CIS hardening and kube-bench support
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Etcd Charm | Fix Released | Undecided | Kevin W Monroe |
Kubernetes Control Plane Charm | Fix Released | High | Kevin W Monroe |
Kubernetes Worker Charm | Fix Released | High | Kevin W Monroe |
Bug Description
The objective of this work is to have a default configuration of Charmed Kubernetes pass the CIS benchmark tests.
kube-bench is a convenient tool to check if K8s is deployed according to the CIS k8s benchmarks for security best practices:
https:/
Currently, this tool makes assumptions about binary and config file locations that do not match a snap-based installation of the components. This produces multiple false positives, which makes it easy to miss actual configuration problems. There's an upstream PR to address this:
https:/
Even when a snap-aware config is used, kube-bench reports genuine issues with the default configuration of the k8s snaps used in Charmed Kubernetes. Let's use this bug to address those.
Changed in charm-kubernetes-master:
  assignee: nobody → Kevin W Monroe (kwmonroe)
Changed in charm-kubernetes-worker:
  assignee: nobody → Kevin W Monroe (kwmonroe)
Changed in charm-kubernetes-master:
  importance: Undecided → High
Changed in charm-kubernetes-worker:
  importance: Undecided → High
Changed in charm-kubernetes-master:
  importance: High → Undecided
  status: New → In Progress
Changed in charm-kubernetes-worker:
  status: New → In Progress
Changed in charm-kubernetes-master:
  importance: Undecided → High
  summary: snap config for kube-bench conformance → CIS hardening and kube-bench support
  description: updated
Changed in charm-kubernetes-master:
  milestone: none → 1.17
Changed in charm-kubernetes-worker:
  milestone: none → 1.17
Changed in charm-etcd:
  assignee: nobody → Kevin W Monroe (kwmonroe)
  milestone: none → 1.17
  status: New → In Progress
Changed in charm-etcd:
  status: In Progress → Fix Committed
Changed in charm-kubernetes-master:
  status: In Progress → Fix Committed
Changed in charm-kubernetes-worker:
  status: In Progress → Fix Committed
Changed in charm-etcd:
  status: Fix Committed → Fix Released
Changed in charm-kubernetes-master:
  status: Fix Committed → Fix Released
Changed in charm-kubernetes-worker:
  status: Fix Committed → Fix Released
k8s-master failures (4 etcd failures can be ignored given we use standalone etcd):
-----
$ ./kube-bench master --version 1.13-snap | grep FAIL
[FAIL] 1.1.2 Ensure that the --basic-auth-file argument is not set (Scored)
[FAIL] 1.1.5 Ensure that the --insecure-bind-address argument is not set (Scored)
[FAIL] 1.1.6 Ensure that the --insecure-port argument is set to 0 (Scored)
[FAIL] 1.1.8 Ensure that the --profiling argument is set to false (Scored)
[FAIL] 1.1.9 Ensure that the --repair-malformed-updates argument is set to false (Scored)
[FAIL] 1.1.11 Ensure that the admission control plugin AlwaysPullImages is set (Scored)
[FAIL] 1.1.16 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)
[FAIL] 1.1.17 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)
[FAIL] 1.1.19 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
[FAIL] 1.1.20 Ensure that the --token-auth-file parameter is not set (Scored)
[FAIL] 1.1.24 Ensure that the admission control plugin PodSecurityPolicy is set (Scored)
[FAIL] 1.1.32 Ensure that the --authorization-mode argument is set to Node (Scored)
[FAIL] 1.1.33 Ensure that the admission control plugin NodeRestriction is set (Scored)
[FAIL] 1.1.36 Ensure that the admission control plugin EventRateLimit is set (Scored)
[FAIL] 1.1.39 Ensure that the --authorization-mode argument includes RBAC (Scored)
[FAIL] 1.2.1 Ensure that the --profiling argument is set to false (Scored)
[FAIL] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)
[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Scored)
[FAIL] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored)
[FAIL] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
[FAIL] 1.4.7 Ensure that the etcd snap config file permissions are set to 644 or more restrictive (Scored)
[FAIL] 1.4.8 Ensure that the etcd snap config file ownership is set to root:root (Scored)
[FAIL] 1.4.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)
[FAIL] 1.4.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)
[FAIL] 1.5.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)
[FAIL] 1.5.2 Ensure that the --client-cert-auth argument is set to true (Scored)
26 checks FAIL
-----
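As an added example (not part of this bug report, the charms, or kube-bench itself), a small Python triage script that parses the `[FAIL]` lines kube-bench prints, tallies them per CIS section, and lists the component flag each remaining check names, so the output above can be read as a remediation checklist. It assumes that an "etcd failure" in the sense of the comment is a check whose text mentions etcd, and its sample input is constructed from a subset of the lines quoted above.

```python
# Added example (not part of this bug report or of kube-bench): parse the
# "[FAIL] <id> <text>" lines kube-bench prints, tally them by CIS section and
# list the flags that still need attention once etcd checks are set aside.
import re
from collections import defaultdict

# Constructed sample: a subset of the lines quoted in the comment above plus one PASS.
SAMPLE_OUTPUT = """\
[FAIL] 1.1.2 Ensure that the --basic-auth-file argument is not set (Scored)
[FAIL] 1.1.6 Ensure that the --insecure-port argument is set to 0 (Scored)
[FAIL] 1.1.24 Ensure that the admission control plugin PodSecurityPolicy is set (Scored)
[FAIL] 1.2.1 Ensure that the --profiling argument is set to false (Scored)
[FAIL] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)
[FAIL] 1.4.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)
[FAIL] 1.5.2 Ensure that the --client-cert-auth argument is set to true (Scored)
[PASS] 1.1.1 Ensure that the --anonymous-auth argument is set to false (Scored)
"""

FAIL_RE = re.compile(r"^\[FAIL\]\s+(\d+\.\d+\.\d+)\s+(.*?)\s*(?:\((?:Not )?Scored\))?$")
FLAG_RE = re.compile(r"--[a-z0-9-]+")

def parse_failures(text):
    """Return (check_id, description) for every [FAIL] line, in output order."""
    found = []
    for line in text.splitlines():
        m = FAIL_RE.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2)))
    return found

def is_etcd_check(description):
    # Assumption: a check is an etcd check when its text names etcd; checks on
    # etcd flags that do not say "etcd" (e.g. --client-cert-auth) stay listed.
    return "etcd" in description.lower()

def triage(text, standalone_etcd=True):
    """Count failures per section and list what still needs fixing; with
    standalone_etcd=True the etcd checks are dropped, as the comment above
    does for a deployment whose etcd does not run on the master."""
    counts = defaultdict(int)
    actionable = []
    for check_id, desc in parse_failures(text):
        counts[".".join(check_id.split(".")[:2])] += 1
        if standalone_etcd and is_etcd_check(desc):
            continue
        flag = FLAG_RE.search(desc)
        # Record the flag the check names, or the whole text for plugin checks.
        actionable.append((check_id, flag.group(0) if flag else desc))
    return dict(counts), actionable
```

Feed it the full `kube-bench master ... | grep FAIL` output instead of the sample to get the per-section totals and the flag list for a real run.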