---
controls:
version: rh-1.0
id: 5
text: "Kubernetes Policies"
type: "policies"
groups:
- id: 5.1
text: "RBAC and Service Accounts"
checks:
- id: 5.1.1
text: "Ensure that the cluster-admin role is only used where required (Manual)"
type: "manual"
audit: |
#To get a list of users and service accounts with the cluster-admin role
oc get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind |
grep cluster-admin
#To verify that kubeadmin is removed, no results should be returned
oc get secrets kubeadmin -n kube-system
remediation: |
Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
if they need this role or if they could use a role with fewer privileges.
Where possible, first bind users to a lower privileged role and then remove the
clusterrolebinding to the cluster-admin role :
kubectl delete clusterrolebinding [name]
scored: false
- id: 5.1.2
text: "Minimize access to secrets (Manual)"
type: "manual"
remediation: |
Where possible, remove get, list and watch access to secret objects in the cluster.
scored: false
- id: 5.1.3
text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
type: "manual"
audit: |
#needs verification
oc get roles --all-namespaces -o yaml
for i in $(oc get roles -A -o jsonpath='{.items[*].metadata.name}'); do oc
describe clusterrole ${i}; done
#Retrieve the cluster roles defined in the cluster and review for wildcards
oc get clusterroles -o yaml
for i in $(oc get clusterroles -o jsonpath='{.items[*].metadata.name}'); do
oc describe clusterrole ${i}; done
remediation: |
Where possible replace any use of wildcards in clusterroles and roles with specific
objects or actions.
scored: false
- id: 5.1.4
text: "Minimize access to create pods (Manual)"
type: "manual"
remediation: |
Where possible, remove create access to pod objects in the cluster.
scored: false
- id: 5.1.5
text: "Ensure that default service accounts are not actively used. (Manual)"
type: "manual"
remediation: |
None required.
scored: false
- id: 5.1.6
text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)"
type: "manual"
remediation: |
Modify the definition of pods and service accounts which do not need to mount service
account tokens to disable it.
scored: false
- id: 5.2
text: "Pod Security Policies"
checks:
- id: 5.2.1
text: "Minimize the admission of privileged containers (Manual)"
audit: |
# needs verification
oc get scc -o=custom-columns=NAME:.metadata.name,allowPrivilegedContainer:.allowPrivilegedContainer
tests:
test_items:
- flag: "false"
remediation: |
Create a SCC as described in the OpenShift documentation, ensuring that the Allow
Privileged field is set to false.
scored: false
- id: 5.2.2
text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
audit: |
oc get scc -o=custom-columns=NAME:.metadata.name,allowHostPID:.allowHostPID
tests:
test_items:
- flag: "false"
remediation: |
Create a SCC as described in the OpenShift documentation, ensuring that the Allow Host
PID field is set to false.
scored: false
- id: 5.2.3
text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
audit: |
oc get scc -o=custom-columns=NAME:.metadata.name,allowHostIPC:.allowHostIPC
tests:
test_items:
- flag: "false"
remediation: |
Create a SCC as described in the OpenShift documentation, ensuring that the Allow Host
IPC field is set to false.
scored: false
- id: 5.2.4
text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
audit: |
oc get scc -o=custom-columns=NAME:.metadata.name,allowHostNetwork:.allowHostNetwork
tests:
test_items:
- flag: "false"
remediation: |
Create a SCC as described in the OpenShift documentation, ensuring that the Allow Host
Network field is omitted or set to false.
scored: false
- id: 5.2.5
text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
audit: |
oc get scc -o=custom-columns=NAME:.metadata.name,allowPrivilegeEscalation:.allowPrivilegeEscalation
tests:
test_items:
- flag: "false"
remediation: |
Create a SCC as described in the OpenShift documentation, ensuring that the Allow
Privilege Escalation field is omitted or set to false.
