1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-24 08:58:11 +00:00
kube-bench/cfg/cis-1.6-k3s/master.yaml
Derek Nola e1d1053358
Fix to empty grep and other cis-1.6-k3s checks (#1352)
* Fix to empty grep and other k3s checks

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Lint fix

Signed-off-by: Derek Nola <derek.nola@suse.com>

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-01-13 18:06:57 +02:00

787 lines
33 KiB
YAML

---
controls:
version: "cis-1.6-k3s"
id: 1
text: "Master Node Security Configuration"
type: "master"
groups:
- id: 1.1
text: "Master Node Configuration Files"
checks:
- id: 1.1.1
text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Not Applicable)"
scored: false
- id: 1.1.2
text: "Ensure that the API server pod specification file ownership is set to root:root (Not Applicable)"
scored: false
- id: 1.1.3
text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Not Applicable)"
scored: false
- id: 1.1.4
text: "Ensure that the controller manager pod specification file ownership is set to root:root (Not Applicable)"
scored: false
- id: 1.1.5
text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Not Applicable)"
scored: false
- id: 1.1.6
text: "Ensure that the scheduler pod specification file ownership is set to root:root (Not Applicable)"
scored: false
- id: 1.1.7
text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Not Applicable)"
scored: false
- id: 1.1.8
text: "Ensure that the etcd pod specification file ownership is set to root:root (Not Applicable)"
scored: false
- id: 1.1.9
text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Applicable)"
scored: false
- id: 1.1.10
text: "Ensure that the Container Network Interface file ownership is set to root:root (Not Applicable)"
scored: false
- id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive if etcd is used (Automated)"
audit: stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "700"
remediation: |
On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
from the below command:
journalctl -u k3s | grep 'Managed etcd' | grep -v grep
Run the below command (based on the etcd data directory found above). For example,
chmod 700 /var/lib/rancher/k3s/server/db/etcd
scored: true
- id: 1.1.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd if etcd is used (Not Applicable)"
scored: false
- id: 1.1.13
text: "Ensure that the admin.kubeconfig file permissions are set to 644 or more restrictive (Automated)"
audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'"
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "644"
remediation: |
Run the below command (based on the file location on your system) on the k3s node.
For example,
chmod 644 /var/lib/rancher/k3s/server/cred/admin.kubeconfig
scored: true
- id: 1.1.14
text: "Ensure that the admin.kubeconfig file ownership is set to root:root (Automated)"
audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'"
tests:
test_items:
- flag: "root:root"
remediation: |
Run the below command (based on the file location on your system) on the k3s node.
For example,
chown root:root /var/lib/rancher/k3s/server/cred/admin.kubeconfig
scored: true
- id: 1.1.15
text: "Ensure that the scheduler.kubeconfig file permissions are set to 644 or more restrictive (Automated)"
audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c permissions=%a $schedulerkubeconfig; fi'"
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "644"
remediation: |
Run the below command (based on the file location on your system) on the k3s node.
For example,
chmod 644 $schedulerkubeconfig
scored: true
- id: 1.1.16
text: "Ensure that the scheduler.kubeconfig file ownership is set to root:root (Automated)"
audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c %U:%G $schedulerkubeconfig; fi'"
tests:
test_items:
- flag: "root:root"
remediation: |
Run the below command (based on the file location on your system) on the k3s node.
For example,
chown root:root $schedulerkubeconfig
scored: true
- id: 1.1.17
text: "Ensure that the cloud-controller.kubeconfig file permissions are set to 644 or more restrictive (Automated)"
audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'"
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "644"
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
chmod 644 $controllermanagerkubeconfig
scored: true
- id: 1.1.18
text: "Ensure that the $controllermanagerkubeconfig file ownership is set to root:root (Automated)"
audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c %U:%G $controllermanagerkubeconfig; fi'"
tests:
test_items:
- flag: "root:root"
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
chown root:root $controllermanagerkubeconfig
scored: true
- id: 1.1.19
text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /var/lib/rancher/k3s/server/tls"
use_multiple_values: true
tests:
test_items:
- flag: "root:root"
remediation: |
Run the below command (based on the file location on your system) on the k3s node.
