mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-18 12:48:08 +00:00
127 lines
4.4 KiB
Plaintext
127 lines
4.4 KiB
Plaintext
|
---
|
||
|
controls:
|
||
|
id: 1
|
||
|
text: "Master Checks"
|
||
|
type: "master"
|
||
|
groups:
|
||
|
- id: 1.1
|
||
|
text: "Kube-apiserver"
|
||
|
checks:
|
||
|
- id: 1.1.1
|
||
|
text: "Ensure that the --allow-privileged argument is set (Scored)"
|
||
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||
|
tests:
|
||
|
test_items:
|
||
|
-
|
||
|
flag: "--allow-privileged"
|
||
|
set: true
|
||
|
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.1.2
|
||
|
text: "Ensure that the --basic-auth argument is not set (Scored)"
|
||
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||
|
tests:
|
||
|
test_item:
|
||
|
-
|
||
|
flag: "--basic-auth"
|
||
|
set: false
|
||
|
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.1.3
|
||
|
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
||
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||
|
tests:
|
||
|
test_items:
|
||
|
-
|
||
|
flag: "--insecure-port"
|
||
|
compare:
|
||
|
op: eq
|
||
|
value: 0
|
||
|
set: true
|
||
|
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.1.4
|
||
|
text: "Ensure that the --audit-log-maxage argument is set to 30 or appropriate (Scored)"
|
||
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||
|
tests:
|
||
|
test_items:
|
||
|
-
|
||
|
flag: "--audit-log-maxage"
|
||
|
compare:
|
||
|
op: gte
|
||
|
value: 30
|
||
|
set: true
|
||
|
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.1.5
|
||
|
text: "Ensure that the --max-backlog argument is set to 30 or less (Scored)"
|
||
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--max-backlog"
|
||
|
compare:
|
||
|
op: lt
|
||
|
value: 30
|
||
|
set: true
|
||
|
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.1.6
|
||
|
text: "Ensure admission control does not include AlwaysAdmit (Scored)"
|
||
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||
|
tests:
|
||
|
test_items:
|
||
|
-
|
||
|
flag: "--admission-control"
|
||
|
compare:
|
||
|
op: nothave
|
||
|
value: AlwaysAdmit
|
||
|
set: true
|
||
|
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.1.7
|
||
|
text: "Ensure that the --kubelet-client-certificate and --kubelet-clientkey arguments are set as appropriate (Scored)"
|
||
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||
|
tests:
|
||
|
bin_op: and
|
||
|
test_items:
|
||
|
- flag: "--kubelet-client-certificate"
|
||
|
set: true
|
||
|
- flag: "--kubelet-clientkey"
|
||
|
set: true
|
||
|
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.1.8
|
||
|
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
||
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
||
|
tests:
|
||
|
bin_op: or
|
||
|
test_items:
|
||
|
-
|
||
|
flag: "--secure-port"
|
||
|
compare:
|
||
|
op: eq
|
||
|
value: 0
|
||
|
set: true
|
||
|
-
|
||
|
flag: "--secure-port"
|
||
|
set: false
|
||
|
remediation: "Edit the /etc/kubernetes/apiserver file on the master node and either remove the -secure-port argument from the KUBE_API_ARGS parameter or set it to a different desired port."
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.4.1
|
||
|
text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
|
||
|
audit: "stat -c %a /etc/kubernetes/apiserver"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "644"
|
||
|
set: true
|
||
|
remediation: "Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/apiserver"
|
||
|
scored: true
|