Update controls to CIS Kubernetes Benchmark v1.1.0

7 years ago · e08e069174
parent a6a784f55f
commit e08e069174
6 changed files with 153 additions and 16 deletions
--- a/cfg/master.yaml
+++ b/cfg/master.yaml
@ -436,6 +436,62 @@ groups:
              KUBE_API_ARGS parameter to include \"--etcd-cafile=<path/to/ca-file>\""
      scored: true

+    - id: 1.1.32
+      text: "Ensure that the --authorization-mode argument is set to Node (Scored)"
+      audit: "ps -ef | grep $apiserverbin | grep -v grep"
+      tests:
+        test_items:
+        - flag: "--authorization-mode"
+          compare:
+            op: has
+            value: "Node"
+          set: true
+      remediation: "Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
+              parameter to a value to include --authorization-mode=Node. One such example could be
+              as below:\n
+              KUBE_API_ARGS=\"--authorization-mode=Node,RBAC\""
+      scored: true
+
+    - id: 1.1.33
+      text: "Ensure that the admission control policy is set to NodeRestriction (Scored)"
+      audit: "ps -ef | grep $apiserverbin | grep -v grep"
+      tests:
+        test_items:
+        - flag: "--admission-control"
+          compare:
+            op: has
+            value: "NodeRestriction"
+          set: true
+      remediation: "Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets.
+              Then, edit the /etc/kubernetes/apiserver file on the master node and set the
+              KUBE_ADMISSION_CONTROL parameter to \"--admissioncontrol=...,NodeRestriction,...\""
+      scored: true
+
+    - id: 1.1.34
+      text: "1.1.34 Ensure that the --experimental-encryption-provider-config argument is set as appropriate (Scored)"
+      audit: "ps -ef | grep $apiserverbin | grep -v grep"
+      tests:
+        test_items:
+        - flag: "--experimental-encryption-provider-config"
+          set: true
+      remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit
+              the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
+              parameter to \"--experimental-encryption-provider-config=</path/to/EncryptionConfig/File>\""
+      scored: true
+
+# TODO: provide flag to WARN of manual tasks which we can't automate.
+    - id: 1.1.35
+      text: "Ensure that the encryption provider is set to aescbc (Scored)"
+      audit: "ps -ef | grep $apiserverbin | grep -v grep"
+      tests:
+        test_items:
+        - flag: "requires manual intervention"
+          set: true
+      remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
+              choose aescbc as the encryption provider"
+      scored: true
+
+
 - id: 1.2
  text: "Scheduler"
  checks:
@ -482,18 +538,6 @@ groups:
      scored: true
 
    - id: 1.3.3
-      text: "Ensure that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set (Scored)"
-      audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
-      tests:
-        test_items:
-        - flag: "--insecure-experimental-approve-all-kubelet-csrs-for-group"
-          set: false
-      remediation: "Edit the $controllermanagerconf file on the master node and remove 
-              the -insecure-experimental-approve-all-kubelet-csrs-for-group argument from the 
-              KUBE_CONTROLLER_MANAGER_ARGS parameter"
-      scored: true
-
-    - id: 1.3.4
      text: "Ensure that the --use-service-account-credentials argument is set"
      audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
      tests:
@ -507,7 +551,7 @@ groups:
              KUBE_CONTROLLER_MANAGER_ARGS parameter to --use-service-account-credentials=true"
      scored: true

-    - id: 1.3.5
+    - id: 1.3.4
      text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
      audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
      tests:
@ -518,7 +562,7 @@ groups:
              KUBE_CONTROLLER_MANAGER_ARGS parameter to --service-account-private-keyfile=<filename>"
      scored: true

-    - id: 1.3.6
+    - id: 1.3.5
      text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
      audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
      tests:
@ -528,6 +572,23 @@ groups:
      remediation: "Edit the $controllermanagerconf file on the master node and set the 
              KUBE_CONTROLLER_MANAGER_ARGS parameter to include --root-ca-file=<file>"
      scored: true
+
+# TODO: 1.3.6 is manual, provide way to WARN
+
+    - id: 1.3.7
+      text: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
+      audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+      tests:
+        test_items:
+        - flag: "RotateKubeletServerCertificate"
+          compare:
+            op: eq
+            value: true
+          set: true
+      remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the
+              KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include 
+              \"--feature-gates=RotateKubeletServerCertificate=true\""
+      scored: true
 
