--- controls: version: "1.13" id: "2" text: Worker Node Security Configuration type: "node" groups: - id: "2.1" text: Kubelet checks: - id: 2.1.1 text: Ensure that the --anonymous-auth argument is set to false (Scored) audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: "--anonymous-auth" path: '{.authentication.anonymous.enabled}' set: true compare: op: eq value: false remediation: | If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to false . If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --anonymous-auth=false Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service scored: true - id: 2.1.2 text: Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored) audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: --authorization-mode path: '{.authorization.mode}' set: true compare: op: nothave value: AlwaysAllow remediation: | If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable. --authorization-mode=Webhook Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service scored: true - id: 2.1.3 text: Ensure that the --client-ca-file argument is set as appropriate (Scored) audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: --client-ca-file path: '{.authentication.x509.clientCAFile}' set: true remediation: | If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to the location of the client CA file. If using command line arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable. --client-ca-file= Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service scored: true - id: 2.1.4 text: Ensure that the --read-only-port argument is set to 0 (Scored) audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: "--read-only-port" path: '{.readOnlyPort}' set: true compare: op: eq value: 0 remediation: | If using a Kubelet config file, edit the file to set readOnlyPort to 0 . If using command line arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --read-only-port=0 Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service scored: true - id: 2.1.5 text: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: --streaming-connection-idle-timeout path: '{.streamingConnectionIdleTimeout}' set: true compare: op: noteq value: 0 - flag: --streaming-connection-idle-timeout path: '{.streamingConnectionIdleTimeout}' set: false bin_op: or remediation: | If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a value other than 0. If using command line arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --streaming-connection-idle-timeout=5m Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service scored: true - id: 2.1.6 text: Ensure that the --protect-kernel-defaults argument is set to true (Scored) audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: --protect-kernel-defaults path: '{.protectKernelDefaults}' set: true compare: op: eq value: true remediation: | If using a Kubelet config file, edit the file to set protectKernelDefaults: true . If using command line arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --protect-kernel-defaults=true Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service scored: true - id: 2.1.7 text: Ensure that the --make-iptables-util-chains argument is set to true (Scored) audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: --make-iptables-util-chains path: '{.makeIPTablesUtilChains}' set: true compare: op: eq value: true - flag: --make-iptables-util-chains path: '{.makeIPTablesUtilChains}' set: false bin_op: or remediation: | If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true . If using command line arguments, edit the kubelet service file $kubeletsvc on each worker node and remove the --make-iptables-util-chains argument from the KUBELET_SYSTEM_PODS_ARGS variable. Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service scored: true - id: 2.1.8 text: Ensure that the --hostname-override argument is not set (Scored) # This is one of those properties that can only be set as a command line argument. # To check if the property is set as expected, we need to parse the kubelet command # instead reading the Kubelet Configuration file. audit: "/bin/ps -fC $kubeletbin " tests: test_items: - flag: --hostname-override set: false remediation: | Edit the kubelet service file $kubeletsvc on each worker node and remove the --hostname-override argument from the KUBELET_SYSTEM_PODS_ARGS variable. Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service scored: true - id: 2.1.9 text: Ensure that the --event-qps argument is set to 0 (Scored) audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: --event-qps path: '{.eventRecordQPS}' set: true compare: op: eq value: 0 remediation: | If using a Kubelet config file, edit the file to set eventRecordQPS: 0 . If using command line arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --event-qps=0 Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service scored: true - id: 2.1.10 text: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored) audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: --tls-cert-file path: '{.tlsCertFile}' set: true - flag: --tls-private-key-file path: '{.tlsPrivateKeyFile}' set: true bin_op: and remediation: | If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the corresponding private key file. If using command line arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameters in KUBELET_CERTIFICATE_ARGS variable. --tls-cert-file= file= Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service scored: true - id: 2.1.11 text: '[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0' # This is one of those properties that can only be set as a command