CIS Benchmarks
The Center for Internet Security (CIS) publishes the CIS Kubernetes Benchmarks for each Kubernetes release. These benchmarks comprise a comprehensive set of recommendations aimed at hardening Kubernetes security configuration. Designed to align with industry regulations, CIS Benchmarks set standards that meet diverse compliance requirements, and their applicability across Kubernetes distributions helps fortify such environments while fostering a robust security posture.
Note
The CIS Benchmark results detailed herein are verified against MKE 3.7.2.
Mirantis has based its handling of Kubernetes benchmarks on CIS Kubernetes Benchmark v1.7.0.
1 Control Plane Components
Section 1 comprises security recommendations for the direct configuration of Kubernetes control plane processes. It is broken out into four subsections:
1.1 Control Plane Node Configuration Files

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 1.1.1 | Ensure that the API server pod specification file permissions are set to | Level 1 - Master Node | Pass |
| 1.1.2 | Ensure that the API server pod specification file ownership is set to | Level 1 - Master Node | Pass |
| 1.1.3 | Ensure that the controller manager pod specification file permissions are set to | Level 1 - Master Node | Pass |
| 1.1.4 | Ensure that the controller manager pod specification file ownership is set to | Level 1 - Master Node | Pass |
| 1.1.5 | Ensure that the scheduler pod specification file permissions are set to | Level 1 - Master Node | Pass |
| 1.1.6 | Ensure that the scheduler pod specification file ownership is set to | Level 1 - Master Node | Pass |
| 1.1.7 | Ensure that the etcd pod specification file permissions are set to | Level 1 - Master Node | Pass |
| 1.1.8 | Ensure that the etcd pod specification file ownership is set to | Level 1 - Master Node | Pass |
| 1.1.9 | Ensure that the Container Network Interface file permissions are set to | Level 1 - Master Node | Pass |
| 1.1.10 | Ensure that the Container Network Interface file ownership is set to | Level 1 - Master Node | Pass |
| 1.1.11 | Ensure that the etcd data directory permissions are set to | Level 1 - Master Node | Pass |
| 1.1.12 | Ensure that the etcd data directory ownership is set to | Level 1 - Master Node | Fail. MKE runs etcd in a container, and thus it does not create an etcd user on the host. Access to the etcd data directory is instead controlled through a Docker volume. |
| 1.1.13 | Ensure that the | Level 1 - Master Node | Pass |
| 1.1.14 | Ensure that the | Level 1 - Master Node | Pass |
| 1.1.15 | Ensure that the | Level 1 - Master Node | Pass |
| 1.1.16 | Ensure that the | Level 1 - Master Node | Pass |
| 1.1.17 | Ensure that the | Level 1 - Master Node | Pass |
| 1.1.18 | Ensure that the | Level 1 - Master Node | Pass |
| 1.1.19 | Ensure that the Kubernetes PKI directory and file ownership is set to | Level 1 - Master Node | Pass |
| 1.1.20 | Ensure that the Kubernetes PKI certificate file permissions are set to | Level 1 - Master Node | Pass |
| 1.1.21 | Ensure that the Kubernetes PKI key file permissions are set to | Level 1 - Master Node | Pass |
1.2 API Server

