Skip to content

Commit

Permalink
feat: add commands to k8s cis spec
Browse files Browse the repository at this point in the history 
Signed-off-by: chenk <[email protected]>
  • Loading branch information
@chen-keinan
chen-keinan committed May 29, 2024
1 parent 4eceae3 commit 013ba52
Showing 1 changed file with 90 additions and 1 deletion.
91 changes: 90 additions & 1 deletion specs/compliance/k8s-cis-1.23.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@ spec:
of 600 or more restrictive
checks:
- id: AVD-KCV-0048
commands:
- id: CMD-0001
severity: HIGH
- id: 1.1.2
name: Ensure that the API server pod specification file ownership is set to
Expand All @@ -22,6 +24,8 @@ spec:
to root:root
checks:
- id: AVD-KCV-0049
commands:
- id: CMD-0002
severity: HIGH
- id: 1.1.3
name: Ensure that the controller manager pod specification file permissions are
Expand All @@ -30,6 +34,8 @@ spec:
permissions of 600 or more restrictive
checks:
- id: AVD-KCV-0050
commands:
- id: CMD-0003
severity: HIGH
- id: 1.1.4
name: Ensure that the controller manager pod specification file ownership is set
Expand All @@ -38,6 +44,8 @@ spec:
is set to root:root
checks:
- id: AVD-KCV-0051
commands:
- id: CMD-0004
severity: HIGH
- id: 1.1.5
name: Ensure that the scheduler pod specification file permissions are set to
Expand All @@ -46,6 +54,8 @@ spec:
600 or more restrictive
checks:
- id: AVD-KCV-0052
commands:
- id: CMD-0005
severity: HIGH
- id: 1.1.6
name: Ensure that the scheduler pod specification file ownership is set to
Expand All @@ -54,6 +64,8 @@ spec:
to root:root
checks:
- id: AVD-KCV-0053
commands:
- id: CMD-0006
severity: HIGH
- id: 1.1.7
name: Ensure that the etcd pod specification file permissions are set to 600 or
Expand All @@ -62,13 +74,17 @@ spec:
or more restrictive
checks:
- id: AVD-KCV-0054
commands:
- id: CMD-0007
severity: HIGH
- id: 1.1.8
name: Ensure that the etcd pod specification file ownership is set to root:root
description: Ensure that the etcd pod specification file ownership is set to
root:root.
checks:
- id: AVD-KCV-0055
commands:
- id: CMD-0008
severity: HIGH
- id: 1.1.9
name: Ensure that the Container Network Interface file permissions are set to
Expand All @@ -77,6 +93,8 @@ spec:
of 600 or more restrictive
checks:
- id: AVD-KCV-0056
commands:
- id: CMD-0009
severity: HIGH
- id: 1.1.10
name: Ensure that the Container Network Interface file ownership is set to
Expand All @@ -85,6 +103,8 @@ spec:
set to root:root
checks:
- id: AVD-KCV-0057
commands:
- id: CMD-0010
severity: HIGH
- id: 1.1.11
name: Ensure that the etcd data directory permissions are set to 700 or more
Expand All @@ -93,24 +113,32 @@ spec:
restrictive
checks:
- id: AVD-KCV-0058
commands:
- id: CMD-0011
severity: HIGH
- id: 1.1.12
name: Ensure that the etcd data directory ownership is set to etcd:etcd
description: Ensure that the etcd data directory ownership is set to etcd:etcd
checks:
- id: AVD-KCV-0059
commands:
- id: CMD-0012
severity: LOW
- id: 1.1.13
name: Ensure that the admin.conf file permissions are set to 600
description: Ensure that the admin.conf file has permissions of 600
checks:
- id: AVD-KCV-0060
commands:
- id: CMD-0013
severity: CRITICAL
- id: 1.1.14
name: Ensure that the admin.conf file ownership is set to root:root
description: Ensure that the admin.conf file ownership is set to root:root
checks:
- id: AVD-KCV-0061
commands:
- id: CMD-0014
severity: CRITICAL
- id: 1.1.15
name: Ensure that the scheduler.conf file permissions are set to 600 or more
Expand All @@ -119,12 +147,16 @@ spec:
restrictive
checks:
- id: AVD-KCV-0062
commands:
- id: CMD-0015
severity: HIGH
- id: 1.1.16
name: Ensure that the scheduler.conf file ownership is set to root:root
description: Ensure that the scheduler.conf file ownership is set to root:root
checks:
- id: AVD-KCV-0063
commands:
- id: CMD-0016
severity: HIGH
- id: 1.1.17
name: Ensure that the controller-manager.conf file permissions are set to 600 or
Expand All @@ -133,13 +165,17 @@ spec:
or more restrictive
checks:
- id: AVD-KCV-0064
commands:
- id: CMD-0017
severity: HIGH
- id: 1.1.18
name: Ensure that the controller-manager.conf file ownership is set to root:root
description: Ensure that the controller-manager.conf file ownership is set to
root:root.
