arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2025-05-24 17:58:50 +00:00
Code Issues Releases Wiki Activity

Support Linting YAML as part of Travis CI build (#554)

Browse Source 
* add yamllint command to travis CI

installs and runs a linter across the YAML in the
project to ensure consistency in the written YAML.

this uses yamllint and the default yamllint config with
"truthy" and "line-length" disabled.

* run dos2unix on CRLF files

* YAMLLINT: remove trailing spaces

* YAMLLint: add YAML document start

* YAMLLint: too many spaces around bracket

* YAMLLint: fix indentation

* YAMLLint: remove duplicate key

* YAMLLint: newline at end of file

* YAMLLint: Too few spaces after comma

* YAMLLint: too many spaces after colon
This commit is contained in:
James Ward 2020-01-06 04:18:25 -05:00 committed by Liz Rice
parent dc14cb14b0
commit 5f34058dc7
28 changed files with 8006 additions and 7992 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.goreleaser.yml
View File

@ -1,3 +1,4 @@
---
env: env:
- GO111MODULE=on - GO111MODULE=on
- KUBEBENCH_CFG=/etc/kube-bench/cfg - KUBEBENCH_CFG=/etc/kube-bench/cfg
@ -9,8 +10,8 @@ builds:
goarch: goarch:
- amd64 - amd64
ldflags: ldflags:
- "-X github.com/aquasecurity/kube-bench/cmd.KubeBenchVersion={{.Version}}" - "-X github.com/aquasecurity/kube-bench/cmd.KubeBenchVersion={{.Version}}"
- "-X github.com/aquasecurity/kube-bench/cmd.cfgDir={{.Env.KUBEBENCH_CFG}}" - "-X github.com/aquasecurity/kube-bench/cmd.cfgDir={{.Env.KUBEBENCH_CFG}}"
# Archive customization # Archive customization
archive: archive:
format: tar.gz format: tar.gz

2
.travis.yml
View File

@ -10,10 +10,12 @@ notifications:
before_install: before_install:
- sudo apt-get -qq update - sudo apt-get -qq update
- sudo apt-get install -y rpm - sudo apt-get install -y rpm
- pip install --user yamllint==1.18.0
- gem install --no-ri --no-rdoc fpm - gem install --no-ri --no-rdoc fpm
- go get -t -v ./... - go get -t -v ./...
script: script:
- yamllint -c ./.yamllint.yaml .
- GO111MODULE=on go test ./... - GO111MODULE=on go test ./...
- IMAGE_NAME=kube-bench make build-docker - IMAGE_NAME=kube-bench make build-docker
- docker run -v `pwd`:/host kube-bench install - docker run -v `pwd`:/host kube-bench install

6
.yamllint.yaml Normal file
View File

@ -0,0 +1,6 @@
---
extends: default
rules:
line-length: disable
truthy: disable

2956
cfg/cis-1.3/master.yaml
View File

File diff suppressed because it is too large Load Diff

1020
cfg/cis-1.3/node.yaml
View File

File diff suppressed because it is too large Load Diff

3084
cfg/cis-1.4/master.yaml
View File

File diff suppressed because it is too large Load Diff

1024
cfg/cis-1.4/node.yaml
View File

File diff suppressed because it is too large Load Diff

52
cfg/cis-1.5/controlplane.yaml
View File

@ -5,31 +5,31 @@ id: 3
text: "Control Plane Configuration" text: "Control Plane Configuration"
type: "controlplane" type: "controlplane"
groups: groups:
- id: 3.1 - id: 3.1
text: "Authentication and Authorization" text: "Authentication and Authorization"
checks: checks:
- id: 3.1.1 - id: 3.1.1
text: "Client certificate authentication should not be used for users (Not Scored) " text: "Client certificate authentication should not be used for users (Not Scored) "
type: "manual" type: "manual"
remediation: | remediation: |
Alternative mechanisms provided by Kubernetes such as the use of OIDC should be Alternative mechanisms provided by Kubernetes such as the use of OIDC should be
implemented in place of client certificates. implemented in place of client certificates.
scored: false scored: false
- id: 3.2 - id: 3.2
text: "Logging" text: "Logging"
checks: checks:
- id: 3.2.1 - id: 3.2.1
text: "Ensure that a minimal audit policy is created (Scored) " text: "Ensure that a minimal audit policy is created (Scored) "
type: "manual" type: "manual"
remediation: | remediation: |
Create an audit policy file for your cluster. Create an audit policy file for your cluster.
scored: true scored: true
- id: 3.2.2 - id: 3.2.2
text: "Ensure that the audit policy covers key security concerns (Not Scored) " text: "Ensure that the audit policy covers key security concerns (Not Scored) "
type: "manual" type: "manual"
remediation: | remediation: |
Consider modification of the audit policy in use on the cluster to include these items, at a Consider modification of the audit policy in use on the cluster to include these items, at a
minimum. minimum.
scored: false scored: false

236
cfg/cis-1.5/etcd.yaml
View File

@ -5,127 +5,127 @@ id: 2
text: "Etcd Node Configuration" text: "Etcd Node Configuration"
type: "etcd" type: "etcd"
groups: groups:
- id: 2 - id: 2
text: "Etcd Node Configuration Files" text: "Etcd Node Configuration Files"
checks: checks:
- id: 2.1 - id: 2.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)" text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
- flag: "--cert-file" - flag: "--cert-file"
set: true set: true
- flag: "--key-file" - flag: "--key-file"
set: true set: true
remediation: | remediation: |
Follow the etcd service documentation and configure TLS encryption. Follow the etcd service documentation and configure TLS encryption.
Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
on the master node and set the below parameters. on the master node and set the below parameters.
--cert-file=</path/to/ca-file> --cert-file=</path/to/ca-file>
--key-file=</path/to/key-file> --key-file=</path/to/key-file>
scored: true scored: true
- id: 2.2 - id: 2.2
text: "Ensure that the --client-cert-auth argument is set to true (Scored)" text: "Ensure that the --client-cert-auth argument is set to true (Scored)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--client-cert-auth" - flag: "--client-cert-auth"
compare: compare:
op: eq op: eq
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the etcd pod specification file $etcdconf on the master Edit the etcd pod specification file $etcdconf on the master
node and set the below parameter. node and set the below parameter.
--client-cert-auth="true" --client-cert-auth="true"
scored: true scored: true
- id: 2.3 - id: 2.3
text: "Ensure that the --auto-tls argument is not set to true (Scored)" text: "Ensure that the --auto-tls argument is not set to true (Scored)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "--auto-tls" - flag: "--auto-tls"
set: false set: false
- flag: "--auto-tls" - flag: "--auto-tls"
compare: compare:
op: eq op: eq
value: false value: false
remediation: | remediation: |
Edit the etcd pod specification file $etcdconf on the master Edit the etcd pod specification file $etcdconf on the master
node and either remove the --auto-tls parameter or set it to false. node and either remove the --auto-tls parameter or set it to false.
--auto-tls=false --auto-tls=false
scored: true scored: true
- id: 2.4 - id: 2.4
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are text: "Ensure that the --peer-cert-file and --peer-key-file arguments are
set as appropriate (Scored)" set as appropriate (Scored)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
- flag: "--peer-cert-file" - flag: "--peer-cert-file"
set: true set: true
- flag: "--peer-key-file" - flag: "--peer-key-file"
set: true set: true
remediation: | remediation: |
Follow the etcd service documentation and configure peer TLS encryption as appropriate Follow the etcd service documentation and configure peer TLS encryption as appropriate
for your etcd cluster. Then, edit the etcd pod specification file $etcdconf on the for your etcd cluster. Then, edit the etcd pod specification file $etcdconf on the
master node and set the below parameters. master node and set the below parameters.
--peer-client-file=</path/to/peer-cert-file> --peer-client-file=</path/to/peer-cert-file>
--peer-key-file=</path/to/peer-key-file> --peer-key-file=</path/to/peer-key-file>
scored: true scored: true
- id: 2.5 - id: 2.5
text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)" text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--peer-client-cert-auth" - flag: "--peer-client-cert-auth"
compare: compare:
op: eq op: eq
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the etcd pod specification file $etcdconf on the master Edit the etcd pod specification file $etcdconf on the master
node and set the below parameter. node and set the below parameter.
--peer-client-cert-auth=true --peer-client-cert-auth=true
scored: true scored: true
- id: 2.6 - id: 2.6
text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)" text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "--peer-auto-tls" - flag: "--peer-auto-tls"
set: false set: false
- flag: "--peer-auto-tls" - flag: "--peer-auto-tls"
compare: compare:
op: eq op: eq
value: false value: false
set: true set: true
remediation: | remediation: |
Edit the etcd pod specification file $etcdconf on the master Edit the etcd pod specification file $etcdconf on the master
node and either remove the --peer-auto-tls parameter or set it to false. node and either remove the --peer-auto-tls parameter or set it to false.
--peer-auto-tls=false --peer-auto-tls=false
scored: true scored: true
- id: 2.7 - id: 2.7
text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)" text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--trusted-ca-file" - flag: "--trusted-ca-file"
set: true set: true
remediation: | remediation: |
[Manual test] [Manual test]
Follow the etcd documentation and create a dedicated certificate authority setup for the Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service. etcd service.
Then, edit the etcd pod specification file $etcdconf on the Then, edit the etcd pod specification file $etcdconf on the
master node and set the below parameter. master node and set the below parameter.
--trusted-ca-file=</path/to/ca-file> --trusted-ca-file=</path/to/ca-file>
scored: false scored: false

2086
cfg/cis-1.5/master.yaml
View File

File diff suppressed because it is too large Load Diff

952
cfg/cis-1.5/node.yaml
View File

@ -5,501 +5,501 @@ id: 4
text: "Worker Node Security Configuration" text: "Worker Node Security Configuration"
type: "node" type: "node"
groups: groups:
- id: 4.1 - id: 4.1
text: "Worker Node Configuration Files" text: "Worker Node Configuration Files"
checks: checks:
- id: 4.1.1 - id: 4.1.1
text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)"
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'' ' audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'' '
tests: tests:
test_items: test_items:
- flag: "644" - flag: "644"
set: true set: true
compare: compare:
op: eq op: eq
value: "644" value: "644"
- flag: "640" - flag: "640"
set: true set: true
compare: compare:
op: eq op: eq
value: "640" value: "640"
- flag: "600" - flag: "600"
set: true set: true
compare: compare:
op: eq op: eq
value: "600" value: "600"
bin_op: or bin_op: or
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, For example,
chmod 644 $kubeletsvc chmod 644 $kubeletsvc
scored: true scored: true
- id: 4.1.2 - id: 4.1.2
text: "Ensure that the kubelet service file ownership is set to root:root (Scored)" text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' ' audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' '
tests: tests:
test_items: test_items:
- flag: root:root - flag: root:root
set: true set: true
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, For example,
chown root:root $kubeletsvc chown root:root $kubeletsvc
scored: true scored: true
- id: 4.1.3 - id: 4.1.3
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' ' audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' '
tests: tests:
test_items: test_items:
- flag: "644" - flag: "644"
set: true set: true
compare: compare:
op: eq op: eq
value: "644" value: "644"
- flag: "640" - flag: "640"
set: true set: true
compare: compare:
op: eq op: eq
value: "640" value: "640"
- flag: "600" - flag: "600"
set: true set: true
compare: compare:
op: eq op: eq
value: "600" value: "600"
bin_op: or bin_op: or
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, For example,
chmod 644 $proykubeconfig chmod 644 $proykubeconfig
scored: true scored: true
- id: 4.1.4 - id: 4.1.4
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)" text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' ' audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
tests: tests:
test_items: test_items:
- flag: root:root - flag: root:root
set: true set: true
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, chown root:root $proxykubeconfig For example, chown root:root $proxykubeconfig
scored: true scored: true
- id: 4.1.5 - id: 4.1.5
text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)"
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'' ' audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'' '
tests: tests:
test_items: test_items:
- flag: "644" - flag: "644"
set: true set: true
compare: compare:
op: eq op: eq
value: "644" value: "644"
- flag: "640" - flag: "640"
set: true set: true
compare: compare:
op: eq op: eq
value: "640" value: "640"
- flag: "600" - flag: "600"
set: true set: true
compare: compare:
op: eq op: eq
value: "600" value: "600"
bin_op: or bin_op: or
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, For example,
chmod 644 $kubeletkubeconfig chmod 644 $kubeletkubeconfig
scored: true scored: true
- id: 4.1.6 - id: 4.1.6
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)" text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' ' audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
tests: tests:
test_items: test_items:
- flag: root:root - flag: root:root
set: true set: true
compare: compare:
op: eq op: eq
value: root:root value: root:root
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, For example,
chown root:root $kubeletkubeconfig chown root:root $kubeletkubeconfig
scored: true scored: true
- id: 4.1.7 - id: 4.1.7
text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)"
types: "manual" types: "manual"
remediation: | remediation: |
Run the following command to modify the file permissions of the Run the following command to modify the file permissions of the
--client-ca-file chmod 644 <filename> --client-ca-file chmod 644 <filename>
scored: true scored: true
- id: 4.1.8 - id: 4.1.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)" text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
audit: '/bin/sh -c ''if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'' ' audit: '/bin/sh -c ''if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'' '
tests: tests:
test_items: test_items:
- flag: root:root - flag: root:root
set: true set: true
compare: compare:
op: eq op: eq
value: root:root value: root:root
remediation: | remediation: |
Run the following command to modify the ownership of the --client-ca-file. Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename> chown root:root <filename>
scored: true scored: true
- id: 4.1.9 - id: 4.1.9
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)" text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' ' audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' '
tests: tests:
test_items: test_items:
- flag: "644" - flag: "644"
set: true set: true
compare: compare:
op: eq op: eq
value: "644" value: "644"
- flag: "640" - flag: "640"
set: true set: true
compare: compare:
op: eq op: eq
value: "640" value: "640"
- flag: "600" - flag: "600"
set: true set: true
compare: compare:
op: eq op: eq
value: "600" value: "600"
bin_op: or bin_op: or
remediation: | remediation: |
Run the following command (using the config file location identied in the Audit step) Run the following command (using the config file location identied in the Audit step)
chmod 644 $kubeletconf chmod 644 $kubeletconf
scored: true scored: true
- id: 4.1.10 - id: 4.1.10
text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)" text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' ' audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
tests: tests:
test_items: test_items:
- flag: root:root - flag: root:root
set: true set: true
remediation: | remediation: |
Run the following command (using the config file location identied in the Audit step) Run the following command (using the config file location identied in the Audit step)
chown root:root $kubeletconf chown root:root $kubeletconf
scored: true scored: true
- id: 4.2 - id: 4.2
text: "Kubelet" text: "Kubelet"
checks: checks:
- id: 4.2.1 - id: 4.2.1
text: "Ensure that the --anonymous-auth argument is set to false (Scored)" text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: "--anonymous-auth" - flag: "--anonymous-auth"
path: '{.authentication.anonymous.enabled}' path: '{.authentication.anonymous.enabled}'
set: true set: true
compare: compare:
op: eq op: eq
value: false value: false
remediation: | remediation: |
If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
false. false.
If using executable arguments, edit the kubelet service file If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and $kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false --anonymous-auth=false
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: true scored: true
- id: 4.2.2 - id: 4.2.2
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --authorization-mode - flag: --authorization-mode
path: '{.authorization.mode}' path: '{.authorization.mode}'
set: true set: true
compare: compare:
op: nothave op: nothave
value: AlwaysAllow value: AlwaysAllow
remediation: | remediation: |
If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If
using executable arguments, edit the kubelet service file using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and $kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable. set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook --authorization-mode=Webhook
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: true scored: true
- id: 4.2.3 - id: 4.2.3
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --client-ca-file - flag: --client-ca-file
path: '{.authentication.x509.clientCAFile}' path: '{.authentication.x509.clientCAFile}'
set: true set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
the location of the client CA file. the location of the client CA file.
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and $kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable. set the below parameter in KUBELET_AUTHZ_ARGS variable.
--client-ca-file=<path/to/client-ca-file> --client-ca-file=<path/to/client-ca-file>
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: true scored: true
- id: 4.2.4 - id: 4.2.4
text: "Ensure that the --read-only-port argument is set to 0 (Scored)" text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: "--read-only-port" - flag: "--read-only-port"
path: '{.readOnlyPort}' path: '{.readOnlyPort}'
set: true set: true
compare: compare:
op: eq op: eq
value: 0 value: 0
remediation: | remediation: |
If using a Kubelet config file, edit the file to set readOnlyPort to 0. If using a Kubelet config file, edit the file to set readOnlyPort to 0.
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and $kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0 --read-only-port=0
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: true scored: true
- id: 4.2.5 - id: 4.2.5
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --streaming-connection-idle-timeout - flag: --streaming-connection-idle-timeout
path: '{.streamingConnectionIdleTimeout}' path: '{.streamingConnectionIdleTimeout}'
set: true set: true
compare: compare:
op: noteq op: noteq
value: 0 value: 0
- flag: --streaming-connection-idle-timeout - flag: --streaming-connection-idle-timeout
path: '{.streamingConnectionIdleTimeout}' path: '{.streamingConnectionIdleTimeout}'
set: false set: false
bin_op: or bin_op: or
remediation: | remediation: |
If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
value other than 0. value other than 0.
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and $kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--streaming-connection-idle-timeout=5m --streaming-connection-idle-timeout=5m
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: true scored: true
- id: 4.2.6 - id: 4.2.6
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --protect-kernel-defaults - flag: --protect-kernel-defaults
path: '{.protectKernelDefaults}' path: '{.protectKernelDefaults}'
set: true set: true
compare: compare:
op: eq op: eq
value: true value: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to set protectKernelDefaults: true. If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and $kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true --protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: true scored: true
- id: 4.2.7 - id: 4.2.7
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored) " text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored) "
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --make-iptables-util-chains - flag: --make-iptables-util-chains
path: '{.makeIPTablesUtilChains}' path: '{.makeIPTablesUtilChains}'
set: true set: true
compare: compare:
op: eq op: eq
value: true value: true
- flag: --make-iptables-util-chains - flag: --make-iptables-util-chains
path: '{.makeIPTablesUtilChains}' path: '{.makeIPTablesUtilChains}'
set: false set: false
bin_op: or bin_op: or
remediation: | remediation: |
If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true. If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true.
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and $kubeletsvc on each worker node and
remove the --make-iptables-util-chains argument from the remove the --make-iptables-util-chains argument from the
KUBELET_SYSTEM_PODS_ARGS variable. KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: true scored: true
- id: 4.2.8 - id: 4.2.8
text: "Ensure that the --hostname-override argument is not set (Not Scored)" text: "Ensure that the --hostname-override argument is not set (Not Scored)"
# This is one of those properties that can only be set as a command line argument. # This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command # To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file. # instead reading the Kubelet Configuration file.
audit: "/bin/ps -fC $kubeletbin " audit: "/bin/ps -fC $kubeletbin "
tests: tests:
test_items: test_items:
- flag: --hostname-override - flag: --hostname-override
set: false set: false
remediation: | remediation: |
Edit the kubelet service file $kubeletsvc Edit the kubelet service file $kubeletsvc
on each worker node and remove the --hostname-override argument from the on each worker node and remove the --hostname-override argument from the
KUBELET_SYSTEM_PODS_ARGS variable. KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: false scored: false
- id: 4.2.9 - id: 4.2.9
text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Not Scored)" text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Not Scored)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --event-qps - flag: --event-qps
path: '{.eventRecordQPS}' path: '{.eventRecordQPS}'
set: true set: true
compare: compare:
op: eq op: eq
value: 0 value: 0
remediation: | remediation: |
If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level. If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and $kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: false scored: false
- id: 4.2.10 - id: 4.2.10
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --tls-cert-file - flag: --tls-cert-file
path: '{.tlsCertFile}' path: '{.tlsCertFile}'
set: true set: true
- flag: --tls-private-key-file - flag: --tls-private-key-file
path: '{.tlsPrivateKeyFile}' path: '{.tlsPrivateKeyFile}'
set: true set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to set tlsCertFile to the location If using a Kubelet config file, edit the file to set tlsCertFile to the location
of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile
to the location of the corresponding private key file. to the location of the corresponding private key file.
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and $kubeletsvc on each worker node and
set the below parameters in KUBELET_CERTIFICATE_ARGS variable. set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
--tls-cert-file=<path/to/tls-certificate-file> --tls-cert-file=<path/to/tls-certificate-file>
--tls-private-key-file=<path/to/tls-key-file> --tls-private-key-file=<path/to/tls-key-file>
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: true scored: true
- id: 4.2.11 - id: 4.2.11
text: "Ensure that the --rotate-certificates argument is not set to false (Scored)" text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --rotate-certificates - flag: --rotate-certificates
path: '{.rotateCertificates}' path: '{.rotateCertificates}'
set: true set: true
compare: compare:
op: eq op: eq
value: true value: true
- flag: --rotate-certificates - flag: --rotate-certificates
path: '{.rotateCertificates}' path: '{.rotateCertificates}'
set: false set: false
bin_op: or bin_op: or
remediation: | remediation: |
If using a Kubelet config file, edit the file to add the line rotateCertificates: true or If using a Kubelet config file, edit the file to add the line rotateCertificates: true or
remove it altogether to use the default value. remove it altogether to use the default value.
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and $kubeletsvc on each worker node and
remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
variable. variable.
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: true scored: true
- id: 4.2.12 - id: 4.2.12
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: RotateKubeletServerCertificate - flag: RotateKubeletServerCertificate
path: '{.featureGates.RotateKubeletServerCertificate}' path: '{.featureGates.RotateKubeletServerCertificate}'
set: true set: true
compare: compare:
op: eq op: eq
value: true value: true
remediation: | remediation: |
Edit the kubelet service file $kubeletsvc Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
--feature-gates=RotateKubeletServerCertificate=true --feature-gates=RotateKubeletServerCertificate=true
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: true scored: true
- id: 4.2.13 - id: 4.2.13
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)" text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --tls-cipher-suites - flag: --tls-cipher-suites
path: '{range .tlsCipherSuites[:]}{}{'',''}{end}' path: '{range .tlsCipherSuites[:]}{}{'',''}{end}'
set: true set: true
compare: compare:
op: valid_elements op: valid_elements
value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
remediation: | remediation: |
If using a Kubelet config file, edit the file to set TLSCipherSuites: to If using a Kubelet config file, edit the file to set TLSCipherSuites: to
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
or to a subset of these values. or to a subset of these values.
If using executable arguments, edit the kubelet service file If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and $kubeletsvc on each worker node and
set the --tls-cipher-suites parameter as follows, or to a subset of these values. set the --tls-cipher-suites parameter as follows, or to a subset of these values.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: false scored: false

418
cfg/cis-1.5/policies.yaml
View File

@ -5,235 +5,235 @@ id: 5
text: "Kubernetes Policies" text: "Kubernetes Policies"
type: "policies" type: "policies"
groups: groups:
- id: 5.1 - id: 5.1
text: "RBAC and Service Accounts" text: "RBAC and Service Accounts"
checks: checks:
- id: 5.1.1 - id: 5.1.1
text: "Ensure that the cluster-admin role is only used where required (Not Scored)" text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Identify all clusterrolebindings to the cluster-admin role. Check if they are used and Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
if they need this role or if they could use a role with fewer privileges. if they need this role or if they could use a role with fewer privileges.
Where possible, first bind users to a lower privileged role and then remove the Where possible, first bind users to a lower privileged role and then remove the
clusterrolebinding to the cluster-admin role : clusterrolebinding to the cluster-admin role :
kubectl delete clusterrolebinding [name] kubectl delete clusterrolebinding [name]
scored: false scored: false
- id: 5.1.2 - id: 5.1.2
text: "Minimize access to secrets (Not Scored)" text: "Minimize access to secrets (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Where possible, remove get, list and watch access to secret objects in the cluster. Where possible, remove get, list and watch access to secret objects in the cluster.
scored: false scored: false
- id: 5.1.3 - id: 5.1.3
text: "Minimize wildcard use in Roles and ClusterRoles (Not Scored)" text: "Minimize wildcard use in Roles and ClusterRoles (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Where possible replace any use of wildcards in clusterroles and roles with specific Where possible replace any use of wildcards in clusterroles and roles with specific
objects or actions. objects or actions.
scored: false scored: false
- id: 5.1.4 - id: 5.1.4
text: "Minimize access to create pods (Not Scored)" text: "Minimize access to create pods (Not Scored)"
type: "manual" type: "manual"
Remediation: | Remediation: |
Where possible, remove create access to pod objects in the cluster. Where possible, remove create access to pod objects in the cluster.
scored: false scored: false
- id: 5.1.5 - id: 5.1.5
text: "Ensure that default service accounts are not actively used. (Scored)" text: "Ensure that default service accounts are not actively used. (Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Create explicit service accounts wherever a Kubernetes workload requires specific access Create explicit service accounts wherever a Kubernetes workload requires specific access
to the Kubernetes API server. to the Kubernetes API server.
Modify the configuration of each default service account to include this value Modify the configuration of each default service account to include this value
automountServiceAccountToken: false automountServiceAccountToken: false
scored: true scored: true
- id: 5.1.6 - id: 5.1.6
text: "Ensure that Service Account Tokens are only mounted where necessary (Not Scored)" text: "Ensure that Service Account Tokens are only mounted where necessary (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Modify the definition of pods and service accounts which do not need to mount service Modify the definition of pods and service accounts which do not need to mount service
account tokens to disable it. account tokens to disable it.
scored: false scored: false
- id: 5.2 - id: 5.2
text: "Pod Security Policies" text: "Pod Security Policies"
checks: checks:
- id: 5.2.1 - id: 5.2.1
text: "Minimize the admission of privileged containers (Not Scored)" text: "Minimize the admission of privileged containers (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that Create a PSP as described in the Kubernetes documentation, ensuring that
the .spec.privileged field is omitted or set to false. the .spec.privileged field is omitted or set to false.
scored: false scored: false
- id: 5.2.2 - id: 5.2.2
text: "Minimize the admission of containers wishing to share the host process ID namespace (Scored)" text: "Minimize the admission of containers wishing to share the host process ID namespace (Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.hostPID field is omitted or set to false. .spec.hostPID field is omitted or set to false.
scored: true scored: true
- id: 5.2.3 - id: 5.2.3
text: "Minimize the admission of containers wishing to share the host IPC namespace (Scored)" text: "Minimize the admission of containers wishing to share the host IPC namespace (Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.hostIPC field is omitted or set to false. .spec.hostIPC field is omitted or set to false.
scored: true scored: true
- id: 5.2.4 - id: 5.2.4
text: "Minimize the admission of containers wishing to share the host network namespace (Scored)" text: "Minimize the admission of containers wishing to share the host network namespace (Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.hostNetwork field is omitted or set to false. .spec.hostNetwork field is omitted or set to false.
scored: true scored: true
- id: 5.2.5 - id: 5.2.5
text: "Minimize the admission of containers with allowPrivilegeEscalation (Scored)" text: "Minimize the admission of containers with allowPrivilegeEscalation (Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.allowPrivilegeEscalation field is omitted or set to false. .spec.allowPrivilegeEscalation field is omitted or set to false.
scored: true scored: true
- id: 5.2.6 - id: 5.2.6
text: "Minimize the admission of root containers (Not Scored)" text: "Minimize the admission of root containers (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of
UIDs not including 0. UIDs not including 0.
scored: false scored: false
- id: 5.2.7 - id: 5.2.7
text: "Minimize the admission of containers with the NET_RAW capability (Not Scored)" text: "Minimize the admission of containers with the NET_RAW capability (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.requiredDropCapabilities is set to include either NET_RAW or ALL. .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
scored: false scored: false
- id: 5.2.8 - id: 5.2.8
text: "Minimize the admission of containers with added capabilities (Not Scored)" text: "Minimize the admission of containers with added capabilities (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Ensure that allowedCapabilities is not present in PSPs for the cluster unless Ensure that allowedCapabilities is not present in PSPs for the cluster unless
it is set to an empty array. it is set to an empty array.
scored: false scored: false
- id: 5.2.9 - id: 5.2.9
text: "Minimize the admission of containers with capabilities assigned (Not Scored) " text: "Minimize the admission of containers with capabilities assigned (Not Scored) "
type: "manual" type: "manual"
remediation: | remediation: |
Review the use of capabilites in applications runnning on your cluster. Where a namespace Review the use of capabilites in applications runnning on your cluster. Where a namespace
contains applicaions which do not require any Linux capabities to operate consider adding contains applicaions which do not require any Linux capabities to operate consider adding
a PSP which forbids the admission of containers which do not drop all capabilities. a PSP which forbids the admission of containers which do not drop all capabilities.
scored: false scored: false
- id: 5.3 - id: 5.3
text: "Network Policies and CNI" text: "Network Policies and CNI"
checks: checks:
- id: 5.3.1 - id: 5.3.1
text: "Ensure that the CNI in use supports Network Policies (Not Scored)" text: "Ensure that the CNI in use supports Network Policies (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
If the CNI plugin in use does not support network policies, consideration should be given to If the CNI plugin in use does not support network policies, consideration should be given to
making use of a different plugin, or finding an alternate mechanism for restricting traffic making use of a different plugin, or finding an alternate mechanism for restricting traffic
in the Kubernetes cluster. in the Kubernetes cluster.
scored: false scored: false
- id: 5.3.2 - id: 5.3.2
text: "Ensure that all Namespaces have Network Policies defined (Scored)" text: "Ensure that all Namespaces have Network Policies defined (Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Follow the documentation and create NetworkPolicy objects as you need them. Follow the documentation and create NetworkPolicy objects as you need them.
scored: true scored: true
- id: 5.4 - id: 5.4
text: "Secrets Management" text: "Secrets Management"
checks: checks:
- id: 5.4.1 - id: 5.4.1
text: "Prefer using secrets as files over secrets as environment variables (Not Scored)" text: "Prefer using secrets as files over secrets as environment variables (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
if possible, rewrite application code to read secrets from mounted secret files, rather than if possible, rewrite application code to read secrets from mounted secret files, rather than
from environment variables. from environment variables.
scored: false scored: false
- id: 5.4.2 - id: 5.4.2
text: "Consider external secret storage (Not Scored)" text: "Consider external secret storage (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Refer to the secrets management options offered by your cloud provider or a third-party Refer to the secrets management options offered by your cloud provider or a third-party
secrets management solution. secrets management solution.
scored: false scored: false
- id: 5.5 - id: 5.5
text: "Extensible Admission Control" text: "Extensible Admission Control"
checks: checks:
- id: 5.5.1 - id: 5.5.1
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Follow the Kubernetes documentation and setup image provenance. Follow the Kubernetes documentation and setup image provenance.
scored: false scored: false
- id: 5.6 - id: 5.6
text: "General Policies" text: "General Policies"
checks: checks:
- id: 5.6.1 - id: 5.6.1
text: "Create administrative boundaries between resources using namespaces (Not Scored)" text: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Follow the documentation and create namespaces for objects in your deployment as you need Follow the documentation and create namespaces for objects in your deployment as you need
them. them.
scored: false scored: false
- id: 5.6.2 - id: 5.6.2
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)" text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing "--feature- would need to enable alpha features in the apiserver by passing "--feature-
gates=AllAlpha=true" argument. gates=AllAlpha=true" argument.
Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
parameter to "--feature-gates=AllAlpha=true" parameter to "--feature-gates=AllAlpha=true"
KUBE_API_ARGS="--feature-gates=AllAlpha=true" KUBE_API_ARGS="--feature-gates=AllAlpha=true"
Based on your system, restart the kube-apiserver service. For example: Based on your system, restart the kube-apiserver service. For example:
systemctl restart kube-apiserver.service systemctl restart kube-apiserver.service
Use annotations to enable the docker/default seccomp profile in your pod definitions. An Use annotations to enable the docker/default seccomp profile in your pod definitions. An
example is as below: example is as below:
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: trustworthy-pod name: trustworthy-pod
annotations: annotations:
seccomp.security.alpha.kubernetes.io/pod: docker/default seccomp.security.alpha.kubernetes.io/pod: docker/default
spec: spec:
containers: containers:
- name: trustworthy-container - name: trustworthy-container
image: sotrustworthy:latest image: sotrustworthy:latest
scored: false scored: false
- id: 5.6.3 - id: 5.6.3
text: "Apply Security Context to Your Pods and Containers (Not Scored)" text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Follow the Kubernetes documentation and apply security contexts to your pods. For a Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers. Containers.
scored: false scored: false
- id: 5.6.4 - id: 5.6.4
text: "The default namespace should not be used (Scored)" text: "The default namespace should not be used (Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Ensure that namespaces are created to allow for appropriate segregation of Kubernetes Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
resources and that all new resources are created in a specific namespace. resources and that all new resources are created in a specific namespace.
scored: true scored: true

2873
cfg/rh-0.7/master.yaml
View File

File diff suppressed because it is too large Load Diff

690
cfg/rh-0.7/node.yaml
View File

@ -4,373 +4,373 @@ id: 2
text: "Worker Node Security Configuration" text: "Worker Node Security Configuration"
type: "node" type: "node"
groups: groups:
- id: 7 - id: 7
text: "Kubelet" text: "Kubelet"
checks: checks:
- id: 7.1 - id: 7.1
text: "Use Security Context Constraints to manage privileged containers as needed" text: "Use Security Context Constraints to manage privileged containers as needed"
type: "skip" type: "skip"
scored: true scored: true
- id: 7.2 - id: 7.2
text: "Ensure anonymous-auth is not disabled" text: "Ensure anonymous-auth is not disabled"
type: "skip" type: "skip"
scored: true scored: true
- id: 7.3 - id: 7.3
text: "Verify that the --authorization-mode argument is set to WebHook" text: "Verify that the --authorization-mode argument is set to WebHook"
audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml" audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "authorization-mode" - flag: "authorization-mode"
set: false set: false
- flag: "authorization-mode" - flag: "authorization-mode"
compare: compare:
op: has op: has
value: "Webhook" value: "Webhook"
set: true set: true
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under
kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook". kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook".
scored: true scored: true
- id: 7.4 - id: 7.4
text: "Verify the OpenShift default for the client-ca-file argument" text: "Verify the OpenShift default for the client-ca-file argument"
audit: "grep -A1 client-ca-file /etc/origin/node/node-config.yaml" audit: "grep -A1 client-ca-file /etc/origin/node/node-config.yaml"
tests: tests:
test_items: test_items:
- flag: "client-ca-file" - flag: "client-ca-file"
set: false set: false
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following: Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following:
grep -A1 client-ca-file /etc/origin/node/node-config.yaml grep -A1 client-ca-file /etc/origin/node/node-config.yaml
Reset to the OpenShift default. Reset to the OpenShift default.
See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65 See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65
The config file does not have this defined in kubeletArgument, but in PodManifestConfig. The config file does not have this defined in kubeletArgument, but in PodManifestConfig.
scored: true scored: true
- id: 7.5 - id: 7.5
text: "Verify the OpenShift default setting for the read-only-port argument" text: "Verify the OpenShift default setting for the read-only-port argument"
audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml" audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "read-only-port" - flag: "read-only-port"
set: false set: false
- flag: "read-only-port" - flag: "read-only-port"
compare: compare:
op: has op: has
value: "0" value: "0"
set: true set: true
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied. Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied.
scored: true scored: true
- id: 7.6 - id: 7.6
text: "Adjust the streaming-connection-idle-timeout argument" text: "Adjust the streaming-connection-idle-timeout argument"
audit: "grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml" audit: "grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "streaming-connection-idle-timeout" - flag: "streaming-connection-idle-timeout"
set: false set: false
- flag: "5m" - flag: "5m"
set: false set: false
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout
value like the following in node-config.yaml. value like the following in node-config.yaml.
kubeletArguments: kubeletArguments:
 streaming-connection-idle-timeout:  streaming-connection-idle-timeout:
   - "5m"    - "5m"
scored: true scored: true
- id: 7.7 - id: 7.7
text: "Verify the OpenShift defaults for the protect-kernel-defaults argument" text: "Verify the OpenShift defaults for the protect-kernel-defaults argument"
type: "skip" type: "skip"
scored: true scored: true
- id: 7.8 - id: 7.8
text: "Verify the OpenShift default value of true for the make-iptables-util-chains argument" text: "Verify the OpenShift default value of true for the make-iptables-util-chains argument"
audit: "grep -A1 make-iptables-util-chains /etc/origin/node/node-config.yaml" audit: "grep -A1 make-iptables-util-chains /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "make-iptables-util-chains" - flag: "make-iptables-util-chains"
set: false set: false
- flag: "make-iptables-util-chains" - flag: "make-iptables-util-chains"
compare: compare:
op: has op: has
value: "true" value: "true"
set: true set: true
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift
default value of true. default value of true.
scored: true scored: true
- id: 7.9 - id: 7.9
text: "Verify that the --keep-terminated-pod-volumes argument is set to false" text: "Verify that the --keep-terminated-pod-volumes argument is set to false"
audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml" audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml"
tests: tests:
test_items: test_items:
- flag: "keep-terminated-pod-volumes" - flag: "keep-terminated-pod-volumes"
compare: compare:
op: has op: has
value: "false" value: "false"
set: true set: true
remediation: | remediation: |
Reset to the OpenShift defaults Reset to the OpenShift defaults
scored: true scored: true
- id: 7.10 - id: 7.10
text: "Verify the OpenShift defaults for the hostname-override argument" text: "Verify the OpenShift defaults for the hostname-override argument"
type: "skip" type: "skip"
scored: true scored: true
- id: 7.11 - id: 7.11
text: "Set the --event-qps argument to 0" text: "Set the --event-qps argument to 0"
audit: "grep -A1 event-qps /etc/origin/node/node-config.yaml" audit: "grep -A1 event-qps /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "event-qps" - flag: "event-qps"
set: false set: false
- flag: "event-qps" - flag: "event-qps"
compare: compare:
op: has op: has
value: "0" value: "0"
set: true set: true
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in
the kubeletArguments section of. the kubeletArguments section of.
scored: true scored: true
- id: 7.12 - id: 7.12
text: "Verify the OpenShift cert-dir flag for HTTPS traffic" text: "Verify the OpenShift cert-dir flag for HTTPS traffic"
audit: "grep -A1 cert-dir /etc/origin/node/node-config.yaml" audit: "grep -A1 cert-dir /etc/origin/node/node-config.yaml"
tests: tests:
test_items: test_items:
- flag: "/etc/origin/node/certificates" - flag: "/etc/origin/node/certificates"
compare: compare:
op: has op: has
value: "/etc/origin/node/certificates" value: "/etc/origin/node/certificates"
set: true set: true
remediation: | remediation: |
Reset to the OpenShift default values. Reset to the OpenShift default values.
scored: true scored: true
- id: 7.13 - id: 7.13
text: "Verify the OpenShift default of 0 for the cadvisor-port argument" text: "Verify the OpenShift default of 0 for the cadvisor-port argument"
audit: "grep -A1 cadvisor-port /etc/origin/node/node-config.yaml" audit: "grep -A1 cadvisor-port /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "cadvisor-port" - flag: "cadvisor-port"
set: false set: false
- flag: "cadvisor-port" - flag: "cadvisor-port"
compare: compare:
op: has op: has
value: "0" value: "0"
set: true set: true
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag
if it is set in the kubeletArguments section. if it is set in the kubeletArguments section.
scored: true scored: true
- id: 7.14 - id: 7.14
text: "Verify that the RotateKubeletClientCertificate argument is set to true" text: "Verify that the RotateKubeletClientCertificate argument is set to true"
audit: "grep -B1 RotateKubeletClientCertificate=true /etc/origin/node/node-config.yaml" audit: "grep -B1 RotateKubeletClientCertificate=true /etc/origin/node/node-config.yaml"
tests: tests:
test_items: test_items:
- flag: "RotateKubeletClientCertificate=true" - flag: "RotateKubeletClientCertificate=true"
compare: compare:
op: has op: has
value: "true" value: "true"
set: true set: true
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true. Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true.
scored: true scored: true
- id: 7.15 - id: 7.15
text: "Verify that the RotateKubeletServerCertificate argument is set to true" text: "Verify that the RotateKubeletServerCertificate argument is set to true"
audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml" audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml"
tests: tests:
test_items: test_items:
- flag: "RotateKubeletServerCertificate=true" - flag: "RotateKubeletServerCertificate=true"
compare: compare:
op: has op: has
value: "true" value: "true"
set: true set: true
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true. Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true.
scored: true scored: true
- id: 8 - id: 8
text: "Configuration Files" text: "Configuration Files"
checks: checks:
- id: 8.1 - id: 8.1
text: "Verify the OpenShift default permissions for the kubelet.conf file" text: "Verify the OpenShift default permissions for the kubelet.conf file"
audit: "stat -c %a /etc/origin/node/node.kubeconfig" audit: "stat -c %a /etc/origin/node/node.kubeconfig"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true set: true
- flag: "640" - flag: "640"
compare: compare:
op: eq op: eq
value: "640" value: "640"
set: true set: true
- flag: "600" - flag: "600"
compare: compare:
op: eq op: eq
value: "600" value: "600"
set: true set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chmod 644 /etc/origin/node/node.kubeconfig chmod 644 /etc/origin/node/node.kubeconfig
scored: true scored: true
- id: 8.2 - id: 8.2
text: "Verify the kubeconfig file ownership of root:root" text: "Verify the kubeconfig file ownership of root:root"
audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig" audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
compare: compare:
op: eq op: eq
value: root:root value: root:root
set: true set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chown root:root /etc/origin/node/node.kubeconfig chown root:root /etc/origin/node/node.kubeconfig
scored: true scored: true
- id: 8.3 - id: 8.3
text: "Verify the kubelet service file permissions of 644" text: "Verify the kubelet service file permissions of 644"
audit: "stat -c %a $nodesvc" audit: "stat -c %a $nodesvc"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true set: true
- flag: "640" - flag: "640"
compare: compare:
op: eq op: eq
value: "640" value: "640"
set: true set: true
- flag: "600" - flag: "600"
compare: compare:
op: eq op: eq
value: "600" value: "600"
set: true set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chmod 644 $nodesvc chmod 644 $nodesvc
scored: true scored: true
- id: 8.4 - id: 8.4
text: "Verify the kubelet service file ownership of root:root" text: "Verify the kubelet service file ownership of root:root"
audit: "stat -c %U:%G $nodesvc" audit: "stat -c %U:%G $nodesvc"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
compare: compare:
op: eq op: eq
value: root:root value: root:root
set: true set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chown root:root $nodesvc chown root:root $nodesvc
scored: true scored: true
- id: 8.5 - id: 8.5
text: "Verify the OpenShift default permissions for the proxy kubeconfig file" text: "Verify the OpenShift default permissions for the proxy kubeconfig file"
audit: "stat -c %a /etc/origin/node/node.kubeconfig" audit: "stat -c %a /etc/origin/node/node.kubeconfig"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true set: true
- flag: "640" - flag: "640"
compare: compare:
op: eq op: eq
value: "640" value: "640"
set: true set: true
- flag: "600" - flag: "600"
compare: compare:
op: eq op: eq
value: "600" value: "600"
set: true set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chmod 644 /etc/origin/node/node.kubeconfig chmod 644 /etc/origin/node/node.kubeconfig
scored: true scored: true
- id: 8.6 - id: 8.6
text: "Verify the proxy kubeconfig file ownership of root:root" text: "Verify the proxy kubeconfig file ownership of root:root"
audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig" audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
compare: compare:
op: eq op: eq
value: root:root value: root:root
set: true set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chown root:root /etc/origin/node/node.kubeconfig chown root:root /etc/origin/node/node.kubeconfig
scored: true scored: true
- id: 8.7 - id: 8.7
text: "Verify the OpenShift default permissions for the certificate authorities file." text: "Verify the OpenShift default permissions for the certificate authorities file."
audit: "stat -c %a /etc/origin/node/client-ca.crt" audit: "stat -c %a /etc/origin/node/client-ca.crt"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true set: true
- flag: "640" - flag: "640"
compare: compare:
op: eq op: eq
value: "640" value: "640"
set: true set: true
- flag: "600" - flag: "600"
compare: compare:
op: eq op: eq
value: "600" value: "600"
set: true set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chmod 644 /etc/origin/node/client-ca.crt chmod 644 /etc/origin/node/client-ca.crt
scored: true scored: true
- id: 8.8 - id: 8.8
text: "Verify the client certificate authorities file ownership of root:root" text: "Verify the client certificate authorities file ownership of root:root"
audit: "stat -c %U:%G /etc/origin/node/client-ca.crt" audit: "stat -c %U:%G /etc/origin/node/client-ca.crt"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
compare: compare:
op: eq op: eq
value: root:root value: root:root
set: true set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chown root:root /etc/origin/node/client-ca.crt chown root:root /etc/origin/node/client-ca.crt
scored: true scored: true

73
hack/debug.yaml
View File

@ -1,3 +1,4 @@
---
# use this pod with: kubectl run ubuntu -it --pid=host -- /bin/bash # use this pod with: kubectl run ubuntu -it --pid=host -- /bin/bash
# this allows you to debug what is running on the host. # this allows you to debug what is running on the host.
apiVersion: v1 apiVersion: v1
@ -7,40 +8,40 @@ metadata:
spec: spec:
hostPID: true hostPID: true
containers: containers:
- name: ubuntu - name: ubuntu
image: ubuntu image: ubuntu
command: [ "/bin/bash", "-c", "--" ] command: ["/bin/bash", "-c", "--"]
args: [ "while true; do sleep 30; done;" ] args: ["while true; do sleep 30; done;"]
volumeMounts: volumeMounts:
- name: var-lib-kubelet - name: var-lib-kubelet
mountPath: /var/lib/kubelet mountPath: /var/lib/kubelet
- name: etc-systemd - name: etc-systemd
mountPath: /etc/systemd mountPath: /etc/systemd
- name: etc-kubernetes - name: etc-kubernetes
mountPath: /etc/kubernetes mountPath: /etc/kubernetes
# /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version. # /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
# You can omit this mount if you specify --version as part of the command. # You can omit this mount if you specify --version as part of the command.
- name: usr-bin - name: usr-bin
mountPath: /usr/bin mountPath: /usr/bin
- name: kind-bin - name: kind-bin
mountPath: /kind/bin mountPath: /kind/bin
resources: resources:
limits: limits:
memory: "128Mi" memory: "128Mi"
cpu: "500m" cpu: "500m"
volumes: volumes:
- name: var-lib-kubelet - name: var-lib-kubelet
hostPath: hostPath:
path: "/var/lib/kubelet" path: "/var/lib/kubelet"
- name: etc-systemd - name: etc-systemd
hostPath: hostPath:
path: "/etc/systemd" path: "/etc/systemd"
- name: etc-kubernetes - name: etc-kubernetes
hostPath: hostPath:
path: "/etc/kubernetes" path: "/etc/kubernetes"
- name: usr-bin - name: usr-bin
hostPath: hostPath:
path: "/usr/bin" path: "/usr/bin"
- name: kind-bin - name: kind-bin
hostPath: hostPath:
path: "/kind/bin" path: "/kind/bin"

73
hack/kind.yaml
View File

@ -1,3 +1,4 @@
---
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
@ -10,41 +11,41 @@ spec:
spec: spec:
hostPID: true hostPID: true
containers: containers:
- name: kube-bench - name: kube-bench
image: aquasec/kube-bench:${VERSION} image: aquasec/kube-bench:${VERSION}
command: ["kube-bench"] command: ["kube-bench"]
volumeMounts: volumeMounts:
- name: var-lib-etcd - name: var-lib-etcd
mountPath: /var/lib/etcd mountPath: /var/lib/etcd
- name: var-lib-kubelet - name: var-lib-kubelet
mountPath: /var/lib/kubelet mountPath: /var/lib/kubelet
- name: etc-systemd - name: etc-systemd
mountPath: /etc/systemd mountPath: /etc/systemd
- name: etc-kubernetes - name: etc-kubernetes
mountPath: /etc/kubernetes mountPath: /etc/kubernetes
# /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version. # /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
# You can omit this mount if you specify --version as part of the command. # You can omit this mount if you specify --version as part of the command.
- name: usr-bin - name: usr-bin
mountPath: /usr/bin mountPath: /usr/bin
- name: kind-bin - name: kind-bin
mountPath: /kind/bin mountPath: /kind/bin
restartPolicy: Never restartPolicy: Never
volumes: volumes:
- name: var-lib-etcd - name: var-lib-etcd
hostPath: hostPath:
path: "/var/lib/etcd" path: "/var/lib/etcd"
- name: var-lib-kubelet - name: var-lib-kubelet
hostPath: hostPath:
path: "/var/lib/kubelet" path: "/var/lib/kubelet"
- name: etc-systemd - name: etc-systemd
hostPath: hostPath:
path: "/etc/systemd" path: "/etc/systemd"
- name: etc-kubernetes - name: etc-kubernetes
hostPath: hostPath:
path: "/etc/kubernetes" path: "/etc/kubernetes"
- name: usr-bin - name: usr-bin
hostPath: hostPath:
path: "/usr/bin" path: "/usr/bin"
- name: kind-bin - name: kind-bin
hostPath: hostPath:
path: "/kind/bin" path: "/kind/bin"

22
integration/testdata/add-tls-kind-k8s114.yaml vendored
View File

@ -1,19 +1,19 @@
---
apiVersion: kind.sigs.k8s.io/v1alpha3 apiVersion: kind.sigs.k8s.io/v1alpha3
kind: Cluster kind: Cluster
networking: networking:
apiServerAddress: "0.0.0.0" apiServerAddress: "0.0.0.0"
kubeadmConfigPatchesJson6902: kubeadmConfigPatchesJson6902:
- group: kubelet.config.k8s.io - group: kubelet.config.k8s.io
version: v1beta1 version: v1beta1
kind: KubeletConfiguration kind: KubeletConfiguration
patch: | patch: |
- op: add - op: add
path: /tlsCipherSuites path: /tlsCipherSuites
value: ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"] value: ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
nodes: nodes:
# the control plane node config # the control plane node config
- role: control-plane - role: control-plane
image: "kindest/node:v1.14.6" image: "kindest/node:v1.14.6"

42
job-eks.yaml
View File

@ -1,3 +1,4 @@
---
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
@ -7,26 +8,25 @@ spec:
spec: spec:
hostPID: true hostPID: true
containers: containers:
- name: kube-bench - name: kube-bench
# Push the image to your ECR and then refer to it here # Push the image to your ECR and then refer to it here
image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref> image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
command: ["kube-bench", "--version", "1.11"] command: ["kube-bench", "--version", "1.11"]
volumeMounts: volumeMounts:
- name: var-lib-kubelet - name: var-lib-kubelet
mountPath: /var/lib/kubelet mountPath: /var/lib/kubelet
- name: etc-systemd - name: etc-systemd
mountPath: /etc/systemd mountPath: /etc/systemd
- name: etc-kubernetes - name: etc-kubernetes
mountPath: /etc/kubernetes mountPath: /etc/kubernetes
restartPolicy: Never restartPolicy: Never
volumes: volumes:
- name: var-lib-kubelet - name: var-lib-kubelet
hostPath: hostPath:
path: "/var/lib/kubelet" path: "/var/lib/kubelet"
- name: etc-systemd - name: etc-systemd
hostPath: hostPath:
path: "/etc/systemd" path: "/etc/systemd"
- name: etc-kubernetes - name: etc-kubernetes
hostPath: hostPath:
path: "/etc/kubernetes" path: "/etc/kubernetes"

45
job-iks.yaml
View File

@ -1,3 +1,4 @@
---
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
@ -7,27 +8,27 @@ spec:
spec: spec:
hostPID: true hostPID: true
containers: containers:
- name: kube-bench - name: kube-bench
image: aquasec/kube-bench:latest image: aquasec/kube-bench:latest
command: ["kube-bench", "--version", "1.13", "node"] command: ["kube-bench", "--version", "1.13", "node"]
volumeMounts: volumeMounts:
- name: var-lib-kubelet - name: var-lib-kubelet
mountPath: /var/lib/kubelet mountPath: /var/lib/kubelet
- name: etc-systemd - name: etc-systemd
mountPath: /etc/systemd mountPath: /etc/systemd
- name: etc-kubernetes - name: etc-kubernetes
mountPath: /etc/kubernetes mountPath: /etc/kubernetes
restartPolicy: Never restartPolicy: Never
volumes: volumes:
- name: var-lib-kubelet - name: var-lib-kubelet
hostPath: hostPath:
path: "/var/lib/kubelet" path: "/var/lib/kubelet"
- name: etc-systemd - name: etc-systemd
hostPath: hostPath:
path: "/lib/systemd" path: "/lib/systemd"
- name: etc-kubernetes - name: etc-kubernetes
hostPath: hostPath:
path: "/etc/kubernetes" path: "/etc/kubernetes"
- name: usr-bin - name: usr-bin
hostPath: hostPath:
path: "/usr/bin" path: "/usr/bin"

49
job-master.yaml
View File

@ -1,3 +1,4 @@
---
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
@ -9,30 +10,30 @@ spec:
nodeSelector: nodeSelector:
node-role.kubernetes.io/master: "" node-role.kubernetes.io/master: ""
tolerations: tolerations:
- key: node-role.kubernetes.io/master - key: node-role.kubernetes.io/master
operator: Exists operator: Exists
effect: NoSchedule effect: NoSchedule
containers: containers:
- name: kube-bench - name: kube-bench
image: aquasec/kube-bench:latest image: aquasec/kube-bench:latest
command: ["kube-bench","master"] command: ["kube-bench", "master"]
volumeMounts: volumeMounts:
- name: var-lib-etcd - name: var-lib-etcd
mountPath: /var/lib/etcd mountPath: /var/lib/etcd
- name: etc-kubernetes - name: etc-kubernetes
mountPath: /etc/kubernetes mountPath: /etc/kubernetes
# /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version. # /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
# You can omit this mount if you specify --version as part of the command. # You can omit this mount if you specify --version as part of the command.
- name: usr-bin - name: usr-bin
mountPath: /usr/bin mountPath: /usr/bin
restartPolicy: Never restartPolicy: Never
volumes: volumes:
- name: var-lib-etcd - name: var-lib-etcd
hostPath: hostPath:
path: "/var/lib/etcd" path: "/var/lib/etcd"
- name: etc-kubernetes - name: etc-kubernetes
hostPath: hostPath:
path: "/etc/kubernetes" path: "/etc/kubernetes"
- name: usr-bin - name: usr-bin
hostPath: hostPath:
path: "/usr/bin" path: "/usr/bin"

53
job-node.yaml
View File

@ -1,3 +1,4 @@
---
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
@ -7,31 +8,31 @@ spec:
spec: spec:
hostPID: true hostPID: true
containers: containers:
- name: kube-bench - name: kube-bench
image: aquasec/kube-bench:latest image: aquasec/kube-bench:latest
command: ["kube-bench","node"] command: ["kube-bench", "node"]
volumeMounts: volumeMounts:
- name: var-lib-kubelet - name: var-lib-kubelet
mountPath: /var/lib/kubelet mountPath: /var/lib/kubelet
- name: etc-systemd - name: etc-systemd
mountPath: /etc/systemd mountPath: /etc/systemd
- name: etc-kubernetes - name: etc-kubernetes
mountPath: /etc/kubernetes mountPath: /etc/kubernetes
# /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version. # /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
# You can omit this mount if you specify --version as part of the command. # You can omit this mount if you specify --version as part of the command.
- name: usr-bin - name: usr-bin
mountPath: /usr/bin mountPath: /usr/bin
restartPolicy: Never restartPolicy: Never
volumes: volumes:
- name: var-lib-kubelet - name: var-lib-kubelet
hostPath: hostPath:
path: "/var/lib/kubelet" path: "/var/lib/kubelet"
- name: etc-systemd - name: etc-systemd
hostPath: hostPath:
path: "/etc/systemd" path: "/etc/systemd"
- name: etc-kubernetes - name: etc-kubernetes
hostPath: hostPath:
path: "/etc/kubernetes" path: "/etc/kubernetes"
- name: usr-bin - name: usr-bin
hostPath: hostPath:
path: "/usr/bin" path: "/usr/bin"

63
job.yaml
View File

@ -1,3 +1,4 @@
---
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
@ -10,36 +11,36 @@ spec:
spec: spec:
hostPID: true hostPID: true
containers: containers:
- name: kube-bench - name: kube-bench
image: aquasec/kube-bench:latest image: aquasec/kube-bench:latest
command: ["kube-bench"] command: ["kube-bench"]
volumeMounts: volumeMounts:
- name: var-lib-etcd - name: var-lib-etcd
mountPath: /var/lib/etcd mountPath: /var/lib/etcd
- name: var-lib-kubelet - name: var-lib-kubelet
mountPath: /var/lib/kubelet mountPath: /var/lib/kubelet
- name: etc-systemd - name: etc-systemd
mountPath: /etc/systemd mountPath: /etc/systemd
- name: etc-kubernetes - name: etc-kubernetes
mountPath: /etc/kubernetes mountPath: /etc/kubernetes
# /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version. # /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
# You can omit this mount if you specify --version as part of the command. # You can omit this mount if you specify --version as part of the command.
- name: usr-bin - name: usr-bin
mountPath: /usr/bin mountPath: /usr/bin
restartPolicy: Never restartPolicy: Never
volumes: volumes:
- name: var-lib-etcd - name: var-lib-etcd
hostPath: hostPath:
path: "/var/lib/etcd" path: "/var/lib/etcd"
- name: var-lib-kubelet - name: var-lib-kubelet
hostPath: hostPath:
path: "/var/lib/kubelet" path: "/var/lib/kubelet"
- name: etc-systemd - name: etc-systemd
hostPath: hostPath:
path: "/etc/systemd" path: "/etc/systemd"
- name: etc-kubernetes - name: etc-kubernetes
hostPath: hostPath:
path: "/etc/kubernetes" path: "/etc/kubernetes"
- name: usr-bin - name: usr-bin
hostPath: hostPath:
path: "/usr/bin" path: "/usr/bin"