CIS Kubernetes Benchmark v1.5.1 # 1.2/1.3/1.4 #1
Description
Details
1 Control Plane Components
1.2 API Server
Checklist
- 1.2.1 Ensure that the --anonymous-auth argument is set to false
- 1.2.2 Ensure that the --basic-auth-file argument is not set
- 1.2.3 Ensure that the --token-auth-file parameter is not set
- 1.2.4 Ensure that the --kubelet-https argument is set to true
- 1.2.5 Ensure that the --kubelet-client-certificate and --kubelet- client-key arguments are set as appropriate
- 1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate
- 1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow
- 1.2.8 Ensure that the --authorization-mode argument includes Node
- 1.2.9 Ensure that the --authorization-mode argument includes RBAC
- 1.2.10 Ensure that the admission control plugin EventRateLimit is set
- 1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set
- 1.2.12 Ensure that the admission control plugin AlwaysPullImages is set
- 1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
- 1.2.14 Ensure that the admission control plugin ServiceAccount is set
- 1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set
- 1.2.16 Ensure that the admission control plugin PodSecurityPolicy is set
- 1.2.17 Ensure that the admission control plugin NodeRestriction is set
- 1.2.18 Ensure that the --insecure-bind-address argument is not set
- 1.2.19 Ensure that the --insecure-port argument is set to 0
1.3 Controller Manager
- 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate
- 1.3.2 Ensure that the --profiling argument is set to false
- 1.3.3 Ensure that the --use-service-account-credentials argument is set to true
- 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate
- 1.3.5 Ensure that the --root-ca-file argument is set as appropriate
- 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true
- 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1
1.4 Scheduler
- 1.4.1 Ensure that the --profiling argument is set to false
- 1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1