checks:
- id: AVD-KCV-0065
commands:
- id: CMD-0018
severity: HIGH
- id: 1.1.19
name: Ensure that the Kubernetes PKI directory and file ownership is set to
Expand All @@ -148,6 +184,8 @@ spec:
to root:root
checks:
- id: AVD-KCV-0066
commands:
- id: CMD-0019
severity: CRITICAL
- id: 1.1.20
name: Ensure that the Kubernetes PKI certificate file permissions are set to 600
Expand All @@ -156,12 +194,16 @@ spec:
600 or more restrictive
checks:
- id: AVD-KCV-0068
commands:
- id: CMD-0020
severity: CRITICAL
- id: 1.1.21
name: Ensure that the Kubernetes PKI key file permissions are set to 600
description: Ensure that Kubernetes PKI key files have permissions of 600
checks:
- id: AVD-KCV-0067
commands:
- id: CMD-0021
severity: CRITICAL
- id: 1.2.1
name: Ensure that the --anonymous-auth argument is set to false
Expand Down Expand Up @@ -472,12 +514,16 @@ spec:
restrictive.
checks:
- id: AVD-KCV-0069
commands:
- id: CMD-0022
severity: HIGH
- id: 4.1.2
name: Ensure that the kubelet service file ownership is set to root:root
description: Ensure that the kubelet service file ownership is set to root:root
checks:
- id: AVD-KCV-0070
commands:
- id: CMD-0023
severity: HIGH
- id: 4.1.3
name: If proxy kubeconfig file exists ensure permissions are set to 600 or more
Expand All @@ -487,13 +533,17 @@ spec:
of 600 or more restrictive
checks:
- id: AVD-KCV-0071
commands:
- id: CMD-0024
severity: HIGH
- id: 4.1.4
name: If proxy kubeconfig file exists ensure ownership is set to root:root
description: If kube-proxy is running, ensure that the file ownership of its
kubeconfig file is set to root:root
checks:
- id: AVD-KCV-0072
commands:
- id: CMD-0025
severity: HIGH
- id: 4.1.5
name: Ensure that the --kubeconfig kubelet.conf file permissions are set to 600
Expand All @@ -502,13 +552,17 @@ spec:
restrictive
checks:
- id: AVD-KCV-0073
commands:
- id: CMD-0026
severity: HIGH
- id: 4.1.6
name: Ensure that the --kubeconfig kubelet.conf file ownership is set to
root:root
description: Ensure that the kubelet.conf file ownership is set to root:root
checks:
- id: AVD-KCV-0074
commands:
- id: CMD-0027
severity: HIGH
- id: 4.1.7
name: Ensure that the certificate authorities file permissions are set to 600 or
Expand All @@ -517,6 +571,8 @@ spec:
or more restrictive
checks:
- id: AVD-KCV-0075
commands:
- id: CMD-0028
severity: CRITICAL
- id: 4.1.8
name: Ensure that the client certificate authorities file ownership is set to
Expand All @@ -525,6 +581,8 @@ spec:
root:root
checks:
- id: AVD-KCV-0076
commands:
- id: CMD-0029
severity: CRITICAL
- id: 4.1.9
name: If the kubelet config.yaml configuration file is being used validate
Expand All @@ -533,6 +591,8 @@ spec:
--config argument, that file has permissions of 600 or more restrictive
checks:
- id: AVD-KCV-0077
commands:
- id: CMD-0030
severity: HIGH
- id: 4.1.10
name: If the kubelet config.yaml configuration file is being used validate file
Expand All @@ -541,56 +601,74 @@ spec:
--config argument, that file is owned by root:root
checks:
- id: AVD-KCV-0078
commands:
- id: CMD-0031
severity: HIGH
- id: 4.2.1
name: Ensure that the --anonymous-auth argument is set to false
description: Disable anonymous requests to the Kubelet server
checks:
- id: AVD-KCV-0079
commands:
- id: CMD-0032
severity: CRITICAL
- id: 4.2.2
name: Ensure that the --authorization-mode argument is not set to AlwaysAllow
description: Do not allow all requests. Enable explicit authorization
checks:
- id: AVD-KCV-0080
commands:
- id: CMD-0033
severity: CRITICAL
- id: 4.2.3
name: Ensure that the --client-ca-file argument is set as appropriate
description: Enable Kubelet authentication using certificates
checks:
- id: AVD-KCV-0081
commands:
- id: CMD-0034
severity: CRITICAL
- id: 4.2.4
name: Verify that the --read-only-port argument is set to 0
description: Disable the read-only port
checks:
- id: AVD-KCV-0082
commands:
- id: CMD-0035
severity: HIGH
- id: 4.2.5
name: Ensure that the --streaming-connection-idle-timeout argument is not set to
0
description: Do not disable timeouts on streaming connections
checks:
- id: AVD-KCV-0085
- id:
commands:
- id: CMD-0036
severity: HIGH
- id: 4.2.6
name: Ensure that the --protect-kernel-defaults argument is set to true
description: Protect tuned kernel parameters from overriding kubelet default
kernel parameter values
checks:
- id: AVD-KCV-0083
commands:
- id: CMD-0037
severity: HIGH
- id: 4.2.7
name: Ensure that the --make-iptables-util-chains argument is set to true
description: Allow Kubelet to manage iptables
checks:
- id: AVD-KCV-0084
commands:
- id: CMD-0038
severity: HIGH
- id: 4.2.8
name: Ensure that the --hostname-override argument is not set
description: Do not override node hostnames
checks:
- id: AVD-KCV-0086
commands:
- id: CMD-0039
severity: HIGH
- id: 4.2.9
name: Ensure that the --event-qps argument is set to 0 or a level which ensures
Expand All @@ -600,6 +678,8 @@ spec:
gathered
checks:
- id: AVD-KCV-0087
commands:
- id: CMD-0040
severity: HIGH
- id: 4.2.10
name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are
Expand All @@ -608,25 +688,34 @@ spec:
checks:
- id: AVD-KCV-0088
- id: AVD-KCV-0089
commands:
- id: CMD-0041
- id: CMD-0042
severity: CRITICAL
- id: 4.2.11
name: Ensure that the --rotate-certificates argument is not set to false
description: Enable kubelet client certificate rotation
checks:
- id: AVD-KCV-0090
commands:
- id: CMD-0043
severity: CRITICAL
- id: 4.2.12
name: Verify that the RotateKubeletServerCertificate argument is set to true
description: Enable kubelet server certificate rotation
checks:
- id: AVD-KCV-0091
commands:
- id: CMD-0044
severity: CRITICAL
- id: 4.2.13
name: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
description: Ensure that the Kubelet is configured to only use strong
cryptographic ciphers
checks:
- id: AVD-KCV-0092
commands:
- id: CMD-0045
severity: CRITICAL
- id: 5.1.1
name: Ensure that the cluster-admin role is only used where required
Expand Down

0 comments on commit 013ba52

Please sign in to comment.