|
|
|
|
@ -11,6 +11,12 @@ groups:
|
|
|
|
|
- id: 5.1.1
|
|
|
|
|
text: "Ensure that the cluster-admin role is only used where required (Manual)"
|
|
|
|
|
type: "manual"
|
|
|
|
|
audit: |
|
|
|
|
|
#To get a list of users and service accounts with the cluster-admin role
|
|
|
|
|
oc get clusterrolebindings -o=customcolumns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind |
|
|
|
|
|
grep cluster-admin
|
|
|
|
|
#To verity that kbueadmin is removed, no results should be returned
|
|
|
|
|
oc get secrets kubeadmin -n kube-system
|
|
|
|
|
remediation: |
|
|
|
|
|
Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
|
|
|
|
|
if they need this role or if they could use a role with fewer privileges.
|
|
|
|
|
@ -29,6 +35,15 @@ groups:
|
|
|
|
|
- id: 5.1.3
|
|
|
|
|
text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
|
|
|
|
|
type: "manual"
|
|
|
|
|
audit: |
|
|
|
|
|
#needs verification
|
|
|
|
|
oc get roles --all-namespaces -o yaml
|
|
|
|
|
for i in $(oc get roles -A -o jsonpath='{.items[*].metadata.name}'); do oc
|
|
|
|
|
describe clusterrole ${i}; done
|
|
|
|
|
#Retrieve the cluster roles defined in the cluster and review for wildcards
|
|
|
|
|
oc get clusterroles -o yaml
|
|
|
|
|
for i in $(oc get clusterroles -o jsonpath='{.items[*].metadata.name}'); do
|
|
|
|
|
oc describe clusterrole ${i}; done
|
|
|
|
|
remediation: |
|
|
|
|
|
Where possible replace any use of wildcards in clusterroles and roles with specific
|
|
|
|
|
objects or actions.
|
|
|
|
|
@ -213,6 +228,9 @@ groups:
|
|
|
|
|
- id: 5.3.2
|
|
|
|
|
text: "Ensure that all Namespaces have Network Policies defined (Manual)"
|
|
|
|
|
type: "manual"
|
|
|
|
|
audit: |
|
|
|
|
|
#Run the following command and review the NetworkPolicy objects created in the cluster.
|
|
|
|
|
oc -n all get networkpolicy
|
|
|
|
|
remediation: |
|
|
|
|
|
Follow the documentation and create NetworkPolicy objects as you need them.
|
|
|
|
|
scored: false
|
|
|
|
|
@ -223,6 +241,10 @@ groups:
|
|
|
|
|
- id: 5.4.1
|
|
|
|
|
text: "Prefer using secrets as files over secrets as environment variables (Manual)"
|
|
|
|
|
type: "manual"
|
|
|
|
|
audit: |
|
|
|
|
|
#Run the following command to find references to objects which use environment variables defined from secrets.
|
|
|
|
|
oc get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind}
|
|
|
|
|
{.metadata.name} {"\n"}{end}' -A
|
|
|
|
|
remediation: |
|
|
|
|
|
If possible, rewrite application code to read secrets from mounted secret files, rather than
|
|
|
|
|
from environment variables.
|
|
|
|
|
@ -252,6 +274,10 @@ groups:
|
|
|
|
|
- id: 5.7.1
|
|
|
|
|
text: "Create administrative boundaries between resources using namespaces (Manual)"
|
|
|
|
|
type: "manual"
|
|
|
|
|
audit: |
|
|
|
|
|
#Run the following command and review the namespaces created in the cluster.
|
|
|
|
|
oc get namespaces
|
|
|
|
|
#Ensure that these namespaces are the ones you need and are adequately administered as per your requirements.
|
|
|
|
|
remediation: |
|
|
|
|
|
Follow the documentation and create namespaces for objects in your deployment as you need
|
|
|
|
|
them.
|
|
|
|
|
@ -277,6 +303,11 @@ groups:
|
|
|
|
|
- id: 5.7.4
|
|
|
|
|
text: "The default namespace should not be used (Manual)"
|
|
|
|
|
type: "manual"
|
|
|
|
|
audit: |
|
|
|
|
|
#Run this command to list objects in default namespace
|
|
|
|
|
oc project default
|
|
|
|
|
oc get all
|
|
|
|
|
#The only entries there should be system managed resources such as the kubernetes and openshift service
|
|
|
|
|
remediation: |
|
|
|
|
|
Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
|
|
|
|
|
resources and that all new resources are created in a specific namespace.
|
|
|
|
|
|
chenk
4 months ago
committed by