mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-24 07:28:06 +00:00
a34047c105
* Adding eks-stig-kubernetes-v1r6 * Fixing lint errors * Reformatting texts * Removing pinned docker tag * Updating Expected Stig Output Co-authored-by: EC2 Default User <ec2-user@ip-10-0-44-222.ec2.internal>
34 lines
1.2 KiB
YAML
34 lines
1.2 KiB
YAML
---
|
|
controls:
|
|
version: "eks-stig-kubernetes-v1r6"
|
|
id: 4
|
|
text: "Policies"
|
|
type: "policies"
|
|
groups:
|
|
- id: 4.1
|
|
text: "Policies - DISA Category Code I"
|
|
checks:
|
|
- id: V-242381
|
|
text: "The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Create explicit service accounts wherever a Kubernetes workload requires specific access
|
|
to the Kubernetes API server.
|
|
Modify the configuration of each default service account to include this value
|
|
automountServiceAccountToken: false
|
|
scored: false
|
|
|
|
- id: V-242383
|
|
text: "User-managed resources must be created in dedicated namespaces. (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces.
|
|
scored: false
|
|
|
|
- id: V-242417
|
|
text: "Kubernetes must separate user functionality. (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Move any user pods that are present in the Kubernetes system namespaces to user specific namespaces.
|
|
scored: false
|