mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2025-02-06 12:51:58 +00:00
3a2348eba7
* Create cis-1.10 yamls and Update info
- Modify yaml versions from 1.9 to 1.10
- Adapt configmap to cover cis-1.10
- Adapt docs and cmd files
* Adapt master.yaml
- 1.2.29 update cipher list to remove the following insecure ones (RC4-Based, 3DES-Based, RSA-Based AES CBC):
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_RC4_128_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA
ticket: https://workbench.cisecurity.org/community/43/tickets/21760
* Adapt policies.yaml
- 5.1.11 typo in sub-resource name 'certificatesigningrequest' https://workbench.cisecurity.org/tickets/21352
- 5.2.2 new audit to verify if a container is privileged or not. https://workbench.cisecurity.org/tickets/20919
- 5.2.3 new audit to verify the presence of hostPID opt-in across all pods. https://workbench.cisecurity.org/tickets/20919
- 5.2.4 new audit to verify the presence of hostIPC opt-in across all pods. https://workbench.cisecurity.org/tickets/20923
- 5.2.5 new audit to verify the presence of hostNetwork opt-in across all pods. https://workbench.cisecurity.org/tickets/20921
- 5.2.6 new audit to verify the presence of 'allowPrivilegeEscalation' to true across all pods' container(s)
- 5.2.6 the 'allowPrivilegeEscalation' setting is moved from 'spec' to 'securityContext' https://workbench.cisecurity.org/tickets/20922
- 5.2.9 new audit to verify the presence of added capabilities across all pods' container(s)
* Fix 5.2.6 remediation
560 lines
26 KiB
YAML
560 lines
26 KiB
YAML
---
|
|
controls:
|
|
version: "cis-1.10"
|
|
id: 5
|
|
text: "Kubernetes Policies"
|
|
type: "policies"
|
|
groups:
|
|
- id: 5.1
|
|
text: "RBAC and Service Accounts"
|
|
checks:
|
|
- id: 5.1.1
|
|
text: "Ensure that the cluster-admin role is only used where required (Automated)"
|
|
audit: |
|
|
kubectl get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].name --no-headers | while read -r role_name role_binding subject
|
|
do
|
|
if [[ "${role_name}" != "cluster-admin" && "${role_binding}" == "cluster-admin" ]]; then
|
|
is_compliant="false"
|
|
else
|
|
is_compliant="true"
|
|
fi;
|
|
echo "**role_name: ${role_name} role_binding: ${role_binding} subject: ${subject} is_compliant: ${is_compliant}"
|
|
done
|
|
use_multiple_values: true
|
|
tests:
|
|
test_items:
|
|
- flag: "is_compliant"
|
|
compare:
|
|
op: eq
|
|
value: true
|
|
remediation: |
|
|
Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
|
|
if they need this role or if they could use a role with fewer privileges.
|
|
Where possible, first bind users to a lower privileged role and then remove the
|
|
clusterrolebinding to the cluster-admin role : kubectl delete clusterrolebinding [name]
|
|
Condition: is_compliant is false if rolename is not cluster-admin and rolebinding is cluster-admin.
|
|
scored: true
|
|
|
|
- id: 5.1.2
|
|
text: "Minimize access to secrets (Automated)"
|
|
audit: "echo \"canGetListWatchSecretsAsSystemAuthenticated: $(kubectl auth can-i get,list,watch secrets --all-namespaces --as=system:authenticated)\""
|
|
tests:
|
|
test_items:
|
|
- flag: "canGetListWatchSecretsAsSystemAuthenticated"
|
|
compare:
|
|
op: eq
|
|
value: no
|
|
remediation: |
|
|
Where possible, remove get, list and watch access to Secret objects in the cluster.
|
|
scored: true
|
|
|
|
- id: 5.1.3
|
|
text: "Minimize wildcard use in Roles and ClusterRoles (Automated)"
|
|
audit: |
|
|
# Check Roles
|
|
kubectl get roles --all-namespaces -o custom-columns=ROLE_NAMESPACE:.metadata.namespace,ROLE_NAME:.metadata.name --no-headers | while read -r role_namespace role_name
|
|
do
|
|
role_rules=$(kubectl get role -n "${role_namespace}" "${role_name}" -o=json | jq -c '.rules')
|
|
if echo "${role_rules}" | grep -q "\[\"\*\"\]"; then
|
|
role_is_compliant="false"
|
|
else
|
|
role_is_compliant="true"
|
|
fi;
|
|
echo "**role_name: ${role_name} role_namespace: ${role_namespace} role_rules: ${role_rules} role_is_compliant: ${role_is_compliant}"
|
|
done
|
|
|
|
# Check ClusterRoles
|
|
kubectl get clusterroles -o custom-columns=CLUSTERROLE_NAME:.metadata.name --no-headers | while read -r clusterrole_name
|
|
do
|
|
clusterrole_rules=$(kubectl get clusterrole "${clusterrole_name}" -o=json | jq -c '.rules')
|
|
if echo "${clusterrole_rules}" | grep -q "\[\"\*\"\]"; then
|
|
clusterrole_is_compliant="false"
|
|
else
|
|
clusterrole_is_compliant="true"
|
|
fi;
|
|
echo "**clusterrole_name: ${clusterrole_name} clusterrole_rules: ${clusterrole_rules} clusterrole_is_compliant: ${clusterrole_is_compliant}"
|
|
done
|
|
use_multiple_values: true
|
|
tests:
|
|
bin_op: or
|
|
test_items:
|
|
- flag: "role_is_compliant"
|
|
compare:
|
|
op: eq
|
|
value: true
|
|
set: true
|
|
- flag: "clusterrole_is_compliant"
|
|
compare:
|
|
op: eq
|
|
value: true
|
|
set: true
|
|
remediation: |
|
|
Where possible replace any use of wildcards ["*"] in roles and clusterroles with specific
|
|
objects or actions.
|
|
Condition: role_is_compliant is false if ["*"] is found in rules.
|
|
Condition: clusterrole_is_compliant is false if ["*"] is found in rules.
|
|
scored: true
|
|
|
|
- id: 5.1.4
|
|
text: "Minimize access to create pods (Automated)"
|
|
audit: |
|
|
echo "canCreatePodsAsSystemAuthenticated: $(kubectl auth can-i create pods --all-namespaces --as=system:authenticated)"
|
|
tests:
|
|
test_items:
|
|
- flag: "canCreatePodsAsSystemAuthenticated"
|
|
compare:
|
|
op: eq
|
|
value: no
|
|
remediation: |
|
|
Where possible, remove create access to pod objects in the cluster.
|
|
scored: true
|
|
- id: 5.1.5
|
|
text: "Ensure that default service accounts are not actively used (Automated)"
|
|
audit: |
|
|
kubectl get serviceaccount --all-namespaces --field-selector metadata.name=default -o=json | jq -r '.items[] | " namespace: \(.metadata.namespace), kind: \(.kind), name: \(.metadata.name), automountServiceAccountToken: \(.automountServiceAccountToken | if . == null then "notset" else . end )"' | xargs -L 1
|
|
use_multiple_values: true
|
|
tests:
|
|
test_items:
|
|
- flag: "automountServiceAccountToken"
|
|
compare:
|
|
op: eq
|
|
value: false
|
|
set: true
|
|
remediation: |
|
|
Create explicit service accounts wherever a Kubernetes workload requires specific access
|
|
to the Kubernetes API server.
|
|
Modify the configuration of each default service account to include this value
|
|
`automountServiceAccountToken: false`.
