-
Notifications
You must be signed in to change notification settings - Fork 34
/
Copy pathk8s-cis-1.23.yaml
909 lines (909 loc) · 32.1 KB
/
k8s-cis-1.23.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
---
spec:
id: k8s-cis-1.23
title: CIS Kubernetes Benchmarks v1.23
description: CIS Kubernetes Benchmarks
version: "1.23"
platfrom: k8s
type: cis
relatedResources:
- https://www.cisecurity.org/benchmark/kubernetes
controls:
- id: 1.1.1
name: Ensure that the API server pod specification file permissions are set to
600 or more restrictive
description: Ensure that the API server pod specification file has permissions
of 600 or more restrictive
checks:
- id: AVD-KCV-0048
commands:
- id: CMD-0001
severity: HIGH
- id: 1.1.2
name: Ensure that the API server pod specification file ownership is set to
root:root
description: Ensure that the API server pod specification file ownership is set
to root:root
checks:
- id: AVD-KCV-0049
commands:
- id: CMD-0002
severity: HIGH
- id: 1.1.3
name: Ensure that the controller manager pod specification file permissions are
set to 600 or more restrictive
description: Ensure that the controller manager pod specification file has
permissions of 600 or more restrictive
checks:
- id: AVD-KCV-0050
commands:
- id: CMD-0003
severity: HIGH
- id: 1.1.4
name: Ensure that the controller manager pod specification file ownership is set
to root:root
description: Ensure that the controller manager pod specification file ownership
is set to root:root
checks:
- id: AVD-KCV-0051
commands:
- id: CMD-0004
severity: HIGH
- id: 1.1.5
name: Ensure that the scheduler pod specification file permissions are set to
600 or more restrictive
description: Ensure that the scheduler pod specification file has permissions of
600 or more restrictive
checks:
- id: AVD-KCV-0052
commands:
- id: CMD-0005
severity: HIGH
- id: 1.1.6
name: Ensure that the scheduler pod specification file ownership is set to
root:root
description: Ensure that the scheduler pod specification file ownership is set
to root:root
checks:
- id: AVD-KCV-0053
commands:
- id: CMD-0006
severity: HIGH
- id: 1.1.7
name: Ensure that the etcd pod specification file permissions are set to 600 or
more restrictive
description: Ensure that the etcd pod specification file has permissions of 600
or more restrictive
checks:
- id: AVD-KCV-0054
commands:
- id: CMD-0007
severity: HIGH
- id: 1.1.8
name: Ensure that the etcd pod specification file ownership is set to root:root
description: Ensure that the etcd pod specification file ownership is set to
root:root.
checks:
- id: AVD-KCV-0055
commands:
- id: CMD-0008
severity: HIGH
- id: 1.1.9
name: Ensure that the Container Network Interface file permissions are set to
600 or more restrictive
description: Ensure that the Container Network Interface files have permissions
of 600 or more restrictive
checks:
- id: AVD-KCV-0056
commands:
- id: CMD-0009
severity: HIGH
- id: 1.1.10
name: Ensure that the Container Network Interface file ownership is set to
root:root
description: Ensure that the Container Network Interface files have ownership
set to root:root
checks:
- id: AVD-KCV-0057
commands:
- id: CMD-0010
severity: HIGH
- id: 1.1.11
name: Ensure that the etcd data directory permissions are set to 700 or more
restrictive
description: Ensure that the etcd data directory has permissions of 700 or more
restrictive
checks:
- id: AVD-KCV-0058
commands:
- id: CMD-0011
severity: HIGH
- id: 1.1.12
name: Ensure that the etcd data directory ownership is set to etcd:etcd
description: Ensure that the etcd data directory ownership is set to etcd:etcd
checks:
- id: AVD-KCV-0059
commands:
- id: CMD-0012
severity: LOW
- id: 1.1.13
name: Ensure that the admin.conf file permissions are set to 600
description: Ensure that the admin.conf file has permissions of 600
checks:
- id: AVD-KCV-0060
commands:
- id: CMD-0013
severity: CRITICAL
- id: 1.1.14
name: Ensure that the admin.conf file ownership is set to root:root
description: Ensure that the admin.conf file ownership is set to root:root
checks:
- id: AVD-KCV-0061
commands:
- id: CMD-0014
severity: CRITICAL
- id: 1.1.15
name: Ensure that the scheduler.conf file permissions are set to 600 or more
restrictive
description: Ensure that the scheduler.conf file has permissions of 600 or more
restrictive
checks:
- id: AVD-KCV-0062
commands:
- id: CMD-0015
severity: HIGH
- id: 1.1.16
name: Ensure that the scheduler.conf file ownership is set to root:root
description: Ensure that the scheduler.conf file ownership is set to root:root
checks:
- id: AVD-KCV-0063
commands:
- id: CMD-0016
severity: HIGH
- id: 1.1.17
name: Ensure that the controller-manager.conf file permissions are set to 600 or
more restrictive
description: Ensure that the controller-manager.conf file has permissions of 600
or more restrictive
checks:
- id: AVD-KCV-0064
commands:
- id: CMD-0017
severity: HIGH
- id: 1.1.18
name: Ensure that the controller-manager.conf file ownership is set to root:root
description: Ensure that the controller-manager.conf file ownership is set to
root:root.
checks:
- id: AVD-KCV-0065
commands:
- id: CMD-0018
severity: HIGH
- id: 1.1.19
name: Ensure that the Kubernetes PKI directory and file ownership is set to
root:root
description: Ensure that the Kubernetes PKI directory and file ownership is set
to root:root
checks:
- id: AVD-KCV-0066
commands:
- id: CMD-0019
severity: CRITICAL
- id: 1.1.20
name: Ensure that the Kubernetes PKI certificate file permissions are set to 600
or more restrictive
description: Ensure that Kubernetes PKI certificate files have permissions of
600 or more restrictive
checks:
- id: AVD-KCV-0068
commands:
- id: CMD-0020
severity: CRITICAL
- id: 1.1.21
name: Ensure that the Kubernetes PKI key file permissions are set to 600
description: Ensure that Kubernetes PKI key files have permissions of 600
checks:
- id: AVD-KCV-0067
commands:
- id: CMD-0021
severity: CRITICAL
- id: 1.2.1
name: Ensure that the --anonymous-auth argument is set to false
description: Disable anonymous requests to the API server
checks:
- id: AVD-KCV-0001
severity: MEDIUM
- id: 1.2.2
name: Ensure that the --token-auth-file parameter is not set
description: Do not use token based authentication
checks:
- id: AVD-KCV-0002
severity: LOW
- id: 1.2.3
name: Ensure that the --DenyServiceExternalIPs is not set
description: This admission controller rejects all net-new usage of the Service
field externalIPs
checks:
- id: AVD-KCV-0003
severity: LOW
- id: 1.2.4
name: Ensure that the --kubelet-https argument is set to true
description: Use https for kubelet connections
checks:
- id: AVD-KCV-0004
severity: LOW
- id: 1.2.5
name: Ensure that the --kubelet-client-certificate and --kubelet-client-key
arguments are set as appropriate
description: Enable certificate based kubelet authentication
checks:
- id: AVD-KCV-0005
severity: HIGH
- id: 1.2.6
name: Ensure that the --kubelet-certificate-authority argument is set as
appropriate
description: Verify kubelets certificate before establishing connection
checks:
- id: AVD-KCV-0006
severity: HIGH
- id: 1.2.7
name: Ensure that the --authorization-mode argument is not set to AlwaysAllow
description: Do not always authorize all requests
checks:
- id: AVD-KCV-0007
severity: LOW
- id: 1.2.8
name: Ensure that the --authorization-mode argument includes Node
description: Restrict kubelet nodes to reading only objects associated with them
checks:
- id: AVD-KCV-0008
severity: HIGH
- id: 1.2.9
name: Ensure that the --authorization-mode argument includes RBAC
description: Turn on Role Based Access Control
checks:
- id: AVD-KCV-0009
severity: HIGH
- id: 1.2.10
