CIS Benchmarks¶

The Center for Internet Security (CIS) provides the CIS Kubernetes Benchmarks for each Kubernetes release. These benchmarks comprise a comprehensive set of recommendations that is targeted to enhancing Kubernetes security configuration. Designed to align with industry regulations, CIS Benchmarks ensure standards that meet diverse compliance requirements, and their universal applicability across Kubernetes distributions ensures the fortification of such environments and while fostering a robust security posture.

Note

The CIS Benchmark results detailed herein are verified against MKE 3.7.2.
Mirantis has based its handling of Kubernetes benchmarks on CIS Kubernetes Benchmark v1.7.0.

1 Control Plane Components¶

Section 1 is comprised of security recommendations for the direct configuration of Kubernetes control plane processes. It is broken out into four subsections:

1.1 Control Node Plane Configuration Files

Recommendation designation	Recommendation	Level	Result
1.1.1	Ensure that the API server pod specification file permissions are set to `600` or more restrictive.	Level 1 - Master Node	Pass
1.1.2	Ensure that the API server pod specification file ownership is set to `root:root`.	Level 1 - Master Node	Pass
1.1.3	Ensure that the controller manager pod specification file permissions are set to `600` or more restrictive.	Level 1 - Master Node	Pass
1.1.4	Ensure that the controller manager pod specification file ownership is set to `root:root`.	Level 1 - Master Node	Pass
1.1.5	Ensure that the scheduler pod specification file permissions are set to `600` or more restrictive.	Level 1 - Master Node	Pass
1.1.6	Ensure that the scheduler pod specification file ownership is set to `root:root`.	Level 1 - Master Node	Pass
1.1.7	Ensure that the etcd pod specification file permissions are set to `600` or more restrictive.	Level 1 - Master Node	Pass
1.1.8	Ensure that the etcd pod specification file ownership is set to `root:root`.	Level 1 - Master Node	Pass
1.1.9	Ensure that the Container Network Interface file permissions are set to `600` or more restrictive.	Level 1 - Master Node	Pass
1.1.10	Ensure that the Container Network Interface file ownership is set to `root:root`.	Level 1 - Master Node	Pass
1.1.11	Ensure that the etcd data directory permissions are set to `700` or more restrictive.	Level 1 - Master Node	Pass
1.1.12	Ensure that the etcd data directory ownership is set to `etcd:etcd`.	Level 1 - Master Node	Fail MKE runs etcd in a container, and thus it does not create an etcd user on the host. Access to the etcd data directory is instead controlled through a docker volume.
1.1.13	Ensure that the `admin.conf` file permissions are set to `600` or more restrictive.	Level 1 - Master Node	Pass
1.1.14	Ensure that the `admin.conf` file ownership is set to `root:root`.	Level 1 - Master Node	Pass
1.1.15	Ensure that the `scheduler.conf` file permissions are set to `600` or more restrictive.	Level 1 - Master Node	Pass
1.1.16	Ensure that the `scheduler.conf` file ownership is set to `root:root`.	Level 1 - Master Node	Pass
1.1.17	Ensure that the `controller-manager.conf` file permissions are set to `600` or more restrictive.	Level 1 - Master Node	Pass
1.1.18	Ensure that the `controller-manager.conf` file ownership is set to `root:root`.	Level 1 - Master Node	Pass
1.1.19	Ensure that the Kubernetes PKI directory and file ownership is set to `root:root`.	Level 1 - Master Node	Pass
1.1.20	Ensure that the Kubernetes PKI certificate file permissions are set to `600` or more restrictive.	Level 1 - Master Node	Pass
1.1.21	Ensure that the Kubernetes PKI key file permissions are set to `600`.	Level 1 - Master Node	Pass