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 1.2.1 | Ensure that the | Level 1 - Master Node | Pass |
| 1.2.2 | Ensure that the | Level 1 - Master Node | Pass |
| 1.2.3 | Ensure that the - | Level 1 - Master Node | Pass |
| 1.2.4 | Ensure that the | Level 1 - Master Node | Pass |
| 1.2.5 | Ensure that the | Level 1 - Master Node | Pass |
| 1.2.6 | Ensure that the | Level 1 - Master Node | Pass |
| 1.2.7 | Ensure that the | Level 1 - Master Node | Pass |
| 1.2.8 | Ensure that the | Level 1 - Master Node | Pass |
| 1.2.9 | Ensure that the admission control plugin | Level 1 - Master Node | Fail. Optionally, MKE can configure the |
| 1.2.10 | Ensure that the admission control plugin | Level 1 - Master Node | Pass |
| 1.2.11 | Ensure that the admission control plugin | Level 1 - Master Node | Fail. Optionally, MKE can configure the |
| 1.2.12 | Ensure that the admission control plugin | Level 1 - Master Node | Pass |
| 1.2.13 | Ensure that the admission control plugin | Level 1 - Master Node | Pass |
| 1.2.14 | Ensure that the admission control plugin | Level 1 - Master Node | Pass |
| 1.2.15 | Ensure that the admission control plugin | Level 1 - Master Node | Pass |
| 1.2.16 | Ensure that the | Level 1 - Master Node | Pass |
| 1.2.17 | Ensure that the | Level 1 - Master Node | Pass |
| 1.2.18 | Ensure that the | Level 1 - Master Node | Pass |
| 1.2.19 | Ensure that the | Level 1 - Master Node | Pass |
| 1.2.20 | Ensure that the | Level 1 - Master Node | Pass |
| 1.2.21 | Ensure that the | Level 1 - Master Node | Pass |
| 1.2.22 | Ensure that the | Level 1 - Master Node | Fail. Optionally, MKE can configure the Kubernetes API server |
| 1.2.23 | Ensure that the | Level 1 - Master Node | Pass |
| 1.2.24 | Ensure that the `--service-account-key-file` argument is set as appropriate. | Level 1 - Master Node | Pass |
| 1.2.25 | Ensure that the | Level 1 - Master Node | Pass |
| 1.2.26 | Ensure that the | Level 1 - Master Node | Pass |
| 1.2.27 | Ensure that the | Level 1 - Master Node | Pass |
| 1.2.28 | Ensure that the | Level 1 - Master Node | Pass |
| 1.2.29 | Ensure that the | Level 1 - Master Node | Pass |
| 1.2.30 | Ensure that encryption providers are appropriately configured. | Level 1 - Master Node | Pass |
| 1.2.31 | Ensure that the API Server only makes use of Strong Cryptographic Ciphers. | Level 1 - Master Node | Fail. Optionally, MKE can be configured to support a list of compliant TLS ciphers. |
1.3 Controller Manager

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 1.3.1 | Ensure that the | Level 1 - Master Node | Fail. Optionally, MKE can be configured to use a compliant |
| 1.3.2 | Ensure that the | Level 1 - Master Node | Pass |
| 1.3.3 | Ensure that the | Level 1 - Master Node | Pass |
| 1.3.4 | Ensure that the | Level 1 - Master Node | Pass |
| 1.3.5 | Ensure that the | Level 1 - Master Node | Pass |
| 1.3.6 | Ensure that the | Level 1 - Master Node | Pass |
| 1.3.7 | Ensure that the | Level 1 - Master Node | Pass |
1.4 Scheduler

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 1.4.1 | Ensure that the | Level 1 - Master Node | Pass |
| 1.4.2 | Ensure that the | Level 1 - Master Node | Pass |
2 etcd
Section 2 details recommendations for etcd configuration, under the assumption that you are running etcd in a Kubernetes Pod.
| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 2.1 | Ensure that the | Level 1 - Master Node | Pass |
| 2.2 | Ensure that the | Level 1 - Master Node | Pass |
| 2.3 | Ensure that the | Level 1 - Master Node | Pass |
| 2.4 | Ensure that the | Level 1 - Master Node | Pass |
| 2.5 | Ensure that the | Level 1 - Master Node | Pass |
| 2.6 | Ensure that the | Level 1 - Master Node | Pass |
| 2.7 | Ensure that a unique Certificate Authority is used for etcd. | Level 2 - Master Node | Pass |
3 Control Plane Configuration
Section 3 details recommendations for cluster-wide areas, such as authentication and logging. It is broken out into two subsections:
3.1 Authentication and Authorization

