mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-23 15:18:07 +00:00
d2d3e72271
This approach becomes time-consuming for larger clusters. As kube-bench is executed as a job on every node in the cluster, To enhance performance, Streamlined the commands to execute directly on current node where kube-bench operates. This change ensures that the time complexity remains constant, regardless of the cluster size. By running the necessary commands only once per node, regardless of how many nodes are in the cluster, this approach significantly boosts performance and efficiency.
288 lines
11 KiB
YAML
288 lines
11 KiB
YAML
---
|
|
controls:
|
|
version: rh-1.0
|
|
id: 5
|
|
text: "Kubernetes Policies"
|
|
type: "policies"
|
|
groups:
|
|
- id: 5.1
|
|
text: "RBAC and Service Accounts"
|
|
checks:
|
|
- id: 5.1.1
|
|
text: "Ensure that the cluster-admin role is only used where required (Manual)"
|
|
type: "manual"
|
|
audit: |
|
|
#To get a list of users and service accounts with the cluster-admin role
|
|
oc get clusterrolebindings -o=customcolumns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind |
|
|
grep cluster-admin
|
|
#To verity that kbueadmin is removed, no results should be returned
|
|
oc get secrets kubeadmin -n kube-system
|
|
remediation: |
|
|
Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
|
|
if they need this role or if they could use a role with fewer privileges.
|
|
Where possible, first bind users to a lower privileged role and then remove the
|
|
clusterrolebinding to the cluster-admin role :
|
|
kubectl delete clusterrolebinding [name]
|
|
scored: false
|
|
|
|
- id: 5.1.2
|
|
text: "Minimize access to secrets (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Where possible, remove get, list and watch access to secret objects in the cluster.
|
|
scored: false
|
|
|
|
- id: 5.1.3
|
|
text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
|
|
type: "manual"
|
|
audit: |
|
|
#needs verification
|
|
oc get roles --all-namespaces -o yaml
|
|
for i in $(oc get roles -A -o jsonpath='{.items[*].metadata.name}'); do oc
|
|
describe clusterrole ${i}; done
|
|
#Retrieve the cluster roles defined in the cluster and review for wildcards
|
|
oc get clusterroles -o yaml
|
|
for i in $(oc get clusterroles -o jsonpath='{.items[*].metadata.name}'); do
|
|
oc describe clusterrole ${i}; done
|
|
remediation: |
|
|
Where possible replace any use of wildcards in clusterroles and roles with specific
|
|
objects or actions.
|
|
scored: false
|
|
|
|
- id: 5.1.4
|
|
text: "Minimize access to create pods (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Where possible, remove create access to pod objects in the cluster.
|
|
scored: false
|
|
|
|
- id: 5.1.5
|
|
text: "Ensure that default service accounts are not actively used. (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
None required.
|
|
scored: false
|
|
|
|
- id: 5.1.6
|
|
text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Modify the definition of pods and service accounts which do not need to mount service
|
|
account tokens to disable it.
|
|
scored: false
|
|
|
|
- id: 5.2
|
|
text: "Pod Security Policies"
|
|
checks:
|
|
- id: 5.2.1
|
|
text: "Minimize the admission of privileged containers (Manual)"
|
|
audit: |
|
|
# needs verification
|
|
oc get scc -o=custom-columns=NAME:.metadata.name,allowPrivilegedContainer:.allowPrivilegedContainer
|
|
tests:
|
|
test_items:
|
|
- flag: "false"
|
|
remediation: |
|
|
Create a SCC as described in the OpenShift documentation, ensuring that the Allow
|
|
Privileged field is set to false.
|
|
scored: false
|
|
|
|
- id: 5.2.2
|
|
text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
|
|
audit: |
|
|
oc get scc -o=custom-columns=NAME:.metadata.name,allowHostPID:.allowHostPID
|
|
tests:
|
|
test_items:
|
|
- flag: "false"
|
|
remediation: |
|
|
Create a SCC as described in the OpenShift documentation, ensuring that the Allow Host
|
|
PID field is set to false.
|
|
scored: false
|
|
|
|
- id: 5.2.3
|
|
text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
|
|
audit: |
|
|
oc get scc -o=custom-columns=NAME:.metadata.name,allowHostIPC:.allowHostIPC
|
|
tests:
|
|
test_items:
|
|
- flag: "false"
|
|
remediation: |
|
|
Create a SCC as described in the OpenShift documentation, ensuring that the Allow Host
|
|
IPC field is set to false.
|
|
scored: false
|
|
|
|
- id: 5.2.4
|
|
text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
|
|
audit: |
|
|
oc get scc -o=custom-columns=NAME:.metadata.name,allowHostNetwork:.allowHostNetwork
|
|
tests:
|
|
test_items:
|
|
- flag: "false"
|
|
remediation: |
|
|
Create a SCC as described in the OpenShift documentation, ensuring that the Allow Host
|
|
Network field is omitted or set to false.
|
|
scored: false
|
|
|
|
- id: 5.2.5
|
|
text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
|
|
audit: |
|
|
oc get scc -o=custom-columns=NAME:.metadata.name,allowPrivilegeEscalation:.allowPrivilegeEscalation
|
|
tests:
|
|
test_items:
|
|
- flag: "false"
|
|
remediation: |
|
|
Create a SCC as described in the OpenShift documentation, ensuring that the Allow
|
|
Privilege Escalation field is omitted or set to false.