name: Ensure that the admission control plugin EventRateLimit is set
description: Limit the rate at which the API server accepts requests
checks:
- id: AVD-KCV-0010
severity: HIGH
- id: 1.2.11
name: Ensure that the admission control plugin AlwaysAdmit is not set
description: Do not allow all requests
checks:
- id: AVD-KCV-0011
severity: LOW
- id: 1.2.12
name: Ensure that the admission control plugin AlwaysPullImages is set
description: Always pull images
checks:
- id: AVD-KCV-0012
severity: MEDIUM
- id: 1.2.13
name: Ensure that the admission control plugin SecurityContextDeny is set if
PodSecurityPolicy is not used
description: The SecurityContextDeny admission controller can be used to deny
pods which make use of some SecurityContext fields which could allow for
privilege escalation in the cluster. This should be used where
PodSecurityPolicy is not in place within the cluster
checks:
- id: AVD-KCV-0013
severity: MEDIUM
- id: 1.2.14
name: Ensure that the admission control plugin ServiceAccount is set
description: Automate service accounts management
checks:
- id: AVD-KCV-0014
severity: LOW
- id: 1.2.15
name: Ensure that the admission control plugin NamespaceLifecycle is set
description: Reject creating objects in a namespace that is undergoing termination
checks:
- id: AVD-KCV-0015
severity: LOW
- id: 1.2.16
name: Ensure that the admission control plugin NodeRestriction is set
description: Limit the Node and Pod objects that a kubelet could modify
checks:
- id: AVD-KCV-0016
severity: LOW
- id: 1.2.17
name: Ensure that the --secure-port argument is not set to 0
description: Do not disable the secure port
checks:
- id: AVD-KCV-0017
severity: HIGH
- id: 1.2.18
name: Ensure that the --profiling argument is set to false
description: Disable profiling, if not needed
checks:
- id: AVD-KCV-0018
severity: LOW
- id: 1.2.19
name: Ensure that the --audit-log-path argument is set
description: Enable auditing on the Kubernetes API Server and set the desired
audit log path.
checks:
- id: AVD-KCV-0019
severity: LOW
- id: 1.2.20
name: Ensure that the --audit-log-maxage argument is set to 30 or as appropriate
description: Retain the logs for at least 30 days or as appropriate
checks:
- id: AVD-KCV-0020
severity: LOW
- id: 1.2.21
name: Ensure that the --audit-log-maxbackup argument is set to 10 or as
appropriate
description: Retain 10 or an appropriate number of old log file
checks:
- id: AVD-KCV-0021
severity: LOW
- id: 1.2.22
name: Ensure that the --audit-log-maxsize argument is set to 100 or as
appropriate
description: Rotate log files on reaching 100 MB or as appropriate
checks:
- id: AVD-KCV-0022
severity: LOW
- id: 1.2.24
name: Ensure that the --service-account-lookup argument is set to true
description: Validate service account before validating token
checks:
- id: AVD-KCV-0024
severity: LOW
- id: 1.2.25
name: Ensure that the --service-account-key-file argument is set as appropriate
description: Explicitly set a service account public key file for service
accounts on the apiserver
checks:
- id: AVD-KCV-0025
severity: LOW
- id: 1.2.26
name: Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
appropriate
description: etcd should be configured to make use of TLS encryption for client
connections
checks:
- id: AVD-KCV-0026
severity: LOW
- id: 1.2.27
name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are
set as appropriate
description: Setup TLS connection on the API server
checks:
- id: AVD-KCV-0027
severity: MEDIUM
- id: 1.2.28
name: Ensure that the --client-ca-file argument is set appropriate
description: Setup TLS connection on the API server
checks:
- id: AVD-KCV-0028
severity: LOW
- id: 1.2.29
name: Ensure that the --etcd-cafile argument is set as appropriate
description: etcd should be configured to make use of TLS encryption for client
connections.
