Last active
October 11, 2017 14:49
-
-
Save mattymo/6853e0c2b6f6d62de952b95fddee6af2 to your computer and use it in GitHub Desktop.
kube bench results
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ./kube-bench master --config config.yml | |
| [INFO] 1 Master Node Security Configuration | |
| [INFO] 1.1 API Server | |
| [FAIL] 1.1.1 Ensure that the --allow-privileged argument is set to false (Scored) | |
| [FAIL] 1.1.2 Ensure that the --anonymous-auth argument is set to false (Scored) | |
| [FAIL] 1.1.3 Ensure that the --basic-auth-file argument is not set (Scored) | |
| [PASS] 1.1.4 Ensure that the --insecure-allow-any-token argument is not set (Scored) | |
| [PASS] 1.1.5 Ensure that the --kubelet-https argument is set to true (Scored) | |
| [FAIL] 1.1.6 Ensure that the --insecure-bind-address argument is not set (Scored) | |
| [FAIL] 1.1.7 Ensure that the --insecure-port argument is set to 0 (Scored) | |
| [PASS] 1.1.8 Ensure that the --secure-port argument is not set to 0 (Scored) | |
| [FAIL] 1.1.9 Ensure that the --profiling argument is set to false (Scored) | |
| [FAIL] 1.1.10 Ensure that the --repair-malformed-updates argument is set to false (Scored) | |
| [PASS] 1.1.11 Ensure that the admission control policy is not set to AlwaysAdmit (Scored) | |
| [FAIL] 1.1.12 Ensure that the admission control policy is set to AlwaysPullImages (Scored) | |
| [FAIL] 1.1.13 Ensure that the admission control policy is set to DenyEscalatingExec (Scored) | |
| [FAIL] 1.1.14 Ensure that the admission control policy is set to SecurityContextDeny (Scored) | |
| [PASS] 1.1.15 Ensure that the admission control policy is set to NamespaceLifecycle (Scored) | |
| [FAIL] 1.1.16 Ensure that the --audit-log-path argument is set as appropriate (Scored) | |
| [FAIL] 1.1.17 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored) | |
| [FAIL] 1.1.18 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored) | |
| [FAIL] 1.1.19 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored) | |
| [PASS] 1.1.20 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored) | |
| [FAIL] 1.1.21 Ensure that the --token-auth-file parameter is not set (Scored) | |
| [FAIL] 1.1.22 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored) | |
| [FAIL] 1.1.23 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored) | |
| [FAIL] 1.1.24 Ensure that the --service-account-lookup argument is set to true (Scored) | |
| [FAIL] 1.1.25 Ensure that the admission control policy is set to PodSecurityPolicy (Scored) | |
| [PASS] 1.1.26 Ensure that the --service-account-key-file argument is set as appropriate (Scored) | |
| [PASS] 1.1.27 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored | |
| [PASS] 1.1.28 Ensure that the admission control policy is set to ServiceAccount (Scored) | |
| [PASS] 1.1.29 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored) | |
| [PASS] 1.1.30 Ensure that the --client-ca-file argument is set as appropriate (Scored) | |
| [PASS] 1.1.31 Ensure that the --etcd-cafile argument is set as appropriate (Scored) | |
| [PASS] 1.1.32 Ensure that the --authorization-mode argument is set to Node (Scored) | |
| [FAIL] 1.1.33 Ensure that the admission control policy is set to NodeRestriction (Scored) | |
| [FAIL] 1.1.34 1.1.34 Ensure that the --experimental-encryption-provider-config argument is set as appropriate (Scored) | |
| [WARN] 1.1.35 Ensure that the encryption provider is set to aescbc (Scored) | |
| [INFO] 1.2 Scheduler | |
| [FAIL] 1.2.1 Ensure that the --profiling argument is set to false (Scored) | |
| [INFO] 1.3 Controller Manager | |
| [FAIL] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored) | |
| [FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Scored) | |
| [FAIL] 1.3.3 Ensure that the --use-service-account-credentials argument is set | |
| [PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Scored) | |
| [PASS] 1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Scored) | |
| [WARN] 1.3.6 Apply Security Context to Your Pods and Containers (Not Scored) | |
| [FAIL] 1.3.7 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored) | |
| [INFO] 1.4 Configure Files | |
| [PASS] 1.4.1 Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored) | |
| [PASS] 1.4.2 Ensure that the apiserver file ownership is set to root:root (Scored) | |
| [PASS] 1.4.3 Ensure that the config file permissions are set to 644 or more restrictive (Scored) | |
| [PASS] 1.4.4 Ensure that the config file ownership is set to root:root (Scored) | |
| [PASS] 1.4.5 Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored) | |
| [PASS] 1.4.6 Ensure that the scheduler file ownership is set to root:root (Scored) | |
| [PASS] 1.4.7 Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored) | |
| [PASS] 1.4.8 Ensure that the etcd.conf file ownership is set to root:root (Scored) | |
| [FAIL] 1.4.9 Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored) | |
| [FAIL] 1.4.10 Ensure that the flanneld file ownership is set to root:root (Scored) | |
| [FAIL] 1.4.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored) | |
| [FAIL] 1.4.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Scored) | |
| [INFO] 1.5 etcd | |
| [FAIL] 1.5.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored) | |
| [FAIL] 1.5.2 Ensure that the --client-cert-auth argument is set to true (Scored) | |
| [PASS] 1.5.3 Ensure that the --auto-tls argument is not set to true (Scored) | |
| [FAIL] 1.5.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored) | |
| [FAIL] 1.5.5 Ensure that the --peer-client-cert-auth argument is set to true (Scored) | |
| [PASS] 1.5.6 Ensure that the --peer-auto-tls argument is not set to true (Scored) | |
| [FAIL] 1.5.7 Ensure that the --wal-dir argument is set as appropriate (Scored) | |
| [FAIL] 1.5.8 Ensure that the --max-wals argument is set to 0 (Scored) | |
| [FAIL] 1.5.9 Ensure that a unique Certificate Authority is used for etcd (Not Scored) | |
| [INFO] 1.6 General Security Primitives | |
| [WARN] 1.6.1 Ensure that the cluster-admin role is only used where required (Not Scored) | |
| [WARN] 1.6.2 Create Pod Security Policies for your cluster (Not Scored) | |
| [WARN] 1.6.3 Create administrative boundaries between resources using namespaces (Not Scored) | |
| [WARN] 1.6.4 Create network segmentation using Network Policies (Not Scored) | |
| [WARN] 1.6.5 Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored) | |
| [WARN] 1.6.6 Apply Security Context to Your Pods and Containers (Not Scored) | |
| [WARN] 1.6.7 Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored) | |
| [WARN] 1.6.8 Configure Network policies as appropriate (Not Scored) | |
| == Remediations == | |
| 1.1.1 Edit the /etc/kubernetes/manifests/kube-apiserver.manifest file on the master node and set the KUBE_ALLOW_PRIV parameter to "--allow-privileged=false" | |
| 1.1.2 Edit the /etc/kubernetes/manifests/kube-apiserver.manifest file on the master node and set the KUBE_API_ARGS parameter to "--anonymous-auth=false" | |
| 1.1.3 Follow the documentation and configure alternate mechanisms for authentication. Then, edit the /etc/kubernetes/manifests/kube-apiserver.manifest file on the master node and remove the "--basic-auth-file=<filename>" argument from the KUBE_API_ARGS parameter. | |
| 1.1.6 Edit the /etc/kubernetes/manifests/kube-apiserver.manifest file on the master node and remove the --insecure-bind-address argument from the KUBE_API_ADDRESS parameter. | |
| 1.1.7 Edit the /etc/kubernetes/manifests/kube-apiserver.manifest file on the master node and set --insecure-port=0 in the KUBE_API_PORT parameter. | |
| 1.1.9 Edit the /etc/kubernetes/manifests/kube-apiserver.manifest file on the master node and set the KUBE_API_ARGS parameter to "--profiling=false" | |
| 1.1.10 Edit the /etc/kubernetes/manifests/kube-apiserver.manifest file on the master node and set the KUBE_API_ARGS parameter to "--repair-malformed-updates=false" | |
