github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/rke2-cis-1.24/policies.yaml

---
controls:
version: "rke2-cis-1.24"
id: 5
text: "Kubernetes Policies"
type: "policies"
groups:
  - id: 5.1
    text: "RBAC and Service Accounts"
    checks:
      - id: 5.1.1
        text: "Ensure that the cluster-admin role is only used where required (Manual)"
        type: "manual"
        remediation: |
          Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
          if they need this role or if they could use a role with fewer privileges.
          Where possible, first bind users to a lower privileged role and then remove the
          clusterrolebinding to the cluster-admin role:
          kubectl delete clusterrolebinding [name]
        scored: false

      - id: 5.1.2
        text: "Minimize access to secrets (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove get, list and watch access to Secret objects in the cluster.
        scored: false

      - id: 5.1.3
        text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
        type: "manual"
        remediation: |
          Where possible replace any use of wildcards in clusterroles and roles with specific
          objects or actions.
        scored: false

      - id: 5.1.4
        text: "Minimize access to create pods (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove create access to pod objects in the cluster.
        scored: false

      - id: 5.1.5
        text: "Ensure that default service accounts are not actively used. (Manual)"
        type: "manual"
        remediation: |
          Create explicit service accounts wherever a Kubernetes workload requires specific access
          to the Kubernetes API server.
          Modify the configuration of each default service account to include this value
          automountServiceAccountToken: false
        scored: false

      - id: 5.1.6
        text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)"
        type: "manual"
        remediation: |
          Modify the definition of pods and service accounts which do not need to mount service
          account tokens to disable it.
        scored: false

      - id: 5.1.7
        text: "Avoid use of system:masters group (Manual)"
        type: "manual"
        remediation: |
          Remove the system:masters group from all users in the cluster.
        scored: false

      - id: 5.1.8
        text: "Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove the impersonate, bind and escalate rights from subjects.
        scored: false

  - id: 5.2
    text: "Pod Security Standards"
    checks:
      - id: 5.2.1
        text: "Ensure that the cluster has at least one active policy control mechanism in place (Manual)"
        type: "manual"
        remediation: |
          Ensure that either Pod Security Admission or an external policy control system is in place
          for every namespace which contains user workloads.
        scored: false

      - id: 5.2.2
        text: "Minimize the admission of privileged containers (Manual)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of privileged containers.
        scored: false

      - id: 5.2.3
        text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of `hostPID` containers.
        scored: false

      - id: 5.2.4
        text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of `hostIPC` containers.
        scored: false

      - id: 5.2.5
        text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of `hostNetwork` containers.
        scored: false

      - id: 5.2.6
        text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of containers with `.spec.allowPrivilegeEscalation` set to `true`.
        scored: false

      - id: 5.2.7
        text: "Minimize the admission of root containers (Manual)"
        type: "manual"
        remediation: |
          Create a policy for each namespace in the cluster, ensuring that either `MustRunAsNonRoot`
          or `MustRunAs` with the range of UIDs not including 0, is set.
        scored: false

      - id: 5.2.8
        text: "Minimize the admission of containers with the NET_RAW capability (Manual)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of containers with the `NET_RAW` capability.
        scored: false

      - id: 5.2.9
        text: "Minimize the admission of containers with added capabilities (Automated)"
        type: "manual"
        remediation: |
          Ensure that `allowedCapabilities` is not present in policies for the cluster unless
          it is set to an empty array.
        scored: false

      - id: 5.2.10
        text: "Minimize the admission of containers with capabilities assigned (Manual)"
        type: "manual"
        remediation: |
          Review the use of capabilities in applications running on your cluster. Where a namespace
          contains applications which do not require any Linux capabilities to operate, consider adding
          a PSP which forbids the admission of containers which do not drop all capabilities.
        scored: false

      - id: 5.2.11
        text: "Minimize the admission of Windows HostProcess containers (Manual)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of containers that have `.securityContext.windowsOptions.hostProcess` set to `true`.
        scored: false

      - id: 5.2.12
        text: "Minimize the admission of HostPath volumes (Manual)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of containers with `hostPath` volumes.
        scored: false

      - id: 5.2.13
        text: "Minimize the admission of containers which use HostPorts (Manual)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of containers which use `hostPort` sections.
        scored: false

  - id: 5.3
    text: "Network Policies and CNI"
    checks:
      - id: 5.3.1
        text: "Ensure that the CNI in use supports NetworkPolicies (Manual)"
        type: "manual"
        remediation: |
          If the CNI plugin in use does not support network policies, consideration should be given to
          making use of a different plugin, or finding an alternate mechanism for restricting traffic
          in the Kubernetes cluster.
        scored: false

      - id: 5.3.2
        text: "Ensure that all Namespaces have NetworkPolicies defined (Manual)"
        type: "manual"
        remediation: |
          Follow the documentation and create NetworkPolicy objects as you need them.
        scored: false

  - id: 5.4
    text: "Secrets Management"
    checks:
      - id: 5.4.1
        text: "Prefer using Secrets as files over Secrets as environment variables (Manual)"
        type: "manual"
        remediation: |
          If possible, rewrite application code to read Secrets from mounted secret files, rather than
          from environment variables.
        scored: false

      - id: 5.4.2
        text: "Consider external secret storage (Manual)"
        type: "manual"
        remediation: |
          Refer to the Secrets management options offered by your cloud provider or a third-party
          secrets management solution.
        scored: false

  - id: 5.5
    text: "Extensible Admission Control"
    checks:
      - id: 5.5.1
        text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
        type: "manual"
        remediation: |
          Follow the Kubernetes documentation and set up image provenance.
        scored: false

  - id: 5.7
    text: "General Policies"
    checks:
      - id: 5.7.1
        text: "Create administrative boundaries between resources using namespaces (Manual)"
        type: "manual"
        remediation: |
          Follow the documentation and create namespaces for objects in your deployment as you need
          them.
        scored: false

      - id: 5.7.2
        text: "Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"
        type: "manual"
        remediation: |
          Use `securityContext` to enable the docker/default seccomp profile in your pod definitions.
          An example is as below:
          securityContext:
            seccompProfile:
              type: RuntimeDefault
        scored: false

      - id: 5.7.3
        text: "Apply SecurityContext to your Pods and Containers (Manual)"
        type: "manual"
        remediation: |
          Follow the Kubernetes documentation and apply SecurityContexts to your Pods. For a
          suggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker
          Containers.
        scored: false

      - id: 5.7.4
        text: "The default namespace should not be used (Manual)"
        type: "manual"
        remediation: |
          Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
          resources and that all new resources are created in a specific namespace.
        scored: false
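The RBAC checks in group 5.1 are all marked `manual`, so kube-bench reports them without auditing anything. The following added example (not part of kube-bench or this benchmark file) shows how a reviewer can script the evidence gathering for 5.1.1, 5.1.3, 5.1.7 and 5.1.8 over the JSON that `kubectl get clusterroles,clusterrolebindings -o json` returns; the `SAMPLE` objects and all role and binding names in it are constructed for illustration.

```python
import json

# Constructed sample objects in the shape of `kubectl ... -o json` items
# (assumption: these names and rules are invented, not from a real cluster).
SAMPLE = {
    "clusterRoles": [
        {"metadata": {"name": "reader"},
         "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
        {"metadata": {"name": "wide-open"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"metadata": {"name": "impersonator"},
         "rules": [{"apiGroups": [""], "resources": ["users"], "verbs": ["impersonate"]}]},
    ],
    "clusterRoleBindings": [
        {"metadata": {"name": "ops-admins"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
        {"metadata": {"name": "readers"},
         "roleRef": {"kind": "ClusterRole", "name": "reader"},
         "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "app"}]},
    ],
}

# Verbs called out by check 5.1.8; a wildcard verb grants them implicitly.
ESCALATION_VERBS = {"bind", "impersonate", "escalate"}


def audit_rbac(cluster_roles, bindings):
    """Return {check_id: sorted names} of objects a reviewer should look at."""
    findings = {"5.1.1": set(), "5.1.3": set(), "5.1.7": set(), "5.1.8": set()}
    for role in cluster_roles:
        name = role["metadata"]["name"]
        for rule in role.get("rules", []):
            verbs = set(rule.get("verbs", []))
            fields = rule.get("apiGroups", []) + rule.get("resources", []) + list(verbs)
            if "*" in fields:                       # 5.1.3: any wildcard in the rule
                findings["5.1.3"].add(name)
            if ESCALATION_VERBS & verbs or "*" in verbs:   # 5.1.8
                findings["5.1.8"].add(name)
    for binding in bindings:
        name = binding["metadata"]["name"]
        if binding["roleRef"].get("name") == "cluster-admin":        # 5.1.1
            findings["5.1.1"].add(name)
        for subject in binding.get("subjects", []):
            if subject.get("kind") == "Group" and subject.get("name") == "system:masters":
                findings["5.1.7"].add(name)                          # 5.1.7
    return {check: sorted(names) for check, names in findings.items()}


if __name__ == "__main__":
    print(json.dumps(audit_rbac(SAMPLE["clusterRoles"], SAMPLE["clusterRoleBindings"]), indent=2))
```

On a live cluster, pass the `items` list of each `kubectl get ... -o json` document in place of the sample lists; namespaced Roles and RoleBindings can be fed through the same function since they share the `rules`, `roleRef` and `subjects` shape.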