--- controls: version: 1.8 id: 3 text: "Federated Deployments" type: "federated" groups: - id: 3.1 text: "Federation API Server" checks: - id: 3.1.1 text: "Ensure that the --anonymous-auth argument is set to false (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--anonymous-auth" compare: op: eq value: false set: true remediation: | Edit the deployment specs and set --anonymous-auth=false . kubectl edit deployments federation-apiserver-deployment -- namespace=federation-system scored: true - id: 3.1.2 text: "Ensure that the --basic-auth-file argument is not set (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--basic-auth-file" set: false remediation: | Follow the documentation and configure alternate mechanisms for authentication. Then, edit the deployment specs and remove "--basic-auth-file=" . kubectl edit deployments federation-apiserver-deployment -- namespace=federation-system scored: true - id: 3.1.3 text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--insecure-allow-any-token" set: false remediation: | Edit the deployment specs and remove --insecure-allow-any-token . kubectl edit deployments federation-apiserver-deployment -- namespace=federation-system scored: true - id: 3.1.4 text: "Ensure that the --insecure-bind-address argument is not set (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--insecure-bind-address" set: false remediation: | Edit the deployment specs and remove --insecure-bind-address . kubectl edit deployments federation-apiserver-deployment -- namespace=federation-system scored: true - id: 3.1.5 text: "Ensure that the --insecure-port argument is set to 0 (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--insecure-port" compare: op: eq value: 0 set: true remediation: | Edit the deployment specs and set --insecure-port=0 . kubectl edit deployments federation-apiserver-deployment -- namespace=federation-system scored: true - id: 3.1.6 text: "Ensure that the --secure-port argument is not set to 0 (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: bin_op: or test_items: - flag: "--secure-port" compare: op: gt value: 0 set: true - flag: "--secure-port" set: false remediation: | Edit the deployment specs and set the --secure-port argument to the desired port. kubectl edit deployments federation-apiserver-deployment -- namespace=federation-system scored: true - id: 3.1.7 text: "Ensure that the --profiling argument is set to false (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--profiling" compare: op: eq value: false set: true remediation: | Edit the deployment specs and set "--profiling=false" : kubectl edit deployments federation-apiserver-deployment -- namespace=federation-system score: true - id: 3.1.8 text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--admission-control" compare: op: nothave value: AlwaysAdmit set: true remediation: | Edit the deployment specs and set --admission-control argument to a value that does not include AlwaysAdmit . kubectl edit deployments federation-apiserver-deployment -- namespace=federation-system scored: true - id: 3.1.9 text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "admission-control" compare: op: has value: "NamespaceLifecycle" set: true remediation: | Edit the deployment specs and set --admission-control argument to a value that includes NamespaceLifecycle . kubectl edit deployments federation-apiserver-deployment -- namespace=federation-system scored: true - id: 3.1.10 text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--audit-log-path" set: true remediation: "Edit the deployment specs and set --audit-log-path argument as appropriate.\n kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" scored: true - id: 3.1.11 text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--audit-log-maxage" compare: op: gte value: 30 set: true remediation: | Edit the deployment specs and set --audit-log-maxage to 30 or as appropriate. kubectl edit deployments federation-apiserver-deployment -- namespace=federation-system scored: true - id: 3.1.12 text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--audit-log-maxbackup" compare: op: gte value: 10 set: true remediation: | Edit the deployment specs and set --audit-log-maxbackup to 10 or as appropriate. kubectl edit deployments federation-apiserver-deployment -- namespace=federation-system scored: true - id: 3.1.13 text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--audit-log-maxsize" compare: op: gte value: 100 set: true remediation: | Edit the deployment specs and set --audit-log-maxsize=100 to 100 or as appropriate. kubectl edit deployments federation-apiserver-deployment -- namespace=federation-system scored: true - id: 3.1.14 text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--authorization-mode" compare: op: nothave value: "AlwaysAllow" set: true remediation: | Edit the deployment specs and set --authorization-mode argument to a value other than AlwaysAllow kubectl edit deployments federation-apiserver-deployment -- namespace=federation-system scored: true - id: 3.1.15 text: "Ensure that the --token-auth-file parameter is not set (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--token-auth-file" set: false remediation: | Follow the documentation and configure alternate mechanisms for authentication. Then, edit the deployment specs and remove the --token-auth-file= argument. kubectl edit deployments federation-apiserver-deployment -- namespace=federation-system scored: true - id: 3.1.16 text: "Ensure that the --service-account-lookup argument is set to true (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--service-account-lookup" compare: op: eq value: true set: true remediation: | Edit the deployment specs and set "--service-account-lookup=true" . kubectl edit deployments federation-apiserver-deployment -- namespace=federation-system scored: true - id: 3.1.17 text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--service-account-key-file" set: true remediation: | Edit the deployment specs and set --service-account-key-file argument as appropriate. kubectl edit deployments federation-apiserver-deployment -- namespace=federation-system scored: true - id: 3.1.18 text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: bin_op: and test_items: - flag: "--etcd-certfile" set: true - flag: "--etcd-keyfile" set: true remediation: | Follow the Kubernetes documentation and set up the TLS connection between the federation apiserver and etcd. Then, edit the deployment specs and set "--etcd- certfile=" and "--etcd- keyfile=" arguments. kubectl edit deployments federation-apiserver-deployment -- namespace=federation-system scored: true - id: 3.1.19 text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: bin_op: and test_items: - flag: "--tls-cert-file" set: true - flag: "--tls-private-key-file" set: true remediation: | Follow the Kubernetes documentation and set up the TLS connection on the federation apiserver. Then, edit the deployment specs and set "--tls-cert-file=" and "--tls-private-key-file=" : kubectl edit deployments federation-apiserver-deployment -- namespace=federation-system scored: true - id: 3.2 text: "Federation Controller Manager" checks: - id: 3.2.1 text: "Ensure that the --profiling argument is set to false (Scored)" audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep" tests: test_items: - flag: "--profiling" compare: op: eq value: false set: true remediation: | Edit the deployment specs and set "--profiling=false" : kubectl edit deployments federation-controller-manager-deployment -- namespace=federation-system scored: true