|
|
scored: true
|
|
|
|
- id: 5.1.6
|
|
text: "Ensure that Service Account Tokens are only mounted where necessary (Automated)"
|
|
audit: |
|
|
kubectl get pods --all-namespaces -o custom-columns=POD_NAMESPACE:.metadata.namespace,POD_NAME:.metadata.name,POD_SERVICE_ACCOUNT:.spec.serviceAccount,POD_IS_AUTOMOUNTSERVICEACCOUNTTOKEN:.spec.automountServiceAccountToken --no-headers | while read -r pod_namespace pod_name pod_service_account pod_is_automountserviceaccounttoken
|
|
do
|
|
# Retrieve automountServiceAccountToken's value for ServiceAccount and Pod, set to notset if null or <none>.
|
|
svacc_is_automountserviceaccounttoken=$(kubectl get serviceaccount -n "${pod_namespace}" "${pod_service_account}" -o json | jq -r '.automountServiceAccountToken' | sed -e 's/<none>/notset/g' -e 's/null/notset/g')
|
|
pod_is_automountserviceaccounttoken=$(echo "${pod_is_automountserviceaccounttoken}" | sed -e 's/<none>/notset/g' -e 's/null/notset/g')
|
|
if [ "${svacc_is_automountserviceaccounttoken}" = "false" ] && ( [ "${pod_is_automountserviceaccounttoken}" = "false" ] || [ "${pod_is_automountserviceaccounttoken}" = "notset" ] ); then
|
|
is_compliant="true"
|
|
elif [ "${svacc_is_automountserviceaccounttoken}" = "true" ] && [ "${pod_is_automountserviceaccounttoken}" = "false" ]; then
|
|
is_compliant="true"
|
|
else
|
|
is_compliant="false"
|
|
fi
|
|
echo "**namespace: ${pod_namespace} pod_name: ${pod_name} service_account: ${pod_service_account} pod_is_automountserviceaccounttoken: ${pod_is_automountserviceaccounttoken} svacc_is_automountServiceAccountToken: ${svacc_is_automountserviceaccounttoken} is_compliant: ${is_compliant}"
|
|
done
|
|
use_multiple_values: true
|
|
tests:
|
|
test_items:
|
|
- flag: "is_compliant"
|
|
compare:
|
|
op: eq
|
|
value: true
|
|
remediation: |
|
|
Modify the definition of ServiceAccounts and Pods which do not need to mount service
|
|
account tokens to disable it, with `automountServiceAccountToken: false`.
|
|
If both the ServiceAccount and the Pod's .spec specify a value for automountServiceAccountToken, the Pod spec takes precedence.
|
|
Condition: Pod is_compliant to true when
|
|
- ServiceAccount is automountServiceAccountToken: false and Pod is automountServiceAccountToken: false or notset
|
|
- ServiceAccount is automountServiceAccountToken: true notset and Pod is automountServiceAccountToken: false
|
|
scored: true
|
|
|
|
- id: 5.1.7
|
|
text: "Avoid use of system:masters group (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Remove the system:masters group from all users in the cluster.
|
|
scored: false
|
|
|
|
- id: 5.1.8
|
|
text: "Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Where possible, remove the impersonate, bind and escalate rights from subjects.
|
|
scored: false
|
|
|
|
- id: 5.1.9
|
|
text: "Minimize access to create persistent volumes (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Where possible, remove create access to PersistentVolume objects in the cluster.
|
|
scored: false
|
|
|
|
- id: 5.1.10
|
|
text: "Minimize access to the proxy sub-resource of nodes (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Where possible, remove access to the proxy sub-resource of node objects.
|
|
scored: false
|
|
|
|
- id: 5.1.11
|
|
text: "Minimize access to the approval sub-resource of certificatesigningrequests objects (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Where possible, remove access to the approval sub-resource of certificatesigningrequests objects.
|
|
scored: false
|
|
|
|
- id: 5.1.12
|
|
text: "Minimize access to webhook configuration objects (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Where possible, remove access to the validatingwebhookconfigurations or mutatingwebhookconfigurations objects
|
|
scored: false
|
|
|
|
- id: 5.1.13
|
|
text: "Minimize access to the service account token creation (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Where possible, remove access to the token sub-resource of serviceaccount objects.