|
|
scored: false
|
|
|
|
- id: 5.2.6
|
|
text: "Minimize the admission of root containers (Manual)"
|
|
audit: |
|
|
# needs verification # | awk 'NR>1 {gsub("map\\[type:", "", $2); gsub("\\]$", "", $2); print $1 ":" $2}'
|
|
oc get scc -o=custom-columns=NAME:.metadata.name,runAsUser:.runAsUser.type
|
|
#For SCCs with MustRunAs verify that the range of UIDs does not include 0
|
|
oc get scc -o=custom-columns=NAME:.metadata.name,uidRangeMin:.runAsUser.uidRangeMin,uidRangeMax:.runAsUser.uidRangeMax
|
|
tests:
|
|
bin_op: or
|
|
test_items:
|
|
- flag: "MustRunAsNonRoot"
|
|
- flag: "MustRunAs"
|
|
compare:
|
|
op: nothave
|
|
value: 0
|
|
remediation: |
|
|
None required. By default, OpenShift includes the non-root SCC with the the Run As User
|
|
Strategy is set to either MustRunAsNonRoot. If additional SCCs are appropriate, follow the
|
|
OpenShift documentation to create custom SCCs.
|
|
scored: false
|
|
|
|
- id: 5.2.7
|
|
text: "Minimize the admission of containers with the NET_RAW capability (Manual)"
|
|
audit: |
|
|
# needs verification
|
|
oc get scc -o=custom-columns=NAME:.metadata.name,requiredDropCapabilities:.requiredDropCapabilities
|
|
tests:
|
|
bin_op: or
|
|
test_items:
|
|
- flag: "ALL"
|
|
- flag: "NET_RAW"
|
|
remediation: |
|
|
Create a SCC as described in the OpenShift documentation, ensuring that the Required
|
|
Drop Capabilities is set to include either NET_RAW or ALL.
|
|
scored: false
|
|
|
|
- id: 5.2.8
|
|
text: "Minimize the admission of containers with added capabilities (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Ensure that Allowed Capabilities is set to an empty array for every SCC in the cluster
|
|
except for the privileged SCC.
|
|
scored: false
|
|
|
|
- id: 5.2.9
|
|
text: "Minimize the admission of containers with capabilities assigned (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Review the use of capabilites in applications running on your cluster. Where a namespace
|
|
contains applicaions which do not require any Linux capabities to operate consider
|
|
adding a SCC which forbids the admission of containers which do not drop all capabilities.
|
|
scored: false
|
|
|
|
- id: 5.3
|
|
text: "Network Policies and CNI"
|
|
checks:
|
|
- id: 5.3.1
|
|
text: "Ensure that the CNI in use supports Network Policies (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
None required.
|
|
scored: false
|
|
|
|
- id: 5.3.2
|
|
text: "Ensure that all Namespaces have Network Policies defined (Manual)"
|
|
type: "manual"
|
|
audit: |
|
|
#Run the following command and review the NetworkPolicy objects created in the cluster.
|
|
oc -n all get networkpolicy
|
|
remediation: |
|
|
Follow the documentation and create NetworkPolicy objects as you need them.
|
|
scored: false
|
|
|
|
- id: 5.4
|
|
text: "Secrets Management"
|
|
checks:
|
|
- id: 5.4.1
|
|
text: "Prefer using secrets as files over secrets as environment variables (Manual)"
|
|
type: "manual"
|
|
audit: |
|
|
#Run the following command to find references to objects which use environment variables defined from secrets.
|
|
oc get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind}
|
|
{.metadata.name} {"\n"}{end}' -A
|
|
remediation: |
|
|
If possible, rewrite application code to read secrets from mounted secret files, rather than
|
|
from environment variables.
|
|
scored: false
|
|
|
|
- id: 5.4.2
|
|
text: "Consider external secret storage (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Refer to the secrets management options offered by your cloud provider or a third-party
|
|
secrets management solution.
|
|
scored: false
|
|
|
|
- id: 5.5
|
|
text: "Extensible Admission Control"
|
|
checks:
|
|
- id: 5.5.1
|
|
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Follow the OpenShift documentation: [Image configuration resources](https://docs.openshift.com/container-platform/4.5/openshift_images/image-configuration.html
|
|
scored: false
|
|
|
|
- id: 5.7
|
|
text: "General Policies"
|
|
checks:
|
|
- id: 5.7.1
|
|
text: "Create administrative boundaries between resources using namespaces (Manual)"
|
|
type: "manual"
|
|
audit: |
|
|
#Run the following command and review the namespaces created in the cluster.
|
|
oc get namespaces
|
|
#Ensure that these namespaces are the ones you need and are adequately administered as per your requirements.
|
|
remediation: |
|
|
Follow the documentation and create namespaces for objects in your deployment as you need
|
|
them.
|
|
scored: false
|
|
|
|
- id: 5.7.2
|
|
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
To enable the default seccomp profile, use the reserved value /runtime/default that will
|
|
make sure that the pod uses the default policy available on the host.
|
|
scored: false
|
|
|
|
- id: 5.7.3
|
|
text: "Apply Security Context to Your Pods and Containers (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
|
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
|
Containers.
|
|
scored: false
|
|
|
|
- id: 5.7.4
|
|
text: "The default namespace should not be used (Manual)"
|
|
type: "manual"
|
|
audit: |
|
|
#Run this command to list objects in default namespace
|
|
oc project default
|
|
oc get all
|
|
#The only entries there should be system managed resources such as the kubernetes and openshift service
|
|
remediation: |
|
|
Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
|
|
resources and that all new resources are created in a specific namespace.
|
|
scored: false
|