For example,
chown -R root:root /var/lib/rancher/k3s/server/tls
scored: true
- id: 1.1.20
text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Automated)"
audit: "find /var/lib/rancher/k3s/server/tls/ -name '*.crt' | xargs stat -c permissions=%a"
use_multiple_values: true
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "644"
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
chmod -R 644 /var/lib/rancher/k3s/server/tls/*.crt
scored: true
- id: 1.1.21
text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)"
audit: "find /var/lib/rancher/k3s/server/tls/ -name '*.key' | xargs stat -c permissions=%a"
use_multiple_values: true
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "600"
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
chmod -R 600 /etc/kubernetes/pki/*.key
scored: true
- id: 1.2
text: "API Server"
checks:
- id: 1.2.1
text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth"
tests:
test_items:
- flag: "--anonymous-auth"
compare:
op: eq
value: false
remediation: |
By default, K3s kube-apiserver is configured to run with --anonymous-auth=false flag and value.
scored: false
- id: 1.2.2
text: "Ensure that the --basic-auth-file argument is not set (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "basic-auth-file" | cat
tests:
test_items:
- flag: "--basic-auth-file"
set: false
remediation: |
By default, K3s does not run with basic authentication enabled. No manual remediation is needed.
scored: true
- id: 1.2.3
text: "Ensure that the --token-auth-file parameter is not set (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "token-auth-file" | cat
tests:
test_items:
- flag: "--token-auth-file"
set: false
remediation: |
By default, K3s does not run with basic authentication enabled. No manual remediation is needed.
scored: true
- id: 1.2.4
text: "Ensure that the --kubelet-https argument is set to true (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "kubelet-https" | cat
tests:
bin_op: or
test_items:
- flag: "--kubelet-https"
compare:
op: eq
value: true
- flag: "--kubelet-https"
set: false
remediation: |
By default, K3s kube-apiserver doesn't run with the --kubelet-https parameter as it runs with TLS. No manual remediation is needed.
scored: true
- id: 1.2.5
text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep -E 'kubelet-client-certificate|kubelet-client-key'
tests:
bin_op: and
test_items:
- flag: "--kubelet-client-certificate"
- flag: "--kubelet-client-key"
remediation: |
By default, K3s kube-apiserver is ran with these arguments for secure communication with kubelet. No manual remediation is needed.
scored: true
- id: 1.2.6
text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "kubelet-certificate-authority"
tests:
test_items:
- flag: "--kubelet-certificate-authority"
remediation: |
By default, K3s kube-apiserver is ran with this argument for secure communication with kubelet. No manual remediation is needed.
scored: true
- id: 1.2.7
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"
tests:
test_items:
- flag: "--authorization-mode"
compare:
op: nothave
value: "AlwaysAllow"
remediation: |
By default, K3s sets Node,RBAC as the parameter to the --authorization-mode argument. No manual remediation is needed.
scored: true
- id: 1.2.8
text: "Ensure that the --authorization-mode argument includes Node (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"
tests:
test_items:
- flag: "--authorization-mode"
compare:
op: has
value: "Node"
remediation: |
By default, K3s sets Node,RBAC as the parameter to the --authorization-mode argument. No manual remediation is needed.
scored: true
- id: 1.2.9
text: "Ensure that the --authorization-mode argument includes RBAC (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"
tests:
test_items:
- flag: "--authorization-mode"
compare:
op: has
value: "RBAC"
remediation: |
By default, K3s sets Node,RBAC as the parameter to the --authorization-mode argument. No manual remediation is needed.
scored: true
- id: 1.2.10
text: "Ensure that the admission control plugin EventRateLimit is set (Manual)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
tests:
test_items:
- flag: "--enable-admission-plugins"
compare:
op: has
value: "EventRateLimit"
remediation: |
By default, K3s only sets NodeRestriction,PodSecurityPolicy as the parameter to the --enable-admission-plugins argument.
