自测指南 - v2.3.5
#
CIS Kubernetes Benchmark v1.5 - Rancher v2.3.5 with Kubernetes v1.15#
概述本文档是对 Rancher v2.3.5 安全加固指南的补充。加固指南提供了用于加固 Rancher 的生产环境集群的指南,该基准自测指南旨在帮助您针对安全基准中的每个控制,来评估加固集群的安全级别。本指南将逐步介绍各种控制,并提供更新的示例命令以审核 Rancher 创建的集群中的合规性。此文档的适用人群是:Rancher 运维人员、安全团队、审核员和决策者。
加固指南旨在与特定版本的安全加固指南,CIS Kubernetes Benchmark,Kubernetes 和 Rancher 一起使用:
自测指南版本 | Rancher 版本 | 安全加固指南版本 | Kubernetes 版本 | CIS Benchmark 版本 |
---|---|---|---|---|
自测指南 v2.3.5 | Rancher v2.3.5 | 安全加固指南 v2.3.5 | Kubernetes v1.15 | Benchmark v1.5 |
由于 Rancher 和 RKE 以容器的方式安装 Kubernetes,因此 CIS Kubernetes Benchmark 中的许多控制验证检查均不适用,完成 CIS 扫描后,这些检测对应的结论是Not Applicable
(不适用)。
有关每个审核的更多详细信息,包括测试失败的原因和补救措施,您可以参考 CIS Kubernetes Benchmark v1.5 的相应部分。登录CISecurity.org后,可以下载基准测试。
#
测试控制方法Rancher 和 RKE 通过 Docker 容器安装 Kubernetes 服务。配置在初始化时通过给容器传递参数的方式设置,而不是通过配置文件定义。
如果控制审核与原始 CIS 基准不同,则将提供 Rancher Labs 特定的审核命令以进行测试。执行测试时,您将需要访问所有三个 RKE 角色的主机上的 Docker 命令行。这些命令还利用了jq和kubectl(使用有效的 kubeconfig 文件)来测试和评估测试结果。
#
1 Master Node Security Configuration#
1.1 Master Node Configuration Files644
or more restrictive (Scored)#
1.1.1 Ensure that the API server pod specification file permissions are set to Result: Not Applicable
Remediation: RKE doesn’t require or maintain a configuration file for the API server. All configuration is passed in as arguments at container run time.
root:root
(Scored)#
1.1.2 Ensure that the API server pod specification file ownership is set to Result: Not Applicable
Remediation: RKE doesn’t require or maintain a configuration file for the API server. All configuration is passed in as arguments at container run time.
644
or more restrictive (Scored)#
1.1.3 Ensure that the controller manager pod specification file permissions are set to Result: Not Applicable
Remediation: RKE doesn’t require or maintain a configuration file for the controller manager. All configuration is passed in as arguments at container run time.
root:root
(Scored)#
1.1.4 Ensure that the controller manager pod specification file ownership is set to Result: Not Applicable
Remediation: RKE doesn’t require or maintain a configuration file for the controller manager. All configuration is passed in as arguments at container run time.
644
or more restrictive (Scored)#
1.1.5 Ensure that the scheduler pod specification file permissions are set to Result: Not Applicable
Remediation: RKE doesn’t require or maintain a configuration file for the scheduler. All configuration is passed in as arguments at container run time.
root:root
(Scored)#
1.1.6 Ensure that the scheduler pod specification file ownership is set to Result: Not Applicable
Remediation: RKE doesn’t require or maintain a configuration file for the scheduler. All configuration is passed in as arguments at container run time.
644
or more restrictive (Scored)#
1.1.7 Ensure that the etcd pod specification file permissions are set to Result: Not Applicable
Remediation: RKE doesn’t require or maintain a configuration file for etcd. All configuration is passed in as arguments at container run time.
root:root
(Scored)#
1.1.8 Ensure that the etcd pod specification file ownership is set to Result: Not Applicable
Remediation: RKE doesn’t require or maintain a configuration file for etcd. All configuration is passed in as arguments at container run time.
