CIS Benchmarks

The Center for Internet Security (CIS) publishes the CIS Kubernetes Benchmarks for each Kubernetes release. These benchmarks are a comprehensive set of recommendations for hardening the security configuration of Kubernetes. Designed to align with industry regulations, the CIS Benchmarks set standards that meet diverse compliance requirements, and because they apply across Kubernetes distributions they help harden such environments while fostering a robust security posture.

Note

  • The CIS Benchmark results detailed herein are verified against MKE 3.7.2.

  • Mirantis has based its handling of Kubernetes benchmarks on CIS Kubernetes Benchmark v1.7.0.

1 Control Plane Components

Section 1 consists of security recommendations for the direct configuration of Kubernetes control plane processes. It is broken out into four subsections:

1.1 Control Node Plane Configuration Files

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 1.1.1 | Ensure that the API server pod specification file permissions are set to 600 or more restrictive. | Level 1 - Master Node | Pass |
| 1.1.2 | Ensure that the API server pod specification file ownership is set to root:root. | Level 1 - Master Node | Pass |
| 1.1.3 | Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive. | Level 1 - Master Node | Pass |
| 1.1.4 | Ensure that the controller manager pod specification file ownership is set to root:root. | Level 1 - Master Node | Pass |
| 1.1.5 | Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive. | Level 1 - Master Node | Pass |
| 1.1.6 | Ensure that the scheduler pod specification file ownership is set to root:root. | Level 1 - Master Node | Pass |
| 1.1.7 | Ensure that the etcd pod specification file permissions are set to 600 or more restrictive. | Level 1 - Master Node | Pass |
| 1.1.8 | Ensure that the etcd pod specification file ownership is set to root:root. | Level 1 - Master Node | Pass |
| 1.1.9 | Ensure that the Container Network Interface file permissions are set to 600 or more restrictive. | Level 1 - Master Node | Pass |
| 1.1.10 | Ensure that the Container Network Interface file ownership is set to root:root. | Level 1 - Master Node | Pass |
| 1.1.11 | Ensure that the etcd data directory permissions are set to 700 or more restrictive. | Level 1 - Master Node | Pass |
| 1.1.12 | Ensure that the etcd data directory ownership is set to etcd:etcd. | Level 1 - Master Node | Fail. MKE runs etcd in a container, and thus it does not create an etcd user on the host. Access to the etcd data directory is instead controlled through a docker volume. |
| 1.1.13 | Ensure that the admin.conf file permissions are set to 600 or more restrictive. | Level 1 - Master Node | Pass |
| 1.1.14 | Ensure that the admin.conf file ownership is set to root:root. | Level 1 - Master Node | Pass |
| 1.1.15 | Ensure that the scheduler.conf file permissions are set to 600 or more restrictive. | Level 1 - Master Node | Pass |
| 1.1.16 | Ensure that the scheduler.conf file ownership is set to root:root. | Level 1 - Master Node | Pass |
| 1.1.17 | Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive. | Level 1 - Master Node | Pass |
| 1.1.18 | Ensure that the controller-manager.conf file ownership is set to root:root. | Level 1 - Master Node | Pass |
| 1.1.19 | Ensure that the Kubernetes PKI directory and file ownership is set to root:root. | Level 1 - Master Node | Pass |
| 1.1.20 | Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive. | Level 1 - Master Node | Pass |
| 1.1.21 | Ensure that the Kubernetes PKI key file permissions are set to 600. | Level 1 - Master Node | Pass |

1.2 API Server

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 1.2.1 | Ensure that the --anonymous-auth argument is set to false. | Level 1 - Master Node | Pass |
| 1.2.2 | Ensure that the --token-auth-file parameter is not set. | Level 1 - Master Node | Pass |
| 1.2.3 | Ensure that the DenyServiceExternalIPs argument is set. | Level 1 - Master Node | Pass |
| 1.2.4 | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate. | Level 1 - Master Node | Pass |
| 1.2.5 | Ensure that the --kubelet-certificate-authority argument is set as appropriate. | Level 1 - Master Node | Pass |
| 1.2.6 | Ensure that the --authorization-mode argument is not set to AlwaysAllow. | Level 1 - Master Node | Pass |
| 1.2.7 | Ensure that the --authorization-mode argument includes Node. | Level 1 - Master Node | Pass |
| 1.2.8 | Ensure that the --authorization-mode argument includes RBAC. | Level 1 - Master Node | Pass |
| 1.2.9 | Ensure that the admission control plugin EventRateLimit is set. | Level 1 - Master Node | Fail. Optionally, MKE can configure the EventRateLimit admission controller plugin. |
| 1.2.10 | Ensure that the admission control plugin AlwaysAdmit is not set. | Level 1 - Master Node | Pass |
| 1.2.11 | Ensure that the admission control plugin AlwaysPullImages is set. | Level 1 - Master Node | Fail. Optionally, MKE can configure the AlwaysPullImages admission controller plugin. |
| 1.2.12 | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used. | Level 1 - Master Node | Pass |
| 1.2.13 | Ensure that the admission control plugin ServiceAccount is set. | Level 1 - Master Node | Pass |
| 1.2.14 | Ensure that the admission control plugin NamespaceLifecycle is set. | Level 1 - Master Node | Pass |
| 1.2.15 | Ensure that the admission control plugin NodeRestriction is set. | Level 1 - Master Node | Pass |
| 1.2.16 | Ensure that the --secure-port option is not set to 0. Note: This recommendation is obsolete and will be deleted per the consensus process. | Level 1 - Master Node | Pass |
| 1.2.17 | Ensure that the --profiling option is set to false. | Level 1 - Master Node | Pass |
| 1.2.18 | Ensure that the --audit-log-path option is set. | Level 1 - Master Node | Pass |
| 1.2.19 | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate. | Level 1 - Master Node | Pass |
| 1.2.20 | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate. | Level 1 - Master Node | Pass |
| 1.2.21 | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate. | Level 1 - Master Node | Pass |
| 1.2.22 | Ensure that the --request-timeout argument is set as appropriate. | Level 1 - Master Node | Fail. Optionally, MKE can configure the Kubernetes API server --request-timeout argument value. |
| 1.2.23 | Ensure that the --service-account-lookup argument is set to true. | Level 1 - Master Node | Pass |
| 1.2.24 | Ensure that the --service-account-key-file argument is set as appropriate. | Level 1 - Master Node | Pass |
| 1.2.25 | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate. | Level 1 - Master Node | Pass |
| 1.2.26 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate. | Level 1 - Master Node | Pass |
| 1.2.27 | Ensure that the --client-ca-file argument is set as appropriate. | Level 1 - Master Node | Pass |
| 1.2.28 | Ensure that the --etcd-cafile argument is set as appropriate. | Level 1 - Master Node | Pass |
| 1.2.29 | Ensure that the --encryption-provider-config argument is set as appropriate. | Level 1 - Master Node | Pass |
| 1.2.30 | Ensure that encryption providers are appropriately configured. | Level 1 - Master Node | Pass |
| 1.2.31 | Ensure that the API Server only makes use of Strong Cryptographic Ciphers. | Level 1 - Master Node | Fail. Optionally, MKE can be configured to support a list of compliant TLS ciphers. |
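Most of the 1.2.x controls above can be decided from the kube-apiserver command line alone. The following Python is an added example, not MKE's or CIS's tooling, that parses such a command line and reports each flag-based control as pass or fail. The command line it audits is a constructed sample (it is not an MKE apiserver invocation), deliberately missing EventRateLimit and --request-timeout so that two controls fail the way the table reports for MKE; controls that need file contents (PKI, encryption config, cipher lists) are left out.

```python
"""Audit a kube-apiserver command line against the flag-based CIS 1.2.x controls.

Added example, not MKE or CIS code. SAMPLE_CMDLINE is a constructed sample.
"""
import shlex


def parse_flags(cmdline: str) -> dict:
    """Turn '--a=b --c d --e' into {'a': 'b', 'c': 'd', 'e': ''}.

    Both '--flag=value' and '--flag value' spellings are accepted; a flag
    given twice keeps the last value, as the Go flag parser does.
    """
    flags = {}
    toks = shlex.split(cmdline)[1:]          # drop the binary name
    i = 0
    while i < len(toks):
        tok = toks[i]
        if not tok.startswith("--"):
            i += 1
            continue
        name, eq, value = tok[2:].partition("=")
        if not eq and i + 1 < len(toks) and not toks[i + 1].startswith("--"):
            value = toks[i + 1]              # '--flag value' form
            i += 1
        flags[name] = value
        i += 1
    return flags


def csv(flags: dict, name: str) -> set:
    """A comma-separated flag (e.g. --authorization-mode) as a set of entries."""
    return {v.strip() for v in flags.get(name, "").split(",") if v.strip()}


def audit_apiserver(cmdline: str) -> dict:
    """Return {control_id: True (pass) / False (fail)} for flag-decidable controls.

    ServiceAccount and NamespaceLifecycle are on by default, so the check is
    that they have not been disabled; NodeRestriction must be enabled explicitly.
    """
    f = parse_flags(cmdline)
    plugins = csv(f, "enable-admission-plugins")
    disabled = csv(f, "disable-admission-plugins")
    authz = csv(f, "authorization-mode")

    def int_flag(name, minimum):
        # "set to N or as appropriate": present and at least the benchmark value
        return f.get(name, "").isdigit() and int(f[name]) >= minimum

    return {
        "1.2.1": f.get("anonymous-auth") == "false",
        "1.2.2": "token-auth-file" not in f,
        "1.2.6": "AlwaysAllow" not in authz,
        "1.2.7": "Node" in authz,
        "1.2.8": "RBAC" in authz,
        "1.2.9": "EventRateLimit" in plugins,
        "1.2.10": "AlwaysAdmit" not in plugins,
        "1.2.11": "AlwaysPullImages" in plugins,
        "1.2.13": "ServiceAccount" not in disabled,
        "1.2.14": "NamespaceLifecycle" not in disabled,
        "1.2.15": "NodeRestriction" in plugins,
        "1.2.16": f.get("secure-port", "6443") != "0",
        "1.2.17": f.get("profiling") == "false",
        "1.2.18": bool(f.get("audit-log-path")),
        "1.2.19": int_flag("audit-log-maxage", 30),
        "1.2.20": int_flag("audit-log-maxbackup", 10),
        "1.2.21": int_flag("audit-log-maxsize", 100),
        "1.2.22": "request-timeout" in f,
        "1.2.23": f.get("service-account-lookup", "true") != "false",
        "1.2.29": "encryption-provider-config" in f,
    }


# Constructed sample command line (not from any MKE installation).
SAMPLE_CMDLINE = (
    "kube-apiserver "
    "--anonymous-auth=false "
    "--authorization-mode=Node,RBAC "
    "--enable-admission-plugins=NodeRestriction,AlwaysPullImages "
    "--profiling=false "
    "--audit-log-path=/var/log/kube-apiserver/audit.log "
    "--audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 "
    "--service-account-lookup=true "
    "--encryption-provider-config /etc/kubernetes/encryption.yaml "
    "--secure-port 6443"
)


def failing_controls(cmdline: str = SAMPLE_CMDLINE) -> list:
    """Sorted list of control ids that fail for the given command line."""
    return sorted(c for c, ok in audit_apiserver(cmdline).items() if not ok)


if __name__ == "__main__":
    print("failing:", failing_controls())   # ['1.2.22', '1.2.9'] for the sample
```

On a live node the command line would come from the apiserver's pod manifest or its process list; the parser is the same either way.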

1.3 Controller Manager

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 1.3.1 | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate. | Level 1 - Master Node | Fail. Optionally, MKE can be configured to use a compliant terminated-pod-gc-threshold value. |
| 1.3.2 | Ensure that the --profiling argument is set to false. | Level 1 - Master Node | Pass |
| 1.3.3 | Ensure that the --use-service-account-credentials argument is set to true. | Level 1 - Master Node | Pass |
| 1.3.4 | Ensure that the --service-account-private-key-file argument is set as appropriate. | Level 1 - Master Node | Pass |
| 1.3.5 | Ensure that the --root-ca-file argument is set as appropriate. | Level 1 - Master Node | Pass |
| 1.3.6 | Ensure that the RotateKubeletServerCertificate argument is set to true. | Level 1 - Master Node | Pass |
| 1.3.7 | Ensure that the --bind-address argument is set to 127.0.0.1. | Level 1 - Master Node | Pass |

1.4 Scheduler

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 1.4.1 | Ensure that the --profiling argument is set to false. | Level 1 - Master Node | Pass |
| 1.4.2 | Ensure that the --bind-address argument is set to 127.0.0.1. | Level 1 - Master Node | Pass |

2 etcd

Section 2 details recommendations for etcd configuration, under the assumption that you are running etcd in a Kubernetes Pod.

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 2.1 | Ensure that the --cert-file and --key-file arguments are set as appropriate. | Level 1 - Master Node | Pass |
| 2.2 | Ensure that the --client-cert-auth argument is set to true. | Level 1 - Master Node | Pass |
| 2.3 | Ensure that the --auto-tls argument is not set to true. | Level 1 - Master Node | Pass |
| 2.4 | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate. | Level 1 - Master Node | Pass |
| 2.5 | Ensure that the --peer-client-cert-auth argument is set to true. | Level 1 - Master Node | Pass |
| 2.6 | Ensure that the --peer-auto-tls argument is not set to true. | Level 1 - Master Node | Pass |
| 2.7 | Ensure that a unique Certificate Authority is used for etcd. | Level 2 - Master Node | Pass |

3 Control Plane Configuration

Section 3 details recommendations for cluster-wide areas, such as authentication and logging. It is broken out into two subsections:

3.1 Authentication and Authorization

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 3.1.1 | Client certificate authentication should not be used for users. | Level 1 - Master Node | Pass |
| 3.1.2 | Service account token authentication should not be used for users. | Level 1 - Master Node | Pass |
| 3.1.3 | Bootstrap token authentication should not be used for users. | Level 1 - Master Node | Pass |

3.2 Logging

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 3.2.1 | Ensure that a minimal audit policy is created. | Level 1 - Master Node | Pass |
| 3.2.2 | Ensure that the audit policy covers key security concerns. | Level 2 - Master Node | Pass |

4 Worker Nodes

Section 4 details security recommendations for the components that run on Kubernetes worker nodes.

Note

Note that the components for Kubernetes worker nodes may also run on Kubernetes master nodes. Thus, the recommendations in Section 4 should be applied to master nodes as well as worker nodes where the master nodes make use of these components.

Section 4 is broken out into two subsections:

4.1 Worker Node Configuration Files

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 4.1.1 | Ensure that the kubelet service file permissions are set to 600 or more restrictive. | Level 1 - Worker Node | Pass |
| 4.1.2 | Ensure that the kubelet service file ownership is set to root:root. | Level 1 - Worker Node | Pass |
| 4.1.3 | If proxy kubeconfig file exists, ensure permissions are set to 600 or more restrictive. | Level 1 - Worker Node | Pass |
| 4.1.4 | If proxy kubeconfig file exists, ensure ownership is set to root:root. | Level 1 - Worker Node | Pass |
| 4.1.5 | Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive. | Level 1 - Worker Node | Pass |
| 4.1.6 | Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root. | Level 1 - Worker Node | Pass |
| 4.1.7 | Ensure that the certificate authorities file permissions are set to 600 or more restrictive. | Level 1 - Worker Node | Fail. MKE sets the CA cert file permission to 644. This fulfills the control requirement of restricting write access to administrators, thus preventing non-root containers from accessing the file. Further restrictions to 600 are unnecessary and can potentially complicate the configuration. |
| 4.1.8 | Ensure that the client certificate authorities file ownership is set to root:root. | Level 1 - Worker Node | Pass |
| 4.1.9 | If the kubelet config.yaml configuration file is being used, validate that permissions are set to 600 or more restrictive. | Level 1 - Worker Node | Pass |
| 4.1.10 | If the kubelet config.yaml configuration file is being used, validate that file ownership is set to root:root. | Level 1 - Worker Node | Pass |
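The file permission and ownership controls in sections 1.1 and 4.1 all reduce to two predicates: "mode is N or more restrictive" (no permission bit set beyond N) and "owned by user:group". The Python below is an added example, not MKE's or CIS's tooling, that implements both and also the weaker "writable only by the owner" property that MKE's 4.1.7 rationale relies on, so the difference between a 600 ceiling and a 644 file is visible in the output. The files it audits are constructed temporary files with known modes; the real paths the benchmark names (pod manifests, PKI files, kubelet.conf, and so on) are assumed, not taken from any MKE installation, and ownership is checked against the current user because root:root cannot be assumed in a test run.

```python
"""Audit file permissions and ownership the way CIS 1.1.x / 4.1.x ask.

Added example, not MKE or CIS code. demo() builds constructed sample files.
"""
import grp
import os
import pwd
import stat
import tempfile


def mode_of(path: str) -> int:
    """Permission bits (e.g. 0o644) of a file or directory, not following links."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def at_most(path: str, ceiling: int) -> bool:
    """True when the mode is `ceiling` or more restrictive: no bit is set that
    the ceiling does not also grant. A 644 file fails a 600 ceiling because
    group/other read is extra; 400 passes."""
    return mode_of(path) & ~ceiling == 0


def owner_only_writable(path: str) -> bool:
    """Weaker property behind MKE's 4.1.7 note: no write bit for group or
    other, whatever the read bits are. 644 passes this, 664 does not."""
    return mode_of(path) & (stat.S_IWGRP | stat.S_IWOTH) == 0


def owned_by(path: str, user: str, group: str) -> bool:
    """True when the file is owned by user:group. An unknown name counts as a
    failed check rather than an exception so the audit keeps going."""
    try:
        uid = pwd.getpwnam(user).pw_uid
        gid = grp.getgrnam(group).gr_gid
    except KeyError:
        return False
    st = os.lstat(path)
    return st.st_uid == uid and st.st_gid == gid


def audit(checks) -> dict:
    """checks: iterable of (control_id, path, ceiling_mode, user, group).
    Returns {control_id: (perm_ok, owner_ok, actual_mode_as_octal_string)}."""
    return {
        control: (at_most(path, ceiling), owned_by(path, user, group), oct(mode_of(path)))
        for control, path, ceiling, user, group in checks
    }


def demo():
    """Create constructed sample files with known modes and audit them."""
    try:
        me = pwd.getpwuid(os.getuid()).pw_name
        mygroup = grp.getgrgid(os.getgid()).gr_name
    except KeyError:                 # uid/gid without a name (some containers)
        me, mygroup = "root", "root"
    d = tempfile.mkdtemp()
    manifest = os.path.join(d, "kube-apiserver.yaml")   # stands in for 1.1.1
    ca_file = os.path.join(d, "ca.crt")                  # stands in for 4.1.7
    etcd_dir = os.path.join(d, "etcd")                   # stands in for 1.1.11
    for p in (manifest, ca_file):
        open(p, "w").close()
    os.mkdir(etcd_dir)
    os.chmod(manifest, 0o600)
    os.chmod(ca_file, 0o644)         # the mode MKE reports for the CA file
    os.chmod(etcd_dir, 0o700)
    results = audit([
        ("1.1.1", manifest, 0o600, me, mygroup),
        ("1.1.11", etcd_dir, 0o700, me, mygroup),
        ("4.1.7", ca_file, 0o600, me, mygroup),
    ])
    return results, owner_only_writable(ca_file)


if __name__ == "__main__":
    results, ca_owner_only = demo()
    for control, (perm_ok, owner_ok, mode) in sorted(results.items()):
        print(f"{control}: mode={mode} perm_ok={perm_ok} owner_ok={owner_ok}")
    print("4.1.7 CA file writable only by owner:", ca_owner_only)
```

Running it prints a failing permission check for the 644 CA file alongside a passing owner-only-writable check, which is exactly the distinction the 4.1.7 note draws.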

4.2 Kubelet

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 4.2.1 | Ensure that the --anonymous-auth argument is set to false. | Level 1 - Worker Node | Pass |
| 4.2.2 | Ensure that the --authorization-mode argument is not set to AlwaysAllow. | Level 1 - Worker Node | Pass |
| 4.2.3 | Ensure that the --client-ca-file argument is set as appropriate. | Level 1 - Worker Node | Pass |
| 4.2.4 | Verify that the --read-only-port argument is set to 0. | Level 1 - Worker Node | Pass |
| 4.2.5 | Ensure that the --streaming-connection-idle-timeout argument is not set to 0. | Level 1 - Worker Node | Pass |
| 4.2.6 | Ensure that the --make-iptables-util-chains argument is set to true. | Level 1 - Worker Node | Pass |
| 4.2.7 | Ensure that the --hostname-override argument is not set. | Level 1 - Worker Node | Pass |
| 4.2.8 | Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture. | Level 2 - Worker Node | Pass |
| 4.2.9 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate. | Level 1 - Worker Node | Pass |
| 4.2.10 | Ensure that the --rotate-certificates argument is not set to false. | Level 1 - Worker Node | Fail. Not applicable, as MKE has a certificate authority that issues TLS certificates for kubelet. |
| 4.2.11 | Verify that the RotateKubeletServerCertificate argument is set to true. | Level 1 - Worker Node | Fail. Not applicable, as MKE has a certificate authority that issues TLS certificates for kubelet. |
| 4.2.12 | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers. | Level 1 - Worker Node | Fail. Optionally, MKE can be configured to support a list of compliant TLS ciphers. |
| 4.2.13 | Ensure that a limit is set on pod PIDs. | Level 1 - Worker Node | Pass |

5 Policies

Section 5 details recommendations for various Kubernetes policies which are important to the security of the environment. Section 5 is broken out into six subsections, with 5.6 not in use:

5.1 RBAC and Service Accounts

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 5.1.1 | Ensure that the cluster-admin role is only used where required. | Level 1 - Master Node | Pass |
| 5.1.2 | Minimize access to secrets. | Level 1 - Master Node | Pass |
| 5.1.3 | Minimize wildcard use in Roles and ClusterRoles. | Level 1 - Worker Node | Pass |
| 5.1.4 | Minimize access to create Pods. | Level 1 - Master Node | Pass |
| 5.1.5 | Ensure that default service accounts are not actively used. | Level 1 - Master Node | Pass. MKE installations are compliant starting with MKE 3.7.1. For customers upgrading from previous MKE versions, Mirantis offers a script that can be used to determine which service accounts are in violation and that offers an option for patching such accounts. |
| 5.1.6 | Ensure that Service Account Tokens are only mounted where necessary. | Level 1 - Master Node | Fail. MKE system service accounts set automount to false at the service account level and override the automount flag on the system Pods that require it. To have core MKE functionality, the following Pods must mount their respective service account tokens: calico-kube-controllers, calico-node, coredns, ucp-metrics, ucp-node-feature-discovery. |
| 5.1.7 | Avoid use of system:masters group. | Level 1 - Master Node | Pass |
| 5.1.8 | Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster. | Level 1 - Master Node | Pass |
| 5.1.9 | Minimize access to create persistent volumes. | Level 1 - Master Node | Pass |
| 5.1.10 | Minimize access to the proxy sub-resource of nodes. | Level 1 - Master Node | Pass |
| 5.1.11 | Minimize access to the approval sub-resource of certificatesigningrequests objects. | Level 1 - Master Node | Pass |
| 5.1.12 | Minimize access to webhook configuration objects. | Level 1 - Master Node | Pass |
| 5.1.13 | Minimize access to the service account token creation. | Level 1 - Master Node | Pass |
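The 5.1.6 note describes the pattern MKE uses: automount is switched off on the ServiceAccount and switched back on only in the Pod specs that need a token. Kubernetes resolves the effective setting in that order, Pod spec first, then the ServiceAccount, then a default of true, which is why an audit has to look at both objects. The Python below is an added example, not MKE's code, that applies that resolution to a set of Pods and ServiceAccounts and lists which Pods end up with a token mounted. The objects are constructed samples shaped like the resources' JSON; the Pod names echo two of the Pods the table lists as needing a token, but the specs themselves are assumed rather than taken from MKE manifests.

```python
"""Work out which Pods actually get a service account token mounted (CIS 5.1.6).

Added example, not MKE code. SERVICE_ACCOUNTS and PODS are constructed samples.
"""


def effective_automount(pod: dict, service_accounts: dict) -> bool:
    """Resolve automountServiceAccountToken for one Pod.

    Precedence, as Kubernetes applies it: pod.spec setting if present, else the
    ServiceAccount's setting if present, else true.
    service_accounts maps "namespace/name" -> ServiceAccount object; a Pod
    that names no serviceAccountName uses the namespace's "default" account.
    """
    spec = pod.get("spec", {})
    if "automountServiceAccountToken" in spec:          # Pod-level override wins
        return bool(spec["automountServiceAccountToken"])
    ns = pod.get("metadata", {}).get("namespace", "default")
    sa_name = spec.get("serviceAccountName", "default")
    account = service_accounts.get(f"{ns}/{sa_name}", {})
    if "automountServiceAccountToken" in account:       # then the SA-level setting
        return bool(account["automountServiceAccountToken"])
    return True                                         # Kubernetes default


def pods_with_token(pods: list, service_accounts: dict) -> list:
    """Sorted "namespace/name" of every Pod that ends up with a token mounted."""
    return sorted(
        f"{p['metadata']['namespace']}/{p['metadata']['name']}"
        for p in pods
        if effective_automount(p, service_accounts)
    )


def sa(ns: str, name: str, automount=None) -> dict:
    """Build a minimal ServiceAccount object (constructed sample helper)."""
    obj = {"metadata": {"namespace": ns, "name": name}}
    if automount is not None:
        obj["automountServiceAccountToken"] = automount
    return obj


def pod(ns: str, name: str, sa_name=None, automount=None) -> dict:
    """Build a minimal Pod object (constructed sample helper)."""
    spec = {}
    if sa_name:
        spec["serviceAccountName"] = sa_name
    if automount is not None:
        spec["automountServiceAccountToken"] = automount
    return {"metadata": {"namespace": ns, "name": name}, "spec": spec}


# Constructed sample: system accounts default to automount=false (the pattern
# the 5.1.6 note describes) and only the Pods that need a token opt back in.
SERVICE_ACCOUNTS = {
    "kube-system/calico-node": sa("kube-system", "calico-node", False),
    "kube-system/coredns": sa("kube-system", "coredns", False),
    "kube-system/default": sa("kube-system", "default", False),
    "app/default": sa("app", "default"),                  # no setting: defaults to true
}
PODS = [
    pod("kube-system", "calico-node-abc12", "calico-node", automount=True),  # opts in
    pod("kube-system", "coredns-7d9f4", "coredns", automount=True),          # opts in
    pod("kube-system", "metrics-helper", "calico-node"),   # inherits SA-level false
    pod("kube-system", "misc-job"),                        # default SA, false
    pod("app", "web-1"),                                   # default SA, no setting: true
    pod("app", "batch-1", automount=False),                # explicit Pod-level opt-out
]


if __name__ == "__main__":
    for name in pods_with_token(PODS, SERVICE_ACCOUNTS):
        print("token mounted:", name)
```

The user-namespace Pod `app/web-1` shows the case the control is really about: nothing in its spec or its ServiceAccount mentions automount, so it silently receives a token.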

5.2 Pod Security Standards

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 5.2.1 | Ensure that the cluster has at least one active policy control mechanism in place. | Level 1 - Master Node | Pass |
| 5.2.2 | Minimize the admission of privileged containers. | Level 1 - Master Node | Pass |
| 5.2.3 | Minimize the admission of containers wishing to share the host process ID namespace. | Level 1 - Master Node | Pass |
| 5.2.4 | Minimize the admission of containers wishing to share the host IPC namespace. | Level 1 - Master Node | Pass |
| 5.2.5 | Minimize the admission of containers wishing to share the host network namespace. | Level 1 - Master Node | Pass |
| 5.2.6 | Minimize the admission of containers with allowPrivilegeEscalation. | Level 1 - Master Node | Pass |
| 5.2.7 | Minimize the admission of root containers. | Level 2 - Master Node | Pass |
| 5.2.8 | Minimize the admission of containers with the NET_RAW capability. | Level 1 - Master Node | Pass. MKE control plane containers no longer use NET_RAW; however, policies must be added to restrict the NET_RAW capability for user workloads. |
| 5.2.9 | Minimize the admission of containers with added capabilities. | Level 1 - Master Node | Pass |
| 5.2.10 | Minimize the admission of containers with capabilities assigned. | Level 2 - Master Node | Pass |
| 5.2.11 | Minimize the admission of Windows HostProcess Containers. | Level 1 - Master Node | Pass |
| 5.2.12 | Minimize the admission of HostPath volumes. | Level 1 - Master Node | Pass |
| 5.2.13 | Minimize the admission of containers which use HostPorts. | Level 1 - Master Node | Pass |

5.3 Pod Network Policies and CNI

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 5.3.1 | Ensure that the CNI in use supports Network Policies. | Level 1 - Master Node | Pass |
| 5.3.2 | Ensure that all Namespaces have Network Policies defined. | Level 2 - Master Node | Pass |

5.4 Secrets Management

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 5.4.1 | Prefer using secrets as files over secrets as environment variables. | Level 2 - Master Node | Pass |
| 5.4.2 | Consider external secret storage. | Level 2 - Master Node | Pass |

5.5 Secrets Management

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 5.5.1 | Configure Image Provenance using ImagePolicyWebhook admission controller. | Level 2 - Master Node | Pass |

5.7 General Policies

| Recommendation designation | Recommendation | Level | Result |
|---|---|---|---|
| 5.7.1 | Create administrative boundaries between resources using namespaces. | Level 1 - Master Node | Pass |
| 5.7.2 | Ensure that the seccomp profile is set to docker/default in your Pod definitions. | Level 2 - Master Node | Pass |
| 5.7.3 | Apply Security Context to Your Pods and Containers. | Level 2 - Master Node | Pass |
| 5.7.4 | The default namespace should not be used. | Level 2 - Master Node | Pass |