mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-23 00:28:07 +00:00

Update new cis configurations

This commit is contained in:
Darius Mejeras 2023-11-20 15:11:59 +02:00
parent 53bc12229a
commit 865ce7cb54
8 changed files with 105 additions and 123 deletions

View File

@ -64,7 +64,7 @@ groups:
text: "Kubelet" text: "Kubelet"
checks: checks:
- id: 3.2.1 - id: 3.2.1
text: "Ensure that the --anonymous-auth argument is set to false (Manual)" text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
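Review bot: the commit message "Update new cis configurations" does not say which CIS benchmark revisions these Manual/Automated relabels and `scored` flips track, so a reviewer cannot check a line such as `text: "Ensure that the --anonymous-auth argument is set to false (Automated)"` against the published benchmark; name the benchmark version for each touched file in the commit message or PR description.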
@ -84,10 +84,10 @@ groups:
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: false scored: true
- id: 3.2.2 - id: 3.2.2
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Manual)" text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
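Review bot: flipping `scored: false` to `scored: true` on 3.2.1 changes a non-passing result from WARN to FAIL in kube-bench output, which alters users' pass/fail totals; confirm this is intended for every kubelet check promoted in this commit and call it out in the changelog.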
@ -106,10 +106,10 @@ groups:
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: false scored: true
- id: 3.2.3 - id: 3.2.3
text: "Ensure that the --client-ca-file argument is set as appropriate (Manual)" text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
@ -127,7 +127,7 @@ groups:
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: false scored: true
- id: 3.2.4 - id: 3.2.4
text: "Ensure that the --read-only-port argument is set to 0 (Manual)" text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
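Review bot: 3.2.4 (`--read-only-port`) is left as "(Manual)" with `scored: false` while 3.2.1 through 3.2.3 around it are promoted to "(Automated)" and scored; if the benchmark keeps it manual that is fine, but confirm it against the benchmark rather than a missed line, since the rest of the file's kubelet checks are promoted in this commit.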
@ -153,7 +153,7 @@ groups:
scored: false scored: false
- id: 3.2.5 - id: 3.2.5
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)" text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
@ -178,10 +178,10 @@ groups:
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: false scored: true
- id: 3.2.6 - id: 3.2.6
text: "Ensure that the --make-iptables-util-chains argument is set to true (Manual) " text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated) "
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
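Review bot: the new 3.2.6 text `text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated) "` keeps the stray trailing space inside the quotes from the old line; trim it while the line is being touched so the title does not render with an extra space.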
@ -205,7 +205,7 @@ groups:
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: false scored: true
- id: 3.2.7 - id: 3.2.7
text: "Ensure that the --hostname-override argument is not set (Manual)" text: "Ensure that the --hostname-override argument is not set (Manual)"
@ -227,7 +227,7 @@ groups:
scored: false scored: false
- id: 3.2.8 - id: 3.2.8
text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)" text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Automated)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
@ -246,10 +246,10 @@ groups:
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: false scored: true
- id: 3.2.9 - id: 3.2.9
text: "Ensure that the --rotate-certificates argument is not set to false (Manual)" text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
@ -274,7 +274,7 @@ groups:
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: false scored: true
- id: 3.2.10 - id: 3.2.10
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)" text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)"

View File

@ -60,74 +60,66 @@ groups:
scored: false scored: false
- id: 4.2 - id: 4.2
text: "Pod Security Policies" text: "Pod Security Standards"
checks: checks:
- id: 4.2.1 - id: 4.2.1
text: "Minimize the admission of privileged containers (Automated)" text: "Minimize the admission of privileged containers (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that Add policies to each namespace in the cluster which has user workloads
the .spec.privileged field is omitted or set to false. to restrict the admission of privileged containers.
scored: false scored: false
- id: 4.2.2 - id: 4.2.2
text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)" text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Add policies to each namespace in the cluster which has user workloads
.spec.hostPID field is omitted or set to false. to restrict the admission of hostPID containers.
scored: false scored: false
- id: 4.2.3 - id: 4.2.3
text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)" text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Add policies to each namespace in the cluster which has user workloads
.spec.hostIPC field is omitted or set to false. to restrict the admission of hostIPC containers.
scored: false scored: false
- id: 4.2.4 - id: 4.2.4
text: "Minimize the admission of containers wishing to share the host network namespace (Automated)" text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Add policies to each namespace in the cluster which has user workloads
.spec.hostNetwork field is omitted or set to false. to restrict the admission of hostNetwork containers.
scored: false scored: false
- id: 4.2.5 - id: 4.2.5
text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)" text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Add policies to each namespace in the cluster which has user workloads
.spec.allowPrivilegeEscalation field is omitted or set to false. to restrict the admission of containers with .spec.allowPrivilegeEscalation set to true.
scored: false scored: false
- id: 4.2.6 - id: 4.2.6
text: "Minimize the admission of root containers (Automated)" text: "Minimize the admission of root containers (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Create a policy for each namespace in the cluster,
.spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of ensuring that either MustRunAsNonRoot or MustRunAs
UIDs not including 0. with the range of UIDs not including 0, is set.
scored: false scored: false
- id: 4.2.7 - id: 4.2.7
text: "Minimize the admission of containers with the NET_RAW capability (Automated)" text: "Minimize the admission of containers with added capabilities (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Ensure that allowedCapabilities is not present in policies for the cluster unless
.spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
scored: false
- id: 4.2.8
text: "Minimize the admission of containers with added capabilities (Automated)"
type: "manual"
remediation: |
Ensure that allowedCapabilities is not present in PSPs for the cluster unless
it is set to an empty array. it is set to an empty array.
scored: false scored: false
- id: 4.2.9 - id: 4.2.8
text: "Minimize the admission of containers with capabilities assigned (Manual)" text: "Minimize the admission of containers with capabilities assigned (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
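Review bot: dropping the NET_RAW check (old 4.2.7) and renumbering 4.2.8 to 4.2.7 and 4.2.9 to 4.2.8 changes what existing ids mean: anything that filters or suppresses checks by id (skip lists, dashboards, tickets) will now point at a different control, so the renumbering needs a changelog entry. The reworded remediations also keep PSP-era wording under the new "Pod Security Standards" heading: 4.2.6 still says "ensuring that either MustRunAsNonRoot or MustRunAs ... is set" and the new 4.2.7 still refers to `allowedCapabilities`, both of which were PSP fields in the removed lines; rewrite them in terms of the Pod Security Standards profile to apply per namespace.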

View File

@ -79,7 +79,7 @@ groups:
scored: false scored: false
- id: 5.3 - id: 5.3
text: "AWS Key Management Service (KMS)" text: "AWS EKS Key Management Service (KMS)"
checks: checks:
- id: 5.3.1 - id: 5.3.1
text: "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Manual)" text: "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Manual)"
@ -95,25 +95,25 @@ groups:
text: "Cluster Networking" text: "Cluster Networking"
checks: checks:
- id: 5.4.1 - id: 5.4.1
text: "Restrict Access to the Control Plane Endpoint (Manual)" text: "Restrict Access to the Control Plane Endpoint (Automated)"
type: "manual" type: "manual"
remediation: "No remediation" remediation: "No remediation"
scored: false scored: false
- id: 5.4.2 - id: 5.4.2
text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)" text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Automated)"
type: "manual" type: "manual"
remediation: "No remediation" remediation: "No remediation"
scored: false scored: false
- id: 5.4.3 - id: 5.4.3
text: "Ensure clusters are created with Private Nodes (Manual)" text: "Ensure clusters are created with Private Nodes (Automated)"
type: "manual" type: "manual"
remediation: "No remediation" remediation: "No remediation"
scored: false scored: false
- id: 5.4.4 - id: 5.4.4
text: "Ensure Network Policy is Enabled and set as appropriate (Manual)" text: "Ensure Network Policy is Enabled and set as appropriate (Automated)"
type: "manual" type: "manual"
remediation: "No remediation" remediation: "No remediation"
scored: false scored: false
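Review bot: 5.4.1 through 5.4.4 are relabelled "(Automated)" but each keeps `type: "manual"`, `remediation: "No remediation"` and `scored: false`, so kube-bench still does nothing for them beyond printing the title; the label now promises an automated check the config does not perform. Either add an `audit`/`tests` pair for each, or keep "(Manual)" in the text until one exists.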

View File

@ -111,7 +111,7 @@ groups:
scored: true scored: true
- id: 3.2.3 - id: 3.2.3
text: "Ensure that a Client CA File is Configured (Manual)" text: "Ensure that a Client CA File is Configured (Automated)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
@ -129,7 +129,7 @@ groups:
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: false scored: true
- id: 3.2.4 - id: 3.2.4
text: "Ensure that the --read-only-port is disabled (Manual)" text: "Ensure that the --read-only-port is disabled (Manual)"
@ -248,7 +248,7 @@ groups:
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: false scored: true
- id: 3.2.9 - id: 3.2.9
text: "Ensure that the --rotate-certificates argument is not present or is set to true (Manual)" text: "Ensure that the --rotate-certificates argument is not present or is set to true (Manual)"
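Review bot: 3.2.9 (`--rotate-certificates`) stays "(Manual)" here while the same rotate-certificates check is relabelled "(Automated)" and scored in two of the other files in this commit; each file tracks its own benchmark, so this may be correct, but confirm it is not a missed line.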
@ -279,7 +279,7 @@ groups:
scored: false scored: false
- id: 3.2.10 - id: 3.2.10
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)" text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
@ -297,7 +297,7 @@ groups:
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: false scored: true
- id: 3.3 - id: 3.3
text: "Container Optimized OS" text: "Container Optimized OS"
checks: checks:

View File

@ -74,62 +74,61 @@ groups:
scored: false scored: false
- id: 4.2 - id: 4.2
text: "Pod Security Policies" text: "Pod Security Standards"
checks: checks:
- id: 4.2.1 - id: 4.2.1
text: "Minimize the admission of privileged containers (Automated)" text: "Minimize the admission of privileged containers (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that Add policies to each namespace in the cluster which has user workloads
the .spec.privileged field is omitted or set to false. to restrict the admission of privileged containers.
scored: false scored: false
- id: 4.2.2 - id: 4.2.2
text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)" text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Add policies to each namespace in the cluster which has user workloads
.spec.hostPID field is omitted or set to false. to restrict the admission of hostPID containers.
scored: false scored: false
- id: 4.2.3 - id: 4.2.3
text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)" text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Add policies to each namespace in the cluster which has user workloads
.spec.hostIPC field is omitted or set to false. to restrict the admission of hostIPC containers.
scored: false scored: false
- id: 4.2.4 - id: 4.2.4
text: "Minimize the admission of containers wishing to share the host network namespace (Automated)" text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Add policies to each namespace in the cluster which has user workloads
.spec.hostNetwork field is omitted or set to false. to restrict the admission of hostNetwork containers.
scored: false scored: false
- id: 4.2.5 - id: 4.2.5
text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)" text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Add policies to each namespace in the cluster which has user workloads
.spec.allowPrivilegeEscalation field is omitted or set to false. to restrict the admission of containers with .spec.allowPrivilegeEscalation set to true.
scored: false scored: false
- id: 4.2.6 - id: 4.2.6
text: "Minimize the admission of root containers (Automated)" text: "Minimize the admission of root containers (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Create a policy for each namespace in the cluster, ensuring
.spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of that either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0, is set.
UIDs not including 0.
scored: false scored: false
- id: 4.2.7 - id: 4.2.7
text: "Minimize the admission of containers with added capabilities (Manual)" text: "Minimize the admission of containers with added capabilities (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Ensure that allowedCapabilities is not present in PSPs for the cluster unless Ensure that allowedCapabilities is not present in policies for the cluster unless
it is set to an empty array. it is set to an empty array.
scored: false scored: false
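Review bot: the 4.2.6 remediation now packs the whole sentence onto one line, "ensuring that either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0, is set", which reads awkwardly and breaks the two-line wrap used by 4.2.1 through 4.2.5; reflow it and drop the misplaced comma. As with the other policies files, MustRunAsNonRoot, MustRunAs and `allowedCapabilities` are PSP field values carried over from the removed lines, so say which Pod Security Standards profile to apply instead.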
@ -138,8 +137,8 @@ groups:
type: "manual" type: "manual"
remediation: | remediation: |
Review the use of capabilities in applications running on your cluster. Where a namespace Review the use of capabilities in applications running on your cluster. Where a namespace
contains applications which do not require any Linux capabities to operate consider adding contains applications which do not require any Linux capabilities to operate consider adding
a PSP which forbids the admission of containers which do not drop all capabilities. a policy which forbids the admission of containers which do not drop all capabilities.
scored: false scored: false
- id: 4.3 - id: 4.3

View File

@ -10,7 +10,7 @@ groups:
checks: checks:
- id: 5.1.1 - id: 5.1.1
text: "Ensure Image Vulnerability Scanning using GCR Container Analysis text: "Ensure Image Vulnerability Scanning using GCR Container Analysis
or a third-party provider (Manual)" or a third-party provider (Automated)"
type: "manual" type: "manual"
remediation: | remediation: |
Using Command Line: Using Command Line:
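Review bot: 5.1.1 is relabelled "(Automated)" while `type: "manual"` stays and the remediation remains a "Using Command Line:" walkthrough, so nothing in kube-bench evaluates it; the same pattern recurs for 5.2.1, 5.3.1, 5.6.3, 5.6.4 and 5.6.5 later in this file. If the benchmark calls these automated because they can be answered from the command line, add the corresponding `audit` commands and `tests`; otherwise keep the "(Manual)" label.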
@ -102,7 +102,7 @@ groups:
checks: checks:
- id: 5.2.1 - id: 5.2.1
text: "Ensure GKE clusters are not running using the Compute Engine text: "Ensure GKE clusters are not running using the Compute Engine
default service account (Manual)" default service account (Automated)"
type: "manual" type: "manual"
remediation: | remediation: |
Using Command Line: Using Command Line:
@ -165,7 +165,7 @@ groups:
text: "Cloud Key Management Service (Cloud KMS)" text: "Cloud Key Management Service (Cloud KMS)"
checks: checks:
- id: 5.3.1 - id: 5.3.1
text: "Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS (Manual)" text: "Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS (Automated)"
type: "manual" type: "manual"
remediation: | remediation: |
Using Command Line: Using Command Line:
@ -256,7 +256,7 @@ groups:
text: "Node Configuration and Maintenance" text: "Node Configuration and Maintenance"
checks: checks:
- id: 5.5.1 - id: 5.5.1
text: "Ensure Container-Optimized OS (COS) is used for GKE node images (Automated)" text: "Ensure Container-Optimized OS (cos_containerd) is used for GKE node images (Automated)"
type: "manual" type: "manual"
remediation: | remediation: |
Using Command Line: Using Command Line:
@ -382,7 +382,7 @@ groups:
scored: false scored: false
- id: 5.6.3 - id: 5.6.3
text: "Ensure Master Authorized Networks is Enabled (Manual)" text: "Ensure Master Authorized Networks is Enabled (Automated)"
type: "manual" type: "manual"
remediation: | remediation: |
Using Command Line: Using Command Line:
@ -406,7 +406,7 @@ groups:
scored: false scored: false
- id: 5.6.4 - id: 5.6.4
text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)" text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Automated)"
type: "manual" type: "manual"
remediation: | remediation: |
Using Command Line: Using Command Line:
@ -421,7 +421,7 @@ groups:
scored: false scored: false
- id: 5.6.5 - id: 5.6.5
text: "Ensure clusters are created with Private Nodes (Manual)" text: "Ensure clusters are created with Private Nodes (Automated)"
type: "manual" type: "manual"
remediation: | remediation: |
Using Command Line: Using Command Line:

View File

@ -241,7 +241,7 @@ groups:
scored: true scored: true
- id: 3.2.9 - id: 3.2.9
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)" text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
@ -262,10 +262,10 @@ groups:
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: false scored: true
- id: 3.2.10 - id: 3.2.10
text: "Ensure that the --rotate-certificates argument is not set to false (Manual)" text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
@ -289,7 +289,7 @@ groups:
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: false scored: true
- id: 3.2.11 - id: 3.2.11
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)" text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"

View File

@ -60,80 +60,71 @@ groups:
scored: false scored: false
- id: 4.2 - id: 4.2
text: "Pod Security Policies" text: "Pod Security Standards"
checks: checks:
- id: 4.2.1 - id: 4.2.1
text: "Minimize the admission of privileged containers (Automated)" text: "Minimize the admission of privileged containers (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that Add policies to each namespace in the cluster which has user workloads
the .spec.privileged field is omitted or set to false. to restrict the admission of privileged containers.
scored: false scored: false
- id: 4.2.2 - id: 4.2.2
text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)" text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Add policies to each namespace in the cluster which has user workloads
.spec.hostPID field is omitted or set to false. to restrict the admission of hostPID containers.
scored: false scored: false
- id: 4.2.3 - id: 4.2.3
text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)" text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Add policies to each namespace in the cluster which has user workloads
.spec.hostIPC field is omitted or set to false. to restrict the admission of hostIPC containers.
scored: false scored: false
- id: 4.2.4 - id: 4.2.4
text: "Minimize the admission of containers wishing to share the host network namespace (Automated)" text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Add policies to each namespace in the cluster which has user workloads
.spec.hostNetwork field is omitted or set to false. to restrict the admission of hostNetwork containers.
scored: false scored: false
- id: 4.2.5 - id: 4.2.5
text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)" text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Add policies to each namespace in the cluster which has user workloads
.spec.allowPrivilegeEscalation field is omitted or set to false. to restrict the admission of containers with .spec.allowPrivilegeEscalation set to true.
scored: false scored: false
- id: 4.2.6 - id: 4.2.6
text: "Minimize the admission of root containers (Automated)" text: "Minimize the admission of root containers (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Create a policy for each namespace in the cluster,
.spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of ensuring that either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0, is set.
UIDs not including 0.
scored: false scored: false
- id: 4.2.7 - id: 4.2.7
text: "Minimize the admission of containers with the NET_RAW capability (Automated)" text: "Minimize the admission of containers with added capabilities (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Ensure that allowedCapabilities is not present in policies for the cluster unless
.spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
scored: false
- id: 4.2.8
text: "Minimize the admission of containers with added capabilities (Automated)"
type: "manual"
remediation: |
Ensure that allowedCapabilities is not present in PSPs for the cluster unless
it is set to an empty array. it is set to an empty array.
scored: false scored: false
- id: 4.2.9 - id: 4.2.8
text: "Minimize the admission of containers with capabilities assigned (Manual) " text: "Minimize the admission of containers with capabilities assigned (Manual) "
type: "manual" type: "manual"
remediation: | remediation: |
Review the use of capabilites in applications running on your cluster. Where a namespace Review the use of capabilities in applications running on your cluster. Where a namespace
contains applications which do not require any Linux capabities to operate consider adding contains applications which do not require any Linux capabilities to operate consider adding
a PSP which forbids the admission of containers which do not drop all capabilities. a policy which forbids the admission of containers which do not drop all capabilities.
scored: false scored: false
- id: 4.3 - id: 4.3
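Review bot: the renumbered 4.2.8 line `text: "Minimize the admission of containers with capabilities assigned (Manual) "` carries the trailing space inside the quotes over from the old 4.2.9 line; trim it. This hunk also removes the NET_RAW check and renumbers the ids that follow, as in the other policies file, so the same changelog note applies here.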