mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-16 04:49:19 +00:00
f8e0171c09
* Update aks-1.0 to match official CIS Azure Kubernetes Service (AKS) Benchmark v1.0.0 * fix typo * fix empty remediation Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
145 lines
5.7 KiB
YAML
145 lines
5.7 KiB
YAML
---
|
|
controls:
|
|
version: "aks-1.0"
|
|
id: 5
|
|
text: "Managed Services"
|
|
type: "managedservices"
|
|
groups:
|
|
- id: 5.1
|
|
text: "Image Registry and Image Scanning"
|
|
checks:
|
|
- id: 5.1.1
|
|
text: "Ensure Image Vulnerability Scanning using Azure Defender image scanning or a third party provider (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
|
|
- id: 5.1.2
|
|
text: "Minimize user access to Azure Container Registry (ACR) (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Azure Container Registry
|
|
If you use Azure Container Registry (ACR) as your container image store, you need to grant
|
|
permissions to the service principal for your AKS cluster to read and pull images. Currently,
|
|
the recommended configuration is to use the az aks create or az aks update command to
|
|
integrate with a registry and assign the appropriate role for the service principal. For
|
|
detailed steps, see Authenticate with Azure Container Registry from Azure Kubernetes
|
|
Service.
|
|
To avoid needing an Owner or Azure account administrator role, you can configure a
|
|
service principal manually or use an existing service principal to authenticate ACR from
|
|
AKS. For more information, see ACR authentication with service principals or Authenticate
|
|
from Kubernetes with a pull secret.
|
|
scored: false
|
|
|
|
- id: 5.1.3
|
|
text: "Minimize cluster access to read-only for Azure Container Registry (ACR) (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
|
|
- id: 5.1.4
|
|
text: "Minimize Container Registries to only those approved (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
|
|
- id: 5.2
|
|
text: "Access and identity options for Azure Kubernetes Service (AKS)"
|
|
checks:
|
|
- id: 5.2.1
|
|
text: "Prefer using dedicated AKS Service Accounts (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Azure Active Directory integration
|
|
The security of AKS clusters can be enhanced with the integration of Azure Active Directory
|
|
(AD). Built on decades of enterprise identity management, Azure AD is a multi-tenant,
|
|
cloud-based directory, and identity management service that combines core directory
|
|
services, application access management, and identity protection. With Azure AD, you can
|
|
integrate on-premises identities into AKS clusters to provide a single source for account
|
|
management and security.
|
|
Azure Active Directory integration with AKS clusters
|
|
With Azure AD-integrated AKS clusters, you can grant users or groups access to Kubernetes
|
|
resources within a namespace or across the cluster. To obtain a kubectl configuration
|
|
context, a user can run the az aks get-credentials command. When a user then interacts
|
|
with the AKS cluster with kubectl, they're prompted to sign in with their Azure AD
|
|
credentials. This approach provides a single source for user account management and
|
|
password credentials. The user can only access the resources as defined by the cluster
|
|
administrator.
|
|
Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect
|
|
is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID
|
|
Connect, see the Open ID connect documentation. From inside of the Kubernetes cluster,
|
|
Webhook Token Authentication is used to verify authentication tokens. Webhook token
|
|
authentication is configured and managed as part of the AKS cluster.
|
|
scored: false
|
|
|
|
- id: 5.3
|
|
text: "Key Management Service (KMS)"
|
|
checks:
|
|
- id: 5.3.1
|
|
text: "Ensure Kubernetes Secrets are encrypted (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
|
|
- id: 5.4
|
|
text: "Cluster Networking"
|
|
checks:
|
|
- id: 5.4.1
|
|
text: "Restrict Access to the Control Plane Endpoint (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
|
|
- id: 5.4.2
|
|
text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
|
|
- id: 5.4.3
|
|
text: "Ensure clusters are created with Private Nodes (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
|
|
- id: 5.4.4
|
|
text: "Ensure Network Policy is Enabled and set as appropriate (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
|
|
- id: 5.4.5
|
|
text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
|
|
|
|
- id: 5.5
|
|
text: "Authentication and Authorization"
|
|
checks:
|
|
- id: 5.5.1
|
|
text: "Manage Kubernetes RBAC users with Azure AD (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
- id: 5.5.2
|
|
text: "Use Azure RBAC for Kubernetes Authorization (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
|
|
- id: 5.6
|
|
text: "Other Cluster Configurations"
|
|
checks:
|
|
- id: 5.6.1
|
|
text: "Restrict untrusted workloads (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|
|
- id: 5.6.2
|
|
text: "Hostile multi-tenant workloads (Manual)"
|
|
type: "manual"
|
|
remediation: "No remediation"
|
|
scored: false
|