1.2 API Server

Recommendation designation	Recommendation	Level	Result
1.2.1	Ensure that the `--anonymous-auth` argument is set to `false`.	Level 1 - Master Node	Pass
1.2.2	Ensure that the `--token-auth-file` parameter is not set.	Level 1 - Master Node	Pass
1.2.3	Ensure that the -`DenyServiceExternalIPs` argument is set.	Level 1 - Master Node	Pass
1.2.4	Ensure that the `--kubelet-client-certificate` and `--kubelet-client-key` arguments are set as appropriate.	Level 1 - Master Node	Pass
1.2.5	Ensure that the `--kubelet-certificate-authority` argument is set as appropriate.	Level 1 - Master Node	Pass
1.2.6	Ensure that the `--authorization-mode` argument is not set to `AlwaysAllow`.	Level 1 - Master Node	Pass
1.2.7	Ensure that the `--authorization-mode` argument includes `Node`.	Level 1 - Master Node	Pass
1.2.8	Ensure that the `--authorization-mode` argument includes `RBAC`.	Level 1 - Master Node	Pass
1.2.9	Ensure that the admission control plugin `EventRateLimit` is set.	Level 1 - Master Node	Fail Optionally, MKE can configure the `EventRateLimit` admission controller plugin.
1.2.10	Ensure that the admission control plugin `AlwaysAdmit` is not set.	Level 1 - Master Node	Pass
1.2.11	Ensure that the admission control plugin `AlwaysPullImages` is set.	Level 1 - Master Node	Fail Optionally, MKE can configure the `AlwaysPullImages` admission controller plugin.
1.2.12	Ensure that the admission control plugin `SecurityContextDeny` is set if `PodSecurityPolicy` is not used.	Level 1 - Master Node	Pass
1.2.13	Ensure that the admission control plugin `ServiceAccount` is set.	Level 1 - Master Node	Pass
1.2.14	Ensure that the admission control plugin `NamespaceLifecycle` is set.	Level 1 - Master Node	Pass
1.2.15	Ensure that the admission control plugin `NodeRestriction` is set.	Level 1 - Master Node	Pass
1.2.16	Ensure that the `--secure-port` option is not set to `0`. Note: This recommendation is obsolete and will be deleted per the consensus process.	Level 1 - Master Node	Pass
1.2.17	Ensure that the `--profiling` option is set to `false`.	Level 1 - Master Node	Pass
1.2.18	Ensure that the `--audit-log-path` option is set.	Level 1 - Master Node	Pass
1.2.19	Ensure that the `--audit-log-maxage` argument is set to `30` or as appropriate.	Level 1 - Master Node	Pass
1.2.20	Ensure that the `--audit-log-maxbackup` argument is set to `10` or as appropriate.	Level 1 - Master Node	Pass
1.2.21	Ensure that the `--audit-log-maxsize` argument is set to `100` or as appropriate.	Level 1 - Master Node	Pass
1.2.22	Ensure that the `--request-timeout` argument is set as appropriate.	Level 1 - Master Node	Fail Optionally, MKE can configure the Kubernetes API server `–-request-timeout` argument value.
1.2.23	Ensure that the `--service-account-lookup` argument is set to `true`.	Level 1 - Master Node	Pass
1.2.24	Ensure that the `--service-account-key-file` argument is set as appropriate.	Level 1 - Master Node	Pass
1.2.25	Ensure that the `--etcd-certfile` and `--etcd-keyfile` arguments are set as appropriate.	Level 1 - Master Node	Pass
1.2.26	Ensure that the `--tls-cert-file` and `--tls-private-key-file` arguments are set as appropriate.	Level 1 - Master Node	Pass
1.2.27	Ensure that the `--client-ca-file` argument is set as appropriate.	Level 1 - Master Node	Pass
1.2.28	Ensure that the `--etcd-cafile` argument is set as appropriate.	Level 1 - Master Node	Pass
1.2.29	Ensure that the `--encryption-provider-config` argument is set as appropriate.	Level 1 - Master Node	Pass
1.2.30	Ensure that encryption providers are appropriately configured.	Level 1 - Master Node	Pass
1.2.31	Ensure that the API Server only makes use of Strong Cryptographic Ciphers.	Level 1 - Master Node	Fail Optionally, MKE can be configured to support a list of compliant TLS ciphers.