To configure this, follow the Kubernetes documentation and set the desired limits in a configuration file.
Then refer to K3s's documentation to see how to supply additional api server configuration via the kube-apiserver-arg parameter.
scored: false
- id: 1.2.11
text: "Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
tests:
bin_op: or
test_items:
- flag: "--enable-admission-plugins"
compare:
op: nothave
value: AlwaysAdmit
- flag: "--enable-admission-plugins"
set: false
remediation: |
By default, K3s only sets NodeRestriction,PodSecurityPolicy as the parameter to the --enable-admission-plugins argument.
No manual remediation needed.
scored: true
- id: 1.2.12
text: "Ensure that the admission control plugin AlwaysPullImages is set (Manual)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
tests:
test_items:
- flag: "--enable-admission-plugins"
compare:
op: has
value: "AlwaysPullImages"
remediation: |
By default, K3s only sets NodeRestriction,PodSecurityPolicy as the parameter to the --enable-admission-plugins argument.
To configure this, follow the Kubernetes documentation and set the desired limits in a configuration file.
Then refer to K3s's documentation to see how to supply additional api server configuration via the kube-apiserver-arg parameter.
scored: false
- id: 1.2.13
text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
tests:
bin_op: or
test_items:
- flag: "--enable-admission-plugins"
compare:
op: has
value: "SecurityContextDeny"
- flag: "--enable-admission-plugins"
compare:
op: has
value: "PodSecurityPolicy"
remediation: |
K3s would need to have the SecurityContextDeny admission plugin enabled by passing it as an argument to K3s.
--kube-apiserver-arg='enable-admission-plugins=SecurityContextDeny
scored: false
- id: 1.2.14
text: "Ensure that the admission control plugin ServiceAccount is set (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "ServiceAccount"
tests:
bin_op: or
test_items:
- flag: "--disable-admission-plugins"
compare:
op: nothave
value: "ServiceAccount"
- flag: "--disable-admission-plugins"
set: false
remediation: |
By default, K3s does not use this argument.
If there's a desire to use this argument, follow the documentation and create ServiceAccount objects as per your environment.
Then refer to K3s's documentation to see how to supply additional api server configuration via the kube-apiserver-arg parameter.
scored: true
- id: 1.2.15
text: "Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "disable-admission-plugins" | cat
tests:
bin_op: or
test_items:
- flag: "--disable-admission-plugins"
compare:
op: nothave
value: "NamespaceLifecycle"
- flag: "--disable-admission-plugins"
set: false
remediation: |
By default, K3s does not use this argument. No manual remediation needed.
scored: true
- id: 1.2.16
text: "Ensure that the admission control plugin PodSecurityPolicy is set (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
tests:
test_items:
- flag: "--enable-admission-plugins"
compare:
op: has
value: "PodSecurityPolicy"
remediation: |
K3s would need to have the PodSecurityPolicy admission plugin enabled by passing it as an argument to K3s.
--kube-apiserver-arg='enable-admission-plugins=PodSecurityPolicy.
scored: true
- id: 1.2.17
text: "Ensure that the admission control plugin NodeRestriction is set (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
tests:
test_items:
- flag: "--enable-admission-plugins"
compare:
op: has
value: "NodeRestriction"
remediation: |
K3s would need to have the NodeRestriction admission plugin enabled by passing it as an argument to K3s.
--kube-apiserver-arg='enable-admission-plugins=NodeRestriction.
scored: true
- id: 1.2.18
text: "Ensure that the --insecure-bind-address argument is not set (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
tests:
test_items:
- flag: "--insecure-bind-address"
set: false
remediation: |
By default, K3s explicitly excludes the use of the --insecure-bind-address parameter. No manual remediation is needed.
scored: true
- id: 1.2.19
text: "Ensure that the --insecure-port argument is set to 0 (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "insecure-port"
tests:
test_items:
- flag: "--insecure-port"
compare:
op: eq
value: 0
remediation: |
By default, K3s starts the kube-apiserver process with this argument's parameter set to 0. No manual remediation is needed.
scored: true
- id: 1.2.20
text: "Ensure that the --secure-port argument is not set to 0 (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "secure-port"
tests:
bin_op: or
test_items:
- flag: "--secure-port"
compare:
op: gt
value: 0
- flag: "--secure-port"
set: false
remediation: |
By default, K3s sets the parameter of 6444 for the --secure-port argument. No manual remediation is needed.
scored: true
- id: 1.2.21
text: "Ensure that the --profiling argument is set to false (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "profiling"
tests:
test_items:
- flag: "--profiling"
compare:
op: eq
value: false
remediation: |
By default, K3s sets the --profiling flag parameter to false. No manual remediation needed.
scored: true
- id: 1.2.22
text: "Ensure that the --audit-log-path argument is set (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "audit-log-path"
tests:
test_items:
- flag: "--audit-log-path"
remediation: |
K3s server needs to be run with the following argument, --kube-apiserver-arg='audit-log-path=/path/to/log/file'
scored: true
- id: 1.2.23
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "audit-log-maxage"
tests:
test_items:
- flag: "--audit-log-maxage"
compare:
op: gte
value: 30
remediation: |
K3s server needs to be run with the following argument, --kube-apiserver-arg='audit-log-maxage=30'
scored: true
- id: 1.2.24
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "audit-log-maxbackup"
tests:
test_items:
- flag: "--audit-log-maxbackup"
compare:
op: gte
value: 10
remediation: |
K3s server needs to be run with the following argument, --kube-apiserver-arg='audit-log-maxbackup=10'
scored: true
- id: 1.2.25
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "audit-log-maxsize"
tests:
test_items:
- flag: "--audit-log-maxsize"
compare:
op: gte
value: 100
remediation: |
K3s server needs to be run with the following argument, --kube-apiserver-arg='audit-log-maxsize=100'
scored: true
- id: 1.2.26
text: "Ensure that the --request-timeout argument is set as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "request-timeout" | cat
tests:
bin_op: or
test_items:
- flag: "--request-timeout"
set: false
- flag: "--request-timeout"
compare:
op: lte
value: 60
remediation: |
By default, K3s does not set the --request-timeout argument. No manual remediation needed.
scored: true
- id: 1.2.27
text: "Ensure that the --service-account-lookup argument is set to true (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "service-account-lookup"
tests:
bin_op: or
test_items:
- flag: "--service-account-lookup"
set: false
- flag: "--service-account-lookup"
compare:
op: eq
value: true
remediation: |
K3s server needs to be run with the following argument, --kube-apiserver-arg='service-account-lookup=true'
scored: true
- id: 1.2.28
text: "Ensure that the --service-account-key-file argument is set as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "service-account-key-file"
tests:
test_items:
- flag: "--service-account-key-file"
remediation: |
By default, K3s sets the --service-account-key-file explicitly. No manual remediation needed.
scored: true
- id: 1.2.29
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep -E 'etcd-certfile|etcd-keyfile'
tests:
bin_op: and
test_items:
- flag: "--etcd-certfile"
- flag: "--etcd-keyfile"
remediation: |
By default, K3s sets the --etcd-certfile and --etcd-keyfile arguments explicitly. No manual remediation needed.
scored: true
- id: 1.2.30
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep -E 'tls-cert-file|tls-private-key-file'
tests:
bin_op: and
test_items:
- flag: "--tls-cert-file"
- flag: "--tls-private-key-file"
remediation: |
By default, K3s sets the --tls-cert-file and --tls-private-key-file arguments explicitly. No manual remediation needed.
scored: true
- id: 1.2.31
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file"
tests:
test_items:
- flag: "--client-ca-file"
remediation: |
By default, K3s sets the --client-ca-file argument explicitly. No manual remediation needed.
scored: true
- id: 1.2.32
text: "Ensure that the --etcd-cafile argument is set as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep -E 'etcd-cafile'
tests:
test_items:
- flag: "--etcd-cafile"
remediation: |
By default, K3s sets the --etcd-cafile argument explicitly. No manual remediation needed.
scored: true
- id: 1.2.33
text: "Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep -E "encryption-provider-config"
tests:
test_items:
- flag: "--encryption-provider-config"
remediation: |
K3s server needs to be ran with the follow, --kube-apiserver-arg='encryption-provider-config=/path/to/encryption_config'.
