mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-19 05:08:07 +00:00
d988b81540
* Add initial commit for CIS GKE 1.0 benchmark * Update README with GKE instructions * Fix YAML linter issues * Set GKE benchmark k8s version to gke-1.0 * Add tests for gke-1.0 Co-authored-by: Roberto Rojas <robertojrojas@gmail.com>
349 lines
14 KiB
YAML
349 lines
14 KiB
YAML
---
|
|
controls:
|
|
version: "gke-1.0"
|
|
id: 1
|
|
text: "Control Plane Components"
|
|
type: "master"
|
|
groups:
|
|
- id: 1.1
|
|
text: "Master Node Configuration Files "
|
|
checks:
|
|
- id: 1.1.1
|
|
text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.1.2
|
|
text: "Ensure that the API server pod specification file ownership is set to root:root (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.1.3
|
|
text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.1.4
|
|
text: "Ensure that the controller manager pod specification file ownership is set to root:root (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.1.5
|
|
text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.1.6
|
|
text: "Ensure that the scheduler pod specification file ownership is set to root:root (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.1.7
|
|
text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.1.8
|
|
text: "Ensure that the etcd pod specification file ownership is set to root:root (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.1.9
|
|
text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.1.10
|
|
text: "Ensure that the Container Network Interface file ownership is set to root:root (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.1.11
|
|
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.1.12
|
|
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.1.13
|
|
text: "Ensure that the admin.conf file permissions are set to 644 or more restrictive (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.1.14
|
|
text: "Ensure that the admin.conf file ownership is set to root:root (Not Scored) "
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.1.15
|
|
text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: true
|
|
|
|
- id: 1.1.16
|
|
text: "Ensure that the scheduler.conf file ownership is set to root:root (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.1.17
|
|
text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.1.18
|
|
text: "Ensure that the controller-manager.conf file ownership is set to root:root (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.1.19
|
|
text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.1.20
|
|
text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.1.21
|
|
text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2
|
|
text: "API Server"
|
|
checks:
|
|
- id: 1.2.1
|
|
text: "Ensure that the --anonymous-auth argument is set to false (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.2
|
|
text: "Ensure that the --basic-auth-file argument is not set (Not Scored)"
|
|
remediation: |
|
|
Although the use of the --basic-auth-file argument cannot be audited on GKE, you can
|
|
remediate the use of basic authentication. See Recommendation 6.8.1.
|
|
scored: false
|
|
|
|
- id: 1.2.3
|
|
text: "Ensure that the --token-auth-file parameter is not set (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.4
|
|
text: "Ensure that the --kubelet-https argument is set to true (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.5
|
|
text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.6
|
|
text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.7
|
|
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.8
|
|
text: "Ensure that the --authorization-mode argument includes Node (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.9
|
|
text: "Ensure that the --authorization-mode argument includes RBAC (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.10
|
|
text: "Ensure that the admission control plugin EventRateLimit is set (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.11
|
|
text: "Ensure that the admission control plugin AlwaysAdmit is not set (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.12
|
|
text: "Ensure that the admission control plugin AlwaysPullImages is set (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.13
|
|
text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.14
|
|
text: "Ensure that the admission control plugin ServiceAccount is set (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.15
|
|
text: "Ensure that the admission control plugin NamespaceLifecycle is set (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.16
|
|
text: "Ensure that the admission control plugin PodSecurityPolicy is set (Not Scored)"
|
|
remediation: |
|
|
To verify and remediate the use of Pod Security Policy on GKE, see Recommendation 6.10.3.
|
|
scored: false
|
|
|
|
- id: 1.2.17
|
|
text: "Ensure that the admission control plugin NodeRestriction is set (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.18
|
|
text: "Ensure that the --insecure-bind-address argument is not set (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.19
|
|
text: "Ensure that the --insecure-port argument is set to 0 (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.20
|
|
text: "Ensure that the --secure-port argument is not set to 0 (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.21
|
|
text: "Ensure that the --profiling argument is set to false (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.22
|
|
text: "Ensure that the --audit-log-path argument is set (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.23
|
|
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.24
|
|
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.25
|
|
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.26
|
|
text: "Ensure that the --request-timeout argument is set as appropriate (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.27
|
|
text: "Ensure that the --service-account-lookup argument is set to true (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.28
|
|
text: "Ensure that the --service-account-key-file argument is set as appropriate (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.29
|
|
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.30
|
|
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.31
|
|
text: "Ensure that the --client-ca-file argument is set as appropriate (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.32
|
|
text: "Ensure that the --etcd-cafile argument is set as appropriate (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.2.33
|
|
text: "Ensure that the --encryption-provider-config argument is set as appropriate (Not Scored)"
|
|
remediation: |
|
|
To verify and remediate the use of secret encryption on GKE, see Recommendation 6.3.1.
|
|
scored: false
|
|
|
|
- id: 1.2.34
|
|
text: "Ensure that encryption providers are appropriately configured (Not Scored)"
|
|
remediation: |
|
|
To verify and remediate the use of secret encryption on GKE, see Recommendation 6.3.1.
|
|
scored: false
|
|
|
|
- id: 1.2.35
|
|
text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.3
|
|
text: "Controller Manager"
|
|
checks:
|
|
- id: 1.3.1
|
|
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.3.2
|
|
text: "Ensure that the --profiling argument is set to false (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.3.3
|
|
text: "Ensure that the --use-service-account-credentials argument is set to true (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.3.4
|
|
text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.3.5
|
|
text: "Ensure that the --root-ca-file argument is set as appropriate (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.3.6
|
|
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.3.7
|
|
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.4
|
|
text: "Scheduler"
|
|
checks:
|
|
- id: 1.4.1
|
|
text: "Ensure that the --profiling argument is set to false (Not Scored)"
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|
|
|
|
- id: 1.4.2
|
|
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Not Scored) "
|
|
remediation: "This control cannot be modified in GKE."
|
|
scored: false
|