|
|
scored: false
|
|
|
|
- id: 5.2
|
|
text: "Pod Security Standards"
|
|
checks:
|
|
- id: 5.2.1
|
|
text: "Ensure that the cluster has at least one active policy control mechanism in place (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Ensure that either Pod Security Admission or an external policy control system is in place
|
|
for every namespace which contains user workloads.
|
|
scored: false
|
|
|
|
- id: 5.2.2
|
|
text: "Minimize the admission of privileged containers (Manual)"
|
|
audit: |
|
|
kubectl get pods --all-namespaces -o custom-columns=POD_NAME:.metadata.name,POD_NAMESPACE:.metadata.namespace --no-headers | while read -r pod_name pod_namespace
|
|
do
|
|
# Retrieve container(s) for each Pod.
|
|
kubectl get pod "${pod_name}" --namespace "${pod_namespace}" -o json | jq -c '.spec.containers[]' | while read -r container
|
|
do
|
|
# Retrieve container's name.
|
|
container_name=$(echo ${container} | jq -r '.name')
|
|
# Retrieve container's .securityContext.privileged value.
|
|
container_privileged=$(echo ${container} | jq -r '.securityContext.privileged' | sed -e 's/null/notset/g')
|
|
if [ "${container_privileged}" = "false" ] || [ "${container_privileged}" = "notset" ] ; then
|
|
echo "***pod_name: ${pod_name} container_name: ${container_name} pod_namespace: ${pod_namespace} is_container_privileged: ${container_privileged} is_compliant: true"
|
|
else
|
|
echo "***pod_name: ${pod_name} container_name: ${container_name} pod_namespace: ${pod_namespace} is_container_privileged: ${container_privileged} is_compliant: false"
|
|
fi
|
|
done
|
|
done
|
|
use_multiple_values: true
|
|
tests:
|
|
test_items:
|
|
- flag: "is_compliant"
|
|
compare:
|
|
op: eq
|
|
value: true
|
|
remediation: |
|
|
Add policies to each namespace in the cluster which has user workloads to restrict the
|
|
admission of privileged containers.
|
|
Audit: the audit list all pods' containers to retrieve their .securityContext.privileged value.
|
|
Condition: is_compliant is false if container's `.securityContext.privileged` is set to `true`.
|
|
Default: by default, there are no restrictions on the creation of privileged containers.
|
|
scored: false
|
|
|
|
- id: 5.2.3
|
|
text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
|
|
audit: |
|
|
kubectl get pods --all-namespaces -o custom-columns=POD_NAME:.metadata.name,POD_NAMESPACE:.metadata.namespace --no-headers | while read -r pod_name pod_namespace
|
|
do
|
|
# Retrieve spec.hostPID for each pod.
|
|
pod_hostpid=$(kubectl get pod "${pod_name}" --namespace "${pod_namespace}" -o jsonpath='{.spec.hostPID}' 2>/dev/null)
|
|
if [ -z "${pod_hostpid}" ]; then
|
|
pod_hostpid="false"
|
|
echo "***pod_name: ${pod_name} pod_namespace: ${pod_namespace} is_pod_hostpid: ${pod_hostpid} is_compliant: true"
|
|
else
|
|
echo "***pod_name: ${pod_name} pod_namespace: ${pod_namespace} is_pod_hostpid: ${pod_hostpid} is_compliant: false"
|
|
fi
|
|
done
|
|
use_multiple_values: true
|
|
tests:
|
|
test_items:
|
|
- flag: "is_compliant"
|
|
compare:
|
|
op: eq
|
|
value: true
|
|
remediation: |
|
|
Add policies to each namespace in the cluster which has user workloads to restrict the
|
|
admission of `hostPID` containers.
|
|
Audit: the audit retrieves each Pod' spec.hostPID.
|
|
Condition: is_compliant is false if Pod's spec.hostPID is set to `true`.
|
|
Default: by default, there are no restrictions on the creation of hostPID containers.
