github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/rke2-cis-1.7/master.yaml (about) 1 --- 2 controls: 3 version: "rke2-cis-1.7" 4 id: 1 5 text: "Control Plane Security Configuration" 6 type: "master" 7 groups: 8 - id: 1.1 9 text: "Control Plane Node Configuration Files" 10 checks: 11 - id: 1.1.1 12 text: "Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)" 13 audit: "stat -c permissions=%a /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml" 14 tests: 15 test_items: 16 - flag: "permissions" 17 compare: 18 op: bitmask 19 value: "600" 20 set: true 21 remediation: | 22 Run the below command (based on the file location on your system) on the 23 control plane node. 24 For example, chmod 600 $apiserverconf 25 scored: true 26 27 - id: 1.1.2 28 text: "Ensure that the API server pod specification file ownership is set to root:root (Automated)" 29 audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'" 30 tests: 31 test_items: 32 - flag: "root:root" 33 compare: 34 op: eq 35 value: "root:root" 36 set: true 37 remediation: | 38 Run the below command (based on the file location on your system) on the control plane node. 39 For example, chown root:root $apiserverconf 40 scored: true 41 42 - id: 1.1.3 43 text: "Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)" 44 audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'" 45 tests: 46 test_items: 47 - flag: "permissions" 48 compare: 49 op: bitmask 50 value: "600" 51 set: true 52 remediation: | 53 Run the below command (based on the file location on your system) on the control plane node. 
54 For example, chmod 600 $controllermanagerconf 55 scored: true 56 57 - id: 1.1.4 58 text: "Ensure that the controller manager pod specification file ownership is set to root:root (Automated)" 59 audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'" 60 tests: 61 test_items: 62 - flag: "root:root" 63 compare: 64 op: eq 65 value: "root:root" 66 set: true 67 remediation: | 68 Run the below command (based on the file location on your system) on the control plane node. 69 For example, chown root:root $controllermanagerconf 70 scored: true 71 72 - id: 1.1.5 73 text: "Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)" 74 audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'" 75 tests: 76 test_items: 77 - flag: "permissions" 78 compare: 79 op: bitmask 80 value: "600" 81 set: true 82 remediation: | 83 Run the below command (based on the file location on your system) on the control plane node. 84 For example, chmod 600 $schedulerconf 85 scored: true 86 87 - id: 1.1.6 88 text: "Ensure that the scheduler pod specification file ownership is set to root:root (Automated)" 89 audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'" 90 tests: 91 test_items: 92 - flag: "root:root" 93 set: true 94 remediation: | 95 Run the below command (based on the file location on your system) on the control plane node. 
96 For example, chown root:root $schedulerconf 97 scored: true 98 99 - id: 1.1.7 100 text: "Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)" 101 audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c permissions=%a; fi'" 102 use_multiple_values: true 103 tests: 104 test_items: 105 - flag: "permissions" 106 compare: 107 op: bitmask 108 value: "600" 109 remediation: | 110 Run the below command (based on the file location on your system) on the control plane node. 111 For example, 112 chmod 600 $etcdconf 113 scored: true 114 115 - id: 1.1.8 116 text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)" 117 audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'" 118 tests: 119 test_items: 120 - flag: "root:root" 121 compare: 122 op: eq 123 value: "root:root" 124 set: true 125 remediation: | 126 Run the below command (based on the file location on your system) on the control plane node. 127 For example, 128 chown root:root $etcdconf 129 scored: true 130 131 - id: 1.1.9 132 text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)" 133 audit: | 134 ps -fC ${kubeletbin:-kubelet} | grep -- --cni-conf-dir || echo "/etc/cni/net.d" | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c permissions=%a 135 find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a 136 use_multiple_values: true 137 tests: 138 test_items: 139 - flag: "permissions" 140 compare: 141 op: bitmask 142 value: "600" 143 remediation: | 144 Run the below command (based on the file location on your system) on the control plane node. 
