|
|
|
@ -436,6 +436,62 @@ groups:
|
|
|
|
|
KUBE_API_ARGS parameter to include \"--etcd-cafile=<path/to/ca-file>\""
|
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
|
|
- id: 1.1.32
|
|
|
|
|
text: "Ensure that the --authorization-mode argument is set to Node (Scored)"
|
|
|
|
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "--authorization-mode"
|
|
|
|
|
compare:
|
|
|
|
|
op: has
|
|
|
|
|
value: "Node"
|
|
|
|
|
set: true
|
|
|
|
|
remediation: "Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
|
|
|
|
|
parameter to a value to include --authorization-mode=Node. One such example could be
|
|
|
|
|
as below:\n
|
|
|
|
|
KUBE_API_ARGS=\"--authorization-mode=Node,RBAC\""
|
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
|
|
- id: 1.1.33
|
|
|
|
|
text: "Ensure that the admission control policy is set to NodeRestriction (Scored)"
|
|
|
|
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "--admission-control"
|
|
|
|
|
compare:
|
|
|
|
|
op: has
|
|
|
|
|
value: "NodeRestriction"
|
|
|
|
|
set: true
|
|
|
|
|
remediation: "Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets.
|
|
|
|
|
Then, edit the /etc/kubernetes/apiserver file on the master node and set the
|
|
|
|
|
KUBE_ADMISSION_CONTROL parameter to \"--admissioncontrol=...,NodeRestriction,...\""
|
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
|
|
- id: 1.1.34
|
|
|
|
|
text: "1.1.34 Ensure that the --experimental-encryption-provider-config argument is set as appropriate (Scored)"
|
|
|
|
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "--experimental-encryption-provider-config"
|
|
|
|
|
set: true
|
|
|
|
|
remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit
|
|
|
|
|
the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
|
|
|
|
|
parameter to \"--experimental-encryption-provider-config=</path/to/EncryptionConfig/File>\""
|
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
|
|
# TODO: provide flag to WARN of manual tasks which we can't automate.
|
|
|
|
|
- id: 1.1.35
|
|
|
|
|
text: "Ensure that the encryption provider is set to aescbc (Scored)"
|
|
|
|
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "requires manual intervention"
|
|
|
|
|
set: true
|
|
|
|
|
remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
|
|
|
|
|
choose aescbc as the encryption provider"
|
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- id: 1.2
|
|
|
|
|
text: "Scheduler"
|
|
|
|
|
checks:
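Review bot: Check 1.1.35 is `scored: true` but can never pass as written: its test looks for a flag literally named `requires manual intervention` in the apiserver process line, so every cluster is reported FAIL regardless of which provider the EncryptionConfig actually uses. Until the WARN mechanism the TODO above it mentions exists, either set `scored: false` so the placeholder does not count against the score, or audit the real artifact (the file named by `--experimental-encryption-provider-config`) for `aescbc` — whether the audit string can reference that path is not visible here. Separately, the remediation for 1.1.33 tells the operator to set `--admissioncontrol=...,NodeRestriction,...` while the flag the test matches is `--admission-control`; the line should read `KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,NodeRestriction,...\"`. The `text` for 1.1.34 also repeats its id (`"1.1.34 Ensure that ..."`), unlike every other check in this hunk.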
|
|
|
|
@ -482,18 +538,6 @@ groups:
|
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
|
|
- id: 1.3.3
|
|
|
|
|
text: "Ensure that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set (Scored)"
|
|
|
|
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "--insecure-experimental-approve-all-kubelet-csrs-for-group"
|
|
|
|
|
set: false
|
|
|
|
|
remediation: "Edit the $controllermanagerconf file on the master node and remove
|
|
|
|
|
the -insecure-experimental-approve-all-kubelet-csrs-for-group argument from the
|
|
|
|
|
KUBE_CONTROLLER_MANAGER_ARGS parameter"
|
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
|
|
- id: 1.3.4
|
|
|
|
|
text: "Ensure that the --use-service-account-credentials argument is set"
|
|
|
|
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
|
|
|
|
tests:
|
|
|
|
@ -507,7 +551,7 @@ groups:
|
|
|
|
|
KUBE_CONTROLLER_MANAGER_ARGS parameter to --use-service-account-credentials=true"
|
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
|
|
- id: 1.3.5
|
|
|
|
|
- id: 1.3.4
|
|
|
|
|
text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
|
|
|
|
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
|
|
|
|
tests:
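Review bot: Renumbering this check from 1.3.5 to 1.3.4 leaves two checks with `- id: 1.3.4` on the new side: the `--use-service-account-credentials` check, shown as unchanged context in the previous hunk, keeps `- id: 1.3.4`, and this one now carries the same id, while 1.3.3 has no successor after the CSR-approval check was removed. If the intent is to close the gap, the earlier check should become `- id: 1.3.3` (its remaining lines are outside these hunks). Duplicate ids are presumably a problem for anything that keys results by id — assumed from the layout, not verified against the loader here.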
|
|
|
|
@ -518,7 +562,7 @@ groups:
|
|
|
|
|
KUBE_CONTROLLER_MANAGER_ARGS parameter to --service-account-private-keyfile=<filename>"
|
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
|
|
- id: 1.3.6
|
|
|
|
|
- id: 1.3.5
|
|
|
|
|
text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
|
|
|
|
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
|
|
|
|
tests:
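Review bot: The remediation kept as context here still names the flag `--service-account-private-keyfile=<filename>`, which does not match the flag named in the check's own title (`--service-account-private-key-file`); an operator pasting it into KUBE_CONTROLLER_MANAGER_ARGS ends up with a differently spelled option. Since the commit already touches this check's id, the line should be corrected to `KUBE_CONTROLLER_MANAGER_ARGS parameter to --service-account-private-key-file=<filename>`. The check's `test_items` lie outside this hunk, so whether the tested flag is spelled correctly there is not visible.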
|
|
|
|
@ -528,6 +572,23 @@ groups:
|
|
|
|
|
remediation: "Edit the $controllermanagerconf file on the master node and set the
|
|
|
|
|
KUBE_CONTROLLER_MANAGER_ARGS parameter to include --root-ca-file=<file>"
|
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
|
|
# TODO: 1.3.6 is manual, provide way to WARN
|
|
|
|
|
|
|
|
|
|
- id: 1.3.7
|
|
|
|
|
text: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
|
|
|
|
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "RotateKubeletServerCertificate"
|
|
|
|
|
compare:
|
|
|
|
|
op: eq
|
|
|
|
|
value: true
|
|
|
|
|
set: true
|
|
|
|
|
remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the
|
|
|
|
|
KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include
|
|
|
|
|
\"--feature-gates=RotateKubeletServerCertificate=true\""
|
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
|
|
- id: 1.4
|
|
|
|
|
text: "Configure Files"
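Review bot: The new 1.3.7 compare uses `value: true`, an unquoted YAML boolean, whereas every other compare in this file (`"Node"`, `"NodeRestriction"`) is a quoted string; the process line is text, so write `value: "true"` rather than depending on how the loader coerces a bool. Its remediation also hardcodes `/etc/kubernetes/controller-manager` while the 1.3.5 remediation a few lines above uses `$controllermanagerconf`; the same variable should be used here. The `flag` is `RotateKubeletServerCertificate`, which only appears on the command line as a key inside `--feature-gates=...`; whether the flag matcher finds it there rather than expecting a leading `--` is not visible from this file and should be confirmed against a line such as `--feature-gates=RotateKubeletServerCertificate=true,OtherGate=false`. The title also carries a stray leading space (`" Ensure that ..."`).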
|
|
|
|
|