# 1. Control plane security configuration

## 1.1 Control plane node configuration files
| CIS ID | Recommendation | Resolution | Comments |
|---|---|---|---|
| 1.1.1 | Ensure that the API server pod specification file permissions are set to 600 or more restrictive. | False Positive | In k0s, the API server launches as a process and not through a static pod manifest. Thus, there is no pod specification file to validate permissions against. |
| 1.1.2 | Ensure that the API server pod specification file ownership is set to root:root. | False Positive | In k0s, the API server launches as a process and not through a static pod manifest. Thus, there is no pod specification file to validate ownership against. |
| 1.1.3 | Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive. | False Positive | In k0s, the controller-manager launches as a process and not as a static pod. Thus, there is no pod specification file to permission-check. |
| 1.1.4 | Ensure that the controller manager pod specification file ownership is set to root:root. | False Positive | In k0s, the controller-manager launches as a process and not as a static pod. Thus, there is no pod specification file to ownership-check. |
| 1.1.5 | Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive. | False Positive | In k0s, the kube-scheduler runs directly as a process using /var/lib/k0s/pki/scheduler.conf and not from a static pod manifest. |
| 1.1.6 | Ensure that the scheduler pod specification file ownership is set to root:root. | False Positive | In k0s, the kube-scheduler runs directly as a process using /var/lib/k0s/pki/scheduler.conf and not from a static pod manifest. |
| 1.1.7 | Ensure that the etcd pod specification file permissions are set to 600 or more restrictive. | False Positive | In k0s, etcd runs as a process and not through a static pod manifest. Thus, no pod specification file exists to permission-check. |
| 1.1.8 | Ensure that the etcd pod specification file ownership is set to root:root. | False Positive | In k0s, etcd runs as a process and not through a static pod manifest. Thus, no pod specification file exists to ownership-check. |
| 1.1.9 | Ensure that the Container Network Interface file permissions are set to 600 or more restrictive. | False Positive | The permissions of the CNI files in the MKE 4k cluster are set as desired. `sudo ls -l /etc/cni/net.d/` shows: `total 8`, `-rw------- 1 root root 713 Oct 15 17:18 10-calico.conflist`, `-rw------- 1 root root 2760 Oct 15 17:18 calico-kubeconfig`. |
| 1.1.10 | Ensure that the Container Network Interface file ownership is set to root:root. | False Positive | The CNI files in the MKE 4k cluster are owned by root:root as desired. `sudo ls -l /etc/cni/net.d/` shows: `total 8`, `-rw------- 1 root root 713 Oct 15 17:18 10-calico.conflist`, `-rw------- 1 root root 2760 Oct 15 17:18 calico-kubeconfig`. |
| 1.1.11 | Ensure that the etcd data directory permissions are set to 700 or more restrictive. | False Positive | Permissions for the etcd data directory (--data-dir=/var/lib/k0s/etcd) are set to 700. |
| 1.1.12 | Ensure that the etcd data directory ownership is set to etcd:etcd. | False Positive | The etcd data directory ownership is set to etcd:root instead of the etcd:etcd expected by control ID 1.1.12. This is a deviation from CIS. In k0s, however, this is intentional design, as the components run as dedicated Linux users instead of root, and their files are owned accordingly. |
| 1.1.13 | Ensure that the default administrative credential file permissions are set to 600. | Pass | NA |
| 1.1.14 | Ensure that the default administrative credential file ownership is set to root:root. | False Positive | In k0s, there is no admin.conf under /etc/kubernetes. Instead, k0s generates the admin credentials at /var/lib/k0s/pki/admin.conf. That file is owned by root:root, as the CIS control requires. |
| 1.1.15 | Ensure that the scheduler.conf file permissions are set to 600 or more restrictive. | Pass | NA |
| 1.1.16 | Ensure that the scheduler.conf file ownership is set to root:root. | False Positive | The /var/lib/k0s/pki/scheduler.conf file ownership is set to kube-scheduler:root, which is less strict than the root:root the CIS control requires. In k0s, this appears to be by design, as control-plane components run as dedicated Linux users (rather than root) and their config files are owned by those users. |
| 1.1.17 | Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive. | Pass | NA |
| 1.1.18 | Ensure that the controller-manager.conf file ownership is set to root:root. | False Positive | k0s uses /var/lib/k0s/pki/ccm.conf. Its ownership is set to kube-apiserver:root, which is less strict than the root:root the CIS control requires. In k0s, however, this is by design, as the components run as dedicated Linux users instead of root, and their files are owned accordingly. |
| 1.1.19 | Ensure that the Kubernetes PKI directory and file ownership is set to root:root. | False Positive | k0s uses /var/lib/k0s/pki/ccm.conf. Its ownership is set to kube-apiserver:root, which is less strict than the root:root the CIS control requires. In k0s, however, this is by design: k0s runs control-plane components as dedicated Linux users instead of root, and the kube-controller-manager process runs under the kube-apiserver Linux user, so config files are owned by the respective component user. |
| 1.1.20 | Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive. | False Positive | In an MKE 4k cluster, all PKI certificate files are set to 644 or more restrictive, which meets the control requirement. |
| 1.1.21 | Ensure that the Kubernetes PKI key file permissions are set to 600. | Warn | NA |
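Because several 1.1.x findings above are "False Positive" only because the scanner does not know the k0s file layout and its per-component Linux users, a local check that encodes the k0s-specific expectations is useful when re-validating a node. The following is an added example written for this page; it is not part of the MKE 4k or k0s tooling. It treats a file mode as acceptable when it grants no bit beyond the CIS ceiling (600 for config files, 700 for the etcd data directory), reports the k0s ownership documented above (kube-scheduler:root, kube-apiserver:root, etcd:root) as a DEVIATION rather than a FAIL, and flags anything else. The stat-style input lines are constructed for the example; on a real node `collect_stat_lines()` produces them from `os.stat()`.

```python
"""Audit k0s control-plane file modes and ownership against CIS 1.1.x.

Added example, not part of MKE 4k or k0s. Expected values come from the
findings table above; the sample input below is constructed.
"""
import grp
import os
import pwd
import stat

# path -> (most permissive acceptable mode, CIS-required owner, k0s documented owner)
EXPECTED = {
    "/var/lib/k0s/pki/admin.conf": (0o600, "root:root", "root:root"),
    "/var/lib/k0s/pki/scheduler.conf": (0o600, "root:root", "kube-scheduler:root"),
    "/var/lib/k0s/pki/ccm.conf": (0o600, "root:root", "kube-apiserver:root"),
    "/var/lib/k0s/etcd": (0o700, "etcd:etcd", "etcd:root"),
    "/etc/cni/net.d/10-calico.conflist": (0o600, "root:root", "root:root"),
    "/etc/cni/net.d/calico-kubeconfig": (0o600, "root:root", "root:root"),
}

# Constructed sample in `stat -c '%a %U:%G %n'` format; two lines are
# deliberately wrong (ccm.conf is 644, calico-kubeconfig is owned by nobody).
SAMPLE_STAT_LINES = [
    "600 root:root /var/lib/k0s/pki/admin.conf",
    "600 kube-scheduler:root /var/lib/k0s/pki/scheduler.conf",
    "644 kube-apiserver:root /var/lib/k0s/pki/ccm.conf",
    "700 etcd:root /var/lib/k0s/etcd",
    "600 root:root /etc/cni/net.d/10-calico.conflist",
    "600 nobody:root /etc/cni/net.d/calico-kubeconfig",
]


def mode_is_restrictive_enough(actual: int, ceiling: int) -> bool:
    """True when 'actual' grants no permission bit that 'ceiling' does not.

    "600 or more restrictive" therefore accepts 600, 400 and 0, but not 640 or 644.
    """
    return (actual & ~ceiling) == 0


def parse_stat_line(line: str):
    """Split '<octal mode> <user>:<group> <path>' into (path, mode_int, owner)."""
    mode_str, owner, path = line.split(maxsplit=2)
    return path, int(mode_str, 8), owner


def collect_stat_lines(paths):
    """Build stat-style lines for existing paths on a live node (Linux only)."""
    lines = []
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        owner = f"{pwd.getpwuid(st.st_uid).pw_name}:{grp.getgrgid(st.st_gid).gr_name}"
        lines.append(f"{stat.S_IMODE(st.st_mode):o} {owner} {path}")
    return lines


def audit(stat_lines):
    """Return (path, status, detail) per known path: PASS, DEVIATION or FAIL."""
    findings = []
    for line in stat_lines:
        path, mode, owner = parse_stat_line(line)
        if path not in EXPECTED:
            continue
        ceiling, cis_owner, k0s_owner = EXPECTED[path]
        if not mode_is_restrictive_enough(mode, ceiling):
            findings.append((path, "FAIL", f"mode {mode:o} exceeds {ceiling:o}"))
        elif owner == cis_owner:
            findings.append((path, "PASS", f"owner {owner}"))
        elif owner == k0s_owner:
            findings.append((path, "DEVIATION", f"owner {owner} is the documented k0s default, CIS expects {cis_owner}"))
        else:
            findings.append((path, "FAIL", f"owner {owner}, expected {cis_owner} or {k0s_owner}"))
    return findings


if __name__ == "__main__":
    live = collect_stat_lines(EXPECTED)
    for path, status, detail in audit(live or SAMPLE_STAT_LINES):
        print(f"{status:9} {path}: {detail}")
```

Run as root on a controller node it audits the real paths; anywhere else it falls back to the constructed sample. The DEVIATION status is what lets you accept the k0s ownership model deliberately instead of silencing the CIS control, while still catching an unexpected owner or a loosened mode.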
## 1.2 API server
| CIS ID | Recommendation | Resolution | Comments |
|---|---|---|---|
| 1.2.1 | Ensure that the --anonymous-auth argument is set to false. | Pass | NA |
| 1.2.2 | Ensure that the --token-auth-file parameter is not set. | Pass | NA |
| 1.2.3 | Ensure that the --DenyServiceExternalIPs is set. | Warn | NA |
| 1.2.4 | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate. | Pass | NA |
| 1.2.5 | Ensure that the --kubelet-certificate-authority argument is set as appropriate. | Pass | NA |
| 1.2.6 | Ensure that the --authorization-mode argument is not set to AlwaysAllow. | Pass | NA |
| 1.2.7 | Ensure that the --authorization-mode argument includes Node. | Pass | NA |
| 1.2.8 | Ensure that the --authorization-mode argument includes RBAC. | Pass | NA |
| 1.2.9 | Ensure that the admission control plugin EventRateLimit is set. | Warn | NA |
| 1.2.10 | Ensure that the admission control plugin AlwaysAdmit is not set. | Pass | NA |
| 1.2.11 | Ensure that the admission control plugin AlwaysPullImages is set. | False Positive | k0s does not enable the AlwaysPullImages admission plugin by default, since it follows the upstream Kubernetes defaults, and the plugin is not enabled by default in Kubernetes either (see the upstream Admission Control in Kubernetes documentation). You can enable it in the mke4.yaml configuration file through the spec.apiServer.alwaysPullImages field. |
| 1.2.12 | Ensure that the admission control plugin ServiceAccount is set. | Pass | NA |
| 1.2.13 | Ensure that the admission control plugin NamespaceLifecycle is set. | Pass | NA |
| 1.2.14 | Ensure that the admission control plugin NodeRestriction is set. | Pass | NA |
| 1.2.15 | Ensure that the --profiling argument is set to false. | Pass | NA |
| 1.2.16 | Ensure that the --audit-log-path argument is set. | False Positive | By default, audit logging is disabled in an MKE 4k cluster. When enabled, this control passes, as --audit-log-path is set to /var/log/mke4/audit/audit.log. |
| 1.2.17 | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate. | False Positive | By default, audit logging is disabled in an MKE 4k cluster. When enabled, this control passes, as the --audit-log-maxage argument is set to 30. |
| 1.2.18 | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate. | False Positive | By default, audit logging is disabled in an MKE 4k cluster. When enabled, this control passes, as the --audit-log-maxbackup argument is set to 10 in kube-apiserver.conf. |
| 1.2.19 | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate. | False Positive | After audit logging is enabled, the control still fails, because the default value of --audit-log-maxsize is 10 while the control requires 100. The value is configurable in MKE 4k, however, through the apiServer.audit.maxSize field of the mke4.yaml configuration file. |
| 1.2.20 | Ensure that the --request-timeout argument is set as appropriate. | False Positive | k0s does not set the --request-timeout argument by default, as it follows the upstream Kubernetes defaults. You can set it in the mke4.yaml configuration file through the spec.apiServer.requestTimeout field. |
| 1.2.21 | Ensure that the --service-account-lookup argument is set to true. | Pass | NA |
| 1.2.22 | Ensure that the --service-account-key-file argument is set as appropriate. | Pass | NA |
| 1.2.23 | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate. | Pass | NA |
| 1.2.24 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate. | Pass | NA |
| 1.2.25 | Ensure that the --client-ca-file argument is set as appropriate. | Pass | NA |
| 1.2.26 | Ensure that the --etcd-cafile argument is set as appropriate. | Pass | NA |
| 1.2.27 | Ensure that the --encryption-provider-config argument is set as appropriate. | Pass | NA |
| 1.2.28 | Ensure that encryption providers are appropriately configured. | False Positive | In MKE 4k, at-rest encryption is enabled by default, and cluster secrets are protected with a static secret through the AES-CBC encryption provider. |
| 1.2.29 | Ensure that the API Server only makes use of Strong Cryptographic Ciphers. | Pass | NA |
| 1.2.30 | Ensure that the --service-account-extend-token-expiration parameter is set to false. | False Positive | CIS requires the --service-account-extend-token-expiration flag to be set to false. In k0s, this flag defaults to true, as we follow upstream Kubernetes defaults. Upstream has not standardized on a single "correct" default; some environments, such as AKS, request different behaviors. Changing this in k0s would therefore create divergence and potential compatibility issues, so k0s intentionally retains the upstream setting. Users who need stricter compliance can set the flag explicitly through the spec.apiServer.extraArgs field. |
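Most of the 1.2.x controls above reduce to inspecting the running kube-apiserver command line, and the "False Positive" rows explain which flags only appear once audit logging is enabled and which defaults (--audit-log-maxsize=10, --service-account-extend-token-expiration=true) still fail the benchmark. The following added example, written for this page and not part of MKE 4k, k0s or kube-bench, parses an argv into a flag map and evaluates the subset of 1.2.x checks whose pass conditions are stated in the table. The sample command line is constructed to match the defaults described above with audit logging enabled; the --encryption-provider-config path in it is a placeholder. `read_apiserver_cmdline()` finds the live process via /proc on a controller node.

```python
"""Evaluate CIS 1.2.x kube-apiserver flag checks from the process argv.

Added example, not MKE 4k or k0s code. SAMPLE_CMDLINE is constructed to
mirror the defaults described in the findings table (audit enabled).
"""
import os
import shlex

# Constructed argv: audit logging enabled with the MKE 4k values from the table,
# AlwaysPullImages left off (upstream default), extend-token-expiration=true
# (upstream default), placeholder path for the encryption provider config.
SAMPLE_CMDLINE = (
    "kube-apiserver --anonymous-auth=false --authorization-mode=Node,RBAC "
    "--enable-admission-plugins=NodeRestriction,ServiceAccount,NamespaceLifecycle "
    "--profiling=false --audit-log-path=/var/log/mke4/audit/audit.log "
    "--audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=10 "
    "--service-account-lookup=true "
    "--encryption-provider-config=/PLACEHOLDER/encryption-config.yaml "
    "--service-account-extend-token-expiration=true"
)


def parse_flags(cmdline: str) -> dict:
    """Map '--flag=value', '--flag value' and bare '--flag' to {flag: value}.

    A repeated flag keeps its last value, which is also what kube-apiserver does.
    """
    tokens = shlex.split(cmdline)
    flags = {}
    i = 1  # skip argv[0]
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            if "=" in tok:
                key, value = tok.split("=", 1)
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                key, value = tok, tokens[i + 1]
                i += 1
            else:
                key, value = tok, ""
            flags[key] = value
        i += 1
    return flags


def _csv(flags: dict, key: str) -> set:
    return set(filter(None, flags.get(key, "").split(",")))


def _int(flags: dict, key: str) -> int:
    return int(flags.get(key) or "0")


def evaluate(flags: dict) -> dict:
    """Return {cis_id: 'PASS' | 'FAIL'} for the checks the table defines.

    Defaults used when a flag is absent follow upstream kube-apiserver:
    --authorization-mode defaults to AlwaysAllow, --service-account-lookup to
    true, --anonymous-auth and --profiling to true (so absence fails 1.2.1/1.2.15).
    Only explicitly enabled admission plugins are considered.
    """
    modes = _csv(flags, "--authorization-mode") or {"AlwaysAllow"}
    plugins = _csv(flags, "--enable-admission-plugins") - _csv(flags, "--disable-admission-plugins")
    checks = {
        "1.2.1": flags.get("--anonymous-auth") == "false",
        "1.2.2": "--token-auth-file" not in flags,
        "1.2.6": "AlwaysAllow" not in modes,
        "1.2.7": "Node" in modes,
        "1.2.8": "RBAC" in modes,
        "1.2.10": "AlwaysAdmit" not in plugins,
        "1.2.11": "AlwaysPullImages" in plugins,
        "1.2.14": "NodeRestriction" in plugins,
        "1.2.15": flags.get("--profiling") == "false",
        "1.2.16": bool(flags.get("--audit-log-path")),
        "1.2.17": _int(flags, "--audit-log-maxage") >= 30,
        "1.2.18": _int(flags, "--audit-log-maxbackup") >= 10,
        "1.2.19": _int(flags, "--audit-log-maxsize") >= 100,
        "1.2.21": flags.get("--service-account-lookup", "true") == "true",
        "1.2.27": bool(flags.get("--encryption-provider-config")),
        "1.2.30": flags.get("--service-account-extend-token-expiration") == "false",
    }
    return {cid: "PASS" if ok else "FAIL" for cid, ok in checks.items()}


def read_apiserver_cmdline():
    """Return the argv of the running kube-apiserver from /proc, or None (Linux only)."""
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
        except OSError:
            continue
        if argv and os.path.basename(argv[0]) == "kube-apiserver":
            return shlex.join(argv)
    return None


if __name__ == "__main__":
    cmdline = read_apiserver_cmdline() or SAMPLE_CMDLINE
    for cid, status in sorted(evaluate(parse_flags(cmdline)).items()):
        print(f"{cid:7} {status}")
```

On the constructed sample the three failures are exactly the ones the table predicts: 1.2.11 (AlwaysPullImages not enabled), 1.2.19 (maxsize 10, not 100) and 1.2.30 (token expiration extension left at the upstream default). Reading argv from /proc rather than a manifest is the right approach for k0s, since, as section 1.1 notes, there are no static pod specification files to parse.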
## 1.3 Controller manager
| CIS ID | Recommendation | Resolution | Comments |
|---|---|---|---|
| 1.3.1 | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate. | Pass | NA |
| 1.3.2 | Ensure that the --profiling argument is set to false. | Pass | NA |
| 1.3.3 | Ensure that the --use-service-account-credentials argument is set to true. | Pass | NA |
| 1.3.4 | Ensure that the --service-account-private-key-file argument is set as appropriate. | Pass | NA |
| 1.3.5 | Ensure that the --root-ca-file argument is set as appropriate. | Pass | NA |
| 1.3.6 | Ensure that the RotateKubeletServerCertificate argument is set to true. | Pass | NA |
| 1.3.7 | Ensure that the --bind-address argument is set to 127.0.0.1. | Pass | NA |
## 1.4 Scheduler
| CIS ID | Recommendation | Resolution | Comments |
|---|---|---|---|
| 1.4.1 | Ensure that the --profiling argument is set to false. | Pass | NA |
| 1.4.2 | Ensure that the --bind-address argument is set to 127.0.0.1. | Pass | NA |