145 For example, chmod 600 <path/to/cni/files> 146 scored: false 147 148 - id: 1.1.10 149 text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)" 150 audit: | 151 ps -fC ${kubeletbin:-kubelet} | grep -- --cni-conf-dir || echo "/etc/cni/net.d" | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G 152 find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G 153 use_multiple_values: true 154 tests: 155 test_items: 156 - flag: "root:root" 157 remediation: | 158 Run the below command (based on the file location on your system) on the control plane node. 159 For example, 160 chown root:root <path/to/cni/files> 161 scored: false 162 163 - id: 1.1.11 164 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" 165 audit: "stat -c permissions=%a /var/lib/rancher/rke2/server/db/etcd" 166 tests: 167 test_items: 168 - flag: "permissions" 169 compare: 170 op: bitmask 171 value: "700" 172 set: true 173 remediation: | 174 On the etcd server node, get the etcd data directory, passed as an argument --data-dir, 175 from the command 'ps -ef | grep etcd'. 176 Run the below command (based on the etcd data directory found above). For example, 177 chmod 700 /var/lib/etcd 178 scored: true 179 180 - id: 1.1.12 181 text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" 182 type: "skip" 183 audit: "stat -c %U:%G /var/lib/rancher/rke2/server/db/etcd" 184 tests: 185 test_items: 186 - flag: "etcd:etcd" 187 remediation: | 188 On the etcd server node, get the etcd data directory, passed as an argument --data-dir, 189 from the command 'ps -ef | grep etcd'. 190 Run the below command (based on the etcd data directory found above). 
191 For example, chown etcd:etcd /var/lib/etcd 192 scored: true 193 194 - id: 1.1.13 195 text: "Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)" 196 audit: "stat -c permissions=%a /var/lib/rancher/rke2/server/cred/admin.kubeconfig" 197 tests: 198 test_items: 199 - flag: "permissions" 200 compare: 201 op: bitmask 202 value: "600" 203 set: true 204 remediation: | 205 Run the below command (based on the file location on your system) on the control plane node. 206 For example, chmod 600 /etc/kubernetes/admin.conf 207 scored: true 208 209 - id: 1.1.14 210 text: "Ensure that the admin.conf file ownership is set to root:root (Automated)" 211 audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/admin.kubeconfig" 212 tests: 213 test_items: 214 - flag: "root:root" 215 compare: 216 op: eq 217 value: "root:root" 218 set: true 219 remediation: | 220 Run the below command (based on the file location on your system) on the control plane node. 221 For example, chown root:root /etc/kubernetes/admin.conf 222 scored: true 223 224 - id: 1.1.15 225 text: "Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)" 226 audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c permissions=%a $schedulerkubeconfig; fi'" 227 tests: 228 test_items: 229 - flag: "600" 230 compare: 231 op: eq 232 value: "600" 233 set: true 234 remediation: | 235 Run the below command (based on the file location on your system) on the control plane node. 
236 For example, 237 chmod 600 $schedulerkubeconfig 238 scored: true 239 240 - id: 1.1.16 241 text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)" 242 audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig" 243 tests: 244 test_items: 245 - flag: "root:root" 246 compare: 247 op: eq 248 value: "root:root" 249 set: true 250 remediation: | 251 Run the below command (based on the file location on your system) on the control plane node. 252 For example, 253 chown root:root $schedulerkubeconfig 254 scored: true 255 256 - id: 1.1.17 257 text: "Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)" 258 audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'" 259 tests: 260 test_items: 261 - flag: "600" 262 compare: 263 op: eq 264 value: "600" 265 set: true 266 remediation: | 267 Run the below command (based on the file location on your system) on the control plane node. 268 For example, 269 chmod 600 $controllermanagerkubeconfig 270 scored: true 271 272 - id: 1.1.18 273 text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)" 274 audit: "stat -c %U:%G /var/lib/rancher/rke2/server/cred/controller.kubeconfig" 275 tests: 276 test_items: 277 - flag: "root:root" 278 compare: 279 op: eq 280 value: "root:root" 281 set: true 282 remediation: | 283 Run the below command (based on the file location on your system) on the control plane node. 
