From 7ed58648a471a925959debc015587557a208f03d Mon Sep 17 00:00:00 2001 From: Homayoon Alimohammadi Date: Sat, 18 Jan 2025 00:35:37 +0400 Subject: [PATCH] docs: Improve security docs (#980) --- docs/src/snap/howto/restore-quorum.md | 23 +-- .../src/snap/howto/security/cis-assessment.md | 40 ++-- .../howto/security/disa-stig-assessment.md | 182 +++++++++--------- docs/src/snap/howto/security/hardening.md | 4 +- docs/src/snap/howto/security/index.md | 2 +- 5 files changed, 126 insertions(+), 125 deletions(-) diff --git a/docs/src/snap/howto/restore-quorum.md b/docs/src/snap/howto/restore-quorum.md index 9050797c7..f08389699 100755 --- a/docs/src/snap/howto/restore-quorum.md +++ b/docs/src/snap/howto/restore-quorum.md @@ -1,4 +1,4 @@ -# Recovering a Cluster After Quorum Loss +# Recovering a cluster after quorum loss Highly available {{product}} clusters can survive losing one or more nodes. [Dqlite], the default datastore, implements a [Raft] based protocol @@ -11,14 +11,14 @@ steps outlined in this document. ```{note} This guide can be used to recover the default {{product}} datastore, -dqlite. Persistent volumes on the lost nodes are *not* recovered. +Dqlite. Persistent volumes on the lost nodes are *not* recovered. ``` -## Dqlite Configuration +## Dqlite configuration -Be aware that {{product}} uses not one, but two dqlite databases: +Be aware that {{product}} uses not one, but two Dqlite databases: -* k8s-dqlite - used by Kubernetes itself +* k8s-dqlite - used by Kubernetes itself (as an ETCD replacement) * k8sd - Kubernetes cluster management data Each database has its own state directory: 
@@ -29,8 +29,8 @@ Each database has its own state directory: The state directory normally contains: * ``info.yaml`` - the id, address and cluster role of this node -* ``cluster.yaml`` - the state of the cluster, as seen by this dqlite node. - It includes the same information as info.yaml, but for all cluster nodes. +* ``cluster.yaml`` - the state of the cluster, as seen by this Dqlite node. + It includes the same information as info.yaml, but for all cluster nodes * ``00000abcxx-00000abcxx``, ``open-abc`` - database segments * ``cluster.crt``, ``cluster.key`` - node certificates * ``snapshot-abc-abc-abc.meta`` @@ -53,7 +53,7 @@ Dqlite cluster members have one of the following roles: | 1 | stand-by | yes | no | | 2 | spare | no | no | -## Stop {{product}} Services on All Nodes +## Stop {{product}} services on all nodes Before recovering the cluster, all remaining {{product}} services must be stopped. Use the following command on every node: @@ -62,7 +62,7 @@ must be stopped. Use the following command on every node: sudo snap stop k8s ``` -## Recover the Database +## Recover the database Choose one of the remaining alive cluster nodes that has the most recent version of the Raft log. @@ -73,7 +73,7 @@ Update the ``cluster.yaml`` files, changing the role of the lost nodes to files were moved across nodes. The following command guides us through the recovery process, prompting a text -editor with informative inline comments for each of the dqlite configuration +editor with informative inline comments for each of the Dqlite configuration files. ``` 
@@ -112,11 +112,12 @@ sudo snap start k8s ``` Ensure that the services started successfully by using -``sudo snap services k8s``. Use ``k8s status --wait-ready`` to wait for the +``sudo snap services k8s``. Use ``sudo k8s status --wait-ready`` to wait for the cluster to become ready. You may notice that we have not returned to an HA cluster yet: ``high availability: no``. This is expected as we need to recover +the remaining nodes. ## Recover the remaining nodes diff --git a/docs/src/snap/howto/security/cis-assessment.md b/docs/src/snap/howto/security/cis-assessment.md index 0cbd625f8..153657a9f 100644 --- a/docs/src/snap/howto/security/cis-assessment.md +++ b/docs/src/snap/howto/security/cis-assessment.md @@ -4,7 +4,7 @@ CIS Hardening refers to the process of implementing security configurations that align with the benchmarks set by the [Center for Internet Security (CIS)]. Out of the box {{product}} complies with the majority of the recommended CIS security configurations. Since implementing all security recommendations -would comes at the expense of compatibility and/or performance we expect +would come at the expense of compatibility and/or performance we expect cluster administrators to follow post deployment hardening steps based on their needs. This guide covers: @@ -38,7 +38,7 @@ Download the latest [kube-bench release] on your Kubernetes nodes. Make sure to select the appropriate binary version. For example, to download the Linux binary, use the following command. Replace -`KB` by the version listed in the releases page. +`KB` by the version listed in the releases page: ``` KB=8.0 @@ -54,7 +54,7 @@ tar -xvf kube-bench_0.$KB\_linux_amd64.tar.gz sudo mv kube-bench /usr/local/bin/ ``` -Verify kube-bench installation. +Verify kube-bench installation: ``` kube-bench version 
@@ -62,7 +62,7 @@ kube-bench version The output should list the version installed. -Install `kubectl` and configure it to interact with the cluster. +Install `kubectl` and configure it to interact with the cluster: ```{warning} This will override your ~/.kube/config if you already have kubectl installed in your cluster. @@ -144,9 +144,9 @@ and, when possible, provide information on how to comply with each one manually. This can be used for manually auditing the CIS hardening state of a cluster. -### Control Plane Security Configuration +### Control plane security configuration -#### Control Plane Node Configuration Files +#### Control plane node configuration files ##### CIS Control 1.1.1 @@ -1662,7 +1662,7 @@ AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES _256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384 ``` -#### Controller Manager +#### Controller manager ##### CIS Control 1.3.1 @@ -1928,9 +1928,9 @@ and restart the kube-scheduler service ---bind-address=127.0.0.1 ``` -### Datastore Node Configuration +### Datastore node configuration -#### Datastore Node Configuration +#### Datastore node configuration ##### CIS Control 2.1 @@ -2065,9 +2065,9 @@ communication uses certificates created upon cluster setup. -### Control Plane Configuration +### Control plane configuration -#### Authentication and Authorization +#### Authentication and authorization ##### CIS Control 3.1.1 @@ -2137,9 +2137,9 @@ is recommended (the most basic level of logging). -### Worker Node Security Configuration +### Worker node security configuration -#### Worker Node Configuration Files +#### Worker node configuration files ##### CIS Control 4.1.1 @@ -2868,9 +2868,9 @@ H_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 ``` -### Kubernetes Policies +### Kubernetes policies -#### RBAC and Service Accounts +#### RBAC and service accounts ##### CIS Control 5.1.1 
@@ -2991,7 +2991,7 @@ Where possible, remove the impersonate, bind and escalate rights from subjects. -#### Pod Security Standards +#### Pod security standards ##### CIS Control 5.2.1 / DISA STIG V-254800 @@ -3188,7 +3188,7 @@ workloads to restrict the admission of containers which use `hostPort` sections. -#### Network Policies and CNI +#### Network policies and CNI ##### CIS Control 5.3.1 @@ -3219,7 +3219,7 @@ Follow the documentation and create NetworkPolicy objects as you need them. -#### Secrets Management +#### Secrets management ##### CIS Control 5.4.1 @@ -3250,7 +3250,7 @@ cloud provider or a third-party secrets management solution. -#### Extensible Admission Control +#### Extensible admission control ##### CIS Control 5.5.1 @@ -3266,7 +3266,7 @@ Follow the Kubernetes documentation and setup image provenance. -#### General Policies +#### General policies ##### CIS Control 5.7.1 diff --git a/docs/src/snap/howto/security/disa-stig-assessment.md b/docs/src/snap/howto/security/disa-stig-assessment.md index 01d187e4b..d3a97f651 100644 --- a/docs/src/snap/howto/security/disa-stig-assessment.md +++ b/docs/src/snap/howto/security/disa-stig-assessment.md @@ -49,7 +49,7 @@ administrator or a user policy needs to be followed. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes Controller Manager is a background process that embeds core > control loops regulating cluster system state through the API Server. Every @@ -110,7 +110,7 @@ The final line of the output will be `PASS`. #### Class: Manual -#### Upstream Finding Description: +#### Upstream finding description: > Creating namespaces for user-managed resources is important when implementing > Role-Based Access Controls (RBAC). RBAC allows for the authorization of users 
@@ -142,7 +142,7 @@ The final line of the output will be `PASS`. #### Class: Not Applicable -#### Upstream Finding Description: +#### Upstream finding description: > By default, the API server will listen on two ports. One port is the secure > port and the other port is called the "localhost port". This port is also @@ -179,7 +179,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubelet serves a small REST API with read access to port 10255. The read-only > port for Kubernetes provides no authentication or authorization security @@ -244,7 +244,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > By default, the API server will listen on two ports and addresses. One > address is the secure address and the other address is called the "insecure @@ -312,7 +312,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes API Server controls Kubernetes via an API interface. A user > who has access to the API essentially has root access to the entire @@ -377,7 +377,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > A user who has access to the Kubelet essentially has root access to the nodes > contained within the Kubernetes Control Plane. To control access, users must @@ -447,7 +447,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubelet is the primary agent on each node. The API server communicates with > each kubelet to perform tasks such as starting/stopping pods. By default, 
@@ -514,7 +514,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Allowing kubelet to set a staticPodPath gives containers with root access > permissions to traverse the hosting filesystem. The danger comes when the @@ -585,7 +585,7 @@ The final line of the output will be `PASS`. #### Class: Manual -#### Upstream Finding Description: +#### Upstream finding description: > Secrets, such as passwords, keys, tokens, and certificates should not be > stored as environment variables. These environment variables are accessible @@ -613,7 +613,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > System kernel is responsible for memory, disk, and task management. The > kernel provides a gateway between the system hardware and software. @@ -680,7 +680,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Enabling the admissions webhook allows for Kubernetes to apply policies > against objects that are to be created, read, updated, or deleted. By @@ -750,7 +750,7 @@ The final line of the output will be `PASS`. #### Class: Not Applicable -#### Upstream Finding Description: +#### Upstream finding description: > Enabling the admissions webhook allows for Kubernetes to apply policies > against objects that are to be created, read, updated, or deleted. By @@ -782,7 +782,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes basic authentication sends and receives request containing > username, uid, groups, and other fields over a clear text HTTP communication. 
@@ -845,7 +845,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes token authentication uses password known as secrets in a plain > text file. This file contains sensitive information such as token, username @@ -911,7 +911,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes control plane and external communication is managed by API Server. > The main implementation of the API Server is to manage hardware resources for @@ -1036,7 +1036,7 @@ The final line of the output will be `PASS`. #### Class: Manual -#### Upstream Finding Description: +#### Upstream finding description: > An admission controller intercepts and processes requests to the Kubernetes > API prior to persistence of the object, but after the request is @@ -1072,7 +1072,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > PodSecurity admission controller is a component that validates and enforces > security policies for pods running within a Kubernetes cluster. It is @@ -1146,7 +1146,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes Controller Manager will prohibit the use of SSL and > unauthorized versions of TLS protocols to properly secure communication. @@ -1207,7 +1207,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes Scheduler will prohibit the use of SSL and unauthorized > versions of TLS protocols to properly secure communication. 
@@ -1267,7 +1267,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes API Server will prohibit the use of SSL and unauthorized > versions of TLS protocols to properly secure communication. @@ -1324,7 +1324,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes etcd will prohibit the use of SSL and unauthorized versions of TLS > protocols to properly secure communication. @@ -1464,7 +1464,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes API Server will prohibit the use of SSL and unauthorized > versions of TLS protocols to properly secure communication. @@ -1535,7 +1535,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > To mitigate the risk of unauthorized access to sensitive information by > entities that have been issued certificates by DOD-approved PKIs, all DOD @@ -1609,7 +1609,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Limiting the number of attack vectors and implementing authentication and > encryption on the endpoints available to external sources is paramount when @@ -1670,7 +1670,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Limiting the number of attack vectors and implementing authentication and > encryption on the endpoints available to external sources is paramount when 
@@ -1728,7 +1728,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > By default, the API server will listen on what is rightfully called the > secure port, port 6443. Any requests to this port will perform authentication @@ -1793,7 +1793,7 @@ The final line of the output will be `PASS`. #### Class: Not Applicable -#### Upstream Finding Description: +#### Upstream finding description: > Worker Nodes are maintained and monitored by the Control Plane. Direct access > and manipulation of the nodes should not take place by administrators. Worker @@ -1822,7 +1822,7 @@ The final line of the output will be `PASS`. #### Class: Not Applicable -#### Upstream Finding Description: +#### Upstream finding description: > Worker Nodes are maintained and monitored by the Control Plane. Direct access > and manipulation of the nodes must not take place by administrators. Worker @@ -1851,7 +1851,7 @@ The final line of the output will be `PASS`. #### Class: Not Applicable -#### Upstream Finding Description: +#### Upstream finding description: > While the Kubernetes dashboard is not inherently insecure on its own, it is > often coupled with a misconfiguration of Role-Based Access control (RBAC) @@ -1883,7 +1883,7 @@ The final line of the output will be `PASS`. #### Class: Not Applicable -#### Upstream Finding Description: +#### Upstream finding description: > One of the tools heavily used to interact with containers in the Kubernetes > cluster is kubectl. The command is the tool System Administrators used to @@ -1918,7 +1918,7 @@ The final line of the output will be `PASS`. #### Class: Not Applicable -#### Upstream Finding Description: +#### Upstream finding description: > Protecting the audit data from change or deletion is important when an attack > occurs. One way an attacker can cover their tracks is to change or delete 
@@ -1955,7 +1955,7 @@ The final line of the output will be `PASS`. #### Class: Not Applicable -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes allows a user to configure kubelets with dynamic configurations. > When dynamic configuration is used, the kubelet will watch for changes to the @@ -1988,7 +1988,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes allows alpha API calls within the API server. The alpha features > are disabled by default since they are not ready for production and likely to @@ -2050,7 +2050,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > When Kubernetes is started, components and user services are started for > auditing startup events, and events for components and services, it is @@ -2112,7 +2112,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Within Kubernetes, audit data for all components is generated by the API > server. This audit data is important when there are issues, to include @@ -2193,7 +2193,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes allows for the overriding of hostnames. Allowing this feature to > be implemented within the kubelets may break the TLS setup between the @@ -2252,7 +2252,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The manifest files contain the runtime configuration of the API server, > proxy, scheduler, controller, and etcd. If an attacker can gain access to 
@@ -2322,7 +2322,7 @@ start with `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The kubelet configuration file contains the runtime configuration of the > kubelet service. If an attacker can gain access to this file, changes can be @@ -2428,7 +2428,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The kubelet configuration file contains the runtime configuration of the > kubelet service. If an attacker can gain access to this file, changes can be @@ -2535,7 +2535,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The manifest files contain the runtime configuration of the API server, > scheduler, controller, and etcd. If an attacker can gain access to these @@ -2597,7 +2597,7 @@ start with `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes profiling provides the ability to analyze and troubleshoot > Controller Manager events over a web interface on a host port. Enabling this @@ -2656,7 +2656,7 @@ The final line of the output will be `PASS`. #### Class: Manual -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes API Server PPSs must be controlled and conform to the PPSM CAL. > Those PPS that fall outside the PPSM CAL must be blocked. Instructions on the @@ -2682,7 +2682,7 @@ The final line of the output will be `PASS`. #### Class: Manual -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes Scheduler PPS must be controlled and conform to the PPSM CAL. > Those ports, protocols, and services that fall outside the PPSM CAL must be 
@@ -2709,7 +2709,7 @@ The final line of the output will be `PASS`. #### Class: Manual -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes Controller ports, protocols, and services must be controlled and > conform to the PPSM CAL. Those PPS that fall outside the PPSM CAL must be @@ -2736,7 +2736,7 @@ The final line of the output will be `PASS`. #### Class: Not Applicable -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes etcd PPS must be controlled and conform to the PPSM CAL. Those PPS > that fall outside the PPSM CAL must be blocked. Instructions on the PPSM can @@ -2765,7 +2765,7 @@ The final line of the output will be `PASS`. #### Class: Manual -#### Upstream Finding Description: +#### Upstream finding description: > Privileged ports are those ports below 1024 and that require system > privileges for their use. If containers can use these ports, the container @@ -2797,7 +2797,7 @@ The final line of the output will be `PASS`. #### Class: Manual -#### Upstream Finding Description: +#### Upstream finding description: > Separating user functionality from management functionality is a requirement > for all the components within the Kubernetes Control Plane. Without the @@ -2829,7 +2829,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes API server communicates to the kubelet service on the nodes to > deploy, update, and delete resources. If an attacker were able to get between @@ -2893,7 +2893,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes control plane and external communication are managed by API > Server. The main implementation of the API Server is to manage hardware 
@@ -2963,7 +2963,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes container and pod configuration are maintained by Kubelet. Kubelet > agents register nodes with the API Server, mount volume storage, and perform @@ -3036,7 +3036,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes Controller Manager is responsible for creating service > accounts and tokens for the API Server, maintaining the correct number of @@ -3106,7 +3106,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes control plane and external communication is managed by API Server. > The main implementation of the API Server is to manage hardware resources for @@ -3229,7 +3229,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes container and pod configuration are maintained by Kubelet. Kubelet > agents register nodes with the API Server, mount volume storage, and perform @@ -3378,7 +3378,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes container and pod configuration are maintained by Kubelet. Kubelet > agents register nodes with the API Server, mount volume storage, and perform @@ -3450,7 +3450,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes container and pod configuration are maintained by Kubelet. Kubelet > agents register nodes with the API Server, mount volume storage, and perform 
@@ -3520,7 +3520,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes container and pod configuration are maintained by Kubelet. Kubelet > agents register nodes with the API Server, mount volume storage, and perform @@ -3601,7 +3601,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes stores configuration and state information in a distributed > key-value store called etcd. Anyone who can write to etcd can effectively @@ -3745,7 +3745,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes stores configuration and state information in a distributed > key-value store called etcd. Anyone who can write to etcd can effectively @@ -3886,7 +3886,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes stores configuration and state information in a distributed > key-value store called etcd. Anyone who can write to etcd can effectively @@ -4022,7 +4022,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes stores configuration and state information in a distributed > key-value store called etcd. Anyone who can write to etcd can effectively @@ -4164,7 +4164,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes stores configuration and state information in a distributed > key-value store called etcd. Anyone who can write to etcd can effectively 
@@ -4305,7 +4305,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes stores configuration and state information in a distributed key-value store called etcd. Anyone who can write to etcd can effectively @@ -4379,7 +4379,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes stores configuration and state information in a distributed key-value store called etcd. Anyone who can write to etcd can effectively @@ -4450,7 +4450,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes API Server request timeouts sets the duration a request stays open before timing out. Since the API Server is the central component in the @@ -4505,7 +4505,7 @@ The final line of the output will be `PASS`. #### Class: Not Applicable -#### Upstream Finding Description: +#### Upstream finding description: > Previous versions of Kubernetes components that are not removed after updates have been installed may be exploited by adversaries by allowing the @@ -4531,7 +4531,7 @@ always be at the desired security state. #### Class: Not Applicable -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes software must stay up to date with the latest patches, service packs, and hot fixes. Not updating the Kubernetes control plane will expose the @@ -4583,7 +4583,7 @@ authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes manifests are those files that contain the arguments and settings for the Control Plane services. These services are etcd, the api 
@@ -4652,7 +4652,7 @@ start with `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes etcd key-value store provides a way to store data to the Control Plane. If these files can be changed, data to API object and the @@ -4709,7 +4709,7 @@ start with `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes conf files contain the arguments and settings for the Control Plane services. These services are controller and scheduler. If these files can @@ -4754,7 +4754,7 @@ start with `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes Kube Proxy kubeconfig contain the argument and setting for the Control Planes. These settings contain network rules for restricting network @@ -4848,7 +4848,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes Kube Proxy kubeconfig contain the argument and setting for the Control Planes. These settings contain network rules for restricting network @@ -4937,7 +4937,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes kubelet certificate authority file contains settings for the Kubernetes Node TLS certificate authority. Any request presenting a client @@ -5031,7 +5031,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes kube proxy kubeconfig contain the argument and setting for the Control Planes. These settings contain network rules for restricting network 
@@ -5120,7 +5120,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes PKI directory contains all certificates (.crt files) supporting secure network communications in the Kubernetes Control Plane. If @@ -5181,7 +5181,7 @@ start with `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes kubelet agent registers nodes with the API Server, mounts volume storage for pods, and performs health checks to containers within pods. @@ -5265,7 +5265,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes kubelet agent registers nodes with the API server and performs health checks to containers within pods. If these files can be modified, the @@ -5348,7 +5348,7 @@ The final line of the output will be `PASS`. #### Class: Not Applicable -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes kubeeadm.conf contains sensitive information regarding the cluster nodes configuration. If this file can be modified, the Kubernetes @@ -5376,7 +5376,7 @@ the security settings within the document are implemented through this file. #### Class: Not Applicable -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes kubeadm.conf contains sensitive information regarding the cluster nodes configuration. If this file can be modified, the Kubernetes @@ -5404,7 +5404,7 @@ the security settings within the document are implemented through this file. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes kubelet agent registers nodes with the API server and performs health checks to containers within pods. If this file can be modified, the 
@@ -5507,7 +5507,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes kubelet agent registers nodes with the API Server and performs health checks to containers within pods. If this file can be modified, the @@ -5603,7 +5603,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes etcd key-value store provides a way to store data to the Control Plane. If these files can be changed, data to API object and Control @@ -5658,7 +5658,7 @@ start with `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes admin kubeconfig files contain the arguments and settings for the Control Plane services. These services are controller and scheduler. If @@ -5701,7 +5701,7 @@ start with `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes API Server validates and configures pods and services for the API object. The REST operation provides frontend functionality to the cluster share @@ -5758,7 +5758,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes API Server must be set for enough storage to retain log information over the period required. When audit logs are large in size, the @@ -5813,7 +5813,7 @@ equal to `100`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes API Server must set enough storage to retain logs for monitoring suspicious activity and system misconfiguration, and provide 
@@ -5867,7 +5867,7 @@ equal to `10`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes API Server must set enough storage to retain logs for monitoring suspicious activity and system misconfiguration, and provide @@ -5918,7 +5918,7 @@ The output should indicate a `audit-log-maxage` value of 30. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Kubernetes API Server validates and configures pods and services for the API object. The REST operation provides frontend functionality to the cluster share @@ -5972,7 +5972,7 @@ The final line of the output will be `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes PKI directory contains all certificates (.crt files) supporting secure network communications in the Kubernetes Control Plane. If @@ -6018,7 +6018,7 @@ start with `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > The Kubernetes PKI directory contains all certificate key files supporting secure network communications in the Kubernetes Control Plane. If these files @@ -6066,7 +6066,7 @@ start with `PASS`. #### Class: Deployment -#### Upstream Finding Description: +#### Upstream finding description: > Idle connections from the Kubelet can be used by unauthorized users to perform malicious activity to the nodes, pods, containers, and cluster within diff --git a/docs/src/snap/howto/security/hardening.md b/docs/src/snap/howto/security/hardening.md index eab1edc36..96fe7e59e 100644 --- a/docs/src/snap/howto/security/hardening.md +++ b/docs/src/snap/howto/security/hardening.md 
@@ -6,7 +6,7 @@ with industry-standard frameworks such as CIS and DISA STIG. {{product}} aligns with many security recommendations by default. However, since implementing all security recommendations -would comes at the expense of compatibility and/or performance we expect +would come at the expense of compatibility and/or performance we expect cluster administrators to follow post deployment hardening steps based on their needs. @@ -24,7 +24,7 @@ compliance. ``` -## CIS and DISA STIG Hardening +## CIS and DISA STIG hardening To assess compliance to DISA STIG recommendations, please see [DISA STIG assessment page]. diff --git a/docs/src/snap/howto/security/index.md b/docs/src/snap/howto/security/index.md index 90af2a517..aa693abeb 100644 --- a/docs/src/snap/howto/security/index.md +++ b/docs/src/snap/howto/security/index.md @@ -5,7 +5,7 @@ Hardening ``` -We provide administrators with detailed instructions and compliance guidance to +Administrators are provided with detailed instructions and compliance guidance to harden their clusters in accordance with DISA STIG and CIS recommendations. ```{toctree}
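Review bot: In the first disa-stig-assessment.md hunk (`@@ -4652,7 +4652,7 @@`), the sentence-cased heading still carries a trailing colon, `#### Upstream finding description:`, which is unusual for a markdown heading and differs from the neighbouring `#### Class: Deployment`, where the colon separates a label from its value. Since this identical heading is rewritten in every finding hunk of this file, it would be cheap to drop the colon in the same pass, i.e. `#### Upstream finding description`, rather than touching all of these lines again later.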
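Review bot: In hunk `@@ -5348,7 +5348,7 @@`, the sibling heading `#### Class: Not Applicable` keeps title case while `Upstream finding description` is sentence-cased on the next changed line; for consistency with the rest of this commit consider `#### Class: Not applicable` in the same pass. The unchanged context line below it also reads `The Kubernetes kubeeadm.conf contains`, whereas the next hunk (`@@ -5376,7 +5376,7 @@`) has `kubeadm.conf`. If the quoted block is meant to be verbatim upstream STIG text, leave it; otherwise the doubled `e` looks like a typo worth fixing while the file is being edited.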
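Review bot: In the hardening.md hunk `@@ -6,7 +6,7 @@`, the `would comes` to `would come` fix is correct, but the sentence is still a run-on: it needs a comma after the introductory clause, and `post deployment` used as a modifier should be hyphenated. Suggest `would come at the expense of compatibility and/or performance, we expect` and `cluster administrators to follow post-deployment hardening steps based on`.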
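Review bot: In the hardening.md hunk `@@ -24,7 +24,7 @@`, the unchanged context line `To assess compliance to DISA STIG recommendations, please see` uses the wrong preposition; `compliance with` is the idiomatic form. Since the heading on the line above is already being touched, it would be worth correcting this in the same commit.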
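Review bot: In the index.md hunk `@@ -5,7 +5,7 @@`, the new line `Administrators are provided with detailed instructions and compliance guidance to` is 81 characters, which exceeds the 80-column wrapping used by the surrounding lines in these docs (the replaced line was 79). Rewrap so that the trailing `to` moves to the start of the following line, e.g. `Administrators are provided with detailed instructions and compliance guidance` / `to harden their clusters in accordance with DISA STIG and CIS recommendations.`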