mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-24 23:48:26 +00:00
35cf28c140
* Remove unnecessary whitespaces * Fix a typo * Add integration tests for cis 1.3 and cis 1.5 * Change the timeout of integration tests from 600s to 1200s * Avoid repeated codes
105 lines
6.2 KiB
Plaintext
105 lines
6.2 KiB
Plaintext
[INFO] 2 Worker Node Security Configuration
|
|
[INFO] 2.1 Kubelet
|
|
[FAIL] 2.1.1 Ensure that the --allow-privileged argument is set to false (Scored)
|
|
[PASS] 2.1.2 Ensure that the --anonymous-auth argument is set to false (Scored)
|
|
[PASS] 2.1.3 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
|
|
[PASS] 2.1.4 Ensure that the --client-ca-file argument is set as appropriate (Scored)
|
|
[FAIL] 2.1.5 Ensure that the --read-only-port argument is set to 0 (Scored)
|
|
[PASS] 2.1.6 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)
|
|
[FAIL] 2.1.7 Ensure that the --protect-kernel-defaults argument is set to true (Scored)
|
|
[PASS] 2.1.8 Ensure that the --make-iptables-util-chains argument is set to true (Scored)
|
|
[PASS] 2.1.9 Ensure that the --hostname-override argument is not set (Scored)
|
|
[FAIL] 2.1.10 Ensure that the --event-qps argument is set to 0 (Scored)
|
|
[FAIL] 2.1.11 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
|
|
[PASS] 2.1.12 Ensure that the --cadvisor-port argument is set to 0 (Scored)
|
|
[PASS] 2.1.13 Ensure that the --rotate-certificates argument is not set to false (Scored)
|
|
[FAIL] 2.1.14 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
|
|
[WARN] 2.1.15 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)
|
|
[INFO] 2.2 Configuration Files
|
|
[PASS] 2.2.1 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
|
|
[PASS] 2.2.2 Ensure that the kubelet.conf file ownership is set to root:root (Scored)
|
|
[PASS] 2.2.3 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)
|
|
[PASS] 2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)
|
|
[FAIL] 2.2.5 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
|
|
[FAIL] 2.2.6 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
|
|
[WARN] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
|
[PASS] 2.2.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
|
|
[PASS] 2.2.9 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
|
|
[PASS] 2.2.10 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
|
|
|
|
== Remediations ==
|
|
2.1.1 Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
|
|
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
|
--allow-privileged=false
|
|
Based on your system, restart the kubelet service. For example:
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
|
|
2.1.5 If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
|
|
If using command line arguments, edit the kubelet service file
|
|
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
|
|
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
|
--read-only-port=0
|
|
Based on your system, restart the kubelet service. For example:
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
|
|
2.1.7 If using a Kubelet config file, edit the file to set protectKernelDefaults: true .
|
|
If using command line arguments, edit the kubelet service file
|
|
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
|
|
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
|
--protect-kernel-defaults=true
|
|
Based on your system, restart the kubelet service. For example:
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
|
|
2.1.10 If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .
|
|
If using command line arguments, edit the kubelet service file
|
|
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
|
|
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
|
--event-qps=0
|
|
Based on your system, restart the kubelet service. For example:
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
|
|
2.1.11 If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
|
|
file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
|
|
corresponding private key file.
|
|
If using command line arguments, edit the kubelet service file
|
|
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
|
|
set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
|
|
--tls-cert-file=<path/to/tls-certificate-file>
|
|
file=<path/to/tls-key-file>
|
|
Based on your system, restart the kubelet service. For example:
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
|
|
2.1.14 Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
|
|
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
|
|
--feature-gates=RotateKubeletServerCertificate=true
|
|
Based on your system, restart the kubelet service. For example:
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
|
|
2.1.15 If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
|
|
If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter.
|
|
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
|
|
|
|
2.2.5 Run the below command (based on the file location on your system) on the each worker
|
|
node. For example,
|
|
chmod 644 /etc/kubernetes/proxy.conf
|
|
|
|
2.2.6 Run the below command (based on the file location on your system) on the each worker
|
|
node. For example,
|
|
chown root:root /etc/kubernetes/proxy.conf
|
|
|
|
2.2.7 Run the following command to modify the file permissions of the --client-ca-file
|
|
chmod 644 <filename>
|
|
|
|
|
|
== Summary ==
|
|
15 checks PASS
|
|
8 checks FAIL
|
|
2 checks WARN
|
|
0 checks INFO
|