1.3 Controller Manager

Recommendation designation	Recommendation	Level	Result
1.3.1	Ensure that the `--terminated-pod-gc-threshold` argument is set as appropriate.	Level 1 - Master Node	Fail Optionally, MKE can be configured to use a compliant `terminated-pod-gc-threshold` value.
1.3.2	Ensure that the `--profiling` argument is set to `false`.	Level 1 - Master Node	Pass
1.3.3	Ensure that the `--use-service-account-credentials` argument is set to `true`.	Level 1 - Master Node	Pass
1.3.4	Ensure that the `--service-account-private-key-file` argument is set as appropriate.	Level 1 - Master Node	Pass
1.3.5	Ensure that the `--root-ca-file` argument is set as appropriate.	Level 1 - Master Node	Pass
1.3.6	Ensure that the `RotateKubeletServerCertificate` argument is set to `true`.	Level 1 - Master Node	Pass
1.3.7	Ensure that the `--bind-address` argument is set to `127.0.0.1`.	Level 1 - Master Node	Pass

1.4 Scheduler

Recommendation designation	Recommendation	Level	Result
1.4.1	Ensure that the --profiling ``argument is set to ``false.	Level 1 - Master Node	Pass
1.4.2	Ensure that the `--bind-address` argument is set to `127.0.0.1`.	Level 1 - Master Node	Pass

2 etcd¶

Section 2 details recommendations for etcd configuration, under the assumption that you are running etcd in a Kubernetes Pod.

2 etcd

Recommendation designation	Recommendation	Level	Result
2.1	Ensure that the `--cert-file` and `--key-file` arguments are set as appropriate.	Level 1 - Master Node	Pass
2.2	Ensure that the `--client-cert-auth` argument is set to `true`.	Level 1 - Master Node	Pass
2.3	Ensure that the `--auto-tls` argument is not set to `true`.	Level 1 - Master Node	Pass
2.4	Ensure that the `--peer-cert-file` and `--peer-key-file` arguments are set as appropriate.	Level 1 - Master Node	Pass
2.5	Ensure that the `--peer-client-cert-auth` argument is set to `true`.	Level 1 - Master Node	Pass
2.6	Ensure that the `--peer-auto-tls` argument is not set to `true`.	Level 1 - Master Node	Pass
2.7	Ensure that a unique Certificate Authority is used for etcd.	Level 2 - Master Node	Pass

3 Control Plane Configuration¶

Section 3 details recommendations for cluster-wide areas, such as authentication and logging. It is broken out into two subsections:

3.1 Authentication and Authorization

Recommendation designation	Recommendation	Level	Result
3.1.1	Client certificate authentication should not be used for users	Level 1 - Master Node	Pass
3.1.2	Service account token authentication should not be used for users.	Level 1 - Master Node	Pass
3.1.3	Bootstrap token authentication should not be used for users.	Level 1 - Master Node	Pass

3.2 Logging

Recommendation designation	Recommendation	Level	Result
3.2.1	Ensure that a minimal audit policy is created.	Level 1 - Master Node	Pass
3.2.2	Ensure that the audit policy covers key security concerns.	Level 2 - Master Node	Pass

4 Worker Nodes¶

Section 4 details security recommendations for the components that run on Kubernetes worker nodes.

Note

Note that the components for Kubernetes worker nodes may also run on Kubernetes master nodes. Thus, the recommendations in Section 4 should be applied to master nodes as well as worker nodes where the master nodes make use of these components.

