mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-15 20:39:08 +00:00
34 lines
1.2 KiB
YAML
34 lines
1.2 KiB
YAML
|
---
|
||
|
|
controls:
|
||
|
|
version: "eks-stig-kubernetes-v1r6"
|
||
|
|
id: 4
|
||
|
|
text: "Policies"
|
||
|
|
type: "policies"
|
||
|
|
groups:
|
||
|
|
- id: 4.1
|
||
|
|
text: "Policies - DISA Category Code I"
|
||
|
|
checks:
|
||
|
|
- id: V-242381
|
||
|
|
text: "The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)"
|
||
|
|
type: "manual"
|
||
|
|
remediation: |
|
||
|
|
Create explicit service accounts wherever a Kubernetes workload requires specific access
|
||
|
|
to the Kubernetes API server.
|
||
|
|
Modify the configuration of each default service account to include this value
|
||
|
|
automountServiceAccountToken: false
|
||
|
|
scored: false
|
||
|
|
|
||
|
|
- id: V-242383
|
||
|
|
text: "User-managed resources must be created in dedicated namespaces. (Manual)"
|
||
|
|
type: "manual"
|
||
|
|
remediation: |
|
||
|
|
Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces.
|
||
|
|
scored: false
|
||
|
|
|
||
|
|
- id: V-242417
|
||
|
|
text: "Kubernetes must separate user functionality. (Manual)"
|
||
|
|
type: "manual"
|
||
|
|
remediation: |
|
||
|
|
Move any user pods that are present in the Kubernetes system namespaces to user specific namespaces.
|
||
|
|
scored: false
|