kube-bench/cfg/aks-1.0/controlplane.yaml

---
controls:
version: "aks-1.0"
id: 2
text: "Control Plane Configuration"
type: "controlplane"
groups:
  - id: 2.1
    text: "Logging"
    checks:
      - id: 2.1.1
        text: "Enable audit Logs"
        type: "manual"
        remediation: |
          Azure audit logs are enabled and managed in the Azure portal. To enable log collection for
          the Kubernetes master components in your AKS cluster, open the Azure portal in a web
          browser and complete the following steps:
          1. Select the resource group for your AKS cluster, such as myResourceGroup. Don't
             select the resource group that contains your individual AKS cluster resources, such
             as MC_myResourceGroup_myAKSCluster_eastus.
          2. On the left-hand side, choose Diagnostic settings.
          3. Select your AKS cluster, such as myAKSCluster, then choose to Add diagnostic setting.
          4. Enter a name, such as myAKSClusterLogs, then select the option to Send to Log Analytics.
          5. Select an existing workspace or create a new one. If you create a workspace, provide
             a workspace name, a resource group, and a location.
          6. In the list of available logs, select the logs you wish to enable. For this example,
             enable the kube-audit and kube-audit-admin logs. Common logs include the kube-
             apiserver, kube-controller-manager, and kube-scheduler. You can return and change
             the collected logs once Log Analytics workspaces are enabled.
          7. When ready, select Save to enable collection of the selected logs.
        scored: false
Created config and test files for Azure Kubernetes Service (AKS). (#733) * First draft of AKS configuration checks. * Updated Azure Configurations. Added more policy checks. * Finalized cfg components for AKS. * Fixed targets for aks-1.0 in common_test.go * Fixed yaml linting issues. * Fixed white space yaml linkting issues in policies.yaml * Fixed white space yaml linting issues in policies.yaml 2020-11-16 12:35:57 +00:00			`---`
			`controls:`
			`version: "aks-1.0"`
			`id: 2`
			`text: "Control Plane Configuration"`
			`type: "controlplane"`
			`groups:`
			`- id: 2.1`
Update aks-1.0 to match official CIS Azure Kubernetes Service (AKS) Benchmark v1.0.0 (#1042) * Update aks-1.0 to match official CIS Azure Kubernetes Service (AKS) Benchmark v1.0.0 * fix typo * fix empty remediation Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com> 2021-11-14 13:37:54 +00:00			`text: "Logging"`
Created config and test files for Azure Kubernetes Service (AKS). (#733) * First draft of AKS configuration checks. * Updated Azure Configurations. Added more policy checks. * Finalized cfg components for AKS. * Fixed targets for aks-1.0 in common_test.go * Fixed yaml linting issues. * Fixed white space yaml linkting issues in policies.yaml * Fixed white space yaml linting issues in policies.yaml 2020-11-16 12:35:57 +00:00			`checks:`
			`- id: 2.1.1`
Update aks-1.0 to match official CIS Azure Kubernetes Service (AKS) Benchmark v1.0.0 (#1042) * Update aks-1.0 to match official CIS Azure Kubernetes Service (AKS) Benchmark v1.0.0 * fix typo * fix empty remediation Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com> 2021-11-14 13:37:54 +00:00			`text: "Enable audit Logs"`
Created config and test files for Azure Kubernetes Service (AKS). (#733) * First draft of AKS configuration checks. * Updated Azure Configurations. Added more policy checks. * Finalized cfg components for AKS. * Fixed targets for aks-1.0 in common_test.go * Fixed yaml linting issues. * Fixed white space yaml linkting issues in policies.yaml * Fixed white space yaml linting issues in policies.yaml 2020-11-16 12:35:57 +00:00			`type: "manual"`
			`remediation: \|`
Update aks-1.0 to match official CIS Azure Kubernetes Service (AKS) Benchmark v1.0.0 (#1042) * Update aks-1.0 to match official CIS Azure Kubernetes Service (AKS) Benchmark v1.0.0 * fix typo * fix empty remediation Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com> 2021-11-14 13:37:54 +00:00			`Azure audit logs are enabled and managed in the Azure portal. To enable log collection for`
			`the Kubernetes master components in your AKS cluster, open the Azure portal in a web`
			`browser and complete the following steps:`
			`1. Select the resource group for your AKS cluster, such as myResourceGroup. Don't`
			`select the resource group that contains your individual AKS cluster resources, such`
			`as MC_myResourceGroup_myAKSCluster_eastus.`
			`2. On the left-hand side, choose Diagnostic settings.`
			`3. Select your AKS cluster, such as myAKSCluster, then choose to Add diagnostic setting.`
			`4. Enter a name, such as myAKSClusterLogs, then select the option to Send to Log Analytics.`
			`5. Select an existing workspace or create a new one. If you create a workspace, provide`
			`a workspace name, a resource group, and a location.`
			`6. In the list of available logs, select the logs you wish to enable. For this example,`
			`enable the kube-audit and kube-audit-admin logs. Common logs include the kube-`
			`apiserver, kube-controller-manager, and kube-scheduler. You can return and change`
			`the collected logs once Log Analytics workspaces are enabled.`
			`7. When ready, select Save to enable collection of the selected logs.`
Created config and test files for Azure Kubernetes Service (AKS). (#733) * First draft of AKS configuration checks. * Updated Azure Configurations. Added more policy checks. * Finalized cfg components for AKS. * Fixed targets for aks-1.0 in common_test.go * Fixed yaml linting issues. * Fixed white space yaml linkting issues in policies.yaml * Fixed white space yaml linting issues in policies.yaml 2020-11-16 12:35:57 +00:00			`scored: false`