284 For example, 285 chown root:root /var/lib/rancher/rke2/server/cred/controller.kubeconfig 286 scored: true 287 288 - id: 1.1.19 289 text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)" 290 audit: "stat -c %U:%G /var/lib/rancher/rke2/server/tls" 291 use_multiple_values: true 292 tests: 293 test_items: 294 - flag: "root:root" 295 compare: 296 op: eq 297 value: "root:root" 298 set: true 299 remediation: | 300 Run the below command (based on the file location on your system) on the control plane node. 301 For example, 302 chown -R root:root /etc/kubernetes/pki/ 303 scored: true 304 305 - id: 1.1.20 306 text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)" 307 audit: "stat -c permissions=%a /var/lib/rancher/rke2/server/tls/*.crt" 308 use_multiple_values: true 309 tests: 310 test_items: 311 - flag: "permissions" 312 compare: 313 op: bitmask 314 value: "600" 315 set: true 316 remediation: | 317 Run the below command (based on the file location on your system) on the control plane node. 318 For example, 319 chmod -R 600 /var/lib/rancher/rke2/server/tls/*.crt 320 scored: false 321 322 - id: 1.1.21 323 text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)" 324 audit: "stat -c permissions=%a /var/lib/rancher/rke2/server/tls/*.key" 325 use_multiple_values: true 326 tests: 327 test_items: 328 - flag: "permissions" 329 compare: 330 op: bitmask 331 value: "600" 332 set: true 333 remediation: | 334 Run the below command (based on the file location on your system) on the control plane node. 
335 For example, 336 chmod -R 600 /var/lib/rancher/rke2/server/tls/*.key 337 scored: false 338 339 - id: 1.2 340 text: "API Server" 341 checks: 342 - id: 1.2.1 343 text: "Ensure that the --anonymous-auth argument is set to false (Manual)" 344 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 345 type: manual 346 tests: 347 test_items: 348 - flag: "--anonymous-auth" 349 compare: 350 op: eq 351 value: false 352 remediation: | 353 Edit the API server pod specification file $apiserverconf 354 on the control plane node and set the below parameter. 355 --anonymous-auth=false 356 scored: false 357 358 - id: 1.2.2 359 text: "Ensure that the --token-auth-file parameter is not set (Automated)" 360 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 361 tests: 362 test_items: 363 - flag: "--token-auth-file" 364 set: false 365 remediation: | 366 Follow the documentation and configure alternate mechanisms for authentication. Then, 367 edit the API server pod specification file $apiserverconf 368 on the control plane node and remove the --token-auth-file=<filename> parameter. 369 scored: true 370 371 - id: 1.2.3 372 text: "Ensure that the --DenyServiceExternalIPs is not set (Automated)" 373 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 374 tests: 375 bin_op: or 376 test_items: 377 - flag: "--enable-admission-plugins" 378 compare: 379 op: nothave 380 value: "DenyServiceExternalIPs" 381 set: true 382 - flag: "--enable-admission-plugins" 383 set: false 384 remediation: | 385 Edit the API server pod specification file $apiserverconf 386 on the control plane node and remove the `DenyServiceExternalIPs` 387 from enabled admission plugins. 
388 scored: true 389 390 - id: 1.2.4 391 text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)" 392 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 393 tests: 394 bin_op: and 395 test_items: 396 - flag: "--kubelet-client-certificate" 397 set: true 398 - flag: "--kubelet-client-key" 399 set: true 400 remediation: | 401 Follow the Kubernetes documentation and set up the TLS connection between the 402 apiserver and kubelets. Then, edit API server pod specification file 403 $apiserverconf on the control plane node and set the 404 kubelet client certificate and key parameters as below. 405 --kubelet-client-certificate=<path/to/client-certificate-file> 406 --kubelet-client-key=<path/to/client-key-file> 407 scored: true 408 409 - id: 1.2.5 410 text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)" 411 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 412 tests: 413 test_items: 414 - flag: "--kubelet-certificate-authority" 415 set: true 416 remediation: | 417 Follow the Kubernetes documentation and setup the TLS connection between 418 the apiserver and kubelets. Then, edit the API server pod specification file 419 $apiserverconf on the control plane node and set the 420 --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority. 421 --kubelet-certificate-authority=<ca-string> 422 scored: true 423 424 - id: 1.2.6 425 text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)" 426 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 427 tests: 428 test_items: 429 - flag: "--authorization-mode" 430 compare: 431 op: nothave 432 value: "AlwaysAllow" 433 set: true 434 remediation: | 435 Edit the API server pod specification file $apiserverconf 436 on the control plane node and set the --authorization-mode parameter to values other than AlwaysAllow. 
437 One such example could be as below. 438 --authorization-mode=RBAC 439 scored: true 440 441 - id: 1.2.7 442 text: "Ensure that the --authorization-mode argument includes Node (Automated)" 443 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 444 tests: 445 test_items: 446 - flag: "--authorization-mode" 447 compare: 448 op: has 449 value: "Node" 450 set: true 451 remediation: | 452 Edit the API server pod specification file $apiserverconf 453 on the control plane node and set the --authorization-mode parameter to a value that includes Node. 454 --authorization-mode=Node,RBAC 455 scored: true 456 457 - id: 1.2.8 458 text: "Ensure that the --authorization-mode argument includes RBAC (Automated)" 459 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 460 tests: 461 test_items: 462 - flag: "--authorization-mode" 463 compare: 464 op: has 465 value: "RBAC" 466 set: true 467 remediation: | 468 Edit the API server pod specification file $apiserverconf 469 on the control plane node and set the --authorization-mode parameter to a value that includes RBAC, 470 for example `--authorization-mode=Node,RBAC`. 471 scored: true 472 473 - id: 1.2.9 474 text: "Ensure that the admission control plugin EventRateLimit is set (Manual)" 475 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 476 tests: 477 test_items: 478 - flag: "--enable-admission-plugins" 479 compare: 480 op: has 481 value: "EventRateLimit" 482 set: true 483 remediation: | 484 Follow the Kubernetes documentation and set the desired limits in a configuration file. 485 Then, edit the API server pod specification file $apiserverconf 486 and set the below parameters. 487 --enable-admission-plugins=...,EventRateLimit,... 
488 --admission-control-config-file=<path/to/configuration/file> 489 scored: false 490 491 - id: 1.2.10 492 text: "Ensure that the admission control plugin AlwaysAdmit is not set (Automated)" 493 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 494 tests: 495 bin_op: or 496 test_items: 497 - flag: "--enable-admission-plugins" 498 compare: 499 op: nothave 500 value: AlwaysAdmit 501 set: true 502 - flag: "--enable-admission-plugins" 503 set: false 504 remediation: | 505 Edit the API server pod specification file $apiserverconf 506 on the control plane node and either remove the --enable-admission-plugins parameter, or set it to a 507 value that does not include AlwaysAdmit. 508 scored: true 509 510 - id: 1.2.11 511 text: "Ensure that the admission control plugin AlwaysPullImages is set (Manual)" 512 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 513 tests: 514 test_items: 515 - flag: "--enable-admission-plugins" 516 compare: 517 op: has 518 value: "AlwaysPullImages" 519 set: true 520 remediation: | 521 Edit the API server pod specification file $apiserverconf 522 on the control plane node and set the --enable-admission-plugins parameter to include 523 AlwaysPullImages. 524 --enable-admission-plugins=...,AlwaysPullImages,... 525 scored: false 526 527 - id: 1.2.12 528 text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)" 529 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 530 tests: 531 bin_op: or 532 test_items: 533 - flag: "--enable-admission-plugins" 534 compare: 535 op: has 536 value: "SecurityContextDeny" 537 set: true 538 - flag: "--enable-admission-plugins" 539 compare: 540 op: has 541 value: "PodSecurityPolicy" 542 set: true 543 remediation: | 544 Edit the API server pod specification file $apiserverconf 545 on the control plane node and set the --enable-admission-plugins parameter to include 546 SecurityContextDeny, unless PodSecurityPolicy is already in place. 
547 --enable-admission-plugins=...,SecurityContextDeny,... 548 scored: false 549 550 - id: 1.2.13 551 text: "Ensure that the admission control plugin ServiceAccount is set (Automated)" 552 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 553 tests: 554 bin_op: or 555 test_items: 556 - flag: "--disable-admission-plugins" 557 compare: 558 op: nothave 559 value: "ServiceAccount" 560 - flag: "--disable-admission-plugins" 561 set: false 562 remediation: | 563 Follow the documentation and create ServiceAccount objects as per your environment. 564 Then, edit the API server pod specification file $apiserverconf 565 on the control plane node and ensure that the --disable-admission-plugins parameter is set to a 566 value that does not include ServiceAccount. 567 scored: true 568 569 - id: 1.2.14 570 text: "Ensure that the admission control plugin NamespaceLifecycle is set (Automated)" 571 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 572 tests: 573 bin_op: or 574 test_items: 575 - flag: "--disable-admission-plugins" 576 compare: 577 op: nothave 578 value: "NamespaceLifecycle" 579 - flag: "--disable-admission-plugins" 580 set: false 581 remediation: | 582 Edit the API server pod specification file $apiserverconf 583 on the control plane node and set the --disable-admission-plugins parameter to 584 ensure it does not include NamespaceLifecycle. 585 scored: true 586 587 - id: 1.2.15 588 text: "Ensure that the admission control plugin NodeRestriction is set (Automated)" 589 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 590 tests: 591 test_items: 592 - flag: "--enable-admission-plugins" 593 compare: 594 op: has 595 value: "NodeRestriction" 596 set: true 597 remediation: | 598 Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. 599 Then, edit the API server pod specification file $apiserverconf 600 on the control plane node and set the --enable-admission-plugins parameter to a 601 value that includes NodeRestriction. 