 - id: 1.4
  text: "Configure Files"
--- a/cfg/node.yaml
+++ b/cfg/node.yaml
@ -188,6 +188,34 @@ groups:
              to \"--cadvisor-port=0\""
      scored: true

+    - id: 2.1.14
+      text: "Ensure that the RotateKubeletClientCertificate argument is set to true"
+      audit: "ps -ef | grep $kubeletbin | grep -v grep"
+      tests:
+        test_items:
+          - flag: "RotateKubeletClientCertificate"
+            compare:
+              op: eq
+              value: true
+            set: true
+      remediation: "Edit the /etc/kubernetes/kubelet file on each node and set the KUBELET_ARGS parameter
+              to a value to include \"--feature-gates=RotateKubeletClientCertificate=true\"."
+      scored: true
+
+    - id: 2.1.15
+      text: "Ensure that the RotateKubeletServerCertificate argument is set to true"
+      audit: "ps -ef | grep $kubeletbin | grep -v grep"
+      tests:
+        test_items:
+          - flag: "RotateKubeletServerCertificate"
+            compare:
+              op: eq
+              value: true
+            set: true
+      remediation: "Edit the /etc/kubernetes/kubelet file on each node and set the KUBELET_ARGS parameter
+              to a value to include \"--feature-gates=RotateKubeletServerCertificate=true\"."
+      scored: true
+
 - id: 2.2
  text: "Configuration Files"
  checks:
@ -256,3 +284,28 @@ groups:
      remediation: "Run the below command (based on the file location on your system) on the each worker node. 
              \nFor example, chown root:root $proxyconf"
      scored: true
+
+# TODO: provide flag to WARN about manual checks.
+    - id: 2.2.7
+      text: "Ensure that the certificate authorities file permissions are set to
+              644 or more restrictive (Scored)"
+      audit: "if test -e $ca-file; then stat -c %a $ca-file; fi"
+      tests:
+        test_items:
+          - flag: "644"
+            set: true
+      remediation: "Run the following command to modify the file permissions of the --client-ca-file
+              \nchmod 644 <filename>"
+      scored: true
+
+# TODO: provide flag to WARN about manual checks.
+    - id: 2.2.8
+      text: "Ensure that the client certificate authorities file ownership is set to root:root"
+      audit: "if test -e $ca-file; then stat -c %U:%G $ca-file; fi"
+      tests:
+        test_items:
+          - flag: "notexist:notexist"
+            set: true
+      remediation: "Run the following command to modify the ownership of the --client-ca-file.
+              \nchown root:root <filename>"
+      scored: true
--- a/check/data
+++ b/check/data
@ -124,3 +124,16 @@ groups:
          set: true
      remediation: "Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/apiserver"
      scored: true
+
+    - id: 2.1.14
+      text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
+      audit: "ps -ef | grep kubelet | grep -v grep"
+      tests:
+        test_items:
+        - flag: "KubeletClient"
+          compare:
+            op: eq
+            value: true
+          set: true
+      remediation: "Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/apiserver"
+      scored: true
--- a/check/test.go
+++ b/check/test.go
@ -57,7 +57,7 @@ func (t *testItem) execute(s string) (result bool) {
 		isset := match

 		if isset && t.Compare.Op != "" {
-			pttn := t.Flag + `=(\S*) *`
+			pttn := t.Flag + `=([^\s,]*) *`
 			flagRe := regexp.MustCompile(pttn)
 			vals := flagRe.FindStringSubmatch(s)

--- a/check/test_test.go
+++ b/check/test_test.go
@ -87,6 +87,16 @@ func TestTestExecute(t *testing.T) {
 			"text",
 			"644",
 		},
+		{
+			controls.Groups[0].Checks[9].Tests,
+			"flag value is comma-separated",
+			"2:35 ../kubelet --features-gates=KubeletClient=true,KubeletServer=true",
+		},
+		{
+			controls.Groups[0].Checks[9].Tests,
+			"flag value is comma-separated",
+			"2:35 ../kubelet --features-gates=KubeletServer=true,KubeletClient=true",
+		},
 	}

 	for _, c := range cases {
--- a/cmd/common.go
+++ b/cmd/common.go
@ -46,7 +46,7 @@ var (
 	errmsgs string

 	// TODO: Consider specifying this in config file.
-	kubeVersion = "1.6"
+	kubeVersion = "1.7.0"
 )

 func runChecks(t check.NodeType) {