This can be done by running k3s with the --secrets-encryptiuon argument which will configure the encryption provider.
scored: false
- id: 1.2.34
text: "Ensure that encryption providers are appropriately configured (Manual)"
type: manual
remediation: |
K3s server needs to be run with the following, --secrets-encryption=true, and verify that one of the allowed encryption providers is present.
Run the below command on the master node.
grep aescbc /path/to/encryption-config.json
Verify that aescbc/kms/secretbox is set as the encryption provider for all the desired resources.
scored: true
- id: 1.2.35
text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "tls-cipher-suites"
tests:
test_items:
- flag: "--tls-cipher-suites"
compare:
op: valid_elements
value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
remediation: |
By default, K3s explicitly doesn't set this flag. No manual remediation needed.
scored: false
- id: 1.3
text: "Controller Manager"
checks:
- id: 1.3.1
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"
audit: |
journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "terminated-pod-gc-threshold"
tests:
test_items:
- flag: "--terminated-pod-gc-threshold"
remediation: |
K3s server needs to be run with the following, --kube-controller-manager-arg='terminated-pod-gc-threshold=10.
scored: false
- id: 1.3.2
text: "Ensure that the --profiling argument is set to false (Automated)"
audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "profiling"
tests:
test_items:
- flag: "--profiling"
compare:
op: eq
value: false
remediation: |
By default, K3s sets the --profiling flag parameter to false. No manual remediation needed.
scored: true
- id: 1.3.3
text: "Ensure that the --use-service-account-credentials argument is set to true (Automated)"
audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "use-service-account-credentials"
tests:
test_items:
- flag: "--use-service-account-credentials"
compare:
op: noteq
value: false
remediation: |
K3s server needs to be run with the following, --kube-controller-manager-arg='use-service-account-credentials=true'
scored: true
- id: 1.3.4
text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "service-account-private-key-file"
tests:
test_items:
- flag: "--service-account-private-key-file"
remediation: |
By default, K3s sets the --service-account-private-key-file argument with the service account key file. No manual remediation needed.
scored: true
- id: 1.3.5
text: "Ensure that the --root-ca-file argument is set as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "root-ca-file"
tests:
test_items:
- flag: "--root-ca-file"
remediation: |
By default, K3s sets the --root-ca-file argument with the root ca file. No manual remediation needed.
scored: true
- id: 1.3.6
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"
audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "RotateKubeletServerCertificate" | cat
tests:
bin_op: or
test_items:
- flag: "--feature-gates"
compare:
op: nothave
value: "RotateKubeletServerCertificate=false"
set: true
- flag: "--feature-gates"
set: false
remediation: |
By default, K3s implements its own logic for certificate generation and rotation.
scored: true
- id: 1.3.7
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "bind-address"
tests:
bin_op: or
test_items:
- flag: "--bind-address"
compare:
op: eq
value: "127.0.0.1"
- flag: "--bind-address"
set: false
remediation: |
By default, K3s sets the --bind-address argument to 127.0.0.1. No manual remediation needed.
scored: true
- id: 1.4
text: "Scheduler"
checks:
- id: 1.4.1
text: "Ensure that the --profiling argument is set to false (Automated)"
audit: journalctl -u k3s | grep "Running kube-scheduler" | tail -n1 | grep "profiling"
tests:
test_items:
- flag: "--profiling"
compare:
op: eq
value: false
remediation: |
By default, K3s sets the --profiling flag parameter to false. No manual remediation needed.
scored: true
- id: 1.4.2
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "bind-address"
tests:
bin_op: or
test_items:
- flag: "--bind-address"
compare:
op: eq
value: "127.0.0.1"
- flag: "--bind-address"
set: false
remediation: |
By default, K3s sets the --bind-address argument to 127.0.0.1. No manual remediation needed.
scored: true