mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-25 17:38:21 +00:00
a15e8acaa3
* Add config entries for GKE 1.6 controls * Add gke1.6 control plane recommendations * Add gke-1.6.0 worker node recommendations * Add gke-1.6.0 policy recommendations * Add managed services and policy recommendation * Add master recommendations * Fix formatting across gke-1.6.0 files * Add gke-1.6.0 benchmark selection based on k8s version * Workaround: hardcode kubelet config path for gke-1.6.0 * Fix tests for makeIPTablesUtilChaings * Change scored field for all node tests to true * Fix kubelet file permission to check for --------- Co-authored-by: afdesk <work@afdesk.com>
239 lines
9.5 KiB
YAML
239 lines
9.5 KiB
YAML
---
|
|
controls:
|
|
version: "gke-1.6.0"
|
|
id: 4
|
|
text: "Kubernetes Policies"
|
|
type: "policies"
|
|
groups:
|
|
- id: 4.1
|
|
text: "RBAC and Service Accounts"
|
|
checks:
|
|
- id: 4.1.1
|
|
text: "Ensure that the cluster-admin role is only used where required (Automated)"
|
|
type: "manual"
|
|
remediation: |
|
|
Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
|
|
if they need this role or if they could use a role with fewer privileges.
|
|
|
|
Where possible, first bind users to a lower privileged role and then remove the
|
|
clusterrolebinding to the cluster-admin role :
|
|
|
|
kubectl delete clusterrolebinding [name]
|
|
scored: false
|
|
|
|
- id: 4.1.2
|
|
text: "Minimize access to secrets (Automated)"
|
|
type: "manual"
|
|
remediation: |
|
|
Where possible, remove get, list and watch access to secret objects in the cluster.
|
|
scored: false
|
|
|
|
- id: 4.1.3
|
|
text: "Minimize wildcard use in Roles and ClusterRoles (Automated)"
|
|
type: "manual"
|
|
remediation: |
|
|
Where possible replace any use of wildcards in clusterroles and roles with specific
|
|
objects or actions.
|
|
scored: false
|
|
|
|
- id: 4.1.4
|
|
text: "Ensure that default service accounts are not actively used (Automated)"
|
|
type: "manual"
|
|
remediation: |
|
|
Create explicit service accounts wherever a Kubernetes workload requires specific
|
|
access to the Kubernetes API server.
|
|
|
|
Modify the configuration of each default service account to include this value
|
|
|
|
automountServiceAccountToken: false
|
|
scored: false
|
|
|
|
- id: 4.1.5
|
|
text: "Ensure that Service Account Tokens are only mounted where necessary (Automated)"
|
|
type: "manual"
|
|
remediation: |
|
|
Modify the definition of pods and service accounts which do not need to mount service
|
|
account tokens to disable it.
|
|
scored: false
|
|
|
|
- id: 4.1.6
|
|
text: "Avoid use of system:masters group (Automated)"
|
|
type: "manual"
|
|
remediation: |
|
|
Remove the system:masters group from all users in the cluster.
|
|
scored: false
|
|
|
|
- id: 4.1.7
|
|
text: "Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Where possible, remove the impersonate, bind and escalate rights from subjects.
|
|
scored: false
|
|
|
|
- id: 4.1.8
|
|
text: "Avoid bindings to system:anonymous (Automated)"
|
|
type: "manual"
|
|
remediation: |
|
|
Identify all clusterrolebindings and rolebindings to the user system:anonymous.
|
|
Check if they are used and review the permissions associated with the binding using the
|
|
commands in the Audit section above or refer to GKE documentation
|
|
(https://cloud.google.com/kubernetes-engine/docs/best-practices/rbac#detect-prevent-default).
|
|
|
|
Strongly consider replacing unsafe bindings with an authenticated, user-defined group.
|
|
Where possible, bind to non-default, user-defined groups with least-privilege roles.
|
|
|
|
If there are any unsafe bindings to the user system:anonymous, proceed to delete them
|
|
after consideration for cluster operations with only necessary, safer bindings.
|
|
|
|
kubectl delete clusterrolebinding [CLUSTER_ROLE_BINDING_NAME]
|
|
kubectl delete rolebinding [ROLE_BINDING_NAME] --namespace [ROLE_BINDING_NAMESPACE]
|
|
scored: false
|
|
|
|
- id: 4.1.9
|
|
text: "Avoid non-default bindings to system:unauthenticated (Automated)"
|
|
type: "manual"
|
|
remediation: |
|
|
Identify all non-default clusterrolebindings and rolebindings to the group
|
|
system:unauthenticated. Check if they are used and review the permissions
|
|
associated with the binding using the commands in the Audit section above or refer to
|
|
GKE documentation (https://cloud.google.com/kubernetes-engine/docs/best-practices/rbac#detect-prevent-default).
|
|
|
|
Strongly consider replacing non-default, unsafe bindings with an authenticated, user-
|
|
defined group. Where possible, bind to non-default, user-defined groups with least-
|
|
privilege roles.
|
|
|
|
If there are any non-default, unsafe bindings to the group system:unauthenticated,
|
|
proceed to delete them after consideration for cluster operations with only necessary,
|
|
safer bindings.
|
|
|
|
kubectl delete clusterrolebinding [CLUSTER_ROLE_BINDING_NAME]
|
|
kubectl delete rolebinding [ROLE_BINDING_NAME] --namespace [ROLE_BINDING_NAMESPACE]
|
|
scored: false
|
|
|
|
- id: 4.1.10
|
|
text: "Avoid non-default bindings to system:authenticated (Automated)"
|
|
type: "manual"
|
|
remediation: |
|
|
Identify all non-default clusterrolebindings and rolebindings to the group
|
|
system:authenticated. Check if they are used and review the permissions associated
|
|
with the binding using the commands in the Audit section above or refer to GKE
|
|
documentation.
|
|
|
|
Strongly consider replacing non-default, unsafe bindings with an authenticated, user-
|
|
defined group. Where possible, bind to non-default, user-defined groups with least-
|
|
privilege roles.
|
|
|
|
If there are any non-default, unsafe bindings to the group system:authenticated,
|
|
proceed to delete them after consideration for cluster operations with only necessary,
|
|
safer bindings.
|
|
|
|
kubectl delete clusterrolebinding [CLUSTER_ROLE_BINDING_NAME]
|
|
kubectl delete rolebinding [ROLE_BINDING_NAME] --namespace [ROLE_BINDING_NAMESPACE]
|
|
scored: false
|
|
|
|
- id: 4.2
|
|
text: "Pod Security Standards"
|
|
checks:
|
|
- id: 4.2.1
|
|
text: "Ensure that the cluster enforces Pod Security Standard Baseline profile or stricter for all namespaces. (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Ensure that Pod Security Admission is in place for every namespace which contains
|
|
user workloads.
|
|
Run the following command to enforce the Baseline profile in a namespace:
|
|
|
|
kubectl label namespace pod-security.kubernetes.io/enforce=baseline
|
|
scored: false
|
|
|
|
- id: 4.3
|
|
text: "Network Policies and CNI"
|
|
checks:
|
|
- id: 4.3.1
|
|
text: "Ensure that the CNI in use supports Network Policies (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
To use a CNI plugin with Network Policy, enable Network Policy in GKE, and the CNI plugin
|
|
will be updated. See Recommendation 5.6.7.
|
|
scored: false
|
|
|
|
- id: 4.3.2
|
|
text: "Ensure that all Namespaces have Network Policies defined (Automated)"
|
|
type: "manual"
|
|
remediation: |
|
|
Follow the documentation and create NetworkPolicy objects as needed.
|
|
See: https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy#creating_a_network_policy
|
|
for more information.
|
|
scored: false
|
|
|
|
- id: 4.4
|
|
text: "Secrets Management"
|
|
checks:
|
|
- id: 4.4.1
|
|
text: "Prefer using secrets as files over secrets as environment variables (Automated)"
|
|
type: "manual"
|
|
remediation: |
|
|
if possible, rewrite application code to read secrets from mounted secret files, rather than
|
|
from environment variables.
|
|
scored: false
|
|
|
|
- id: 4.4.2
|
|
text: "Consider external secret storage (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Refer to the secrets management options offered by your cloud provider or a third-party
|
|
secrets management solution.
|
|
scored: false
|
|
|
|
- id: 4.5
|
|
text: "Extensible Admission Control"
|
|
checks:
|
|
- id: 4.5.1
|
|
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Follow the Kubernetes documentation and setup image provenance.
|
|
Also see recommendation 5.10.4.
|
|
scored: false
|
|
|
|
- id: 4.6
|
|
text: "General Policies"
|
|
checks:
|
|
- id: 4.6.1
|
|
text: "Create administrative boundaries between resources using namespaces (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Follow the documentation and create namespaces for objects in your deployment as you need
|
|
them.
|
|
scored: false
|
|
|
|
- id: 4.6.2
|
|
text: "Ensure that the seccomp profile is set to RuntimeDefault in your pod definitions (Automated)"
|
|
type: "manual"
|
|
remediation: |
|
|
Use security context to enable the RuntimeDefault seccomp profile in your pod
|
|
definitions. An example is as below:
|
|
|
|
{
|
|
"namespace": "kube-system",
|
|
"name": "metrics-server-v0.7.0-dbcc8ddf6-gz7d4",
|
|
"seccompProfile": "RuntimeDefault"
|
|
}
|
|
scored: false
|
|
|
|
- id: 4.6.3
|
|
text: "Apply Security Context to Your Pods and Containers (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
|
suggested list of security contexts, you may refer to the CIS Google Container-
|
|
Optimized OS Benchmark.
|
|
scored: false
|
|
|
|
- id: 4.6.4
|
|
text: "The default namespace should not be used (Automated)"
|
|
type: "manual"
|
|
remediation: |
|
|
Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
|
|
resources and that all new resources are created in a specific namespace.
|
|
scored: false
|