---
controls:
version: "cis-1.6"
id: 4
text: "Worker Node Security Configuration"
type: "node"
groups:
  - id: 4.1
    text: "Worker Node Configuration Files"
    checks:
      - id: 4.1.1
        text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 644 $kubeletsvc
        scored: true

      - id: 4.1.2
        text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chown root:root $kubeletsvc
        scored: true

      - id: 4.1.3
        text: "If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
        tests:
          bin_op: or
          test_items:
            - flag: "permissions"
              set: true
              compare:
                op: bitmask
                value: "644"
            - flag: "$proxykubeconfig"
              set: false
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 644 $proxykubeconfig
        scored: false

      - id: 4.1.4
        text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Manual)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
        tests:
          bin_op: or
          test_items:
            - flag: root:root
            - flag: "$proxykubeconfig"
              set: false
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example, chown root:root $proxykubeconfig
        scored: false

      - id: 4.1.5
        text: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 644 $kubeletkubeconfig
        scored: true

      - id: 4.1.6
        text: "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Manual)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chown root:root $kubeletkubeconfig
        scored: false

      - id: 4.1.7
        text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)"
        audit: |
          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
          if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
          if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the following command to modify the file permissions of the
          --client-ca-file chmod 644 <filename>
        scored: false

      - id: 4.1.8
        text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
        audit: |
          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
          if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
          if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
        tests:
          test_items:
            - flag: root:root
              compare:
                op: eq
                value: root:root
        remediation: |
          Run the following command to modify the ownership of the --client-ca-file.
          chown root:root <filename>
        scored: false

      - id: 4.1.9
        text: "Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chmod 644 $kubeletconf
        scored: true

      - id: 4.1.10
        text: "Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chown root:root $kubeletconf
        scored: true

  - id: 4.2
    text: "Kubelet"
    checks:
      - id: 4.2.1
        text: "Ensure that the anonymous-auth argument is set to false (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--anonymous-auth"
              path: '{.authentication.anonymous.enabled}'
              compare:
                op: eq
                value: false
        remediation: |
          If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
          false.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --anonymous-auth=false
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.2
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --authorization-mode
              path: '{.authorization.mode}'
              compare:
                op: nothave
                value: AlwaysAllow
        remediation: |
          If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If
          using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --authorization-mode=Webhook
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.3
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --client-ca-file
              path: '{.authentication.x509.clientCAFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
          the location of the client CA file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --client-ca-file=<path/to/client-ca-file>
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.4
        text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              compare:
                op: eq
                value: 0
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set readOnlyPort to 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --read-only-port=0
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.5
        text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              compare:
                op: noteq
                value: 0
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
          value other than 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --streaming-connection-idle-timeout=5m
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.6
        text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --protect-kernel-defaults
              path: '{.protectKernelDefaults}'
              compare:
                op: eq
                value: true
        remediation: |
          If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --protect-kernel-defaults=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.7
        text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              compare:
                op: eq
                value: true
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove the --make-iptables-util-chains argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.8
        text: "Ensure that the --hostname-override argument is not set (Manual)"
        # This is one of those properties that can only be set as a command line argument.
        # To check if the property is set as expected, we need to parse the kubelet command
        # instead reading the Kubelet Configuration file.
        audit: "/bin/ps -fC $kubeletbin "
        tests:
          test_items:
            - flag: --hostname-override
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and remove the --hostname-override argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.9
        text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --event-qps
              path: '{.eventRecordQPS}'
              compare:
                op: eq
                value: 0
        remediation: |
          If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.10
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --tls-cert-file
              path: '{.tlsCertFile}'
            - flag: --tls-private-key-file
              path: '{.tlsPrivateKeyFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set tlsCertFile to the location
          of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile
          to the location of the corresponding private key file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
          --tls-cert-file=<path/to/tls-certificate-file>
          --tls-private-key-file=<path/to/tls-key-file>
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.11
        text: "Ensure that the --rotate-certificates argument is not set to false (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              compare:
                op: eq
                value: true
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to add the line rotateCertificates: true or
          remove it altogether to use the default value.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
          variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.12
        text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              compare:
                op: nothave
                value: false
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
          --feature-gates=RotateKubeletServerCertificate=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.13
        text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --tls-cipher-suites
              path: '{range .tlsCipherSuites[:]}{}{'',''}{end}'
              compare:
                op: valid_elements
                value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
        remediation: |
          If using a Kubelet config file, edit the file to set TLSCipherSuites: to
          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          or to a subset of these values.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the --tls-cipher-suites parameter as follows, or to a subset of these values.
          --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false