checks:
- id: AVD-KCV-0029
severity: LOW
- id: 1.2.30
name: Ensure that the --encryption-provider-config argument is set as
appropriate
description: Encrypt etcd key-value store
checks:
- id: AVD-KCV-0030
severity: LOW
- id: 1.3.1
name: Ensure that the --terminated-pod-gc-threshold argument is set as
appropriate
description: Activate garbage collector on pod termination, as appropriate
checks:
- id: AVD-KCV-0033
severity: MEDIUM
- id: 1.3.3
name: Ensure that the --use-service-account-credentials argument is set to true
description: Use individual service account credentials for each controller
checks:
- id: AVD-KCV-0035
severity: MEDIUM
- id: 1.3.4
name: Ensure that the --service-account-private-key-file argument is set as
appropriate
description: Explicitly set a service account private key file for service
accounts on the controller manager
checks:
- id: AVD-KCV-0036
severity: MEDIUM
- id: 1.3.5
name: Ensure that the --root-ca-file argument is set as appropriate
description: Allow pods to verify the API servers serving certificate before
establishing connections
checks:
- id: AVD-KCV-0037
severity: MEDIUM
- id: 1.3.6
name: Ensure that the RotateKubeletServerCertificate argument is set to true
description: Enable kubelet server certificate rotation on controller-manager
checks:
- id: AVD-KCV-0038
severity: MEDIUM
- id: 1.3.7
name: Ensure that the --bind-address argument is set to 127.0.0.1
description: Do not bind the scheduler service to non-loopback insecure addresses
checks:
- id: AVD-KCV-0039
severity: LOW
- id: 1.4.1
name: Ensure that the --profiling argument is set to false
description: Disable profiling, if not needed
checks:
- id: AVD-KCV-0034
severity: MEDIUM
- id: 1.4.2
name: Ensure that the --bind-address argument is set to 127.0.0.1
description: Do not bind the scheduler service to non-loopback insecure addresses
checks:
- id: AVD-KCV-0041
severity: CRITICAL
- id: 2.1
name: Ensure that the --cert-file and --key-file arguments are set as
appropriate
description: Configure TLS encryption for the etcd service
checks:
- id: AVD-KCV-0042
severity: MEDIUM
- id: 2.2
name: Ensure that the --client-cert-auth argument is set to true
description: Enable client authentication on etcd service
checks:
- id: AVD-KCV-0043
severity: CRITICAL
- id: 2.3
name: Ensure that the --auto-tls argument is not set to true
description: Do not use self-signed certificates for TLS
checks:
- id: AVD-KCV-0044
severity: CRITICAL
- id: 2.4
name: Ensure that the --peer-cert-file and --peer-key-file arguments are set as
appropriate
description: etcd should be configured to make use of TLS encryption for peer
connections.
checks:
- id: AVD-KCV-0045
severity: CRITICAL
- id: 2.5
name: Ensure that the --peer-client-cert-auth argument is set to true
description: etcd should be configured for peer authentication
checks:
- id: AVD-KCV-0046
severity: CRITICAL
- id: 2.6
name: Ensure that the --peer-auto-tls argument is not set to true
description: Do not use self-signed certificates for TLS
checks:
- id: AVD-KCV-0047
severity: HIGH
- id: 3.1.1
name: Client certificate authentication should not be used for users (Manual)
description: Kubernetes provides the option to use client certificates for user
authentication. However as there is no way to revoke these certificates
when a user leaves an organization or loses their credential, they are
not suitable for this purpose
checks: null
severity: HIGH
- id: 3.2.1
name: Ensure that a minimal audit policy is created (Manual)
description: Kubernetes can audit the details of requests made to the API
server. The --audit- policy-file flag must be set for this logging to be
enabled.
checks: null
severity: HIGH
- id: 3.2.2
name: Ensure that the audit policy covers key security concerns (Manual)
description: Ensure that the audit policy created for the cluster covers key
security concerns
checks: null
severity: HIGH
- id: 4.1.1
name: Ensure that the kubelet service file permissions are set to 600 or more
restrictive
description: Ensure that the kubelet service file has permissions of 600 or more
restrictive.
