Repository: aquasecurity/kube-bench
Branch: main
Commit: e4f7b7de225b
Files: 344
Total size: 3.5 MB

Directory structure:
gitextract_nozolvbr/

├── .github/
│   ├── ISSUE_TEMPLATE/
│   │   ├── bug_report.md
│   │   └── config.yml
│   ├── dependabot.yml
│   └── workflows/
│       ├── build.yml
│       ├── mkdocs-deploy.yaml
│       ├── publish.yml
│       └── release.yml
├── .gitignore
├── .golangci.yaml
├── .goreleaser.yml
├── .yamllint.yaml
├── CONTRIBUTING.md
├── Dockerfile
├── Dockerfile.fips.ubi
├── Dockerfile.ubi
├── LICENSE
├── NOTICE
├── OWNERS
├── README.md
├── cfg/
│   ├── ack-1.0/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── managedservices.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── aks-1.0/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── managedservices.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── aks-1.7/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── managedservices.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── aks-1.8/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── managedservices.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── cis-1.10/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── cis-1.11/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── cis-1.12/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── cis-1.20/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── cis-1.23/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── cis-1.24/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── cis-1.24-microk8s/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── cis-1.5/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── cis-1.6/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── cis-1.6-k3s/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── cis-1.7/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── cis-1.8/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── cis-1.9/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── config.yaml
│   ├── eks-1.0.1/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── managedservices.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── eks-1.1.0/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── managedservices.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── eks-1.2.0/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── managedservices.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── eks-1.5.0/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── managedservices.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── eks-1.7.0/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── managedservices.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── eks-1.8.0/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── managedservices.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── eks-stig-kubernetes-v1r6/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── managedservices.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── gke-1.0/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── managedservices.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── gke-1.2.0/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── managedservices.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── gke-1.6.0/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── managedservices.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── gke-1.8.0/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── managedservices.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── k3s-cis-1.23/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── k3s-cis-1.24/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── k3s-cis-1.7/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── k3s-cis-1.8/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── rh-0.7/
│   │   ├── config.yaml
│   │   ├── master.yaml
│   │   └── node.yaml
│   ├── rh-1.0/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── rh-1.4/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── rh-1.8/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── rke-cis-1.23/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── rke-cis-1.24/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── rke-cis-1.7/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── rke2-cis-1.23/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── rke2-cis-1.24/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── rke2-cis-1.7/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   ├── rke2-cis-1.8/
│   │   ├── config.yaml
│   │   ├── controlplane.yaml
│   │   ├── etcd.yaml
│   │   ├── master.yaml
│   │   ├── node.yaml
│   │   └── policies.yaml
│   └── tkgi-1.2.53/
│       ├── config.yaml
│       ├── controlplane.yaml
│       ├── etcd.yaml
│       ├── master.yaml
│       ├── node.yaml
│       └── policies.yaml
├── check/
│   ├── check.go
│   ├── check_test.go
│   ├── controls.go
│   ├── controls_test.go
│   ├── data
│   ├── test.go
│   └── test_test.go
├── cmd/
│   ├── common.go
│   ├── common_test.go
│   ├── database.go
│   ├── kubernetes_version.go
│   ├── kubernetes_version_test.go
│   ├── root.go
│   ├── run.go
│   ├── run_test.go
│   ├── securityHub.go
│   ├── testdata/
│   │   ├── controlsCollection.json
│   │   ├── passedControlsCollection.json
│   │   ├── result.json
│   │   └── result_no_totals.json
│   ├── util.go
│   ├── util_test.go
│   └── version.go
├── codecov.yml
├── docs/
│   ├── architecture.md
│   ├── asff.md
│   ├── controls.md
│   ├── flags-and-commands.md
│   ├── index.md
│   ├── installation.md
│   ├── platforms.md
│   └── running.md
├── entrypoint.sh
├── fipsonly.go
├── go.mod
├── go.sum
├── hack/
│   ├── debug.yaml
│   ├── kind-stig.test.yaml
│   ├── kind-stig.yaml
│   ├── kind.yaml
│   └── node_only.yaml
├── helper_scripts/
│   └── check_files_owner_in_dir.sh
├── hooks/
│   └── build
├── integration/
│   └── testdata/
│       ├── Expected_output.data
│       └── Expected_output_stig.data
├── internal/
│   └── findings/
│       ├── doc.go
│       └── publisher.go
├── job-ack.yaml
├── job-aks.yaml
├── job-eks-asff.yaml
├── job-eks-stig.yaml
├── job-eks.yaml
├── job-gke.yaml
├── job-iks.yaml
├── job-master.yaml
├── job-node.yaml
├── job-tkgi.yaml
├── job.yaml
├── main.go
├── makefile
└── mkdocs.yml

================================================
FILE CONTENTS
================================================

================================================
FILE: .github/ISSUE_TEMPLATE/bug_report.md
================================================
---
name: Bug report
about: Tell us about a problem you are experiencing
---

**Overview**

[A clear and concise description of what the bug is] 

**How did you run kube-bench?**

[Please specify exactly how you ran kube-bench, including details of command parameters and/or job file that you used to run it]

**What happened?**

[Please include output from the report to illustrate the problem. If possible please supply logs generated with the `-v 3` parameter.]

**What did you expect to happen:**

[Please describe what you expected to happen differently.]

**Environment** 

[What is your version of kube-bench? (run `kube-bench version`)]

[What is your version of Kubernetes? (run `kubectl version` or `oc version` on OpenShift.)]

**Running processes**

[Please include the output from running `ps -eaf | grep kube` on the affected node. This will allow us to check what Kubernetes processes are running, and how this compares to what kube-bench detected.]

**Configuration files**

[If kube-bench is reporting an issue related to the settings defined in a config file, please attach the file, or include an extract showing the settings that are being detected incorrectly.]

**Anything else you would like to add:**

[Miscellaneous information that will assist in solving the issue.]


================================================
FILE: .github/ISSUE_TEMPLATE/config.yml
================================================
---
blank_issues_enabled: false
contact_links:
  - name: Feature request
    url: https://github.com/aquasecurity/kube-bench/discussions/new?category_id=19113743
    about: Share ideas for new features
  - name: Ask a question
    url: https://github.com/aquasecurity/kube-bench/discussions/new?category_id=19113742
    about: Ask questions and discuss with other community members


================================================
FILE: .github/dependabot.yml
================================================
---
version: 2
updates:
  - package-ecosystem: gomod
    directory: /
    schedule:
      interval: weekly
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
  - package-ecosystem: docker
    directory: /
    schedule:
      interval: weekly


================================================
FILE: .github/workflows/build.yml
================================================
---
# CI for pushes to main and for pull requests: lint, unit tests, an e2e run against a
# KIND cluster, and a goreleaser dry-run. Nothing in this workflow publishes artifacts.
# NOTE(review): no top-level `permissions:` block, so GITHUB_TOKEN gets the repository
# default; no job in this file needs more than `contents: read`.
name: Build
on:
  push:
    branches:
      - main
    paths-ignore:
      - "*.md"
      - "LICENSE"
      - "NOTICE"
  pull_request:
    paths-ignore:
      - "*.md"
      - "LICENSE"
      - "NOTICE"
env:
  KIND_VERSION: "v0.11.1"
  # Pinned by digest as well as tag, so the e2e cluster is reproducible and its
  # output can be diffed against the checked-in expectation below.
  KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"

jobs:
  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        # NOTE(review): pinned to a mutable tag, while setup-go is pinned to a commit
        # SHA. The other third-party actions in this file (yamllint, golangci-lint,
        # codecov, setup-kind, diff-action, goreleaser) are tag-pinned too.
        uses: actions/checkout@v6
      - name: Setup Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: go.mod
      - name: yaml-lint
        uses: ibiqlik/action-yamllint@v3
      - name: Setup golangci-lint
        # The linter set comes from .golangci.yaml at the repository root.
        uses: golangci/golangci-lint-action@v8
        with:
          version: v2.5.0
          args: --verbose --timeout 2m
  unit:
    name: Unit tests
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Setup Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: go.mod
      - name: Run unit tests
        run: make tests
      - name: Upload code coverage
        # No upload token is passed to this step; it also runs for pull requests.
        uses: codecov/codecov-action@v5
        with:
          file: ./coverage.txt
  e2e:
    name: E2e tests
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Setup Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: go.mod
      - name: Setup Kubernetes cluster (KIND)
        uses: engineerd/setup-kind@v0.6.2
        with:
          version: ${{ env.KIND_VERSION }}
          image: ${{ env.KIND_IMAGE }}
          name: kube-bench
      - name: Test connection to Kubernetes cluster
        run: |
          kubectl cluster-info
          kubectl describe node
      - name: Run integration tests
        # The compare step below reads ./test.data, which this target is expected to produce.
        run: |
          make integration-test
      - name: Compare output with expected output
        # Fails the job when the live run's output drifts from the committed golden file.
        uses: GuillaumeFalourd/diff-action@v1
        with:
          first_file_path: ./test.data
          second_file_path: integration/testdata/Expected_output.data
          expected_result: PASSED
  release:
    name: Release snapshot
    runs-on: ubuntu-latest
    needs: [e2e, unit]
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          # Full history, presumably so goreleaser can see existing tags.
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: go.mod
      - name: Dry-run release snapshot
        # --snapshot with --skip-publish: builds the release artifacts but pushes nothing.
        uses: goreleaser/goreleaser-action@v7
        with:
          distribution: goreleaser
          version: v1.7.0
          args: release --snapshot --skip-publish --rm-dist


================================================
FILE: .github/workflows/mkdocs-deploy.yaml
================================================
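---
# This is a manually triggered workflow to build and publish the MkDocs from the
# main branch to GitHub pages at https://aquasecurity.github.io/kube-bench.
name: Deploy documentation

on:
  workflow_dispatch:
    inputs:
      version:
        # Passed to `mike deploy` as the version name. It is user-supplied, so the
        # deploy step reads it from an environment variable instead of splicing the
        # expression into the shell script text.
        description: Version to be deployed
        required: true

jobs:
  deploy:
    name: Deploy documentation
    runs-on: ubuntu-latest
    steps:
      - name: Checkout main
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          # `mike deploy --push` writes the gh-pages branch, so the checkout token
          # has to remain in .git/config for the later step.
          persist-credentials: true
      - uses: actions/setup-python@v6
        with:
          python-version: 3.x
      - run: |
          pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
          pip install mike
          pip install mkdocs-macros-plugin
        env:
          # Note: It is not the same as ${{ secrets.GITHUB_TOKEN }} !
          # NOTE(review): the token is embedded in the pip URL; if the install fails,
          # the URL can appear in pip's error output and thus in the job log (GitHub
          # masks registered secrets, but only on exact matches).
          GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
      - run: |
          git config user.name "aqua-bot"
          git config user.email "aqua-bot@users.noreply.github.com"
      - run: |
          mike deploy --push --update-aliases "$VERSION" latest
        env:
          # The workflow input reaches the shell only as an environment variable,
          # so a value containing shell metacharacters is data, not a command.
          VERSION: ${{ github.event.inputs.version }}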


================================================
FILE: .github/workflows/publish.yml
================================================
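---
# Builds and pushes the multi-arch kube-bench images (default, UBI, FIPS UBI) to Docker Hub
# and public ECR. Runs on v* tags or on a manual dispatch.
# NOTE(review): a workflow_dispatch run from a non-tag ref still pushes the unconditional
# `:latest` tags below; gating them on `startsWith(github.ref, 'refs/tags/')` would avoid that.
name: Publish
on:
  workflow_dispatch:
  push:
    tags:
      - "v*"
env:
  ALIAS: aquasecurity
  DOCKERHUB_ALIAS: aquasec
  REP: kube-bench

jobs:
  publish:
    name: Publish
    runs-on: ubuntu-latest
    steps:
      - name: Check Out Repo
        uses: actions/checkout@v6
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v4
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v4
      - name: Cache Docker layers
        uses: actions/cache@v5
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildxarch-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildxarch-
      - name: Login to Docker Hub
        uses: docker/login-action@v4
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Login to ECR
        # Long-lived IAM access keys stored as repository secrets; OIDC via
        # aws-actions/configure-aws-credentials would remove the stored credential.
        uses: docker/login-action@v4
        with:
          registry: public.ecr.aws
          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
      - name: Get version
        id: get_version
        uses: crazy-max/ghaction-docker-meta@v5
        with:
          images: ${{ env.REP }}
          tag-semver: |
            {{version}}
      - name: Extract variables from makefile (kubectl)
        id: extract_vars
        # Reads `KUBECTL_VERSION ?= ...` from the makefile so the image and the
        # build recipe always bundle the same kubectl.
        run: |
          echo "KUBECTL_VERSION=$(grep -oP '^KUBECTL_VERSION\s*\?=\s*\K.*' makefile)" >> $GITHUB_ENV
      - name: Build and push - Docker/ECR
        id: docker_build
        uses: docker/build-push-action@v7
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
          builder: ${{ steps.buildx.outputs.name }}
          push: true
          build-args: |
            KUBEBENCH_VERSION=${{ steps.get_version.outputs.version }}
            KUBECTL_VERSION=${{ env.KUBECTL_VERSION }}
          tags: |
            ${{ env.DOCKERHUB_ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}
            public.ecr.aws/${{ env.ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}
            ${{ env.DOCKERHUB_ALIAS }}/${{ env.REP }}:latest
            public.ecr.aws/${{ env.ALIAS }}/${{ env.REP }}:latest
          cache-from: type=local,src=/tmp/.buildx-cache/release
          cache-to: type=local,mode=max,dest=/tmp/.buildx-cache/release

      - name: Build and push ubi image - Docker/ECR
        id: docker_build_ubi
        uses: docker/build-push-action@v7
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
          builder: ${{ steps.buildx.outputs.name }}
          push: true
          file: Dockerfile.ubi
          build-args: |
            KUBEBENCH_VERSION=${{ steps.get_version.outputs.version }}
            KUBECTL_VERSION=${{ env.KUBECTL_VERSION }}
          tags: |
            ${{ env.DOCKERHUB_ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi
            public.ecr.aws/${{ env.ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi
          cache-from: type=local,src=/tmp/.buildx-cache/release
          cache-to: type=local,mode=max,dest=/tmp/.buildx-cache/release
      - name: Image digest
        # Digest of the default (alpine) image from the `docker_build` step; the UBI
        # image's digest is not reported anywhere in this workflow.
        run: echo ${{ steps.docker_build.outputs.digest }}

      - name: Build and push fips ubi image - Docker/ECR
        id: docker_build_fips_ubi
        uses: docker/build-push-action@v7
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
          builder: ${{ steps.buildx.outputs.name }}
          push: true
          file: Dockerfile.fips.ubi
          build-args: |
            KUBEBENCH_VERSION=${{ steps.get_version.outputs.version }}
            KUBECTL_VERSION=${{ env.KUBECTL_VERSION }}
          tags: |
            ${{ env.DOCKERHUB_ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi-fips
            public.ecr.aws/${{ env.ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi-fips
          cache-from: type=local,src=/tmp/.buildx-cache/release
          cache-to: type=local,mode=max,dest=/tmp/.buildx-cache/release
      - name: Image digest
        # Digest of the FIPS UBI image built in the previous step (not the default image).
        run: echo ${{ steps.docker_build_fips_ubi.outputs.digest }}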


================================================
FILE: .github/workflows/release.yml
================================================
---
# Tag-triggered (v*) release: re-runs unit and e2e tests on the tagged commit, then
# publishes with goreleaser.
# NOTE(review): no `permissions:` block; the final step needs `contents: write` to
# create the GitHub release, the earlier steps need only `contents: read`.
name: Release
on:
  push:
    tags:
      - "v*"
env:
  KIND_VERSION: "v0.11.1"
  # Digest-pinned node image; keep in sync with build.yml so both workflows test the same cluster.
  KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"

jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        # Tag-pinned, unlike setup-go below (commit-pinned); setup-kind, diff-action
        # and goreleaser-action in this file are tag-pinned as well.
        uses: actions/checkout@v6
        with:
          # Full history, presumably so goreleaser can see earlier tags for the changelog.
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: go.mod
      - name: Run unit tests
        run: make tests
      - name: Setup Kubernetes cluster (KIND)
        uses: engineerd/setup-kind@v0.6.2
        with:
          version: ${{ env.KIND_VERSION }}
          image: ${{ env.KIND_IMAGE }}
          name: kube-bench
      - name: Test connection to Kubernetes cluster
        run: |
          kubectl cluster-info
          kubectl describe node
      - name: Run integration tests
        # The compare step below reads ./test.data, which this target is expected to produce.
        run: |
          make integration-test
      - name: Compare output with expected output
        # A release is blocked if the live run's output drifts from the committed golden file.
        uses: GuillaumeFalourd/diff-action@v1
        with:
          first_file_path: ./test.data
          second_file_path: integration/testdata/Expected_output.data
          expected_result: PASSED
      - name: Release
        uses: goreleaser/goreleaser-action@v7
        with:
          distribution: goreleaser
          version: v1.7.0
          args: release --rm-dist
        env:
          # Used by goreleaser to create the GitHub release and upload the artifacts.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}


================================================
FILE: .gitignore
================================================
kube-bench
*.swp
vendor
dist
.vscode/
hack/kind.test.yaml
coverage.txt

.idea/

# Directory junk file
.DS_Store
thumbs.db
/kubeconfig.kube-bench
/test.data
*.iml

================================================
FILE: .golangci.yaml
================================================
# golangci-lint v2 configuration, run by the Lint job in .github/workflows/build.yml.
version: "2"
linters:
  # Opt-in: only the three linters listed under `enable` run.
  default: none
  enable:
    - gocyclo
    - govet
    - misspell
  # NOTE(review): no security-oriented linter (e.g. gosec) is enabled, so the CI
  # lint step catches vet/complexity/spelling issues only.
  exclusions:
    generated: lax
    presets:
      - comments
      - common-false-positives
      - legacy
      - std-error-handling
    paths:
      - third_party$
      - builtin$
      - examples$
formatters:
  enable:
    - gofmt
    - goimports
  exclusions:
    generated: lax
    paths:
      - third_party$
      - builtin$
      - examples$


================================================
FILE: .goreleaser.yml
================================================
---
project_name: kube-bench
env:
  - GO111MODULE=on
  # No cgo, so the binaries are fully static and independent of the host libc.
  - CGO_ENABLED=0
  # Baked into the binary as the default config directory (see the -X ldflag below);
  # must match the `dst` paths under nfpms.contents.
  - KUBEBENCH_CFG=/etc/kube-bench/cfg
builds:
  - main: .
    binary: kube-bench
    tags:
      - osusergo
      - netgo
      - static_build
    goos:
      - linux
      - darwin
    goarch:
      - amd64
      - arm
      - arm64
      - ppc64le
      - s390x
    goarm:
      - 6
      - 7
    ldflags:
      # -s/-w drop the symbol table and DWARF debug info from the shipped binary.
      - "-s"
      - "-w"
      - "-extldflags '-static'"
      # Stamp the release version and the config directory into package cmd at link time.
      - "-X github.com/aquasecurity/kube-bench/cmd.KubeBenchVersion={{.Version}}"
      - "-X github.com/aquasecurity/kube-bench/cmd.cfgDir={{.Env.KUBEBENCH_CFG}}"
# Archive customization
archives:
  - id: default
    format: tar.gz
    name_template: '{{ .Binary }}_{{.Version}}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{.Arm }}{{ end }}'
    # The benchmark definitions ship alongside the binary; the tarball user points
    # kube-bench at them (the /etc/kube-bench/cfg default only exists for the packages).
    files:
      - "cfg/**/*"
      - "cfg/config.yaml"
nfpms:
  -
    vendor: Aqua Security
    description: "The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices"
    maintainer: Yoav Rotem <yoav.rotem@aquasec.com>
    license: Apache-2.0
    homepage: https://github.com/aquasecurity/kube-bench
    file_name_template: '{{ .Binary }}_{{.Version}}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{.Arm }}{{ end }}'
    # Installs cfg/ at the path compiled in via KUBEBENCH_CFG above.
    contents:
      - src: "cfg/**/*"
        dst: "/etc/kube-bench/cfg"
      - src: "cfg/config.yaml"
        dst: "/etc/kube-bench/cfg/config.yaml"
    formats:
      - deb
      - rpm
changelog:
  sort: asc
  filters:
    exclude:
      - '^docs'
      - '^test'
      - '^release'


================================================
FILE: .yamllint.yaml
================================================
---
extends: default

rules:
  line-length: disable
  truthy: disable


================================================
FILE: CONTRIBUTING.md
================================================
Thank you for taking an interest in contributing to kube-bench!

## Contributing, bug reporting, opening issues and starting discussions

### Issues

- Feel free to open an issue for any reason as long as you make it clear if the issue is about a bug/feature/question/comment.
- Please spend some time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
- Remember, users might be searching for your issue in the future. So please give it a meaningful title to help others.
- The issue should clearly explain the reason for opening the proposal if you have any, along with any relevant technical information.
- For questions and bug reports, please include the following information:
  - version of kube-bench you are running (from kube-bench version) along with the command line options you are using.
  - version of Kubernetes you are running (from kubectl version or oc version for OpenShift).
  - Verbose log output, by setting the `-v 3` command line option.

### Bugs

If you think you have found a bug please follow the instructions below.

- Open a [new bug](https://github.com/aquasecurity/kube-bench/issues/new?assignees=&labels=&template=bug_report.md) if a duplicate doesn't already exist.
- Make sure to give as much information as possible in the following questions
  - Overview
  - How did you run kube-bench?
  - What happened?
  - What did you expect to happen
  - Environment
  - Running processes
  - Configuration files
  - Anything else you would like to add
- Set `-v 3` command line option and save the log output. Please paste this into your issue.


### Features

We also use the GitHub discussions to track feature requests. If you have an idea to make kube-bench even more awesome follow the steps below.

- Open a [new discussion](https://github.com/aquasecurity/kube-bench/discussions/new?category_id=19113743) if a duplicate doesn't already exist.
- Remember users might be searching for your discussion in the future, so please give it a meaningful title to help others.
- Clearly define the use case, using concrete examples. For example, I type `this` and kube-bench does `that`.
- If you would like to include a technical design for your feature please feel free to do so.

### Questions

We also use GitHub discussions for Q&A.

- Open a [new discussion](https://github.com/aquasecurity/kube-bench/discussions/new) if a duplicate doesn't already exist.
- Remember users might be searching for your discussion in the future, so please give it a meaningful title to help others.


### Pull Requests

We welcome pull requests!
- Every Pull Request should have an associated Issue, unless you are fixing a trivial documentation issue.
- We will not accept changes to LICENSE, NOTICE or CONTRIBUTING from outside the Aqua Security team. Please raise an Issue if you believe there is a problem with any of these files. 
- Your PR is more likely to be accepted if it focuses on just one change.
- Describe what the PR does. There's no convention enforced, but please try to be concise and descriptive. Treat the PR description as a commit message. Titles that start with "fix"/"add"/"improve"/"remove" are good examples.
- Please add the associated Issue in the PR description.
- Please include a comment with the results before and after your change.
- There's no need to add or tag reviewers.
- If a reviewer commented on your code or asked for changes, please remember to mark the discussion as resolved after you address it. PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
- Please include a comment with the results before and after your change.
- Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
- You're welcome to submit a draft PR if you would like early feedback on an idea or an approach.
- Happy coding!

## Testing locally with kind

Our makefile contains targets to test your current version of kube-bench inside a [Kind](https://kind.sigs.k8s.io/) cluster. This can be very handy if you don't want to run a real Kubernetes cluster for development purposes.

First, you'll need to create the cluster using `make kind-test-cluster` this will create a new cluster if it cannot be found on your machine. By default, the cluster is named `kube-bench` but you can change the name by using the environment variable `KIND_PROFILE`.

*If kind cannot be found on your system the target will try to install it using `go get`*

Next, you'll have to build the kube-bench docker image using `make build-docker`, then we will be able to push the docker image to the cluster using `make kind-push`.

Finally, we can use the `make kind-run` target to run the current version of kube-bench in the cluster and follow the logs of pods created. (Ctrl+C to exit)

Every time you want to test a change, you'll need to rebuild the docker image and push it to the cluster before running it again. ( `make build-docker kind-push kind-run` )

To run the STIG tests locally execute the following: `make build-docker kind-push kind-run-stig`


================================================
FILE: Dockerfile
================================================
# Stage 1: build the kube-bench binary from the Go sources only (cfg/ is added to the runtime stage).
FROM golang:1.26.1 AS build
WORKDIR /go/src/github.com/aquasecurity/kube-bench/
COPY makefile makefile
COPY go.mod go.sum ./
COPY main.go .
COPY check/ check/
COPY cmd/ cmd/
COPY internal/ internal/
# Consumed by the makefile's build target (presumably to stamp the version into the binary).
ARG KUBEBENCH_VERSION
RUN make build && cp kube-bench /go/bin/kube-bench

# Add kubectl to run policies checks
ARG KUBECTL_VERSION TARGETARCH
RUN wget -O /usr/local/bin/kubectl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl"
RUN wget -O kubectl.sha256 "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256"

# Verify kubectl sha256sum
# NOTE(review): the checksum is fetched from the same origin as the binary, so this
# detects a corrupted or truncated download but does not authenticate the publisher;
# a known-good digest passed as a build-arg, or signature verification, would close that gap.
RUN /bin/bash -c 'echo "$(<kubectl.sha256)  /usr/local/bin/kubectl" | sha256sum -c -'

RUN chmod +x /usr/local/bin/kubectl

# Stage 2: Alpine runtime; only the binary, kubectl, cfg/ and the helper scripts are copied in.
FROM alpine:3.23.3 AS run
WORKDIR /opt/kube-bench/
# add GNU ps for -C, -o cmd, --no-headers support and add findutils to get GNU xargs
# https://github.com/aquasecurity/kube-bench/issues/109
# https://github.com/aquasecurity/kube-bench/issues/1656
RUN apk --no-cache add procps findutils

# Upgrading apk-tools to remediate CVE-2021-36159 - https://snyk.io/vuln/SNYK-ALPINE314-APKTOOLS-1533752
# https://github.com/aquasecurity/kube-bench/issues/943
RUN apk --no-cache upgrade apk-tools

# Openssl is used by OpenShift tests
# https://github.com/aquasecurity/kube-bench/issues/535
# Ensuring that we update/upgrade before installing openssl, to mitigate CVE-2021-3711 and CVE-2021-3712
RUN apk update && apk upgrade && apk --no-cache add openssl

# Add glibc for running oc command
# NOTE(review): this adds a third-party repository signing key to the apk trust store,
# but no repository that uses it is configured anywhere in this file and the packages
# below come from the image's default repos — confirm the key is still needed; if not,
# dropping it shrinks the set of publishers the image trusts.
RUN wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub
# Unlike the installs above these run without --no-cache, so the index fetched by
# `apk update` can remain in the final layer.
RUN apk add gcompat
RUN apk add jq

# Add bash for running helper scripts
RUN apk add bash

# /usr/local/mount-from-host/bin is presumably where host tooling is bind-mounted at run time.
ENV PATH=$PATH:/usr/local/mount-from-host/bin:/go/bin

COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
COPY entrypoint.sh .
COPY cfg/ cfg/
COPY helper_scripts/check_files_owner_in_dir.sh /go/bin/
RUN chmod a+x /go/bin/check_files_owner_in_dir.sh
ENTRYPOINT ["./entrypoint.sh"]
# Default argument handed to entrypoint.sh; see that script for what "install" does.
CMD ["install"]

# Build-time metadata as defined at http://label-schema.org
ARG BUILD_DATE
ARG VCS_REF
ARG KUBEBENCH_VERSION

# NOTE(review): the summary label reads "Aqua security server", which does not describe this image.
LABEL org.label-schema.build-date=$BUILD_DATE \
      org.label-schema.name="kube-bench" \
      org.label-schema.vendor="Aqua Security Software Ltd." \
      org.label-schema.version=$KUBEBENCH_VERSION \
      org.label-schema.release=$KUBEBENCH_VERSION \
      org.label-schema.summary="Aqua security server" \
      org.label-schema.maintainer="admin@aquasec.com" \
      org.label-schema.description="Run the CIS Kubernetes Benchmark tests" \
      org.label-schema.url="https://github.com/aquasecurity/kube-bench" \
      org.label-schema.vcs-ref=$VCS_REF \
      org.label-schema.vcs-url="https://github.com/aquasecurity/kube-bench" \
      org.label-schema.schema-version="1.0"


================================================
FILE: Dockerfile.fips.ubi
================================================
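FROM golang:1.26.1 AS build
WORKDIR /go/src/github.com/aquasecurity/kube-bench/
COPY makefile makefile
COPY go.mod go.sum ./
COPY main.go .
COPY check/ check/
COPY cmd/ cmd/
COPY internal/ internal/
ARG KUBEBENCH_VERSION
# build-fips is the makefile target for the FIPS build (the makefile is copied above)
RUN make build-fips && cp kube-bench /go/bin/kube-bench

# Add kubectl to run policies checks
ARG KUBECTL_VERSION TARGETARCH
RUN wget -O /usr/local/bin/kubectl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl"
RUN wget -O kubectl.sha256 "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256"
# Verify kubectl sha256sum: the build fails if the download is truncated or corrupted.
# The checksum comes from the same origin as the binary, so this proves the two files agree
# rather than protecting against a compromised download host.
RUN /bin/bash -c 'echo "$(<kubectl.sha256)  /usr/local/bin/kubectl" | sha256sum -c -'
RUN chmod +x /usr/local/bin/kubectl


# ubi9-minimal base image for build with ubi standards
FROM registry.access.redhat.com/ubi9/ubi-minimal AS run

# yum is installed temporarily to apply security updates and install the runtime packages,
# then removed again. The `rpm -e -v yum` fallback is grouped with `microdnf remove yum` so
# it only runs when that removal fails; left ungrouped, `||` would catch a failure anywhere
# earlier in the chain and the step could exit 0 with packages or security updates missing.
RUN microdnf install -y yum findutils openssl \
  && yum -y update-minimal --security --sec-severity=Moderate --sec-severity=Important --sec-severity=Critical \
  && yum update -y \
  && yum install -y glibc \
  && yum update -y glibc \
  && yum install -y procps \
  && yum update -y procps \
  && yum install -y jq \
  && yum clean all \
  && (microdnf remove yum || rpm -e -v yum) \
  && microdnf clean all

WORKDIR /opt/kube-bench/

# /usr/local/mount-from-host/bin: presumably where host binaries are mounted into the pod;
# /go/bin: location of the helper script copied below (matches the Alpine Dockerfile).
ENV PATH=$PATH:/usr/local/mount-from-host/bin:/go/bin

COPY LICENSE /licenses/LICENSE
COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
COPY entrypoint.sh .
COPY cfg/ cfg/
# The trailing slash matters: /go/bin does not exist in this stage, and without it COPY
# writes a regular file named /go/bin instead of placing the script inside the directory.
COPY helper_scripts/check_files_owner_in_dir.sh /go/bin/
RUN chmod a+x /go/bin/check_files_owner_in_dir.sh
ENTRYPOINT ["./entrypoint.sh"]
CMD ["install"]


# Build-time metadata as defined at http://label-schema.org
ARG BUILD_DATE
ARG VCS_REF
ARG KUBEBENCH_VERSION

LABEL org.label-schema.build-date=$BUILD_DATE \
      org.label-schema.name="kube-bench" \
      org.label-schema.vendor="Aqua Security Software Ltd." \
      org.label-schema.version=$KUBEBENCH_VERSION \
      org.label-schema.release=$KUBEBENCH_VERSION \
      org.label-schema.summary="Aqua security server" \
      org.label-schema.maintainer="admin@aquasec.com" \
      org.label-schema.description="Run the CIS Kubernetes Benchmark tests" \
      org.label-schema.url="https://github.com/aquasecurity/kube-bench" \
      org.label-schema.vcs-ref=$VCS_REF \
      org.label-schema.vcs-url="https://github.com/aquasecurity/kube-bench" \
      org.label-schema.schema-version="1.0"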


================================================
FILE: Dockerfile.ubi
================================================
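FROM golang:1.26.1 AS build
WORKDIR /go/src/github.com/aquasecurity/kube-bench/
COPY makefile makefile
COPY go.mod go.sum ./
COPY main.go .
COPY check/ check/
COPY cmd/ cmd/
COPY internal/ internal/
ARG KUBEBENCH_VERSION
RUN make build && cp kube-bench /go/bin/kube-bench

# Add kubectl to run policies checks
ARG KUBECTL_VERSION TARGETARCH
RUN wget -O /usr/local/bin/kubectl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl"
RUN wget -O kubectl.sha256 "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256"
# Verify kubectl sha256sum: the build fails if the download is truncated or corrupted.
# The checksum comes from the same origin as the binary, so this proves the two files agree
# rather than protecting against a compromised download host.
RUN /bin/bash -c 'echo "$(<kubectl.sha256)  /usr/local/bin/kubectl" | sha256sum -c -'
RUN chmod +x /usr/local/bin/kubectl


# ubi9-minimal base image for build with ubi standards
FROM registry.access.redhat.com/ubi9/ubi-minimal AS run

# yum is installed temporarily to apply security updates and install the runtime packages,
# then removed again. The `rpm -e -v yum` fallback is grouped with `microdnf remove yum` so
# it only runs when that removal fails; left ungrouped, `||` would catch a failure anywhere
# earlier in the chain and the step could exit 0 with packages or security updates missing.
RUN microdnf install -y yum findutils openssl \
  && yum -y update-minimal --security --sec-severity=Moderate --sec-severity=Important --sec-severity=Critical \
  && yum update -y \
  && yum install -y glibc \
  && yum update -y glibc \
  && yum install -y procps \
  && yum update -y procps \
  && yum install -y jq \
  && yum clean all \
  && (microdnf remove yum || rpm -e -v yum) \
  && microdnf clean all

WORKDIR /opt/kube-bench/

# /usr/local/mount-from-host/bin: presumably where host binaries are mounted into the pod;
# /go/bin: location of the helper script copied below (matches the Alpine Dockerfile).
ENV PATH=$PATH:/usr/local/mount-from-host/bin:/go/bin

COPY LICENSE /licenses/LICENSE
COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
COPY entrypoint.sh .
COPY cfg/ cfg/
# The trailing slash matters: /go/bin does not exist in this stage, and without it COPY
# writes a regular file named /go/bin instead of placing the script inside the directory.
COPY helper_scripts/check_files_owner_in_dir.sh /go/bin/
RUN chmod a+x /go/bin/check_files_owner_in_dir.sh
ENTRYPOINT ["./entrypoint.sh"]
CMD ["install"]


# Build-time metadata as defined at http://label-schema.org
ARG BUILD_DATE
ARG VCS_REF
ARG KUBEBENCH_VERSION

LABEL org.label-schema.build-date=$BUILD_DATE \
      org.label-schema.description="Run the CIS Kubernetes Benchmark tests" \
      org.label-schema.url="https://github.com/aquasecurity/kube-bench" \
      org.label-schema.vcs-ref=$VCS_REF \
      org.label-schema.vcs-url="https://github.com/aquasecurity/kube-bench" \
      org.label-schema.schema-version="1.0" \
      vendor="Aqua Security Software Ltd." \
      maintainer="Aqua Security Software Ltd." \
      version=$KUBEBENCH_VERSION \
      release=$KUBEBENCH_VERSION \
      summary="Aqua Security Kube-bench." \
      description="Run the CIS Kubernetes Benchmark tests"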

================================================
FILE: LICENSE
================================================

                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.


================================================
FILE: NOTICE
================================================
kube-bench
Copyright 2017-2019 Aqua Security Software Ltd. 

This product includes software developed by Aqua Security (https://aquasec.com).



================================================
FILE: OWNERS
================================================
approvers:
 - lizrice
 - jerbia


================================================
FILE: README.md
================================================
[![GitHub Release][release-img]][release]
[![Downloads][download]][release]
[![Docker Pulls][docker-pull]][docker]
[![Go Report Card][report-card-img]][report-card]
[![Build Status](https://github.com/aquasecurity/kube-bench/workflows/Build/badge.svg?branch=main)](https://github.com/aquasecurity/kube-bench/actions)
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/aquasecurity/kube-bench/blob/main/LICENSE)
[![Coverage Status][cov-img]][cov]

[download]: https://img.shields.io/github/downloads/aquasecurity/kube-bench/total?logo=github
[release-img]: https://img.shields.io/github/release/aquasecurity/kube-bench.svg?logo=github
[release]: https://github.com/aquasecurity/kube-bench/releases
[docker-pull]: https://img.shields.io/docker/pulls/aquasec/kube-bench?logo=docker&label=docker%20pulls%20%2F%20kube-bench
[docker]: https://hub.docker.com/r/aquasec/kube-bench
[cov-img]: https://codecov.io/github/aquasecurity/kube-bench/branch/main/graph/badge.svg
[cov]: https://codecov.io/github/aquasecurity/kube-bench
[report-card-img]: https://goreportcard.com/badge/github.com/aquasecurity/kube-bench
[report-card]: https://goreportcard.com/report/github.com/aquasecurity/kube-bench

<img src="docs/images/kube-bench.png" width="200" alt="kube-bench logo">

kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).

Tests are configured with YAML files, making this tool easy to update as test specifications evolve.

![Kubernetes Bench for Security](/docs/images/output.png "Kubernetes Bench for Security")

## CIS Scanning as part of Trivy and the Trivy Operator

[Trivy](https://github.com/aquasecurity/trivy), the all-in-one cloud-native security scanner, can be deployed as a [Kubernetes Operator](https://github.com/aquasecurity/trivy-operator) inside a cluster.
Both the [Trivy CLI](https://github.com/aquasecurity/trivy) and the [Trivy Operator](https://github.com/aquasecurity/trivy-operator) support CIS Kubernetes Benchmark scanning, among several other features.

## Quick start

There are multiple ways to run kube-bench.
You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.

The supplied `job.yaml` [file](job.yaml) can be applied to run the tests as a job. For example:

```bash
$ kubectl apply -f job.yaml
job.batch/kube-bench created

$ kubectl get pods
NAME                      READY   STATUS              RESTARTS   AGE
kube-bench-j76s9   0/1     ContainerCreating   0          3s

# Wait for a few seconds for the job to complete
$ kubectl get pods
NAME                      READY   STATUS      RESTARTS   AGE
kube-bench-j76s9   0/1     Completed   0          11s

# The results are held in the pod's logs
kubectl logs kube-bench-j76s9
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server
...
```
For more information and different ways to run kube-bench, see the [documentation](docs/running.md).

### Please Note

1. kube-bench implements the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) as closely as possible. Please raise issues here if kube-bench is not correctly implementing the test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the [CIS community](https://cisecurity.org).

1. There is not a one-to-one mapping between releases of Kubernetes and releases of the CIS benchmark. See [CIS Kubernetes Benchmark support](docs/platforms.md#cis-kubernetes-benchmark-support) to see which releases of Kubernetes are covered by different releases of the benchmark.


By default, kube-bench determines the test set to run based on the Kubernetes version running on the machine; see [Running kube-bench](docs/running.md#running-kube-bench) for more details.


## Contributing
Please read [Contributing](CONTRIBUTING.md) before contributing.
We welcome PRs and issue reports.

## Roadmap

Going forward we plan to release updates to kube-bench to add support for new releases of the CIS Benchmark. Note that these are not released as frequently as Kubernetes releases.


================================================
FILE: cfg/ack-1.0/config.yaml
================================================
---
## Version-specific settings that override the values in cfg/config.yaml


================================================
FILE: cfg/ack-1.0/controlplane.yaml
================================================
---
controls:
version: "ack-1.0"
id: 3
text: "Control Plane Configuration"
type: "controlplane"
groups:
  - id: 3.1
    text: "Authentication and Authorization"
    checks:
      - id: 3.1.1
        text: "Revoke client certificate when possible leakage (Manual)"
        type: "manual"
        remediation: |
          Kubernetes provides the option to use client certificates for user authentication.
          ACK issues a kubeconfig containing client certificates as the user credentials for connecting to the target cluster.
          Users should revoke an issued kubeconfig as soon as it may have been leaked.
        scored: false

  - id: 3.2
    text: "Logging"
    checks:
      - id: 3.2.1
        text: "Ensure that a minimal audit policy is created (Manual)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--audit-policy-file"
        remediation: |
          Create an audit policy file for your cluster.
        scored: false

      - id: 3.2.2
        text: "Ensure that the audit policy covers key security concerns (Manual)"
        type: "manual"
        remediation: |
          Consider modification of the audit policy in use on the cluster to include these items, at a
          minimum.
        scored: false


================================================
FILE: cfg/ack-1.0/etcd.yaml
================================================
---
controls:
version: "ack-1.0"
id: 2
text: "Etcd Node Configuration"
type: "etcd"
groups:
  - id: 2
    text: "Etcd Node Configuration Files"
    checks:
      - id: 2.1
        text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          bin_op: and
          test_items:
            - flag: "--cert-file"
              env: "ETCD_CERT_FILE"
            - flag: "--key-file"
              env: "ETCD_KEY_FILE"
        remediation: |
          Follow the etcd service documentation and configure TLS encryption.
          Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
          on the master node and set the below parameters.
          --cert-file=</path/to/cert-file>
          --key-file=</path/to/key-file>
        scored: true

      - id: 2.2
        text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          test_items:
            - flag: "--client-cert-auth"
              env: "ETCD_CLIENT_CERT_AUTH"
              compare:
                op: eq
                value: true
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and set the below parameter.
          --client-cert-auth="true"
        scored: true

      - id: 2.3
        text: "Ensure that the --auto-tls argument is not set to true (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--auto-tls"
              env: "ETCD_AUTO_TLS"
              set: false
            - flag: "--auto-tls"
              env: "ETCD_AUTO_TLS"
              compare:
                op: eq
                value: false
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and either remove the --auto-tls parameter or set it to false.
            --auto-tls=false
        scored: true

      - id: 2.4
        text: "Ensure that the --peer-cert-file and --peer-key-file arguments are
        set as appropriate (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          bin_op: and
          test_items:
            - flag: "--peer-cert-file"
              env: "ETCD_PEER_CERT_FILE"
            - flag: "--peer-key-file"
              env: "ETCD_PEER_KEY_FILE"
        remediation: |
          Follow the etcd service documentation and configure peer TLS encryption as appropriate
          for your etcd cluster.
          Then, edit the etcd pod specification file $etcdconf on the
          master node and set the below parameters.
          --peer-cert-file=</path/to/peer-cert-file>
          --peer-key-file=</path/to/peer-key-file>
        scored: true

      - id: 2.5
        text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          test_items:
            - flag: "--peer-client-cert-auth"
              env: "ETCD_PEER_CLIENT_CERT_AUTH"
              compare:
                op: eq
                value: true
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and set the below parameter.
          --peer-client-cert-auth=true
        scored: true

      - id: 2.6
        text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--peer-auto-tls"
              env: "ETCD_PEER_AUTO_TLS"
              set: false
            - flag: "--peer-auto-tls"
              env: "ETCD_PEER_AUTO_TLS"
              compare:
                op: eq
                value: false
        remediation: |
          Edit the etcd pod specification file $etcdconf on the master
          node and either remove the --peer-auto-tls parameter or set it to false.
          --peer-auto-tls=false
        scored: true

      - id: 2.7
        text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
        tests:
          test_items:
            - flag: "--trusted-ca-file"
              env: "ETCD_TRUSTED_CA_FILE"
        remediation: |
          [Manual test]
          Follow the etcd documentation and create a dedicated certificate authority setup for the
          etcd service.
          Then, edit the etcd pod specification file $etcdconf on the
          master node and set the below parameter.
          --trusted-ca-file=</path/to/ca-file>
        scored: false


================================================
FILE: cfg/ack-1.0/managedservices.yaml
================================================
---
controls:
version: "ack-1.0"
id: 6
text: "Managed Services"
type: "managedservices"
groups:
  - id: 6.1
    text: "Image Registry and Image Scanning"
    checks:
      - id: 6.1.1
        text: "Ensure Image Vulnerability Scanning using ACR image scanning or a third party provider (Manual)"
        type: "manual"
        remediation: |
          Ensure Image Vulnerability Scanning using ACR image scanning or a third-party provider by following the ACR documentation: https://www.alibabacloud.com/help/doc-detail/160146.htm
        scored: false

      - id: 6.1.2
        text: "Minimize user access to ACR (Manual)"
        type: "manual"
        remediation: |
          Minimize user access to ACR by following the ACR documentation to set up network access control: https://www.alibabacloud.com/help/doc-detail/142179.htm
          and the ACR documentation to set up Resource Access Management (RAM) policies for ACR: https://www.alibabacloud.com/help/doc-detail/144229.htm
        scored: false

      - id: 6.1.3
        text: "Minimize cluster access to read-only for ACR (Manual)"
        type: "manual"
        remediation: Minimize cluster access to read-only for ACR
        scored: false

      - id: 6.1.4
        text: "Minimize Container Registries to only those approved (Manual)"
        type: "manual"
        remediation: Minimize Container Registries to only those approved
        scored: false

  - id: 6.2
    text: "Key Management Service (KMS)"
    checks:
      - id: 6.2.1
        text: "Ensure Kubernetes Secrets are encrypted using keys managed in KMS (Manual)"
        type: "manual"
        remediation: |
          Ensure Kubernetes Secrets are encrypted using keys managed in KMS by following the ACK documentation: https://www.alibabacloud.com/help/zh/doc-detail/177372.htm
        scored: false

  - id: 6.3
    text: "Cluster Networking"
    checks:
      - id: 6.3.1
        text: "Restrict Access to the Control Plane Endpoint (Manual)"
        type: "manual"
        remediation: Restrict Access to the Control Plane Endpoint
        scored: false

      - id: 6.3.2
        text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
        type: "manual"
        remediation: Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled
        scored: false

      - id: 6.3.3
        text: "Ensure clusters are created with Private Nodes (Manual)"
        type: "manual"
        remediation: Ensure clusters are created with Private Nodes
        scored: false

      - id: 6.3.4
        text: "Ensure Network Policy is Enabled and set as appropriate (Manual)"
        type: "manual"
        remediation: Ensure Network Policy is Enabled and set as appropriate
        scored: false

      - id: 6.3.5
        text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)"
        type: "manual"
        remediation: Encrypt traffic to HTTPS load balancers with TLS certificates
        scored: false

  - id: 6.4
    text: "Storage"
    checks:
      - id: 6.4.1
        text: "Enable data disk encryption for Alibaba Cloud Disks (Manual)"
        type: "manual"
        remediation: Enable data disk encryption for Alibaba Cloud Disks
        scored: false

  - id: 6.5
    text: "Logging"
    checks:
      - id: 6.5.1
        text: "Ensure Cluster Auditing is Enabled (Manual)"
        type: "manual"
        remediation: Ensure Cluster Auditing is Enabled
        scored: false

  - id: 6.6
    text: "Other Cluster Configurations"
    checks:
      - id: 6.6.1
        text: "Ensure Pod Security Policy is Enabled and set as appropriate (Manual)"
        type: "manual"
        remediation: Ensure Pod Security Policy is Enabled and set as appropriate
        scored: false

      - id: 6.6.2
        text: "Enable Cloud Security Center (Manual)"
        type: "manual"
        remediation: Enable Cloud Security Center
        scored: false

      - id: 6.6.3
        text: "Consider ACK Sandboxed-Container for running untrusted workloads (Manual)"
        type: "manual"
        remediation: Consider ACK Sandboxed-Container for running untrusted workloads

      - id: 6.6.4
        text: "Consider ACK TEE-based when running confidential computing (Manual)"
        type: "manual"
        remediation: Consider ACK TEE-based when running confidential computing

      - id: 6.6.5
        text: "Consider using service account token volume projection (Manual)"
        type: "manual"
        remediation: Consider using service account token volume projection


================================================
FILE: cfg/ack-1.0/master.yaml
================================================
---
controls:
version: "ack-1.0"
id: 1
text: "Master Node Security Configuration"
type: "master"
groups:
  - id: 1.1
    text: "Master Node Configuration Files"
    checks:
      - id: 1.1.1
        text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the
          master node.
          For example, chmod 644 $apiserverconf
        scored: true

      - id: 1.1.2
        text: "Ensure that the API server pod specification file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chown root:root $apiserverconf
        scored: true

      - id: 1.1.3
        text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chmod 644 $controllermanagerconf
        scored: true

      - id: 1.1.4
        text: "Ensure that the controller manager pod specification file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chown root:root $controllermanagerconf
        scored: true

      - id: 1.1.5
        text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chmod 644 $schedulerconf
        scored: true

      - id: 1.1.6
        text: "Ensure that the scheduler pod specification file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chown root:root $schedulerconf
        scored: true

      - id: 1.1.7
        text: "Ensure that the etcd service file permissions are set to 644 or more restrictive (Automated)"
        audit: |
          stat -c permissions=%a /usr/lib/systemd/system/etcd.service || \
          if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c permissions=%a; fi
        use_multiple_values: true
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chmod 644 $etcdconf
        scored: true

      - id: 1.1.8
        text: "Ensure that the etcd service file ownership is set to root:root (Automated)"
        audit: |
          stat -c %U:%G /usr/lib/systemd/system/etcd.service || \
          if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c %U:%G; fi
        use_multiple_values: true
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chown root:root $etcdconf
        scored: true

      - id: 1.1.9
        text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)"
        audit: "stat -c permissions=%a <path/to/cni/files>"
        type: "manual"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chmod 644 <path/to/cni/files>
        scored: false

      - id: 1.1.10
        text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
        audit: "stat -c %U:%G <path/to/cni/files>"
        type: "manual"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chown root:root <path/to/cni/files>
        scored: false

      - id: 1.1.11
        text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
        audit: |
          stat -c permissions=%a /var/lib/etcd/data.etcd || \
          ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "700"
        remediation: |
          On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
          from the below command:
          ps -ef | grep etcd
          Run the below command (based on the etcd data directory found above). For example,
          chmod 700 /var/lib/etcd
        scored: true

      - id: 1.1.12
        text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
        audit: |
          stat -c %U:%G /var/lib/etcd/data.etcd || \
          ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G
        tests:
          test_items:
            - flag: "etcd:etcd"
        remediation: |
          On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
          from the below command:
          ps -ef | grep etcd
          Run the below command (based on the etcd data directory found above).
          For example, chown etcd:etcd /var/lib/etcd
        scored: true

      - id: 1.1.13
        text: "Ensure that the admin.conf file permissions are set to 644 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions=%a /etc/kubernetes/admin.conf; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chmod 644 /etc/kubernetes/admin.conf
        scored: true

      - id: 1.1.14
        text: "Ensure that the admin.conf file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %U:%G /etc/kubernetes/admin.conf; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chown root:root /etc/kubernetes/admin.conf
        scored: true

      - id: 1.1.15
        text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c permissions=%a $schedulerkubeconfig; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chmod 644 $schedulerkubeconfig
        scored: true

      - id: 1.1.16
        text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c %U:%G $schedulerkubeconfig; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chown root:root $schedulerkubeconfig
        scored: true

      - id: 1.1.17
        text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chmod 644 $controllermanagerkubeconfig
        scored: true

      - id: 1.1.18
        text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c %U:%G $controllermanagerkubeconfig; fi'"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chown root:root $controllermanagerkubeconfig
        scored: true

      - id: 1.1.19
        text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)"
        audit: "find /etc/kubernetes/pki/ | xargs stat -c %U:%G"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chown -R root:root /etc/kubernetes/pki/
        scored: true

      - id: 1.1.20
        text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)"
        audit: "find /etc/kubernetes/pki -name '*.crt' | xargs stat -c permissions=%a"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chmod -R 644 /etc/kubernetes/pki/*.crt
        scored: false

      - id: 1.1.21
        text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)"
        audit: "find /etc/kubernetes/pki -name '*.key' | xargs stat -c permissions=%a"
        use_multiple_values: true
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
          chmod -R 600 /etc/kubernetes/pki/*.key
        scored: false

  - id: 1.2
    text: "API Server"
    checks:
      - id: 1.2.1
        text: "Ensure that the --basic-auth-file argument is not set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--basic-auth-file"
              set: false
        remediation: |
          Follow the documentation and configure alternate mechanisms for authentication. Then,
          edit the API server pod specification file $apiserverconf
          on the master node and remove the --basic-auth-file=<filename> parameter.
        scored: true

      - id: 1.2.2
        text: "Ensure that the --token-auth-file parameter is not set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--token-auth-file"
              set: false
        remediation: |
          Follow the documentation and configure alternate mechanisms for authentication. Then,
          edit the API server pod specification file $apiserverconf
          on the master node and remove the --token-auth-file=<filename> parameter.
        scored: true

      - id: 1.2.3
        text: "Ensure that the --kubelet-https argument is set to true (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--kubelet-https"
              compare:
                op: eq
                value: true
            - flag: "--kubelet-https"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and remove the --kubelet-https parameter.
        scored: true

      - id: 1.2.4
        text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: and
          test_items:
            - flag: "--kubelet-client-certificate"
            - flag: "--kubelet-client-key"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection between the
          apiserver and kubelets. Then, edit the API server pod specification file
          $apiserverconf on the master node and set the
          kubelet client certificate and key parameters as below.
          --kubelet-client-certificate=<path/to/client-certificate-file>
          --kubelet-client-key=<path/to/client-key-file>
        scored: true

      - id: 1.2.5
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--authorization-mode"
              compare:
                op: nothave
                value: "AlwaysAllow"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the --authorization-mode parameter to values other than AlwaysAllow.
          One such example could be as below.
          --authorization-mode=RBAC
        scored: true

      - id: 1.2.6
        text: "Ensure that the --authorization-mode argument includes Node (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--authorization-mode"
              compare:
                op: has
                value: "Node"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the --authorization-mode parameter to a value that includes Node.
          --authorization-mode=Node,RBAC
        scored: true

      - id: 1.2.7
        text: "Ensure that the --authorization-mode argument includes RBAC (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--authorization-mode"
              compare:
                op: has
                value: "RBAC"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the --authorization-mode parameter to a value that includes RBAC,
          for example:
          --authorization-mode=Node,RBAC
        scored: true

      - id: 1.2.8
        text: "Ensure that the admission control plugin EventRateLimit is set (Manual)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "EventRateLimit"
        remediation: |
          Follow the Kubernetes documentation and set the desired limits in a configuration file.
          Then, edit the API server pod specification file $apiserverconf
          and set the below parameters.
          --enable-admission-plugins=...,EventRateLimit,...
          --admission-control-config-file=<path/to/configuration/file>
        scored: false

      - id: 1.2.9
        text: "Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: nothave
                value: AlwaysAdmit
            - flag: "--enable-admission-plugins"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and either remove the --enable-admission-plugins parameter, or set it to a
          value that does not include AlwaysAdmit.
        scored: true

      - id: 1.2.10
        text: "Ensure that the admission control plugin AlwaysPullImages is set (Manual)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "AlwaysPullImages"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the --enable-admission-plugins parameter to include
          AlwaysPullImages.
          --enable-admission-plugins=...,AlwaysPullImages,...
        scored: false

      - id: 1.2.11
        text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "SecurityContextDeny"
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "PodSecurityPolicy"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the --enable-admission-plugins parameter to include
          SecurityContextDeny, unless PodSecurityPolicy is already in place.
          --enable-admission-plugins=...,SecurityContextDeny,...
        scored: false

      - id: 1.2.12
        text: "Ensure that the admission control plugin ServiceAccount is set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--disable-admission-plugins"
              compare:
                op: nothave
                value: "ServiceAccount"
            - flag: "--disable-admission-plugins"
              set: false
        remediation: |
          Follow the documentation and create ServiceAccount objects as per your environment.
          Then, edit the API server pod specification file $apiserverconf
          on the master node and ensure that the --disable-admission-plugins parameter is set to a
          value that does not include ServiceAccount.
        scored: true

      - id: 1.2.13
        text: "Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--disable-admission-plugins"
              compare:
                op: nothave
                value: "NamespaceLifecycle"
            - flag: "--disable-admission-plugins"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the --disable-admission-plugins parameter to
          ensure it does not include NamespaceLifecycle.
        scored: true

      - id: 1.2.14
        text: "Ensure that the admission control plugin PodSecurityPolicy is set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "PodSecurityPolicy"
        remediation: |
          Follow the documentation and create Pod Security Policy objects as per your environment.
          Then, edit the API server pod specification file $apiserverconf
          on the master node and set the --enable-admission-plugins parameter to a
          value that includes PodSecurityPolicy:
          --enable-admission-plugins=...,PodSecurityPolicy,...
          Then restart the API Server.
        scored: true

      - id: 1.2.15
        text: "Ensure that the admission control plugin NodeRestriction is set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
                op: has
                value: "NodeRestriction"
        remediation: |
          Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets.
          Then, edit the API server pod specification file $apiserverconf
          on the master node and set the --enable-admission-plugins parameter to a
          value that includes NodeRestriction.
          --enable-admission-plugins=...,NodeRestriction,...
        scored: true

      - id: 1.2.16
        text: "Ensure that the --insecure-bind-address argument is not set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--insecure-bind-address"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and remove the --insecure-bind-address parameter.
        scored: true

      - id: 1.2.17
        text: "Ensure that the --insecure-port argument is set to 0 (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--insecure-port"
              compare:
                op: eq
                value: 0
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the below parameter.
          --insecure-port=0
        scored: true

      - id: 1.2.18
        text: "Ensure that the --secure-port argument is not set to 0 (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--secure-port"
              compare:
                op: gt
                value: 0
            - flag: "--secure-port"
              set: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and either remove the --secure-port parameter or
          set it to a different (non-zero) desired port.
        scored: true

      - id: 1.2.19
        text: "Ensure that the --profiling argument is set to false (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--profiling"
              compare:
                op: eq
                value: false
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the below parameter.
          --profiling=false
        scored: true

      - id: 1.2.20
        text: "Ensure that the --audit-log-path argument is set (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--audit-log-path"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the --audit-log-path parameter to a suitable path and
          file where you would like audit logs to be written, for example:
          --audit-log-path=/var/log/apiserver/audit.log
        scored: true

      - id: 1.2.21
        text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--audit-log-maxage"
              compare:
                op: gte
                value: 30
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days:
          --audit-log-maxage=30
        scored: true

      - id: 1.2.22
        text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--audit-log-maxbackup"
              compare:
                op: gte
                value: 10
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the --audit-log-maxbackup parameter to 10 or to an appropriate
          value.
          --audit-log-maxbackup=10
        scored: true

      - id: 1.2.23
        text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--audit-log-maxsize"
              compare:
                op: gte
                value: 100
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the --audit-log-maxsize parameter to an appropriate size in MB.
          For example, to set it as 100 MB:
          --audit-log-maxsize=100
        scored: true

      - id: 1.2.24
        text: "Ensure that the --request-timeout argument is set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        type: manual
        remediation: |
          Edit the API server pod specification file $apiserverconf
          and set the below parameter as appropriate and if needed.
          For example,
          --request-timeout=300s
        scored: true

      - id: 1.2.25
        text: "Ensure that the --service-account-lookup argument is set to true (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--service-account-lookup"
              set: false
            - flag: "--service-account-lookup"
              compare:
                op: eq
                value: true
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the below parameter.
          --service-account-lookup=true
          Alternatively, you can delete the --service-account-lookup parameter from this file so
          that the default takes effect.
        scored: true

      - id: 1.2.26
        text: "Ensure that the --service-account-key-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--service-account-key-file"
        remediation: |
          Edit the API server pod specification file $apiserverconf
          on the master node and set the --service-account-key-file parameter
          to the public key file for service accounts:
          --service-account-key-file=<filename>
        scored: true

      - id: 1.2.27
        text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: and
          test_items:
            - flag: "--etcd-certfile"
            - flag: "--etcd-keyfile"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.
          Then, edit the API server pod specification file $apiserverconf
          on the master node and set the etcd certificate and key file parameters.
          --etcd-certfile=<path/to/client-certificate-file>
          --etcd-keyfile=<path/to/client-key-file>
        scored: true

      - id: 1.2.28
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          bin_op: and
          test_items:
            - flag: "--tls-cert-file"
            - flag: "--tls-private-key-file"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
          Then, edit the API server pod specification file $apiserverconf
          on the master node and set the TLS certificate and private key file parameters.
          --tls-cert-file=<path/to/tls-certificate-file>
          --tls-private-key-file=<path/to/tls-key-file>
        scored: true

      - id: 1.2.29
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--client-ca-file"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
          Then, edit the API server pod specification file $apiserverconf
          on the master node and set the client certificate authority file.
          --client-ca-file=<path/to/client-ca-file>
        scored: true

      - id: 1.2.30
        text: "Ensure that the --etcd-cafile argument is set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--etcd-cafile"
        remediation: |
          Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.
          Then, edit the API server pod specification file $apiserverconf
          on the master node and set the etcd certificate authority file parameter.
          --etcd-cafile=<path/to/ca-file>
        scored: true

      - id: 1.2.31
        text: "Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--encryption-provider-config"
        remediation: |
          Follow the Kubernetes documentation and configure an EncryptionConfig file.
          Then, edit the API server pod specification file $apiserverconf
          on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config=</path/to/EncryptionConfig/File>
        scored: false

      - id: 1.2.32
        text: "Ensure that encryption providers are appropriately configured (Manual)"
        audit: |
          ENCRYPTION_PROVIDER_CONFIG=$(ps -ef | grep $apiserverbin | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\([^ ]*\).*%\1%')
          if test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -A1 'providers:' $ENCRYPTION_PROVIDER_CONFIG | tail -n1 | grep -o "[A-Za-z]*" | sed 's/^/provider=/'; fi
        tests:
          test_items:
            - flag: "provider"
              compare:
                op: valid_elements
                value: "aescbc,kms,secretbox"
        remediation: |
          Follow the Kubernetes documentation and configure an EncryptionConfig file.
          In this file, choose aescbc, kms or secretbox as the encryption provider.
        scored: false

      - id: 1.2.33
        text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--tls-cipher-suites"
              compare:
                op: valid_elements
                value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
        remediation: |
          Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
          on the master node and set the below parameter.
          --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        scored: false

  - id: 1.3
    text: "Controller Manager"
    checks:
      - id: 1.3.1
        text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          test_items:
            - flag: "--terminated-pod-gc-threshold"
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold,
          for example:
          --terminated-pod-gc-threshold=10
        scored: false

      - id: 1.3.2
        text: "Ensure that the --profiling argument is set to false (Automated)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          test_items:
            - flag: "--profiling"
              compare:
                op: eq
                value: false
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the master node and set the below parameter.
          --profiling=false
        scored: true

      - id: 1.3.3
        text: "Ensure that the --use-service-account-credentials argument is set to true (Automated)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          test_items:
            - flag: "--use-service-account-credentials"
              compare:
                op: noteq
                value: false
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the master node to set the below parameter.
          --use-service-account-credentials=true
        scored: true

      - id: 1.3.4
        text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          test_items:
            - flag: "--service-account-private-key-file"
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the master node and set the --service-account-private-key-file parameter
          to the private key file for service accounts.
          --service-account-private-key-file=<filename>
        scored: true

      - id: 1.3.5
        text: "Ensure that the --root-ca-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          test_items:
            - flag: "--root-ca-file"
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the master node and set the --root-ca-file parameter to the certificate bundle file.
          --root-ca-file=<path/to/file>
        scored: true

      - id: 1.3.6
        text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--feature-gates"
              compare:
                op: nothave
                value: "RotateKubeletServerCertificate=false"
              set: true
            - flag: "--feature-gates"
              set: false
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the master node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.
          --feature-gates=RotateKubeletServerCertificate=true
        scored: true

      - id: 1.3.7
        text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--bind-address"
              compare:
                op: eq
                value: "127.0.0.1"
            - flag: "--bind-address"
              set: false
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the master node and set the --bind-address parameter to 127.0.0.1.
        scored: true

  - id: 1.4
    text: "Scheduler"
    checks:
      - id: 1.4.1
        text: "Ensure that the --profiling argument is set to false (Automated)"
        audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
        tests:
          test_items:
            - flag: "--profiling"
              compare:
                op: eq
                value: false
        remediation: |
          Edit the Scheduler pod specification file $schedulerconf
          on the master node and set the below parameter.
          --profiling=false
        scored: true

      - id: 1.4.2
        text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
        audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--bind-address"
              compare:
                op: eq
                value: "127.0.0.1"
            - flag: "--bind-address"
              set: false
        remediation: |
          Edit the Scheduler pod specification file $schedulerconf
          on the master node and set the --bind-address parameter to 127.0.0.1.
        scored: true


================================================
FILE: cfg/ack-1.0/node.yaml
================================================
---
controls:
version: "ack-1.0"
id: 4
text: "Worker Node Security Configuration"
type: "node"
groups:
  - id: 4.1
    text: "Worker Node Configuration Files"
    checks:
      - id: 4.1.1
        text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example,
          chmod 644 $kubeletsvc
        scored: true

      - id: 4.1.2
        text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c "if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; else echo \"File not found\"; fi"'
        tests:
          bin_op: or
          test_items:
            - flag: root:root
            - flag: "File not found"
        remediation: |
            Run the below command (based on the file location on your system) on each worker node.
            For example,
            chown root:root $kubeletsvc
        scored: true

      - id: 4.1.3
        text: "If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
        tests:
          bin_op: or
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example,
          chmod 644 $proxykubeconfig
        scored: false

      - id: 4.1.4
        text: "If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
        tests:
          bin_op: or
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example, chown root:root $proxykubeconfig
        scored: false

      - id: 4.1.5
        text: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example,
          chmod 644 $kubeletkubeconfig
        scored: true

      - id: 4.1.6
        text: "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Manual)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example,
          chown root:root $kubeletkubeconfig
        scored: false

      - id: 4.1.7
        text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)"
        audit: |
          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
          if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
          if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the following command to modify the file permissions of the --client-ca-file:
          chmod 644 <filename>
        scored: false

      - id: 4.1.8
        text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
        audit: |
          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
          if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
          if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
        tests:
          test_items:
            - flag: root:root
              compare:
                op: eq
                value: root:root
        remediation: |
          Run the following command to modify the ownership of the --client-ca-file.
          chown root:root <filename>
        scored: false

      - id: 4.1.9
        text: "Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chmod 644 $kubeletconf
        scored: true

      - id: 4.1.10
        text: "Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chown root:root $kubeletconf
        scored: true

  - id: 4.2
    text: "Kubelet"
    checks:
      - id: 4.2.1
        text: "Ensure that the anonymous-auth argument is set to false (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--anonymous-auth"
              path: '{.authentication.anonymous.enabled}'
              compare:
                op: eq
                value: false
        remediation: |
          If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
          false.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --anonymous-auth=false
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.2
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --authorization-mode
              path: '{.authorization.mode}'
              compare:
                op: nothave
                value: AlwaysAllow
        remediation: |
          If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If
          using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --authorization-mode=Webhook
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.3
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --client-ca-file
              path: '{.authentication.x509.clientCAFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
          the location of the client CA file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --client-ca-file=<path/to/client-ca-file>
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.4
        text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              compare:
                op: eq
                value: 0
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set readOnlyPort to 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --read-only-port=0
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.5
        text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              compare:
                op: noteq
                value: 0
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
          value other than 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --streaming-connection-idle-timeout=5m
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.6
        text: "Ensure that the --protect-kernel-defaults argument is set to true (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --protect-kernel-defaults
              path: '{.protectKernelDefaults}'
              compare:
                op: eq
                value: true
        remediation: |
          If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --protect-kernel-defaults=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.7
        text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              compare:
                op: eq
                value: true
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove the --make-iptables-util-chains argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.8
        text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --event-qps
              path: '{.eventRecordQPS}'
              compare:
                op: eq
                value: 0
        remediation: |
          If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable, for example:
          --event-qps=0
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.9
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --tls-cert-file
              path: '{.tlsCertFile}'
            - flag: --tls-private-key-file
              path: '{.tlsPrivateKeyFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set tlsCertFile to the location
          of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile
          to the location of the corresponding private key file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
          --tls-cert-file=<path/to/tls-certificate-file>
          --tls-private-key-file=<path/to/tls-key-file>
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.10
        text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --tls-cipher-suites
              path: '{range .tlsCipherSuites[:]}{}{'',''}{end}'
              compare:
                op: valid_elements
                value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
        remediation: |
          If using a Kubelet config file, edit the file to set tlsCipherSuites: to
          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          or to a subset of these values.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the --tls-cipher-suites parameter as follows, or to a subset of these values.
          --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false


================================================
FILE: cfg/ack-1.0/policies.yaml
================================================
---
controls:
version: "ack-1.0"
id: 5
text: "Kubernetes Policies"
type: "policies"
groups:
  - id: 5.1
    text: "RBAC and Service Accounts"
    checks:
      - id: 5.1.1
        text: "Ensure that the cluster-admin role is only used where required (Manual)"
        type: "manual"
        remediation: |
          Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
          if they need this role or if they could use a role with fewer privileges.
          Where possible, first bind users to a lower privileged role and then remove the
          clusterrolebinding to the cluster-admin role:
          kubectl delete clusterrolebinding [name]
        scored: false

      - id: 5.1.2
        text: "Minimize access to secrets (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove get, list and watch access to secret objects in the cluster.
        scored: false

      - id: 5.1.3
        text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
        type: "manual"
        remediation: |
          Where possible replace any use of wildcards in clusterroles and roles with specific
          objects or actions.
        scored: false

      - id: 5.1.4
        text: "Minimize access to create pods (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove create access to pod objects in the cluster.
        scored: false

      - id: 5.1.5
        text: "Ensure that default service accounts are not actively used. (Manual)"
        type: "manual"
        remediation: |
          Create explicit service accounts wherever a Kubernetes workload requires specific access
          to the Kubernetes API server.
          Modify the configuration of each default service account to include this value
          automountServiceAccountToken: false
        scored: false

      - id: 5.1.6
        text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)"
        type: "manual"
        remediation: |
          Modify the definition of pods and service accounts which do not need to mount service
          account tokens to disable it.
        scored: false

  - id: 5.2
    text: "Pod Security Policies"
    checks:
      - id: 5.2.1
        text: "Minimize the admission of privileged containers (Manual)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that
          the .spec.privileged field is omitted or set to false.
        scored: false

      - id: 5.2.2
        text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.hostPID field is omitted or set to false.
        scored: false

      - id: 5.2.3
        text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.hostIPC field is omitted or set to false.
        scored: false

      - id: 5.2.4
        text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.hostNetwork field is omitted or set to false.
        scored: false

      - id: 5.2.5
        text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.allowPrivilegeEscalation field is omitted or set to false.
        scored: false

      - id: 5.2.6
        text: "Minimize the admission of root containers (Manual)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of
          UIDs not including 0.
        scored: false

      - id: 5.2.7
        text: "Minimize the admission of containers with the NET_RAW capability (Manual)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
        scored: false

      - id: 5.2.8
        text: "Minimize the admission of containers with added capabilities (Manual)"
        type: "manual"
        remediation: |
          Ensure that allowedCapabilities is not present in PSPs for the cluster unless
          it is set to an empty array.
        scored: false

      - id: 5.2.9
        text: "Minimize the admission of containers with capabilities assigned (Manual)"
        type: "manual"
        remediation: |
          Review the use of capabilities in applications running on your cluster. Where a namespace
          contains applications which do not require any Linux capabilities to operate, consider adding
          a PSP which forbids the admission of containers which do not drop all capabilities.
        scored: false

  - id: 5.3
    text: "Network Policies and CNI"
    checks:
      - id: 5.3.1
        text: "Ensure that the CNI in use supports Network Policies (Manual)"
        type: "manual"
        remediation: |
          If the CNI plugin in use does not support network policies, consideration should be given to
          making use of a different plugin, or finding an alternate mechanism for restricting traffic
          in the Kubernetes cluster.
        scored: false

      - id: 5.3.2
        text: "Ensure that all Namespaces have Network Policies defined (Manual)"
        type: "manual"
        remediation: |
          Follow the documentation and create NetworkPolicy objects as you need them.
        scored: false

  - id: 5.4
    text: "Secrets Management"
    checks:
      - id: 5.4.1
        text: "Prefer using secrets as files over secrets as environment variables (Manual)"
        type: "manual"
        remediation: |
          If possible, rewrite application code to read secrets from mounted secret files, rather than
          from environment variables.
        scored: false

      - id: 5.4.2
        text: "Consider external secret storage (Manual)"
        type: "manual"
        remediation: |
          Refer to the secrets management options offered by your cloud provider or a third-party
          secrets management solution.
        scored: false

  - id: 5.5
    text: "Extensible Admission Control"
    checks:
      - id: 5.5.1
        text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
        type: "manual"
        remediation: |
          Follow the Kubernetes documentation and setup image provenance.
        scored: false

  - id: 5.6
    text: "General Policies"
    checks:
      - id: 5.6.1
        text: "Create administrative boundaries between resources using namespaces (Manual)"
        type: "manual"
        remediation: |
          Follow the documentation and create namespaces for objects in your deployment as you need
          them.
        scored: false

      - id: 5.6.2
        text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)"
        type: "manual"
        remediation: |
          Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
          would need to enable alpha features in the apiserver by passing the
          "--feature-gates=AllAlpha=true" argument.
          Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
          parameter to "--feature-gates=AllAlpha=true"
          KUBE_API_ARGS="--feature-gates=AllAlpha=true"
          Based on your system, restart the kube-apiserver service. For example:
          systemctl restart kube-apiserver.service
          Use annotations to enable the docker/default seccomp profile in your pod definitions. An
          example is as below:
          apiVersion: v1
          kind: Pod
          metadata:
            name: trustworthy-pod
            annotations:
              seccomp.security.alpha.kubernetes.io/pod: docker/default
          spec:
            containers:
              - name: trustworthy-container
                image: sotrustworthy:latest
        scored: false

      - id: 5.6.3
        text: "Apply Security Context to Your Pods and Containers (Manual)"
        type: "manual"
        remediation: |
          Follow the Kubernetes documentation and apply security contexts to your pods. For a
          suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
          Containers.
        scored: false

      - id: 5.6.4
        text: "The default namespace should not be used (Manual)"
        type: "manual"
        remediation: |
          Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
          resources and that all new resources are created in a specific namespace.
        scored: false


================================================
FILE: cfg/aks-1.0/config.yaml
================================================
---
## Version-specific settings that override the values in cfg/config.yaml


================================================
FILE: cfg/aks-1.0/controlplane.yaml
================================================
---
controls:
version: "aks-1.0"
id: 2
text: "Control Plane Configuration"
type: "controlplane"
groups:
  - id: 2.1
    text: "Logging"
    checks:
      - id: 2.1.1
        text: "Enable audit Logs"
        type: "manual"
        remediation: |
          Azure audit logs are enabled and managed in the Azure portal. To enable log collection for
          the Kubernetes master components in your AKS cluster, open the Azure portal in a web
          browser and complete the following steps:
          1. Select the resource group for your AKS cluster, such as myResourceGroup. Don't
             select the resource group that contains your individual AKS cluster resources, such
             as MC_myResourceGroup_myAKSCluster_eastus.
          2. On the left-hand side, choose Diagnostic settings.
          3. Select your AKS cluster, such as myAKSCluster, then choose to Add diagnostic setting.
          4. Enter a name, such as myAKSClusterLogs, then select the option to Send to Log Analytics.
          5. Select an existing workspace or create a new one. If you create a workspace, provide
             a workspace name, a resource group, and a location.
          6. In the list of available logs, select the logs you wish to enable. For this example,
             enable the kube-audit and kube-audit-admin logs. Common logs include the
             kube-apiserver, kube-controller-manager, and kube-scheduler. You can return and change
             the collected logs once Log Analytics workspaces are enabled.
          7. When ready, select Save to enable collection of the selected logs.
        scored: false


================================================
FILE: cfg/aks-1.0/managedservices.yaml
================================================
---
controls:
version: "aks-1.0"
id: 5
text: "Managed Services"
type: "managedservices"
groups:
  - id: 5.1
    text: "Image Registry and Image Scanning"
    checks:
      - id: 5.1.1
        text: "Ensure Image Vulnerability Scanning using Azure Defender image scanning or a third party provider (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.1.2
        text: "Minimize user access to Azure Container Registry (ACR) (Manual)"
        type: "manual"
        remediation: |
          Azure Container Registry
          If you use Azure Container Registry (ACR) as your container image store, you need to grant
          permissions to the service principal for your AKS cluster to read and pull images. Currently,
          the recommended configuration is to use the az aks create or az aks update command to
          integrate with a registry and assign the appropriate role for the service principal. For
          detailed steps, see Authenticate with Azure Container Registry from Azure Kubernetes
          Service.
          To avoid needing an Owner or Azure account administrator role, you can configure a
          service principal manually or use an existing service principal to authenticate ACR from
          AKS. For more information, see ACR authentication with service principals or Authenticate
          from Kubernetes with a pull secret.
        scored: false

      - id: 5.1.3
        text: "Minimize cluster access to read-only for Azure Container Registry (ACR) (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.1.4
        text: "Minimize Container Registries to only those approved (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

  - id: 5.2
    text: "Access and identity options for Azure Kubernetes Service (AKS)"
    checks:
      - id: 5.2.1
        text: "Prefer using dedicated AKS Service Accounts (Manual)"
        type: "manual"
        remediation: |
          Azure Active Directory integration
          The security of AKS clusters can be enhanced with the integration of Azure Active Directory
          (AD). Built on decades of enterprise identity management, Azure AD is a multi-tenant,
          cloud-based directory, and identity management service that combines core directory
          services, application access management, and identity protection. With Azure AD, you can
          integrate on-premises identities into AKS clusters to provide a single source for account
          management and security.
          Azure Active Directory integration with AKS clusters
          With Azure AD-integrated AKS clusters, you can grant users or groups access to Kubernetes
          resources within a namespace or across the cluster. To obtain a kubectl configuration
          context, a user can run the az aks get-credentials command. When a user then interacts
          with the AKS cluster with kubectl, they're prompted to sign in with their Azure AD
          credentials. This approach provides a single source for user account management and
          password credentials. The user can only access the resources as defined by the cluster
          administrator.
          Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect
          is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID
          Connect, see the Open ID connect documentation. From inside of the Kubernetes cluster,
          Webhook Token Authentication is used to verify authentication tokens. Webhook token
          authentication is configured and managed as part of the AKS cluster.
        scored: false

  - id: 5.3
    text: "Key Management Service (KMS)"
    checks:
      - id: 5.3.1
        text: "Ensure Kubernetes Secrets are encrypted (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

  - id: 5.4
    text: "Cluster Networking"
    checks:
      - id: 5.4.1
        text: "Restrict Access to the Control Plane Endpoint (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.4.2
        text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.4.3
        text: "Ensure clusters are created with Private Nodes (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.4.4
        text: "Ensure Network Policy is Enabled and set as appropriate (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.4.5
        text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false


  - id: 5.5
    text: "Authentication and Authorization"
    checks:
      - id: 5.5.1
        text: "Manage Kubernetes RBAC users with Azure AD (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false
      - id: 5.5.2
        text: "Use Azure RBAC for Kubernetes Authorization (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

  - id: 5.6
    text: "Other Cluster Configurations"
    checks:
      - id: 5.6.1
        text: "Restrict untrusted workloads (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false
      - id: 5.6.2
        text: "Hostile multi-tenant workloads (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false


================================================
FILE: cfg/aks-1.0/master.yaml
================================================
---
controls:
version: "aks-1.0"
id: 1
text: "Control Plane Components"
type: "master"


================================================
FILE: cfg/aks-1.0/node.yaml
================================================
---
controls:
version: "aks-1.0"
id: 3
text: "Worker Node Security Configuration"
type: "node"
groups:
  - id: 3.1
    text: "Worker Node Configuration Files"
    checks:
      - id: 3.1.1
        text: "Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Manual)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example,
          chmod 644 $kubeletkubeconfig
        scored: false

      - id: 3.1.2
        text: "Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example,
          chown root:root $kubeletkubeconfig
        scored: false

      - id: 3.1.3
        text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Manual)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chmod 644 $kubeletconf
        scored: false

      - id: 3.1.4
        text: "Ensure that the kubelet configuration file ownership is set to root:root (Manual)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chown root:root $kubeletconf
        scored: false

  - id: 3.2
    text: "Kubelet"
    checks:
      - id: 3.2.1
        text: "Ensure that the --anonymous-auth argument is set to false (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--anonymous-auth"
              path: '{.authentication.anonymous.enabled}'
              compare:
                op: eq
                value: false
        remediation: |
          If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
          false.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --anonymous-auth=false
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 3.2.2
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --authorization-mode
              path: '{.authorization.mode}'
              compare:
                op: nothave
                value: AlwaysAllow
        remediation: |
          If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If
          using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --authorization-mode=Webhook
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 3.2.3
        text: "Ensure that the --client-ca-file argument is set as appropriate (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --client-ca-file
              path: '{.authentication.x509.clientCAFile}'
              set: true
        remediation: |
          If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
          the location of the client CA file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --client-ca-file=<path/to/client-ca-file>
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 3.2.4
        text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: true
              compare:
                op: eq
                value: 0
        remediation: |
          If using a Kubelet config file, edit the file to set readOnlyPort to 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --read-only-port=0
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 3.2.5
        text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              set: true
              compare:
                op: noteq
                value: 0
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
          value other than 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --streaming-connection-idle-timeout=5m
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 3.2.6
        text: "Ensure that the --protect-kernel-defaults argument is set to true (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --protect-kernel-defaults
              path: '{.protectKernelDefaults}'
              set: true
              compare:
                op: eq
                value: true
        remediation: |
          If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --protect-kernel-defaults=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 3.2.7
        text: "Ensure that the --make-iptables-util-chains argument is set to true (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              set: true
              compare:
                op: eq
                value: true
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove the --make-iptables-util-chains argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 3.2.8
        text: "Ensure that the --hostname-override argument is not set (Manual)"
        # This is one of those properties that can only be set as a command line argument.
        # To check if the property is set as expected, we need to parse the kubelet command
        # instead reading the Kubelet Configuration file.
        audit: "/bin/ps -fC $kubeletbin "
        tests:
          test_items:
            - flag: --hostname-override
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and remove the --hostname-override argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 3.2.9
        text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --event-qps
              path: '{.eventRecordQPS}'
              set: true
              compare:
                op: eq
                value: 0
        remediation: |
          If using a Kubelet config file, edit the file to set eventRecordQPS to an appropriate level.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --event-qps=0
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 3.2.10
        text: "Ensure that the --rotate-certificates argument is not set to false (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              set: true
              compare:
                op: eq
                value: true
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to add the line rotateCertificates: true or
          remove it altogether to use the default value.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
          variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 3.2.11
        text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              set: true
              compare:
                op: eq
                value: true
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
          --feature-gates=RotateKubeletServerCertificate=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false


================================================
FILE: cfg/aks-1.0/policies.yaml
================================================
---
controls:
version: "aks-1.0"
id: 4
text: "Policies"
type: "policies"
groups:
  - id: 4.1
    text: "RBAC and Service Accounts"
    checks:
      - id: 4.1.1
        text: "Ensure that the cluster-admin role is only used where required (Manual)"
        type: "manual"
        remediation: |
          Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
          if they need this role or if they could use a role with fewer privileges.
          Where possible, first bind users to a lower privileged role and then remove the
          clusterrolebinding to the cluster-admin role:
          kubectl delete clusterrolebinding [name]
        scored: false

      - id: 4.1.2
        text: "Minimize access to secrets (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove get, list and watch access to secret objects in the cluster.
        scored: false

      - id: 4.1.3
        text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
        type: "manual"
        remediation: |
          Where possible replace any use of wildcards in clusterroles and roles with specific
          objects or actions.
        scored: false

      - id: 4.1.4
        text: "Minimize access to create pods (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove create access to pod objects in the cluster.
        scored: false

      - id: 4.1.5
        text: "Ensure that default service accounts are not actively used. (Manual)"
        type: "manual"
        remediation: |
          Create explicit service accounts wherever a Kubernetes workload requires specific access
          to the Kubernetes API server.
          Modify the configuration of each default service account to include this value
          automountServiceAccountToken: false
        scored: false

      - id: 4.1.6
        text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)"
        type: "manual"
        remediation: |
          Modify the definition of pods and service accounts which do not need to mount service
          account tokens to disable it.
        scored: false

  - id: 4.2
    text: "Pod Security Policies"
    checks:
      - id: 4.2.1
        text: "Minimize the admission of privileged containers (Automated)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that
          the .spec.privileged field is omitted or set to false.
        scored: false

      - id: 4.2.2
        text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.hostPID field is omitted or set to false.
        scored: false

      - id: 4.2.3
        text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.hostIPC field is omitted or set to false.
        scored: false

      - id: 4.2.4
        text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.hostNetwork field is omitted or set to false.
        scored: false

      - id: 4.2.5
        text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.allowPrivilegeEscalation field is omitted or set to false.
        scored: false

      - id: 4.2.6
        text: "Minimize the admission of root containers (Automated)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of
          UIDs not including 0.
        scored: false

      - id: 4.2.7
        text: "Minimize the admission of containers with the NET_RAW capability (Automated)"
        type: "manual"
        remediation: |
          Create a PSP as described in the Kubernetes documentation, ensuring that the
          .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
        scored: false

      - id: 4.2.8
        text: "Minimize the admission of containers with added capabilities (Automated)"
        type: "manual"
        remediation: |
          Ensure that allowedCapabilities is not present in PSPs for the cluster unless
          it is set to an empty array.
        scored: false

      - id: 4.2.9
        text: "Minimize the admission of containers with capabilities assigned (Manual)"
        type: "manual"
        remediation: |
          Review the use of capabilities in applications running on your cluster. Where a namespace
          contains applications which do not require any Linux capabilities to operate, consider adding
          a PSP which forbids the admission of containers which do not drop all capabilities.
        scored: false

  - id: 4.3
    text: "Azure Policy / OPA"
    checks: []

  - id: 4.4
    text: "CNI Plugin"
    checks:
      - id: 4.4.1
        # NOTE(review): this is the AKS profile (see group 4.3 "Azure Policy / OPA" above), but the
        # remediation refers to the AWS CNI plugin — presumably carried over from the EKS profile.
        # Confirm and point the operator at the Azure CNI documentation instead.
        text: "Ensure that the latest CNI version is used (Manual)"
        type: "manual"
        remediation: |
          Review the documentation of AWS CNI plugin, and ensure latest CNI version is used.
        scored: false

      - id: 4.4.2
        text: "Ensure that all Namespaces have Network Policies defined (Manual)"
        type: "manual"
        remediation: |
          Follow the documentation and create NetworkPolicy objects as you need them.
        scored: false

  - id: 4.5
    text: "Secrets Management"
    checks:
      - id: 4.5.1
        text: "Prefer using secrets as files over secrets as environment variables (Manual)"
        type: "manual"
        remediation: |
          If possible, rewrite application code to read secrets from mounted secret files, rather than
          from environment variables.
        scored: false

      - id: 4.5.2
        text: "Consider external secret storage (Manual)"
        type: "manual"
        remediation: |
          Refer to the secrets management options offered by your cloud provider or a third-party
          secrets management solution.
        scored: false

  - id: 4.6
    text: "Extensible Admission Control"
    checks:
      - id: 4.6.1
        text: "Verify that admission controllers are working as expected (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

  - id: 4.7
    text: "General Policies"
    checks:
      - id: 4.7.1
        text: "Create administrative boundaries between resources using namespaces (Manual)"
        type: "manual"
        remediation: |
          Follow the documentation and create namespaces for objects in your deployment as you need
          them.
        scored: false

      - id: 4.7.2
        text: "Apply Security Context to Your Pods and Containers (Manual)"
        type: "manual"
        remediation: |
          Follow the Kubernetes documentation and apply security contexts to your pods. For a
          suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
          Containers.
        scored: false

      - id: 4.7.3
        text: "The default namespace should not be used (Manual)"
        type: "manual"
        remediation: |
          Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
          resources and that all new resources are created in a specific namespace.
        scored: false


================================================
FILE: cfg/aks-1.7/config.yaml
================================================
---
## Version-specific settings that override the values in cfg/config.yaml


================================================
FILE: cfg/aks-1.7/controlplane.yaml
================================================
---
controls:
version: "aks-1.7"
id: 2
text: "Control Plane Configuration"
type: "controlplane"
groups:
  - id: 2.1
    text: "Logging"
    checks:
      - id: 2.1.1
        text: "Enable audit Logs"
        type: "manual"
        remediation: |
          Azure audit logs are enabled and managed in the Azure portal. To enable log collection for
          the Kubernetes master components in your AKS cluster, open the Azure portal in a web
          browser and complete the following steps:
          1. Select the resource group for your AKS cluster, such as myResourceGroup. Don't
             select the resource group that contains your individual AKS cluster resources, such
             as MC_myResourceGroup_myAKSCluster_eastus.
          2. On the left-hand side, choose Diagnostic settings.
          3. Select your AKS cluster, such as myAKSCluster, then choose to Add diagnostic setting.
          4. Enter a name, such as myAKSClusterLogs, then select the option to Send to Log Analytics.
          5. Select an existing workspace or create a new one. If you create a workspace, provide
             a workspace name, a resource group, and a location.
          6. In the list of available logs, select the logs you wish to enable. For this example,
             enable the kube-audit and kube-audit-admin logs. Common logs include the kube-
             apiserver, kube-controller-manager, and kube-scheduler. You can return and change
             the collected logs once Log Analytics workspaces are enabled.
          7. When ready, select Save to enable collection of the selected logs.
        scored: false


================================================
FILE: cfg/aks-1.7/managedservices.yaml
================================================
---
controls:
version: "aks-1.7"
id: 5
text: "Managed Services"
type: "managedservices"
groups:
  - id: 5.1
    text: "Image Registry and Image Scanning"
    checks:
      - id: 5.1.1
        text: "Ensure Image Vulnerability Scanning using Microsoft Defender for Cloud (MDC) image scanning or a third party provider (Manual)"
        type: "manual"
        remediation: |
          Enable MDC for Container Registries by running the following Azure CLI command:
          az security pricing create --name ContainerRegistry --tier Standard
          Alternatively, use the following command to enable image scanning for your container registry:
          az resource update --ids /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.ContainerRegistry/registries/{registry-name} --set properties.enabled=true
          Replace `subscription-id`, `resource-group-name`, and `registry-name` with the correct values for your environment.
          Please note that enabling MDC for Container Registries will incur additional costs, so be sure to review the pricing information provided in the Azure documentation before enabling it.
        scored: false

      - id: 5.1.2
        text: "Minimize user access to Azure Container Registry (ACR) (Manual)"
        type: "manual"
        remediation: |
          Azure Container Registry
          If you use Azure Container Registry (ACR) as your container image store, you need to grant
          permissions to the service principal for your AKS cluster to read and pull images. Currently,
          the recommended configuration is to use the az aks create or az aks update command to
          integrate with a registry and assign the appropriate role for the service principal. For
          detailed steps, see Authenticate with Azure Container Registry from Azure Kubernetes
          Service.
          To avoid needing an Owner or Azure account administrator role, you can configure a
          service principal manually or use an existing service principal to authenticate ACR from
          AKS. For more information, see ACR authentication with service principals or Authenticate
          from Kubernetes with a pull secret.
        scored: false

      - id: 5.1.3
        text: "Minimize cluster access to read-only for Azure Container Registry (ACR) (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.1.4
        text: "Minimize Container Registries to only those approved (Manual)"
        type: "manual"
        remediation: |
          If you are using **Azure Container Registry**, you can restrict access using firewall rules as described in the official documentation:
          https://docs.microsoft.com/en-us/azure/container-registry/container-registry-firewall-access-rules
          For other non-AKS repositories, you can use **admission controllers** or **Azure Policy** to enforce registry access restrictions.
          Limiting or locking down egress traffic to specific container registries is also recommended. For more information, refer to:
          https://docs.microsoft.com/en-us/azure/aks/limit-egress-traffic
        scored: false


  - id: 5.2
    text: "Access and identity options for Azure Kubernetes Service (AKS)"
    checks:
      - id: 5.2.1
        text: "Prefer using dedicated AKS Service Accounts (Manual)"
        type: "manual"
        remediation: |
          Azure Active Directory integration
          The security of AKS clusters can be enhanced with the integration of Azure Active Directory
          (AD). Built on decades of enterprise identity management, Azure AD is a multi-tenant,
          cloud-based directory, and identity management service that combines core directory
          services, application access management, and identity protection. With Azure AD, you can
          integrate on-premises identities into AKS clusters to provide a single source for account
          management and security.
          Azure Active Directory integration with AKS clusters
          With Azure AD-integrated AKS clusters, you can grant users or groups access to Kubernetes
          resources within a namespace or across the cluster. To obtain a kubectl configuration
          context, a user can run the az aks get-credentials command. When a user then interacts
          with the AKS cluster with kubectl, they're prompted to sign in with their Azure AD
          credentials. This approach provides a single source for user account management and
          password credentials. The user can only access the resources as defined by the cluster
          administrator.
          Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect
          is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID
          Connect, see the Open ID connect documentation. From inside of the Kubernetes cluster,
          Webhook Token Authentication is used to verify authentication tokens. Webhook token
          authentication is configured and managed as part of the AKS cluster.
        scored: false


  - id: 5.3
    text: "Key Management Service (KMS)"
    checks:
      - id: 5.3.1
        text: "Ensure Kubernetes Secrets are encrypted (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false


  - id: 5.4
    text: "Cluster Networking"
    checks:
      - id: 5.4.1
        text: "Restrict Access to the Control Plane Endpoint (Manual)"
        type: "manual"
        remediation: |
          By enabling private endpoint access to the Kubernetes API server, all communication between your nodes and the API server stays within your VPC. You can also limit the IP addresses that can access your API server from the internet, or completely disable internet access to the API server.
          With this in mind, you can update your cluster accordingly using the AKS CLI to ensure that Private Endpoint Access is enabled.
          If you choose to also enable Public Endpoint Access then you should also configure a list of allowable CIDR blocks, resulting in restricted access from the internet. If you specify no CIDR blocks, then the public API server endpoint is able to receive and process requests from all IP addresses by defaulting to ['0.0.0.0/0'].
          Example:
          az aks update --name ${CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} --api-server-access-profile enablePrivateCluster=true --api-server-access-profile authorizedIpRanges=192.168.1.0/24
        scored: false

      - id: 5.4.2
        text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
        type: "manual"
        remediation: |
          To use a private endpoint, create a new private endpoint in your virtual network, then create a link between your virtual network and a new private DNS zone.
          You can also restrict access to the public endpoint by enabling only specific CIDR blocks to access it. For example:
          az aks update --name ${CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} --api-server-access-profile enablePublicFqdn=false
          This command disables the public API endpoint for your AKS cluster.
        scored: false

      - id: 5.4.3
        text: "Ensure clusters are created with Private Nodes (Manual)"
        type: "manual"
        remediation: |
          To create a private cluster, use the following command:
          az aks create \
          --resource-group <private-cluster-resource-group> \
          --name <private-cluster-name> \
          --load-balancer-sku standard \
          --enable-private-cluster \
          --network-plugin azure \
          --vnet-subnet-id <subnet-id> \
          --docker-bridge-address <docker-bridge-address> \
          --dns-service-ip <dns-service-ip> \
          --service-cidr <service-cidr>
          Ensure that --enable-private-cluster flag is set to enable private nodes in your cluster.
        scored: false

      - id: 5.4.4
        text: "Ensure Network Policy is Enabled and set as appropriate (Manual)"
        type: "manual"
        remediation: |
          Utilize Calico or another network policy engine to segment and isolate your traffic.
          Enable network policies on your AKS cluster by following the Azure documentation or using the `az aks` CLI to enable the network policy add-on.
        scored: false


      - id: 5.4.5
        text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false


  - id: 5.5
    text: "Authentication and Authorization"
    checks:
      - id: 5.5.1
        text: "Manage Kubernetes RBAC users with Azure AD (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false

      - id: 5.5.2
        text: "Use Azure RBAC for Kubernetes Authorization (Manual)"
        type: "manual"
        remediation: "No remediation"
        scored: false


================================================
FILE: cfg/aks-1.7/master.yaml
================================================
---
controls:
version: "aks-1.7"
id: 1
text: "Control Plane Components"
type: "master"


================================================
FILE: cfg/aks-1.7/node.yaml
================================================
---
controls:
version: "aks-1.7"
id: 3
text: "Worker Node Security Configuration"
type: "node"
groups:
  - id: 3.1
    text: "Worker Node Configuration Files"
    checks:
      - id: 3.1.1
        text: "Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example,
          chmod 644 $kubeletkubeconfig
        scored: true

      - id: 3.1.2
        text: "Ensure that the kubelet kubeconfig file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example,
          chown root:root $kubeletkubeconfig
        scored: true

      - id: 3.1.3
        # NOTE(review): the audit stats /etc/kubernetes/azure.json, but the remediation tells the
        # operator to chmod $kubeletconf — a different file ($kubeletconf is the kubelet config read
        # by audit_config in the 3.2.x checks below). Name /etc/kubernetes/azure.json in the
        # remediation so that fixing what is reported actually clears the finding.
        text: "Ensure that the azure.json file has permissions set to 644 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e /etc/kubernetes/azure.json; then stat -c permissions=%a /etc/kubernetes/azure.json; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chmod 644 $kubeletconf
        scored: true

      - id: 3.1.4
        # NOTE(review): the check text names azure.json, but both the audit and the remediation
        # operate on $kubeletconf, so the ownership of azure.json is never actually inspected and a
        # PASS here says nothing about that file. Use /etc/kubernetes/azure.json in the audit and
        # remediation, matching the audit of 3.1.3.
        text: "Ensure that the azure.json file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chown root:root $kubeletconf
        scored: true


  - id: 3.2
    text: "Kubelet"
    checks:
      - id: 3.2.1
        text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--anonymous-auth"
              path: '{.authentication.anonymous.enabled}'
              compare:
                op: eq
                value: false
        remediation: |
          If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
          false.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --anonymous-auth=false
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 3.2.2
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --authorization-mode
              path: '{.authorization.mode}'
              compare:
                op: nothave
                value: AlwaysAllow
        remediation: |
          If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If
          using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --authorization-mode=Webhook
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 3.2.3
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --client-ca-file
              path: '{.authentication.x509.clientCAFile}'
              set: true
        remediation: |
          If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
          the location of the client CA file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --client-ca-file=<path/to/client-ca-file>
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 3.2.4
        text: "Ensure that the --read-only-port is secured (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: true
              compare:
                op: eq
                value: 0
        remediation: |
          If using a Kubelet config file, edit the file to set readOnlyPort to 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --read-only-port=0
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 3.2.5
        text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              set: true
              compare:
                op: noteq
                value: 0
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
          value other than 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --streaming-connection-idle-timeout=5m
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 3.2.6
        text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              set: true
              compare:
                op: eq
                value: true
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove the --make-iptables-util-chains argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true


      - id: 3.2.7
        # NOTE(review): the test only passes when eventRecordQPS is exactly 0 (op: eq, value: 0),
        # yet the remediation recommends setting it to 5 — following the remediation leaves the
        # check failing. Either accept a non-zero value here (the check text allows "a level which
        # ensures appropriate event capture") or recommend 0.
        # Also, `--eventRecordQPS` is not the kubelet command-line flag: the test_items flag and
        # the kubelet CLI use `--event-qps`; eventRecordQPS is the config-file field name.
        text: "Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --event-qps
              path: '{.eventRecordQPS}'
              set: true
              compare:
                op: eq
                value: 0
        remediation: |
          If using a Kubelet config file, edit the file to set the 'eventRecordQPS' value to an appropriate level (e.g., 5).
          If using executable arguments, check the Kubelet service file `$kubeletsvc` on each worker node, and add the following parameter to the `KUBELET_ARGS` variable:
          --eventRecordQPS=5
          Ensure that there is no conflicting `--eventRecordQPS` setting in the service file that overrides the config file.
          After making the changes, restart the Kubelet service:
          systemctl daemon-reload
          systemctl restart kubelet.service
          systemctl status kubelet -l
        scored: true


      - id: 3.2.8
        # NOTE(review): the remediation hard-codes /etc/kubernetes/kubelet/kubelet-config.json and
        # /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf, while the audit here and every
        # other check in this file refer to $kubeletconf / $kubeletsvc. Prefer the variables so the
        # guidance points at the same file the audit inspected on this node.
        text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              set: true
              compare:
                op: eq
                value: true
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              set: false
          bin_op: or
        remediation: |
          If modifying the Kubelet config file, edit the `kubelet-config.json` file located at `/etc/kubernetes/kubelet/kubelet-config.json` and set the following parameter to `true`:
          "rotateCertificates": true
          Ensure that the Kubelet service file located at `/etc/systemd/system/kubelet.service.d/10-kubelet-args.conf` does not define the `--rotate-certificates` argument as `false`, as this would override the config file.
          If using executable arguments, add the following line to the `KUBELET_CERTIFICATE_ARGS` variable:
          --rotate-certificates=true
          After making the necessary changes, restart the Kubelet service:
          systemctl daemon-reload
          systemctl restart kubelet.service
          systemctl status kubelet -l
        scored: true

      - id: 3.2.9
        # NOTE(review): this test requires the feature gate to be explicitly present and true. If
        # the gate is simply absent because the kubelet's default already enables it (which I
        # believe is the case on recent releases — confirm), the check fails. 3.2.8 handles that
        # situation with a second test_item using set: false under bin_op: or; consider the same here.
        text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              set: true
              compare:
                op: eq
                value: true
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
          --feature-gates=RotateKubeletServerCertificate=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true


================================================
FILE: cfg/aks-1.7/policies.yaml
================================================
---
controls:
version: "aks-1.7"
id: 4
text: "Policies"
type: "policies"
groups:
  - id: 4.1
    text: "RBAC and Service Accounts"
    checks:
      - id: 4.1.1
        # NOTE(review): the `|| echo "NO_CLUSTER_ADMIN_BINDINGS"` fallback only runs when jq exits
        # non-zero, and jq exits 0 when its filter simply produces no output. On a compliant cluster
        # the audit therefore prints nothing, the flag the test requires (set: true) is missing, and
        # the check fails anyway. Emit both outcomes from inside jq, as 4.2.1 does with
        # `if any(...) then ... else ... end`, or run jq with `-e` so an empty result yields a
        # non-zero status.
        text: "Ensure that the cluster-admin role is only used where required (Automated)"
        audit: |
          kubectl get clusterrolebindings -o json | jq -r '
            .items[]
            | select(.roleRef.name == "cluster-admin")
            | .subjects[]?
            | select(.kind != "Group" or (.name != "system:masters" and .name != "system:nodes"))
            | "FOUND_CLUSTER_ADMIN_BINDING"
          ' || echo "NO_CLUSTER_ADMIN_BINDINGS"
        tests:
          test_items:
            - flag: "NO_CLUSTER_ADMIN_BINDINGS"
              set: true
              compare:
                op: eq
                value: "NO_CLUSTER_ADMIN_BINDINGS"
        remediation: |
          Identify all clusterrolebindings to the cluster-admin role using:

            kubectl get clusterrolebindings --no-headers | grep cluster-admin

          Review if each of them actually needs this role. If not, remove the binding:

            kubectl delete clusterrolebinding <binding-name>

          Where possible, assign a less privileged ClusterRole.
        scored: true

      - id: 4.1.2
        # NOTE(review): only namespaced Roles are inspected (`kubectl get roles`); ClusterRoles that
        # grant get/list/watch on secrets are not covered, unlike 4.1.3, which queries both. A
        # cluster-wide grant is the more dangerous case, so query clusterroles here as well.
        # Also, `wc -l` counts lines of pretty-printed jq output rather than matching objects — fine
        # for the `-gt 0` presence test, but misleading if the number is ever reported.
        text: "Minimize access to secrets (Automated)"
        audit: |
          count=$(kubectl get roles --all-namespaces -o json | jq '
            .items[]
            | select(.rules[]?
              | (.resources[]? == "secrets")
              and ((.verbs[]? == "get") or (.verbs[]? == "list") or (.verbs[]? == "watch"))
            )' | wc -l)

          if [ "$count" -gt 0 ]; then
            echo "SECRETS_ACCESS_FOUND"
          fi
        tests:
          test_items:
            - flag: "SECRETS_ACCESS_FOUND"
              set: false
        remediation: |
          Identify all roles that grant access to secrets via get/list/watch verbs.
          Use `kubectl edit role -n <namespace> <name>` to remove these permissions.
          Alternatively, create a new least-privileged role that excludes secret access.
        scored: true

      - id: 4.1.3
        # NOTE(review): built-in ClusterRoles (cluster-admin among them) use `*`, so this audit is
        # expected to fire on essentially every cluster and the check will rarely be actionable as
        # written — consider excluding system-provided roles or treating the output as a list to
        # review rather than a pass/fail. As in 4.1.2, `wc -l` counts output lines, not objects.
        text: "Minimize wildcard use in Roles and ClusterRoles (Automated)"
        audit: |
          wildcards=$(kubectl get roles --all-namespaces -o json | jq '
            .items[] | select(
              .rules[]? | (.verbs[]? == "*" or .resources[]? == "*" or .apiGroups[]? == "*")
            )' | wc -l)

          wildcards_clusterroles=$(kubectl get clusterroles -o json | jq '
            .items[] | select(
              .rules[]? | (.verbs[]? == "*" or .resources[]? == "*" or .apiGroups[]? == "*")
            )' | wc -l)

          total=$((wildcards + wildcards_clusterroles))

          if [ "$total" -gt 0 ]; then
            echo "wildcards_present"
          fi
        tests:
          test_items:
            - flag: wildcards_present
              set: false
        remediation: |
          Identify roles and clusterroles using wildcards (*) in 'verbs', 'resources', or 'apiGroups'.
          Replace wildcards with specific values to enforce least privilege access.
          Use `kubectl edit role -n <namespace> <name>` or `kubectl edit clusterrole <name>` to update.
        scored: true


      - id: 4.1.4
        text: "Minimize access to create pods (Automated)"
        audit: |
          echo "🔹 Roles and ClusterRoles with 'create' access on 'pods':"
          access=$(kubectl get roles,clusterroles -A -o json | jq '
            [.items[] |
              select(
                .rules[]? |
                (.resources[]? == "pods" and .verbs[]? == "create")
              )
            ] | length')

          if [ "$access" -gt 0 ]; then
            echo "pods_create_access"
          fi
        tests:
          test_items:
            - flag: pods_create_access
              set: false
        remediation: |
          Review all roles and clusterroles that have "create" permission on "pods".

          🔒 Where possible, remove or restrict this permission to only required service accounts.

          🛠 Use:
            - `kubectl edit role -n <namespace> <role>`
            - `kubectl edit clusterrole <name>`

          ✅ Apply least privilege principle across the cluster.
        scored: true


      - id: 4.1.5
        # NOTE(review): the flag `default_sa_not_auto_mounted` is printed when default
        # ServiceAccounts still have token automount enabled (automountServiceAccountToken != false),
        # so its name reads as the opposite of what it signals; a name such as
        # default_sa_automount_enabled would match the `set: false` expectation below. The second
        # echo passes a literal `\n`, which /bin/sh's echo may or may not expand depending on the
        # shell — it does not affect the flag match, only the banner text.
        text: "Ensure that default service accounts are not actively used (Automated)"
        audit: |
          echo "🔹 Default Service Accounts with automountServiceAccountToken enabled:"
          default_sa_count=$(kubectl get serviceaccounts --all-namespaces -o json | jq '
            [.items[] | select(.metadata.name == "default" and (.automountServiceAccountToken != false))] | length')
          if [ "$default_sa_count" -gt 0 ]; then
            echo "default_sa_not_auto_mounted"
          fi

          echo "\n🔹 Pods using default ServiceAccount:"
          pods_using_default_sa=$(kubectl get pods --all-namespaces -o json | jq '
            [.items[] | select(.spec.serviceAccountName == "default")] | length')
          if [ "$pods_using_default_sa" -gt 0 ]; then
            echo "default_sa_used_in_pods"
          fi
        tests:
          test_items:
            - flag: default_sa_not_auto_mounted
              set: false
            - flag: default_sa_used_in_pods
              set: false
        remediation: |
          1. Avoid using default service accounts for workloads.
          2. Set `automountServiceAccountToken: false` on all default SAs:
             kubectl patch serviceaccount default -n <namespace> -p '{"automountServiceAccountToken": false}'
          3. Use custom service accounts with only the necessary permissions.
        scored: true


      - id: 4.1.6
        # NOTE(review): an unset pod-level automountServiceAccountToken is treated as "mounted". If
        # the pod's ServiceAccount sets automountServiceAccountToken: false, no token is mounted
        # either, so this audit can flag pods that are in fact compliant — cross-check against the
        # ServiceAccount setting (see 4.1.5) before failing them.
        text: "Ensure that Service Account Tokens are only mounted where necessary (Automated)"
        audit: |
          echo "🔹 Pods with automountServiceAccountToken enabled:"
          pods_with_token_mount=$(kubectl get pods --all-namespaces -o json | jq '
            [.items[] | select(.spec.automountServiceAccountToken != false)] | length')

          if [ "$pods_with_token_mount" -gt 0 ]; then
            echo "automountServiceAccountToken"
          fi
        tests:
          test_items:
            - flag: automountServiceAccountToken
              set: false
        remediation: |
          Pods that do not need access to the Kubernetes API should not mount service account tokens.

          ✅ To disable token mounting in a pod definition:
          ```yaml
          spec:
            automountServiceAccountToken: false
          ```

          ✅ Or patch an existing pod's spec (recommended via workload template):
          Patch not possible for running pods — update the deployment YAML or recreate pods with updated spec.
        scored: true


  - id: 4.2
    text: "Pod Security Policies"
    checks:
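      - id: 4.2.1
        text: "Minimize the admission of privileged containers (Automated)"
        # Inspect init and ephemeral containers as well: a privileged initContainer has
        # the same host access as a privileged app container, but a query over
        # .spec.containers alone never saw it. jq prints nothing for empty input, so a
        # failed kubectl call leaves the NO_PRIVILEGED flag absent and the check fails
        # closed.
        audit: |
          kubectl get pods --all-namespaces -o json | \
            jq -r 'if any(.items[]? | (.spec.containers[]?, .spec.initContainers[]?, .spec.ephemeralContainers[]?);
                          .securityContext?.privileged == true)
                   then "PRIVILEGED_FOUND" else "NO_PRIVILEGED" end'
        tests:
          test_items:
            - flag: "NO_PRIVILEGED"
              set: true
              compare:
                op: eq
                value: "NO_PRIVILEGED"
        remediation: |
          Add a Pod Security Admission (PSA) policy to each namespace in the cluster to restrict the admission of privileged containers.
          To enforce a restricted policy for a specific namespace, use the following command:
          kubectl label --overwrite ns NAMESPACE pod-security.kubernetes.io/enforce=restricted
          To warn (without blocking) on baseline violations across all namespaces:
          kubectl label --overwrite ns --all pod-security.kubernetes.io/warn=baseline
          Additionally, review the namespaces that should be excluded (e.g., `kube-system`, `gatekeeper-system`, `azure-arc`, `azure-extensions-usage-system`) and adjust your filtering if necessary.
          Pod Security Policy (PSP) was removed in Kubernetes 1.25; use Pod Security Admission or Azure Policy for AKS instead. See:
          https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes
        scored: true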

      - id: 4.2.2
        text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)"
        # hostPID is a pod-level field, so the pod list is the right scope here.
        # If kubectl returns no JSON (e.g. RBAC denied), jq prints nothing, the
        # NO_HOSTPID flag is absent and the check fails closed rather than passing.
        audit: |
          kubectl get pods --all-namespaces -o json | \
            jq -r 'if any(.items[]?; .spec.hostPID == true) then "HOSTPID_FOUND" else "NO_HOSTPID" end'
        tests:
          test_items:
            - flag: "NO_HOSTPID"
              set: true
              compare:
                op: eq
                value: "NO_HOSTPID"

        remediation: |
          Add a policy to each namespace in the cluster that restricts the admission of containers with hostPID. For namespaces that need it, ensure RBAC controls limit access to a specific service account.
          You can label your namespaces as follows to restrict or enforce the policy:
          kubectl label --overwrite ns NAMESPACE pod-security.kubernetes.io/enforce=restricted
          You can also use the following to warn about policies:
          kubectl label --overwrite ns --all pod-security.kubernetes.io/warn=baseline
          For more information, refer to the official Kubernetes and Azure documentation on policies:
          https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes
        scored: true

      - id: 4.2.3
        text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)"
        # hostIPC is a pod-level field, so the pod list is the right scope here.
        # jq prints nothing for empty input, so a failed kubectl call leaves the
        # NO_HOSTIPC flag absent and the check fails closed.
        audit: |
          kubectl get pods --all-namespaces -o json | jq -r 'if any(.items[]?; .spec.hostIPC == true) then "HOSTIPC_FOUND" else "NO_HOSTIPC" end'
        tests:
          test_items:
            - flag: "NO_HOSTIPC"
              set: true
              compare:
                op: eq
                value: "NO_HOSTIPC"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the admission of hostIPC containers.
          You can label your namespaces as follows to restrict or enforce the policy:
          kubectl label --overwrite ns NAMESPACE pod-security.kubernetes.io/enforce=restricted
          You can also use the following to warn about policies:
          kubectl label --overwrite ns --all pod-security.kubernetes.io/warn=baseline
          For more information, refer to the official Kubernetes and Azure documentation on policies:
          https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes
        scored: true

      - id: 4.2.4
        text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
        # hostNetwork is a pod-level field, so the pod list is the right scope here.
        # jq prints nothing for empty input, so a failed kubectl call leaves the
        # NO_HOSTNETWORK flag absent and the check fails closed.
        audit: |
          kubectl get pods --all-namespaces -o json | jq -r 'if any(.items[]?; .spec.hostNetwork == true) then "HOSTNETWORK_FOUND" else "NO_HOSTNETWORK" end'
        tests:
          test_items:
            - flag: "NO_HOSTNETWORK"
              set: true
              compare:
                op: eq
                value: "NO_HOSTNETWORK"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the admission of hostNetwork containers.
          You can label your namespaces as follows to restrict or enforce the policy:
          kubectl label --overwrite ns NAMESPACE pod-security.kubernetes.io/enforce=restricted
          You can also use the following to warn about policies:
          kubectl label --overwrite ns --all pod-security.kubernetes.io/warn=baseline
          For more information, refer to the official Kubernetes and Azure documentation on policies:
          https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes
        scored: true

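      - id: 4.2.5
        text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)"
        # Covers init and ephemeral containers as well as app containers, and fixes the
        # ALLOWPRIVILEGEESCALTION typo in the flag (audit and test are both in this item,
        # so the rename is self-contained).
        # NOTE(review): this only reports an explicit `true`. A container that leaves the
        # field unset is not flagged, although the restricted Pod Security Standard
        # requires an explicit `false`; tighten the condition to `!= false` if the
        # cluster enforces that profile.
        audit: |
          kubectl get pods --all-namespaces -o json | \
            jq -r 'if any(.items[]? | (.spec.containers[]?, .spec.initContainers[]?, .spec.ephemeralContainers[]?);
                          .securityContext?.allowPrivilegeEscalation == true)
                   then "ALLOWPRIVILEGEESCALATION_FOUND" else "NO_ALLOWPRIVILEGEESCALATION" end'
        tests:
          test_items:
            - flag: "NO_ALLOWPRIVILEGEESCALATION"
              set: true
              compare:
                op: eq
                value: "NO_ALLOWPRIVILEGEESCALATION"
        remediation: |
          Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers whose securityContext.allowPrivilegeEscalation is set to true (or left unset).
          You can label your namespaces as follows to restrict or enforce the policy:
          kubectl label --overwrite ns NAMESPACE pod-security.kubernetes.io/enforce=restricted
          You can also use the following to warn about policies:
          kubectl label --overwrite ns --all pod-security.kubernetes.io/warn=baseline
          For more information, refer to the official Kubernetes and Azure documentation on policies:
          https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes
        scored: true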


  - id: 4.3
    text: "Azure Policy / OPA"
    checks: []


  - id: 4.4
    text: "CNI Plugin"
    checks:
      - id: 4.4.1
        text: "Ensure latest CNI version is used (Manual)"
        type: "manual"
        remediation: |
          Review the Azure CNI plugin documentation for AKS, and ensure the latest supported CNI version is used.
        scored: false

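      - id: 4.4.2
        text: "Ensure that all Namespaces have Network Policies defined (Automated)"
        # Written in POSIX sh: audit scripts are executed by a plain sh, not bash, where
        # process substitution (`<(...)`) is a syntax error and the check could never pass.
        # Also fails closed: when the namespace list cannot be read (RBAC denied, API
        # error) the previous version computed an empty difference and reported a PASS.
        # NOTE(review): system namespaces (kube-system, kube-public, kube-node-lease) are
        # included because the control says all namespaces; give them an explicit policy
        # rather than excluding them here.
        audit: |
          all_ns=$(kubectl get ns -o jsonpath='{.items[*].metadata.name}' 2>/dev/null | tr ' ' '\n' | sort -u)
          np_ns=$(kubectl get networkpolicy --all-namespaces -o jsonpath='{.items[*].metadata.namespace}' 2>/dev/null | tr ' ' '\n' | sort -u)
          if [ -z "$all_ns" ]; then
            echo "NAMESPACE_QUERY_FAILED"
          else
            ns_without_np=""
            for ns in $all_ns; do
              if ! printf '%s\n' "$np_ns" | grep -qxF -- "$ns"; then
                ns_without_np="$ns_without_np $ns"
              fi
            done
            if [ -z "$ns_without_np" ]; then
              echo "ALL_NAMESPACES_HAVE_NETWORKPOLICIES"
            else
              echo "MISSING_NETWORKPOLICIES:$ns_without_np"
            fi
          fi
        tests:
          test_items:
            - flag: "ALL_NAMESPACES_HAVE_NETWORKPOLICIES"
              set: true
              compare:
                op: eq
                value: "ALL_NAMESPACES_HAVE_NETWORKPOLICIES"
        remediation: |
          Define at least one NetworkPolicy in each namespace to control pod-level traffic. Example:

          kubectl apply -n <namespace> -f - <<EOF
          apiVersion: networking.k8s.io/v1
          kind: NetworkPolicy
          metadata:
            name: default-deny-all
          spec:
            podSelector: {}
            policyTypes:
              - Ingress
              - Egress
          EOF

          This denies all traffic unless explicitly allowed, including DNS egress; ship the
          allow policies the namespace needs (e.g. to the cluster DNS service) in the same
          rollout. Review and adjust policies per namespace as needed.
        scored: true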


  - id: 4.5
    text: "Secrets Management"
    checks:
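      - id: 4.5.1
        text: "Prefer using secrets as files over secrets as environment variables (Automated)"
        # Matches both ways a Secret can reach the environment: env[].valueFrom.secretKeyRef
        # and envFrom[].secretRef. The previous query only matched secretKeyRef, so a whole
        # Secret imported with envFrom went unreported even though the remediation names it.
        # The recursive walk keeps `kubectl get all` coverage of pod templates wherever they
        # sit (Deployment, StatefulSet, CronJob jobTemplate, ...); `[]?` tolerates the odd
        # object that has an "env" label/annotation instead of an env list. A query that
        # yields no count is reported as a failure instead of as "no references".
        audit: |
          count=$(kubectl get all --all-namespaces -o json | jq '
            [.. | objects | select(has("env") or has("envFrom"))
             | select(any((.env // [])[]?; .valueFrom?.secretKeyRef? != null)
                   or any((.envFrom // [])[]?; .secretRef? != null))] | length')
          if [ -z "$count" ]; then
            echo "SECRET_REFERENCE_QUERY_FAILED"
          elif [ "$count" -eq 0 ]; then
            echo "NO_ENV_SECRET_REFERENCES"
          else
            echo "ENV_SECRET_REFERENCES_FOUND (container specs: $count)"
          fi
        tests:
          test_items:
            - flag: "NO_ENV_SECRET_REFERENCES"
              set: true
              compare:
                op: eq
                value: "NO_ENV_SECRET_REFERENCES"
        remediation: |
          Refactor application deployments to mount secrets as files (Secret volumes) instead of
          passing them as environment variables. Environment variables are inherited by child
          processes and routinely end up in logs, crash dumps and debugging output.
          Avoid `env[].valueFrom.secretKeyRef` and `envFrom[].secretRef` in container specs.
        scored: true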


      - id: 4.5.2
        text: "Consider external secret storage (Manual)"
        type: "manual"
        remediation: |
          Refer to the secrets management options offered by your cloud provider or a third-party
          secrets management solution.
        scored: false


  - id: 4.6
    text: "General Policies"
    checks:
      - id: 4.6.1
        text: "Create administrative boundaries between resources using namespaces (Manual)"
        type: "manual"
        remediation: |
          Follow the documentation and create namespaces for objects in your deployment as you need
          them.
        scored: false

      - id: 4.6.2
        text: "Apply Security Context to Your Pods and Containers (Manual)"
        type: "manual"
        remediation: |
          Follow the Kubernetes documentation and apply security contexts to your pods. For a
          suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
          Containers.
        scored: false

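      - id: 4.6.3
        text: "The default namespace should not be used (Automated)"
        # When several resource kinds are listed, kubectl prints TYPE/NAME (e.g.
        # "service/kubernetes"), so the old exclusion pattern "service<ws>kubernetes"
        # never matched and the built-in API service alone made the check fail.
        # Also fails closed: a kubectl error is no longer mistaken for an empty namespace.
        audit: |
          output=$(kubectl get all -n default --no-headers 2>/dev/null)
          rc=$?
          if [ "$rc" -ne 0 ]; then
            echo "DEFAULT_NAMESPACE_QUERY_FAILED"
          else
            remaining=$(printf '%s\n' "$output" | grep -Ev '^(service|svc)/kubernetes[[:space:]]' | grep -v '^[[:space:]]*$' || true)
            if [ -z "$remaining" ]; then echo "DEFAULT_NAMESPACE_UNUSED"; else echo "DEFAULT_NAMESPACE_IN_USE"; fi
          fi
        tests:
          test_items:
            - flag: "DEFAULT_NAMESPACE_UNUSED"
              set: true
              compare:
                op: eq
                value: "DEFAULT_NAMESPACE_UNUSED"
        remediation: |
          Avoid using the default namespace for user workloads.
          - Create separate namespaces for your applications and infrastructure components.
          - Move any user-defined resources out of the default namespace.

          Example to create a namespace:
          kubectl create namespace my-namespace

          Example to move a workload: re-apply its source manifest into the new namespace and
          delete the old copy, rather than rewriting an exported object with sed (exported
          objects carry cluster-assigned fields such as uid and resourceVersion):
          kubectl apply -n my-namespace -f my-app.yaml
          kubectl delete deployment my-app -n default
        scored: true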


================================================
FILE: cfg/aks-1.8/config.yaml
================================================
---
## Version-specific settings that override the values in cfg/config.yaml


================================================
FILE: cfg/aks-1.8/controlplane.yaml
================================================
---
controls:
version: "aks-1.8"
id: 2
text: "Control Plane Configuration"
type: "controlplane"
groups:
  - id: 2.1
    text: "Logging"
    checks:
      - id: 2.1.1
        text: "Enable audit Logs"
        type: "manual"
        remediation: |
          Azure audit logs are enabled and managed in the Azure portal. To enable log collection for
          the Kubernetes master components in your AKS cluster, open the Azure portal in a web
          browser and complete the following steps:
          1. Select the resource group for your AKS cluster, such as myResourceGroup. Don't
             select the resource group that contains your individual AKS cluster resources, such
             as MC_myResourceGroup_myAKSCluster_eastus.
          2. On the left-hand side, choose Diagnostic settings.
          3. Select your AKS cluster, such as myAKSCluster, then choose to Add diagnostic setting.
          4. Enter a name, such as myAKSClusterLogs, then select the option to Send to Log Analytics.
          5. Select an existing workspace or create a new one. If you create a workspace, provide
             a workspace name, a resource group, and a location.
          6. In the list of available logs, select the logs you wish to enable. For this example,
             enable the kube-audit and kube-audit-admin logs. Common logs include the kube-
             apiserver, kube-controller-manager, and kube-scheduler. You can return and change
             the collected logs once Log Analytics workspaces are enabled.
          7. When ready, select Save to enable collection of the selected logs.
        scored: false


================================================
FILE: cfg/aks-1.8/managedservices.yaml
================================================
---
controls:
version: "aks-1.8"
id: 5
text: "Managed Services"
type: "managedservices"
groups:
  - id: 5.1
    text: "Image Registry and Image Scanning"
    checks:
      - id: 5.1.1
        text: "Ensure Image Vulnerability Scanning using Microsoft Defender for Cloud (MDC) image scanning or a third party provider (Manual)"
        type: "manual"
        remediation: |
          Enable MDC for Container Registries by running the following Azure CLI command:
          az security pricing create --name ContainerRegistry --tier Standard
          Alternatively, use the following command to enable image scanning for your container registry:
          az resource update --ids /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.ContainerRegistry/registries/{registry-name} --set properties.enabled=true
          Replace `subscription-id`, `resource-group-name`, and `registry-name` with the correct values for your environment.
          Please note that enabling MDC for Container Registries will incur additional costs, so be sure to review the pricing information provided in the Azure documentation before enabling it.
        scored: false

      - id: 5.1.2
        text: "Minimize user access to Azure Container Registry (ACR) (Manual)"
        type: "manual"
        remediation: |
          Azure Container Registry
          If you use Azure Container Registry (ACR) as your container image store, you need to grant
          permissions to the service principal for your AKS cluster to read and pull images. Currently,
          the recommended configuration is to use the az aks create or az aks update command to
          integrate with a registry and assign the appropriate role for the service principal. For
          detailed steps, see Authenticate with Azure Container Registry from Azure Kubernetes
          Service.
          To avoid needing an Owner or Azure account administrator role, you can configure a
          service principal manually or use an existing service principal to authenticate ACR from
          AKS. For more information, see ACR authentication with service principals or Authenticate
          from Kubernetes with a pull secret.
        scored: false

      - id: 5.1.3
        text: "Minimize cluster access to read-only for Azure Container Registry (ACR) (Manual)"
        type: "manual"
        remediation: |
          Grant the cluster's kubelet/managed identity only a pull (read-only) role on the
          registry; do not assign push, contributor or owner roles to the cluster identity.
        scored: false

      - id: 5.1.4
        text: "Minimize Container Registries to only those approved (Manual)"
        type: "manual"
        remediation: |
          If you are using **Azure Container Registry**, you can restrict access using firewall rules as described in the official documentation:
          https://docs.microsoft.com/en-us/azure/container-registry/container-registry-firewall-access-rules
          For registries other than ACR, use **admission controllers** or **Azure Policy** to restrict which registries images may be pulled from.
          Limiting or locking down egress traffic to specific container registries is also recommended. For more information, refer to:
          https://docs.microsoft.com/en-us/azure/aks/limit-egress-traffic
        scored: false


  - id: 5.2
    text: "Access and identity options for Azure Kubernetes Service (AKS)"
    checks:
      - id: 5.2.1
        text: "Prefer using dedicated AKS Service Accounts (Manual)"
        type: "manual"
        remediation: |
          Azure Active Directory integration
          The security of AKS clusters can be enhanced with the integration of Azure Active Directory
          (AD). Built on decades of enterprise identity management, Azure AD is a multi-tenant,
          cloud-based directory, and identity management service that combines core directory
          services, application access management, and identity protection. With Azure AD, you can
          integrate on-premises identities into AKS clusters to pr
  function TestSplitAndRemoveLastSeparator (line 539) | func TestSplitAndRemoveLastSeparator(t *testing.T) {
  function TestCompareOp (line 586) | func TestCompareOp(t *testing.T) {
  function TestToNumeric (line 1241) | func TestToNumeric(t *testing.T) {
  function TestExecuteJSONPathOnEncryptionConfig (line 1278) | func TestExecuteJSONPathOnEncryptionConfig(t *testing.T) {

FILE: cmd/common.go
  function NewRunFilter (line 33) | func NewRunFilter(opts FilterOpts) (check.Predicate, error) {
  function runChecks (line 66) | func runChecks(nodetype check.NodeType, testYamlFile, detectedVersion st...
  function generateDefaultEnvAudit (line 126) | func generateDefaultEnvAudit(controls *check.Controls, binSubs []string) {
  function parseSkipIds (line 150) | func parseSkipIds(skipIds string) map[string]bool {
  function colorPrint (line 161) | func colorPrint(state check.State, s string) {
  function prettyPrint (line 167) | func prettyPrint(r *check.Controls, summary check.Summary) {
  function printSummary (line 214) | func printSummary(summary check.Summary, sectionName string) {
  function loadConfig (line 233) | func loadConfig(nodetype check.NodeType, benchmarkVersion string) string {
  function mergeConfig (line 263) | func mergeConfig(path string) error {
  function mapToBenchmarkVersion (line 279) | func mapToBenchmarkVersion(kubeToBenchmarkMap map[string]string, kv stri...
  function loadVersionMapping (line 298) | func loadVersionMapping(v *viper.Viper) (map[string]string, error) {
  function loadTargetMapping (line 307) | func loadTargetMapping(v *viper.Viper) (map[string][]string, error) {
  function getBenchmarkVersion (line 316) | func getBenchmarkVersion(kubeVersion, benchmarkVersion string, platform ...
  function isMaster (line 356) | func isMaster() bool {
  function isEtcd (line 361) | func isEtcd() bool {
  function isThisNodeRunning (line 365) | func isThisNodeRunning(nodeType check.NodeType) bool {
  function exitCodeSelection (line 387) | func exitCodeSelection(controlsCollection []*check.Controls) int {
  function writeOutput (line 397) | func writeOutput(controlsCollection []*check.Controls) {
  function writeJSONOutput (line 422) | func writeJSONOutput(controlsCollection []*check.Controls) {
  function writeJunitOutput (line 439) | func writeJunitOutput(controlsCollection []*check.Controls) {
  function writePgsqlOutput (line 455) | func writePgsqlOutput(controlsCollection []*check.Controls) {
  function writeASFFOutput (line 465) | func writeASFFOutput(controlsCollection []*check.Controls) {
  function writeStdoutOutput (line 477) | func writeStdoutOutput(controlsCollection []*check.Controls) {
  function getSummaryTotals (line 487) | func getSummaryTotals(controlsCollection []*check.Controls) check.Summary {
  function printRawOutput (line 499) | func printRawOutput(output string) {
  function writeOutputToFile (line 505) | func writeOutputToFile(output string, outputFile string) error {
  function printOutput (line 517) | func printOutput(output string, outputFile string) {
  function validTargets (line 530) | func validTargets(benchmarkVersion string, targets []string, v *viper.Vi...

FILE: cmd/common_test.go
  type JsonOutputFormat (line 33) | type JsonOutputFormat struct
  type JsonOutputFormatNoTotals (line 38) | type JsonOutputFormatNoTotals struct
  function TestParseSkipIds (line 42) | func TestParseSkipIds(t *testing.T) {
  function TestNewRunFilter (line 54) | func TestNewRunFilter(t *testing.T) {
  function TestIsMaster (line 143) | func TestIsMaster(t *testing.T) {
  function TestMapToCISVersion (line 212) | func TestMapToCISVersion(t *testing.T) {
  function TestLoadVersionMapping (line 285) | func TestLoadVersionMapping(t *testing.T) {
  function TestGetBenchmarkVersion (line 331) | func TestGetBenchmarkVersion(t *testing.T) {
  function TestValidTargets (line 403) | func TestValidTargets(t *testing.T) {
  function TestIsEtcd (line 501) | func TestIsEtcd(t *testing.T) {
  function TestWriteResultToJsonFile (line 570) | func TestWriteResultToJsonFile(t *testing.T) {
  function TestWriteResultNoTotalsToJsonFile (line 600) | func TestWriteResultNoTotalsToJsonFile(t *testing.T) {
  function TestExitCodeSelection (line 632) | func TestExitCodeSelection(t *testing.T) {
  function TestGenerationDefaultEnvAudit (line 650) | func TestGenerationDefaultEnvAudit(t *testing.T) {
  function TestGetSummaryTotals (line 685) | func TestGetSummaryTotals(t *testing.T) {
  function TestPrintSummary (line 698) | func TestPrintSummary(t *testing.T) {
  function TestPrettyPrintNoSummary (line 716) | func TestPrettyPrintNoSummary(t *testing.T) {
  function TestPrettyPrintSummary (line 735) | func TestPrettyPrintSummary(t *testing.T) {
  function TestWriteStdoutOutputNoTotal (line 754) | func TestWriteStdoutOutputNoTotal(t *testing.T) {
  function TestWriteStdoutOutputTotal (line 772) | func TestWriteStdoutOutputTotal(t *testing.T) {
  function parseControlsJsonFile (line 793) | func parseControlsJsonFile(filepath string) ([]*check.Controls, error) {
  function parseResultJsonFile (line 808) | func parseResultJsonFile(filepath string) (JsonOutputFormat, error) {
  function parseResultNoTotalsJsonFile (line 823) | func parseResultNoTotalsJsonFile(filepath string) ([]*check.Controls, er...
  function loadConfigForTest (line 838) | func loadConfigForTest() (*viper.Viper, error) {
  type restoreFn (line 847) | type restoreFn
  function fakeExecutableInPath (line 849) | func fakeExecutableInPath(execFile, execCode string) (restoreFn, error) {
  function prunePath (line 888) | func prunePath() (restoreFn, error) {

FILE: cmd/database.go
  type PsqlConnInfo (line 14) | type PsqlConnInfo struct
    method toString (line 67) | func (c *PsqlConnInfo) toString() string {
  function getPsqlConnInfo (line 22) | func getPsqlConnInfo() (PsqlConnInfo, error) {
  function savePgsql (line 77) | func savePgsql(jsonInfo string) {

FILE: cmd/kubernetes_version.go
  type KubeVersion (line 17) | type KubeVersion struct
    method BaseVersion (line 24) | func (k *KubeVersion) BaseVersion() string {
  function getKubeVersionFromRESTAPI (line 35) | func getKubeVersionFromRESTAPI() (*KubeVersion, error) {
  function getWebDataWithRetry (line 71) | func getWebDataWithRetry(k8sVersionURL, token string, cacert *tls.Certif...
  type VersionResponse (line 86) | type VersionResponse struct
  function extractVersion (line 98) | func extractVersion(data []byte) (*KubeVersion, error) {
  function getWebData (line 114) | func getWebData(srvURL, token string, cacert *tls.Certificate) ([]byte, ...
  function loadCertificate (line 149) | func loadCertificate(certFile string) (*tls.Certificate, error) {
  function getKubernetesURL (line 166) | func getKubernetesURL() string {

FILE: cmd/kubernetes_version_test.go
  function TestLoadCertificate (line 13) | func TestLoadCertificate(t *testing.T) {
  function TestGetWebData (line 78) | func TestGetWebData(t *testing.T) {
  function TestGetWebDataWithRetry (line 127) | func TestGetWebDataWithRetry(t *testing.T) {
  function TestExtractVersion (line 176) | func TestExtractVersion(t *testing.T) {
  function TestGetKubernetesURL (line 231) | func TestGetKubernetesURL(t *testing.T) {

FILE: cmd/root.go
  type FilterOpts (line 28) | type FilterOpts struct
  function Execute (line 145) | func Execute() {
  function init (line 158) | func init() {
  function initConfig (line 206) | func initConfig() {

FILE: cmd/run.go
  function init (line 15) | func init() {
  function run (line 69) | func run(targets []string, benchmarkVersion string) (err error) {
  function getTestYamlFiles (line 87) | func getTestYamlFiles(targets []string, benchmarkVersion string) (yamlFi...
  function translate (line 110) | func translate(target string) string {

FILE: cmd/run_test.go
  function TestGetTestYamlFiles (line 9) | func TestGetTestYamlFiles(t *testing.T) {
  function TestTranslate (line 85) | func TestTranslate(t *testing.T) {

FILE: cmd/securityHub.go
  constant REGION (line 16) | REGION = "AWS_REGION"
  function writeFinding (line 18) | func writeFinding(in []types.AwsSecurityFinding) error {
  function print (line 35) | func print(out *findings.PublisherOutput) {

FILE: cmd/util.go
  function init (line 46) | func init() {
  type Platform (line 52) | type Platform struct
    method String (line 57) | func (p Platform) String() string {
  function exitWithError (line 61) | func exitWithError(err error) {
  function cleanIDs (line 68) | func cleanIDs(list string) map[string]bool {
  function ps (line 83) | func ps(proc string) string {
  function getBinaries (line 99) | func getBinaries(v *viper.Viper, nodetype check.NodeType) (map[string]st...
  function getConfigFilePath (line 132) | func getConfigFilePath(benchmarkVersion string, filename string) (path s...
  function getYamlFilesFromDir (line 148) | func getYamlFilesFromDir(path string) (names []string, err error) {
  function decrementVersion (line 167) | func decrementVersion(version string) string {
  function getFiles (line 184) | func getFiles(v *viper.Viper, fileType string) map[string]string {
  function verifyBin (line 217) | func verifyBin(bin string) bool {
  function findConfigFile (line 244) | func findConfigFile(candidates []string) string {
  function findExecutable (line 259) | func findExecutable(candidates []string) (string, error) {
  function multiWordReplace (line 270) | func multiWordReplace(s string, subname string, sub string) string {
  constant missingKubectlKubeletMessage (line 279) | missingKubectlKubeletMessage = `
  function getKubeVersion (line 298) | func getKubeVersion() (*KubeVersion, error) {
  function getKubeVersionFromKubectl (line 361) | func getKubeVersionFromKubectl() *KubeVersion {
  function getKubeVersionFromKubelet (line 372) | func getKubeVersionFromKubelet() *KubeVersion {
  function getVersionFromKubectlOutput (line 383) | func getVersionFromKubectlOutput(s string) *KubeVersion {
  function getVersionFromKubeletOutput (line 406) | func getVersionFromKubeletOutput(s string) *KubeVersion {
  function makeSubstitutions (line 417) | func makeSubstitutions(s string, ext string, m map[string]string) (strin...
  function isEmpty (line 436) | func isEmpty(str string) bool {
  function buildComponentMissingErrorMessage (line 440) | func buildComponentMissingErrorMessage(nodetype check.NodeType, componen...
  function getPlatformInfo (line 471) | func getPlatformInfo() Platform {
  function getPlatformInfoFromVersion (line 486) | func getPlatformInfoFromVersion(s string) Platform {
  function IsAKS (line 498) | func IsAKS(ctx context.Context, k8sClient kubernetes.Interface) (bool, e...
  function getPlatformBenchmarkVersion (line 521) | func getPlatformBenchmarkVersion(platform Platform) string {
  function eksBenchmark (line 548) | func eksBenchmark(version string) string {
  function aksBenchmark (line 561) | func aksBenchmark(version string) string {
  function gkeBenchmark (line 572) | func gkeBenchmark(version string) string {
  function ocpBenchmark (line 585) | func ocpBenchmark(version string) string {
  function k3sBenchmark (line 600) | func k3sBenchmark(version string) string {
  function rkeBenchmark (line 613) | func rkeBenchmark(version string) string {
  function rke2Benchmark (line 626) | func rke2Benchmark(version string) string {
  function getOpenShiftInfo (line 641) | func getOpenShiftInfo() Platform {
  function getOcpValidVersion (line 676) | func getOcpValidVersion(ocpVer string) (string, error) {
  function IsRKE (line 693) | func IsRKE(ctx context.Context, k8sClient kubernetes.Interface) (bool, e...

FILE: cmd/util_test.go
  function fakeps (line 38) | func fakeps(proc string) string {
  function fakestat (line 42) | func fakestat(file string) (os.FileInfo, error) {
  function TestVerifyBin (line 48) | func TestVerifyBin(t *testing.T) {
  function TestFindExecutable (line 80) | func TestFindExecutable(t *testing.T) {
  function TestGetBinaries (line 116) | func TestGetBinaries(t *testing.T) {
  function TestMultiWordReplace (line 187) | func TestMultiWordReplace(t *testing.T) {
  function Test_getVersionFromKubectlOutput (line 209) | func Test_getVersionFromKubectlOutput(t *testing.T) {
  function TestFindConfigFile (line 227) | func TestFindConfigFile(t *testing.T) {
  function TestGetConfigFiles (line 252) | func TestGetConfigFiles(t *testing.T) {
  function TestGetServiceFiles (line 324) | func TestGetServiceFiles(t *testing.T) {
  function TestGetDatadirFiles (line 399) | func TestGetDatadirFiles(t *testing.T) {
  function TestMakeSubsitutions (line 451) | func TestMakeSubsitutions(t *testing.T) {
  function TestGetConfigFilePath (line 474) | func TestGetConfigFilePath(t *testing.T) {
  function TestDecrementVersion (line 520) | func TestDecrementVersion(t *testing.T) {
  function TestGetYamlFilesFromDir (line 546) | func TestGetYamlFilesFromDir(t *testing.T) {
  function Test_getPlatformNameFromKubectlOutput (line 581) | func Test_getPlatformNameFromKubectlOutput(t *testing.T) {
  function Test_getPlatformBenchmarkVersion (line 644) | func Test_getPlatformBenchmarkVersion(t *testing.T) {
  function Test_getOcpValidVersion (line 824) | func Test_getOcpValidVersion(t *testing.T) {

FILE: cmd/version.go
  function init (line 21) | func init() {

FILE: internal/findings/publisher.go
  type Publisher (line 12) | type Publisher struct
    method PublishFinding (line 40) | func (p *Publisher) PublishFinding(finding []types.AwsSecurityFinding)...
  type PublisherOutput (line 17) | type PublisherOutput struct
  function New (line 33) | func New(client securityhub.Client) *Publisher {

FILE: main.go
  function main (line 21) | func main() {
[
  {
    "path": ".github/ISSUE_TEMPLATE/bug_report.md",
    "chars": 1293,
    "preview": "---\nname: Bug report\nabout: Tell us about a problem you are experiencing\n---\n\n**Overview**\n\n[A clear and concise descrip"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/config.yml",
    "chars": 382,
    "preview": "---\nblank_issues_enabled: false\ncontact_links:\n  - name: Feature request\n    url: https://github.com/aquasecurity/kube-b"
  },
  {
    "path": ".github/dependabot.yml",
    "chars": 283,
    "preview": "---\nversion: 2\nupdates:\n  - package-ecosystem: gomod\n    directory: /\n    schedule:\n      interval: weekly\n  - package-e"
  },
  {
    "path": ".github/workflows/build.yml",
    "chars": 2836,
    "preview": "---\nname: Build\non:\n  push:\n    branches:\n      - main\n    paths-ignore:\n      - \"*.md\"\n      - \"LICENSE\"\n      - \"NOTIC"
  },
  {
    "path": ".github/workflows/mkdocs-deploy.yaml",
    "chars": 1156,
    "preview": "---\n# This is a manually triggered workflow to build and publish the MkDocs from the\n# main branch to GitHub pages at ht"
  },
  {
    "path": ".github/workflows/publish.yml",
    "chars": 4283,
    "preview": "---\nname: Publish\non:\n  workflow_dispatch:\n  push:\n    tags:\n      - \"v*\"\nenv:\n  ALIAS: aquasecurity\n  DOCKERHUB_ALIAS: "
  },
  {
    "path": ".github/workflows/release.yml",
    "chars": 1492,
    "preview": "---\nname: Release\non:\n  push:\n    tags:\n      - \"v*\"\nenv:\n  KIND_VERSION: \"v0.11.1\"\n  KIND_IMAGE: \"kindest/node:v1.21.1@"
  },
  {
    "path": ".gitignore",
    "chars": 161,
    "preview": "kube-bench\n*.swp\nvendor\ndist\n.vscode/\nhack/kind.test.yaml\ncoverage.txt\n\n.idea/\n\n# Directory junk file\n.DS_Store\nthumbs.d"
  },
  {
    "path": ".golangci.yaml",
    "chars": 442,
    "preview": "version: \"2\"\nlinters:\n  default: none\n  enable:\n    - gocyclo\n    - govet\n    - misspell\n  exclusions:\n    generated: la"
  },
  {
    "path": ".goreleaser.yml",
    "chars": 1544,
    "preview": "---\nproject_name: kube-bench\nenv:\n  - GO111MODULE=on\n  - CGO_ENABLED=0\n  - KUBEBENCH_CFG=/etc/kube-bench/cfg\nbuilds:\n  -"
  },
  {
    "path": ".yamllint.yaml",
    "chars": 70,
    "preview": "---\nextends: default\n\nrules:\n  line-length: disable\n  truthy: disable\n"
  },
  {
    "path": "CONTRIBUTING.md",
    "chars": 5215,
    "preview": "Thank you for taking an interest in contributing to kube-bench !\n\n## Contributing, bug reporting, openning issues and st"
  },
  {
    "path": "Dockerfile",
    "chars": 2862,
    "preview": "FROM golang:1.26.1 AS build\nWORKDIR /go/src/github.com/aquasecurity/kube-bench/\nCOPY makefile makefile\nCOPY go.mod go.su"
  },
  {
    "path": "Dockerfile.fips.ubi",
    "chars": 2415,
    "preview": "FROM golang:1.26.1 AS build\nWORKDIR /go/src/github.com/aquasecurity/kube-bench/\nCOPY makefile makefile\nCOPY go.mod go.su"
  },
  {
    "path": "Dockerfile.ubi",
    "chars": 2356,
    "preview": "FROM golang:1.26.1 AS build\nWORKDIR /go/src/github.com/aquasecurity/kube-bench/\nCOPY makefile makefile\nCOPY go.mod go.su"
  },
  {
    "path": "LICENSE",
    "chars": 11358,
    "preview": "\n                                 Apache License\n                           Version 2.0, January 2004\n                  "
  },
  {
    "path": "NOTICE",
    "chars": 143,
    "preview": "kube-bench\nCopyright 2017-2019 Aqua Security Software Ltd. \n\nThis product includes software developed by Aqua Security ("
  },
  {
    "path": "OWNERS",
    "chars": 32,
    "preview": "approvers:\n - lizrice\n - jerbia\n"
  },
  {
    "path": "README.md",
    "chars": 4412,
    "preview": "[![GitHub Release][release-img]][release]\n[![Downloads][download]][release]\n[![Docker Pulls][docker-pull]][docker]\n[![Go"
  },
  {
    "path": "cfg/ack-1.0/config.yaml",
    "chars": 77,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n"
  },
  {
    "path": "cfg/ack-1.0/controlplane.yaml",
    "chars": 1292,
    "preview": "---\ncontrols:\nversion: \"ack-1.0\"\nid: 3\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 3.1\n    "
  },
  {
    "path": "cfg/ack-1.0/etcd.yaml",
    "chars": 4925,
    "preview": "---\ncontrols:\nversion: \"ack-1.0\"\nid: 2\ntext: \"Etcd Node Configuration\"\ntype: \"etcd\"\ngroups:\n  - id: 2\n    text: \"Etcd No"
  },
  {
    "path": "cfg/ack-1.0/managedservices.yaml",
    "chars": 4577,
    "preview": "---\ncontrols:\nversion: \"ack-1.0\"\nid: 6\ntext: \"Managed Services\"\ntype: \"managedservices\"\ngroups:\n  - id: 6.1\n    text: \"I"
  },
  {
    "path": "cfg/ack-1.0/master.yaml",
    "chars": 39945,
    "preview": "---\ncontrols:\nversion: \"ack-1.0\"\nid: 1\ntext: \"Master Node Security Configuration\"\ntype: \"master\"\ngroups:\n  - id: 1.1\n   "
  },
  {
    "path": "cfg/ack-1.0/node.yaml",
    "chars": 17021,
    "preview": "---\ncontrols:\nversion: \"ack-1.0\"\nid: 4\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 4.1\n    t"
  },
  {
    "path": "cfg/ack-1.0/policies.yaml",
    "chars": 9398,
    "preview": "---\ncontrols:\nversion: \"ack-1.0\"\nid: 5\ntext: \"Kubernetes Policies\"\ntype: \"policies\"\ngroups:\n  - id: 5.1\n    text: \"RBAC "
  },
  {
    "path": "cfg/aks-1.0/config.yaml",
    "chars": 77,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n"
  },
  {
    "path": "cfg/aks-1.0/controlplane.yaml",
    "chars": 1629,
    "preview": "---\ncontrols:\nversion: \"aks-1.0\"\nid: 2\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 2.1\n    "
  },
  {
    "path": "cfg/aks-1.0/managedservices.yaml",
    "chars": 5790,
    "preview": "---\ncontrols:\nversion: \"aks-1.0\"\nid: 5\ntext: \"Managed Services\"\ntype: \"managedservices\"\ngroups:\n  - id: 5.1\n    text: \"I"
  },
  {
    "path": "cfg/aks-1.0/master.yaml",
    "chars": 87,
    "preview": "---\ncontrols:\nversion: \"aks-1.0\"\nid: 1\ntext: \"Control Plane Components\"\ntype: \"master\"\n"
  },
  {
    "path": "cfg/aks-1.0/node.yaml",
    "chars": 13027,
    "preview": "---\ncontrols:\nversion: \"aks-1.0\"\nid: 3\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 3.1\n    t"
  },
  {
    "path": "cfg/aks-1.0/policies.yaml",
    "chars": 8010,
    "preview": "---\ncontrols:\nversion: \"aks-1.0\"\nid: 4\ntext: \"Policies\"\ntype: \"policies\"\ngroups:\n  - id: 4.1\n    text: \"RBAC and Service"
  },
  {
    "path": "cfg/aks-1.7/config.yaml",
    "chars": 77,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n"
  },
  {
    "path": "cfg/aks-1.7/controlplane.yaml",
    "chars": 1629,
    "preview": "---\ncontrols:\nversion: \"aks-1.7\"\nid: 2\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 2.1\n    "
  },
  {
    "path": "cfg/aks-1.7/managedservices.yaml",
    "chars": 9089,
    "preview": "---\ncontrols:\nversion: \"aks-1.7\"\nid: 5\ntext: \"Managed Services\"\ntype: \"managedservices\"\ngroups:\n  - id: 5.1\n    text: \"I"
  },
  {
    "path": "cfg/aks-1.7/master.yaml",
    "chars": 87,
    "preview": "---\ncontrols:\nversion: \"aks-1.7\"\nid: 1\ntext: \"Control Plane Components\"\ntype: \"master\"\n"
  },
  {
    "path": "cfg/aks-1.7/node.yaml",
    "chars": 11676,
    "preview": "---\ncontrols:\nversion: \"aks-1.7\"\nid: 3\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 3.1\n    t"
  },
  {
    "path": "cfg/aks-1.7/policies.yaml",
    "chars": 17897,
    "preview": "---\ncontrols:\nversion: \"aks-1.7\"\nid: 4\ntext: \"Policies\"\ntype: \"policies\"\ngroups:\n  - id: 4.1\n    text: \"RBAC and Service"
  },
  {
    "path": "cfg/aks-1.8/config.yaml",
    "chars": 77,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n"
  },
  {
    "path": "cfg/aks-1.8/controlplane.yaml",
    "chars": 1629,
    "preview": "---\ncontrols:\nversion: \"aks-1.8\"\nid: 2\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 2.1\n    "
  },
  {
    "path": "cfg/aks-1.8/managedservices.yaml",
    "chars": 9089,
    "preview": "---\ncontrols:\nversion: \"aks-1.8\"\nid: 5\ntext: \"Managed Services\"\ntype: \"managedservices\"\ngroups:\n  - id: 5.1\n    text: \"I"
  },
  {
    "path": "cfg/aks-1.8/master.yaml",
    "chars": 87,
    "preview": "---\ncontrols:\nversion: \"aks-1.8\"\nid: 1\ntext: \"Control Plane Components\"\ntype: \"master\"\n"
  },
  {
    "path": "cfg/aks-1.8/node.yaml",
    "chars": 11560,
    "preview": "---\ncontrols:\nversion: \"aks-1.8\"\nid: 3\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 3.1\n    t"
  },
  {
    "path": "cfg/aks-1.8/policies.yaml",
    "chars": 15940,
    "preview": "---\ncontrols:\nversion: \"aks-1.8\"\nid: 4\ntext: \"Policies\"\ntype: \"policies\"\ngroups:\n  - id: 4.1\n    text: \"RBAC and Service"
  },
  {
    "path": "cfg/cis-1.10/config.yaml",
    "chars": 77,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n"
  },
  {
    "path": "cfg/cis-1.10/controlplane.yaml",
    "chars": 2328,
    "preview": "---\ncontrols:\nversion: \"cis-1.10\"\nid: 3\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 3.1\n   "
  },
  {
    "path": "cfg/cis-1.10/etcd.yaml",
    "chars": 4920,
    "preview": "---\ncontrols:\nversion: \"cis-1.10\"\nid: 2\ntext: \"Etcd Node Configuration\"\ntype: \"etcd\"\ngroups:\n  - id: 2\n    text: \"Etcd N"
  },
  {
    "path": "cfg/cis-1.10/master.yaml",
    "chars": 39755,
    "preview": "---\ncontrols:\nversion: \"cis-1.10\"\nid: 1\ntext: \"Control Plane Security Configuration\"\ntype: \"master\"\ngroups:\n  - id: 1.1\n"
  },
  {
    "path": "cfg/cis-1.10/node.yaml",
    "chars": 20621,
    "preview": "---\ncontrols:\nversion: \"cis-1.10\"\nid: 4\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 4.1\n    "
  },
  {
    "path": "cfg/cis-1.10/policies.yaml",
    "chars": 27176,
    "preview": "---\ncontrols:\nversion: \"cis-1.10\"\nid: 5\ntext: \"Kubernetes Policies\"\ntype: \"policies\"\ngroups:\n  - id: 5.1\n    text: \"RBAC"
  },
  {
    "path": "cfg/cis-1.11/config.yaml",
    "chars": 77,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n"
  },
  {
    "path": "cfg/cis-1.11/controlplane.yaml",
    "chars": 2328,
    "preview": "---\ncontrols:\nversion: \"cis-1.11\"\nid: 3\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 3.1\n   "
  },
  {
    "path": "cfg/cis-1.11/etcd.yaml",
    "chars": 4920,
    "preview": "---\ncontrols:\nversion: \"cis-1.11\"\nid: 2\ntext: \"Etcd Node Configuration\"\ntype: \"etcd\"\ngroups:\n  - id: 2\n    text: \"Etcd N"
  },
  {
    "path": "cfg/cis-1.11/master.yaml",
    "chars": 40484,
    "preview": "---\ncontrols:\nversion: \"cis-1.11\"\nid: 1\ntext: \"Control Plane Security Configuration\"\ntype: \"master\"\ngroups:\n  - id: 1.1\n"
  },
  {
    "path": "cfg/cis-1.11/node.yaml",
    "chars": 22022,
    "preview": "---\ncontrols:\nversion: \"cis-1.11\"\nid: 4\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 4.1\n    "
  },
  {
    "path": "cfg/cis-1.11/policies.yaml",
    "chars": 27159,
    "preview": "---\ncontrols:\nversion: \"cis-1.11\"\nid: 5\ntext: \"Kubernetes Policies\"\ntype: \"policies\"\ngroups:\n  - id: 5.1\n    text: \"RBAC"
  },
  {
    "path": "cfg/cis-1.12/config.yaml",
    "chars": 77,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n"
  },
  {
    "path": "cfg/cis-1.12/controlplane.yaml",
    "chars": 2328,
    "preview": "---\ncontrols:\nversion: \"cis-1.12\"\nid: 3\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 3.1\n   "
  },
  {
    "path": "cfg/cis-1.12/etcd.yaml",
    "chars": 4920,
    "preview": "---\ncontrols:\nversion: \"cis-1.12\"\nid: 2\ntext: \"Etcd Node Configuration\"\ntype: \"etcd\"\ngroups:\n  - id: 2\n    text: \"Etcd N"
  },
  {
    "path": "cfg/cis-1.12/master.yaml",
    "chars": 40174,
    "preview": "---\ncontrols:\nversion: \"cis-1.12\"\nid: 1\ntext: \"Control Plane Security Configuration\"\ntype: \"master\"\ngroups:\n  - id: 1.1\n"
  },
  {
    "path": "cfg/cis-1.12/node.yaml",
    "chars": 20994,
    "preview": "---\ncontrols:\nversion: \"cis-1.12\"\nid: 4\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 4.1\n    "
  },
  {
    "path": "cfg/cis-1.12/policies.yaml",
    "chars": 24708,
    "preview": "---\ncontrols:\nversion: \"cis-1.12\"\nid: 5\ntext: \"Kubernetes Policies\"\ntype: \"policies\"\ngroups:\n  - id: 5.1\n    text: \"RBAC"
  },
  {
    "path": "cfg/cis-1.20/config.yaml",
    "chars": 77,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n"
  },
  {
    "path": "cfg/cis-1.20/controlplane.yaml",
    "chars": 1188,
    "preview": "---\ncontrols:\nversion: \"cis-1.20\"\nid: 3\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 3.1\n   "
  },
  {
    "path": "cfg/cis-1.20/etcd.yaml",
    "chars": 4926,
    "preview": "---\ncontrols:\nversion: \"cis-1.20\"\nid: 2\ntext: \"Etcd Node Configuration\"\ntype: \"etcd\"\ngroups:\n  - id: 2\n    text: \"Etcd N"
  },
  {
    "path": "cfg/cis-1.20/master.yaml",
    "chars": 41504,
    "preview": "---\ncontrols:\nversion: \"cis-1.20\"\nid: 1\ntext: \"Master Node Security Configuration\"\ntype: \"master\"\ngroups:\n  - id: 1.1\n  "
  },
  {
    "path": "cfg/cis-1.20/node.yaml",
    "chars": 20037,
    "preview": "---\ncontrols:\nversion: \"cis-1.20\"\nid: 4\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 4.1\n    "
  },
  {
    "path": "cfg/cis-1.20/policies.yaml",
    "chars": 9140,
    "preview": "---\ncontrols:\nversion: \"cis-1.20\"\nid: 5\ntext: \"Kubernetes Policies\"\ntype: \"policies\"\ngroups:\n  - id: 5.1\n    text: \"RBAC"
  },
  {
    "path": "cfg/cis-1.23/config.yaml",
    "chars": 77,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n"
  },
  {
    "path": "cfg/cis-1.23/controlplane.yaml",
    "chars": 1688,
    "preview": "---\ncontrols:\nversion: \"cis-1.23\"\nid: 3\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 3.1\n   "
  },
  {
    "path": "cfg/cis-1.23/etcd.yaml",
    "chars": 4920,
    "preview": "---\ncontrols:\nversion: \"cis-1.23\"\nid: 2\ntext: \"Etcd Node Configuration\"\ntype: \"etcd\"\ngroups:\n  - id: 2\n    text: \"Etcd N"
  },
  {
    "path": "cfg/cis-1.23/master.yaml",
    "chars": 41692,
    "preview": "---\ncontrols:\nversion: \"cis-1.23\"\nid: 1\ntext: \"Control Plane Security Configuration\"\ntype: \"master\"\ngroups:\n  - id: 1.1\n"
  },
  {
    "path": "cfg/cis-1.23/node.yaml",
    "chars": 20064,
    "preview": "---\ncontrols:\nversion: \"cis-1.23\"\nid: 4\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 4.1\n    "
  },
  {
    "path": "cfg/cis-1.23/policies.yaml",
    "chars": 10473,
    "preview": "---\ncontrols:\nversion: \"cis-1.23\"\nid: 5\ntext: \"Kubernetes Policies\"\ntype: \"policies\"\ngroups:\n  - id: 5.1\n    text: \"RBAC"
  },
  {
    "path": "cfg/cis-1.24/config.yaml",
    "chars": 77,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n"
  },
  {
    "path": "cfg/cis-1.24/controlplane.yaml",
    "chars": 1688,
    "preview": "---\ncontrols:\nversion: \"cis-1.24\"\nid: 3\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 3.1\n   "
  },
  {
    "path": "cfg/cis-1.24/etcd.yaml",
    "chars": 4920,
    "preview": "---\ncontrols:\nversion: \"cis-1.24\"\nid: 2\ntext: \"Etcd Node Configuration\"\ntype: \"etcd\"\ngroups:\n  - id: 2\n    text: \"Etcd N"
  },
  {
    "path": "cfg/cis-1.24/master.yaml",
    "chars": 40934,
    "preview": "---\ncontrols:\nversion: \"cis-1.24\"\nid: 1\ntext: \"Control Plane Security Configuration\"\ntype: \"master\"\ngroups:\n  - id: 1.1\n"
  },
  {
    "path": "cfg/cis-1.24/node.yaml",
    "chars": 20212,
    "preview": "---\ncontrols:\nversion: \"cis-1.24\"\nid: 4\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 4.1\n    "
  },
  {
    "path": "cfg/cis-1.24/policies.yaml",
    "chars": 10473,
    "preview": "---\ncontrols:\nversion: \"cis-1.24\"\nid: 5\ntext: \"Kubernetes Policies\"\ntype: \"policies\"\ngroups:\n  - id: 5.1\n    text: \"RBAC"
  },
  {
    "path": "cfg/cis-1.24-microk8s/config.yaml",
    "chars": 77,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n"
  },
  {
    "path": "cfg/cis-1.24-microk8s/controlplane.yaml",
    "chars": 1674,
    "preview": "---\ncontrols:\nversion: \"cis-1.24\"\nid: 3\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 3.1\n   "
  },
  {
    "path": "cfg/cis-1.24-microk8s/etcd.yaml",
    "chars": 4677,
    "preview": "---\ncontrols:\nversion: \"cis-1.24\"\nid: 2\ntext: \"Etcd Node Configuration\"\ntype: \"etcd\"\ngroups:\n  - id: 2\n    text: \"Etcd N"
  },
  {
    "path": "cfg/cis-1.24-microk8s/master.yaml",
    "chars": 40714,
    "preview": "---\ncontrols:\nversion: \"cis-1.24\"\nid: 1\ntext: \"Control Plane Security Configuration\"\ntype: \"master\"\ngroups:\n  - id: 1.1\n"
  },
  {
    "path": "cfg/cis-1.24-microk8s/node.yaml",
    "chars": 19878,
    "preview": "---\ncontrols:\nversion: \"cis-1.24\"\nid: 4\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 4.1\n    "
  },
  {
    "path": "cfg/cis-1.24-microk8s/policies.yaml",
    "chars": 10474,
    "preview": "---\ncontrols:\nversion: \"cis-1.24\"\nid: 5\ntext: \"Kubernetes Policies\"\ntype: \"policies\"\ngroups:\n  - id: 5.1\n    text: \"RBAC"
  },
  {
    "path": "cfg/cis-1.5/config.yaml",
    "chars": 77,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n"
  },
  {
    "path": "cfg/cis-1.5/controlplane.yaml",
    "chars": 1194,
    "preview": "---\ncontrols:\nversion: \"cis-1.5\"\nid: 3\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 3.1\n    "
  },
  {
    "path": "cfg/cis-1.5/etcd.yaml",
    "chars": 4658,
    "preview": "---\ncontrols:\nversion: \"cis-1.5\"\nid: 2\ntext: \"Etcd Node Configuration\"\ntype: \"etcd\"\ngroups:\n  - id: 2\n    text: \"Etcd No"
  },
  {
    "path": "cfg/cis-1.5/master.yaml",
    "chars": 42775,
    "preview": "---\ncontrols:\nversion: \"cis-1.5\"\nid: 1\ntext: \"Master Node Security Configuration\"\ntype: \"master\"\ngroups:\n  - id: 1.1\n   "
  },
  {
    "path": "cfg/cis-1.5/node.yaml",
    "chars": 20544,
    "preview": "---\ncontrols:\nversion: \"cis-1.5\"\nid: 4\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 4.1\n    t"
  },
  {
    "path": "cfg/cis-1.5/policies.yaml",
    "chars": 9458,
    "preview": "---\ncontrols:\nversion: \"cis-1.5\"\nid: 5\ntext: \"Kubernetes Policies\"\ntype: \"policies\"\ngroups:\n  - id: 5.1\n    text: \"RBAC "
  },
  {
    "path": "cfg/cis-1.6/config.yaml",
    "chars": 77,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n"
  },
  {
    "path": "cfg/cis-1.6/controlplane.yaml",
    "chars": 1187,
    "preview": "---\ncontrols:\nversion: \"cis-1.6\"\nid: 3\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 3.1\n    "
  },
  {
    "path": "cfg/cis-1.6/etcd.yaml",
    "chars": 4925,
    "preview": "---\ncontrols:\nversion: \"cis-1.6\"\nid: 2\ntext: \"Etcd Node Configuration\"\ntype: \"etcd\"\ngroups:\n  - id: 2\n    text: \"Etcd No"
  },
  {
    "path": "cfg/cis-1.6/master.yaml",
    "chars": 42064,
    "preview": "---\ncontrols:\nversion: \"cis-1.6\"\nid: 1\ntext: \"Master Node Security Configuration\"\ntype: \"master\"\ngroups:\n  - id: 1.1\n   "
  },
  {
    "path": "cfg/cis-1.6/node.yaml",
    "chars": 20153,
    "preview": "---\ncontrols:\nversion: \"cis-1.6\"\nid: 4\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 4.1\n    t"
  },
  {
    "path": "cfg/cis-1.6/policies.yaml",
    "chars": 9397,
    "preview": "---\ncontrols:\nversion: \"cis-1.6\"\nid: 5\ntext: \"Kubernetes Policies\"\ntype: \"policies\"\ngroups:\n  - id: 5.1\n    text: \"RBAC "
  },
  {
    "path": "cfg/cis-1.6-k3s/config.yaml",
    "chars": 1165,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n\nmaster:\n  components:\n    - scheduler\n    "
  },
  {
    "path": "cfg/cis-1.6-k3s/controlplane.yaml",
    "chars": 1346,
    "preview": "---\ncontrols:\nversion: \"cis-1.6-k3s\"\nid: 3\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 3.1\n"
  },
  {
    "path": "cfg/cis-1.6-k3s/etcd.yaml",
    "chars": 4644,
    "preview": "---\ncontrols:\nversion: \"cis-1.6-k3s\"\nid: 2\ntext: \"Etcd Node Configuration\"\ntype: \"etcd\"\ngroups:\n  - id: 2\n    text: \"Etc"
  },
  {
    "path": "cfg/cis-1.6-k3s/master.yaml",
    "chars": 33754,
    "preview": "---\ncontrols:\nversion: \"cis-1.6-k3s\"\nid: 1\ntext: \"Master Node Security Configuration\"\ntype: \"master\"\ngroups:\n  - id: 1.1"
  },
  {
    "path": "cfg/cis-1.6-k3s/node.yaml",
    "chars": 9738,
    "preview": "---\ncontrols:\nversion: \"cis-1.6-k3s\"\nid: 4\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 4.1\n "
  },
  {
    "path": "cfg/cis-1.6-k3s/policies.yaml",
    "chars": 12240,
    "preview": "---\ncontrols:\nversion: \"cis-1.6-k3s\"\nid: 5\ntext: \"Kubernetes Policies\"\ntype: \"policies\"\ngroups:\n  - id: 5.1\n    text: \"R"
  },
  {
    "path": "cfg/cis-1.7/config.yaml",
    "chars": 77,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n"
  },
  {
    "path": "cfg/cis-1.7/controlplane.yaml",
    "chars": 2325,
    "preview": "---\ncontrols:\nversion: \"cis-1.7\"\nid: 3\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 3.1\n    "
  },
  {
    "path": "cfg/cis-1.7/etcd.yaml",
    "chars": 4919,
    "preview": "---\ncontrols:\nversion: \"cis-1.7\"\nid: 2\ntext: \"Etcd Node Configuration\"\ntype: \"etcd\"\ngroups:\n  - id: 2\n    text: \"Etcd No"
  },
  {
    "path": "cfg/cis-1.7/master.yaml",
    "chars": 41140,
    "preview": "---\ncontrols:\nversion: \"cis-1.7\"\nid: 1\ntext: \"Control Plane Security Configuration\"\ntype: \"master\"\ngroups:\n  - id: 1.1\n "
  },
  {
    "path": "cfg/cis-1.7/node.yaml",
    "chars": 19789,
    "preview": "---\ncontrols:\nversion: \"cis-1.7\"\nid: 4\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 4.1\n    t"
  },
  {
    "path": "cfg/cis-1.7/policies.yaml",
    "chars": 11812,
    "preview": "---\ncontrols:\nversion: \"cis-1.7\"\nid: 5\ntext: \"Kubernetes Policies\"\ntype: \"policies\"\ngroups:\n  - id: 5.1\n    text: \"RBAC "
  },
  {
    "path": "cfg/cis-1.8/config.yaml",
    "chars": 77,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n"
  },
  {
    "path": "cfg/cis-1.8/controlplane.yaml",
    "chars": 2325,
    "preview": "---\ncontrols:\nversion: \"cis-1.8\"\nid: 3\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 3.1\n    "
  },
  {
    "path": "cfg/cis-1.8/etcd.yaml",
    "chars": 4919,
    "preview": "---\ncontrols:\nversion: \"cis-1.8\"\nid: 2\ntext: \"Etcd Node Configuration\"\ntype: \"etcd\"\ngroups:\n  - id: 2\n    text: \"Etcd No"
  },
  {
    "path": "cfg/cis-1.8/master.yaml",
    "chars": 40410,
    "preview": "---\ncontrols:\nversion: \"cis-1.8\"\nid: 1\ntext: \"Control Plane Security Configuration\"\ntype: \"master\"\ngroups:\n  - id: 1.1\n "
  },
  {
    "path": "cfg/cis-1.8/node.yaml",
    "chars": 19793,
    "preview": "---\ncontrols:\nversion: \"cis-1.8\"\nid: 4\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 4.1\n    t"
  },
  {
    "path": "cfg/cis-1.8/policies.yaml",
    "chars": 11812,
    "preview": "---\ncontrols:\nversion: \"cis-1.8\"\nid: 5\ntext: \"Kubernetes Policies\"\ntype: \"policies\"\ngroups:\n  - id: 5.1\n    text: \"RBAC "
  },
  {
    "path": "cfg/cis-1.9/config.yaml",
    "chars": 77,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n"
  },
  {
    "path": "cfg/cis-1.9/controlplane.yaml",
    "chars": 2327,
    "preview": "---\ncontrols:\nversion: \"cis-1.9\"\nid: 3\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 3.1\n    "
  },
  {
    "path": "cfg/cis-1.9/etcd.yaml",
    "chars": 4919,
    "preview": "---\ncontrols:\nversion: \"cis-1.9\"\nid: 2\ntext: \"Etcd Node Configuration\"\ntype: \"etcd\"\ngroups:\n  - id: 2\n    text: \"Etcd No"
  },
  {
    "path": "cfg/cis-1.9/master.yaml",
    "chars": 40152,
    "preview": "---\ncontrols:\nversion: \"cis-1.9\"\nid: 1\ntext: \"Control Plane Security Configuration\"\ntype: \"master\"\ngroups:\n  - id: 1.1\n "
  },
  {
    "path": "cfg/cis-1.9/node.yaml",
    "chars": 20620,
    "preview": "---\ncontrols:\nversion: \"cis-1.9\"\nid: 4\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 4.1\n    t"
  },
  {
    "path": "cfg/cis-1.9/policies.yaml",
    "chars": 17875,
    "preview": "---\ncontrols:\nversion: \"cis-1.9\"\nid: 5\ntext: \"Kubernetes Policies\"\ntype: \"policies\"\ngroups:\n  - id: 5.1\n    text: \"RBAC "
  },
  {
    "path": "cfg/config.yaml",
    "chars": 15523,
    "preview": "---\n## Controls Files.\n# These are YAML files that hold all the details for running checks.\n#\n## Uncomment to use differ"
  },
  {
    "path": "cfg/eks-1.0.1/config.yaml",
    "chars": 369,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n## These settings are required if you are u"
  },
  {
    "path": "cfg/eks-1.0.1/controlplane.yaml",
    "chars": 358,
    "preview": "---\ncontrols:\nversion: \"eks-1.0.1\"\nid: 2\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 2.1\n  "
  },
  {
    "path": "cfg/eks-1.0.1/managedservices.yaml",
    "chars": 2945,
    "preview": "---\ncontrols:\nversion: \"eks-1.0.1\"\nid: 5\ntext: \"Managed Services\"\ntype: \"managedservices\"\ngroups:\n  - id: 5.1\n    text: "
  },
  {
    "path": "cfg/eks-1.0.1/master.yaml",
    "chars": 89,
    "preview": "---\ncontrols:\nversion: \"eks-1.0.1\"\nid: 1\ntext: \"Control Plane Components\"\ntype: \"master\"\n"
  },
  {
    "path": "cfg/eks-1.0.1/node.yaml",
    "chars": 13093,
    "preview": "---\ncontrols:\nversion: \"eks-1.0.1\"\nid: 3\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 3.1\n   "
  },
  {
    "path": "cfg/eks-1.0.1/policies.yaml",
    "chars": 8033,
    "preview": "---\ncontrols:\nversion: \"eks-1.0.1\"\nid: 4\ntext: \"Policies\"\ntype: \"policies\"\ngroups:\n  - id: 4.1\n    text: \"RBAC and Servi"
  },
  {
    "path": "cfg/eks-1.1.0/config.yaml",
    "chars": 369,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n## These settings are required if you are u"
  },
  {
    "path": "cfg/eks-1.1.0/controlplane.yaml",
    "chars": 358,
    "preview": "---\ncontrols:\nversion: \"eks-1.1.0\"\nid: 2\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 2.1\n  "
  },
  {
    "path": "cfg/eks-1.1.0/managedservices.yaml",
    "chars": 5936,
    "preview": "---\ncontrols:\nversion: \"eks-1.1.0\"\nid: 5\ntext: \"Managed Services\"\ntype: \"managedservices\"\ngroups:\n  - id: 5.1\n    text: "
  },
  {
    "path": "cfg/eks-1.1.0/master.yaml",
    "chars": 89,
    "preview": "---\ncontrols:\nversion: \"eks-1.1.0\"\nid: 1\ntext: \"Control Plane Components\"\ntype: \"master\"\n"
  },
  {
    "path": "cfg/eks-1.1.0/node.yaml",
    "chars": 13305,
    "preview": "---\ncontrols:\nversion: \"eks-1.1.0\"\nid: 3\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 3.1\n   "
  },
  {
    "path": "cfg/eks-1.1.0/policies.yaml",
    "chars": 7769,
    "preview": "---\ncontrols:\nversion: \"eks-1.1.0\"\nid: 4\ntext: \"Policies\"\ntype: \"policies\"\ngroups:\n  - id: 4.1\n    text: \"RBAC and Servi"
  },
  {
    "path": "cfg/eks-1.2.0/config.yaml",
    "chars": 369,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n## These settings are required if you are u"
  },
  {
    "path": "cfg/eks-1.2.0/controlplane.yaml",
    "chars": 358,
    "preview": "---\ncontrols:\nversion: \"eks-1.2.0\"\nid: 2\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 2.1\n  "
  },
  {
    "path": "cfg/eks-1.2.0/managedservices.yaml",
    "chars": 5936,
    "preview": "---\ncontrols:\nversion: \"eks-1.2.0\"\nid: 5\ntext: \"Managed Services\"\ntype: \"managedservices\"\ngroups:\n  - id: 5.1\n    text: "
  },
  {
    "path": "cfg/eks-1.2.0/master.yaml",
    "chars": 89,
    "preview": "---\ncontrols:\nversion: \"eks-1.2.0\"\nid: 1\ntext: \"Control Plane Components\"\ntype: \"master\"\n"
  },
  {
    "path": "cfg/eks-1.2.0/node.yaml",
    "chars": 13281,
    "preview": "---\ncontrols:\nversion: \"eks-1.2.0\"\nid: 3\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 3.1\n   "
  },
  {
    "path": "cfg/eks-1.2.0/policies.yaml",
    "chars": 8102,
    "preview": "---\ncontrols:\nversion: \"eks-1.2.0\"\nid: 4\ntext: \"Policies\"\ntype: \"policies\"\ngroups:\n  - id: 4.1\n    text: \"RBAC and Servi"
  },
  {
    "path": "cfg/eks-1.5.0/config.yaml",
    "chars": 369,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n## These settings are required if you are u"
  },
  {
    "path": "cfg/eks-1.5.0/controlplane.yaml",
    "chars": 1064,
    "preview": "---\ncontrols:\nversion: \"eks-1.5.0\"\nid: 2\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 2.1\n  "
  },
  {
    "path": "cfg/eks-1.5.0/managedservices.yaml",
    "chars": 11850,
    "preview": "---\ncontrols:\nversion: \"eks-1.5.0\"\nid: 5\ntext: \"Managed Services\"\ntype: \"managedservices\"\ngroups:\n  - id: 5.1\n    text: "
  },
  {
    "path": "cfg/eks-1.5.0/master.yaml",
    "chars": 89,
    "preview": "---\ncontrols:\nversion: \"eks-1.5.0\"\nid: 1\ntext: \"Control Plane Components\"\ntype: \"master\"\n"
  },
  {
    "path": "cfg/eks-1.5.0/node.yaml",
    "chars": 21044,
    "preview": "---\ncontrols:\nversion: \"eks-1.5.0\"\nid: 3\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 3.1\n   "
  },
  {
    "path": "cfg/eks-1.5.0/policies.yaml",
    "chars": 10103,
    "preview": "---\ncontrols:\nversion: \"eks-1.5.0\"\nid: 4\ntext: \"Policies\"\ntype: \"policies\"\ngroups:\n  - id: 4.1\n    text: \"RBAC and Servi"
  },
  {
    "path": "cfg/eks-1.7.0/config.yaml",
    "chars": 369,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n## These settings are required if you are u"
  },
  {
    "path": "cfg/eks-1.7.0/controlplane.yaml",
    "chars": 2456,
    "preview": "---\ncontrols:\nversion: \"eks-1.7.0\"\nid: 2\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 2.1\n  "
  },
  {
    "path": "cfg/eks-1.7.0/managedservices.yaml",
    "chars": 11832,
    "preview": "---\ncontrols:\nversion: \"eks-1.7.0\"\nid: 5\ntext: \"Managed Services\"\ntype: \"managedservices\"\ngroups:\n  - id: 5.1\n    text: "
  },
  {
    "path": "cfg/eks-1.7.0/master.yaml",
    "chars": 89,
    "preview": "---\ncontrols:\nversion: \"eks-1.7.0\"\nid: 1\ntext: \"Control Plane Components\"\ntype: \"master\"\n"
  },
  {
    "path": "cfg/eks-1.7.0/node.yaml",
    "chars": 21116,
    "preview": "---\ncontrols:\nversion: \"eks-1.7.0\"\nid: 3\ntext: \"Worker Nodes\"\ntype: \"node\"\ngroups:\n  - id: 3.1\n    text: \"Worker Node Co"
  },
  {
    "path": "cfg/eks-1.7.0/policies.yaml",
    "chars": 14734,
    "preview": "---\ncontrols:\nversion: \"eks-1.7.0\"\nid: 4\ntext: \"Policies\"\ntype: \"policies\"\ngroups:\n  - id: 4.1\n    text: \"RBAC and Servi"
  },
  {
    "path": "cfg/eks-1.8.0/config.yaml",
    "chars": 369,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n## These settings are required if you are u"
  },
  {
    "path": "cfg/eks-1.8.0/controlplane.yaml",
    "chars": 2456,
    "preview": "---\ncontrols:\nversion: \"eks-1.8.0\"\nid: 2\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 2.1\n  "
  },
  {
    "path": "cfg/eks-1.8.0/managedservices.yaml",
    "chars": 11805,
    "preview": "---\ncontrols:\nversion: \"eks-1.8.0\"\nid: 5\ntext: \"Managed Services\"\ntype: \"managedservices\"\ngroups:\n  - id: 5.1\n    text: "
  },
  {
    "path": "cfg/eks-1.8.0/master.yaml",
    "chars": 89,
    "preview": "---\ncontrols:\nversion: \"eks-1.8.0\"\nid: 1\ntext: \"Control Plane Components\"\ntype: \"master\"\n"
  },
  {
    "path": "cfg/eks-1.8.0/node.yaml",
    "chars": 21118,
    "preview": "---\ncontrols:\nversion: \"eks-1.8.0\"\nid: 3\ntext: \"Worker Nodes\"\ntype: \"node\"\ngroups:\n  - id: 3.1\n    text: \"Worker Node Co"
  },
  {
    "path": "cfg/eks-1.8.0/policies.yaml",
    "chars": 16612,
    "preview": "---\ncontrols:\nversion: \"eks-1.8.0\"\nid: 4\ntext: \"Policies\"\ntype: \"policies\"\ngroups:\n  - id: 4.1\n    text: \"RBAC and Servi"
  },
  {
    "path": "cfg/eks-stig-kubernetes-v1r6/config.yaml",
    "chars": 369,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n## These settings are required if you are u"
  },
  {
    "path": "cfg/eks-stig-kubernetes-v1r6/controlplane.yaml",
    "chars": 5527,
    "preview": "---\ncontrols:\nversion: \"eks-stig-kubernetes-v1r6\"\nid: 2\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:"
  },
  {
    "path": "cfg/eks-stig-kubernetes-v1r6/managedservices.yaml",
    "chars": 10571,
    "preview": "---\ncontrols:\nversion: \"eks-stig-kubernetes-v1r6\"\nid: 5\ntext: \"Managed Services\"\ntype: \"managedservices\"\ngroups:\n  - id:"
  },
  {
    "path": "cfg/eks-stig-kubernetes-v1r6/master.yaml",
    "chars": 104,
    "preview": "---\ncontrols:\nversion: \"eks-stig-kubernetes-v1r6\"\nid: 1\ntext: \"Control Plane Components\"\ntype: \"master\"\n"
  },
  {
    "path": "cfg/eks-stig-kubernetes-v1r6/node.yaml",
    "chars": 12394,
    "preview": "---\ncontrols:\nversion: \"eks-stig-kubernetes-v1r6\"\nid: 3\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n"
  },
  {
    "path": "cfg/eks-stig-kubernetes-v1r6/policies.yaml",
    "chars": 1215,
    "preview": "---\ncontrols:\nversion: \"eks-stig-kubernetes-v1r6\"\nid: 4\ntext: \"Policies\"\ntype: \"policies\"\ngroups:\n  - id: 4.1\n    text: "
  },
  {
    "path": "cfg/gke-1.0/config.yaml",
    "chars": 77,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n"
  },
  {
    "path": "cfg/gke-1.0/controlplane.yaml",
    "chars": 1051,
    "preview": "---\ncontrols:\nversion: \"gke-1.0\"\nid: 3\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 3.1\n    "
  },
  {
    "path": "cfg/gke-1.0/etcd.yaml",
    "chars": 1555,
    "preview": "---\ncontrols:\nversion: \"gke-1.0\"\nid: 2\ntext: \"Etcd Node Configuration\"\ntype: \"etcd\"\ngroups:\n  - id: 2\n    text: \"Etcd No"
  },
  {
    "path": "cfg/gke-1.0/managedservices.yaml",
    "chars": 27521,
    "preview": "---\ncontrols:\nversion: \"gke-1.0\"\nid: 6\ntext: \"Managed Services\"\ntype: \"managedservices\"\ngroups:\n  - id: 6.1\n    text: \"I"
  },
  {
    "path": "cfg/gke-1.0/master.yaml",
    "chars": 14055,
    "preview": "---\ncontrols:\nversion: \"gke-1.0\"\nid: 1\ntext: \"Control Plane Components\"\ntype: \"master\"\ngroups:\n  - id: 1.1\n    text: \"Ma"
  },
  {
    "path": "cfg/gke-1.0/node.yaml",
    "chars": 12355,
    "preview": "---\ncontrols:\nversion: \"gke-1.0\"\nid: 4\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 4.1\n    t"
  },
  {
    "path": "cfg/gke-1.0/policies.yaml",
    "chars": 9413,
    "preview": "---\ncontrols:\nversion: \"gke-1.0\"\nid: 5\ntext: \"Kubernetes Policies\"\ntype: \"policies\"\ngroups:\n  - id: 5.1\n    text: \"RBAC "
  },
  {
    "path": "cfg/gke-1.2.0/config.yaml",
    "chars": 77,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n"
  },
  {
    "path": "cfg/gke-1.2.0/controlplane.yaml",
    "chars": 1086,
    "preview": "---\ncontrols:\nversion: \"gke-1.2.0\"\nid: 2\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 2.1\n  "
  },
  {
    "path": "cfg/gke-1.2.0/managedservices.yaml",
    "chars": 27738,
    "preview": "---\ncontrols:\nversion: \"gke-1.2.0\"\nid: 5\ntext: \"Managed Services\"\ntype: \"managedservices\"\ngroups:\n  - id: 5.1\n    text: "
  },
  {
    "path": "cfg/gke-1.2.0/master.yaml",
    "chars": 89,
    "preview": "---\ncontrols:\nversion: \"gke-1.2.0\"\nid: 1\ntext: \"Control Plane Components\"\ntype: \"master\"\n"
  },
  {
    "path": "cfg/gke-1.2.0/node.yaml",
    "chars": 13970,
    "preview": "---\ncontrols:\nversion: \"gke-1.2.0\"\nid: 3\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 3.1\n   "
  },
  {
    "path": "cfg/gke-1.2.0/policies.yaml",
    "chars": 9397,
    "preview": "---\ncontrols:\nversion: \"gke-1.2.0\"\nid: 4\ntext: \"Kubernetes Policies\"\ntype: \"policies\"\ngroups:\n  - id: 4.1\n    text: \"RBA"
  },
  {
    "path": "cfg/gke-1.6.0/config.yaml",
    "chars": 221,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n\nnode:\n  proxy:\n    defaultkubeconfig: \"/va"
  },
  {
    "path": "cfg/gke-1.6.0/controlplane.yaml",
    "chars": 620,
    "preview": "---\ncontrols:\nversion: \"gke-1.6.0\"\nid: 2\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 2.1\n  "
  },
  {
    "path": "cfg/gke-1.6.0/managedservices.yaml",
    "chars": 25584,
    "preview": "---\ncontrols:\nversion: \"gke-1.6.0\"\nid: 5\ntext: \"Managed Services\"\ntype: \"managedservices\"\ngroups:\n  - id: 5.1\n    text: "
  },
  {
    "path": "cfg/gke-1.6.0/master.yaml",
    "chars": 89,
    "preview": "---\ncontrols:\nversion: \"gke-1.6.0\"\nid: 1\ntext: \"Control Plane Components\"\ntype: \"master\"\n"
  },
  {
    "path": "cfg/gke-1.6.0/node.yaml",
    "chars": 21866,
    "preview": "---\ncontrols:\nversion: \"gke-1.6.0\"\nid: 3\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 3.1\n   "
  },
  {
    "path": "cfg/gke-1.6.0/policies.yaml",
    "chars": 9751,
    "preview": "---\ncontrols:\nversion: \"gke-1.6.0\"\nid: 4\ntext: \"Kubernetes Policies\"\ntype: \"policies\"\ngroups:\n  - id: 4.1\n    text: \"RBA"
  },
  {
    "path": "cfg/gke-1.8.0/config.yaml",
    "chars": 213,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n\nnode:\n  proxy:\n    defaultkubeconfig: \"/va"
  },
  {
    "path": "cfg/gke-1.8.0/controlplane.yaml",
    "chars": 98,
    "preview": "---\ncontrols:\nversion: \"gke-1.8.0\"\nid: 2\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\n"
  },
  {
    "path": "cfg/gke-1.8.0/managedservices.yaml",
    "chars": 33121,
    "preview": "---\ncontrols:\nversion: \"gke-1.8.0\"\nid: 5\ntext: \"Managed Services\"\ntype: \"managedservices\"\ngroups:\n  - id: 5.1\n    text: "
  },
  {
    "path": "cfg/gke-1.8.0/master.yaml",
    "chars": 89,
    "preview": "---\ncontrols:\nversion: \"gke-1.8.0\"\nid: 1\ntext: \"Control Plane Components\"\ntype: \"master\"\n"
  },
  {
    "path": "cfg/gke-1.8.0/node.yaml",
    "chars": 2229,
    "preview": "---\ncontrols:\nversion: \"gke-1.8.0\"\nid: 3\ntext: \"Worker Nodes\"\ntype: \"node\"\ngroups:\n  - id: 3.1\n    text: \"Worker Node Co"
  },
  {
    "path": "cfg/gke-1.8.0/policies.yaml",
    "chars": 19960,
    "preview": "---\ncontrols:\nversion: \"gke-1.8.0\"\nid: 4\ntext: \"Kubernetes Policies\"\ntype: \"policies\"\ngroups:\n  - id: 4.1\n    text: \"RBA"
  },
  {
    "path": "cfg/k3s-cis-1.23/config.yaml",
    "chars": 813,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n\nmaster:\n  components:\n    - apiserver\n    "
  },
  {
    "path": "cfg/k3s-cis-1.23/controlplane.yaml",
    "chars": 1758,
    "preview": "---\ncontrols:\nversion: \"k3s-cis-1.23\"\nid: 3\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 3.1"
  },
  {
    "path": "cfg/k3s-cis-1.23/etcd.yaml",
    "chars": 5030,
    "preview": "---\ncontrols:\nversion: \"k3s-cis-1.23\"\nid: 2\ntext: \"Etcd Node Configuration\"\ntype: \"etcd\"\ngroups:\n  - id: 2\n    text: \"Et"
  },
  {
    "path": "cfg/k3s-cis-1.23/master.yaml",
    "chars": 43215,
    "preview": "---\ncontrols:\nversion: \"k3s-cis-1.23\"\nid: 1\ntext: \"Control Plane Security Configuration\"\ntype: \"master\"\ngroups:\n  - id: "
  },
  {
    "path": "cfg/k3s-cis-1.23/node.yaml",
    "chars": 21216,
    "preview": "---\ncontrols:\nversion: \"k3s-cis-1.23\"\nid: 4\ntext: \"Worker Node Security Configuration\"\ntype: \"node\"\ngroups:\n  - id: 4.1\n"
  },
  {
    "path": "cfg/k3s-cis-1.23/policies.yaml",
    "chars": 10480,
    "preview": "---\ncontrols:\nversion: \"k3s-cis-1.23\"\nid: 5\ntext: \"Kubernetes Policies\"\ntype: \"policies\"\ngroups:\n  - id: 5.1\n    text: \""
  },
  {
    "path": "cfg/k3s-cis-1.24/config.yaml",
    "chars": 977,
    "preview": "---\n## Version-specific settings that override the values in cfg/config.yaml\n\nmaster:\n  components:\n    - apiserver\n    "
  },
  {
    "path": "cfg/k3s-cis-1.24/controlplane.yaml",
    "chars": 1738,
    "preview": "---\ncontrols:\nversion: \"k3s-cis-1.24\"\nid: 3\ntext: \"Control Plane Configuration\"\ntype: \"controlplane\"\ngroups:\n  - id: 3.1"
  },
  {
    "path": "cfg/k3s-cis-1.24/etcd.yaml",
    "chars": 6191,
    "preview": "---\ncontrols:\nversion: \"k3s-cis-1.24\"\nid: 2\ntext: \"Etcd Node Configuration\"\ntype: \"etcd\"\ngroups:\n  - id: 2\n    text: \"Et"
  },
  {
    "path": "cfg/k3s-cis-1.24/master.yaml",
    "chars": 46042,
    "preview": "---\ncontrols:\nversion: \"k3s-cis-1.24\"\nid: 1\ntext: \"Control Plane Security Configuration\"\ntype: \"master\"\ngroups:\n  - id: "
  }
]