602 --enable-admission-plugins=...,NodeRestriction,... 603 scored: true 604 605 - id: 1.2.16 606 text: "Ensure that the --secure-port argument is not set to 0 - Note: This recommendation is obsolete and will be deleted per the consensus process (Automated)" 607 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 608 tests: 609 bin_op: or 610 test_items: 611 - flag: "--secure-port" 612 compare: 613 op: gt 614 value: 0 615 set: true 616 - flag: "--secure-port" 617 set: false 618 remediation: | 619 Edit the API server pod specification file $apiserverconf 620 on the control plane node and either remove the --secure-port parameter or 621 set it to a different (non-zero) desired port. 622 scored: true 623 624 - id: 1.2.17 625 text: "Ensure that the --profiling argument is set to false (Automated)" 626 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 627 tests: 628 test_items: 629 - flag: "--profiling" 630 compare: 631 op: eq 632 value: false 633 set: true 634 remediation: | 635 Edit the API server pod specification file $apiserverconf 636 on the control plane node and set the below parameter. 637 --profiling=false 638 scored: true 639 640 - id: 1.2.18 641 text: "Ensure that the --audit-log-path argument is set (Automated)" 642 type: "skip" 643 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 644 tests: 645 test_items: 646 - flag: "--audit-log-path" 647 set: true 648 remediation: | 649 Edit the API server pod specification file $apiserverconf 650 on the control plane node and set the --audit-log-path parameter to a suitable path and 651 file where you would like audit logs to be written, for example, 652 --audit-log-path=/var/log/apiserver/audit.log 653 Permissive.
654 scored: true 655 656 - id: 1.2.19 657 text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)" 658 type: "skip" 659 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 660 tests: 661 test_items: 662 - flag: "--audit-log-maxage" 663 compare: 664 op: gte 665 value: 30 666 set: true 667 remediation: | 668 Edit the API server pod specification file $apiserverconf 669 on the control plane node and set the --audit-log-maxage parameter to 30 670 or as an appropriate number of days, for example, 671 --audit-log-maxage=30 672 Permissive. 673 scored: true 674 675 - id: 1.2.20 676 text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)" 677 type: "skip" 678 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 679 tests: 680 test_items: 681 - flag: "--audit-log-maxbackup" 682 compare: 683 op: gte 684 value: 10 685 set: true 686 remediation: | 687 Edit the API server pod specification file $apiserverconf 688 on the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate 689 value. For example, 690 --audit-log-maxbackup=10 691 Permissive. 692 scored: true 693 694 - id: 1.2.21 695 text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)" 696 type: "skip" 697 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 698 tests: 699 test_items: 700 - flag: "--audit-log-maxsize" 701 compare: 702 op: gte 703 value: 100 704 set: true 705 remediation: | 706 Edit the API server pod specification file $apiserverconf 707 on the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB. 
708 For example, to set it as 100 MB, --audit-log-maxsize=100 709 scored: true 710 711 - id: 1.2.22 712 text: "Ensure that the --request-timeout argument is set as appropriate (Automated)" 713 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 714 tests: 715 bin_op: or 716 test_items: 717 - flag: "--request-timeout" 718 set: false 719 - flag: "--request-timeout" 720 remediation: | 721 Edit the API server pod specification file $apiserverconf 722 and set the below parameter as appropriate and if needed. 723 For example, --request-timeout=300s 724 scored: true 725 726 - id: 1.2.23 727 text: "Ensure that the --service-account-lookup argument is set to true (Automated)" 728 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 729 tests: 730 bin_op: or 731 test_items: 732 - flag: "--service-account-lookup" 733 set: false 734 - flag: "--service-account-lookup" 735 compare: 736 op: eq 737 value: true 738 remediation: | 739 Edit the API server pod specification file $apiserverconf 740 on the control plane node and set the below parameter. 741 --service-account-lookup=true 742 Alternatively, you can delete the --service-account-lookup parameter from this file so 743 that the default takes effect. 744 scored: true 745 746 - id: 1.2.24 747 text: "Ensure that the --service-account-key-file argument is set as appropriate (Automated)" 748 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 749 tests: 750 test_items: 751 - flag: "--service-account-key-file" 752 set: true 753 remediation: | 754 Edit the API server pod specification file $apiserverconf 755 on the control plane node and set the --service-account-key-file parameter 756 to the public key file for service accounts. 
