mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-25 07:58:10 +00:00
ab3881420c
* First draft of AKS configuration checks. * Updated Azure Configurations. Added more policy checks. * Finalized cfg components for AKS. * Fixed targets for aks-1.0 in common_test.go * Fixed yaml linting issues. * Fixed white space yaml linkting issues in policies.yaml * Fixed white space yaml linting issues in policies.yaml
32 lines
1.3 KiB
YAML
32 lines
1.3 KiB
YAML
---
|
|
controls:
|
|
version: "aks-1.0"
|
|
id: 2
|
|
text: "Control Plane Configuration"
|
|
type: "controlplane"
|
|
groups:
|
|
- id: 2.1
|
|
text: "Authentication and Authorization"
|
|
checks:
|
|
- id: 2.1.1
|
|
text: "Enable Azure Active Directory Integration"
|
|
type: "manual"
|
|
remediation: |
|
|
Use of OIDC should be implemented in place of client certificates. Cluster administrators can configure Kubernetes role-based access control (RBAC) based on a user's identity or directory group membership. Azure AD authentication is provided to AKS clusters with OpenID Connect. See https://docs.microsoft.com/en-us/azure/aks/managed-aad.
|
|
scored: false
|
|
- id: 2.1.2
|
|
text: "Limit access to cluster configuration file"
|
|
type: "manual"
|
|
remediation: |
|
|
Use Azure role-based access control to define access to the Kubernetes configuration file in Azure Kubernetes Service (AKS). See https://docs.microsoft.com/en-us/azure/aks/control-kubeconfig-access
|
|
scored: false
|
|
|
|
- id: 2.2
|
|
text: "Logging"
|
|
checks:
|
|
- id: 2.2.1
|
|
text: "Enable logging for the Kubernetes master components"
|
|
type: "manual"
|
|
remediation: "Enable log collection for the Kubernetes master components in the AKS cluster using Diagnostic settings."
|
|
scored: false
|