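---
# kube-bench control definitions for the RKE2 CIS 1.7 benchmark, section 4
# (worker node): cfg/rke2-cis-1.7/node.yaml.
#
# Each check runs `audit` (and, for kubelet checks, `audit_config`) and
# evaluates `tests.test_items` against the captured output. Placeholders such
# as $kubeletsvc, $kubeletconf, $kubeletbin, $kubeletkubeconfig and
# $proxykubeconfig are resolved by kube-bench from its configuration for the
# target platform before the audit command is executed.
#
# Test semantics used in this file:
#   - `set: true` (the default): the flag/path must be present in the output.
#   - `set: false`: the item passes when the flag/path is absent, i.e. the
#     kubelet default is relied upon — confirm that default for the deployed
#     Kubernetes version before accepting such a pass.
#   - `bin_op: or`: the check passes if any one test item passes.
#   - `op: bitmask` with value "600": the observed file mode must not contain
#     any bit outside 0600 (600 or more restrictive).
#   - `type: "skip"`: the control is not evaluated on RKE2; the remediation
#     text carries the corresponding "Not Applicable" note.
controls:
version: "rke2-cis-1.7"
id: 4
text: "Worker Node Security Configuration"
type: "node"
groups:
  - id: 4.1
    text: "Worker Node Configuration Files"
    checks:
      # 4.1.1 and 4.1.2 are skipped on RKE2 — the remediation says
      # "Not Applicable", presumably because RKE2 does not manage the kubelet
      # through a standalone service unit file, so $kubeletsvc has nothing to
      # point at. Confirm against the RKE2 deployment being assessed.
      - id: 4.1.1
        text: "Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
        type: "skip"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example, chmod 600 $kubeletsvc
          Not Applicable.
        scored: true

      - id: 4.1.2
        text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' '
        type: "skip"
        tests:
          test_items:
            - flag: "root:root"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example,
          chown root:root $kubeletsvc
          Not applicable.
        scored: true

      # The audit prints nothing when the proxy kubeconfig does not exist.
      # `bin_op: or` has no effect with a single test item and is kept for
      # parity with the upstream benchmark layout.
      - id: 4.1.3
        text: "If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Manual)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
        tests:
          bin_op: or
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example,
          chmod 600 $proxykubeconfig
        scored: false

      - id: 4.1.4
        text: "If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
        tests:
          bin_op: or
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example, chown root:root $proxykubeconfig
        scored: false

      # The kubelet's own kubeconfig holds the node's API-server credentials;
      # it must not be readable by non-root users.
      - id: 4.1.5
        text: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example,
          chmod 600 $kubeletkubeconfig
        scored: true

      # `set: true` and `compare eq root:root` are redundant here (presence of
      # the literal "root:root" already implies the comparison) but harmless.
      - id: 4.1.6
        text: "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: root:root
              set: true
              compare:
                op: eq
                value: root:root
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example,
          chown root:root $kubeletkubeconfig
        scored: true

      # 4.1.7 / 4.1.8 delegate the audit to helper scripts (not part of this
      # file) that locate the --client-ca-file path before calling stat.
      - id: 4.1.7
        text: "Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Manual)"
        audit: "check_cafile_permissions.sh"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
              set: true
        remediation: |
          Run the following command to modify the file permissions of the
          --client-ca-file chmod 600 <filename>
        scored: false

      - id: 4.1.8
        text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
        audit: "check_cafile_ownership.sh"
        tests:
          test_items:
            - flag: root:root
              compare:
                op: eq
                value: root:root
        remediation: |
          Run the following command to modify the ownership of the --client-ca-file.
          chown root:root <filename>
        scored: false

      - id: 4.1.9
        text: "If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
              set: true
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chmod 600 $kubeletconf
        scored: true

      - id: 4.1.10
        text: "If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: root:root
              set: true
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chown root:root $kubeletconf
        scored: true

  # Kubelet checks inspect both the running process command line (`audit`)
  # and the kubelet configuration file (`audit_config`): `flag` matches the
  # CLI argument, `path` is the JSONPath into the config file. Either source
  # can satisfy a test item.
  - id: 4.2
    text: "Kubelet"
    checks:
      # No `set: false` fallback: anonymous authentication has to be disabled
      # explicitly, on the command line or in the config file.
      - id: 4.2.1
        text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--anonymous-auth"
              path: '{.authentication.anonymous.enabled}'
              compare:
                op: eq
                value: false
        remediation: |
          If using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to
          `false`.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          `--anonymous-auth=false`
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      # `nothave AlwaysAllow` rejects only the insecure mode; it does not
      # require a specific authorizer, so Webhook is the recommended value
      # rather than the only passing one.
      - id: 4.2.2
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --authorization-mode
              path: '{.authorization.mode}'
              compare:
                op: nothave
                value: AlwaysAllow
        remediation: |
          If using a Kubelet config file, edit the file to set `authorization.mode` to Webhook. If
          using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --authorization-mode=Webhook
          Based on your system, restart the kubelet service.
          For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      # Presence-only test: the CA file path is not validated, only that one
      # is configured so client certificates to the kubelet API are verified.
      - id: 4.2.3
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --client-ca-file
              path: '{.authentication.x509.clientCAFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set `authentication.x509.clientCAFile` to
          the location of the client CA file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --client-ca-file=<path/to/client-ca-file>
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      # The read-only port serves node and pod information without
      # authentication. The second item passes when the setting is absent,
      # relying on the kubelet default being 0 — confirm the default for the
      # deployed kubelet version rather than assuming it.
      - id: 4.2.4
        text: "Verify that the --read-only-port argument is set to 0 (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              compare:
                op: eq
                value: 0
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set `readOnlyPort` to 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --read-only-port=0
          Based on your system, restart the kubelet service.
          For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      # A value of 0 disables the idle timeout for exec/attach/port-forward
      # streams; any non-zero value passes and an absent setting is accepted.
      - id: 4.2.5
        text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              compare:
                op: noteq
                value: 0
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a
          value other than 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --streaming-connection-idle-timeout=5m
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.6
        text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              compare:
                op: eq
                value: true
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set `makeIPTablesUtilChains` to `true`.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove the --make-iptables-util-chains argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service.
          For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      # Skipped on RKE2 (remediation says "Not Applicable"); presumably RKE2
      # sets --hostname-override itself when launching the kubelet — confirm.
      - id: 4.2.7
        text: "Ensure that the --hostname-override argument is not set (Manual)"
        # This is one of those properties that can only be set as a command line argument.
        # To check if the property is set as expected, we need to parse the kubelet command
        # instead reading the Kubelet Configuration file.
        audit: "/bin/ps -fC $kubeletbin "
        type: skip
        tests:
          test_items:
            - flag: --hostname-override
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and remove the --hostname-override argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
          Not Applicable.
        scored: false

      # `gte 0` passes every numeric value, including 0, which the kubelet
      # treats as "no limit" on event creation; this is a Manual check, so the
      # configured value should be reviewed for the cluster's event volume.
      - id: 4.2.8
        text: "Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --event-qps
              path: '{.eventRecordQPS}'
              compare:
                op: gte
                value: 0
            - flag: --event-qps
              path: '{.eventRecordQPS}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set `eventRecordQPS` to an appropriate level.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --event-qps=<appropriate level>
          Based on your system, restart the kubelet service.
          For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      # Presence-only: both the certificate and key locations must be
      # configured; the files themselves are not inspected.
      - id: 4.2.9
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --tls-cert-file
              path: '{.tlsCertFile}'
            - flag: --tls-private-key-file
              path: '{.tlsPrivateKeyFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set `tlsCertFile` to the location
          of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile`
          to the location of the corresponding private key file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
          --tls-cert-file=<path/to/tls-certificate-file>
          --tls-private-key-file=<path/to/tls-key-file>
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      # Passes when rotation is explicitly true or when the setting is absent
      # (default relied upon); fails only on an explicit false.
      - id: 4.2.10
        text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              compare:
                op: eq
                value: true
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to add the line `rotateCertificates` to `true` or
          remove it altogether to use the default value.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
          variable.
          Based on your system, restart the kubelet service.
          For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      # Despite the title, the test only fails when the feature gate is
      # explicitly set to false; an absent gate passes via `set: false`.
      - id: 4.2.11
        text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              compare:
                op: nothave
                value: false
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
          --feature-gates=RotateKubeletServerCertificate=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      # The `path` expression renders the config-file list as a
      # comma-separated string (`''` is an escaped single quote inside the
      # single-quoted YAML scalar). `valid_elements` passes when every
      # configured suite is in the allowed list. Note that the two
      # TLS_RSA_WITH_* suites use static RSA key exchange and provide no
      # forward secrecy; where clients permit it, restrict to the ECDHE subset.
      - id: 4.2.12
        text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --tls-cipher-suites
              path: '{range .tlsCipherSuites[:]}{}{'',''}{end}'
              compare:
                op: valid_elements
                value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
        remediation: |
          If using a Kubelet config file, edit the file to set `TLSCipherSuites` to
          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          or to a subset of these values.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the --tls-cipher-suites parameter as follows, or to a subset of these values.
          --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      # Presence-only: a configured PID limit of any value passes; the limit
      # itself is not validated and should be reviewed manually.
      - id: 4.2.13
        text: "Ensure that a limit is set on pod PIDs (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --pod-max-pids
              path: '{.podPidsLimit}'
        remediation: |
          Decide on an appropriate level for this parameter and set it,
          either via the --pod-max-pids command line parameter or the PodPidsLimit configuration file setting.
        scored: false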