line argument. # To check if the property is set as expected, we need to parse the kubelet command # instead reading the Kubelet Configuration file. audit: "/bin/ps -fC $kubeletbin " type: skip tests: test_items: - flag: --cadvisor-port set: true compare: op: eq value: 0 - flag: --cadvisor-port set: false bin_op: or remediation: | Edit the kubelet service file $kubeletsvc on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable. --cadvisor-port=0 Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service scored: false - id: 2.1.12 text: Ensure that the --rotate-certificates argument is not set to false (Scored) audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: --rotate-certificates path: '{.rotateCertificates}' set: true compare: op: eq value: true - flag: --rotate-certificates path: '{.rotateCertificates}' set: false bin_op: or remediation: | If using a Kubelet config file, edit the file to add the line rotateCertificates: true. If using command line arguments, edit the kubelet service file $kubeletsvc on each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable. Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service scored: true - id: 2.1.13 text: Ensure that the RotateKubeletServerCertificate argument is set to true (Scored) audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: RotateKubeletServerCertificate path: '{.featureGates.RotateKubeletServerCertificate}' set: true compare: op: eq value: true remediation: | Edit the kubelet service file $kubeletsvc on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. --feature-gates=RotateKubeletServerCertificate=true Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service scored: true - id: 2.1.14 text: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored) audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: --tls-cipher-suites path: '{range .tlsCipherSuites[:]}{}{'',''}{end}' set: true compare: op: valid_elements value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 remediation: | If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter. --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 scored: false - id: "2.2" text: Configuration Files checks: - id: 2.2.1 text: Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored) audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' ' tests: test_items: - flag: "permissions" set: true compare: op: bitmask value: "644" remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, chmod 644 $kubeletkubeconfig scored: true - id: 2.2.2 text: Ensure that the kubelet.conf file ownership is set to root:root (Scored) audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' ' tests: test_items: - flag: root:root set: true compare: op: eq value: root:root remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root $kubeletkubeconfig scored: true - id: 2.2.3 text: Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored) audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' ' tests: test_items: - flag: "permissions" set: true compare: op: bitmask value: "644" remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, chmod 644 $kubeletsvc scored: true - id: 2.2.4 text: Ensure that the kubelet service file ownership is set to root:root (Scored) audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' ' tests: test_items: - flag: root:root set: true remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root $kubeletsvc scored: true - id: 2.2.5 text: Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored) audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' ' tests: test_items: - flag: "permissions" set: true compare: op: bitmask value: "644" remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, chmod 644 $proxykubeconfig scored: true - id: 2.2.6 text: Ensure that the proxy kubeconfig file ownership is set to root:root (Scored) audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' ' tests: test_items: - flag: root:root set: true remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root $proxykubeconfig scored: true - id: 2.2.7 text: Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored) audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c permissions=%a $kubeletcafile; fi'" tests: bin_op: or test_items: - flag: "permissions" compare: op: bitmask value: "644" set: true remediation: | Run the following command to modify the file permissions of the --client-ca-file chmod 644 scored: true - id: 2.2.8 text: Ensure that the client certificate authorities file ownership is set to root:root (Scored) audit: | CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}') if [[ -z $CAFILE ]]; then CAFILE=$kubeletcafile fi if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi tests: test_items: - flag: root:root set: true compare: op: eq value: root:root remediation: | Run the following command to modify the ownership of the --client-ca-file . chown root:root scored: true - id: 2.2.9 text: Ensure that the kubelet configuration file ownership is set to root:root (Scored) audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' ' tests: test_items: - flag: root:root set: true remediation: | Run the following command (using the config file location identified in the Audit step) chown root:root $kubeletconf scored: true - id: 2.2.10 text: Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored) audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' ' tests: test_items: - flag: "permissions" set: true compare: op: bitmask value: "644" remediation: | Run the following command (using the config file location identified in the Audit step) chmod 644 $kubeletconf scored: true