1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-18 14:18:08 +00:00
kube-bench/cfg/gke-1.0/master.yaml

349 lines
14 KiB
YAML
Raw Normal View History

---
controls:
version: "gke-1.0"
id: 1
text: "Control Plane Components"
type: "master"
groups:
- id: 1.1
text: "Master Node Configuration Files "
checks:
- id: 1.1.1
text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.1.2
text: "Ensure that the API server pod specification file ownership is set to root:root (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.1.3
text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.1.4
text: "Ensure that the controller manager pod specification file ownership is set to root:root (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.1.5
text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.1.6
text: "Ensure that the scheduler pod specification file ownership is set to root:root (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.1.7
text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.1.8
text: "Ensure that the etcd pod specification file ownership is set to root:root (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.1.9
text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.1.10
text: "Ensure that the Container Network Interface file ownership is set to root:root (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.1.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.1.13
text: "Ensure that the admin.conf file permissions are set to 644 or more restrictive (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.1.14
text: "Ensure that the admin.conf file ownership is set to root:root (Not Scored) "
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.1.15
text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: true
- id: 1.1.16
text: "Ensure that the scheduler.conf file ownership is set to root:root (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.1.17
text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.1.18
text: "Ensure that the controller-manager.conf file ownership is set to root:root (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.1.19
text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.1.20
text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.1.21
text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2
text: "API Server"
checks:
- id: 1.2.1
text: "Ensure that the --anonymous-auth argument is set to false (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.2
text: "Ensure that the --basic-auth-file argument is not set (Not Scored)"
remediation: |
Although the use of the --basic-auth-file argument cannot be audited on GKE, you can
remediate the use of basic authentication. See Recommendation 6.8.1.
scored: false
- id: 1.2.3
text: "Ensure that the --token-auth-file parameter is not set (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.4
text: "Ensure that the --kubelet-https argument is set to true (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.5
text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.6
text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.7
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.8
text: "Ensure that the --authorization-mode argument includes Node (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.9
text: "Ensure that the --authorization-mode argument includes RBAC (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.10
text: "Ensure that the admission control plugin EventRateLimit is set (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.11
text: "Ensure that the admission control plugin AlwaysAdmit is not set (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.12
text: "Ensure that the admission control plugin AlwaysPullImages is set (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.13
text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.14
text: "Ensure that the admission control plugin ServiceAccount is set (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.15
text: "Ensure that the admission control plugin NamespaceLifecycle is set (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.16
text: "Ensure that the admission control plugin PodSecurityPolicy is set (Not Scored)"
remediation: |
To verify and remediate the use of Pod Security Policy on GKE, see Recommendation 6.10.3.
scored: false
- id: 1.2.17
text: "Ensure that the admission control plugin NodeRestriction is set (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.18
text: "Ensure that the --insecure-bind-address argument is not set (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.19
text: "Ensure that the --insecure-port argument is set to 0 (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.20
text: "Ensure that the --secure-port argument is not set to 0 (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.21
text: "Ensure that the --profiling argument is set to false (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.22
text: "Ensure that the --audit-log-path argument is set (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.23
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.24
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.25
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.26
text: "Ensure that the --request-timeout argument is set as appropriate (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.27
text: "Ensure that the --service-account-lookup argument is set to true (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.28
text: "Ensure that the --service-account-key-file argument is set as appropriate (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.29
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.30
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.31
text: "Ensure that the --client-ca-file argument is set as appropriate (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.32
text: "Ensure that the --etcd-cafile argument is set as appropriate (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.2.33
text: "Ensure that the --encryption-provider-config argument is set as appropriate (Not Scored)"
remediation: |
To verify and remediate the use of secret encryption on GKE, see Recommendation 6.3.1.
scored: false
- id: 1.2.34
text: "Ensure that encryption providers are appropriately configured (Not Scored)"
remediation: |
To verify and remediate the use of secret encryption on GKE, see Recommendation 6.3.1.
scored: false
- id: 1.2.35
text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.3
text: "Controller Manager"
checks:
- id: 1.3.1
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.3.2
text: "Ensure that the --profiling argument is set to false (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.3.3
text: "Ensure that the --use-service-account-credentials argument is set to true (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.3.4
text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.3.5
text: "Ensure that the --root-ca-file argument is set as appropriate (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.3.6
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.3.7
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.4
text: "Scheduler"
checks:
- id: 1.4.1
text: "Ensure that the --profiling argument is set to false (Not Scored)"
remediation: "This control cannot be modified in GKE."
scored: false
- id: 1.4.2
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Not Scored) "
remediation: "This control cannot be modified in GKE."
scored: false