Section 4 is broken out into two subsections:

4.1 Worker Node Configuration Files

Recommendation designation	Recommendation	Level	Result
4.1.1	Ensure that the kubelet service file permissions are set to 600 or more restrictive.	Level 1 - Worker Node	Pass
4.1.2	Ensure that the kubelet service file ownership is set to `root:root`.	Level 1 - Worker Node	Pass
4.1.3	If proxy `kubeconfig` file exists, ensure permissions are set to `600` or more restrictive.	Level 1 - Worker Node	Pass
4.1.4	If proxy `kubeconfig` file exists, ensure ownership is set to `root:root`.	Level 1 - Worker Node	Pass
4.1.5	Ensure that the `--kubeconfig kubelet.conf` file permissions are set to `600` or more restrictive.	Level 1 - Worker Node	Pass
4.1.6	Ensure that the `--kubeconfig kubelet.conf` file ownership is set to `root:root`.	Level 1 - Worker Node	Pass
4.1.7	Ensure that the certificate authorities file permissions are set to `600` or more restrictive.	Level 1 - Worker Node	Fail MKE sets the CA cert file permission to `644`. This fulfills the control requirement of restricting write access to administrators, thus preventing non-root containers from accessing the file. Further restrictions to `600` are unnecessary and can potentially complicate the configuration.
4.1.8	Ensure that the client certificate authorities file ownership is set to `root:root`.	Level 1 - Worker Node	Pass
4.1.9	If the kubelet `config.yaml` configuration file is being used validate permissions set to `600` or more restrictive.	Level 1 - Worker Node	Pass
4.1.10	If the kubelet `config.yaml` configuration file is being used validate file ownership is set to `root:root`.	Level 1 - Worker Node	Pass

4.2 Kubelet

Recommendation designation	Recommendation	Level	Result
4.2.1	Ensure that the `--anonymous-auth` argument is set to `false`.	Level 1 - Worker Node	Pass
4.2.2	Ensure that the `--authorization-mode` argument is not set to `AlwaysAllow`.	Level 1 - Worker Node	Pass
4.2.3	Ensure that the `--client-ca-file` argument is set as appropriate.	Level 1 - Worker Node	Pass
4.2.4	Verify that the `--read-only-port` argument is set to `0`.	Level 1 - Worker Node	Pass
4.2.5	Ensure that the `--streaming-connection-idle-timeout` argument is not set to `0`.	Level 1 - Worker Node	Pass
4.2.6	Ensure that the `--make-iptables-util-chains` argument is set to `true`.	Level 1 - Worker Node	Pass
4.2.7	Ensure that the `--hostname-override` argument is not set.	Level 1 - Worker Node	Pass
4.2.8	Ensure that the `eventRecordQPS` argument is set to a level which ensures appropriate event capture.	Level 2 - Worker Node	Pass
4.2.9	Ensure that the `--tls-cert-file` and `--tls-private-key-file` arguments are set as appropriate.	Level 1 - Worker Node	Pass
4.2.10	Ensure that the `--rotate-certificates` argument is not set to `false`.	Level 1 - Worker Node	Fail Not applicable, as MKE has a certificate authority that issues TLS certificates for kubelet.
4.2.11	Verify that the `RotateKubeletServerCertificate` argument is set to `true`.	Level 1 - Worker Node	Fail Not applicable, as MKE has a certificate authority that issues TLS certificates for kubelet.
4.2.12	Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers.	Level 1 - Worker Node	Fail Optionally, MKE can be configured to support a list of compliant TLS ciphers.
4.2.13	Ensure that a limit is set on pod PIDs.	Level 1 - Worker Node	Pass

5 Policies¶

Section 5 details recommendations for various Kubernetes policies which are important to the security of the environment. Section 5 is broken out into six subsections, with 5.6 not in use:

5.1 RBAC and Service Accounts

Recommendation designation	Recommendation	Level	Result
5.1.1	Ensure that the `cluster-admin` role is only used where required.	Level 1 - Master Node	Pass
5.1.2	Minimize access to secrets.	Level 1 - Master Node	Pass
5.1.3	Minimize wildcard use in Roles and ClusterRoles.	Level 1 - Worker Node	Pass
5.1.4	Minimize access to create Pods.	Level 1 - Master Node	Pass
5.1.5	Ensure that default service accounts are not actively used.	Level 1 - Master Node	Pass MKE installations are compliant starting with MKE 3.7.1. For customers upgrading from previous MKE versions, Mirantis offers a script that can be used to determine which service accounts are in violation and that offers an option for patching such accounts.
5.1.6	Ensure that Service Account Tokens are only mounted where necessary.	Level 1 - Master Node	Fail MKE system service accounts set `automount` to `false` at the service account level and override the `automount` flag on the system Pods that require it. To have core MKE functionality, the following Pods must mount their respective service account tokens: `calico-kube-controllers` `calico-node` `coredns` `ucp-metrics` `ucp-node-feature-discovery`
5.1.7	Avoid use of `system:masters` group.	Level 1 - Master Node	Pass
5.1.8	Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster.	Level 1 - Master Node	Pass
5.1.9	Minimize access to create persistent volumes.	Level 1 - Master Node	Pass
5.1.10	Minimize access to the `proxy` sub-resource of nodes.	Level 1 - Master Node	Pass
5.1.11	Minimize access to the `approval` sub-resource of `certificatesigningrequests` objects.	Level 1 - Master Node	Pass
5.1.12	Minimize access to webhook configuration objects.	Level 1 - Master Node	Pass
5.1.13	Minimize access to the service account token creation.	Level 1 - Master Node	Pass

5.2 Pod Security Standards

Recommendation designation	Recommendation	Level	Result
5.2.1	Ensure that the cluster has at least one active policy control mechanism in place.	Level 1 - Master Node	Pass
5.2.2	Minimize the admission of privileged containers.	Level 1 - Master Node	Pass
5.2.3	Minimize the admission of containers wishing to share the host process ID namespace.	Level 1 - Master Node	Pass
5.2.4	Minimize the admission of containers wishing to share the host IPC namespace.	Level 1 - Master Node	Pass
5.2.5	Minimize the admission of containers wishing to share the host network namespace.	Level 1 - Master Node	Pass
5.2.6	Minimize the admission of containers with `allowPrivilegeEscalation`.	Level 1 - Master Node	Pass
5.2.7	Minimize the admission of root containers.	Level 2 - Master Node	Pass
5.2.8	Minimize the admission of containers with the NET_RAW capability.	Level 1 - Master Node	Pass MKE control plane containers no longer use NET_RAW, however policies must be added to restrict NET_RAW capability for user workloads.
5.2.9	Minimize the admission of containers with added capabilities.	Level 1 - Master Node	Pass
5.2.10	Minimize the admission of containers with capabilities assigned.	Level 2 - Master Node	Pass
5.2.11	Minimize the admission of Windows HostProcess Containers.	Level 1 - Master Node	Pass
5.2.12	Minimize the admission of HostPath volumes.	Level 1 - Master Node	Pass
5.2.13	Minimize the admission of containers which use HostPorts.	Level 1 - Master Node	Pass

5.3 Pod Network Policies and CNI

Recommendation designation	Recommendation	Level	Result
5.3.1	Ensure that the CNI in use supports Network Policies.	Level 1 - Master Node	Pass
5.3.2	Ensure that all Namespaces have Network Policies defined.	Level 2 - Master Node	Pass

5.4 Secrets Management

Recommendation designation	Recommendation	Level	Result
5.4.1	Prefer using secrets as files over secrets as environment variables.	Level 2 - Master Node	Pass
5.4.2	Consider external secret storage.	Level 2 - Master Node	Pass

5.5 Secrets Management

Recommendation designation	Recommendation	Level	Result
5.5.1	Configure Image Provenance using `ImagePolicyWebhook` admission controller.	Level 2 - Master Node	Pass

5.7 General Policies

Recommendation designation	Recommendation	Level	Result
5.7.1	Create administrative boundaries between resources using namespaces.	Level 1 - Master Node	Pass
5.7.2	Ensure that the `seccomp` profile is set to `docker/default` in your Pod definitions.	Level 2 - Master Node	Pass
5.7.3	Apply Security Context to Your Pods and Containers.	Level 2 - Master Node	Pass
5.7.4	The default namespace should not be used.	Level 2 - Master Node	Pass