mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-22 16:18:07 +00:00
Update new cis configurations
This commit is contained in:
parent
53bc12229a
commit
865ce7cb54
@ -64,7 +64,7 @@ groups:
|
||||
text: "Kubelet"
|
||||
checks:
|
||||
- id: 3.2.1
|
||||
text: "Ensure that the --anonymous-auth argument is set to false (Manual)"
|
||||
text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
@ -84,10 +84,10 @@ groups:
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: false
|
||||
scored: true
|
||||
|
||||
- id: 3.2.2
|
||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Manual)"
|
||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
@ -106,10 +106,10 @@ groups:
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: false
|
||||
scored: true
|
||||
|
||||
- id: 3.2.3
|
||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Manual)"
|
||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
@ -127,7 +127,7 @@ groups:
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: false
|
||||
scored: true
|
||||
|
||||
- id: 3.2.4
|
||||
text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
|
||||
@ -153,7 +153,7 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 3.2.5
|
||||
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
|
||||
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
@ -178,10 +178,10 @@ groups:
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: false
|
||||
scored: true
|
||||
|
||||
- id: 3.2.6
|
||||
text: "Ensure that the --make-iptables-util-chains argument is set to true (Manual) "
|
||||
text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated) "
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
@ -205,7 +205,7 @@ groups:
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: false
|
||||
scored: true
|
||||
|
||||
- id: 3.2.7
|
||||
text: "Ensure that the --hostname-override argument is not set (Manual)"
|
||||
@ -227,7 +227,7 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 3.2.8
|
||||
text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)"
|
||||
text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
@ -246,10 +246,10 @@ groups:
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: false
|
||||
scored: true
|
||||
|
||||
- id: 3.2.9
|
||||
text: "Ensure that the --rotate-certificates argument is not set to false (Manual)"
|
||||
text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
@ -274,7 +274,7 @@ groups:
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: false
|
||||
scored: true
|
||||
|
||||
- id: 3.2.10
|
||||
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)"
|
||||
|
@ -60,74 +60,66 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 4.2
|
||||
text: "Pod Security Policies"
|
||||
text: "Pod Security Standards"
|
||||
checks:
|
||||
- id: 4.2.1
|
||||
text: "Minimize the admission of privileged containers (Automated)"
|
||||
text: "Minimize the admission of privileged containers (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that
|
||||
the .spec.privileged field is omitted or set to false.
|
||||
Add policies to each namespace in the cluster which has user workloads
|
||||
to restrict the admission of privileged containers.
|
||||
scored: false
|
||||
|
||||
- id: 4.2.2
|
||||
text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)"
|
||||
text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
.spec.hostPID field is omitted or set to false.
|
||||
Add policies to each namespace in the cluster which has user workloads
|
||||
to restrict the admission of hostPID containers.
|
||||
scored: false
|
||||
|
||||
- id: 4.2.3
|
||||
text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)"
|
||||
text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
.spec.hostIPC field is omitted or set to false.
|
||||
Add policies to each namespace in the cluster which has user workloads
|
||||
to restrict the admission of hostIPC containers.
|
||||
scored: false
|
||||
|
||||
- id: 4.2.4
|
||||
text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
|
||||
text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
.spec.hostNetwork field is omitted or set to false.
|
||||
Add policies to each namespace in the cluster which has user workloads
|
||||
to restrict the admission of hostNetwork containers.
|
||||
scored: false
|
||||
|
||||
- id: 4.2.5
|
||||
text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)"
|
||||
text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
.spec.allowPrivilegeEscalation field is omitted or set to false.
|
||||
Add policies to each namespace in the cluster which has user workloads
|
||||
to restrict the admission of containers with .spec.allowPrivilegeEscalation set to true.
|
||||
scored: false
|
||||
|
||||
- id: 4.2.6
|
||||
text: "Minimize the admission of root containers (Automated)"
|
||||
text: "Minimize the admission of root containers (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
.spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of
|
||||
UIDs not including 0.
|
||||
Create a policy for each namespace in the cluster,
|
||||
ensuring that either MustRunAsNonRoot or MustRunAs
|
||||
with the range of UIDs not including 0, is set.