| 1.1.12 Edit the /etc/kubernetes/manifests/kube-apiserver.manifest file on the master node and set the KUBE_ADMISSION_CONTROL parameter to "--admission-control=...,AlwaysPullImages,..." | |
| 1.1.13 Edit the /etc/kubernetes/manifests/kube-apiserver.manifest file on the master node and set the KUBE_ADMISSION_CONTROL parameter to "--admission-control=...,DenyEscalatingExec,..." | |
| 1.1.14 Edit the /etc/kubernetes/manifests/kube-apiserver.manifest file on the master node and set the KUBE_ADMISSION_CONTROL parameter to "--admission-control=...,SecurityContextDeny,..." | |
| 1.1.16 Edit the /etc/kubernetes/manifests/kube-apiserver.manifest file on the master node and set the KUBE_API_ARGS parameter to "--audit-log-path=<filename>" | |
| 1.1.17 Edit the /etc/kubernetes/manifests/kube-apiserver.manifest file on the master node and set the KUBE_API_ARGS parameter to "--audit-log-maxage=30" | |
| 1.1.18 Edit the /etc/kubernetes/manifests/kube-apiserver.manifest file on the master node and set the KUBE_API_ARGS parameter to "--audit-log-maxbackup=10" | |
| 1.1.19 Edit the /etc/kubernetes/manifests/kube-apiserver.manifest file on the master node and set the KUBE_API_ARGS parameter to "--audit-log-maxsize=100" | |
| 1.1.21 Follow the documentation and configure alternate mechanisms for authentication. Then, edit the /etc/kubernetes/manifests/kube-apiserver.manifest file on the master node and remove the "--tokenauth-file=<filename>" argument from the KUBE_API_ARGS parameter. | |
| 1.1.22 Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the /etc/kubernetes/manifests/kube-apiserver.manifest file on the master node and set the KUBE_API_ARGS parameter to "--kubelet-certificate-authority=<ca-string>" | |
| 1.1.23 Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit the /etc/kubernetes/manifests/kube-apiserver.manifest file on the master node and set the KUBE_API_ARGS parameter to "--kubelet-clientcertificate=<path/to/client-certificate-file>" and "--kubelet-clientkey=<path/to/client-key-file>" | |
| 1.1.24 Edit the /etc/kubernetes/manifests/kube-apiserver.manifest file on the master node and set the KUBE_API_ARGS parameter to "--service-account-lookup=true" | |
| 1.1.25 Follow the documentation and create Pod Security Policy objects as per your environment. Then, edit the /etc/kubernetes/manifests/kube-apiserver.manifest file on the master node and set the KUBE_ADMISSION_CONTROL parameter to "--admission-control=...,PodSecurityPolicy,..." | |
| 1.1.33 Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Then, edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_ADMISSION_CONTROL parameter to "--admissioncontrol=...,NodeRestriction,..." | |
| 1.1.34 Follow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS parameter to "--experimental-encryption-provider-config=</path/to/EncryptionConfig/File>" | |
| 1.1.35 Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file, choose aescbc as the encryption provider | |
| 1.2.1 Edit the /etc/kubernetes/manifests/kube-scheduler.manifest file on the master node and set the KUBE_SCHEDULER_ARGS parameter to "--profiling=false" | |
| 1.3.1 Edit the /etc/kubernetes/manifests/kube-controller-manager.manifest file on the master node and set the KUBE_CONTROLLER_MANAGER_ARGS parameter to "--terminated-pod-gcthreshold=<appropriate-number>" | |
| 1.3.2 Edit the /etc/kubernetes/manifests/kube-controller-manager.manifest file on the master node and set the KUBE_CONTROLLER_MANAGER_ARGS parameter to "--profiling=false" | |
| 1.3.3 Edit the /etc/kubernetes/manifests/kube-controller-manager.manifest file on the master node and set the KUBE_CONTROLLER_MANAGER_ARGS parameter to --use-service-account-credentials=true | |
| 1.3.6 Edit the /etc/kubernetes/controller-manager file on the master node and set the KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include "--feature-gates=RotateKubeletServerCertificate=true" | |
