type: "skip" 661 tests: 662 test_items: 663 - flag: "--audit-log-path" 664 set: true 665 remediation: | 666 Edit the API server pod specification file $apiserverconf 667 on the control plane node and set the --audit-log-path parameter to a suitable path and 668 file where you would like audit logs to be written, for example, 669 --audit-log-path=/var/log/apiserver/audit.log 670 scored: true 671 672 - id: 1.2.20 673 text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)" 674 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 675 type: "skip" 676 tests: 677 test_items: 678 - flag: "--audit-log-maxage" 679 compare: 680 op: gte 681 value: 30 682 set: true 683 remediation: | 684 Edit the API server pod specification file $apiserverconf 685 on the control plane node and set the --audit-log-maxage parameter to 30 686 or as an appropriate number of days, for example, 687 --audit-log-maxage=30 688 scored: true 689 690 - id: 1.2.21 691 text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)" 692 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 693 type: "skip" 694 tests: 695 test_items: 696 - flag: "--audit-log-maxbackup" 697 compare: 698 op: gte 699 value: 10 700 set: true 701 remediation: | 702 Edit the API server pod specification file $apiserverconf 703 on the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate 704 value. 
For example, 705 --audit-log-maxbackup=10 706 scored: true 707 708 - id: 1.2.22 709 text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)" 710 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 711 type: "skip" 712 tests: 713 test_items: 714 - flag: "--audit-log-maxsize" 715 compare: 716 op: gte 717 value: 100 718 set: true 719 remediation: | 720 Edit the API server pod specification file $apiserverconf 721 on the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB. 722 For example, to set it as 100 MB, --audit-log-maxsize=100 723 scored: true 724 725 - id: 1.2.23 726 text: "Ensure that the --request-timeout argument is set as appropriate (Automated)" 727 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 728 tests: 729 bin_op: or 730 test_items: 731 - flag: "--request-timeout" 732 set: false 733 - flag: "--request-timeout" 734 remediation: | 735 Edit the API server pod specification file $apiserverconf 736 and set the below parameter as appropriate and if needed. 737 For example, --request-timeout=300s 738 scored: true 739 740 - id: 1.2.24 741 text: "Ensure that the --service-account-lookup argument is set to true (Automated)" 742 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 743 tests: 744 bin_op: or 745 test_items: 746 - flag: "--service-account-lookup" 747 set: false 748 - flag: "--service-account-lookup" 749 compare: 750 op: eq 751 value: true 752 remediation: | 753 Edit the API server pod specification file $apiserverconf 754 on the control plane node and set the below parameter. 755 --service-account-lookup=true 756 Alternatively, you can delete the --service-account-lookup parameter from this file so 757 that the default takes effect. 
758 scored: true 759 760 - id: 1.2.25 761 text: "Ensure that the --service-account-key-file argument is set as appropriate (Automated)" 762 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 763 tests: 764 test_items: 765 - flag: "--service-account-key-file" 766 set: true 767 remediation: | 768 Edit the API server pod specification file $apiserverconf 769 on the control plane node and set the --service-account-key-file parameter 770 to the public key file for service accounts. For example, 771 --service-account-key-file=<filename> 772 scored: true 773 774 - id: 1.2.26 775 text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)" 776 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 777 tests: 778 bin_op: and 779 test_items: 780 - flag: "--etcd-certfile" 781 set: true 782 - flag: "--etcd-keyfile" 783 set: true 784 remediation: | 785 Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. 786 Then, edit the API server pod specification file $apiserverconf 787 on the control plane node and set the etcd certificate and key file parameters. 788 --etcd-certfile=<path/to/client-certificate-file> 789 --etcd-keyfile=<path/to/client-key-file> 790 scored: true 791 792 - id: 1.2.27 793 text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)" 794 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 795 tests: 796 bin_op: and 797 test_items: 798 - flag: "--tls-cert-file" 799 set: true 800 - flag: "--tls-private-key-file" 801 set: true 802 remediation: | 803 Follow the Kubernetes documentation and set up the TLS connection on the apiserver. 804 Then, edit the API server pod specification file $apiserverconf 805 on the control plane node and set the TLS certificate and private key file parameters. 
806 --tls-cert-file=<path/to/tls-certificate-file> 807 --tls-private-key-file=<path/to/tls-key-file> 808 scored: true 809 810 - id: 1.2.28 811 text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)" 812 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 813 tests: 814 test_items: 815 - flag: "--client-ca-file" 816 set: true 817 remediation: | 818 Follow the Kubernetes documentation and set up the TLS connection on the apiserver. 819 Then, edit the API server pod specification file $apiserverconf 820 on the control plane node and set the client certificate authority file. 821 --client-ca-file=<path/to/client-ca-file> 822 scored: true 823 824 - id: 1.2.29 825 text: "Ensure that the --etcd-cafile argument is set as appropriate (Automated)" 826 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 827 tests: 828 test_items: 829 - flag: "--etcd-cafile" 830 set: true 831 remediation: | 832 Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. 833 Then, edit the API server pod specification file $apiserverconf 834 on the control plane node and set the etcd certificate authority file parameter. 835 --etcd-cafile=<path/to/ca-file> 836 scored: true 837 838 - id: 1.2.30 839 text: "Ensure that the --encryption-provider-config argument is set as appropriate (Manual)" 840 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 841 tests: 842 test_items: 843 - flag: "--encryption-provider-config" 844 remediation: | 845 Follow the Kubernetes documentation and configure a EncryptionConfig file. 846 Then, edit the API server pod specification file $apiserverconf 847 on the control plane node and set the --encryption-provider-config parameter to the path of that file. 
848 For example, --encryption-provider-config=</path/to/EncryptionConfig/File> 849 scored: false 850 851 - id: 1.2.31 852 text: "Ensure that encryption providers are appropriately configured (Manual)" 853 type: "skip" 854 audit: | 855 ENCRYPTION_PROVIDER_CONFIG=$(ps -ef | grep $apiserverbin | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\([^ ]*\).*%\1%') 856 if test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -A1 'providers:' $ENCRYPTION_PROVIDER_CONFIG | tail -n1 | grep -o "[A-Za-z]*" | sed 's/^/provider=/'; fi 857 tests: 858 test_items: 859 - flag: "provider" 860 compare: 861 op: valid_elements 862 value: "aescbc,kms,secretbox" 863 remediation: | 864 Follow the Kubernetes documentation and configure a EncryptionConfig file. 865 In this file, choose aescbc, kms or secretbox as the encryption provider. 866 scored: false 867 868 - id: 1.2.32 869 text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)" 870 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 871 tests: 872 test_items: 873 - flag: "--tls-cipher-suites" 874 compare: 875 op: valid_elements 876 value: "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384" 877 remediation: | 878 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml 879 on 
the control plane node and set the below parameter. 880 --tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256, 881 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 882 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 883 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 884 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 885 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 886 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, 887 TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384 888 scored: false 889 type: skip 890 891 - id: 1.3 892 text: "Controller Manager" 893 checks: 894 - id: 1.3.1 895 text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)" 896 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 897 tests: 898 test_items: 899 - flag: "--terminated-pod-gc-threshold" 900 remediation: | 901 Edit the Controller Manager pod specification file $controllermanagerconf 902 on the control plane node and set the --terminated-pod-gc-threshold to an appropriate threshold, 903 for example, --terminated-pod-gc-threshold=10 904 scored: false 905 906 - id: 1.3.2 907 text: "Ensure that the --profiling argument is set to false (Automated)" 908 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 909 tests: 910 test_items: 911 - flag: "--profiling" 912 compare: 913 op: eq 914 value: false 915 set: true 916 remediation: | 917 Edit the Controller Manager pod specification file $controllermanagerconf 918 on the control plane node and set the below parameter. 
919 --profiling=false 920 scored: true 921 922 - id: 1.3.3 923 text: "Ensure that the --use-service-account-credentials argument is set to true (Automated)" 924 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 925 tests: 926 test_items: 927 - flag: "--use-service-account-credentials" 928 compare: 929 op: noteq 930 value: false 931 set: true 932 remediation: | 933 Edit the Controller Manager pod specification file $controllermanagerconf 934 on the control plane node and set the below parameter. 935 --use-service-account-credentials=true 936 scored: true 937 938 - id: 1.3.4 939 text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)" 940 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 941 tests: 942 test_items: 943 - flag: "--service-account-private-key-file" 944 set: true 945 remediation: | 946 Edit the Controller Manager pod specification file $controllermanagerconf 947 on the control plane node and set the --service-account-private-key-file parameter 948 to the private key file for service accounts. 949 --service-account-private-key-file=<filename> 950 scored: true 951 952 - id: 1.3.5 953 text: "Ensure that the --root-ca-file argument is set as appropriate (Automated)" 954 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 955 tests: 956 test_items: 957 - flag: "--root-ca-file" 958 set: true 959 remediation: | 960 Edit the Controller Manager pod specification file $controllermanagerconf 961 on the control plane node and set the --root-ca-file parameter to the certificate bundle file. 
962 --root-ca-file=<path/to/file> 963 scored: true 964 965 - id: 1.3.6 966 text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)" 967 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 968 tests: 969 bin_op: or 970 test_items: 971 - flag: "--feature-gates" 972 compare: 973 op: nothave 974 value: "RotateKubeletServerCertificate=false" 975 set: true 976 - flag: "--feature-gates" 977 set: false 978 remediation: | 979 Edit the Controller Manager pod specification file $controllermanagerconf 980 on the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. 981 --feature-gates=RotateKubeletServerCertificate=true 982 scored: true 983 type: skip 984 985 - id: 1.3.7 986 text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" 987 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 988 tests: 989 bin_op: or 990 test_items: 991 - flag: "--bind-address" 992 compare: 993 op: eq 994 value: "127.0.0.1" 995 set: true 996 - flag: "--bind-address" 997 set: false 998 remediation: | 999 Edit the Controller Manager pod specification file $controllermanagerconf 1000 on the control plane node and ensure the --bind-address parameter is set to 127.0.0.1. 1001 scored: true 1002 1003 - id: 1.4 1004 text: "Scheduler" 1005 checks: 1006 - id: 1.4.1 1007 text: "Ensure that the --profiling argument is set to false (Automated)" 1008 audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep" 1009 tests: 1010 test_items: 1011 - flag: "--profiling" 1012 compare: 1013 op: eq 1014 value: false 1015 set: true 1016 remediation: | 1017 Edit the Scheduler pod specification file $schedulerconf 1018 on the control plane node and set the below parameter. 
1019 --profiling=false 1020 scored: true 1021 1022 - id: 1.4.2 1023 text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" 1024 audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep" 1025 tests: 1026 bin_op: or 1027 test_items: 1028 - flag: "--bind-address" 1029 compare: 1030 op: eq 1031 value: "127.0.0.1" 1032 set: true 1033 - flag: "--bind-address" 1034 set: false 1035 remediation: | 1036 Edit the Scheduler pod specification file $schedulerconf 1037 on the control plane node and ensure the --bind-address parameter is set to 127.0.0.1. 1038 scored: true