|
|
scored: false
|
|
|
|
- id: 5.2.4
|
|
text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
|
|
audit: |
|
|
kubectl get pods --all-namespaces -o custom-columns=POD_NAME:.metadata.name,POD_NAMESPACE:.metadata.namespace --no-headers | while read -r pod_name pod_namespace
|
|
do
|
|
# Retrieve spec.hostIPC for each pod.
|
|
pod_hostipc=$(kubectl get pod "${pod_name}" --namespace "${pod_namespace}" -o jsonpath='{.spec.hostIPC}' 2>/dev/null)
|
|
if [ -z "${pod_hostipc}" ]; then
|
|
pod_hostipc="false"
|
|
echo "***pod_name: ${pod_name} pod_namespace: ${pod_namespace} is_pod_hostipc: ${pod_hostipc} is_compliant: true"
|
|
else
|
|
echo "***pod_name: ${pod_name} pod_namespace: ${pod_namespace} is_pod_hostipc: ${pod_hostipc} is_compliant: false"
|
|
fi
|
|
done
|
|
use_multiple_values: true
|
|
tests:
|
|
test_items:
|
|
- flag: "is_compliant"
|
|
compare:
|
|
op: eq
|
|
value: true
|
|
remediation: |
|
|
Add policies to each namespace in the cluster which has user workloads to restrict the
|
|
admission of `hostIPC` containers.
|
|
Audit: the audit retrieves each Pod' spec.IPC.
|
|
Condition: is_compliant is false if Pod's spec.hostIPC is set to `true`.
|
|
Default: by default, there are no restrictions on the creation of hostIPC containers.
|
|
scored: false
|
|
|
|
- id: 5.2.5
|
|
text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
|
|
audit: |
|
|
kubectl get pods --all-namespaces -o custom-columns=POD_NAME:.metadata.name,POD_NAMESPACE:.metadata.namespace --no-headers | while read -r pod_name pod_namespace
|
|
do
|
|
# Retrieve spec.hostNetwork for each pod.
|
|
pod_hostnetwork=$(kubectl get pod "${pod_name}" --namespace "${pod_namespace}" -o jsonpath='{.spec.hostNetwork}' 2>/dev/null)
|
|
if [ -z "${pod_hostnetwork}" ]; then
|
|
pod_hostnetwork="false"
|
|
echo "***pod_name: ${pod_name} pod_namespace: ${pod_namespace} is_pod_hostnetwork: ${pod_hostnetwork} is_compliant: true"
|
|
else
|
|
echo "***pod_name: ${pod_name} pod_namespace: ${pod_namespace} is_pod_hostnetwork: ${pod_hostnetwork} is_compliant: false"
|
|
fi
|
|
done
|
|
use_multiple_values: true
|
|
tests:
|
|
test_items:
|
|
- flag: "is_compliant"
|
|
compare:
|
|
op: eq
|
|
value: true
|
|
remediation: |
|
|
Add policies to each namespace in the cluster which has user workloads to restrict the
|
|
admission of `hostNetwork` containers.
|
|
Audit: the audit retrieves each Pod' spec.hostNetwork.
|
|
Condition: is_compliant is false if Pod's spec.hostNetwork is set to `true`.
|
|
Default: by default, there are no restrictions on the creation of hostNetwork containers.
|
|
scored: false
|
|
|
|
- id: 5.2.6
|
|
text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
|
|
audit: |
|
|
kubectl get pods --all-namespaces -o custom-columns=POD_NAME:.metadata.name,POD_NAMESPACE:.metadata.namespace --no-headers | while read -r pod_name pod_namespace
