CIS Kubernetes Benchmark 1.5 Configuration File Paths
This table lists, for every audit in the CIS Kubernetes Benchmark version 1.5 that is performed on self-hosted Kubernetes clusters, the command the audit runs and all candidate configuration file paths (or, for process-based checks, process names) that the audit considers. The `$…` variables in the commands (`$apiserverconf`, `$etcdbin`, `$kubeletbin` and so on) are placeholders that are substituted with whichever of the listed candidates is found on the host; for file checks the `if test -e …` guard means the `stat` command only runs when the resolved file actually exists, and for process checks the listed names are the strings matched against `ps` output.
| ID | Audit Description | Audit Command | Possible Configuration File Paths or Process Names |
|---|---|---|---|
| 1.1.1 | Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored) | `/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'` | /etc/kubernetes/manifests/kube-apiserver.yaml /etc/kubernetes/manifests/kube-apiserver.yml /etc/kubernetes/manifests/kube-apiserver.manifest /var/snap/kube-apiserver/current/args /var/snap/microk8s/current/args/kube-apiserver /etc/origin/master/master-config.yaml |
| 1.1.2 | Ensure that the API server pod specification file ownership is set to root:root (Scored) | `/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'` | /etc/kubernetes/manifests/kube-apiserver.yaml /etc/kubernetes/manifests/kube-apiserver.yml /etc/kubernetes/manifests/kube-apiserver.manifest /var/snap/kube-apiserver/current/args /var/snap/microk8s/current/args/kube-apiserver /etc/origin/master/master-config.yaml |
| 1.1.3 | Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored) | `/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'` | /etc/kubernetes/manifests/kube-controller-manager.yaml /etc/kubernetes/manifests/kube-controller-manager.yml /etc/kubernetes/manifests/kube-controller-manager.manifest /var/snap/kube-controller-manager/current/args /var/snap/microk8s/current/args/kube-controller-manager |
| 1.1.4 | Ensure that the controller manager pod specification file ownership is set to root:root (Scored) | `/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'` | /etc/kubernetes/manifests/kube-controller-manager.yaml /etc/kubernetes/manifests/kube-controller-manager.yml /etc/kubernetes/manifests/kube-controller-manager.manifest /var/snap/kube-controller-manager/current/args /var/snap/microk8s/current/args/kube-controller-manager |
| 1.1.5 | Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored) | `/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'` | /etc/kubernetes/manifests/kube-scheduler.yaml /etc/kubernetes/manifests/kube-scheduler.yml /etc/kubernetes/manifests/kube-scheduler.manifest /var/snap/kube-scheduler/current/args /var/snap/microk8s/current/args/kube-scheduler /etc/origin/master/scheduler.json |
| 1.1.6 | Ensure that the scheduler pod specification file ownership is set to root:root (Scored) | `/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'` | /etc/kubernetes/manifests/kube-scheduler.yaml /etc/kubernetes/manifests/kube-scheduler.yml /etc/kubernetes/manifests/kube-scheduler.manifest /var/snap/kube-scheduler/current/args /var/snap/microk8s/current/args/kube-scheduler /etc/origin/master/scheduler.json |
| 1.1.7 | Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Scored) | `/bin/sh -c 'if test -e $etcdconf; then stat -c permissions=%a $etcdconf; fi'` | /etc/kubernetes/manifests/etcd.yaml /etc/kubernetes/manifests/etcd.yml /etc/kubernetes/manifests/etcd.manifest /etc/etcd/etcd.conf /var/snap/etcd/common/etcd.conf.yml /var/snap/etcd/common/etcd.conf.yaml /var/snap/microk8s/current/args/etcd /usr/lib/systemd/system/etcd.service |
| 1.1.8 | Ensure that the etcd pod specification file ownership is set to root:root (Scored) | `/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'` | /etc/kubernetes/manifests/etcd.yaml /etc/kubernetes/manifests/etcd.yml /etc/kubernetes/manifests/etcd.manifest /etc/etcd/etcd.conf /var/snap/etcd/common/etcd.conf.yml /var/snap/etcd/common/etcd.conf.yaml /var/snap/microk8s/current/args/etcd /usr/lib/systemd/system/etcd.service |
| 1.1.11 | Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored) | `ps -ef \| grep $etcdbin \| grep -- --data-dir \| sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' \| xargs stat -c permissions=%a` | "etcd" "openshift start etcd" |
| 1.1.12 | Ensure that the etcd data directory ownership is set to etcd:etcd (Scored) | `ps -ef \| grep $etcdbin \| grep -- --data-dir \| sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' \| xargs stat -c %U:%G` | "etcd" "openshift start etcd" |
| 1.1.15 | Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Scored) | `/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c permissions=%a $schedulerkubeconfig; fi'` | /etc/kubernetes/scheduler.conf /var/lib/kube-scheduler/kubeconfig /var/lib/kube-scheduler/config.yaml |
| 1.1.16 | Ensure that the scheduler.conf file ownership is set to root:root (Scored) | `/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c %U:%G $schedulerkubeconfig; fi'` | /etc/kubernetes/scheduler.conf /var/lib/kube-scheduler/kubeconfig /var/lib/kube-scheduler/config.yaml |
| 1.1.17 | Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored) | `/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'` | /etc/kubernetes/controller-manager.conf /var/lib/kube-controller-manager/kubeconfig |
| 1.1.18 | Ensure that the controller-manager.conf file ownership is set to root:root (Scored) | `/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c %U:%G $controllermanagerkubeconfig; fi'` | /etc/kubernetes/controller-manager.conf /var/lib/kube-controller-manager/kubeconfig |
| 1.2.1 | Ensure that the --anonymous-auth argument is set to false (Not Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.2 | Ensure that the --basic-auth-file argument is not set (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.3 | Ensure that the --token-auth-file parameter is not set (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.4 | Ensure that the --kubelet-https argument is set to true (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.5 | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.6 | Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.7 | Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.8 | Ensure that the --authorization-mode argument includes Node (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.9 | Ensure that the --authorization-mode argument includes RBAC (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.10 | Ensure that the admission control plugin EventRateLimit is set (Not Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.11 | Ensure that the admission control plugin AlwaysAdmit is not set (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.12 | Ensure that the admission control plugin AlwaysPullImages is set (Not Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.13 | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Not Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.14 | Ensure that the admission control plugin ServiceAccount is set (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.15 | Ensure that the admission control plugin NamespaceLifecycle is set (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.16 | Ensure that the admission control plugin PodSecurityPolicy is set (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.17 | Ensure that the admission control plugin NodeRestriction is set (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.18 | Ensure that the --insecure-bind-address argument is not set (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.19 | Ensure that the --insecure-port argument is set to 0 (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.20 | Ensure that the --secure-port argument is not set to 0 (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.21 | Ensure that the --profiling argument is set to false (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.22 | Ensure that the --audit-log-path argument is set (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.23 | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.24 | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.25 | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.26 | Ensure that the --request-timeout argument is set as appropriate (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.27 | Ensure that the --service-account-lookup argument is set to true (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.28 | Ensure that the --service-account-key-file argument is set as appropriate (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.29 | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.30 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.31 | Ensure that the --client-ca-file argument is set as appropriate (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.32 | Ensure that the --etcd-cafile argument is set as appropriate (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.33 | Ensure that the --encryption-provider-config argument is set as appropriate (Not Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.34 | Ensure that encryption providers are appropriately configured (Not Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.2.35 | Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 1.3.1 | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored) | `/bin/ps -ef \| grep $controllermanagerbin \| grep -v grep` | "kube-controller-manager" "kube-controller" "hyperkube controller-manager" "hyperkube kube-controller-manager" "controller-manager" "openshift start master controllers" "hypershift openshift-controller-manager" |
| 1.3.2 | Ensure that the --profiling argument is set to false (Scored) | `/bin/ps -ef \| grep $controllermanagerbin \| grep -v grep` | "kube-controller-manager" "kube-controller" "hyperkube controller-manager" "hyperkube kube-controller-manager" "controller-manager" "openshift start master controllers" "hypershift openshift-controller-manager" |
| 1.3.3 | Ensure that the --use-service-account-credentials argument is set to true (Scored) | `/bin/ps -ef \| grep $controllermanagerbin \| grep -v grep` | "kube-controller-manager" "kube-controller" "hyperkube controller-manager" "hyperkube kube-controller-manager" "controller-manager" "openshift start master controllers" "hypershift openshift-controller-manager" |
| 1.3.4 | Ensure that the --service-account-private-key-file argument is set as appropriate (Scored) | `/bin/ps -ef \| grep $controllermanagerbin \| grep -v grep` | "kube-controller-manager" "kube-controller" "hyperkube controller-manager" "hyperkube kube-controller-manager" "controller-manager" "openshift start master controllers" "hypershift openshift-controller-manager" |
| 1.3.5 | Ensure that the --root-ca-file argument is set as appropriate (Scored) | `/bin/ps -ef \| grep $controllermanagerbin \| grep -v grep` | "kube-controller-manager" "kube-controller" "hyperkube controller-manager" "hyperkube kube-controller-manager" "controller-manager" "openshift start master controllers" "hypershift openshift-controller-manager" |
| 1.3.6 | Ensure that the RotateKubeletServerCertificate argument is set to true (Scored) | `/bin/ps -ef \| grep $controllermanagerbin \| grep -v grep` | "kube-controller-manager" "kube-controller" "hyperkube controller-manager" "hyperkube kube-controller-manager" "controller-manager" "openshift start master controllers" "hypershift openshift-controller-manager" |
| 1.3.7 | Ensure that the --bind-address argument is set to 127.0.0.1 (Scored) | `/bin/ps -ef \| grep $controllermanagerbin \| grep -v grep` | "kube-controller-manager" "kube-controller" "hyperkube controller-manager" "hyperkube kube-controller-manager" "controller-manager" "openshift start master controllers" "hypershift openshift-controller-manager" |
| 1.4.1 | Ensure that the --profiling argument is set to false (Scored) | `/bin/ps -ef \| grep $schedulerbin \| grep -v grep` | "kube-scheduler" "hyperkube scheduler" "hyperkube kube-scheduler" "scheduler" "openshift start master controllers" |
| 1.4.2 | Ensure that the --bind-address argument is set to 127.0.0.1 (Scored) | `/bin/ps -ef \| grep $schedulerbin \| grep -v grep` | "kube-scheduler" "hyperkube scheduler" "hyperkube kube-scheduler" "scheduler" "openshift start master controllers" |
| 2.1 | Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored) | `/bin/ps -ef \| /bin/grep $etcdbin \| /bin/grep -v grep` | "etcd" "openshift start etcd" |
| 2.2 | Ensure that the --client-cert-auth argument is set to true (Scored) | `/bin/ps -ef \| /bin/grep $etcdbin \| /bin/grep -v grep` | "etcd" "openshift start etcd" |
| 2.3 | Ensure that the --auto-tls argument is not set to true (Scored) | `/bin/ps -ef \| /bin/grep $etcdbin \| /bin/grep -v grep` | "etcd" "openshift start etcd" |
| 2.4 | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored) | `/bin/ps -ef \| /bin/grep $etcdbin \| /bin/grep -v grep` | "etcd" "openshift start etcd" |
| 2.5 | Ensure that the --peer-client-cert-auth argument is set to true (Scored) | `/bin/ps -ef \| /bin/grep $etcdbin \| /bin/grep -v grep` | "etcd" "openshift start etcd" |
| 2.6 | Ensure that the --peer-auto-tls argument is not set to true (Scored) | `/bin/ps -ef \| /bin/grep $etcdbin \| /bin/grep -v grep` | "etcd" "openshift start etcd" |
| 2.7 | Ensure that a unique Certificate Authority is used for etcd (Not Scored) | `/bin/ps -ef \| /bin/grep $etcdbin \| /bin/grep -v grep` | "etcd" "openshift start etcd" |
| 3.2.1 | Ensure that a minimal audit policy is created (Scored) | `/bin/ps -ef \| grep $apiserverbin \| grep -v grep` | "kube-apiserver" "hyperkube apiserver" "hyperkube kube-apiserver" "apiserver" "openshift start master api" "hypershift openshift-kube-apiserver" |
| 4.1.1 | Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored) | `/bin/sh -c 'if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'` | /etc/systemd/system/kubelet.service.d/10-kubeadm.conf /etc/systemd/system/kubelet.service /lib/systemd/system/kubelet.service /etc/systemd/system/snap.kubelet.daemon.service /etc/systemd/system/snap.microk8s.daemon-kubelet.service /etc/systemd/system/atomic-openshift-node.service /etc/systemd/system/origin-node.service |
| 4.1.2 | Ensure that the kubelet service file ownership is set to root:root (Scored) | `/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'` | /etc/systemd/system/kubelet.service.d/10-kubeadm.conf /etc/systemd/system/kubelet.service /lib/systemd/system/kubelet.service /etc/systemd/system/snap.kubelet.daemon.service /etc/systemd/system/snap.microk8s.daemon-kubelet.service /etc/systemd/system/atomic-openshift-node.service /etc/systemd/system/origin-node.service |
| 4.1.3 | Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored) | `/bin/sh -c 'if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'` | /etc/kubernetes/kubelet-kubeconfig /var/lib/kubelet/kubeconfig /var/snap/microk8s/current/credentials/proxy.config |
| 4.1.4 | Ensure that the proxy kubeconfig file ownership is set to root:root (Scored) | `/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'` | /etc/kubernetes/kubelet-kubeconfig /var/lib/kubelet/kubeconfig /var/snap/microk8s/current/credentials/proxy.config |
| 4.1.5 | Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored) | `/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'` | /etc/kubernetes/kubelet.conf /var/lib/kubelet/kubeconfig /etc/kubernetes/kubelet-kubeconfig /var/snap/microk8s/current/credentials/kubelet.config |
| 4.1.6 | Ensure that the kubelet.conf file ownership is set to root:root (Scored) | `/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'` | /etc/kubernetes/kubelet.conf /var/lib/kubelet/kubeconfig /etc/kubernetes/kubelet-kubeconfig /var/snap/microk8s/current/credentials/kubelet.config |
| 4.1.7 | Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored) | `CAFILE=$(ps -ef \| grep kubelet \| grep -v apiserver \| grep -- --client-ca-file= \| awk -F '--client-ca-file=' '{print $2}' \| awk '{print $1}'); if test -z $CAFILE; then CAFILE=$kubeletcafile; fi; if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi` | /etc/kubernetes/pki/ca.crt /etc/kubernetes/certs/ca.crt /etc/kubernetes/cert/ca.pem /var/snap/microk8s/current/certs/ca.crt |
| 4.1.8 | Ensure that the client certificate authorities file ownership is set to root:root (Scored) | `CAFILE=$(ps -ef \| grep kubelet \| grep -v apiserver \| grep -- --client-ca-file= \| awk -F '--client-ca-file=' '{print $2}' \| awk '{print $1}'); if test -z $CAFILE; then CAFILE=$kubeletcafile; fi; if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi` | /etc/kubernetes/pki/ca.crt /etc/kubernetes/certs/ca.crt /etc/kubernetes/cert/ca.pem /var/snap/microk8s/current/certs/ca.crt |
| 4.1.9 | Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored) | `/bin/sh -c 'if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'` | /var/lib/kubelet/config.yaml /var/lib/kubelet/config.yml /etc/kubernetes/kubelet/kubelet-config.json /home/kubernetes/kubelet-config.yaml /home/kubernetes/kubelet-config.yml /etc/default/kubeletconfig.json /etc/default/kubelet /var/lib/kubelet/kubeconfig /var/snap/kubelet/current/args /var/snap/microk8s/current/args/kubelet /etc/systemd/system/kubelet.service.d/10-kubeadm.conf /etc/systemd/system/kubelet.service /lib/systemd/system/kubelet.service /etc/systemd/system/snap.kubelet.daemon.service /etc/systemd/system/snap.microk8s.daemon-kubelet.service |
| 4.1.10 | Ensure that the kubelet configuration file ownership is set to root:root (Scored) | `/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'` | /var/lib/kubelet/config.yaml /var/lib/kubelet/config.yml /etc/kubernetes/kubelet/kubelet-config.json /home/kubernetes/kubelet-config.yaml /home/kubernetes/kubelet-config.yml /etc/default/kubeletconfig.json /etc/default/kubelet /var/lib/kubelet/kubeconfig /var/snap/kubelet/current/args /var/snap/microk8s/current/args/kubelet /etc/systemd/system/kubelet.service.d/10-kubeadm.conf /etc/systemd/system/kubelet.service /lib/systemd/system/kubelet.service /etc/systemd/system/snap.kubelet.daemon.service /etc/systemd/system/snap.microk8s.daemon-kubelet.service |
| 4.2.1 | Ensure that the anonymous-auth argument is set to false (Scored) | `/bin/ps -fC $kubeletbin` | "hyperkube kubelet" "kubelet" |
| 4.2.2 | Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored) | `/bin/ps -fC $kubeletbin` | "hyperkube kubelet" "kubelet" |
| 4.2.3 | Ensure that the --client-ca-file argument is set as appropriate (Scored) | `/bin/ps -fC $kubeletbin` | "hyperkube kubelet" "kubelet" |
| 4.2.4 | Ensure that the --read-only-port argument is set to 0 (Scored) | `/bin/ps -fC $kubeletbin` | "hyperkube kubelet" "kubelet" |
| 4.2.5 | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) | `/bin/ps -fC $kubeletbin` | "hyperkube kubelet" "kubelet" |
| 4.2.6 | Ensure that the --protect-kernel-defaults argument is set to true (Scored) | `/bin/ps -fC $kubeletbin` | "hyperkube kubelet" "kubelet" |
| 4.2.7 | Ensure that the --make-iptables-util-chains argument is set to true (Scored) | `/bin/ps -fC $kubeletbin` | "hyperkube kubelet" "kubelet" |
| 4.2.8 | Ensure that the --hostname-override argument is not set (Not Scored) | `/bin/ps -fC $kubeletbin` | "hyperkube kubelet" "kubelet" |
| 4.2.9 | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Not Scored) | `/bin/ps -fC $kubeletbin` | "hyperkube kubelet" "kubelet" |
| 4.2.10 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored) | `/bin/ps -fC $kubeletbin` | "hyperkube kubelet" "kubelet" |
| 4.2.11 | Ensure that the --rotate-certificates argument is not set to false (Scored) | `/bin/ps -fC $kubeletbin` | "hyperkube kubelet" "kubelet" |
| 4.2.12 | Ensure that the RotateKubeletServerCertificate argument is set to true (Scored) | `/bin/ps -fC $kubeletbin` | "hyperkube kubelet" "kubelet" |
| 4.2.13 | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored) | `/bin/ps -fC $kubeletbin` | "hyperkube kubelet" "kubelet" |
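The commands in the table only print the raw `stat` output or the process line; deciding pass or fail is left to the reader. The following POSIX shell helpers are an added example (not part of the benchmark or of any audit tool) showing how to evaluate the three kinds of check the table contains: resolve the first existing candidate path (what the `if test -e $…` guards rely on), test "644 or more restrictive" and "700 or more restrictive" as a permission-bit mask rather than a string compare, test `root:root` / `etcd:etcd` ownership, and pull a flag value such as `--data-dir` or `--authorization-mode` out of a process command line using the table's own `sed` expression. It assumes GNU or busybox `stat -c`, as the table's commands do; the function names and the command-line strings fed to them are illustrative.

```shell
#!/bin/sh
# Added example helpers for the CIS 1.5 file and flag audits; not benchmark code.
# Assumes GNU/busybox `stat -c` (the same assumption the table's commands make).

# Print the first candidate path that exists; return 1 if none does.
first_existing() {
  for p in "$@"; do
    if [ -e "$p" ]; then
      printf '%s\n' "$p"
      return 0
    fi
  done
  return 1
}

# Return 0 when FILE's mode is MAX "or more restrictive": no permission bit is
# set that MAX does not also set. A string compare against "644" would wrongly
# fail 640 or 600 and wrongly pass 1644 (sticky bit) or 4644 (setuid).
perms_at_most() {
  mode=$(stat -c %a "$1") || return 2
  max=$2
  # Left-pad both to four octal digits so the setuid/setgid/sticky digit
  # is compared too; each digit is a 3-bit field, so a decimal AND is exact.
  while [ ${#mode} -lt 4 ]; do mode=0$mode; done
  while [ ${#max} -lt 4 ]; do max=0$max; done
  i=1
  while [ $i -le 4 ]; do
    m=$(printf '%s' "$mode" | cut -c$i)
    x=$(printf '%s' "$max" | cut -c$i)
    [ $((m & ~x & 7)) -eq 0 ] || return 1
    i=$((i + 1))
  done
  return 0
}

# Return 0 when FILE is owned by USER:GROUP (root:root, etcd:etcd, ...).
owned_by() {
  [ "$(stat -c %U:%G "$1")" = "$2" ]
}

# Print the value of --FLAG from a process command line, accepting both
# `--flag=value` and `--flag value`, with the table's own sed expression.
# In practice feed it `ps -ef | grep etcd` output; here it takes a string.
flag_value() {
  printf '%s\n' "$1" | grep -- "--$2" | sed "s%.*$2[= ]\([^ ]*\).*%\1%"
}

# Return 0 when the comma-separated value of --FLAG contains ITEM exactly,
# so "RBAC" does not match "RBACx" and AlwaysAllow is caught anywhere in the list.
flag_has() {
  printf ',%s,' "$(flag_value "$1" "$2")" | grep -q ",$3,"
}

# Worked use of the helpers against the 1.1.11 / 1.1.12 style check:
# data_dir=$(flag_value "$(ps -ef | grep etcd | grep -v grep)" data-dir)
# perms_at_most "$data_dir" 700 && owned_by "$data_dir" etcd:etcd
```

Note that `first_existing` returns the first match in the order the candidates are given, so for audits such as 4.1.9 whose candidate list mixes the kubelet config file with its systemd unit files, pass the candidates in the order the table lists them.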