mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-21 23:58:06 +00:00
Support CIS v1.5.1 (#673)
This commit is contained in:
parent
07f3c40dc7
commit
2d548597ae
@ -58,7 +58,7 @@ kube-bench supports the tests for Kubernetes as defined in the [CIS Kubernetes B
|
|||||||
|---|---|---|
|
|---|---|---|
|
||||||
| [1.3.0](https://workbench.cisecurity.org/benchmarks/602) | cis-1.3 | 1.11-1.12 |
|
| [1.3.0](https://workbench.cisecurity.org/benchmarks/602) | cis-1.3 | 1.11-1.12 |
|
||||||
| [1.4.1](https://workbench.cisecurity.org/benchmarks/2351) | cis-1.4 | 1.13-1.14 |
|
| [1.4.1](https://workbench.cisecurity.org/benchmarks/2351) | cis-1.4 | 1.13-1.14 |
|
||||||
| [1.5.0](https://workbench.cisecurity.org/benchmarks/1370) | cis-1.5 | 1.15- |
|
| [1.5.1](https://workbench.cisecurity.org/benchmarks/4892) | cis-1.5 | 1.15- |
|
||||||
| [GKE 1.0.0](https://workbench.cisecurity.org/benchmarks/4536) | gke-1.0 | GKE |
|
| [GKE 1.0.0](https://workbench.cisecurity.org/benchmarks/4536) | gke-1.0 | GKE |
|
||||||
| [EKS 1.0.0](https://workbench.cisecurity.org/benchmarks/5190) | eks-1.0 | EKS |
|
| [EKS 1.0.0](https://workbench.cisecurity.org/benchmarks/5190) | eks-1.0 | EKS |
|
||||||
| Red Hat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |
|
| Red Hat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |
|
||||||
|
@ -303,7 +303,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.20
|
- id: 1.1.20
|
||||||
text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Not Scored)"
|
||||||
audit: "find /etc/kubernetes/pki -name '*.crt' | xargs stat -c permissions=%a"
|
audit: "find /etc/kubernetes/pki -name '*.crt' | xargs stat -c permissions=%a"
|
||||||
use_multiple_values: true
|
use_multiple_values: true
|
||||||
tests:
|
tests:
|
||||||
@ -317,10 +317,10 @@ groups:
|
|||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
chmod -R 644 /etc/kubernetes/pki/*.crt
|
chmod -R 644 /etc/kubernetes/pki/*.crt
|
||||||
scored: true
|
scored: false
|
||||||
|
|
||||||
- id: 1.1.21
|
- id: 1.1.21
|
||||||
text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)"
|
text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Not Scored)"
|
||||||
audit: "find /etc/kubernetes/pki -name '*.key' | xargs stat -c permissions=%a"
|
audit: "find /etc/kubernetes/pki -name '*.key' | xargs stat -c permissions=%a"
|
||||||
use_multiple_values: true
|
use_multiple_values: true
|
||||||
tests:
|
tests:
|
||||||
@ -334,7 +334,7 @@ groups:
|
|||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
chmod -R 600 /etc/kubernetes/pki/*.key
|
chmod -R 600 /etc/kubernetes/pki/*.key
|
||||||
scored: true
|
scored: false
|
||||||
|
|
||||||
- id: 1.2
|
- id: 1.2
|
||||||
text: "API Server"
|
text: "API Server"
|
||||||
@ -880,7 +880,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.2.33
|
- id: 1.2.33
|
||||||
text: "Ensure that the --encryption-provider-config argument is set as appropriate (Scored)"
|
text: "Ensure that the --encryption-provider-config argument is set as appropriate (Not Scored)"
|
||||||
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -890,16 +890,16 @@ groups:
|
|||||||
Follow the Kubernetes documentation and configure a EncryptionConfig file.
|
Follow the Kubernetes documentation and configure a EncryptionConfig file.
|
||||||
Then, edit the API server pod specification file $apiserverconf
|
Then, edit the API server pod specification file $apiserverconf
|
||||||
on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config=</path/to/EncryptionConfig/File>
|
on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config=</path/to/EncryptionConfig/File>
|
||||||
scored: true
|
scored: false
|
||||||
|
|
||||||
- id: 1.2.34
|
- id: 1.2.34
|
||||||
text: "Ensure that encryption providers are appropriately configured (Scored)"
|
text: "Ensure that encryption providers are appropriately configured (Not Scored)"
|
||||||
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
Follow the Kubernetes documentation and configure a EncryptionConfig file.
|
Follow the Kubernetes documentation and configure a EncryptionConfig file.
|
||||||
In this file, choose aescbc, kms or secretbox as the encryption provider.
|
In this file, choose aescbc, kms or secretbox as the encryption provider.
|
||||||
scored: true
|
scored: false
|
||||||
|
|
||||||
- id: 1.2.35
|
- id: 1.2.35
|
||||||
text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)"
|
text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)"
|
||||||
@ -921,7 +921,7 @@ groups:
|
|||||||
text: "Controller Manager"
|
text: "Controller Manager"
|
||||||
checks:
|
checks:
|
||||||
- id: 1.3.1
|
- id: 1.3.1
|
||||||
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
|
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored)"
|
||||||
audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
|
audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -932,7 +932,7 @@ groups:
|
|||||||
on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold,
|
on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold,
|
||||||
for example:
|
for example:
|
||||||
--terminated-pod-gc-threshold=10
|
--terminated-pod-gc-threshold=10
|
||||||
scored: true
|
scored: false
|
||||||
|
|
||||||
- id: 1.3.2
|
- id: 1.3.2
|
||||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
text: "Ensure that the --profiling argument is set to false (Scored)"
|
||||||
|
@ -164,7 +164,7 @@ groups:
|
|||||||
text: "Kubelet"
|
text: "Kubelet"
|
||||||
checks:
|
checks:
|
||||||
- id: 4.2.1
|
- id: 4.2.1
|
||||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
text: "Ensure that the anonymous-auth argument is set to false (Scored)"
|
||||||
audit: "/bin/ps -fC $kubeletbin"
|
audit: "/bin/ps -fC $kubeletbin"
|
||||||
audit_config: "/bin/cat $kubeletconf"
|
audit_config: "/bin/cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
|
@ -184,10 +184,10 @@ groups:
|
|||||||
Follow the Kubernetes documentation and setup image provenance.
|
Follow the Kubernetes documentation and setup image provenance.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 5.6
|
- id: 5.7
|
||||||
text: "General Policies"
|
text: "General Policies"
|
||||||
checks:
|
checks:
|
||||||
- id: 5.6.1
|
- id: 5.7.1
|
||||||
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
@ -195,7 +195,7 @@ groups:
|
|||||||
them.
|
them.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 5.6.2
|
- id: 5.7.2
|
||||||
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
|
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
@ -221,7 +221,7 @@ groups:
|
|||||||
image: sotrustworthy:latest
|
image: sotrustworthy:latest
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 5.6.3
|
- id: 5.7.3
|
||||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
@ -230,7 +230,7 @@ groups:
|
|||||||
Containers.
|
Containers.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 5.6.4
|
- id: 5.7.4
|
||||||
text: "The default namespace should not be used (Scored)"
|
text: "The default namespace should not be used (Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
14
integration/testdata/cis-1.5/job-master.data
vendored
14
integration/testdata/cis-1.5/job-master.data
vendored
@ -19,8 +19,8 @@
|
|||||||
[PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)
|
[PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)
|
||||||
[PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored)
|
[PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored)
|
||||||
[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)
|
[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)
|
||||||
[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)
|
[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Not Scored)
|
||||||
[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)
|
[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Not Scored)
|
||||||
[INFO] 1.2 API Server
|
[INFO] 1.2 API Server
|
||||||
[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored)
|
[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored)
|
||||||
[PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored)
|
[PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored)
|
||||||
@ -54,11 +54,11 @@
|
|||||||
[PASS] 1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
|
[PASS] 1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
|
||||||
[PASS] 1.2.31 Ensure that the --client-ca-file argument is set as appropriate (Scored)
|
[PASS] 1.2.31 Ensure that the --client-ca-file argument is set as appropriate (Scored)
|
||||||
[PASS] 1.2.32 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
|
[PASS] 1.2.32 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
|
||||||
[FAIL] 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Scored)
|
[WARN] 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Not Scored)
|
||||||
[WARN] 1.2.34 Ensure that encryption providers are appropriately configured (Scored)
|
[WARN] 1.2.34 Ensure that encryption providers are appropriately configured (Not Scored)
|
||||||
[WARN] 1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
|
[WARN] 1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
|
||||||
[INFO] 1.3 Controller Manager
|
[INFO] 1.3 Controller Manager
|
||||||
[FAIL] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)
|
[WARN] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored)
|
||||||
[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Scored)
|
[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Scored)
|
||||||
[PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored)
|
[PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored)
|
||||||
[PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)
|
[PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)
|
||||||
@ -171,6 +171,6 @@ on the master node and set the below parameter.
|
|||||||
|
|
||||||
== Summary ==
|
== Summary ==
|
||||||
44 checks PASS
|
44 checks PASS
|
||||||
13 checks FAIL
|
11 checks FAIL
|
||||||
8 checks WARN
|
10 checks WARN
|
||||||
0 checks INFO
|
0 checks INFO
|
||||||
|
2
integration/testdata/cis-1.5/job-node.data
vendored
2
integration/testdata/cis-1.5/job-node.data
vendored
@ -11,7 +11,7 @@
|
|||||||
[PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
|
[PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
|
||||||
[PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
|
[PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
|
||||||
[INFO] 4.2 Kubelet
|
[INFO] 4.2 Kubelet
|
||||||
[PASS] 4.2.1 Ensure that the --anonymous-auth argument is set to false (Scored)
|
[PASS] 4.2.1 Ensure that the anonymous-auth argument is set to false (Scored)
|
||||||
[PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
|
[PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
|
||||||
[PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Scored)
|
[PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Scored)
|
||||||
[PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Scored)
|
[PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Scored)
|
||||||
|
34
integration/testdata/cis-1.5/job.data
vendored
34
integration/testdata/cis-1.5/job.data
vendored
@ -19,8 +19,8 @@
|
|||||||
[PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)
|
[PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)
|
||||||
[PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored)
|
[PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored)
|
||||||
[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)
|
[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)
|
||||||
[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)
|
[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Not Scored)
|
||||||
[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)
|
[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Not Scored)
|
||||||
[INFO] 1.2 API Server
|
[INFO] 1.2 API Server
|
||||||
[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored)
|
[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored)
|
||||||
[PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored)
|
[PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored)
|
||||||
@ -54,11 +54,11 @@
|
|||||||
[PASS] 1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
|
[PASS] 1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
|
||||||
[PASS] 1.2.31 Ensure that the --client-ca-file argument is set as appropriate (Scored)
|
[PASS] 1.2.31 Ensure that the --client-ca-file argument is set as appropriate (Scored)
|
||||||
[PASS] 1.2.32 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
|
[PASS] 1.2.32 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
|
||||||
[FAIL] 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Scored)
|
[WARN] 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Not Scored)
|
||||||
[WARN] 1.2.34 Ensure that encryption providers are appropriately configured (Scored)
|
[WARN] 1.2.34 Ensure that encryption providers are appropriately configured (Not Scored)
|
||||||
[WARN] 1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
|
[WARN] 1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
|
||||||
[INFO] 1.3 Controller Manager
|
[INFO] 1.3 Controller Manager
|
||||||
[FAIL] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)
|
[WARN] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored)
|
||||||
[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Scored)
|
[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Scored)
|
||||||
[PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored)
|
[PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored)
|
||||||
[PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)
|
[PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)
|
||||||
@ -171,8 +171,8 @@ on the master node and set the below parameter.
|
|||||||
|
|
||||||
== Summary ==
|
== Summary ==
|
||||||
44 checks PASS
|
44 checks PASS
|
||||||
13 checks FAIL
|
11 checks FAIL
|
||||||
8 checks WARN
|
10 checks WARN
|
||||||
0 checks INFO
|
0 checks INFO
|
||||||
[INFO] 2 Etcd Node Configuration
|
[INFO] 2 Etcd Node Configuration
|
||||||
[INFO] 2 Etcd Node Configuration Files
|
[INFO] 2 Etcd Node Configuration Files
|
||||||
@ -224,7 +224,7 @@ minimum.
|
|||||||
[PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
|
[PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
|
||||||
[PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
|
[PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
|
||||||
[INFO] 4.2 Kubelet
|
[INFO] 4.2 Kubelet
|
||||||
[PASS] 4.2.1 Ensure that the --anonymous-auth argument is set to false (Scored)
|
[PASS] 4.2.1 Ensure that the anonymous-auth argument is set to false (Scored)
|
||||||
[PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
|
[PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
|
||||||
[PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Scored)
|
[PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Scored)
|
||||||
[PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Scored)
|
[PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Scored)
|
||||||
@ -314,11 +314,11 @@ systemctl restart kubelet.service
|
|||||||
[WARN] 5.4.2 Consider external secret storage (Not Scored)
|
[WARN] 5.4.2 Consider external secret storage (Not Scored)
|
||||||
[INFO] 5.5 Extensible Admission Control
|
[INFO] 5.5 Extensible Admission Control
|
||||||
[WARN] 5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)
|
[WARN] 5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)
|
||||||
[INFO] 5.6 General Policies
|
[INFO] 5.7 General Policies
|
||||||
[WARN] 5.6.1 Create administrative boundaries between resources using namespaces (Not Scored)
|
[WARN] 5.7.1 Create administrative boundaries between resources using namespaces (Not Scored)
|
||||||
[WARN] 5.6.2 Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)
|
[WARN] 5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)
|
||||||
[WARN] 5.6.3 Apply Security Context to Your Pods and Containers (Not Scored)
|
[WARN] 5.7.3 Apply Security Context to Your Pods and Containers (Not Scored)
|
||||||
[WARN] 5.6.4 The default namespace should not be used (Scored)
|
[WARN] 5.7.4 The default namespace should not be used (Scored)
|
||||||
|
|
||||||
== Remediations ==
|
== Remediations ==
|
||||||
5.1.1 Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
|
5.1.1 Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
|
||||||
@ -385,10 +385,10 @@ secrets management solution.
|
|||||||
|
|
||||||
5.5.1 Follow the Kubernetes documentation and setup image provenance.
|
5.5.1 Follow the Kubernetes documentation and setup image provenance.
|
||||||
|
|
||||||
5.6.1 Follow the documentation and create namespaces for objects in your deployment as you need
|
5.7.1 Follow the documentation and create namespaces for objects in your deployment as you need
|
||||||
them.
|
them.
|
||||||
|
|
||||||
5.6.2 Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
5.7.2 Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
||||||
would need to enable alpha features in the apiserver by passing "--feature-
|
would need to enable alpha features in the apiserver by passing "--feature-
|
||||||
gates=AllAlpha=true" argument.
|
gates=AllAlpha=true" argument.
|
||||||
Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
|
Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
|
||||||
@ -409,11 +409,11 @@ spec:
|
|||||||
- name: trustworthy-container
|
- name: trustworthy-container
|
||||||
image: sotrustworthy:latest
|
image: sotrustworthy:latest
|
||||||
|
|
||||||
5.6.3 Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
5.7.3 Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
||||||
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
||||||
Containers.
|
Containers.
|
||||||
|
|
||||||
5.6.4 Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
|
5.7.4 Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
|
||||||
resources and that all new resources are created in a specific namespace.
|
resources and that all new resources are created in a specific namespace.
|
||||||
|
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user