Skip to content

Instantly share code, notes, and snippets.

@bergerx
Last active January 20, 2020 21:54
Show Gist options
  • Save bergerx/f8144c205a9d109ae3910b5b40fef503 to your computer and use it in GitHub Desktop.
Save bergerx/f8144c205a9d109ae3910b5b40fef503 to your computer and use it in GitHub Desktop.
kube-bench on AKS 1.15.7
kube-bench: (master u=) $ kubectl node-shell aks-cpuworkers-18754171-vmss000000
spawning "nsenter-kru76j" on "aks-cpuworkers-18754171-vmss000000"
If you don't see a command prompt, try pressing enter.
root@aks-cpuworkers-18754171-vmss000000:/#
root@aks-cpuworkers-18754171-vmss000000:/# docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install
===============================================
kube-bench is now installed on your host
Run ./kube-bench to perform a security check
===============================================
root@aks-cpuworkers-18754171-vmss000000:/# ./kube-bench node
[INFO] 2 Worker Node Security Configuration
[INFO] 2.1 Kubelet
[FAIL] 2.1.1 Ensure that the --allow-privileged argument is set to false (Scored)
[PASS] 2.1.2 Ensure that the --anonymous-auth argument is set to false (Scored)
[PASS] 2.1.3 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
[PASS] 2.1.4 Ensure that the --client-ca-file argument is set as appropriate (Scored)
[FAIL] 2.1.5 Ensure that the --read-only-port argument is set to 0 (Scored)
[PASS] 2.1.6 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)
[PASS] 2.1.7 Ensure that the --protect-kernel-defaults argument is set to true (Scored)
[PASS] 2.1.8 Ensure that the --make-iptables-util-chains argument is set to true (Scored)
[PASS] 2.1.9 Ensure that the --hostname-override argument is not set (Scored)
[PASS] 2.1.10 Ensure that the --event-qps argument is set to 0 (Scored)
[PASS] 2.1.11 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
[PASS] 2.1.12 Ensure that the --cadvisor-port argument is set to 0 (Scored)
[PASS] 2.1.13 Ensure that the --rotate-certificates argument is not set to false (Scored)
[PASS] 2.1.14 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
[PASS] 2.1.15 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)
[INFO] 2.2 Configuration Files
[PASS] 2.2.1 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
[PASS] 2.2.2 Ensure that the kubelet.conf file ownership is set to root:root (Scored)
[PASS] 2.2.3 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)
[PASS] 2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)
[PASS] 2.2.5 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
[PASS] 2.2.6 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
[WARN] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
[PASS] 2.2.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
[PASS] 2.2.9 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
[PASS] 2.2.10 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
== Remediations ==
2.1.1 Edit the kubelet service file /etc/systemd/system/kubelet.service
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--allow-privileged=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
2.1.5 If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
2.2.7 Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>
== Summary ==
22 checks PASS
2 checks FAIL
1 checks WARN
0 checks INFO
root@aks-cpuworkers-18754171-vmss000000:/#
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment