Kubernetes Control Plane Charm

CIS hardening and kube-bench support

Bug #1841262 reported by Kevin W Monroe
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Etcd Charm
Fix Released
Undecided
Kevin W Monroe
Etcd Charm 1.17
Kubernetes Control Plane Charm
Fix Released
High
Kevin W Monroe
Kubernetes Control Plane Charm 1.17
Kubernetes Worker Charm
Fix Released
High
Kevin W Monroe
Kubernetes Worker Charm 1.17

Bug Description

The objective of this work is to have a default configuration of Charmed Kubernetes pass the CIS benchmark tests.

kube-bench is a convenient tool to check if K8s is deployed according to the CIS k8s benchmarks for security best practices:

https://blog.aquasec.com/kubernetes-security-cis-benchmarks

Currently, this tool makes assumptions about binary and config file locations that are not congruent with snap-based component installation. This leads to multiple false-positives, making it easy to miss actual configuration problems. There's an upstream PR to address this:

https://github.com/aquasecurity/kube-bench/pull/389

When a snap-based config is used, there are valid issues with the default configuration of k8s snaps used in charmed kubernetes. Let's use this bug to address those.

See original description
Kevin W Monroe (kwmonroe)
Changed in charm-kubernetes-master:
assignee: nobody → Kevin W Monroe (kwmonroe)
Changed in charm-kubernetes-worker:
assignee: nobody → Kevin W Monroe (kwmonroe)
Revision history for this message
Kevin W Monroe (kwmonroe) wrote :

k8s-master failures (4 etcd failures can be ignored given we use standalone etcd):

-----
$ ./kube-bench master --version 1.13-snap | grep FAIL
[FAIL] 1.1.2 Ensure that the --basic-auth-file argument is not set (Scored)
[FAIL] 1.1.5 Ensure that the --insecure-bind-address argument is not set (Scored)
[FAIL] 1.1.6 Ensure that the --insecure-port argument is set to 0 (Scored)
[FAIL] 1.1.8 Ensure that the --profiling argument is set to false (Scored)
[FAIL] 1.1.9 Ensure that the --repair-malformed-updates argument is set to false (Scored)
[FAIL] 1.1.11 Ensure that the admission control plugin AlwaysPullImages is set (Scored)
[FAIL] 1.1.16 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)
[FAIL] 1.1.17 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)
[FAIL] 1.1.19 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
[FAIL] 1.1.20 Ensure that the --token-auth-file parameter is not set (Scored)
[FAIL] 1.1.24 Ensure that the admission control plugin PodSecurityPolicy is set (Scored)
[FAIL] 1.1.32 Ensure that the --authorization-mode argument is set to Node (Scored)
[FAIL] 1.1.33 Ensure that the admission control plugin NodeRestriction is set (Scored)
[FAIL] 1.1.36 Ensure that the admission control plugin EventRateLimit is set (Scored)
[FAIL] 1.1.39 Ensure that the --authorization-mode argument includes RBAC (Scored)
[FAIL] 1.2.1 Ensure that the --profiling argument is set to false (Scored)
[FAIL] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)
[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Scored)
[FAIL] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored)
[FAIL] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
[FAIL] 1.4.7 Ensure that the etcd snap config file permissions are set to 644 or more restrictive (Scored)
[FAIL] 1.4.8 Ensure that the etcd snap config file ownership is set to root:root (Scored)
[FAIL] 1.4.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)
[FAIL] 1.4.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)
[FAIL] 1.5.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)
[FAIL] 1.5.2 Ensure that the --client-cert-auth argument is set to true (Scored)
26 checks FAIL
-----

Revision history for this message
Kevin W Monroe (kwmonroe) wrote :

k8s-worker failures:

-----
$ ./kube-bench node --version 1.13-snap | grep FAIL
[FAIL] 2.1.1 Ensure that the --anonymous-auth argument is set to false (Scored)
[FAIL] 2.1.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
[FAIL] 2.1.3 Ensure that the --client-ca-file argument is set as appropriate (Scored)
[FAIL] 2.1.4 Ensure that the --read-only-port argument is set to 0 (Scored)
[FAIL] 2.1.6 Ensure that the --protect-kernel-defaults argument is set to true (Scored)
[FAIL] 2.1.9 Ensure that the --event-qps argument is set to 0 (Scored)
[FAIL] 2.1.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
[FAIL] 2.1.12 Ensure that the --rotate-certificates argument is not set to false (Scored)
[FAIL] 2.1.13 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
9 checks FAIL
-----

Tim Van Steenburgh (tvansteenburgh)
Changed in charm-kubernetes-master:
importance: Undecided → High
Changed in charm-kubernetes-worker:
importance: Undecided → High
Kevin W Monroe (kwmonroe)
Changed in charm-kubernetes-master:
importance: High → Undecided
status: New → In Progress
Changed in charm-kubernetes-worker:
status: New → In Progress
Tim Van Steenburgh (tvansteenburgh)
Changed in charm-kubernetes-master:
importance: Undecided → High
Tim Van Steenburgh (tvansteenburgh)
summary: - snap config for kube-bench conformance
+ CIS hardening and kube-bench support
description: updated
Revision history for this message
Kevin W Monroe (kwmonroe) wrote :

Up for review in layer-kubernetes-master-worker-base:

https://github.com/charmed-kubernetes/layer-kubernetes-master-worker-base/pull/8

Tim Van Steenburgh (tvansteenburgh)
Changed in charm-kubernetes-master:
milestone: none → 1.17
Changed in charm-kubernetes-worker:
milestone: none → 1.17
Kevin W Monroe (kwmonroe)
Changed in charm-etcd:
assignee: nobody → Kevin W Monroe (kwmonroe)
milestone: none → 1.17
status: New → In Progress
Revision history for this message
Kevin W Monroe (kwmonroe) wrote :

PR from comment #3 has been superseded by the following, now up for review:

https://github.com/charmed-kubernetes/layer-etcd/pull/163
https://github.com/charmed-kubernetes/layer-kubernetes-master-worker-base/pull/9
https://github.com/charmed-kubernetes/layer-kubernetes-common/pull/9

Kevin W Monroe (kwmonroe)
Changed in charm-etcd:
status: In Progress → Fix Committed
Changed in charm-kubernetes-master:
status: In Progress → Fix Committed
Changed in charm-kubernetes-worker:
status: In Progress → Fix Committed
Tim Van Steenburgh (tvansteenburgh)
Changed in charm-etcd:
status: Fix Committed → Fix Released
Changed in charm-kubernetes-master:
status: Fix Committed → Fix Released
Changed in charm-kubernetes-worker:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.