---
controls:
id: 1
text: "Master Checks"
type: "master"
groups:
- id: 1.1
  text: "Kube-apiserver"
  checks:
    - id: 1.1.1
      text: "Ensure that the --allow-privileged argument is set (Scored)"
      audit: "ps -ef | grep kube-apiserver | grep -v grep"
      tests:
        test_items:
          -
            flag: "--allow-privileged"
            set: true
      remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
      scored: true

    - id: 1.1.2
      text: "Ensure that the --basic-auth argument is not set (Scored)"
      audit: "ps -ef | grep kube-apiserver | grep -v grep"
      tests:
        test_item:
          -
            flag: "--basic-auth"
            set: false
      remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
      scored: true

    - id: 1.1.3
      text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
      audit: "ps -ef | grep kube-apiserver | grep -v grep"
      tests:
        test_items:
          -
            flag: "--insecure-port"
            compare:
              op: eq
              value: 0
            set: true
      remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
      scored: true

    - id: 1.1.4
      text: "Ensure that the --audit-log-maxage argument is set to 30 or appropriate (Scored)"
      audit: "ps -ef | grep kube-apiserver | grep -v grep"
      tests:
        test_items:
          -
            flag: "--audit-log-maxage"
            compare:
              op: gte
              value: 30
            set: true
      remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
      scored: true

    - id: 1.1.5
      text: "Ensure that the --max-backlog argument is set to 30 or less (Scored)"
      audit: "ps -ef | grep kube-apiserver | grep -v grep"
      tests:
        test_items:
          - flag: "--max-backlog"
            compare:
              op: lt
              value: 30
            set: true
      remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
      scored: true

    - id: 1.1.6
      text: "Ensure admission control does not include AlwaysAdmit (Scored)"
      audit: "ps -ef | grep kube-apiserver | grep -v grep"
      tests:
        test_items:
          -
            flag: "--admission-control"
            compare:
              op: nothave
              value: AlwaysAdmit
            set: true
      remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
      scored: true

    - id: 1.1.7
      text: "Ensure that the --kubelet-client-certificate and --kubelet-clientkey arguments are set as appropriate (Scored)"
      audit: "ps -ef | grep kube-apiserver | grep -v grep"
      tests:
        bin_op: and
        test_items:
        - flag: "--kubelet-client-certificate"
          set: true
        - flag: "--kubelet-clientkey"
          set: true
      remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
      scored: true

    - id: 1.1.8
      text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
      audit: "ps -ef | grep kube-apiserver | grep -v grep"
      tests:
        bin_op: or
        test_items:
          -
            flag:  "--secure-port"
            compare:
              op: eq
              value: 0
            set: true
          -
            flag: "--secure-port"
            set: false
      remediation: "Edit the /etc/kubernetes/apiserver file on the master node and either remove the -secure-port argument from the KUBE_API_ARGS parameter or set it to a different desired port."
      scored: true

    - id: 1.4.1
      text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
      audit: "stat -c %a /etc/kubernetes/apiserver"
      tests:
        test_items:
        - flag: "644"
          set: true
      remediation: "Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/apiserver"
      scored: true