|
|
do
|
|
# Retrieve container(s) for each Pod.
|
|
kubectl get pod "${pod_name}" --namespace "${pod_namespace}" -o json | jq -c '.spec.containers[]' | while read -r container
|
|
do
|
|
# Retrieve container's name
|
|
container_name=$(echo ${container} | jq -r '.name')
|
|
# Retrieve container's .securityContext.allowPrivilegeEscalation
|
|
container_allowprivesc=$(echo ${container} | jq -r '.securityContext.allowPrivilegeEscalation' | sed -e 's/null/notset/g')
|
|
if [ "${container_allowprivesc}" = "false" ] || [ "${container_allowprivesc}" = "notset" ]; then
|
|
echo "***pod_name: ${pod_name} container_name: ${container_name} pod_namespace: ${pod_namespace} is_container_allowprivesc: ${container_allowprivesc} is_compliant: true"
|
|
else
|
|
echo "***pod_name: ${pod_name} container_name: ${container_name} pod_namespace: ${pod_namespace} is_container_allowprivesc: ${container_allowprivesc} is_compliant: false"
|
|
fi
|
|
done
|
|
done
|
|
use_multiple_values: true
|
|
tests:
|
|
test_items:
|
|
- flag: "is_compliant"
|
|
compare:
|
|
op: eq
|
|
value: true
|
|
remediation: |
|
|
Add policies to each namespace in the cluster which has user workloads to restrict the
|
|
admission of containers with `.securityContext.allowPrivilegeEscalation` set to `true`.
|
|
Audit: the audit retrieves each Pod's container(s) `.securityContext.allowPrivilegeEscalation`.
|
|
Condition: is_compliant is false if container's `.securityContext.allowPrivilegeEscalation` is set to `true`.
|
|
Default: If notset, privilege escalation is allowed (default to true). However if PSP/PSA is used with a `restricted` profile,
|
|
privilege escalation is explicitly disallowed unless configured otherwise.
|
|
scored: false
|
|
|
|
- id: 5.2.7
|
|
text: "Minimize the admission of root containers (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Create a policy for each namespace in the cluster, ensuring that either `MustRunAsNonRoot`
|
|
or `MustRunAs` with the range of UIDs not including 0, is set.
|
|
scored: false
|
|
|
|
- id: 5.2.8
|
|
text: "Minimize the admission of containers with the NET_RAW capability (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Add policies to each namespace in the cluster which has user workloads to restrict the
|
|
admission of containers with the `NET_RAW` capability.
|
|
scored: false
|
|
|
|
- id: 5.2.9
|
|
text: "Minimize the admission of containers with added capabilities (Manual)"
|
|
audit: |
|
|
kubectl get pods --all-namespaces -o custom-columns=POD_NAME:.metadata.name,POD_NAMESPACE:.metadata.namespace --no-headers | while read -r pod_name pod_namespace
|
|
do
|
|
# Retrieve container(s) for each Pod.
|
|
kubectl get pod "${pod_name}" --namespace "${pod_namespace}" -o json | jq -c '.spec.containers[]' | while read -r container
|
|
do
|
|
# Retrieve container's name
|
|
container_name=$(echo ${container} | jq -r '.name')
|
|
# Retrieve container's added capabilities
|
|
container_caps_add=$(echo ${container} | jq -r '.securityContext.capabilities.add' | sed -e 's/null/notset/g')
|
|
# Set is_compliant to true by default.
|
|
is_compliant=true
|
|
caps_list=""
|
|
if [ "${container_caps_add}" != "notset" ]; then
|
|
# Loop through all caps and append caps_list, then set is_compliant to false.
|
|
for cap in $(echo "${container_caps_add}" | jq -r '.[]'); do
|
|
caps_list+="${cap},"
|
|
is_compliant=false
|
|
done
|
|
# Remove trailing comma for the last list member.
|
|
caps_list=${caps_list%,}
|
|
fi
|
|
if [ "${is_compliant}" = true ]; then
|
|
echo "***pod_name: ${pod_name} container_name: ${container_name} pod_namespace: ${pod_namespace} container_caps_add: ${container_caps_add} is_compliant: true"
|
|
else
|
|
echo "***pod_name: ${pod_name} container_name: ${container_name} pod_namespace: ${pod_namespace} container_caps_add: ${caps_list} is_compliant: false"
|
|
fi
|
|
done
|
|
done
|
|
use_multiple_values: true
|
|
tests:
|
|
test_items:
|
|
- flag: "is_compliant"
|
|
compare:
|
|
op: eq
|
|
value: true
|
|
remediation: |
|
|
Ensure that `allowedCapabilities` is not present in policies for the cluster unless
|
|
it is set to an empty array.