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 3.1.1 | Client certificate authentication should not be used for users. | Level 1 - Master Node | Pass |
| 3.1.2 | Service account token authentication should not be used for users. | Level 1 - Master Node | Pass |
| 3.1.3 | Bootstrap token authentication should not be used for users. | Level 1 - Master Node | Pass |
3.2 Logging

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 3.2.1 | Ensure that a minimal audit policy is created. | Level 1 - Master Node | Pass |
| 3.2.2 | Ensure that the audit policy covers key security concerns. | Level 2 - Master Node | Pass |
4 Worker Nodes
Section 4 details security recommendations for the components that run on Kubernetes worker nodes.
Note
Note that the components for Kubernetes worker nodes may also run on Kubernetes master nodes. Thus, the recommendations in Section 4 should be applied to master nodes as well as worker nodes where the master nodes make use of these components.
Section 4 is broken out into two subsections:
4.1 Worker Node Configuration Files

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 4.1.1 | Ensure that the kubelet service file permissions are set to 600 or more restrictive. | Level 1 - Worker Node | Pass |
| 4.1.2 | Ensure that the kubelet service file ownership is set to | Level 1 - Worker Node | Pass |
| 4.1.3 | If proxy | Level 1 - Worker Node | Pass |
| 4.1.4 | If proxy | Level 1 - Worker Node | Pass |
| 4.1.5 | Ensure that the | Level 1 - Worker Node | Pass |
| 4.1.6 | Ensure that the | Level 1 - Worker Node | Pass |
| 4.1.7 | Ensure that the certificate authorities file permissions are set to | Level 1 - Worker Node | Fail. MKE sets the CA cert file permission to |
| 4.1.8 | Ensure that the client certificate authorities file ownership is set to | Level 1 - Worker Node | Pass |
| 4.1.9 | If the kubelet | Level 1 - Worker Node | Pass |
| 4.1.10 | If the kubelet | Level 1 - Worker Node | Pass |
4.2 Kubelet

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 4.2.1 | Ensure that the | Level 1 - Worker Node | Pass |
| 4.2.2 | Ensure that the | Level 1 - Worker Node | Pass |
| 4.2.3 | Ensure that the | Level 1 - Worker Node | Pass |
| 4.2.4 | Verify that the | Level 1 - Worker Node | Pass |
| 4.2.5 | Ensure that the | Level 1 - Worker Node | Pass |
| 4.2.6 | Ensure that the | Level 1 - Worker Node | Pass |
| 4.2.7 | Ensure that the | Level 1 - Worker Node | Pass |
| 4.2.8 | Ensure that the | Level 2 - Worker Node | Pass |
| 4.2.9 | Ensure that the | Level 1 - Worker Node | Pass |
| 4.2.10 | Ensure that the | Level 1 - Worker Node | Fail. Not applicable, as MKE has a certificate authority that issues TLS certificates for kubelet. |
| 4.2.11 | Verify that the | Level 1 - Worker Node | Fail. Not applicable, as MKE has a certificate authority that issues TLS certificates for kubelet. |
| 4.2.12 | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers. | Level 1 - Worker Node | Fail. Optionally, MKE can be configured to support a list of compliant TLS ciphers. |
| 4.2.13 | Ensure that a limit is set on pod PIDs. | Level 1 - Worker Node | Pass |
5 Policies
Section 5 details recommendations for various Kubernetes policies which are important to the security of the environment. Section 5 is broken out into six subsections, with 5.6 not in use:
5.1 RBAC and Service Accounts

