--- controls: version: "tkgi-1.2.53" id: 5 text: "Kubernetes Policies" type: "policies" groups: - id: 5.1 text: "RBAC and Service Accounts" checks: - id: 5.1.1 text: "Ensure that the cluster-admin role is only used where required" type: "manual" remediation: | Identify all clusterrolebindings to the cluster-admin role. Check if they are used and if they need this role or if they could use a role with fewer privileges. Where possible, first bind users to a lower privileged role and then remove the clusterrolebinding to the cluster-admin role : kubectl delete clusterrolebinding [name] Exception This is site-specific setting. scored: false - id: 5.1.2 text: "Minimize access to secrets" type: "manual" remediation: | Where possible, remove get, list and watch access to secret objects in the cluster. Exception This is site-specific setting. scored: false - id: 5.1.3 text: "Minimize wildcard use in Roles and ClusterRoles" type: "manual" remediation: | Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions. Exception This is site-specific setting. scored: false - id: 5.1.4 text: "Minimize access to create pods" type: "manual" remediation: | Where possible, remove create access to pod objects in the cluster. Exception This is site-specific setting. scored: false - id: 5.1.5 text: "Ensure that default service accounts are not actively used." type: "manual" remediation: | Create explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value automountServiceAccountToken: false Exception This is site-specific setting. scored: false - id: 5.1.6 text: "Ensure that Service Account Tokens are only mounted where necessary" type: "manual" remediation: | Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it. Exception This is site-specific setting. scored: false - id: 5.2 text: "Pod Security Policies" checks: - id: 5.2.1 text: "Minimize the admission of privileged containers" type: "manual" remediation: | Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false. Exception This is site-specific setting. scored: false - id: 5.2.2 text: "Minimize the admission of containers wishing to share the host process ID namespace" type: "manual" remediation: | Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false. Exception This is site-specific setting. scored: false - id: 5.2.3 text: "Minimize the admission of containers wishing to share the host IPC namespace" type: "manual" remediation: | Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false. Exception This is site-specific setting. scored: false - id: 5.2.4 text: "Minimize the admission of containers wishing to share the host network namespace" type: "manual" remediation: | Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false. Exception This is site-specific setting. scored: false - id: 5.2.5 text: "Minimize the admission of containers with allowPrivilegeEscalation" type: "manual" remediation: | Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false. Exception This is site-specific setting. scored: false - id: 5.2.6 text: "Minimize the admission of root containers" type: "manual" remediation: | Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0. Exception This is site-specific setting. scored: false - id: 5.2.7 text: "Minimize the admission of containers with the NET_RAW capability" type: "manual" remediation: | Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL. Exception This is site-specific setting. scored: false - id: 5.2.8 text: "Minimize the admission of containers with added capabilities" type: "manual" remediation: | Ensure that allowedCapabilities is not present in PSPs for the cluster unless it is set to an empty array. Exception This is site-specific setting. scored: false - id: 5.2.9 text: "Minimize the admission of containers with capabilities assigned" type: "manual" remediation: | Review the use of capabilites in applications running on your cluster. Where a namespace contains applicaions which do not require any Linux capabities to operate consider adding a PSP which forbids the admission of containers which do not drop all capabilities. Exception This is site-specific setting. scored: false - id: 5.3 text: "Network Policies and CNI" checks: - id: 5.3.1 text: "Ensure that the CNI in use supports Network Policies" type: "manual" remediation: | If the CNI plugin in use does not support network policies, consideration should be given to making use of a different plugin, or finding an alternate mechanism for restricting traffic in the Kubernetes cluster. Exception This is site-specific setting. scored: false - id: 5.3.2 text: "Ensure that all Namespaces have Network Policies defined" type: "manual" remediation: | Follow the documentation and create NetworkPolicy objects as you need them. Exception This is site-specific setting. scored: false - id: 5.4 text: "Secrets Management" checks: - id: 5.4.1 text: "Prefer using secrets as files over secrets as environment variables" type: "manual" remediation: | if possible, rewrite application code to read secrets from mounted secret files, rather than from environment variables. Exception This is site-specific setting. scored: false - id: 5.4.2 text: "Consider external secret storage" type: "manual" remediation: | Refer to the secrets management options offered by your cloud provider or a third-party secrets management solution. Exception This is site-specific setting. scored: false - id: 5.5 text: "Extensible Admission Control" checks: - id: 5.5.1 text: "Configure Image Provenance using ImagePolicyWebhook admission controller" type: "manual" remediation: | Follow the Kubernetes documentation and setup image provenance. Exception This is site-specific setting. scored: false - id: 5.7 text: "General Policies" checks: - id: 5.7.1 text: "Create administrative boundaries between resources using namespaces" type: "manual" remediation: | Follow the documentation and create namespaces for objects in your deployment as you need them. Exception This is site-specific setting. scored: false - id: 5.7.2 text: "Ensure that the seccomp profile is set to docker/default in your pod definitions" type: "manual" remediation: | Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you would need to enable alpha features in the apiserver by passing "--feature- gates=AllAlpha=true" argument. Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS parameter to "--feature-gates=AllAlpha=true" KUBE_API_ARGS="--feature-gates=AllAlpha=true" Based on your system, restart the kube-apiserver service. For example: systemctl restart kube-apiserver.service Use annotations to enable the docker/default seccomp profile in your pod definitions. An example is as below: apiVersion: v1 kind: Pod metadata: name: trustworthy-pod annotations: seccomp.security.alpha.kubernetes.io/pod: docker/default spec: containers: - name: trustworthy-container image: sotrustworthy:latest Exception This is site-specific setting. scored: false - id: 5.7.3 text: "Apply Security Context to Your Pods and Containers " type: "manual" remediation: | Follow the Kubernetes documentation and apply security contexts to your pods. For a suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker Containers. Exception This is site-specific setting. scored: false - id: 5.7.4 text: "The default namespace should not be used" type: "manual" remediation: | Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace. Exception This is site-specific setting. scored: false