From 20ec5d14f28d59368f88995479886ed217b44b9f Mon Sep 17 00:00:00 2001
From: Paavan <38864141+paavan98pm@users.noreply.github.com>
Date: Fri, 10 Jul 2020 10:14:41 -0500
Subject: [PATCH] added eks-1.0 cfg and modified job-eks.yaml for node checks
 (#639)

* added eks-1.0 cfg and modified job-eks.yaml for node checks

* fixed yamllint errors and README updates
---
 README.md                        |   2 +
 cfg/eks-1.0/config.yaml          |   2 +
 cfg/eks-1.0/controlplane.yaml    |  14 ++
 cfg/eks-1.0/managedservices.yaml | 104 +++++++++
 cfg/eks-1.0/master.yaml          |   6 +
 cfg/eks-1.0/node.yaml            | 388 +++++++++++++++++++++++++++++++
 cfg/eks-1.0/policies.yaml        | 237 +++++++++++++++++++
 job-eks.yaml                     |   2 +-
 8 files changed, 754 insertions(+), 1 deletion(-)
 create mode 100644 cfg/eks-1.0/config.yaml
 create mode 100644 cfg/eks-1.0/controlplane.yaml
 create mode 100644 cfg/eks-1.0/managedservices.yaml
 create mode 100644 cfg/eks-1.0/master.yaml
 create mode 100644 cfg/eks-1.0/node.yaml
 create mode 100644 cfg/eks-1.0/policies.yaml

diff --git a/README.md b/README.md
index c11c164..4e30952 100644
--- a/README.md
+++ b/README.md
@@ -58,6 +58,7 @@ kube-bench supports the tests for Kubernetes as defined in the [CIS Kubernetes B
 | [1.4.1](https://workbench.cisecurity.org/benchmarks/2351) | cis-1.4 | 1.13-1.14 |
 | [1.5.0](https://workbench.cisecurity.org/benchmarks/1370) | cis-1.5 | 1.15- |
 | [GKE 1.0.0](https://workbench.cisecurity.org/benchmarks/4536) | gke-1.0 | GKE |
+| [EKS 1.0.0](https://workbench.cisecurity.org/benchmarks/5190) | eks-1.0 | EKS |
 | Red Hat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 | 
 
 By default, kube-bench will determine the test set to run based on the Kubernetes version running on the machine, but please note that kube-bench does not automatically detect OpenShift and GKE - see the section below on [Running kube-bench](https://github.com/aquasecurity/kube-bench#running-kube-bench). 
@@ -120,6 +121,7 @@ The following table shows the valid targets based on the CIS Benchmark version.
 | cis-1.4| master, node |
 | cis-1.5| master, controlplane, node, etcd, policies |
 | gke-1.0| master, controlplane, node, etcd, policies, managedservices |
+| eks-1.0| node, policies, managedservices |
 
 If no targets are specified, `kube-bench` will determine the appropriate targets based on the CIS Benchmark version.
 
diff --git a/cfg/eks-1.0/config.yaml b/cfg/eks-1.0/config.yaml
new file mode 100644
index 0000000..b783945
--- /dev/null
+++ b/cfg/eks-1.0/config.yaml
@@ -0,0 +1,2 @@
+---
+## Version-specific settings that override the values in cfg/config.yaml
diff --git a/cfg/eks-1.0/controlplane.yaml b/cfg/eks-1.0/controlplane.yaml
new file mode 100644
index 0000000..f3c971d
--- /dev/null
+++ b/cfg/eks-1.0/controlplane.yaml
@@ -0,0 +1,14 @@
+---
+controls:
+version: "eks-1.0"
+id: 2
+text: "Control Plane Configuration"
+type: "controlplane"
+groups:
+  - id: 2.1
+    text: "Logging"
+    checks:
+      - id: 2.1.1
+        text: "Enable audit logs"
+        remediation: "Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler."
+        scored: false
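Review bot: Check 2.1.1 has neither an `audit` command nor `type: "manual"`, unlike every other audit-less check in this patch (managedservices.yaml and policies.yaml all set `type: "manual"`), so how the runner is meant to evaluate it is unclear; presumably it should carry `type: "manual"` and the `(Not Scored)` suffix in its text like its siblings. Its `remediation` is also a single quoted string while the sibling files use `|` block scalars, which is harmless but worth aligning. Note that the README target table added in this same patch lists the eks-1.0 targets as `node, policies, managedservices`, so this controlplane file is not mentioned there; either list it or explain in a comment why it is present.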
diff --git a/cfg/eks-1.0/managedservices.yaml b/cfg/eks-1.0/managedservices.yaml
new file mode 100644
index 0000000..c8768e9
--- /dev/null
+++ b/cfg/eks-1.0/managedservices.yaml
@@ -0,0 +1,104 @@
+---
+controls:
+version: "eks-1.0"
+id: 5
+text: "Managed Services"
+type: "managedservices"
+groups:
+  - id: 5.1
+    text: "Image Registry and Image Scanning"
+    checks:
+      - id: 5.1.1
+        text: "Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third-party provider (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+      - id: 5.1.2
+        text: "Minimize user access to Amazon ECR (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+      - id: 5.1.3
+        text: "Minimize cluster access to read-only for Amazon ECR (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+      - id: 5.1.4
+        text: "Minimize Container Registries to only those approved (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+  - id: 5.2
+    text: "Identity and Access Management (IAM)"
+    checks:
+      - id: 5.2.1
+        text: "Prefer using dedicated Amazon EKS Service Accounts (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+  - id: 5.3
+    text: "AWS Key Management Service (AWS KMS)"
+    checks:
+      - id: 5.3.1
+        text: "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+  - id: 5.4
+    text: "Cluster Networking"
+    checks:
+      - id: 5.4.1
+        text: "Restrict Access to the Control Plane Endpoint (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+      - id: 5.4.2
+        text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+      - id: 5.4.3
+        text: "Ensure clusters are created with Private Nodes (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+      - id: 5.4.4
+        text: "Ensure Network Policy is Enabled and set as appropriate (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+      - id: 5.4.5
+        text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+
+  - id: 5.5
+    text: "Authentication and Authorization"
+    checks:
+      - id: 5.5.1
+        text: "Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
+
+
+  - id: 5.6
+    text: "Other Cluster Configurations"
+    checks:
+      - id: 5.6.1
+        text: "Consider Fargate for running untrusted workloads (Not Scored)"
+        type: "manual"
+        remediation:
+        scored: false
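Review bot: Every check in this file leaves `remediation:` bare (5.1.1 through 5.6.1), which YAML parses as null rather than an empty string, so the loader receives a nil remediation and the rendered output depends on how that nil is formatted. Either give each check the benchmark's remediation text as a `|` block scalar, as policies.yaml in this patch does, or write `remediation: ""` explicitly so the intent is unambiguous (yamllint's `empty-values` rule flags the bare form). There are also double blank lines before groups 5.5 and 5.6 where the rest of the file uses a single one.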
diff --git a/cfg/eks-1.0/master.yaml b/cfg/eks-1.0/master.yaml
new file mode 100644
index 0000000..a598528
--- /dev/null
+++ b/cfg/eks-1.0/master.yaml
@@ -0,0 +1,6 @@
+---
+controls:
+version: "eks-1.0"
+id: 1
+text: "Control Plane Components"
+type: "master"
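Review bot: The file declares a controls document with no `groups` key, so a loader that looks for it gets null rather than an empty list; if the intent is a deliberately empty target, presumably because the control plane is managed, `groups: []` with a comment such as `# No master checks defined for eks-1.0` would make that explicit. Note that the README target table added in this patch does not list `master` for eks-1.0, so the file is currently undocumented.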
diff --git a/cfg/eks-1.0/node.yaml b/cfg/eks-1.0/node.yaml
new file mode 100644
index 0000000..29d2259
--- /dev/null
+++ b/cfg/eks-1.0/node.yaml
@@ -0,0 +1,388 @@
+---
+controls:
+version: "eks-1.0"
+id: 3
+text: "Worker Node Security Configuration"
+type: "node"
+groups:
+  - id: 3.1
+    text: "Worker Node Configuration Files"
+    checks:
+      - id: 3.1.1
+        text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
+        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' '
+        tests:
+          test_items:
+            - flag: "644"
+              compare:
+                op: eq
+                value: "644"
+              set: true
+            - flag: "640"
+              compare:
+                op: eq
+                value: "640"
+              set: true
+            - flag: "600"
+              compare:
+                op: eq
+                value: "600"
+              set: true
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
+          bin_op: or
+        remediation: |
+          Run the below command (based on the file location on your system) on each worker node.
+          For example,
+          chmod 644 $proykubeconfig
+        scored: true
+
+      - id: 3.1.2
+        text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
+        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
+        tests:
+          test_items:
+            - flag: root:root
+              set: true
+        remediation: |
+          Run the below command (based on the file location on your system) on each worker node.
+          For example, chown root:root $proxykubeconfig
+        scored: true
+
+      - id: 3.1.3
+        text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
+        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' '
+        tests:
+          test_items:
+            - flag: "644"
+              set: true
+              compare:
+                op: eq
+                value: "644"
+            - flag: "640"
+              set: true
+              compare:
+                op: eq
+                value: "640"
+            - flag: "600"
+              set: true
+              compare:
+                op: eq
+                value: "600"
+            - flag: "444"
+              compare:
+                op: eq
+                value: "444"
+              set: true
+            - flag: "440"
+              compare:
+                op: eq
+                value: "440"
+              set: true
+            - flag: "400"
+              compare:
+                op: eq
+                value: "400"
+              set: true
+            - flag: "000"
+              compare:
+                op: eq
+                value: "000"
+              set: true
+          bin_op: or
+        remediation: |
+          Run the following command (using the config file location identied in the Audit step)
+          chmod 644 $kubeletconf
+        scored: true
+
+      - id: 3.1.4
+        text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
+        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
+        tests:
+          test_items:
+            - flag: root:root
+              set: true
+        remediation: |
+          Run the following command (using the config file location identied in the Audit step)
+          chown root:root $kubeletconf
+        scored: true
+
+  - id: 3.2
+    text: "Kubelet"
+    checks:
+      - id: 3.2.1
+        text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
+        audit: "/bin/ps -fC $kubeletbin"
+        audit_config: "/bin/cat $kubeletconf"
+        tests:
+          test_items:
+            - flag: "--anonymous-auth"
+              path: '{.authentication.anonymous.enabled}'
+              set: true
+              compare:
+                op: eq
+                value: false
+        remediation: |
+          If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
+          false.
+          If using executable arguments, edit the kubelet service file
+          $kubeletsvc on each worker node and
+          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+          --anonymous-auth=false
+          Based on your system, restart the kubelet service. For example:
+          systemctl daemon-reload
+          systemctl restart kubelet.service
+        scored: true
+
+      - id: 3.2.2
+        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
+        audit: "/bin/ps -fC $kubeletbin"
+        audit_config: "/bin/cat $kubeletconf"
+        tests:
+          test_items:
+            - flag: --authorization-mode
+              path: '{.authorization.mode}'
+              set: true
+              compare:
+                op: nothave
+                value: AlwaysAllow
+        remediation: |
+          If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If
+          using executable arguments, edit the kubelet service file
+          $kubeletsvc on each worker node and
+          set the below parameter in KUBELET_AUTHZ_ARGS variable.
+          --authorization-mode=Webhook
+          Based on your system, restart the kubelet service. For example:
+          systemctl daemon-reload
+          systemctl restart kubelet.service
+        scored: true
+
+      - id: 3.2.3
+        text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
+        audit: "/bin/ps -fC $kubeletbin"
+        audit_config: "/bin/cat $kubeletconf"
+        tests:
+          test_items:
+            - flag: --client-ca-file
+              path: '{.authentication.x509.clientCAFile}'
+              set: true
+        remediation: |
+          If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
+          the location of the client CA file.
+          If using command line arguments, edit the kubelet service file
+          $kubeletsvc on each worker node and
+          set the below parameter in KUBELET_AUTHZ_ARGS variable.
+          --client-ca-file=<path/to/client-ca-file>
+          Based on your system, restart the kubelet service. For example:
+          systemctl daemon-reload
+          systemctl restart kubelet.service
+        scored: true
+
+      - id: 3.2.4
+        text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
+        audit: "/bin/ps -fC $kubeletbin"
+        audit_config: "/bin/cat $kubeletconf"
+        tests:
+          test_items:
+            - flag: "--read-only-port"
+              path: '{.readOnlyPort}'
+              set: true
+              compare:
+                op: eq
+                value: 0
+        remediation: |
+          If using a Kubelet config file, edit the file to set readOnlyPort to 0.
+          If using command line arguments, edit the kubelet service file
+          $kubeletsvc on each worker node and
+          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+          --read-only-port=0
+          Based on your system, restart the kubelet service. For example:
+          systemctl daemon-reload
+          systemctl restart kubelet.service
+        scored: true
+
+      - id: 3.2.5
+        text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
+        audit: "/bin/ps -fC $kubeletbin"
+        audit_config: "/bin/cat $kubeletconf"
+        tests:
+          test_items:
+            - flag: --streaming-connection-idle-timeout
+              path: '{.streamingConnectionIdleTimeout}'
+              set: true
+              compare:
+                op: noteq
+                value: 0
+            - flag: --streaming-connection-idle-timeout
+              path: '{.streamingConnectionIdleTimeout}'
+              set: false
+          bin_op: or
+        remediation: |
+          If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
+          value other than 0.
+          If using command line arguments, edit the kubelet service file
+          $kubeletsvc on each worker node and
+          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+          --streaming-connection-idle-timeout=5m
+          Based on your system, restart the kubelet service. For example:
+          systemctl daemon-reload
+          systemctl restart kubelet.service
+        scored: true
+
+      - id: 3.2.6
+        text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
+        audit: "/bin/ps -fC $kubeletbin"
+        audit_config: "/bin/cat $kubeletconf"
+        tests:
+          test_items:
+            - flag: --protect-kernel-defaults
+              path: '{.protectKernelDefaults}'
+              set: true
+              compare:
+                op: eq
+                value: true
+        remediation: |
+          If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
+          If using command line arguments, edit the kubelet service file
+          $kubeletsvc on each worker node and
+          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+          --protect-kernel-defaults=true
+          Based on your system, restart the kubelet service. For example:
+          systemctl daemon-reload
+          systemctl restart kubelet.service
+        scored: true
+
+      - id: 3.2.7
+        text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored) "
+        audit: "/bin/ps -fC $kubeletbin"
+        audit_config: "/bin/cat $kubeletconf"
+        tests:
+          test_items:
+            - flag: --make-iptables-util-chains
+              path: '{.makeIPTablesUtilChains}'
+              set: true
+              compare:
+                op: eq
+                value: true
+            - flag: --make-iptables-util-chains
+              path: '{.makeIPTablesUtilChains}'
+              set: false
+          bin_op: or
+        remediation: |
+          If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true.
+          If using command line arguments, edit the kubelet service file
+          $kubeletsvc on each worker node and
+          remove the --make-iptables-util-chains argument from the
+          KUBELET_SYSTEM_PODS_ARGS variable.
+          Based on your system, restart the kubelet service. For example:
+          systemctl daemon-reload
+          systemctl restart kubelet.service
+        scored: true
+
+      - id: 3.2.8
+        text: "Ensure that the --hostname-override argument is not set (Scored)"
+        # This is one of those properties that can only be set as a command line argument.
+        # To check if the property is set as expected, we need to parse the kubelet command
+        # instead reading the Kubelet Configuration file.
+        audit: "/bin/ps -fC $kubeletbin "
+        tests:
+          test_items:
+            - flag: --hostname-override
+              set: false
+        remediation: |
+          Edit the kubelet service file $kubeletsvc
+          on each worker node and remove the --hostname-override argument from the
+          KUBELET_SYSTEM_PODS_ARGS variable.
+          Based on your system, restart the kubelet service. For example:
+          systemctl daemon-reload
+          systemctl restart kubelet.service
+        scored: true
+
+      - id: 3.2.9
+        text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Scored)"
+        audit: "/bin/ps -fC $kubeletbin"
+        audit_config: "/bin/cat $kubeletconf"
+        tests:
+          test_items:
+            - flag: --event-qps
+              path: '{.eventRecordQPS}'
+              set: true
+              compare:
+                op: eq
+                value: 0
+        remediation: |
+          If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
+          If using command line arguments, edit the kubelet service file
+          $kubeletsvc on each worker node and
+          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+          Based on your system, restart the kubelet service. For example:
+          systemctl daemon-reload
+          systemctl restart kubelet.service
+        scored: false
+
+      - id: 3.2.10
+        text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
+        audit: "/bin/ps -fC $kubeletbin"
+        audit_config: "/bin/cat $kubeletconf"
+        tests:
+          test_items:
+            - flag: --rotate-certificates
+              path: '{.rotateCertificates}'
+              set: true
+              compare:
+                op: eq
+                value: true
+            - flag: --rotate-certificates
+              path: '{.rotateCertificates}'
+              set: false
+          bin_op: or
+        remediation: |
+          If using a Kubelet config file, edit the file to add the line rotateCertificates: true or
+          remove it altogether to use the default value.
+          If using command line arguments, edit the kubelet service file
+          $kubeletsvc on each worker node and
+          remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
+          variable.
+          Based on your system, restart the kubelet service. For example:
+          systemctl daemon-reload
+          systemctl restart kubelet.service
+        scored: true
+
+      - id: 3.2.11
+        text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
+        audit: "/bin/ps -fC $kubeletbin"
+        audit_config: "/bin/cat $kubeletconf"
+        tests:
+          test_items:
+            - flag: RotateKubeletServerCertificate
+              path: '{.featureGates.RotateKubeletServerCertificate}'
+              set: true
+              compare:
+                op: eq
+                value: true
+        remediation: |
+          Edit the kubelet service file $kubeletsvc
+          on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
+          --feature-gates=RotateKubeletServerCertificate=true
+          Based on your system, restart the kubelet service. For example:
+          systemctl daemon-reload
+          systemctl restart kubelet.service
+        scored: true
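Review bot: The remediation for 3.1.1 misspells the variable (`chmod 644 $proykubeconfig`): a user pasting it runs `chmod` against an unset `$proykubeconfig`, which fails rather than fixing the file, so it should read `chmod 644 $proxykubeconfig` as 3.1.2 does. Check 3.2.9 is titled `(Scored)` but sets `scored: false`, and its remediation says `set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.` without naming one — presumably `--event-qps=0` — while its test requires `eq 0` even though the title also accepts "a level which ensures appropriate event capture". Smaller text issues: `identied` in the 3.1.3 and 3.1.4 remediations, and a trailing space inside the 3.2.7 title string that will be carried into the report.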
diff --git a/cfg/eks-1.0/policies.yaml b/cfg/eks-1.0/policies.yaml
new file mode 100644
index 0000000..98dbe28
--- /dev/null
+++ b/cfg/eks-1.0/policies.yaml
@@ -0,0 +1,237 @@
+---
+controls:
+version: "eks-1.0"
+id: 4
+text: "Policies"
+type: "policies"
+groups:
+  - id: 4.1
+    text: "RBAC and Service Accounts"
+    checks:
+      - id: 4.1.1
+        text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
+        type: "manual"
+        remediation: |
+          Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
+          if they need this role or if they could use a role with fewer privileges.
+          Where possible, first bind users to a lower privileged role and then remove the
+          clusterrolebinding to the cluster-admin role :
+          kubectl delete clusterrolebinding [name]
+        scored: false
+
+      - id: 4.1.2
+        text: "Minimize access to secrets (Not Scored)"
+        type: "manual"
+        remediation: |
+          Where possible, remove get, list and watch access to secret objects in the cluster.
+        scored: false
+
+      - id: 4.1.3
+        text: "Minimize wildcard use in Roles and ClusterRoles (Not Scored)"
+        type: "manual"
+        remediation: |
+          Where possible replace any use of wildcards in clusterroles and roles with specific
+          objects or actions.
+        scored: false
+
+      - id: 4.1.4
+        text: "Minimize access to create pods (Not Scored)"
+        type: "manual"
+        Remediation: |
+          Where possible, remove create access to pod objects in the cluster.
+        scored: false
+
+      - id: 4.1.5
+        text: "Ensure that default service accounts are not actively used. (Not Scored)"
+        type: "manual"
+        remediation: |
+          Create explicit service accounts wherever a Kubernetes workload requires specific access
+          to the Kubernetes API server.
+          Modify the configuration of each default service account to include this value
+          automountServiceAccountToken: false
+        scored: false
+
+      - id: 4.1.6
+        text: "Ensure that Service Account Tokens are only mounted where necessary (Not Scored)"
+        type: "manual"
+        remediation: |
+          Modify the definition of pods and service accounts which do not need to mount service
+          account tokens to disable it.
+        scored: false
+
+  - id: 4.2
+    text: "Pod Security Policies"
+    checks:
+      - id: 4.2.1
+        text: "Minimize the admission of privileged containers (Not Scored)"
+        type: "manual"
+        remediation: |
+          Create a PSP as described in the Kubernetes documentation, ensuring that
+          the .spec.privileged field is omitted or set to false.
+        scored: false
+
+      - id: 4.2.2
+        text: "Minimize the admission of containers wishing to share the host process ID namespace (Not Scored)"
+        type: "manual"
+        remediation: |
+          Create a PSP as described in the Kubernetes documentation, ensuring that the
+          .spec.hostPID field is omitted or set to false.
+        scored: false
+
+      - id: 4.2.3
+        text: "Minimize the admission of containers wishing to share the host IPC namespace (Not Scored)"
+        type: "manual"
+        remediation: |
+          Create a PSP as described in the Kubernetes documentation, ensuring that the
+          .spec.hostIPC field is omitted or set to false.
+        scored: false
+
+      - id: 4.2.4
+        text: "Minimize the admission of containers wishing to share the host network namespace (Not Scored)"
+        type: "manual"
+        remediation: |
+          Create a PSP as described in the Kubernetes documentation, ensuring that the
+          .spec.hostNetwork field is omitted or set to false.
+        scored: false
+
+      - id: 4.2.5
+        text: "Minimize the admission of containers with allowPrivilegeEscalation (Not Scored)"
+        type: "manual"
+        remediation: |
+          Create a PSP as described in the Kubernetes documentation, ensuring that the
+          .spec.allowPrivilegeEscalation field is omitted or set to false.
+        scored: false
+
+      - id: 4.2.6
+        text: "Minimize the admission of root containers (Not Scored)"
+        type: "manual"
+        remediation: |
+          Create a PSP as described in the Kubernetes documentation, ensuring that the
+          .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of
+          UIDs not including 0.
+        scored: false
+
+      - id: 4.2.7
+        text: "Minimize the admission of containers with the NET_RAW capability (Not Scored)"
+        type: "manual"
+        remediation: |
+          Create a PSP as described in the Kubernetes documentation, ensuring that the
+          .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
+        scored: false
+
+      - id: 4.2.8
+        text: "Minimize the admission of containers with added capabilities (Not Scored)"
+        type: "manual"
+        remediation: |
+          Ensure that allowedCapabilities is not present in PSPs for the cluster unless
+          it is set to an empty array.
+        scored: false
+
+      - id: 4.2.9
+        text: "Minimize the admission of containers with capabilities assigned (Not Scored)"
+        type: "manual"
+        remediation: |
+          Review the use of capabilites in applications runnning on your cluster. Where a namespace
+          contains applications which do not require any Linux capabities to operate consider adding
+          a PSP which forbids the admission of containers which do not drop all capabilities.
+        scored: false
+
+  - id: 4.3
+    text: "CNI Plugin"
+    checks:
+      - id: 4.3.1
+        text: "Ensure that the latest CNI version is used (Not Scored)"
+        type: "manual"
+        remediation: |
+          Review the documentation of AWS CNI plugin, and ensure latest CNI version is used.
+        scored: false
+
+      - id: 4.3.2
+        text: "Ensure that all Namespaces have Network Policies defined (Not Scored)"
+        type: "manual"
+        remediation: |
+          Follow the documentation and create NetworkPolicy objects as you need them.
+        scored: false
+
+  - id: 4.4
+    text: "Secrets Management"
+    checks:
+      - id: 4.4.1
+        text: "Prefer using secrets as files over secrets as environment variables (Not Scored)"
+        type: "manual"
+        remediation: |
+          If possible, rewrite application code to read secrets from mounted secret files, rather than
+          from environment variables.
+        scored: false
+
+      - id: 4.4.2
+        text: "Consider external secret storage (Not Scored)"
+        type: "manual"
+        remediation: |
+          Refer to the secrets management options offered by your cloud provider or a third-party
+          secrets management solution.
+        scored: false
+
+  - id: 4.5
+    text: "Extensible Admission Control"
+    checks:
+      - id: 4.5.1
+        text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
+        type: "manual"
+        remediation: |
+          Follow the Kubernetes documentation and setup image provenance.
+        scored: false
+
+  - id: 4.6
+    text: "General Policies"
+    checks:
+      - id: 4.6.1
+        text: "Create administrative boundaries between resources using namespaces (Not Scored)"
+        type: "manual"
+        remediation: |
+          Follow the documentation and create namespaces for objects in your deployment as you need
+          them.
+        scored: false
+
+      - id: 4.6.2
+        text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
+        type: "manual"
+        remediation: |
+          Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
+          would need to enable alpha features in the apiserver by passing "--feature-
+          gates=AllAlpha=true" argument.
+          Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
+          parameter to "--feature-gates=AllAlpha=true"
+          KUBE_API_ARGS="--feature-gates=AllAlpha=true"
+          Based on your system, restart the kube-apiserver service. For example:
+          systemctl restart kube-apiserver.service
+          Use annotations to enable the docker/default seccomp profile in your pod definitions. An
+          example is as below:
+          apiVersion: v1
+          kind: Pod
+          metadata:
+            name: trustworthy-pod
+            annotations:
+              seccomp.security.alpha.kubernetes.io/pod: docker/default
+          spec:
+            containers:
+              - name: trustworthy-container
+                image: sotrustworthy:latest
+        scored: false
+
+      - id: 4.6.3
+        text: "Apply Security Context to Your Pods and Containers (Not Scored)"
+        type: "manual"
+        remediation: |
+          Follow the Kubernetes documentation and apply security contexts to your pods. For a
+          suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
+          Containers.
+        scored: false
+
+      - id: 4.6.4
+        text: "The default namespace should not be used (Not Scored)"
+        type: "manual"
+        remediation: |
+          Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
+          resources and that all new resources are created in a specific namespace.
+        scored: false
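Review bot: Check 4.1.4 uses the key `Remediation:` (capital R) where every other check uses `remediation:`; YAML keys are case-sensitive, so the loader will most likely not recognize it and the check will be reported with no remediation text. The 4.6.2 remediation tells the reader to edit `/etc/kubernetes/apiserver` on the master node and restart kube-apiserver, which presumably was carried over from the self-managed benchmark; with a managed control plane that part cannot be acted on by the cluster operator, so it should be trimmed to the pod-annotation guidance that follows it. Typos in 4.2.9: `capabilites`, `runnning`, `capabities`.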
diff --git a/job-eks.yaml b/job-eks.yaml
index b0cac98..0e4b325 100644
--- a/job-eks.yaml
+++ b/job-eks.yaml
@@ -11,7 +11,7 @@ spec:
         - name: kube-bench
           # Push the image to your ECR and then refer to it here
           image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
-          command: ["kube-bench", "--version", "1.11"]
+          command: ["kube-bench", "node", "--benchmark", "eks-1.0"]
           volumeMounts:
             - name: var-lib-kubelet
               mountPath: /var/lib/kubelet
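Review bot: The new command runs only the `node` target, while the README table added in this patch lists the eks-1.0 targets as node, policies and managedservices; every check in those two files is `type: "manual"`, so leaving them out of the Job is reasonable, but that decision is not recorded anywhere. A comment above the line, `# Only the node target is automated; eks-1.0 policies and managedservices checks are manual`, would save the next reader from wondering why the Job and the README disagree. The container spec continues outside the hunk.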