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 5.1.1 | Ensure that the | Level 1 - Master Node | Pass |
| 5.1.2 | Minimize access to secrets. | Level 1 - Master Node | Pass |
| 5.1.3 | Minimize wildcard use in Roles and ClusterRoles. | Level 1 - Worker Node | Pass |
| 5.1.4 | Minimize access to create Pods. | Level 1 - Master Node | Pass |
| 5.1.5 | Ensure that default service accounts are not actively used. | Level 1 - Master Node | Pass. MKE installations are compliant starting with MKE 3.7.1. For customers upgrading from previous MKE versions, Mirantis offers a script that can be used to determine which service accounts are in violation and that offers an option for patching such accounts. |
| 5.1.6 | Ensure that Service Account Tokens are only mounted where necessary. | Level 1 - Master Node | Fail. MKE system service accounts set To have core MKE functionality, the following Pods must mount their respective service account tokens: |
| 5.1.7 | Avoid use of | Level 1 - Master Node | Pass |
| 5.1.8 | Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster. | Level 1 - Master Node | Pass |
| 5.1.9 | Minimize access to create persistent volumes. | Level 1 - Master Node | Pass |
| 5.1.10 | Minimize access to the | Level 1 - Master Node | Pass |
| 5.1.11 | Minimize access to the | Level 1 - Master Node | Pass |
| 5.1.12 | Minimize access to webhook configuration objects. | Level 1 - Master Node | Pass |
| 5.1.13 | Minimize access to the service account token creation. | Level 1 - Master Node | Pass |
5.2 Pod Security Standards

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 5.2.1 | Ensure that the cluster has at least one active policy control mechanism in place. | Level 1 - Master Node | Pass |
| 5.2.2 | Minimize the admission of privileged containers. | Level 1 - Master Node | Pass |
| 5.2.3 | Minimize the admission of containers wishing to share the host process ID namespace. | Level 1 - Master Node | Pass |
| 5.2.4 | Minimize the admission of containers wishing to share the host IPC namespace. | Level 1 - Master Node | Pass |
| 5.2.5 | Minimize the admission of containers wishing to share the host network namespace. | Level 1 - Master Node | Pass |
| 5.2.6 | Minimize the admission of containers with | Level 1 - Master Node | Pass |
| 5.2.7 | Minimize the admission of root containers. | Level 2 - Master Node | Pass |
| 5.2.8 | Minimize the admission of containers with the NET_RAW capability. | Level 1 - Master Node | Pass. MKE control plane containers no longer use NET_RAW; however, policies must be added to restrict the NET_RAW capability for user workloads. |
| 5.2.9 | Minimize the admission of containers with added capabilities. | Level 1 - Master Node | Pass |
| 5.2.10 | Minimize the admission of containers with capabilities assigned. | Level 2 - Master Node | Pass |
| 5.2.11 | Minimize the admission of Windows HostProcess Containers. | Level 1 - Master Node | Pass |
| 5.2.12 | Minimize the admission of HostPath volumes. | Level 1 - Master Node | Pass |
| 5.2.13 | Minimize the admission of containers which use HostPorts. | Level 1 - Master Node | Pass |
5.3 Pod Network Policies and CNI

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 5.3.1 | Ensure that the CNI in use supports Network Policies. | Level 1 - Master Node | Pass |
| 5.3.2 | Ensure that all Namespaces have Network Policies defined. | Level 2 - Master Node | Pass |
5.4 Secrets Management

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 5.4.1 | Prefer using secrets as files over secrets as environment variables. | Level 2 - Master Node | Pass |
| 5.4.2 | Consider external secret storage. | Level 2 - Master Node | Pass |
5.5 Extensible Admission Control

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 5.5.1 | Configure Image Provenance using | Level 2 - Master Node | Pass |
5.7 General Policies

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 5.7.1 | Create administrative boundaries between resources using namespaces. | Level 1 - Master Node | Pass |
| 5.7.2 | Ensure that the | Level 2 - Master Node | Pass |
| 5.7.3 | Apply Security Context to Your Pods and Containers. | Level 2 - Master Node | Pass |
| 5.7.4 | The default namespace should not be used. | Level 2 - Master Node | Pass |