--- controls: id: 1 text: "Master Checks" type: "master" groups: - id: 1.1 text: "Kube-apiserver" checks: - id: 1.1.1 text: "Ensure that the --allow-privileged argument is set (Scored)" audit: "ps -ef | grep kube-apiserver | grep -v grep" tests: test_items: - flag: "--allow-privileged" set: true remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" scored: true - id: 1.1.2 text: "Ensure that the --basic-auth argument is not set (Scored)" audit: "ps -ef | grep kube-apiserver | grep -v grep" tests: test_item: - flag: "--basic-auth" set: false remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" scored: true - id: 1.1.3 text: "Ensure that the --insecure-port argument is set to 0 (Scored)" audit: "ps -ef | grep kube-apiserver | grep -v grep" tests: test_items: - flag: "--insecure-port" compare: op: eq value: 0 set: true remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" scored: true - id: 1.1.4 text: "Ensure that the --audit-log-maxage argument is set to 30 or appropriate (Scored)" audit: "ps -ef | grep kube-apiserver | grep -v grep" tests: test_items: - flag: "--audit-log-maxage" compare: op: gte value: 30 set: true remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" scored: true - id: 1.1.5 text: "Ensure that the --max-backlog argument is set to 30 or less (Scored)" audit: "ps -ef | grep kube-apiserver | grep -v grep" tests: test_items: - flag: "--max-backlog" compare: op: lt value: 30 set: true remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" scored: true - id: 1.1.6 text: "Ensure admission control does not include AlwaysAdmit (Scored)" audit: "ps -ef | grep kube-apiserver | grep -v grep" tests: test_items: - flag: "--admission-control" compare: op: nothave value: AlwaysAdmit set: true remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" scored: true - id: 1.1.7 text: "Ensure that the --kubelet-client-certificate and --kubelet-clientkey arguments are set as appropriate (Scored)" audit: "ps -ef | grep kube-apiserver | grep -v grep" tests: bin_op: and test_items: - flag: "--kubelet-client-certificate" set: true - flag: "--kubelet-clientkey" set: true remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" scored: true - id: 1.1.8 text: "Ensure that the --secure-port argument is not set to 0 (Scored)" audit: "ps -ef | grep kube-apiserver | grep -v grep" tests: bin_op: or test_items: - flag: "--secure-port" compare: op: eq value: 0 set: true - flag: "--secure-port" set: false remediation: "Edit the /etc/kubernetes/apiserver file on the master node and either remove the -secure-port argument from the KUBE_API_ARGS parameter or set it to a different desired port." scored: true - id: 1.4.1 text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)" audit: "stat -c %a /etc/kubernetes/apiserver" tests: test_items: - flag: "644" set: true remediation: "Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/apiserver" scored: true - id: 2.1.14 text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)" audit: "ps -ef | grep kubelet | grep -v grep" tests: test_items: - flag: "KubeletClient" compare: op: eq value: true set: true remediation: "Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/apiserver" scored: true