scored: false
- id: 5.2.6
text: "Minimize the admission of root containers (Manual)"
audit: |
# needs verification # | awk 'NR>1 {gsub("map\\[type:", "", $2); gsub("\\]$", "", $2); print $1 ":" $2}'
oc get scc -o=custom-columns=NAME:.metadata.name,runAsUser:.runAsUser.type
#For SCCs with MustRunAs verify that the range of UIDs does not include 0
oc get scc -o=custom-columns=NAME:.metadata.name,uidRangeMin:.runAsUser.uidRangeMin,uidRangeMax:.runAsUser.uidRangeMax
tests:
bin_op: or
test_items:
- flag: "MustRunAsNonRoot"
- flag: "MustRunAs"
compare:
op: nothave
value: 0
remediation: |
None required. By default, OpenShift includes the non-root SCC with the Run As User
Strategy set to MustRunAsNonRoot. If additional SCCs are appropriate, follow the
OpenShift documentation to create custom SCCs.
scored: false
- id: 5.2.7
text: "Minimize the admission of containers with the NET_RAW capability (Manual)"
audit: |
# needs verification
oc get scc -o=custom-columns=NAME:.metadata.name,requiredDropCapabilities:.requiredDropCapabilities
tests:
bin_op: or
test_items:
- flag: "ALL"
- flag: "NET_RAW"
remediation: |
Create a SCC as described in the OpenShift documentation, ensuring that the Required
Drop Capabilities is set to include either NET_RAW or ALL.
scored: false
- id: 5.2.8
text: "Minimize the admission of containers with added capabilities (Manual)"
type: "manual"
remediation: |
Ensure that Allowed Capabilities is set to an empty array for every SCC in the cluster
except for the privileged SCC.
scored: false
- id: 5.2.9
text: "Minimize the admission of containers with capabilities assigned (Manual)"
type: "manual"
remediation: |
Review the use of capabilities in applications running on your cluster. Where a namespace
contains applications which do not require any Linux capabilities to operate consider
adding a SCC which forbids the admission of containers which do not drop all capabilities.
scored: false
- id: 5.3
text: "Network Policies and CNI"
checks:
- id: 5.3.1
text: "Ensure that the CNI in use supports Network Policies (Manual)"
type: "manual"
remediation: |
None required.
scored: false
- id: 5.3.2
text: "Ensure that all Namespaces have Network Policies defined (Manual)"
type: "manual"
audit: |
#Run the following command and review the NetworkPolicy objects created in the cluster.
oc -n all get networkpolicy
remediation: |
Follow the documentation and create NetworkPolicy objects as you need them.
scored: false
- id: 5.4
text: "Secrets Management"
checks:
- id: 5.4.1
text: "Prefer using secrets as files over secrets as environment variables (Manual)"
type: "manual"
audit: |
#Run the following command to find references to objects which use environment variables defined from secrets.
oc get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind}
{.metadata.name} {"\n"}{end}' -A
remediation: |
If possible, rewrite application code to read secrets from mounted secret files, rather than
from environment variables.
scored: false
- id: 5.4.2
text: "Consider external secret storage (Manual)"
type: "manual"
remediation: |
Refer to the secrets management options offered by your cloud provider or a third-party
secrets management solution.
scored: false
- id: 5.5
text: "Extensible Admission Control"
checks:
- id: 5.5.1
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
type: "manual"
remediation: |
Follow the OpenShift documentation: [Image configuration resources](https://docs.openshift.com/container-platform/4.5/openshift_images/image-configuration.html)
scored: false
- id: 5.7
text: "General Policies"
checks:
- id: 5.7.1
text: "Create administrative boundaries between resources using namespaces (Manual)"
type: "manual"
audit: |
#Run the following command and review the namespaces created in the cluster.
oc get namespaces
#Ensure that these namespaces are the ones you need and are adequately administered as per your requirements.
remediation: |
Follow the documentation and create namespaces for objects in your deployment as you need
them.
scored: false
- id: 5.7.2
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)"
type: "manual"
remediation: |
To enable the default seccomp profile, use the reserved value /runtime/default that will
make sure that the pod uses the default policy available on the host.
scored: false
- id: 5.7.3
text: "Apply Security Context to Your Pods and Containers (Manual)"
type: "manual"
remediation: |
Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers.
scored: false
- id: 5.7.4
text: "The default namespace should not be used (Manual)"
type: "manual"
audit: |
#Run this command to list objects in default namespace
oc project default
oc get all
#The only entries there should be system managed resources such as the kubernetes and openshift service
remediation: |
Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
resources and that all new resources are created in a specific namespace.
scored: false