checks:
- id: AVD-KCV-0069
commands:
- id: CMD-0022
severity: HIGH
- id: 4.1.2
name: Ensure that the kubelet service file ownership is set to root:root
description: Ensure that the kubelet service file ownership is set to root:root
checks:
- id: AVD-KCV-0070
commands:
- id: CMD-0023
severity: HIGH
- id: 4.1.3
name: If proxy kubeconfig file exists ensure permissions are set to 600 or more
restrictive
description: If kube-proxy is running, and if it is using a file-based
kubeconfig file, ensure that the proxy kubeconfig file has permissions
of 600 or more restrictive
checks:
- id: AVD-KCV-0071
commands:
- id: CMD-0024
severity: HIGH
- id: 4.1.4
name: If proxy kubeconfig file exists ensure ownership is set to root:root
description: If kube-proxy is running, ensure that the file ownership of its
kubeconfig file is set to root:root
checks:
- id: AVD-KCV-0072
commands:
- id: CMD-0025
severity: HIGH
- id: 4.1.5
name: Ensure that the --kubeconfig kubelet.conf file permissions are set to 600
or more restrictive
description: Ensure that the kubelet.conf file has permissions of 600 or more
restrictive
checks:
- id: AVD-KCV-0073
commands:
- id: CMD-0026
severity: HIGH
- id: 4.1.6
name: Ensure that the --kubeconfig kubelet.conf file ownership is set to
root:root
description: Ensure that the kubelet.conf file ownership is set to root:root
checks:
- id: AVD-KCV-0074
commands:
- id: CMD-0027
severity: HIGH
- id: 4.1.7
name: Ensure that the certificate authorities file permissions are set to 600 or
more restrictive
description: Ensure that the certificate authorities file has permissions of 600
or more restrictive
checks:
- id: AVD-KCV-0075
commands:
- id: CMD-0028
severity: CRITICAL
- id: 4.1.8
name: Ensure that the client certificate authorities file ownership is set to
root:root
description: Ensure that the certificate authorities file ownership is set to
root:root
checks:
- id: AVD-KCV-0076
commands:
- id: CMD-0029
severity: CRITICAL
- id: 4.1.9
name: If the kubelet config.yaml configuration file is being used validate
permissions set to 600 or more restrictive
description: Ensure that if the kubelet refers to a configuration file with the
--config argument, that file has permissions of 600 or more restrictive
checks:
- id: AVD-KCV-0077
commands:
- id: CMD-0030
severity: HIGH
- id: 4.1.10
name: If the kubelet config.yaml configuration file is being used validate file
ownership is set to root:root
description: Ensure that if the kubelet refers to a configuration file with the
--config argument, that file is owned by root:root
checks:
- id: AVD-KCV-0078
commands:
- id: CMD-0031
severity: HIGH
- id: 4.2.1
name: Ensure that the --anonymous-auth argument is set to false
description: Disable anonymous requests to the Kubelet server
checks:
- id: AVD-KCV-0079
commands:
- id: CMD-0032
severity: CRITICAL
- id: 4.2.2
name: Ensure that the --authorization-mode argument is not set to AlwaysAllow
description: Do not allow all requests. Enable explicit authorization
checks:
- id: AVD-KCV-0080
commands:
- id: CMD-0033
severity: CRITICAL
- id: 4.2.3
name: Ensure that the --client-ca-file argument is set as appropriate
description: Enable Kubelet authentication using certificates
checks:
- id: AVD-KCV-0081
commands:
- id: CMD-0034
severity: CRITICAL
- id: 4.2.4
name: Verify that the --read-only-port argument is set to 0
description: Disable the read-only port
checks:
- id: AVD-KCV-0082
commands:
- id: CMD-0035
severity: HIGH
- id: 4.2.5
name: Ensure that the --streaming-connection-idle-timeout argument is not set to
0
description: Do not disable timeouts on streaming connections
checks:
- id: AVD-KCV-0085
commands:
- id: CMD-0036
severity: HIGH
- id: 4.2.6
name: Ensure that the --protect-kernel-defaults argument is set to true
description: Protect tuned kernel parameters from overriding kubelet default
kernel parameter values
checks:
- id: AVD-KCV-0083
commands:
- id: CMD-0037
severity: HIGH
- id: 4.2.7
name: Ensure that the --make-iptables-util-chains argument is set to true
description: Allow Kubelet to manage iptables
checks:
- id: AVD-KCV-0084
commands:
- id: CMD-0038
severity: HIGH
- id: 4.2.8
name: Ensure that the --hostname-override argument is not set
description: Do not override node hostnames
checks:
- id: AVD-KCV-0086
commands:
- id: CMD-0039
severity: HIGH
- id: 4.2.9
name: Ensure that the --event-qps argument is set to 0 or a level which ensures
appropriate event capture
description: Security relevant information should be captured. The --event-qps
flag on the Kubelet can be used to limit the rate at which events are
gathered
checks:
- id: AVD-KCV-0087
commands:
- id: CMD-0040
severity: HIGH
- id: 4.2.10
name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are
set as appropriate
description: Setup TLS connection on the Kubelets
checks:
- id: AVD-KCV-0088
- id: AVD-KCV-0089
commands:
- id: CMD-0041
- id: CMD-0042
severity: CRITICAL
- id: 4.2.11
name: Ensure that the --rotate-certificates argument is not set to false
description: Enable kubelet client certificate rotation
checks:
- id: AVD-KCV-0090
commands:
- id: CMD-0043
severity: CRITICAL
- id: 4.2.12
name: Verify that the RotateKubeletServerCertificate argument is set to true
description: Enable kubelet server certificate rotation
checks:
- id: AVD-KCV-0091
commands:
- id: CMD-0044
severity: CRITICAL
- id: 4.2.13
name: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
description: Ensure that the Kubelet is configured to only use strong
cryptographic ciphers
checks:
- id: AVD-KCV-0092
commands:
- id: CMD-0045
severity: CRITICAL
- id: 5.1.1
name: Ensure that the cluster-admin role is only used where required
description: The RBAC role cluster-admin provides wide-ranging powers over the
environment and should be used only where and when needed
checks:
- id: AVD-KSV-0111
severity: HIGH
- id: 5.1.2
name: Minimize access to secrets
description: The Kubernetes API stores secrets, which may be service account
tokens for the Kubernetes API or credentials used by workloads in the
cluster
checks:
- id: AVD-KSV-0041
severity: HIGH
- id: 5.1.3
name: Minimize wildcard use in Roles and ClusterRoles
description: Kubernetes Roles and ClusterRoles provide access to resources based
on sets of objects and actions that can be taken on those objects. It is
possible to set either of these to be the wildcard "*" which matches all
items
checks:
- id: AVD-KSV-0044
- id: AVD-KSV-0045
- id: AVD-KSV-0046
severity: HIGH
- id: 5.1.6
name: Ensure that Service Account Tokens are only mounted where necessary
description: Service accounts tokens should not be mounted in pods except where
the workload running in the pod explicitly needs to communicate with the
API server
checks:
- id: AVD-KSV-0036
severity: HIGH
- id: 5.1.8
name: Limit use of the Bind, Impersonate and Escalate permissions in the
Kubernetes cluster
description: Cluster roles and roles with the impersonate, bind or escalate
permissions should not be granted unless strictly required
checks:
- id: AVD-KSV-0043
severity: HIGH
- id: 5.2.2
name: Minimize the admission of privileged containers
description: Do not generally permit containers to be run with the
securityContext.privileged flag set to true
checks:
- id: AVD-KSV-0017
severity: HIGH
- id: 5.2.3
name: Minimize the admission of containers wishing to share the host process ID
namespace
description: Do not generally permit containers to be run with the hostPID flag
set to true.
checks:
- id: AVD-KSV-0010
severity: HIGH
- id: 5.2.4
name: Minimize the admission of containers wishing to share the host IPC
namespace
description: Do not generally permit containers to be run with the hostIPC flag
set to true
checks:
- id: AVD-KSV-0008
severity: HIGH
- id: 5.2.5
name: Minimize the admission of containers wishing to share the host network
namespace
description: Do not generally permit containers to be run with the hostNetwork
flag set to true
checks:
- id: AVD-KSV-0009
severity: HIGH
- id: 5.2.6
name: Minimize the admission of containers with allowPrivilegeEscalation
description: Do not generally permit containers to be run with the
allowPrivilegeEscalation flag set to true
checks:
- id: AVD-KSV-0001
severity: HIGH
- id: 5.2.7
name: Minimize the admission of root containers
description: Do not generally permit containers to be run as the root user
checks:
- id: AVD-KSV-0012
severity: MEDIUM
- id: 5.2.8
name: Minimize the admission of containers with the NET_RAW capability
description: Do not generally permit containers with the potentially dangerous
NET_RAW capability
checks:
- id: AVD-KSV-0022
severity: MEDIUM
- id: 5.2.9
name: Minimize the admission of containers with added capabilities
description: Do not generally permit containers with capabilities assigned
beyond the default set
checks:
- id: AVD-KSV-0004
severity: LOW
- id: 5.2.10
name: Minimize the admission of containers with capabilities assigned
description: Do not generally permit containers with capabilities
checks:
- id: AVD-KSV-0003
severity: LOW
- id: 5.2.11
name: Minimize the admission of containers with capabilities assigned
description: Do not generally permit containers with capabilities
checks:
- id: AVD-KSV-0103
severity: MEDIUM
- id: 5.2.12
name: Minimize the admission of HostPath volumes
description: Do not generally admit containers which make use of hostPath volumes
checks:
- id: AVD-KSV-0023
severity: MEDIUM
- id: 5.2.13
name: Minimize the admission of containers which use HostPorts
description: Do not generally permit containers which require the use of HostPorts
checks:
- id: AVD-KSV-0024
severity: MEDIUM
- id: 5.3.1
name: Ensure that the CNI in use supports Network Policies (Manual)
description: There are a variety of CNI plugins available for Kubernetes. If the
CNI in use does not support Network Policies it may not be possible to
effectively restrict traffic in the cluster
checks: null
severity: MEDIUM
- id: 5.3.2
name: Ensure that all Namespaces have Network Policies defined
description: Use network policies to isolate traffic in your cluster network
checks:
- id: AVD-KSV-0038
severity: MEDIUM
- id: 5.4.1
name: Prefer using secrets as files over secrets as environment variables
(Manual)
description: Kubernetes supports mounting secrets as data volumes or as
environment variables. Minimize the use of environment variable secrets
checks: null
severity: MEDIUM
- id: 5.4.2
name: Consider external secret storage (Manual)
description: Consider the use of an external secrets storage and management
system, instead of using Kubernetes Secrets directly, if you have more
complex secret management needs
checks: null
severity: MEDIUM
- id: 5.5.1
name: Configure Image Provenance using ImagePolicyWebhook admission controller
(Manual)
description: Configure Image Provenance for your deployment
checks: null
severity: MEDIUM
- id: 5.7.1
name: Create administrative boundaries between resources using namespaces
(Manual)
description: Use namespaces to isolate your Kubernetes objects
checks: null
severity: MEDIUM
- id: 5.7.2
name: Ensure that the seccomp profile is set to docker/default in your pod
definitions
description: Enable docker/default seccomp profile in your pod definitions
checks:
- id: AVD-KSV-0104
severity: MEDIUM
- id: 5.7.3
name: Apply Security Context to Your Pods and Containers
description: Apply Security Context to Your Pods and Containers
checks:
- id: AVD-KSV-0021
- id: AVD-KSV-0020
- id: AVD-KSV-0005
- id: AVD-KSV-0025
- id: AVD-KSV-0104
- id: AVD-KSV-0030
severity: HIGH
- id: 5.7.4
name: The default namespace should not be used
description: Kubernetes provides a default namespace, where objects are placed
if no namespace is specified for them
checks:
- id: AVD-KSV-0110
severity: MEDIUM