forked from rancher/cis-operator
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Rke2 cis 1.6 hardened & permissive (rancher#40)
* add rke2_cis_1.6_hardened * add rke2 CIS 1.6 permissive
- Loading branch information
1 parent
d8e247d
commit ca94c13
Showing
13 changed files
with
4,061 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| --- | ||
| ## Version-specific settings that override the values in cfg/config.yaml | ||
|
|
||
| master: | ||
| components: | ||
| - apiserver | ||
| - scheduler | ||
| - controllermanager | ||
| - etcd | ||
| - policies | ||
|
|
||
| apiserver: | ||
| bins: | ||
| - kube-apiserver | ||
| confs: | ||
| - /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml | ||
| defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml | ||
|
|
||
| scheduler: | ||
| bins: | ||
| - kube-scheduler | ||
| confs: | ||
| - /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml | ||
| defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml | ||
|
|
||
| controllermanager: | ||
| bins: | ||
| - kube-controller-manager | ||
| confs: | ||
| - /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml | ||
| defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml | ||
|
|
||
| etcd: | ||
| bins: | ||
| - etcd | ||
| confs: | ||
| - /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml | ||
| defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml | ||
|
|
||
| node: | ||
| components: | ||
| - kubelet | ||
| - proxy | ||
|
|
||
| kubelet: | ||
| defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig | ||
| defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt | ||
|
|
||
| proxy: | ||
| defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig | ||
|
|
||
| policies: | ||
| components: | ||
| - policies |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| --- | ||
| controls: | ||
| version: 1.6 | ||
| id: 3 | ||
| text: "Control Plane Configuration" | ||
| type: "controlplane" | ||
| groups: | ||
| - id: 3.1 | ||
| text: "Authentication and Authorization" | ||
| checks: | ||
| - id: 3.1.1 | ||
| text: "Client certificate authentication should not be used for users (Manual)" | ||
| type: "manual" | ||
| remediation: | | ||
| Alternative mechanisms provided by Kubernetes such as the use of OIDC should be | ||
| implemented in place of client certificates. | ||
| scored: false | ||
|
|
||
| - id: 3.2 | ||
| text: "Logging" | ||
| checks: | ||
| - id: 3.2.1 | ||
| text: "Ensure that a minimal audit policy is created (Automated)" | ||
| audit: "/bin/ps -ef | grep kube-apiserver | grep -v grep | grep -o audit-policy-file" | ||
| tests: | ||
| test_items: | ||
| - flag: "audit-policy-file" | ||
| compare: | ||
| op: eq | ||
| value: "audit-policy-file" | ||
| set: true | ||
| remediation: | | ||
| Create an audit policy file for your cluster. | ||
| scored: true | ||
|
|
||
| - id: 3.2.2 | ||
| text: "Ensure that the audit policy covers key security concerns (Manual)" | ||
| type: "manual" | ||
| remediation: | | ||
| Consider modification of the audit policy in use on the cluster to include these items, at a | ||
| minimum. | ||
| scored: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,128 @@ | ||
| --- | ||
| controls: | ||
| version: 1.6 | ||
| id: 2 | ||
| text: "Etcd Node Configuration" | ||
| type: "etcd" | ||
| groups: | ||
| - id: 2 | ||
| text: "Etcd Node Configuration Files" | ||
| checks: | ||
| - id: 2.1 | ||
| text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" | ||
| audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" | ||
| tests: | ||
| bin_op: and | ||
| test_items: | ||
| - flag: "--cert-file" | ||
| - flag: "--key-file" | ||
| remediation: | | ||
| Follow the etcd service documentation and configure TLS encryption. | ||
| Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml | ||
| on the master node and set the below parameters. | ||
| --cert-file=</path/to/ca-file> | ||
| --key-file=</path/to/key-file> | ||
| scored: true | ||
| type: "skip" | ||
|
|
||
| - id: 2.2 | ||
| text: "Ensure that the --client-cert-auth argument is set to true (Automated)" | ||
| audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" | ||
| tests: | ||
| test_items: | ||
| - flag: "--client-cert-auth" | ||
| compare: | ||
| op: eq | ||
| value: true | ||
| type: "skip" | ||
| remediation: | | ||
| Edit the etcd pod specification file $etcdconf on the master | ||
| node and set the below parameter. | ||
| --client-cert-auth="true" | ||
| scored: true | ||
|
|
||
| - id: 2.3 | ||
| text: "Ensure that the --auto-tls argument is not set to true (Automated)" | ||
| audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" | ||
| tests: | ||
| bin_op: or | ||
| test_items: | ||
| - flag: "--auto-tls" | ||
| set: false | ||
| - flag: "--auto-tls" | ||
| compare: | ||
| op: eq | ||
| value: false | ||
| remediation: | | ||
| Edit the etcd pod specification file $etcdconf on the master | ||
| node and either remove the --auto-tls parameter or set it to false. | ||
| --auto-tls=false | ||
| scored: true | ||
|
|
||
| - id: 2.4 | ||
| text: "Ensure that the --peer-cert-file and --peer-key-file arguments are | ||
| set as appropriate (Automated)" | ||
| audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" | ||
| tests: | ||
| bin_op: and | ||
| test_items: | ||
| - flag: "--peer-cert-file" | ||
| - flag: "--peer-key-file" | ||
| remediation: | | ||
| Follow the etcd service documentation and configure peer TLS encryption as appropriate | ||
| for your etcd cluster. | ||
| Then, edit the etcd pod specification file $etcdconf on the | ||
| master node and set the below parameters. | ||
| --peer-client-file=</path/to/peer-cert-file> | ||
| --peer-key-file=</path/to/peer-key-file> | ||
| scored: true | ||
| type: skip | ||
|
|
||
| - id: 2.5 | ||
| text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" | ||
| audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" | ||
| tests: | ||
| test_items: | ||
| - flag: "--peer-client-cert-auth" | ||
| compare: | ||
| op: eq | ||
| value: true | ||
| remediation: | | ||
| Edit the etcd pod specification file $etcdconf on the master | ||
| node and set the below parameter. | ||
| --peer-client-cert-auth=true | ||
| scored: true | ||
| type: skip | ||
|
|
||
| - id: 2.6 | ||
| text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" | ||
| audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" | ||
| tests: | ||
| bin_op: or | ||
| test_items: | ||
| - flag: "--peer-auto-tls" | ||
| set: false | ||
| - flag: "--peer-auto-tls" | ||
| compare: | ||
| op: eq | ||
| value: false | ||
| remediation: | | ||
| Edit the etcd pod specification file $etcdconf on the master | ||
| node and either remove the --peer-auto-tls parameter or set it to false. | ||
| --peer-auto-tls=false | ||
| scored: true | ||
|
|
||
| - id: 2.7 | ||
| text: "Ensure that a unique Certificate Authority is used for etcd (Manual)" | ||
| audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" | ||
| tests: | ||
| test_items: | ||
| - flag: "--trusted-ca-file" | ||
| remediation: | | ||
| [Manual test] | ||
| Follow the etcd documentation and create a dedicated certificate authority setup for the | ||
| etcd service. | ||
| Then, edit the etcd pod specification file $etcdconf on the | ||
| master node and set the below parameter. | ||
| --trusted-ca-file=</path/to/ca-file> | ||
| scored: false |
Oops, something went wrong.