700
or more restrictive (Scored)#
1.1.11 Ensure that the etcd data directory permissions are set to Result: PASS
Remediation:
On the etcd server node, get the etcd data directory, passed as an argument --data-dir
,
from the below command:
Run the below command (based on the etcd data directory found above). For example,
Audit Script: 1.1.11.sh
Audit Execution:
Expected result:
etcd:etcd
(Scored)#
1.1.12 Ensure that the etcd data directory ownership is set to Result: PASS
Remediation:
On the etcd server node, get the etcd data directory, passed as an argument --data-dir
,
from the below command:
Run the below command (based on the etcd data directory found above). For example,
Audit Script: 1.1.12.sh
Audit Execution:
Expected result:
admin.conf
file permissions are set to 644
or more restrictive (Scored)#
1.1.13 Ensure that the Result: Not Applicable
Remediation:
RKE does not store the kubernetes default kubeconfig credentials file on the nodes. It’s presented to user where RKE is run.
We recommend that this kube_config_cluster.yml
file be kept in secure store.
root:root
(Scored)#
1.1.14 Ensure that the admin.conf file ownership is set to Result: Not Applicable
Remediation:
RKE does not store the kubernetes default kubeconfig credentials file on the nodes. It’s presented to user where RKE is run.
We recommend that this kube_config_cluster.yml
file be kept in secure store.
scheduler.conf
file permissions are set to 644
or more restrictive (Scored)#
1.1.15 Ensure that the Result: Not Applicable
Remediation: RKE doesn’t require or maintain a configuration file for the scheduler. All configuration is passed in as arguments at container run time.
scheduler.conf
file ownership is set to root:root
(Scored)#
1.1.16 Ensure that the Result: Not Applicable
Remediation: RKE doesn’t require or maintain a configuration file for the scheduler. All configuration is passed in as arguments at container run time.
controller-manager.conf
file permissions are set to 644
or more restrictive (Scored)#
1.1.17 Ensure that the Result: Not Applicable
Remediation: RKE doesn’t require or maintain a configuration file for the controller manager. All configuration is passed in as arguments at container run time.
controller-manager.conf
file ownership is set to root:root
(Scored)#
1.1.18 Ensure that the Result: Not Applicable
Remediation: RKE doesn’t require or maintain a configuration file for the controller manager. All configuration is passed in as arguments at container run time.
root:root
(Scored)#
1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to Result: PASS
Remediation: Run the below command (based on the file location on your system) on the master node. For example,
Audit:
Expected result:
644
or more restrictive (Scored)#
1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to Result: PASS
Remediation: Run the below command (based on the file location on your system) on the master node. For example,
Audit Script: check_files_permissions.sh
Audit Execution:
Expected result:
600
(Scored)#
1.1.21 Ensure that the Kubernetes PKI key file permissions are set to Result: PASS
Remediation: Run the below command (based on the file location on your system) on the master node. For example,
Audit Script: 1.1.21.sh
Audit Execution:
Expected result:
#
1.2 API Server--basic-auth-file
argument is not set (Scored)#
1.2.2 Ensure that the Result: PASS
Remediation:
Follow the documentation and configure alternate mechanisms for authentication. Then,
edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and remove the --basic-auth-file=<filename>
parameter.
Audit:
Expected result:
--token-auth-file
parameter is not set (Scored)#
1.2.3 Ensure that the Result: PASS
Remediation:
Follow the documentation and configure alternate mechanisms for authentication. Then,
edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and remove the --token-auth-file=<filename>
parameter.
Audit:
Expected result:
--kubelet-https
argument is set to true (Scored)#
1.2.4 Ensure that the Result: PASS
Remediation:
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and remove the --kubelet-https
parameter.
Audit:
Expected result:
--kubelet-client-certificate
and --kubelet-client-key
arguments are set as appropriate (Scored)#
1.2.5 Ensure that the Result: PASS
Remediation:
Follow the Kubernetes documentation and set up the TLS connection between the
apiserver and kubelets. Then, edit API server pod specification file
/etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the
kubelet client certificate and key parameters as below.
Audit:
Expected result:
--kubelet-certificate-authority
argument is set as appropriate (Scored)#
1.2.6 Ensure that the Result: PASS
Remediation:
Follow the Kubernetes documentation and setup the TLS connection between
the apiserver and kubelets. Then, edit the API server pod specification file
/etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the
--kubelet-certificate-authority
parameter to the path to the cert file for the certificate authority.
--kubelet-certificate-authority=<ca-string>
Audit:
Expected result:
--authorization-mode
argument is not set to AlwaysAllow
(Scored)#
1.2.7 Ensure that the Result: PASS
Remediation:
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --authorization-mode
parameter to values other than AlwaysAllow
.
One such example could be as below.
Audit:
Expected result:
--authorization-mode
argument includes Node
(Scored)#
1.2.8 Ensure that the Result: PASS
Remediation:
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --authorization-mode
parameter to a value that includes Node
.
Audit:
Expected result:
--authorization-mode
argument includes RBAC
(Scored)#
1.2.9 Ensure that the Result: PASS
Remediation:
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --authorization-mode
parameter to a value that includes RBAC,
for example:
Audit:
Expected result:
AlwaysAdmit
is not set (Scored)#
1.2.11 Ensure that the admission control plugin Result: PASS
Remediation:
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and either remove the --enable-admission-plugins
parameter, or set it to a
value that does not include AlwaysAdmit
.
Audit:
Expected result:
ServiceAccount
is set (Scored)#
1.2.14 Ensure that the admission control plugin Result: PASS
Remediation:
Follow the documentation and create ServiceAccount objects as per your environment.
Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and ensure that the --disable-admission-plugins
parameter is set to a
value that does not include ServiceAccount
.
Audit:
Expected result:
NamespaceLifecycle
is set (Scored)#
1.2.15 Ensure that the admission control plugin Result: PASS
Remediation:
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --disable-admission-plugins
parameter to
ensure it does not include NamespaceLifecycle
.
Audit:
Expected result:
PodSecurityPolicy
is set (Scored)#
1.2.16 Ensure that the admission control plugin Result: PASS
Remediation:
Follow the documentation and create Pod Security Policy objects as per your environment.
Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --enable-admission-plugins
parameter to a
value that includes PodSecurityPolicy
:
Then restart the API Server.
Audit:
Expected result:
NodeRestriction
is set (Scored)#
1.2.17 Ensure that the admission control plugin Result: PASS
Remediation:
Follow the Kubernetes documentation and configure NodeRestriction
plug-in on kubelets.
Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --enable-admission-plugins
parameter to a
value that includes NodeRestriction
.
Audit:
Expected result:
--insecure-bind-address
argument is not set (Scored)#
1.2.18 Ensure that the Result: PASS
Remediation:
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and remove the --insecure-bind-address
parameter.
Audit:
Expected result:
--insecure-port
argument is set to 0
(Scored)#
1.2.19 Ensure that the Result: PASS
Remediation:
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter.
Audit:
Expected result:
--secure-port
argument is not set to 0
(Scored)#
1.2.20 Ensure that the Result: PASS
Remediation:
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and either remove the --secure-port
parameter or
set it to a different (non-zero) desired port.
Audit:
Expected result:
--profiling
argument is set to false
(Scored)#
1.2.21 Ensure that the Result: PASS
Remediation:
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter.
Audit:
Expected result:
--audit-log-path
argument is set (Scored)#
1.2.22 Ensure that the Result: PASS
Remediation:
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --audit-log-path
parameter to a suitable path and
file where you would like audit logs to be written, for example:
Audit:
Expected result:
--audit-log-maxage
argument is set to 30
or as appropriate (Scored)#
1.2.23 Ensure that the Result: PASS
Remediation:
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --audit-log-maxage
parameter to 30
or as an appropriate number of days:
Audit:
Expected result:
--audit-log-maxbackup
argument is set to 10
or as appropriate (Scored)#
1.2.24 Ensure that the Result: PASS
Remediation:
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --audit-log-maxbackup
parameter to 10
or to an appropriate
value.
Audit:
Expected result:
--audit-log-maxsize
argument is set to 100
or as appropriate (Scored)#
1.2.25 Ensure that the Result: PASS
Remediation:
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --audit-log-maxsize
parameter to an appropriate size in MB.
For example, to set it as 100
MB:
Audit:
Expected result:
--request-timeout
argument is set as appropriate (Scored)#
1.2.26 Ensure that the Result: PASS
Remediation:
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
and set the below parameter as appropriate and if needed.
For example,
Audit:
Expected result:
--service-account-lookup
argument is set to true
(Scored)#
1.2.27 Ensure that the Result: PASS
Remediation:
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter.
Alternatively, you can delete the --service-account-lookup
parameter from this file so
that the default takes effect.
Audit:
Expected result:
--service-account-key-file
argument is set as appropriate (Scored)#
1.2.28 Ensure that the Result: PASS
Remediation:
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --service-account-key-file
parameter
to the public key file for service accounts:
Audit:
Expected result:
--etcd-certfile
and --etcd-keyfile
arguments are set as appropriate (Scored)#
1.2.29 Ensure that the Result: PASS
Remediation:
Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.
Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the etcd certificate and key file parameters.
Audit:
Expected result:
--tls-cert-file
and --tls-private-key-file
arguments are set as appropriate (Scored)#
1.2.30 Ensure that the Result: PASS
Remediation:
Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the TLS certificate and private key file parameters.
Audit:
Expected result:
--client-ca-file
argument is set as appropriate (Scored)#
1.2.31 Ensure that the Result: PASS
Remediation:
Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the client certificate authority file.
Audit:
Expected result:
--etcd-cafile
argument is set as appropriate (Scored)#
1.2.32 Ensure that the Result: PASS
Remediation:
Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.
Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the etcd certificate authority file parameter.
Audit:
Expected result:
--encryption-provider-config
argument is set as appropriate (Scored)#
1.2.33 Ensure that the Result: PASS
Remediation:
Follow the Kubernetes documentation and configure a EncryptionConfig file.
Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --encryption-provider-config
parameter to the path of that file:
Audit:
Expected result:
#
1.2.34 Ensure that encryption providers are appropriately configured (Scored)Result: PASS
Remediation:
Follow the Kubernetes documentation and configure a EncryptionConfig
file.
In this file, choose aescbc, kms or secretbox as the encryption provider.
Audit Script: 1.2.34.sh
Audit Execution:
Expected result:
#
1.3 Controller Manager--terminated-pod-gc-threshold
argument is set as appropriate (Scored)#
1.3.1 Ensure that the Result: PASS
Remediation:
Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the master node and set the --terminated-pod-gc-threshold
to an appropriate threshold,
for example:
Audit:
Expected result:
--profiling
argument is set to false (Scored)#
1.3.2 Ensure that the Result: PASS
Remediation:
Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the master node and set the below parameter.
Audit:
Expected result:
--use-service-account-credentials
argument is set to true
(Scored)#
1.3.3 Ensure that the Result: PASS
Remediation:
Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the master node to set the below parameter.
Audit:
Expected result:
--service-account-private-key-file
argument is set as appropriate (Scored)#
1.3.4 Ensure that the Result: PASS
Remediation:
Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the master node and set the --service-account-private-key-file
parameter
to the private key file for service accounts.
Audit:
Expected result:
--root-ca-file
argument is set as appropriate (Scored)#
1.3.5 Ensure that the Result: PASS
Remediation:
Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the master node and set the --root-ca-file
parameter to the certificate bundle file`.
Audit:
Expected result:
RotateKubeletServerCertificate
argument is set to true
(Scored)#
1.3.6 Ensure that the Result: PASS
Remediation:
Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the master node and set the --feature-gates
parameter to include RotateKubeletServerCertificate=true
.
Audit:
Expected result:
--bind-address argument
is set to 127.0.0.1
(Scored)#
1.3.7 Ensure that the Result: PASS
Remediation:
Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the master node and ensure the correct value for the --bind-address
parameter.
Audit:
Expected result:
#
1.4 Scheduler--profiling
argument is set to false
(Scored)#
1.4.1 Ensure that the Result: PASS
Remediation:
Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml
file
on the master node and set the below parameter.
Audit:
Expected result:
--bind-address
argument is set to 127.0.0.1
(Scored)#
1.4.2 Ensure that the Result: PASS
Remediation:
Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml
on the master node and ensure the correct value for the --bind-address
parameter.
Audit:
Expected result:
#
2 Etcd Node Configuration#
2 Etcd Node Configuration Files--cert-file
and --key-file
arguments are set as appropriate (Scored)#
2.1 Ensure that the Result: PASS
Remediation:
Follow the etcd service documentation and configure TLS encryption.
Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
on the master node and set the below parameters.
Audit:
Expected result:
--client-cert-auth
argument is set to true
(Scored)#
2.2 Ensure that the Result: PASS
Remediation:
Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
on the master
node and set the below parameter.
Audit:
Expected result:
--auto-tls
argument is not set to true
(Scored)#
2.3 Ensure that the Result: PASS
Remediation:
Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
on the master
node and either remove the --auto-tls
parameter or set it to false
.
Audit:
Expected result:
--peer-cert-file
and --peer-key-file
arguments are set as appropriate (Scored)#
2.4 Ensure that the Result: PASS
Remediation:
Follow the etcd service documentation and configure peer TLS encryption as appropriate
for your etcd cluster. Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
on the
master node and set the below parameters.
Audit:
Expected result:
--peer-client-cert-auth
argument is set to true
(Scored)#
2.5 Ensure that the Result: PASS
Remediation:
Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
on the master
node and set the below parameter.
Audit:
Expected result:
--peer-auto-tls
argument is not set to true
(Scored)#
2.6 Ensure that the Result: PASS
Remediation:
Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
on the master
node and either remove the --peer-auto-tls
parameter or set it to false
.
Audit:
Expected result:
#
3 Control Plane Configuration#
3.2 Logging#
3.2.1 Ensure that a minimal audit policy is created (Scored)Result: PASS
Remediation: Create an audit policy file for your cluster.
Audit Script: 3.2.1.sh
Audit Execution:
Expected result:
#
4 Worker Node Security Configuration#
4.1 Worker Node Configuration Files644
or more restrictive (Scored)#
4.1.1 Ensure that the kubelet service file permissions are set to Result: Not Applicable
Remediation: RKE doesn’t require or maintain a configuration file for the kubelet service. All configuration is passed in as arguments at container run time.
root:root
(Scored)#
4.1.2 Ensure that the kubelet service file ownership is set to Result: Not Applicable
Remediation: RKE doesn’t require or maintain a configuration file for the kubelet service. All configuration is passed in as arguments at container run time.
644
or more restrictive (Scored)#
4.1.3 Ensure that the proxy kubeconfig file permissions are set to Result: PASS
Remediation: Run the below command (based on the file location on your system) on the each worker node. For example,
Audit:
Expected result:
root:root
(Scored)#
4.1.4 Ensure that the proxy kubeconfig file ownership is set to Result: PASS
Remediation: Run the below command (based on the file location on your system) on the each worker node. For example,
Audit:
Expected result:
644
or more restrictive (Scored)#
4.1.5 Ensure that the kubelet.conf file permissions are set to Result: PASS
Remediation: Run the below command (based on the file location on your system) on the each worker node. For example,
Audit:
Expected result:
root:root
(Scored)#
4.1.6 Ensure that the kubelet.conf file ownership is set to Result: PASS
Remediation: Run the below command (based on the file location on your system) on the each worker node. For example,
Audit:
Expected result:
644
or more restrictive (Scored)#
4.1.7 Ensure that the certificate authorities file permissions are set to Result: PASS
Remediation: Run the following command to modify the file permissions of the
Audit:
Expected result:
root:root
(Scored)#
4.1.8 Ensure that the client certificate authorities file ownership is set to Result: PASS
Remediation:
Run the following command to modify the ownership of the --client-ca-file
.
Audit:
Expected result:
644
or more restrictive (Scored)#
4.1.9 Ensure that the kubelet configuration file has permissions set to Result: Not Applicable
Remediation: RKE doesn’t require or maintain a configuration file for the kubelet service. All configuration is passed in as arguments at container run time.
root:root
(Scored)#
4.1.10 Ensure that the kubelet configuration file ownership is set to Result: Not Applicable
Remediation: RKE doesn’t require or maintain a configuration file for the kubelet service. All configuration is passed in as arguments at container run time.
#
4.2 Kubelet--anonymous-auth argument
is set to false (Scored)#
4.2.1 Ensure that the Result: PASS
Remediation:
If using a Kubelet config file, edit the file to set authentication: anonymous
: enabled to
false
.
If using executable arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf
on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS
variable.
Based on your system, restart the kubelet service. For example:
Audit:
Audit Config:
Expected result:
--authorization-mode
argument is not set to AlwaysAllow
(Scored)#
4.2.2 Ensure that the Result: PASS
Remediation:
If using a Kubelet config file, edit the file to set authorization: mode
to Webhook
. If
using executable arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf
on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS
variable.
Based on your system, restart the kubelet service. For example:
Audit:
Audit Config:
Expected result:
--client-ca-file
argument is set as appropriate (Scored)#
4.2.3 Ensure that the Result: PASS
Remediation:
If using a Kubelet config file, edit the file to set authentication: x509
: clientCAFile
to
the location of the client CA file.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf
on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS
variable.
Based on your system, restart the kubelet service. For example:
Audit:
Audit Config:
Expected result:
--read-only-port
argument is set to 0
(Scored)#
4.2.4 Ensure that the Result: PASS
Remediation:
If using a Kubelet config file, edit the file to set readOnlyPort
to 0
.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf
on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS
variable.
Based on your system, restart the kubelet service. For example:
Audit:
Audit Config:
Expected result:
--streaming-connection-idle-timeout
argument is not set to 0
(Scored)#
4.2.5 Ensure that the Result: PASS
Remediation:
If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout
to a
value other than 0
.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf
on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS
variable.
Based on your system, restart the kubelet service. For example:
Audit:
Audit Config:
Expected result:
--protect-kernel-defaults
argument is set to true
(Scored)#
4.2.6 Ensure that the Result: PASS
Remediation:
If using a Kubelet config file, edit the file to set protectKernelDefaults
: true
.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf
on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS
variable.
Based on your system, restart the kubelet service. For example:
Audit:
Audit Config:
Expected result:
--make-iptables-util-chains
argument is set to true
(Scored)#
4.2.7 Ensure that the Result: PASS
Remediation:
If using a Kubelet config file, edit the file to set makeIPTablesUtilChains
: true
.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf
on each worker node and
remove the --make-iptables-util-chains
argument from the
KUBELET_SYSTEM_PODS_ARGS
variable.
Based on your system, restart the kubelet service. For example:
Audit:
Audit Config:
Expected result:
--tls-cert-file
and --tls-private-key-file
arguments are set as appropriate (Scored)#
4.2.10 Ensure that the Result: Not Applicable
Remediation: RKE doesn’t require or maintain a configuration file for the kubelet service. All configuration is passed in as arguments at container run time.
--rotate-certificates
argument is not set to false
(Scored)#
4.2.11 Ensure that the Result: PASS
Remediation:
If using a Kubelet config file, edit the file to add the line rotateCertificates
: true
or
remove it altogether to use the default value.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf
on each worker node and
remove --rotate-certificates=false
argument from the KUBELET_CERTIFICATE_ARGS
variable.
Based on your system, restart the kubelet service. For example:
Audit:
Audit Config:
Expected result:
RotateKubeletServerCertificate
argument is set to true
(Scored)#
4.2.12 Ensure that the Result: PASS
Remediation:
Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS
variable.
Based on your system, restart the kubelet service. For example:
Audit:
Audit Config:
Expected result:
#
5 Kubernetes Policies#
5.1 RBAC and Service Accounts#
5.1.5 Ensure that default service accounts are not actively used. (Scored)Result: PASS
Remediation: Create explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value
Audit Script: 5.1.5.sh
Audit Execution:
Expected result:
#
5.2 Pod Security Policies#
5.2.2 Minimize the admission of containers wishing to share the host process ID namespace (Scored)Result: PASS
Remediation:
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.hostPID
field is omitted or set to false
.
Audit:
Expected result:
#
5.2.3 Minimize the admission of containers wishing to share the host IPC namespace (Scored)Result: PASS
Remediation:
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.hostIPC
field is omitted or set to false
.
Audit:
Expected result:
#
5.2.4 Minimize the admission of containers wishing to share the host network namespace (Scored)Result: PASS
Remediation:
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.hostNetwork
field is omitted or set to false
.
Audit:
Expected result:
allowPrivilegeEscalation
(Scored)#
5.2.5 Minimize the admission of containers with Result: PASS
Remediation:
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.allowPrivilegeEscalation
field is omitted or set to false
.
Audit:
Expected result:
#
5.3 Network Policies and CNI#
5.3.2 Ensure that all Namespaces have Network Policies defined (Scored)Result: PASS
Remediation:
Follow the documentation and create NetworkPolicy
objects as you need them.
Audit Script: 5.3.2.sh
Audit Execution:
Expected result:
#
5.6 General Policies#
5.6.4 The default namespace should not be used (Scored)Result: PASS
Remediation: Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace.
Audit Script: 5.6.4.sh
Audit Execution:
Expected result: