mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-04 13:58:14 +00:00
32 lines
1.3 KiB
YAML
32 lines
1.3 KiB
YAML
|
---
|
||
|
controls:
|
||
|
version: "aks-1.0"
|
||
|
id: 2
|
||
|
text: "Control Plane Configuration"
|
||
|
type: "controlplane"
|
||
|
groups:
|
||
|
- id: 2.1
|
||
|
text: "Authentication and Authorization"
|
||
|
checks:
|
||
|
- id: 2.1.1
|
||
|
text: "Enable Azure Active Directory Integration"
|
||
|
type: "manual"
|
||
|
remediation: |
|
||
|
Use of OIDC should be implemented in place of client certificates. Cluster administrators can configure Kubernetes role-based access control (RBAC) based on a user's identity or directory group membership. Azure AD authentication is provided to AKS clusters with OpenID Connect. See https://docs.microsoft.com/en-us/azure/aks/managed-aad.
|
||
|
scored: false
|
||
|
- id: 2.1.2
|
||
|
text: "Limit access to cluster configuration file"
|
||
|
type: "manual"
|
||
|
remediation: |
|
||
|
Use Azure role-based access control to define access to the Kubernetes configuration file in Azure Kubernetes Service (AKS). See https://docs.microsoft.com/en-us/azure/aks/control-kubeconfig-access
|
||
|
scored: false
|
||
|
|
||
|
- id: 2.2
|
||
|
text: "Logging"
|
||
|
checks:
|
||
|
- id: 2.2.1
|
||
|
text: "Enable logging for the Kubernetes master components"
|
||
|
type: "manual"
|
||
|
remediation: "Enable log collection for the Kubernetes master components in the AKS cluster using Diagnostic settings."
|
||
|
scored: false
|