| 1.3.7 Edit the /etc/kubernetes/controller-manager file on the master node and set the KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include "--feature-gates=RotateKubeletServerCertificate=true" | |
| 1.4.9 Run the below command (based on the file location on your system) on the master node. | |
| For example, chmod 644 $flanneldconf | |
| 1.4.10 Run the below command (based on the file location on your system) on the master node. | |
| For example, chown root:root $flanneldconf | |
| 1.4.11 On the etcd server node, get the etcd data directory, passed as an argument --data-dir , from the below command: | |
| ps -ef | grep etcd | |
| Run the below command (based on the etcd data directory found above). For example, | |
| chmod 700 /var/lib/etcd/default.etcd | |
| 1.4.12 On the etcd server node, get the etcd data directory, passed as an argument --data-dir , from the below command: | |
| ps -ef | grep etcd | |
| Run the below command (based on the etcd data directory found above). For example, | |
| chown etcd:etcd /var/lib/etcd/default.etcd | |
| 1.5.1 Follow the etcd service documentation and configure TLS encryption. | |
| 1.5.2 Edit the etcd envrironment file (for example, /etc/etcd.env) on the etcd server node and set the ETCD_CLIENT_CERT_AUTH parameter to "true". Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service) and configure the startup parameter for --clientcert-auth and set it to "${ETCD_CLIENT_CERT_AUTH}" | |
| 1.5.4 Note: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. Follow the etcd service documentation and configure peer TLS encryption as appropriate for your etcd cluster. | |
| 1.5.5 Note: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. Edit the etcd environment file (for example, /etc/etcd.env) on the etcd server node and set the ETCD_PEER_CLIENT_CERT_AUTH parameter to "true". Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service) and configure the startup parameter for --peer-client-cert-auth and set it to "${ETCD_PEER_CLIENT_CERT_AUTH}" | |
| 1.5.7 Edit the etcd environment file (for example, /etc/etcd.env) on the etcd server node and set the ETCD_WAL_DIR parameter as appropriate. Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service) and configure the startup parameter for --wal-dir and set it to "${ETCD_WAL_DIR}" | |
| 1.5.8 Edit the etcd environment file (for example, /etc/etcd.env) on the etcd server node and set the ETCD_MAX_WALS parameter to 0. Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service) and configure the startup parameter for --max-wals and set it to "${ETCD_MAX_WALS}". | |
| 1.5.9 Follow the etcd documentation and create a dedicated certificate authority setup for the etcd service. | |
| 1.6.1 Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name] | |
| 1.6.2 Follow the documentation and create and enforce Pod Security Policies for your cluster. Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the suggested Pod Security Policies for your environment. | |
| 1.6.3 Follow the documentation and create namespaces for objects in your deployment as you need them. | |
| 1.6.4 Follow the documentation and create NetworkPolicy objects as you need them. | |
| 1.6.5 Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you would need to enable alpha features in the apiserver by passing "--feature- gates=AllAlpha=true" argument. | |
| Edit the /etc/kubernetes/manifests/kube-apiserver.manifest file on the master node and set the KUBE_API_ARGS parameter to "--feature-gates=AllAlpha=true" KUBE_API_ARGS="--feature-gates=AllAlpha=true" | |
| 1.6.6 Follow the Kubernetes documentation and apply security contexts to your pods. For a suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker Containers. | |
| 1.6.7 Follow the Kubernetes documentation and setup image provenance. | |
| 1.6.8 Follow the Kubernetes documentation and setup network policies as appropriate. | |
| == Summary == | |
| 25 checks PASS | |
| 37 checks FAIL | |
| 10 checks WARN |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment