--- controls: version: rh-1.0 id: 5 text: "Kubernetes Policies" type: "policies" groups: - id: 5.1 text: "RBAC and Service Accounts" checks: - id: 5.1.1 text: "Ensure that the cluster-admin role is only used where required (Manual)" type: "manual" remediation: | Identify all clusterrolebindings to the cluster-admin role. Check if they are used and if they need this role or if they could use a role with fewer privileges. Where possible, first bind users to a lower privileged role and then remove the clusterrolebinding to the cluster-admin role : kubectl delete clusterrolebinding [name] scored: false - id: 5.1.2 text: "Minimize access to secrets (Manual)" type: "manual" remediation: | Where possible, remove get, list and watch access to secret objects in the cluster. scored: false - id: 5.1.3 text: "Minimize wildcard use in Roles and ClusterRoles (Manual)" type: "manual" remediation: | Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions. scored: false - id: 5.1.4 text: "Minimize access to create pods (Manual)" type: "manual" remediation: | Where possible, remove create access to pod objects in the cluster. scored: false - id: 5.1.5 text: "Ensure that default service accounts are not actively used. (Manual)" type: "manual" remediation: | None required. scored: false - id: 5.1.6 text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)" type: "manual" remediation: | Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it. scored: false - id: 5.2 text: "Pod Security Policies" checks: - id: 5.2.1 text: "Minimize the admission of privileged containers (Manual)" audit: | # needs verification for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`; do echo "$i"; oc describe scc $i | grep "Allow Privileged"; done tests: test_items: - flag: "false" remediation: | Create a SCC as described in the OpenShift documentation, ensuring that the Allow Privileged field is set to false. scored: false - id: 5.2.2 text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)" audit: | for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`; do echo "$i"; oc describe scc $i | grep "Allow Host PID"; done tests: test_items: - flag: "false" remediation: | Create a SCC as described in the OpenShift documentation, ensuring that the Allow Host PID field is set to false. scored: false - id: 5.2.3 text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)" audit: | for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`; do echo "$i"; oc describe scc $i | grep "Allow Host IPC"; done tests: test_items: - flag: "false" remediation: | Create a SCC as described in the OpenShift documentation, ensuring that the Allow Host IPC field is set to false. scored: false - id: 5.2.4 text: "Minimize the admission of containers wishing to share the host network namespace (Manual)" audit: | for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`; do echo "$i"; oc describe scc $i | grep "Allow Host Network"; done tests: test_items: - flag: "false" remediation: | Create a SCC as described in the OpenShift documentation, ensuring that the Allow Host Network field is omitted or set to false. scored: false - id: 5.2.5 text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)" audit: | for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`; do echo "$i"; oc describe scc $i | grep "Allow Privilege Escalation"; done tests: test_items: - flag: "false" remediation: | Create a SCC as described in the OpenShift documentation, ensuring that the Allow Privilege Escalation field is omitted or set to false. scored: false - id: 5.2.6 text: "Minimize the admission of root containers (Manual)" audit: | # needs verification for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`; do echo "$i"; oc describe scc $i | grep "Run As User Strategy"; done #For SCCs with MustRunAs verify that the range of UIDs does not include 0 for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`; do echo "$i"; oc describe scc $i | grep "\sUID"; done tests: bin_op: or test_items: - flag: "MustRunAsNonRoot" - flag: "MustRunAs" compare: op: nothave value: 0 remediation: | None required. By default, OpenShift includes the non-root SCC with the the Run As User Strategy is set to either MustRunAsNonRoot. If additional SCCs are appropriate, follow the OpenShift documentation to create custom SCCs. scored: false - id: 5.2.7 text: "Minimize the admission of containers with the NET_RAW capability (Manual)" audit: | # needs verification for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`; do echo "$i"; oc describe scc $i | grep "Required Drop Capabilities"; done tests: bin_op: or test_items: - flag: "ALL" - flag: "NET_RAW" remediation: | Create a SCC as described in the OpenShift documentation, ensuring that the Required Drop Capabilities is set to include either NET_RAW or ALL. scored: false - id: 5.2.8 text: "Minimize the admission of containers with added capabilities (Manual)" type: "manual" remediation: | Ensure that Allowed Capabilities is set to an empty array for every SCC in the cluster except for the privileged SCC. scored: false - id: 5.2.9 text: "Minimize the admission of containers with capabilities assigned (Manual)" type: "manual" remediation: | Review the use of capabilites in applications running on your cluster. Where a namespace contains applicaions which do not require any Linux capabities to operate consider adding a SCC which forbids the admission of containers which do not drop all capabilities. scored: false - id: 5.3 text: "Network Policies and CNI" checks: - id: 5.3.1 text: "Ensure that the CNI in use supports Network Policies (Manual)" type: "manual" remediation: | None required. scored: false - id: 5.3.2 text: "Ensure that all Namespaces have Network Policies defined (Manual)" type: "manual" remediation: | Follow the documentation and create NetworkPolicy objects as you need them. scored: false - id: 5.4 text: "Secrets Management" checks: - id: 5.4.1 text: "Prefer using secrets as files over secrets as environment variables (Manual)" type: "manual" remediation: | If possible, rewrite application code to read secrets from mounted secret files, rather than from environment variables. scored: false - id: 5.4.2 text: "Consider external secret storage (Manual)" type: "manual" remediation: | Refer to the secrets management options offered by your cloud provider or a third-party secrets management solution. scored: false - id: 5.5 text: "Extensible Admission Control" checks: - id: 5.5.1 text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)" type: "manual" remediation: | Follow the OpenShift documentation: [Image configuration resources](https://docs.openshift.com/container-platform/4.5/openshift_images/image-configuration.html scored: false - id: 5.7 text: "General Policies" checks: - id: 5.7.1 text: "Create administrative boundaries between resources using namespaces (Manual)" type: "manual" remediation: | Follow the documentation and create namespaces for objects in your deployment as you need them. scored: false - id: 5.7.2 text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)" type: "manual" remediation: | To enable the default seccomp profile, use the reserved value /runtime/default that will make sure that the pod uses the default policy available on the host. scored: false - id: 5.7.3 text: "Apply Security Context to Your Pods and Containers (Manual)" type: "manual" remediation: | Follow the Kubernetes documentation and apply security contexts to your pods. For a suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker Containers. scored: false - id: 5.7.4 text: "The default namespace should not be used (Manual)" type: "manual" remediation: | Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace. scored: false