--- controls: version: "rke-cis-1.24" id: 5 text: "Kubernetes Policies" type: "policies" groups: - id: 5.1 text: "RBAC and Service Accounts" checks: - id: 5.1.1 text: "Ensure that the cluster-admin role is only used where required (Manual)" type: "manual" remediation: | Identify all clusterrolebindings to the cluster-admin role. Check if they are used and if they need this role or if they could use a role with fewer privileges. Where possible, first bind users to a lower privileged role and then remove the clusterrolebinding to the cluster-admin role : kubectl delete clusterrolebinding [name] scored: false - id: 5.1.2 text: "Minimize access to secrets (Manual)" type: "manual" remediation: | Where possible, remove get, list and watch access to Secret objects in the cluster. scored: false - id: 5.1.3 text: "Minimize wildcard use in Roles and ClusterRoles (Manual)" type: "manual" remediation: | Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions. scored: false - id: 5.1.4 text: "Minimize access to create pods (Manual)" type: "manual" remediation: | Where possible, remove create access to pod objects in the cluster. scored: false - id: 5.1.5 text: "Ensure that default service accounts are not actively used. (Manual)" type: "manual" audit: check_for_default_sa.sh tests: test_items: - flag: "true" compare: op: eq value: "true" set: true remediation: | Create explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value automountServiceAccountToken: false scored: false - id: 5.1.6 text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)" type: "manual" remediation: | Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it. scored: false - id: 5.1.7 text: "Avoid use of system:masters group (Manual)" type: "manual" remediation: | Remove the system:masters group from all users in the cluster. scored: false - id: 5.1.8 text: "Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)" type: "manual" remediation: | Where possible, remove the impersonate, bind and escalate rights from subjects. scored: false - id: 5.2 text: "Pod Security Standards" checks: - id: 5.2.1 text: "Ensure that the cluster has at least one active policy control mechanism in place (Manual)" type: "manual" remediation: | Ensure that either Pod Security Admission or an external policy control system is in place for every namespace which contains user workloads. scored: false - id: 5.2.2 text: "Minimize the admission of privileged containers (Manual)" type: "manual" remediation: | Add policies to each namespace in the cluster which has user workloads to restrict the admission of privileged containers. scored: false - id: 5.2.3 text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)" audit: | kubectl get psp -o json | jq .items[] | jq -r 'select((.spec.hostPID == null) or (.spec.hostPID == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}' tests: bin_op: or test_items: - flag: "kubectl: not found" - flag: "jq: not found" - flag: count compare: op: gt value: 0 remediation: | Add policies to each namespace in the cluster which has user workloads to restrict the admission of `hostPID` containers. scored: true - id: 5.2.4 text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)" audit: | kubectl get psp -o json | jq .items[] | jq -r 'select((.spec.hostIPC == null) or (.spec.hostIPC == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}' tests: bin_op: or test_items: - flag: "kubectl: not found" - flag: "jq: not found" - flag: count compare: op: gt value: 0 remediation: | Add policies to each namespace in the cluster which has user workloads to restrict the admission of `hostIPC` containers. scored: true - id: 5.2.5 text: "Minimize the admission of containers wishing to share the host network namespace (Automated)" audit: | kubectl get psp -o json | jq .items[] | jq -r 'select((.spec.hostNetwork == null) or (.spec.hostNetwork == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}' tests: bin_op: or test_items: - flag: "kubectl: not found" - flag: "jq: not found" - flag: count compare: op: gt value: 0 remediation: | Add policies to each namespace in the cluster which has user workloads to restrict the admission of `hostNetwork` containers. scored: true - id: 5.2.6 text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)" audit: | kubectl get psp -o json | jq .items[] | jq -r 'select((.spec.allowPrivilegeEscalation == null) or (.spec.allowPrivilegeEscalation == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}' tests: bin_op: or test_items: - flag: "kubectl: not found" - flag: "jq: not found" - flag: count compare: op: gt value: 0 remediation: | Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with `.spec.allowPrivilegeEscalation` set to `true`. scored: true - id: 5.2.7 text: "Minimize the admission of root containers (Manual)" type: "manual" remediation: | Create a policy for each namespace in the cluster, ensuring that either `MustRunAsNonRoot` or `MustRunAs` with the range of UIDs not including 0, is set. scored: false - id: 5.2.8 text: "Minimize the admission of containers with the NET_RAW capability (Manual)" type: "manual" remediation: | Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with the `NET_RAW` capability. scored: false - id: 5.2.9 text: "Minimize the admission of containers with added capabilities (Manual)" type: "manual" remediation: | Ensure that `allowedCapabilities` is not present in policies for the cluster unless it is set to an empty array. scored: false - id: 5.2.10 text: "Minimize the admission of containers with capabilities assigned (Manual)" type: "manual" remediation: | Review the use of capabilites in applications running on your cluster. Where a namespace contains applicaions which do not require any Linux capabities to operate consider adding a PSP which forbids the admission of containers which do not drop all capabilities. scored: false - id: 5.2.11 text: "Minimize the admission of Windows HostProcess containers (Manual)" type: "manual" remediation: | Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers that have `.securityContext.windowsOptions.hostProcess` set to `true`. scored: false - id: 5.2.12 text: "Minimize the admission of HostPath volumes (Manual)" type: "manual" remediation: | Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with `hostPath` volumes. scored: false - id: 5.2.13 text: "Minimize the admission of containers which use HostPorts (Manual)" type: "manual" remediation: | Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers which use `hostPort` sections. scored: false - id: 5.3 text: "Network Policies and CNI" checks: - id: 5.3.1 text: "Ensure that the CNI in use supports NetworkPolicies (Manual)" type: "manual" remediation: | If the CNI plugin in use does not support network policies, consideration should be given to making use of a different plugin, or finding an alternate mechanism for restricting traffic in the Kubernetes cluster. scored: false - id: 5.3.2 text: "Ensure that all Namespaces have NetworkPolicies defined (Manual)" type: "skip" remediation: | Follow the documentation and create NetworkPolicy objects as you need them. scored: false - id: 5.4 text: "Secrets Management" checks: - id: 5.4.1 text: "Prefer using Secrets as files over Secrets as environment variables (Manual)" type: "manual" remediation: | If possible, rewrite application code to read Secrets from mounted secret files, rather than from environment variables. scored: false - id: 5.4.2 text: "Consider external secret storage (Manual)" type: "manual" remediation: | Refer to the Secrets management options offered by your cloud provider or a third-party secrets management solution. scored: false - id: 5.5 text: "Extensible Admission Control" checks: - id: 5.5.1 text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)" type: "manual" remediation: | Follow the Kubernetes documentation and setup image provenance. scored: false - id: 5.7 text: "General Policies" checks: - id: 5.7.1 text: "Create administrative boundaries between resources using namespaces (Manual)" type: "manual" remediation: | Follow the documentation and create namespaces for objects in your deployment as you need them. scored: false - id: 5.7.2 text: "Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)" type: "manual" remediation: | Use `securityContext` to enable the docker/default seccomp profile in your pod definitions. An example is as below: securityContext: seccompProfile: type: RuntimeDefault scored: false - id: 5.7.3 text: "Apply SecurityContext to your Pods and Containers (Manual)" type: "manual" remediation: | Follow the Kubernetes documentation and apply SecurityContexts to your Pods. For a suggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker Containers. scored: false - id: 5.7.4 text: "The default namespace should not be used (Automated)" audit: | #!/bin/bash set -eE handle_error() { echo "false" } trap 'handle_error' ERR count=$(kubectl get all -n default -o json | jq .items[] | jq -r 'select((.metadata.name!="kubernetes"))' | jq .metadata.name | wc -l) if [[ ${count} -gt 0 ]]; then echo "false" exit fi echo "true" tests: bin_op: or test_items: - flag: "kubectl: not found" - flag: "jq: not found" - flag: "true" remediation: | Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace. scored: true