@ -5,501 +5,501 @@ id: 4
text : "Worker Node Security Configuration"
text : "Worker Node Security Configuration"
type : "node"
type : "node"
groups:
groups:
- id : 4.1
- id : 4.1
text : "Worker Node Configuration Files"
text : "Worker Node Configuration Files"
checks:
checks:
- id : 4.1 .1
- id : 4.1 .1
text : "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)"
text : "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)"
audit : '/bin/sh -c ' 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi' ' '
audit : '/bin/sh -c ' 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi' ' '
tests:
tests:
test_items:
test_items:
- flag : "644"
- flag : "644"
set : true
set : true
compare:
compare:
op : eq
op : eq
value : "644"
value : "644"
- flag : "640"
- flag : "640"
set : true
set : true
compare:
compare:
op : eq
op : eq
value : "640"
value : "640"
- flag : "600"
- flag : "600"
set : true
set : true
compare:
compare:
op : eq
op : eq
value : "600"
value : "600"
bin_op : or
bin_op : or
remediation : |
remediation : |
Run the below command (based on the file location on your system) on the each worker node.
Run the below command (based on the file location on your system) on the each worker node.
For example,
For example,
chmod 644 $kubeletsvc
chmod 644 $kubeletsvc
scored : true
scored : true
- id : 4.1 .2
- id : 4.1 .2
text : "Ensure that the kubelet service file ownership is set to root:root (Scored)"
text : "Ensure that the kubelet service file ownership is set to root:root (Scored)"
audit : '/bin/sh -c ' 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi' ' '
audit : '/bin/sh -c ' 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi' ' '
tests:
tests:
test_items:
test_items:
- flag : root:root
- flag : root:root
set : true
set : true
remediation : |
remediation : |
Run the below command (based on the file location on your system) on the each worker node.
Run the below command (based on the file location on your system) on the each worker node.
For example,
For example,
chown root:root $kubeletsvc
chown root:root $kubeletsvc
scored : true
scored : true
- id : 4.1 .3
- id : 4.1 .3
text : "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
text : "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
audit : '/bin/sh -c ' 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi' ' '
audit : '/bin/sh -c ' 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi' ' '
tests:
tests:
test_items:
test_items:
- flag : "644"
- flag : "644"
set : true
set : true
compare:
compare:
op : eq
op : eq
value : "644"
value : "644"
- flag : "640"
- flag : "640"
set : true
set : true
compare:
compare:
op : eq
op : eq
value : "640"
value : "640"
- flag : "600"
- flag : "600"
set : true
set : true
compare:
compare:
op : eq
op : eq
value : "600"
value : "600"
bin_op : or
bin_op : or
remediation : |
remediation : |
Run the below command (based on the file location on your system) on the each worker node.
Run the below command (based on the file location on your system) on the each worker node.
For example,
For example,
chmod 644 $proykubeconfig
chmod 644 $proykubeconfig
scored : true
scored : true
- id : 4.1 .4
- id : 4.1 .4
text : "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
text : "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
audit : '/bin/sh -c ' 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi' ' '
audit : '/bin/sh -c ' 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi' ' '
tests:
tests:
test_items:
test_items:
- flag : root:root
- flag : root:root
set : true
set : true
remediation : |
remediation : |
Run the below command (based on the file location on your system) on the each worker node.
Run the below command (based on the file location on your system) on the each worker node.
For example, chown root:root $proxykubeconfig
For example, chown root:root $proxykubeconfig
scored : true
scored : true
- id : 4.1 .5
- id : 4.1 .5
text : "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)"
text : "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)"
audit : '/bin/sh -c ' 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi' ' '
audit : '/bin/sh -c ' 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi' ' '
tests:
tests:
test_items:
test_items:
- flag : "644"
- flag : "644"
set : true
set : true
compare:
compare:
op : eq
op : eq
value : "644"
value : "644"
- flag : "640"
- flag : "640"
set : true
set : true
compare:
compare:
op : eq
op : eq
value : "640"
value : "640"
- flag : "600"
- flag : "600"
set : true
set : true
compare:
compare:
op : eq
op : eq
value : "600"
value : "600"
bin_op : or
bin_op : or
remediation : |
remediation : |
Run the below command (based on the file location on your system) on the each worker node.
Run the below command (based on the file location on your system) on the each worker node.
For example,
For example,
chmod 644 $kubeletkubeconfig
chmod 644 $kubeletkubeconfig
scored : true
scored : true
- id : 4.1 .6
- id : 4.1 .6
text : "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
text : "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
audit : '/bin/sh -c ' 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi' ' '
audit : '/bin/sh -c ' 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi' ' '
tests:
tests:
test_items:
test_items:
- flag : root:root
- flag : root:root
set : true
set : true
compare:
compare:
op : eq
op : eq
value : root:root
value : root:root
remediation : |
remediation : |
Run the below command (based on the file location on your system) on the each worker node.
Run the below command (based on the file location on your system) on the each worker node.
For example,
For example,
chown root:root $kubeletkubeconfig
chown root:root $kubeletkubeconfig
scored : true
scored : true
- id : 4.1 .7
- id : 4.1 .7
text : "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)"
text : "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)"
types : "manual"
types : "manual"
remediation : |
remediation : |
Run the following command to modify the file permissions of the
Run the following command to modify the file permissions of the
--client-ca-file chmod 644 <filename>
--client-ca-file chmod 644 <filename>
scored : true
scored : true
- id : 4.1 .8
- id : 4.1 .8
text : "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
text : "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
audit : '/bin/sh -c ' 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi' ' '
audit : '/bin/sh -c ' 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi' ' '
tests:
tests:
test_items:
test_items:
- flag : root:root
- flag : root:root
set : true
set : true
compare:
compare:
op : eq
op : eq
value : root:root
value : root:root
remediation : |
remediation : |
Run the following command to modify the ownership of the --client-ca-file.
Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>
chown root:root <filename>
scored : true
scored : true
- id : 4.1 .9
- id : 4.1 .9
text : "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
text : "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
audit : '/bin/sh -c ' 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi' ' '
audit : '/bin/sh -c ' 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi' ' '
tests:
tests:
test_items:
test_items:
- flag : "644"
- flag : "644"
set : true
set : true
compare:
compare:
op : eq
op : eq
value : "644"
value : "644"
- flag : "640"
- flag : "640"
set : true
set : true
compare:
compare:
op : eq
op : eq
value : "640"
value : "640"
- flag : "600"
- flag : "600"
set : true
set : true
compare:
compare:
op : eq
op : eq
value : "600"
value : "600"
bin_op : or
bin_op : or
remediation : |
remediation : |
Run the following command (using the config file location identied in the Audit step)
Run the following command (using the config file location identied in the Audit step)
chmod 644 $kubeletconf
chmod 644 $kubeletconf
scored : true
scored : true
- id : 4.1 .10
- id : 4.1 .10
text : "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
text : "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
audit : '/bin/sh -c ' 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi' ' '
audit : '/bin/sh -c ' 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi' ' '
tests:
tests:
test_items:
test_items:
- flag : root:root
- flag : root:root
set : true
set : true
remediation : |
remediation : |
Run the following command (using the config file location identied in the Audit step)
Run the following command (using the config file location identied in the Audit step)
chown root:root $kubeletconf
chown root:root $kubeletconf
scored : true
scored : true
- id : 4.2
- id : 4.2
text : "Kubelet"
text : "Kubelet"
checks:
checks:
- id : 4.2 .1
- id : 4.2 .1
text : "Ensure that the --anonymous-auth argument is set to false (Scored)"
text : "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit : "/bin/ps -fC $kubeletbin"
audit : "/bin/ps -fC $kubeletbin"
audit_config : "/bin/cat $kubeletconf"
audit_config : "/bin/cat $kubeletconf"
tests:
tests:
test_items:
test_items:
- flag : "--anonymous-auth"
- flag : "--anonymous-auth"
path : '{.authentication.anonymous.enabled}'
path : '{.authentication.anonymous.enabled}'
set : true
set : true
compare:
compare:
op : eq
op : eq
value : false
value : false
remediation : |
remediation : |
If using a Kubelet config file, edit the file to set authentication: anonymous : enabled to
If using a Kubelet config file, edit the file to set authentication: anonymous : enabled to
false .
false .
If using executable arguments, edit the kubelet service file
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
--anonymous-auth=false
Based on your system, restart the kubelet service. For example :
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl daemon-reload
systemctl restart kubelet.service
systemctl restart kubelet.service
scored : true
scored : true
- id : 4.2 .2
- id : 4.2 .2
text : "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
text : "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit : "/bin/ps -fC $kubeletbin"
audit : "/bin/ps -fC $kubeletbin"
audit_config : "/bin/cat $kubeletconf"
audit_config : "/bin/cat $kubeletconf"
tests:
tests:
test_items:
test_items:
- flag : --authorization-mode
- flag : --authorization-mode
path : '{.authorization.mode}'
path : '{.authorization.mode}'
set : true
set : true
compare:
compare:
op : nothave
op : nothave
value : AlwaysAllow
value : AlwaysAllow
remediation : |
remediation : |
If using a Kubelet config file, edit the file to set authorization : mode to Webhook. If
If using a Kubelet config file, edit the file to set authorization : mode to Webhook. If
using executable arguments, edit the kubelet service file
using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook
--authorization-mode=Webhook
Based on your system, restart the kubelet service. For example :
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl daemon-reload
systemctl restart kubelet.service
systemctl restart kubelet.service
scored : true
scored : true
- id : 4.2 .3
- id : 4.2 .3
text : "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
text : "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
audit : "/bin/ps -fC $kubeletbin"
audit : "/bin/ps -fC $kubeletbin"
audit_config : "/bin/cat $kubeletconf"
audit_config : "/bin/cat $kubeletconf"
tests:
tests:
test_items:
test_items:
- flag : --client-ca-file
- flag : --client-ca-file
path : '{.authentication.x509.clientCAFile}'
path : '{.authentication.x509.clientCAFile}'
set : true
set : true
remediation : |
remediation : |
If using a Kubelet config file, edit the file to set authentication: x509 : clientCAFile to
If using a Kubelet config file, edit the file to set authentication: x509 : clientCAFile to
the location of the client CA file.
the location of the client CA file.
If using command line arguments, edit the kubelet service file
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--client-ca-file=<path/to/client-ca-file>
--client-ca-file=<path/to/client-ca-file>
Based on your system, restart the kubelet service. For example :
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl daemon-reload
systemctl restart kubelet.service
systemctl restart kubelet.service
scored : true
scored : true
- id : 4.2 .4
- id : 4.2 .4
text : "Ensure that the --read-only-port argument is set to 0 (Scored)"
text : "Ensure that the --read-only-port argument is set to 0 (Scored)"
audit : "/bin/ps -fC $kubeletbin"
audit : "/bin/ps -fC $kubeletbin"
audit_config : "/bin/cat $kubeletconf"
audit_config : "/bin/cat $kubeletconf"
tests:
tests:
test_items:
test_items:
- flag : "--read-only-port"
- flag : "--read-only-port"
path : '{.readOnlyPort}'
path : '{.readOnlyPort}'
set : true
set : true
compare:
compare:
op : eq
op : eq
value : 0
value : 0
remediation : |
remediation : |
If using a Kubelet config file, edit the file to set readOnlyPort to 0.
If using a Kubelet config file, edit the file to set readOnlyPort to 0.
If using command line arguments, edit the kubelet service file
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
--read-only-port=0
Based on your system, restart the kubelet service. For example :
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl daemon-reload
systemctl restart kubelet.service
systemctl restart kubelet.service
scored : true
scored : true
- id : 4.2 .5
- id : 4.2 .5
text : "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
text : "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
audit : "/bin/ps -fC $kubeletbin"
audit : "/bin/ps -fC $kubeletbin"
audit_config : "/bin/cat $kubeletconf"
audit_config : "/bin/cat $kubeletconf"
tests:
tests:
test_items:
test_items:
- flag : --streaming-connection-idle-timeout
- flag : --streaming-connection-idle-timeout
path : '{.streamingConnectionIdleTimeout}'
path : '{.streamingConnectionIdleTimeout}'
set : true
set : true
compare:
compare:
op : noteq
op : noteq
value : 0
value : 0
- flag : --streaming-connection-idle-timeout
- flag : --streaming-connection-idle-timeout
path : '{.streamingConnectionIdleTimeout}'
path : '{.streamingConnectionIdleTimeout}'
set : false
set : false
bin_op : or
bin_op : or
remediation : |
remediation : |
If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
value other than 0.
value other than 0.
If using command line arguments, edit the kubelet service file
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--streaming-connection-idle-timeout=5m
--streaming-connection-idle-timeout=5m
Based on your system, restart the kubelet service. For example :
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl daemon-reload
systemctl restart kubelet.service
systemctl restart kubelet.service
scored : true
scored : true
- id : 4.2 .6
- id : 4.2 .6
text : "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
text : "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
audit : "/bin/ps -fC $kubeletbin"
audit : "/bin/ps -fC $kubeletbin"
audit_config : "/bin/cat $kubeletconf"
audit_config : "/bin/cat $kubeletconf"
tests:
tests:
test_items:
test_items:
- flag : --protect-kernel-defaults
- flag : --protect-kernel-defaults
path : '{.protectKernelDefaults}'
path : '{.protectKernelDefaults}'
set : true
set : true
compare:
compare:
op : eq
op : eq
value : true
value : true
remediation : |
remediation : |
If using a Kubelet config file, edit the file to set protectKernelDefaults : true .
If using a Kubelet config file, edit the file to set protectKernelDefaults : true .
If using command line arguments, edit the kubelet service file
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example :
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl daemon-reload
systemctl restart kubelet.service
systemctl restart kubelet.service
scored : true
scored : true
- id : 4.2 .7
- id : 4.2 .7
text : "Ensure that the --make-iptables-util-chains argument is set to true (Scored) "
text : "Ensure that the --make-iptables-util-chains argument is set to true (Scored) "
audit : "/bin/ps -fC $kubeletbin"
audit : "/bin/ps -fC $kubeletbin"
audit_config : "/bin/cat $kubeletconf"
audit_config : "/bin/cat $kubeletconf"
tests:
tests:
test_items:
test_items:
- flag : --make-iptables-util-chains
- flag : --make-iptables-util-chains
path : '{.makeIPTablesUtilChains}'
path : '{.makeIPTablesUtilChains}'
set : true
set : true
compare:
compare:
op : eq
op : eq
value : true
value : true
- flag : --make-iptables-util-chains
- flag : --make-iptables-util-chains
path : '{.makeIPTablesUtilChains}'
path : '{.makeIPTablesUtilChains}'
set : false
set : false
bin_op : or
bin_op : or
remediation : |
remediation : |
If using a Kubelet config file, edit the file to set makeIPTablesUtilChains : true .
If using a Kubelet config file, edit the file to set makeIPTablesUtilChains : true .
If using command line arguments, edit the kubelet service file
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
$kubeletsvc on each worker node and
remove the --make-iptables-util-chains argument from the
remove the --make-iptables-util-chains argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example :
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl daemon-reload
systemctl restart kubelet.service
systemctl restart kubelet.service
scored : true
scored : true
- id : 4.2 .8
- id : 4.2 .8
text : "Ensure that the --hostname-override argument is not set (Not Scored)"
text : "Ensure that the --hostname-override argument is not set (Not Scored)"
# This is one of those properties that can only be set as a command line argument.
# This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command
# To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
# instead reading the Kubelet Configuration file.
audit : "/bin/ps -fC $kubeletbin "
audit : "/bin/ps -fC $kubeletbin "
tests:
tests:
test_items:
test_items:
- flag : --hostname-override
- flag : --hostname-override
set : false
set : false
remediation : |
remediation : |
Edit the kubelet service file $kubeletsvc
Edit the kubelet service file $kubeletsvc
on each worker node and remove the --hostname-override argument from the
on each worker node and remove the --hostname-override argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example :
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl daemon-reload
systemctl restart kubelet.service
systemctl restart kubelet.service
scored : false
scored : false
- id : 4.2 .9
- id : 4.2 .9
text : "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Not Scored)"
text : "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Not Scored)"
audit : "/bin/ps -fC $kubeletbin"
audit : "/bin/ps -fC $kubeletbin"
audit_config : "/bin/cat $kubeletconf"
audit_config : "/bin/cat $kubeletconf"
tests:
tests:
test_items:
test_items:
- flag : --event-qps
- flag : --event-qps
path : '{.eventRecordQPS}'
path : '{.eventRecordQPS}'
set : true
set : true
compare:
compare:
op : eq
op : eq
value : 0
value : 0
remediation : |
remediation : |
If using a Kubelet config file, edit the file to set eventRecordQPS : to an appropriate level.
If using a Kubelet config file, edit the file to set eventRecordQPS : to an appropriate level.
If using command line arguments, edit the kubelet service file
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example :
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl daemon-reload
systemctl restart kubelet.service
systemctl restart kubelet.service
scored : false
scored : false
- id : 4.2 .10
- id : 4.2 .10
text : "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
text : "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit : "/bin/ps -fC $kubeletbin"
audit : "/bin/ps -fC $kubeletbin"
audit_config : "/bin/cat $kubeletconf"
audit_config : "/bin/cat $kubeletconf"
tests:
tests:
test_items:
test_items:
- flag : --tls-cert-file
- flag : --tls-cert-file
path : '{.tlsCertFile}'
path : '{.tlsCertFile}'
set : true
set : true
- flag : --tls-private-key-file
- flag : --tls-private-key-file
path : '{.tlsPrivateKeyFile}'
path : '{.tlsPrivateKeyFile}'
set : true
set : true
remediation : |
remediation : |
If using a Kubelet config file, edit the file to set tlsCertFile to the location
If using a Kubelet config file, edit the file to set tlsCertFile to the location
of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile
of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile
to the location of the corresponding private key file.
to the location of the corresponding private key file.
If using command line arguments, edit the kubelet service file
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
$kubeletsvc on each worker node and
set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
--tls-cert-file=<path/to/tls-certificate-file>
--tls-cert-file=<path/to/tls-certificate-file>
--tls-private-key-file=<path/to/tls-key-file>
--tls-private-key-file=<path/to/tls-key-file>
Based on your system, restart the kubelet service. For example :
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl daemon-reload
systemctl restart kubelet.service
systemctl restart kubelet.service
scored : true
scored : true
- id : 4.2 .11
- id : 4.2 .11
text : "Ensure that the --rotate-certificates argument is not set to false (Scored)"
text : "Ensure that the --rotate-certificates argument is not set to false (Scored)"
audit : "/bin/ps -fC $kubeletbin"
audit : "/bin/ps -fC $kubeletbin"
audit_config : "/bin/cat $kubeletconf"
audit_config : "/bin/cat $kubeletconf"
tests:
tests:
test_items:
test_items:
- flag : --rotate-certificates
- flag : --rotate-certificates
path : '{.rotateCertificates}'
path : '{.rotateCertificates}'
set : true
set : true
compare:
compare:
op : eq
op : eq
value : true
value : true
- flag : --rotate-certificates
- flag : --rotate-certificates
path : '{.rotateCertificates}'
path : '{.rotateCertificates}'
set : false
set : false
bin_op : or
bin_op : or
remediation : |
remediation : |
If using a Kubelet config file, edit the file to add the line rotateCertificates : true or
If using a Kubelet config file, edit the file to add the line rotateCertificates : true or
remove it altogether to use the default value.
remove it altogether to use the default value.
If using command line arguments, edit the kubelet service file
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
$kubeletsvc on each worker node and
remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
variable.
variable.
Based on your system, restart the kubelet service. For example :
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl daemon-reload
systemctl restart kubelet.service
systemctl restart kubelet.service
scored : true
scored : true
- id : 4.2 .12
- id : 4.2 .12
text : "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
text : "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
audit : "/bin/ps -fC $kubeletbin"
audit : "/bin/ps -fC $kubeletbin"
audit_config : "/bin/cat $kubeletconf"
audit_config : "/bin/cat $kubeletconf"
tests:
tests:
test_items:
test_items:
- flag : RotateKubeletServerCertificate
- flag : RotateKubeletServerCertificate
path : '{.featureGates.RotateKubeletServerCertificate}'
path : '{.featureGates.RotateKubeletServerCertificate}'
set : true
set : true
compare:
compare:
op : eq
op : eq
value : true
value : true
remediation : |
remediation : |
Edit the kubelet service file $kubeletsvc
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
--feature-gates=RotateKubeletServerCertificate=true
--feature-gates=RotateKubeletServerCertificate=true
Based on your system, restart the kubelet service. For example :
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl daemon-reload
systemctl restart kubelet.service
systemctl restart kubelet.service
scored : true
scored : true
- id : 4.2 .13
- id : 4.2 .13
text : "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
text : "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
audit : "/bin/ps -fC $kubeletbin"
audit : "/bin/ps -fC $kubeletbin"
audit_config : "/bin/cat $kubeletconf"
audit_config : "/bin/cat $kubeletconf"
tests:
tests:
test_items:
test_items:
- flag : --tls-cipher-suites
- flag : --tls-cipher-suites
path : '{range .tlsCipherSuites[:]}{}{' ',' '}{end}'
path : '{range .tlsCipherSuites[:]}{}{' ',' '}{end}'
set : true
set : true
compare:
compare:
op : valid_elements
op : valid_elements
value : TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
value : TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
remediation : |
remediation : |
If using a Kubelet config file, edit the file to set TLSCipherSuites : to
If using a Kubelet config file, edit the file to set TLSCipherSuites : to
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
or to a subset of these values.
or to a subset of these values.
If using executable arguments, edit the kubelet service file
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
$kubeletsvc on each worker node and
set the --tls-cipher-suites parameter as follows, or to a subset of these values.
set the --tls-cipher-suites parameter as follows, or to a subset of these values.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
Based on your system, restart the kubelet service. For example :
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl daemon-reload
systemctl restart kubelet.service
systemctl restart kubelet.service
scored : false
scored : false
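Review bot: this hunk only normalizes `For example :` to `For example:`, but the same remediation blocks carry defects that matter more than the spacing and should go in with it. In 4.1.3 the remediation runs `chmod 644 $proykubeconfig`, while the audit for 4.1.3 and 4.1.4 uses `$proxykubeconfig`; as written the command never touches the kubeconfig, so fix the variable name. 4.1.9 and 4.1.10 read "location identied in the Audit step" (should be "identified"), and the 4.1.x blocks repeat "on the each worker node" (drop "the"). In 4.2.9 the remediation ends with "set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable." and no parameter follows, unlike every other 4.2 check, which lists the flag on the next line; add `--event-qps=<value>` there (0 if you want it to match the value the test asserts). 4.1.7 is the only check with a `types: "manual"` key and has no `audit:` or `tests:` yet is `scored: true`; please confirm that key name is what the loader expects, since a misspelled key would leave a scored check with nothing to evaluate. Last, 4.2.13's remediation names the config key `TLSCipherSuites` while its own test path is `{.tlsCipherSuites[:]}`; the lowercase form from the path is the one to use in the file.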