|
||||
scored: false
|
||||
|
||||
- id: 4.2.7
|
||||
text: "Minimize the admission of containers with the NET_RAW capability (Automated)"
|
||||
text: "Minimize the admission of containers with added capabilities (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
.spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
|
||||
scored: false
|
||||
|
||||
- id: 4.2.8
|
||||
text: "Minimize the admission of containers with added capabilities (Automated)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Ensure that allowedCapabilities is not present in PSPs for the cluster unless
|
||||
Ensure that allowedCapabilities is not present in policies for the cluster unless
|
||||
it is set to an empty array.
|
||||
scored: false
|
||||
|
||||
- id: 4.2.9
|
||||
- id: 4.2.8
|
||||
text: "Minimize the admission of containers with capabilities assigned (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
|
@ -79,7 +79,7 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 5.3
|
||||
text: "AWS Key Management Service (KMS)"
|
||||
text: "AWS EKS Key Management Service (KMS)"
|
||||
checks:
|
||||
- id: 5.3.1
|
||||
text: "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Manual)"
|
||||
@ -95,25 +95,25 @@ groups:
|
||||
text: "Cluster Networking"
|
||||
checks:
|
||||
- id: 5.4.1
|
||||
text: "Restrict Access to the Control Plane Endpoint (Manual)"
|
||||
text: "Restrict Access to the Control Plane Endpoint (Automated)"
|
||||
type: "manual"
|
||||
remediation: "No remediation"
|
||||
scored: false
|
||||
|
||||
- id: 5.4.2
|
||||
text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
|
||||
text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Automated)"
|
||||
type: "manual"
|
||||
remediation: "No remediation"
|
||||
scored: false
|
||||
|
||||
- id: 5.4.3
|
||||
text: "Ensure clusters are created with Private Nodes (Manual)"
|
||||
text: "Ensure clusters are created with Private Nodes (Automated)"
|
||||
type: "manual"
|
||||
remediation: "No remediation"
|
||||
scored: false
|
||||
|
||||
- id: 5.4.4
|
||||
text: "Ensure Network Policy is Enabled and set as appropriate (Manual)"
|
||||
text: "Ensure Network Policy is Enabled and set as appropriate (Automated)"
|
||||
type: "manual"
|
||||
remediation: "No remediation"
|
||||
scored: false
|
||||
|
@ -111,7 +111,7 @@ groups:
|
||||
scored: true
|
||||
|
||||
- id: 3.2.3
|
||||
text: "Ensure that a Client CA File is Configured (Manual)"
|
||||
text: "Ensure that a Client CA File is Configured (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
@ -129,7 +129,7 @@ groups:
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: false
|
||||
scored: true
|
||||
|
||||
- id: 3.2.4
|
||||
text: "Ensure that the --read-only-port is disabled (Manual)"
|
||||
@ -248,7 +248,7 @@ groups:
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: false
|
||||
scored: true
|
||||
|
||||
- id: 3.2.9
|
||||
text: "Ensure that the --rotate-certificates argument is not present or is set to true (Manual)"
|
||||
@ -279,7 +279,7 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 3.2.10
|
||||
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)"
|
||||
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
@ -297,7 +297,7 @@ groups:
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: false
|
||||
scored: true
|
||||
- id: 3.3
|
||||
text: "Container Optimized OS"
|
||||
checks:
|
||||
|
@ -74,62 +74,61 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 4.2
|
||||
text: "Pod Security Policies"
|
||||
text: "Pod Security Standards"
|
||||
checks:
|
||||
- id: 4.2.1
|
||||
text: "Minimize the admission of privileged containers (Automated)"
|
||||
text: "Minimize the admission of privileged containers (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that
|
||||
the .spec.privileged field is omitted or set to false.
|
||||
Add policies to each namespace in the cluster which has user workloads
|
||||
to restrict the admission of privileged containers.
|
||||
scored: false
|
||||
|
||||
- id: 4.2.2
|
||||
text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)"
|
||||
text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
.spec.hostPID field is omitted or set to false.
