Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
choose aescbc as the encryption provider.
For example,
@ -1001,8 +1002,9 @@ groups:
text:"Ensure that the Container Network Interface file permissions are
set to 644 or more restrictive (Not Scored)"
audit:"stat -c %a <path/to/cni/files>"
type:manual
type:"manual"
remediation:|
[Manual test]
Run the below command (based on the file location on your system) on the master node.
For example,
chmod 644 <path/to/cni/files>
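Review bot: the added `[Manual test]` line duplicates what this same hunk already records in `type:"manual"` (the quoting fix itself is right, since neighbouring entries quote the value). Embedding the marker as free text inside `remediation:|` means the rendered remediation carries a flag that can silently drift from `type` if one is edited without the other; if the aim is a visible marker in the report, have the reporter emit it whenever `type` is `manual` instead of hand-adding the string to every entry.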
@ -1012,8 +1014,9 @@ groups:
text:"Ensure that the Container Network Interface file ownership is set
to root:root (Not Scored)"
audit:"stat -c %U:%G <path/to/cni/files>"
type:manual
type:"manual"
remediation:|
[Manual test]
Run the below command (based on the file location on your system) on the master node.
For example,
chown root:root <path/to/cni/files>
@ -1297,6 +1300,7 @@ groups:
- flag:"--trusted-ca-file"
set:true
remediation:|
[Manual test]
Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service.
Then, edit the etcd pod specification file $etcdconf on the
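Review bot: `[Manual test]` is being inserted into a check that is not manual: the visible test stanza is `- flag:"--trusted-ca-file"` with `set:true`, an automated flag check, and the hunk changes no `type` field. Labelling an automated check as a manual test in its remediation will mislead whoever reads the report; either drop the marker here or, if the CA setup genuinely cannot be verified automatically, set `type:"manual"` alongside it so the label and the check behaviour agree.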
@ -1311,6 +1315,7 @@ groups:
text:"Ensure that the cluster-admin role is only used where required (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Remove any unneeded clusterrolebindings :
kubectl delete clusterrolebinding [name]
scored:false
@ -1319,6 +1324,7 @@ groups:
text:"Create administrative boundaries between resources using namespaces (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Follow the documentation and create namespaces for objects in your deployment as you
need them.
scored:false
@ -1327,6 +1333,7 @@ groups:
text:"Create network segmentation using Network Policies (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Follow the documentation and create NetworkPolicy objects as you need them.
scored:false
@ -1335,6 +1342,7 @@ groups:
definitions (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing "--feature-
gates=AllAlpha=true" argument.
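Review bot: the remediation kept in this hunk tells the operator to pass `--feature-gates=AllAlpha=true` to get seccomp profiles, which switches on every alpha feature in the apiserver rather than the one this control needs. Since the block is being touched anyway, narrow the advice to the specific gate the seccomp control depends on (or add a version-appropriate note), because enabling all alpha gates widens the control plane's exposure far beyond what a seccomp check asks for.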
@ -1361,6 +1369,7 @@ groups:
text:"Apply Security Context to Your Pods and Containers (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers.
@ -1370,6 +1379,7 @@ groups:
text:"Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Follow the Kubernetes documentation and setup image provenance.
scored:false
@ -1377,6 +1387,7 @@ groups:
text:"Configure Network policies as appropriate (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Follow the Kubernetes documentation and setup network policies as appropriate.
For example, you could create a "default" isolation policy for a Namespace by creating a
NetworkPolicy that selects all pods but does not allow any traffic:
@ -1393,6 +1404,7 @@ groups:
privileged containers usage (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
scored:false
@ -1403,6 +1415,7 @@ groups:
text:"Do not admit privileged containers (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false.
scored:false
@ -1410,6 +1423,7 @@ groups:
text:"Do not admit containers wishing to share the host process ID namespace (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false.
scored:false
@ -1417,6 +1431,7 @@ groups:
text:"Do not admit containers wishing to share the host IPC namespace (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.
scored:false
@ -1424,6 +1439,7 @@ groups:
text:"Do not admit containers wishing to share the host network namespace (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false.
scored:false
@ -1431,6 +1447,7 @@ groups:
text:"Do not admit containers with allowPrivilegeEscalation (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.
scored:false
@ -1438,6 +1455,7 @@ groups:
text:"Do not admit root containers (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.
scored:false
@ -1445,5 +1463,6 @@ groups:
text:"Do not admit containers with dangerous capabilities (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
choose aescbc as the encryption provider.
For example,
@ -1003,8 +1005,9 @@ groups:
text:"Ensure that the Container Network Interface file permissions are
set to 644 or more restrictive (Not Scored)"
audit:"stat -c %a <path/to/cni/files>"
type:manual
type:"manual"
remediation:|
[Manual test]
Run the below command (based on the file location on your system) on the master node.
For example,
chmod 644 <path/to/cni/files>
@ -1014,8 +1017,9 @@ groups:
text:"Ensure that the Container Network Interface file ownership is set
to root:root (Not Scored)"
audit:"stat -c %U:%G <path/to/cni/files>"
type:manual
type:"manual"
remediation:|
[Manual test]
Run the below command (based on the file location on your system) on the master node.
For example,
chown root:root <path/to/cni/files>
@ -1194,6 +1198,7 @@ groups:
value:"root root"
set:true
remediation:|
[Manual test]
Run the below command (based on the file location on your system) on the master node.
For example, chown -R root:root /etc/kubernetes/pki/
scored:true
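Review bot: `[Manual test]` is added to a `scored:true` check whose test is an automated value match (`value:"root root"` / `set:true`), so the marker contradicts the check's own metadata; the same applies to the two `/etc/kubernetes/pki/` hunks that follow, which are also `scored:true` with `set:true` tests. Either leave automated, scored checks unmarked, or change `type` and `scored` if these are really meant to be manual, so the report does not present an automated result as a manual one.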
@ -1221,6 +1226,7 @@ groups:
value:"600"
set:true
remediation:|
[Manual test]
Run the below command (based on the file location on your system) on the master node.
For example, chmod -R 644 /etc/kubernetes/pki/*.crt
scored:true
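Review bot: the audit in this hunk expects `value:"600"` while the remediation tells the operator to run `chmod -R 644 /etc/kubernetes/pki/*.crt`; 644 is less restrictive than 600 (it adds read for group and other), so an operator who follows the remediation would still fail a check bounded at 600. Please confirm the compare operator (not shown in the hunk) or align the two numbers, and consider dropping `-R`, which does nothing useful on a glob of regular files and only suggests a recursion that does not happen.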
@ -1237,6 +1243,7 @@ groups:
value:"600"
set:true
remediation:|
[Manual test]
Run the below command (based on the file location on your system) on the master node.
For example, chmod -R 600 /etc/kubernetes/pki/*.key
scored:true
@ -1358,6 +1365,7 @@ groups:
- flag:"--trusted-ca-file"
set:true
remediation:|
[Manual test]
Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service.
Then, edit the etcd pod specification file $etcdconf on the
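Review bot: this hunk adds `[Manual test]` to a check whose only visible test is the automated `- flag:"--trusted-ca-file"` / `set:true` stanza, with no change to `type`, so the remediation text now calls an automated check manual. Drop the marker, or set `type:"manual"` in the same change if the intent is to stop evaluating this flag automatically.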
@ -1372,6 +1380,7 @@ groups:
text:"Ensure that the cluster-admin role is only used where required (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Remove any unneeded clusterrolebindings :
kubectl delete clusterrolebinding [name]
scored:false
@ -1380,6 +1389,7 @@ groups:
text:"Create administrative boundaries between resources using namespaces (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Follow the documentation and create namespaces for objects in your deployment as you
need them.
scored:false
@ -1388,6 +1398,7 @@ groups:
text:"Create network segmentation using Network Policies (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Follow the documentation and create NetworkPolicy objects as you need them.
scored:false
@ -1396,6 +1407,7 @@ groups:
definitions (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing "--feature-
gates=AllAlpha=true" argument.
@ -1422,6 +1434,7 @@ groups:
text:"Apply Security Context to Your Pods and Containers (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers.
@ -1431,6 +1444,7 @@ groups:
text:"Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Follow the Kubernetes documentation and setup image provenance.
scored:false
@ -1438,6 +1452,7 @@ groups:
text:"Configure Network policies as appropriate (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Follow the Kubernetes documentation and setup network policies as appropriate.
For example, you could create a "default" isolation policy for a Namespace by creating a
NetworkPolicy that selects all pods but does not allow any traffic:
@ -1454,6 +1469,7 @@ groups:
privileged containers usage (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
scored:false
@ -1464,6 +1480,7 @@ groups:
text:"Do not admit privileged containers (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false.
scored:false
@ -1471,6 +1488,7 @@ groups:
text:"Do not admit containers wishing to share the host process ID namespace (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false.
scored:false
@ -1478,6 +1496,7 @@ groups:
text:"Do not admit containers wishing to share the host IPC namespace (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.
scored:false
@ -1485,6 +1504,7 @@ groups:
text:"Do not admit containers wishing to share the host network namespace (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false.
scored:false
@ -1492,6 +1512,7 @@ groups:
text:" Do not admit containers with allowPrivilegeEscalation (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.
scored:false
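Review bot: the context line `text:" Do not admit containers with allowPrivilegeEscalation (Not Scored)"` carries a stray leading space inside the quoted value, which the other `text:` entries in this file do not have and which will show up in report output; worth trimming while this entry is being touched.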
@ -1499,6 +1520,7 @@ groups:
text:"Do not admit root containers (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.
scored:false
@ -1506,5 +1528,6 @@ groups:
text:"Do not admit containers with dangerous capabilities (Not Scored)"
type:"manual"
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.