For example, 757 --service-account-key-file=<filename> 758 scored: true 759 760 - id: 1.2.25 761 text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)" 762 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 763 tests: 764 bin_op: and 765 test_items: 766 - flag: "--etcd-certfile" 767 set: true 768 - flag: "--etcd-keyfile" 769 set: true 770 remediation: | 771 Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. 772 Then, edit the API server pod specification file $apiserverconf 773 on the control plane node and set the etcd certificate and key file parameters. 774 --etcd-certfile=<path/to/client-certificate-file> 775 --etcd-keyfile=<path/to/client-key-file> 776 scored: true 777 778 - id: 1.2.26 779 text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)" 780 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 781 tests: 782 bin_op: and 783 test_items: 784 - flag: "--tls-cert-file" 785 set: true 786 - flag: "--tls-private-key-file" 787 set: true 788 remediation: | 789 Follow the Kubernetes documentation and set up the TLS connection on the apiserver. 790 Then, edit the API server pod specification file $apiserverconf 791 on the control plane node and set the TLS certificate and private key file parameters. 792 --tls-cert-file=<path/to/tls-certificate-file> 793 --tls-private-key-file=<path/to/tls-key-file> 794 scored: true 795 796 - id: 1.2.27 797 text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)" 798 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 799 tests: 800 test_items: 801 - flag: "--client-ca-file" 802 set: true 803 remediation: | 804 Follow the Kubernetes documentation and set up the TLS connection on the apiserver. 805 Then, edit the API server pod specification file $apiserverconf 806 on the control plane node and set the client certificate authority file. 
807 --client-ca-file=<path/to/client-ca-file> 808 scored: true 809 810 - id: 1.2.28 811 text: "Ensure that the --etcd-cafile argument is set as appropriate (Automated)" 812 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 813 tests: 814 test_items: 815 - flag: "--etcd-cafile" 816 set: true 817 remediation: | 818 Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. 819 Then, edit the API server pod specification file $apiserverconf 820 on the control plane node and set the etcd certificate authority file parameter. 821 --etcd-cafile=<path/to/ca-file> 822 scored: true 823 824 - id: 1.2.29 825 text: "Ensure that the --encryption-provider-config argument is set as appropriate (Manual)" 826 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 827 tests: 828 test_items: 829 - flag: "--encryption-provider-config" 830 remediation: | 831 Follow the Kubernetes documentation and configure a EncryptionConfig file. 832 Then, edit the API server pod specification file $apiserverconf 833 on the control plane node and set the --encryption-provider-config parameter to the path of that file. 834 For example, --encryption-provider-config=</path/to/EncryptionConfig/File> 835 scored: false 836 837 - id: 1.2.30 838 text: "Ensure that encryption providers are appropriately configured (Manual)" 839 type: "skip" 840 audit: | 841 ENCRYPTION_PROVIDER_CONFIG=$(ps -ef | grep $apiserverbin | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\([^ ]*\).*%\1%') 842 if test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -A1 'providers:' $ENCRYPTION_PROVIDER_CONFIG | tail -n1 | grep -o "[A-Za-z]*" | sed 's/^/provider=/'; fi 843 tests: 844 test_items: 845 - flag: "provider" 846 compare: 847 op: valid_elements 848 value: "aescbc,kms,secretbox" 849 remediation: | 850 Follow the Kubernetes documentation and configure a EncryptionConfig file. 851 In this file, choose aescbc, kms or secretbox as the encryption provider. 
852 Permissive. 853 scored: false 854 855 - id: 1.2.31 856 text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)" 857 type: skip 858 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 859 tests: 860 test_items: 861 - flag: "--tls-cipher-suites" 862 compare: 863 op: valid_elements 864 value: "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384" 865 remediation: | 866 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml 867 on the control plane node and set the below parameter. 