|
|
Audit: the audit retrieves each Pod's container(s) added capabilities.
|
|
Condition: is_compliant is false if added capabilities are added for a given container.
|
|
Default: Containers run with a default set of capabilities as assigned by the Container Runtime.
|
|
scored: false
|
|
|
|
- id: 5.2.10
|
|
text: "Minimize the admission of containers with capabilities assigned (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Review the use of capabilites in applications running on your cluster. Where a namespace
|
|
contains applicaions which do not require any Linux capabities to operate consider adding
|
|
a PSP which forbids the admission of containers which do not drop all capabilities.
|
|
scored: false
|
|
|
|
- id: 5.2.11
|
|
text: "Minimize the admission of Windows HostProcess containers (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Add policies to each namespace in the cluster which has user workloads to restrict the
|
|
admission of containers that have `.securityContext.windowsOptions.hostProcess` set to `true`.
|
|
scored: false
|
|
|
|
- id: 5.2.12
|
|
text: "Minimize the admission of HostPath volumes (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Add policies to each namespace in the cluster which has user workloads to restrict the
|
|
admission of containers with `hostPath` volumes.
|
|
scored: false
|
|
|
|
- id: 5.2.13
|
|
text: "Minimize the admission of containers which use HostPorts (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Add policies to each namespace in the cluster which has user workloads to restrict the
|
|
admission of containers which use `hostPort` sections.
|
|
scored: false
|
|
|
|
- id: 5.3
|
|
text: "Network Policies and CNI"
|
|
checks:
|
|
- id: 5.3.1
|
|
text: "Ensure that the CNI in use supports NetworkPolicies (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
If the CNI plugin in use does not support network policies, consideration should be given to
|
|
making use of a different plugin, or finding an alternate mechanism for restricting traffic
|
|
in the Kubernetes cluster.
|
|
scored: false
|
|
|
|
- id: 5.3.2
|
|
text: "Ensure that all Namespaces have NetworkPolicies defined (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Follow the documentation and create NetworkPolicy objects as you need them.
|
|
scored: false
|
|
|
|
- id: 5.4
|
|
text: "Secrets Management"
|
|
checks:
|
|
- id: 5.4.1
|
|
text: "Prefer using Secrets as files over Secrets as environment variables (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
If possible, rewrite application code to read Secrets from mounted secret files, rather than
|
|
from environment variables.
|
|
scored: false
|
|
|
|
- id: 5.4.2
|
|
text: "Consider external secret storage (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Refer to the Secrets management options offered by your cloud provider or a third-party
|
|
secrets management solution.
|
|
scored: false
|
|
|
|
- id: 5.5
|
|
text: "Extensible Admission Control"
|
|
checks:
|
|
- id: 5.5.1
|
|
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Follow the Kubernetes documentation and setup image provenance.
|
|
scored: false
|
|
|
|
- id: 5.7
|
|
text: "General Policies"
|
|
checks:
|
|
- id: 5.7.1
|
|
text: "Create administrative boundaries between resources using namespaces (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Follow the documentation and create namespaces for objects in your deployment as you need
|
|
them.
|
|
scored: false
|
|
|
|
- id: 5.7.2
|
|
text: "Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Use `securityContext` to enable the docker/default seccomp profile in your pod definitions.
|
|
An example is as below:
|
|
securityContext:
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
scored: false
|
|
|
|
- id: 5.7.3
|
|
text: "Apply SecurityContext to your Pods and Containers (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Follow the Kubernetes documentation and apply SecurityContexts to your Pods. For a
|
|
suggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker
|
|
Containers.
|
|
scored: false
|
|
|
|
- id: 5.7.4
|
|
text: "The default namespace should not be used (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
|
|
resources and that all new resources are created in a specific namespace.
|
|
scored: false
|