github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/rke2-cis-1.7/policies.yaml

---
controls:
version: "rke2-cis-1.7"
id: 5
text: "Kubernetes Policies"
type: "policies"
groups:
  - id: 5.1
    text: "RBAC and Service Accounts"
    checks:
      - id: 5.1.1
        text: "Ensure that the cluster-admin role is only used where required (Manual)"
        type: "manual"
        remediation: |
          Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
          if they need this role or if they could use a role with fewer privileges.
          Where possible, first bind users to a lower privileged role and then remove the
          clusterrolebinding to the cluster-admin role:
          kubectl delete clusterrolebinding [name]
        scored: false

      - id: 5.1.2
        text: "Minimize access to secrets (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove get, list and watch access to Secret objects in the cluster.
        scored: false

      - id: 5.1.3
        text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
        type: "manual"
        remediation: |
          Where possible, replace any use of wildcards in clusterroles and roles with specific
          objects or actions.
        scored: false

      - id: 5.1.4
        text: "Minimize access to create pods (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove create access to pod objects in the cluster.
        scored: false

      - id: 5.1.5
        text: "Ensure that default service accounts are not actively used. (Manual)"
        type: "manual"
        remediation: |
          Create explicit service accounts wherever a Kubernetes workload requires specific access
          to the Kubernetes API server.
          Modify the configuration of each default service account to include this value
          automountServiceAccountToken: false
        scored: false

      - id: 5.1.6
        text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)"
        type: "manual"
        remediation: |
          Modify the definition of pods and service accounts which do not need to mount service
          account tokens to disable it.
        scored: false

      - id: 5.1.7
        text: "Avoid use of system:masters group (Manual)"
        type: "manual"
        remediation: |
          Remove the system:masters group from all users in the cluster.
        scored: false

      - id: 5.1.8
        text: "Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove the impersonate, bind and escalate rights from subjects.
        scored: false

      - id: 5.1.9
        text: "Minimize access to create persistent volumes (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove create access to PersistentVolume objects in the cluster.
        scored: false

      - id: 5.1.10
        text: "Minimize access to the proxy sub-resource of nodes (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove access to the proxy sub-resource of node objects.
        scored: false

      - id: 5.1.11
        text: "Minimize access to the approval sub-resource of certificatesigningrequests objects (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove access to the approval sub-resource of certificatesigningrequest objects.
        scored: false

      - id: 5.1.12
        text: "Minimize access to webhook configuration objects (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove access to the validatingwebhookconfigurations or mutatingwebhookconfigurations objects.
        scored: false

      - id: 5.1.13
        text: "Minimize access to the service account token creation (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove access to the token sub-resource of serviceaccount objects.
        scored: false

  - id: 5.2
    text: "Pod Security Standards"
    checks:
      - id: 5.2.1
        text: "Ensure that the cluster has at least one active policy control mechanism in place (Manual)"
        type: "manual"
        remediation: |
          Ensure that either Pod Security Admission or an external policy control system is in place
          for every namespace which contains user workloads.
        scored: false

      - id: 5.2.2
        text: "Minimize the admission of privileged containers (Manual)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of privileged containers.
        scored: false

      - id: 5.2.3
        text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of `hostPID` containers.
        scored: false

      - id: 5.2.4
        text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of `hostIPC` containers.
        scored: false

      - id: 5.2.5
        text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of `hostNetwork` containers.
        scored: false

      - id: 5.2.6
        text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of containers with `.spec.allowPrivilegeEscalation` set to `true`.
        scored: false

      - id: 5.2.7
        text: "Minimize the admission of root containers (Manual)"
        type: "manual"
        remediation: |
          Create a policy for each namespace in the cluster, ensuring that either `MustRunAsNonRoot`
          or `MustRunAs` with the range of UIDs not including 0, is set.
        scored: false

      - id: 5.2.8
        text: "Minimize the admission of containers with the NET_RAW capability (Manual)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of containers with the `NET_RAW` capability.
        scored: false

      - id: 5.2.9
        text: "Minimize the admission of containers with added capabilities (Automated)"
        type: "manual"
        remediation: |
          Ensure that `allowedCapabilities` is not present in policies for the cluster unless
          it is set to an empty array.
        scored: false

      - id: 5.2.10
        text: "Minimize the admission of containers with capabilities assigned (Manual)"
        type: "manual"
        remediation: |
          Review the use of capabilities in applications running on your cluster. Where a namespace
          contains applications which do not require any Linux capabilities to operate, consider adding
          a PSP which forbids the admission of containers which do not drop all capabilities.
        scored: false

      - id: 5.2.11
        text: "Minimize the admission of Windows HostProcess containers (Manual)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of containers that have `.securityContext.windowsOptions.hostProcess` set to `true`.
        scored: false

      - id: 5.2.12
        text: "Minimize the admission of HostPath volumes (Manual)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of containers with `hostPath` volumes.
        scored: false

      - id: 5.2.13
        text: "Minimize the admission of containers which use HostPorts (Manual)"
        type: "manual"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the
          admission of containers which use `hostPort` sections.
        scored: false

  - id: 5.3
    text: "Network Policies and CNI"
    checks:
      - id: 5.3.1
        text: "Ensure that the CNI in use supports NetworkPolicies (Manual)"
        type: "manual"
        remediation: |
          If the CNI plugin in use does not support network policies, consideration should be given to
          making use of a different plugin, or finding an alternate mechanism for restricting traffic
          in the Kubernetes cluster.
        scored: false

      - id: 5.3.2
        text: "Ensure that all Namespaces have NetworkPolicies defined (Manual)"
        type: "manual"
        remediation: |
          Follow the documentation and create NetworkPolicy objects as you need them.
        scored: false

  - id: 5.4
    text: "Secrets Management"
    checks:
      - id: 5.4.1
        text: "Prefer using Secrets as files over Secrets as environment variables (Manual)"
        type: "manual"
        remediation: |
          If possible, rewrite application code to read Secrets from mounted secret files, rather than
          from environment variables.
        scored: false

      - id: 5.4.2
        text: "Consider external secret storage (Manual)"
        type: "manual"
        remediation: |
          Refer to the Secrets management options offered by your cloud provider or a third-party
          secrets management solution.
        scored: false

  - id: 5.5
    text: "Extensible Admission Control"
    checks:
      - id: 5.5.1
        text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
        type: "manual"
        remediation: |
          Follow the Kubernetes documentation and set up image provenance.
        scored: false

  - id: 5.7
    text: "General Policies"
    checks:
      - id: 5.7.1
        text: "Create administrative boundaries between resources using namespaces (Manual)"
        type: "manual"
        remediation: |
          Follow the documentation and create namespaces for objects in your deployment as you need
          them.
        scored: false

      - id: 5.7.2
        text: "Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"
        type: "manual"
        remediation: |
          Use `securityContext` to enable the docker/default seccomp profile in your pod definitions.
          An example is as below:
            securityContext:
              seccompProfile:
                type: RuntimeDefault
        scored: false

      - id: 5.7.3
        text: "Apply SecurityContext to your Pods and Containers (Manual)"
        type: "manual"
        remediation: |
          Follow the Kubernetes documentation and apply SecurityContexts to your Pods. For a
          suggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker
          Containers.
        scored: false

      - id: 5.7.4
        text: "The default namespace should not be used (Manual)"
        type: "manual"
        remediation: |
          Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
          resources and that all new resources are created in a specific namespace.
        scored: false