Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
choose aescbc as the encryption provider.
choose aescbc as the encryption provider.
For example,
For example,
@ -1001,8 +1002,9 @@ groups:
text:"Ensure that the Container Network Interface file permissions are
text:"Ensure that the Container Network Interface file permissions are
set to 644 or more restrictive (Not Scored)"
set to 644 or more restrictive (Not Scored)"
audit:"stat -c %a <path/to/cni/files>"
audit:"stat -c %a <path/to/cni/files>"
type:manual
type:"manual"
remediation:|
remediation:|
[Manual test]
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example,
For example,
chmod 644 <path/to/cni/files>
chmod 644 <path/to/cni/files>
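Review bot: The added `[Manual test]` line sits inside the `remediation: |` block scalar, so it becomes the first line of the remediation text shown to the operator rather than metadata the tool can act on; since this check already carries `type: "manual"` (the quoting change in this hunk is fine and matches the other entries), consider keying any "manual" display logic off that field instead of a literal string inside the remediation body. Also note that `audit: "stat -c %a <path/to/cni/files>"` contains an unexpanded placeholder path, so the audit command cannot run as written and the check needs the real CNI directory substituted before it is useful.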
@ -1012,8 +1014,9 @@ groups:
text:"Ensure that the Container Network Interface file ownership is set
text:"Ensure that the Container Network Interface file ownership is set
to root:root (Not Scored)"
to root:root (Not Scored)"
audit:"stat -c %U:%G <path/to/cni/files>"
audit:"stat -c %U:%G <path/to/cni/files>"
type:manual
type:"manual"
remediation:|
remediation:|
[Manual test]
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example,
For example,
chown root:root <path/to/cni/files>
chown root:root <path/to/cni/files>
@ -1297,6 +1300,7 @@ groups:
- flag:"--trusted-ca-file"
- flag:"--trusted-ca-file"
set:true
set:true
remediation:|
remediation:|
[Manual test]
Follow the etcd documentation and create a dedicated certificate authority setup for the
Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service.
etcd service.
Then, edit the etcd pod specification file $etcdconf on the
Then, edit the etcd pod specification file $etcdconf on the
@ -1311,6 +1315,7 @@ groups:
text:"Ensure that the cluster-admin role is only used where required (Not Scored)"
text:"Ensure that the cluster-admin role is only used where required (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Remove any unneeded clusterrolebindings :
Remove any unneeded clusterrolebindings :
kubectl delete clusterrolebinding [name]
kubectl delete clusterrolebinding [name]
scored:false
scored:false
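Review bot: The remediation `kubectl delete clusterrolebinding [name]` tells the operator to delete bindings without first showing how to identify which ones reference `cluster-admin`; consider prefacing it with a listing step (for example `kubectl get clusterrolebindings` filtered for the `cluster-admin` role) so that only unneeded bindings are removed and system-managed ones are not deleted by mistake.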
@ -1319,6 +1324,7 @@ groups:
text:"Create administrative boundaries between resources using namespaces (Not Scored)"
text:"Create administrative boundaries between resources using namespaces (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Follow the documentation and create namespaces for objects in your deployment as you
Follow the documentation and create namespaces for objects in your deployment as you
need them.
need them.
scored:false
scored:false
@ -1327,6 +1333,7 @@ groups:
text:"Create network segmentation using Network Policies (Not Scored)"
text:"Create network segmentation using Network Policies (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Follow the documentation and create NetworkPolicy objects as you need them.
Follow the documentation and create NetworkPolicy objects as you need them.
scored:false
scored:false
@ -1335,6 +1342,7 @@ groups:
definitions (Not Scored)"
definitions (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing "--feature-
would need to enable alpha features in the apiserver by passing "--feature-
gates=AllAlpha=true" argument.
gates=AllAlpha=true" argument.
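Review bot: The remediation text wraps the flag across two lines (`"--feature-` followed by `gates=AllAlpha=true"`), so anyone copying it from the rendered output gets a broken argument; keep `--feature-gates=AllAlpha=true` on one line. Separately, `AllAlpha=true` enables every alpha feature gate on the API server, which is far broader than what this check needs, so the text should point to enabling only the seccomp-related gate or, preferably, note that seccomp profiles no longer require alpha gates on current Kubernetes releases.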
@ -1361,6 +1369,7 @@ groups:
text:"Apply Security Context to Your Pods and Containers (Not Scored)"
text:"Apply Security Context to Your Pods and Containers (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Follow the Kubernetes documentation and apply security contexts to your pods. For a
Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers.
Containers.
@ -1370,6 +1379,7 @@ groups:
text:"Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
text:"Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Follow the Kubernetes documentation and setup image provenance.
Follow the Kubernetes documentation and setup image provenance.
scored:false
scored:false
@ -1377,6 +1387,7 @@ groups:
text:"Configure Network policies as appropriate (Not Scored)"
text:"Configure Network policies as appropriate (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Follow the Kubernetes documentation and setup network policies as appropriate.
Follow the Kubernetes documentation and setup network policies as appropriate.
For example, you could create a "default" isolation policy for a Namespace by creating a
For example, you could create a "default" isolation policy for a Namespace by creating a
NetworkPolicy that selects all pods but does not allow any traffic:
NetworkPolicy that selects all pods but does not allow any traffic:
@ -1393,6 +1404,7 @@ groups:
privileged containers usage (Not Scored)"
privileged containers usage (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
scored:false
scored:false
@ -1403,6 +1415,7 @@ groups:
text:"Do not admit privileged containers (Not Scored)"
text:"Do not admit privileged containers (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false.
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false.
scored:false
scored:false
@ -1410,6 +1423,7 @@ groups:
text:"Do not admit containers wishing to share the host process ID namespace (Not Scored)"
text:"Do not admit containers wishing to share the host process ID namespace (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false.
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false.
scored:false
scored:false
@ -1417,6 +1431,7 @@ groups:
text:"Do not admit containers wishing to share the host IPC namespace (Not Scored)"
text:"Do not admit containers wishing to share the host IPC namespace (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.
scored:false
scored:false
@ -1424,6 +1439,7 @@ groups:
text:"Do not admit containers wishing to share the host network namespace (Not Scored)"
text:"Do not admit containers wishing to share the host network namespace (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false.
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false.
scored:false
scored:false
@ -1431,6 +1447,7 @@ groups:
text:"Do not admit containers with allowPrivilegeEscalation (Not Scored)"
text:"Do not admit containers with allowPrivilegeEscalation (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.
scored:false
scored:false
@ -1438,6 +1455,7 @@ groups:
text:"Do not admit root containers (Not Scored)"
text:"Do not admit root containers (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.
scored:false
scored:false
@ -1445,5 +1463,6 @@ groups:
text:"Do not admit containers with dangerous capabilities (Not Scored)"
text:"Do not admit containers with dangerous capabilities (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
choose aescbc as the encryption provider.
choose aescbc as the encryption provider.
For example,
For example,
@ -1003,8 +1005,9 @@ groups:
text:"Ensure that the Container Network Interface file permissions are
text:"Ensure that the Container Network Interface file permissions are
set to 644 or more restrictive (Not Scored)"
set to 644 or more restrictive (Not Scored)"
audit:"stat -c %a <path/to/cni/files>"
audit:"stat -c %a <path/to/cni/files>"
type:manual
type:"manual"
remediation:|
remediation:|
[Manual test]
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example,
For example,
chmod 644 <path/to/cni/files>
chmod 644 <path/to/cni/files>
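Review bot: As with the other CNI entry, `audit: "stat -c %a <path/to/cni/files>"` carries a placeholder path that will make the audit fail unless replaced, and the `[Manual test]` marker inside the `remediation: |` scalar duplicates what `type: "manual"` already states; pick one mechanism so the two cannot drift apart across files.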
@ -1014,8 +1017,9 @@ groups:
text:"Ensure that the Container Network Interface file ownership is set
text:"Ensure that the Container Network Interface file ownership is set
to root:root (Not Scored)"
to root:root (Not Scored)"
audit:"stat -c %U:%G <path/to/cni/files>"
audit:"stat -c %U:%G <path/to/cni/files>"
type:manual
type:"manual"
remediation:|
remediation:|
[Manual test]
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example,
For example,
chown root:root <path/to/cni/files>
chown root:root <path/to/cni/files>
@ -1194,6 +1198,7 @@ groups:
value:"root root"
value:"root root"
set:true
set:true
remediation:|
remediation:|
[Manual test]
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example, chown -R root:root /etc/kubernetes/pki/
For example, chown -R root:root /etc/kubernetes/pki/
scored:true
scored:true
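Review bot: This check is `scored: true` with an automated `set: true` / `value: "root root"` test, yet the hunk prepends `[Manual test]` to its remediation; the label is misleading here because the audit runs automatically and only the fix is manual. Either drop the marker for scored, automated checks or reword it to make clear that it refers to the remediation step, not the test.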
@ -1221,6 +1226,7 @@ groups:
value:"600"
value:"600"
set:true
set:true
remediation:|
remediation:|
[Manual test]
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example, chmod -R 644 /etc/kubernetes/pki/*.crt
For example, chmod -R 644 /etc/kubernetes/pki/*.crt
scored:true
scored:true
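Review bot: The audit expects `value: "600"` but the remediation runs `chmod -R 644 /etc/kubernetes/pki/*.crt`, so following the remediation leaves the files at a mode the check still reports as failing (or, if the intent is 644 for public certificates, the `value` is wrong); align the two, and note that `-R` is redundant when the glob already expands to individual files. The `[Manual test]` marker on a `scored: true` automated check has the same labelling problem as the other scored entries.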
@ -1237,6 +1243,7 @@ groups:
value:"600"
value:"600"
set:true
set:true
remediation:|
remediation:|
[Manual test]
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example, chmod -R 600 /etc/kubernetes/pki/*.key
For example, chmod -R 600 /etc/kubernetes/pki/*.key
scored:true
scored:true
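Review bot: `chmod -R 600 /etc/kubernetes/pki/*.key` does match the `value: "600"` test, but `-R` is unnecessary since `*.key` expands to files, not directories; drop it to avoid suggesting recursive behaviour that does not apply. As elsewhere, `[Manual test]` on a `scored: true` check with an automated audit reads as if the test itself were manual.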
@ -1358,6 +1365,7 @@ groups:
- flag:"--trusted-ca-file"
- flag:"--trusted-ca-file"
set:true
set:true
remediation:|
remediation:|
[Manual test]
Follow the etcd documentation and create a dedicated certificate authority setup for the
Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service.
etcd service.
Then, edit the etcd pod specification file $etcdconf on the
Then, edit the etcd pod specification file $etcdconf on the
@ -1372,6 +1380,7 @@ groups:
text:"Ensure that the cluster-admin role is only used where required (Not Scored)"
text:"Ensure that the cluster-admin role is only used where required (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Remove any unneeded clusterrolebindings :
Remove any unneeded clusterrolebindings :
kubectl delete clusterrolebinding [name]
kubectl delete clusterrolebinding [name]
scored:false
scored:false
@ -1380,6 +1389,7 @@ groups:
text:"Create administrative boundaries between resources using namespaces (Not Scored)"
text:"Create administrative boundaries between resources using namespaces (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Follow the documentation and create namespaces for objects in your deployment as you
Follow the documentation and create namespaces for objects in your deployment as you
need them.
need them.
scored:false
scored:false
@ -1388,6 +1398,7 @@ groups:
text:"Create network segmentation using Network Policies (Not Scored)"
text:"Create network segmentation using Network Policies (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Follow the documentation and create NetworkPolicy objects as you need them.
Follow the documentation and create NetworkPolicy objects as you need them.
scored:false
scored:false
@ -1396,6 +1407,7 @@ groups:
definitions (Not Scored)"
definitions (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing "--feature-
would need to enable alpha features in the apiserver by passing "--feature-
gates=AllAlpha=true" argument.
gates=AllAlpha=true" argument.
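Review bot: Same issue in this file: the `--feature-gates=AllAlpha=true` flag is split across two lines inside the block scalar and will be copied incorrectly, and enabling all alpha gates is a much larger change than the seccomp check requires; keep the flag on one line and narrow the recommendation to the specific gate, or update the text for releases where seccomp no longer needs an alpha gate.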
@ -1422,6 +1434,7 @@ groups:
text:"Apply Security Context to Your Pods and Containers (Not Scored)"
text:"Apply Security Context to Your Pods and Containers (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Follow the Kubernetes documentation and apply security contexts to your pods. For a
Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers.
Containers.
@ -1431,6 +1444,7 @@ groups:
text:"Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
text:"Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Follow the Kubernetes documentation and setup image provenance.
Follow the Kubernetes documentation and setup image provenance.
scored:false
scored:false
@ -1438,6 +1452,7 @@ groups:
text:"Configure Network policies as appropriate (Not Scored)"
text:"Configure Network policies as appropriate (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Follow the Kubernetes documentation and setup network policies as appropriate.
Follow the Kubernetes documentation and setup network policies as appropriate.
For example, you could create a "default" isolation policy for a Namespace by creating a
For example, you could create a "default" isolation policy for a Namespace by creating a
NetworkPolicy that selects all pods but does not allow any traffic:
NetworkPolicy that selects all pods but does not allow any traffic:
@ -1454,6 +1469,7 @@ groups:
privileged containers usage (Not Scored)"
privileged containers usage (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
scored:false
scored:false
@ -1464,6 +1480,7 @@ groups:
text:"Do not admit privileged containers (Not Scored)"
text:"Do not admit privileged containers (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false.
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false.
scored:false
scored:false
@ -1471,6 +1488,7 @@ groups:
text:"Do not admit containers wishing to share the host process ID namespace (Not Scored)"
text:"Do not admit containers wishing to share the host process ID namespace (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false.
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false.
scored:false
scored:false
@ -1478,6 +1496,7 @@ groups:
text:"Do not admit containers wishing to share the host IPC namespace (Not Scored)"
text:"Do not admit containers wishing to share the host IPC namespace (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.
scored:false
scored:false
@ -1485,6 +1504,7 @@ groups:
text:"Do not admit containers wishing to share the host network namespace (Not Scored)"
text:"Do not admit containers wishing to share the host network namespace (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false.
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false.
scored:false
scored:false
@ -1492,6 +1512,7 @@ groups:
text:" Do not admit containers with allowPrivilegeEscalation (Not Scored)"
text:" Do not admit containers with allowPrivilegeEscalation (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.
scored:false
scored:false
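Review bot: `text: " Do not admit containers with allowPrivilegeEscalation (Not Scored)"` has a stray leading space inside the quoted string, which will show up in report output and differs from the same entry in the other file; trim it.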
@ -1499,6 +1520,7 @@ groups:
text:"Do not admit root containers (Not Scored)"
text:"Do not admit root containers (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.
scored:false
scored:false
@ -1506,5 +1528,6 @@ groups:
text:"Do not admit containers with dangerous capabilities (Not Scored)"
text:"Do not admit containers with dangerous capabilities (Not Scored)"
type:"manual"
type:"manual"
remediation:|
remediation:|
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.