CIS Kubernetes Benchmark v1.5.1 # 1.2/1.3/1.4 #9

@hsy3418

1 Control Plane Components

1.2 API Server

Checklist

  • 1.2.1 Ensure that the --anonymous-auth argument is set to false
  • 1.2.2 Ensure that the --basic-auth-file argument is not set
  • 1.2.3 Ensure that the --token-auth-file parameter is not set
  • 1.2.4 Ensure that the --kubelet-https argument is set to true
  • 1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate
  • 1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate
  • 1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow
  • 1.2.8 Ensure that the --authorization-mode argument includes Node
  • 1.2.9 Ensure that the --authorization-mode argument includes RBAC
  • 1.2.10 Ensure that the admission control plugin EventRateLimit is set
  • 1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set
  • 1.2.12 Ensure that the admission control plugin AlwaysPullImages is set
  • 1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
  • 1.2.14 Ensure that the admission control plugin ServiceAccount is set
  • 1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set
  • 1.2.16 Ensure that the admission control plugin PodSecurityPolicy is set
  • 1.2.17 Ensure that the admission control plugin NodeRestriction is set
  • 1.2.18 Ensure that the --insecure-bind-address argument is not set
  • 1.2.19 Ensure that the --insecure-port argument is set to 0

1.3 Controller Manager

  • 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate
  • 1.3.2 Ensure that the --profiling argument is set to false
  • 1.3.3 Ensure that the --use-service-account-credentials argument is set to true
  • 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate
  • 1.3.5 Ensure that the --root-ca-file argument is set as appropriate
  • 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true
  • 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1

1.4 Scheduler

  • 1.4.1 Ensure that the --profiling argument is set to false
  • 1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1
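An added example, not part of this issue or of the benchmark itself, that audits a kube-apiserver command line against the 1.2 items above; the 1.3 and 1.4 controller-manager and scheduler flags follow the same pattern. The command list is constructed, the parser accepts both `--flag=value` and `--flag value` forms, and the defaults noted in comments are assumed from the kube-apiserver flag documentation:

```python
import re

# Constructed sample: the 'command' list from a kube-apiserver static pod manifest.
SAMPLE_APISERVER_CMD = [
    "kube-apiserver", "--anonymous-auth=false", "--authorization-mode=Node,RBAC",
    "--enable-admission-plugins", "NamespaceLifecycle,ServiceAccount,NodeRestriction",
    "--kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt",
    "--kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key", "--insecure-port=0",
]

# '--flag=value' (eq group), '--flag value' (sp group, value must not start with --), or bare '--flag'.
FLAG_RE = re.compile(r"--(?P<k>[\w-]+)(?:=(?P<eq>\S*)|\s+(?!--)(?P<sp>\S+))?")

def parse_flags(cmd):
    """Map flag name -> value; a bare switch maps to None. Values with spaces are not handled."""
    out = {}
    for m in FLAG_RE.finditer(" ".join(cmd)):
        out[m["k"]] = m["eq"] if m["eq"] is not None else m["sp"]
    return out

def csv_set(flags, name):
    return {v for v in (flags.get(name) or "").split(",") if v}

def audit_apiserver(cmd):
    """Return {control id: passed} for checklist section 1.2."""
    f = parse_flags(cmd)
    authz = csv_set(f, "authorization-mode")
    adm = csv_set(f, "enable-admission-plugins")
    disabled = csv_set(f, "disable-admission-plugins")
    return {
        "1.2.1": f.get("anonymous-auth") == "false",           # default is true
        "1.2.2": "basic-auth-file" not in f,
        "1.2.3": "token-auth-file" not in f,
        "1.2.4": f.get("kubelet-https", "true") == "true",    # absent means true
        "1.2.5": bool(f.get("kubelet-client-certificate") and f.get("kubelet-client-key")),
        "1.2.6": bool(f.get("kubelet-certificate-authority")),
        "1.2.7": "AlwaysAllow" not in authz,
        "1.2.8": "Node" in authz,
        "1.2.9": "RBAC" in authz,
        "1.2.10": "EventRateLimit" in adm,
        "1.2.11": "AlwaysAdmit" not in adm,
        "1.2.12": "AlwaysPullImages" in adm,
        "1.2.13": "PodSecurityPolicy" in adm or "SecurityContextDeny" in adm,
        "1.2.14": "ServiceAccount" not in disabled,            # enabled by default
        "1.2.15": "NamespaceLifecycle" not in disabled,        # enabled by default
        "1.2.16": "PodSecurityPolicy" in adm,
        "1.2.17": "NodeRestriction" in adm,
        "1.2.18": "insecure-bind-address" not in f,
        "1.2.19": f.get("insecure-port") == "0",
    }
```

Run against the sample, the audit passes the authentication, authorization and insecure-port items and fails 1.2.6, 1.2.10, 1.2.12, 1.2.13 and 1.2.16, which is the kind of gap list a manual review of a manifest would produce.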
