kube-bench/cfg/aks-1.0/controlplane.yaml

---
controls:
version: "aks-1.0"
id: 2
text: "Control Plane Configuration"
type: "controlplane"
groups:
  - id: 2.1
    text: "Authentication and Authorization"
    checks:
      - id: 2.1.1
        text: "Enable Azure Active Directory Integration"
        type: "manual"
        remediation: |
          Use of OIDC should be implemented in place of client certificates. Cluster administrators can configure Kubernetes role-based access control (RBAC) based on a user's identity or directory group membership. Azure AD authentication is provided to AKS clusters with OpenID Connect. See https://docs.microsoft.com/en-us/azure/aks/managed-aad.
        scored: false
      - id: 2.1.2
        text: "Limit access to cluster configuration file"
        type: "manual"
        remediation: |
          Use Azure role-based access control to define access to the Kubernetes configuration file in Azure Kubernetes Service (AKS). See https://docs.microsoft.com/en-us/azure/aks/control-kubeconfig-access
        scored: false

  - id: 2.2
    text: "Logging"
    checks:
      - id: 2.2.1
        text: "Enable logging for the Kubernetes master components"
        type: "manual"
        remediation: "Enable log collection for the Kubernetes master components in the AKS cluster using Diagnostic settings."
        scored: false
Created config and test files for Azure Kubernetes Service (AKS). (#733) * First draft of AKS configuration checks. * Updated Azure Configurations. Added more policy checks. * Finalized cfg components for AKS. * Fixed targets for aks-1.0 in common_test.go * Fixed yaml linting issues. * Fixed white space yaml linkting issues in policies.yaml * Fixed white space yaml linting issues in policies.yaml 2020-11-16 12:35:57 +00:00			`---`
			`controls:`
			`version: "aks-1.0"`
			`id: 2`
			`text: "Control Plane Configuration"`
			`type: "controlplane"`
			`groups:`
			`- id: 2.1`
			`text: "Authentication and Authorization"`
			`checks:`
			`- id: 2.1.1`
			`text: "Enable Azure Active Directory Integration"`
			`type: "manual"`
			`remediation: \|`
			`Use of OIDC should be implemented in place of client certificates. Cluster administrators can configure Kubernetes role-based access control (RBAC) based on a user's identity or directory group membership. Azure AD authentication is provided to AKS clusters with OpenID Connect. See https://docs.microsoft.com/en-us/azure/aks/managed-aad.`
			`scored: false`
			`- id: 2.1.2`
			`text: "Limit access to cluster configuration file"`
			`type: "manual"`
			`remediation: \|`
			`Use Azure role-based access control to define access to the Kubernetes configuration file in Azure Kubernetes Service (AKS). See https://docs.microsoft.com/en-us/azure/aks/control-kubeconfig-access`
			`scored: false`

			`- id: 2.2`
			`text: "Logging"`
			`checks:`
			`- id: 2.2.1`
			`text: "Enable logging for the Kubernetes master components"`
			`type: "manual"`
			`remediation: "Enable log collection for the Kubernetes master components in the AKS cluster using Diagnostic settings."`
			`scored: false`