|
||||
Add policies to each namespace in the cluster which has user workloads
|
||||
to restrict the admission of hostPID containers.
|
||||
scored: false
|
||||
|
||||
- id: 4.2.3
|
||||
text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)"
|
||||
text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
.spec.hostIPC field is omitted or set to false.
|
||||
Add policies to each namespace in the cluster which has user workloads
|
||||
to restrict the admission of hostIPC containers.
|
||||
scored: false
|
||||
|
||||
- id: 4.2.4
|
||||
text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
|
||||
text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
.spec.hostNetwork field is omitted or set to false.
|
||||
Add policies to each namespace in the cluster which has user workloads
|
||||
to restrict the admission of hostNetwork containers.
|
||||
scored: false
|
||||
|
||||
- id: 4.2.5
|
||||
text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)"
|
||||
text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
.spec.allowPrivilegeEscalation field is omitted or set to false.
|
||||
Add policies to each namespace in the cluster which has user workloads
|
||||
to restrict the admission of containers with .spec.allowPrivilegeEscalation set to true.
|
||||
scored: false
|
||||
|
||||
- id: 4.2.6
|
||||
text: "Minimize the admission of root containers (Automated)"
|
||||
text: "Minimize the admission of root containers (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
.spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of
|
||||
UIDs not including 0.
|
||||
Create a policy for each namespace in the cluster, ensuring
|
||||
that either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0, is set.
|
||||
scored: false
|
||||
|
||||
- id: 4.2.7
|
||||
text: "Minimize the admission of containers with added capabilities (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Ensure that allowedCapabilities is not present in PSPs for the cluster unless
|
||||
Ensure that allowedCapabilities is not present in policies for the cluster unless
|
||||
it is set to an empty array.
|
||||
scored: false
|
||||
|
||||
@ -138,8 +137,8 @@ groups:
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Review the use of capabilities in applications running on your cluster. Where a namespace
|
||||
contains applications which do not require any Linux capabities to operate consider adding
|
||||
a PSP which forbids the admission of containers which do not drop all capabilities.
|
||||
contains applications which do not require any Linux capabilities to operate consider adding
|
||||
a policy which forbids the admission of containers which do not drop all capabilities.
|
||||
scored: false
|
||||
|
||||
- id: 4.3
|
||||
|
@ -10,7 +10,7 @@ groups:
|
||||
checks:
|
||||
- id: 5.1.1
|
||||
text: "Ensure Image Vulnerability Scanning using GCR Container Analysis
|
||||
or a third-party provider (Manual)"
|
||||
or a third-party provider (Automated)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Using Command Line:
|
||||
@ -102,7 +102,7 @@ groups:
|
||||
checks:
|
||||
- id: 5.2.1
|
||||
text: "Ensure GKE clusters are not running using the Compute Engine
|
||||
default service account (Manual)"
|
||||
default service account (Automated)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Using Command Line:
|
||||
@ -165,7 +165,7 @@ groups:
|
||||
text: "Cloud Key Management Service (Cloud KMS)"
|
||||
checks:
|
||||
- id: 5.3.1
|
||||
text: "Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS (Manual)"
|
||||
text: "Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS (Automated)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Using Command Line:
|
||||
@ -256,7 +256,7 @@ groups:
|
||||
text: "Node Configuration and Maintenance"
|
||||
checks:
|
||||
- id: 5.5.1
|
||||
text: "Ensure Container-Optimized OS (COS) is used for GKE node images (Automated)"
|
||||
text: "Ensure Container-Optimized OS (cos_containerd) is used for GKE node images (Automated)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Using Command Line:
|
||||
@ -382,7 +382,7 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 5.6.3
|
||||
text: "Ensure Master Authorized Networks is Enabled (Manual)"
|
||||
text: "Ensure Master Authorized Networks is Enabled (Automated)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Using Command Line:
|
||||
@ -406,7 +406,7 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 5.6.4
|
||||
text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
|
||||
text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Automated)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Using Command Line:
|
||||
@ -421,7 +421,7 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 5.6.5
|
||||
text: "Ensure clusters are created with Private Nodes (Manual)"
|
||||
text: "Ensure clusters are created with Private Nodes (Automated)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Using Command Line:
|
||||
|
@ -241,7 +241,7 @@ groups:
|
||||
scored: true
|
||||
|
||||
- id: 3.2.9
|
||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
|
||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
@ -262,10 +262,10 @@ groups:
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: false
|
||||
scored: true
|
||||
|
||||
- id: 3.2.10
|
||||
text: "Ensure that the --rotate-certificates argument is not set to false (Manual)"
|
||||
text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
@ -289,7 +289,7 @@ groups:
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: false
|
||||
scored: true
|
||||
|
||||
- id: 3.2.11
|
||||
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"
|
||||
|
@ -60,80 +60,71 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 4.2
|
||||
text: "Pod Security Policies"
|
||||
text: "Pod Security Standards"
|
||||
checks:
|
||||
- id: 4.2.1
|
||||
text: "Minimize the admission of privileged containers (Automated)"
|
||||
text: "Minimize the admission of privileged containers (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that
|
||||
the .spec.privileged field is omitted or set to false.
|
||||
Add policies to each namespace in the cluster which has user workloads
|
||||
to restrict the admission of privileged containers.
|
||||
scored: false
|
||||
|
||||
- id: 4.2.2
|
||||
text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)"
|
||||
text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
.spec.hostPID field is omitted or set to false.
|
||||
Add policies to each namespace in the cluster which has user workloads
|
||||
to restrict the admission of hostPID containers.
|
||||
scored: false
|
||||
|
||||
- id: 4.2.3
|
||||
text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)"
|
||||
text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
.spec.hostIPC field is omitted or set to false.
|
||||
Add policies to each namespace in the cluster which has user workloads
|
||||
to restrict the admission of hostIPC containers.
|
||||
scored: false
|
||||
|
||||
- id: 4.2.4
|
||||
text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
|
||||
text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
.spec.hostNetwork field is omitted or set to false.
|
||||
Add policies to each namespace in the cluster which has user workloads
|
||||
to restrict the admission of hostNetwork containers.
|
||||
scored: false
|
||||
|
||||
- id: 4.2.5
|
||||
text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)"
|
||||
text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
.spec.allowPrivilegeEscalation field is omitted or set to false.
|
||||
Add policies to each namespace in the cluster which has user workloads
|
||||
to restrict the admission of containers with .spec.allowPrivilegeEscalation set to true.
|
||||
scored: false
|
||||
|
||||
- id: 4.2.6
|
||||
text: "Minimize the admission of root containers (Automated)"
|
||||
text: "Minimize the admission of root containers (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
.spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of
|
||||
UIDs not including 0.
|
||||
Create a policy for each namespace in the cluster,
|
||||
ensuring that either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0, is set.
|
||||
scored: false
|
||||
|
||||
- id: 4.2.7
|
||||
text: "Minimize the admission of containers with the NET_RAW capability (Automated)"
|
||||
text: "Minimize the admission of containers with added capabilities (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
.spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
|
||||
scored: false
|
||||
|
||||
- id: 4.2.8
|
||||
text: "Minimize the admission of containers with added capabilities (Automated)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Ensure that allowedCapabilities is not present in PSPs for the cluster unless
|
||||
Ensure that allowedCapabilities is not present in policies for the cluster unless
|
||||
it is set to an empty array.
|
||||
scored: false
|
||||
|
||||
- id: 4.2.9
|
||||
- id: 4.2.8
|
||||
text: "Minimize the admission of containers with capabilities assigned (Manual) "
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Review the use of capabilites in applications running on your cluster. Where a namespace
|
||||
contains applications which do not require any Linux capabities to operate consider adding
|
||||
a PSP which forbids the admission of containers which do not drop all capabilities.
|
||||
Review the use of capabilities in applications running on your cluster. Where a namespace
|
||||
contains applications which do not require any Linux capabilities to operate consider adding
|
||||
a policy which forbids the admission of containers which do not drop all capabilities.
|
||||
scored: false
|
||||
|
||||
- id: 4.3
|
||||
|
Loading…
Reference in New Issue
Block a user