868 --tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256, 869 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 870 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 871 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 872 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 873 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 874 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, 875 TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384 876 Not Applicable. 877 scored: false 878 879 880 - id: 1.3 881 text: "Controller Manager" 882 checks: 883 - id: 1.3.1 884 text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)" 885 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 886 tests: 887 test_items: 888 - flag: "--terminated-pod-gc-threshold" 889 remediation: | 890 Edit the Controller Manager pod specification file $controllermanagerconf 891 on the control plane node and set the --terminated-pod-gc-threshold to an appropriate threshold, 892 for example, --terminated-pod-gc-threshold=10 893 scored: false 894 895 - id: 1.3.2 896 text: "Ensure that the --profiling argument is set to false (Automated)" 897 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 898 tests: 899 test_items: 900 - flag: "--profiling" 901 compare: 902 op: eq 903 value: false 904 set: true 905 remediation: | 906 Edit the Controller Manager pod specification file $controllermanagerconf 907 on the control plane node and set the below parameter. 
908 --profiling=false 909 scored: true 910 911 - id: 1.3.3 912 text: "Ensure that the --use-service-account-credentials argument is set to true (Automated)" 913 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 914 tests: 915 test_items: 916 - flag: "--use-service-account-credentials" 917 compare: 918 op: noteq 919 value: false 920 set: true 921 remediation: | 922 Edit the Controller Manager pod specification file $controllermanagerconf 923 on the control plane node to set the below parameter. 924 --use-service-account-credentials=true 925 scored: true 926 927 - id: 1.3.4 928 text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)" 929 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 930 tests: 931 test_items: 932 - flag: "--service-account-private-key-file" 933 set: true 934 remediation: | 935 Edit the Controller Manager pod specification file $controllermanagerconf 936 on the control plane node and set the --service-account-private-key-file parameter 937 to the private key file for service accounts. 938 --service-account-private-key-file=<filename> 939 scored: true 940 941 - id: 1.3.5 942 text: "Ensure that the --root-ca-file argument is set as appropriate (Automated)" 943 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 944 tests: 945 test_items: 946 - flag: "--root-ca-file" 947 set: true 948 remediation: | 949 Edit the Controller Manager pod specification file $controllermanagerconf 950 on the control plane node and set the --root-ca-file parameter to the certificate bundle file`. 
951 --root-ca-file=<path/to/file> 952 scored: true 953 954 - id: 1.3.6 955 text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)" 956 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 957 tests: 958 bin_op: or 959 test_items: 960 - flag: "--feature-gates" 961 compare: 962 op: nothave 963 value: "RotateKubeletServerCertificate=false" 964 set: true 965 - flag: "--feature-gates" 966 set: false 967 remediation: | 968 Edit the Controller Manager pod specification file $controllermanagerconf 969 on the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. 970 --feature-gates=RotateKubeletServerCertificate=true 971 scored: true 972 type: skip 973 974 - id: 1.3.7 975 text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" 976 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 977 tests: 978 bin_op: or 979 test_items: 980 - flag: "--bind-address" 981 compare: 982 op: eq 983 value: "127.0.0.1" 984 set: true 985 - flag: "--bind-address" 986 set: false 987 remediation: | 988 Edit the Controller Manager pod specification file $controllermanagerconf 989 on the control plane node and ensure the correct value for the --bind-address parameter 990 scored: true 991 992 - id: 1.4 993 text: "Scheduler" 994 checks: 995 - id: 1.4.1 996 text: "Ensure that the --profiling argument is set to false (Automated)" 997 audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep" 998 tests: 999 test_items: 1000 - flag: "--profiling" 1001 compare: 1002 op: eq 1003 value: false 1004 set: true 1005 remediation: | 1006 Edit the Scheduler pod specification file $schedulerconf file 1007 on the control plane node and set the below parameter. 
1008 --profiling=false 1009 scored: true 1010 1011 - id: 1.4.2 1012 text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" 1013 audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep" 1014 tests: 1015 bin_op: or 1016 test_items: 1017 - flag: "--bind-address" 1018 compare: 1019 op: eq 1020 value: "127.0.0.1" 1021 set: true 1022 - flag: "--bind-address" 1023 set: false 1024 remediation: | 1025 Edit the Scheduler pod specification file $schedulerconf 1026 on the control plane node and ensure the correct value for the --bind-address parameter 1027 scored: true