github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/tkgi-1.2.53/policies.yaml

---
controls:
version: "tkgi-1.2.53"
id: 5
text: "Kubernetes Policies"
type: "policies"
groups:
  - id: 5.1
    text: "RBAC and Service Accounts"
    checks:
      - id: 5.1.1
        text: "Ensure that the cluster-admin role is only used where required"
        type: "manual"
        remediation: |
          Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
          if they need this role or if they could use a role with fewer privileges.
          Where possible, first bind users to a lower privileged role and then remove the
          clusterrolebinding to the cluster-admin role:
          kubectl delete clusterrolebinding [name]
          Exception
          This is a site-specific setting.
        scored: false

      - id: 5.1.2
        text: "Minimize access to secrets"
        type: "manual"
        remediation: |
          Where possible, remove get, list and watch access to secret objects in the cluster.
          Exception
          This is a site-specific setting.
        scored: false

      - id: 5.1.3
        text: "Minimize wildcard use in Roles and ClusterRoles"
        type: "manual"
        remediation: |
          Where possible, replace any use of wildcards in clusterroles and roles with specific
          objects or actions.
          Exception
          This is a site-specific setting.
        scored: false

      - id: 5.1.4
        text: "Minimize access to create pods"
        type: "manual"
        remediation: |
          Where possible, remove create access to pod objects in the cluster.
          Exception
          This is a site-specific setting.
        scored: false

      - id: 5.1.5
        text: "Ensure that default service accounts are not actively used."
        type: "manual"
        remediation: |
          Create explicit service accounts wherever a Kubernetes workload requires specific access
          to the Kubernetes API server.
          Modify the configuration of each default service account to include this value:
          automountServiceAccountToken: false
          Exception
          This is a site-specific setting.
        scored: false

      - id: 5.1.6
        text: "Ensure that Service Account Tokens are only mounted where necessary"
        type: "manual"
        remediation: |
          Modify the definition of pods and service accounts which do not need to mount service
          account tokens to disable it.
          Exception
          This is a site-specific setting.
        scored: false

  - id: 5.2
    text: "Pod Security Policies"
    checks:
      - id: 5.2.1
        text: "Minimize the admission of privileged containers"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that
          the .spec.privileged field is omitted or set to false.
          Exception
          This is a site-specific setting.
        scored: false

      - id: 5.2.2
        text: "Minimize the admission of containers wishing to share the host process ID namespace"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.hostPID field is omitted or set to false.
          Exception
          This is a site-specific setting.
        scored: false

      - id: 5.2.3
        text: "Minimize the admission of containers wishing to share the host IPC namespace"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.hostIPC field is omitted or set to false.
          Exception
          This is a site-specific setting.
        scored: false

      - id: 5.2.4
        text: "Minimize the admission of containers wishing to share the host network namespace"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.hostNetwork field is omitted or set to false.
          Exception
          This is a site-specific setting.
        scored: false

      - id: 5.2.5
        text: "Minimize the admission of containers with allowPrivilegeEscalation"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.allowPrivilegeEscalation field is omitted or set to false.
          Exception
          This is a site-specific setting.
        scored: false

      - id: 5.2.6
        text: "Minimize the admission of root containers"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of
          UIDs not including 0.
          Exception
          This is a site-specific setting.
        scored: false

      - id: 5.2.7
        text: "Minimize the admission of containers with the NET_RAW capability"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
          Exception
          This is a site-specific setting.
        scored: false

      - id: 5.2.8
        text: "Minimize the admission of containers with added capabilities"
        type: "manual"
        remediation: |
          Ensure that allowedCapabilities is not present in PSPs for the cluster unless
          it is set to an empty array.
          Exception
          This is a site-specific setting.
        scored: false

      - id: 5.2.9
        text: "Minimize the admission of containers with capabilities assigned"
        type: "manual"
        remediation: |
          Review the use of capabilities in applications running on your cluster. Where a namespace
          contains applications which do not require any Linux capabilities to operate, consider adding
          a PSP which forbids the admission of containers which do not drop all capabilities.
          Exception
          This is a site-specific setting.
        scored: false

  - id: 5.3
    text: "Network Policies and CNI"
    checks:
      - id: 5.3.1
        text: "Ensure that the CNI in use supports Network Policies"
        type: "manual"
        remediation: |
          If the CNI plugin in use does not support network policies, consideration should be given to
          making use of a different plugin, or finding an alternate mechanism for restricting traffic
          in the Kubernetes cluster.
          Exception
          This is a site-specific setting.
        scored: false

      - id: 5.3.2
        text: "Ensure that all Namespaces have Network Policies defined"
        type: "manual"
        remediation: |
          Follow the documentation and create NetworkPolicy objects as you need them.
          Exception
          This is a site-specific setting.
        scored: false

  - id: 5.4
    text: "Secrets Management"
    checks:
      - id: 5.4.1
        text: "Prefer using secrets as files over secrets as environment variables"
        type: "manual"
        remediation: |
          If possible, rewrite application code to read secrets from mounted secret files, rather than
          from environment variables.
          Exception
          This is a site-specific setting.
        scored: false

      - id: 5.4.2
        text: "Consider external secret storage"
        type: "manual"
        remediation: |
          Refer to the secrets management options offered by your cloud provider or a third-party
          secrets management solution.
          Exception
          This is a site-specific setting.
        scored: false

  - id: 5.5
    text: "Extensible Admission Control"
    checks:
      - id: 5.5.1
        text: "Configure Image Provenance using ImagePolicyWebhook admission controller"
        type: "manual"
        remediation: |
          Follow the Kubernetes documentation and set up image provenance.
          Exception
          This is a site-specific setting.
        scored: false

  - id: 5.7
    text: "General Policies"
    checks:
      - id: 5.7.1
        text: "Create administrative boundaries between resources using namespaces"
        type: "manual"
        remediation: |
          Follow the documentation and create namespaces for objects in your deployment as you need
          them.
          Exception
          This is a site-specific setting.
        scored: false

      - id: 5.7.2
        text: "Ensure that the seccomp profile is set to docker/default in your pod definitions"
        type: "manual"
        remediation: |
          Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
          would need to enable alpha features in the apiserver by passing the
          "--feature-gates=AllAlpha=true" argument.
          Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
          parameter to "--feature-gates=AllAlpha=true":
          KUBE_API_ARGS="--feature-gates=AllAlpha=true"
          Based on your system, restart the kube-apiserver service. For example:
          systemctl restart kube-apiserver.service
          Use annotations to enable the docker/default seccomp profile in your pod definitions. An
          example is as below:
          apiVersion: v1
          kind: Pod
          metadata:
            name: trustworthy-pod
            annotations:
              seccomp.security.alpha.kubernetes.io/pod: docker/default
          spec:
            containers:
              - name: trustworthy-container
                image: sotrustworthy:latest
          Exception
          This is a site-specific setting.
        scored: false

      - id: 5.7.3
        text: "Apply Security Context to Your Pods and Containers"
        type: "manual"
        remediation: |
          Follow the Kubernetes documentation and apply security contexts to your pods. For a
          suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
          Containers.
          Exception
          This is a site-specific setting.
        scored: false

      - id: 5.7.4
        text: "The default namespace should not be used"
        type: "manual"
        remediation: |
          Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
          resources and that all new resources are created in a specific namespace.
          Exception
          This is a site-specific setting.
        scored: false