---
# kube-bench check definitions for the TKGI 1.2.53 benchmark, section 3
# ("Control Plane Configuration"). Every check carries an `audit` shell
# command; when a `tests` block is present its output is matched
# automatically, otherwise (`type: "manual"`, `scored: false`) the output is
# only shown to the operator for review.
#
# `controls:` carries no value; `version` through `groups` are top-level keys.
controls:
version: "tkgi-1.2.53"
# NOTE(review): unquoted `3`, `3.1` and `3.2` are an int and floats to a
# generic YAML parser, whereas `3.1.1` is a string; presumably the loader
# treats ids as strings (like the quoted `version` above) — quote them if any
# tooling disagrees.
id: 3
text: "Control Plane Configuration"
type: "controlplane"
groups:
  - id: 3.1
    text: "Authentication and Authorization"
    checks:
      - id: 3.1.1
        text: "Client certificate authentication should not be used for users"
        # Prints the kube-apiserver process line only when it carries the OIDC
        # issuer flag; empty output means the running apiserver was not started
        # with it. No `tests` block, so the result is informational only.
        audit: ps -ef | grep kube-apiserver | grep -- "--oidc-issuer-url="
        type: "manual"
        remediation: |
          Alternative mechanisms provided by Kubernetes such as the use of OIDC should be
          implemented in place of client certificates.
          Exception
          This setting is site-specific. It can be set in the "Configure created clusters to use UAA as the OIDC provider."
          section of the "UAA"
        scored: false

  - id: 3.2
    text: "Logging"
    checks:
      - id: 3.2.1
        text: "Ensure that a minimal audit policy is created"
        # Automated: passes when `--audit-policy-file` appears on the
        # kube-apiserver command line. `grep -v tini` drops lines mentioning
        # "tini" (presumably an init wrapper whose command line also names the
        # apiserver — verify on a node). Only flag presence is asserted; what
        # the policy file actually contains is checked by 3.2.2.
        audit: ps -ef | grep kube-apiserver | grep -v tini | grep -- "--audit-policy-file="
        tests:
          test_items:
            - flag: "--audit-policy-file"
        remediation: |
          Create an audit policy file for your cluster.
        scored: true

      - id: 3.2.2
        text: "Ensure that the audit policy covers key security concerns"
        # Diffs the on-disk policy against a reference policy echoed inline, so
        # any missing rule or differing level shows up in the audit output for
        # the reviewer. Manual, no `tests`.
        # NOTE(review): `<( ... )` process substitution is a bash feature —
        # confirm the shell kube-bench runs audits with supports it; otherwise
        # this audit errors out instead of reporting a diff.
        # NOTE(review): for diff to be quiet the echoed text must match
        # /var/vcap/jobs/kube-apiserver/config/audit_policy.yml line for line,
        # indentation included — verify the layout below against that file,
        # and that audit.k8s.io/v1beta1 is the API version it declares.
        audit: |
          diff /var/vcap/jobs/kube-apiserver/config/audit_policy.yml \
          <(echo "---
          apiVersion: audit.k8s.io/v1beta1
          kind: Policy
          rules:
          - level: None
            resources:
            - group: ''
              resources:
              - endpoints
              - services
              - services/status
            users:
            - system:kube-proxy
            verbs:
            - watch
          - level: None
            resources:
            - group: ''
              resources:
              - nodes
              - nodes/status
            users:
            - kubelet
            verbs:
            - get
          - level: None
            resources:
            - group: ''
              resources:
              - nodes
              - nodes/status
            userGroups:
            - system:nodes
            verbs:
            - get
          - level: None
            namespaces:
            - kube-system
            resources:
            - group: ''
              resources:
              - endpoints
            users:
            - system:kube-controller-manager
            - system:kube-scheduler
            - system:serviceaccount:kube-system:endpoint-controller
            verbs:
            - get
            - update
          - level: None
            resources:
            - group: ''
              resources:
              - namespaces
              - namespaces/status
              - namespaces/finalize
            users:
            - system:apiserver
            verbs:
            - get
          - level: None
            resources:
            - group: metrics.k8s.io
            users:
            - system:kube-controller-manager
            verbs:
            - get
            - list
          - level: None
            nonResourceURLs:
            - \"/healthz*\"
            - \"/version\"
            - \"/swagger*\"
          - level: None
            resources:
            - group: ''
              resources:
              - events
          - level: Request
            omitStages:
            - RequestReceived
            resources:
            - group: ''
              resources:
              - nodes/status
              - pods/status
            userGroups:
            - system:nodes
            verbs:
            - update
            - patch
          - level: Request
            omitStages:
            - RequestReceived
            users:
            - system:serviceaccount:kube-system:namespace-controller
            verbs:
            - deletecollection
          - level: Metadata
            omitStages:
            - RequestReceived
            resources:
            - group: ''
              resources:
              - secrets
              - configmaps
            - group: authentication.k8s.io
              resources:
              - tokenreviews
          - level: Request
            omitStages:
            - RequestReceived
            resources:
            - group: ''
            - group: admissionregistration.k8s.io
            - group: apiextensions.k8s.io
            - group: apiregistration.k8s.io
            - group: apps
            - group: authentication.k8s.io
            - group: authorization.k8s.io
            - group: autoscaling
            - group: batch
            - group: certificates.k8s.io
            - group: extensions
            - group: metrics.k8s.io
            - group: networking.k8s.io
            - group: policy
            - group: rbac.authorization.k8s.io
            - group: settings.k8s.io
            - group: storage.k8s.io
            verbs:
            - get
            - list
            - watch
          - level: RequestResponse
            omitStages:
            - RequestReceived
            resources:
            - group: ''
            - group: admissionregistration.k8s.io
            - group: apiextensions.k8s.io
            - group: apiregistration.k8s.io
            - group: apps
            - group: authentication.k8s.io
            - group: authorization.k8s.io
            - group: autoscaling
            - group: batch
            - group: certificates.k8s.io
            - group: extensions
            - group: metrics.k8s.io
            - group: networking.k8s.io
            - group: policy
            - group: rbac.authorization.k8s.io
            - group: settings.k8s.io
            - group: storage.k8s.io
          - level: Metadata
            omitStages:
            - RequestReceived
          ")
        type: "manual"
        remediation: |
          Consider modification of the audit policy in use on the cluster to include these items, at a
          minimum.
        scored: false