-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add YAML to Markdown conversion script and generated Markdown files (#…
…497)
- Loading branch information
1 parent
215ee0e
commit 7834a39
Showing
10 changed files
with
3,110 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| ## Control Plane Configuration | ||
|
|
||
| ### Authentication and Authorization | ||
|
|
||
| #### Control 3.1.1 | ||
|
|
||
| Description: Client certificate authentication should not be used for users | ||
| (Manual) | ||
|
|
||
| Remediation: | ||
|
|
||
| Alternative mechanisms provided by Kubernetes such as the use of | ||
| OIDC should be | ||
| implemented in place of client certificates. | ||
|
|
||
| ### Logging | ||
|
|
||
| #### Control 3.2.1 | ||
|
|
||
| Description: Ensure that a minimal audit policy is created (Manual) | ||
|
|
||
| Audit: | ||
|
|
||
| ``` | ||
| /bin/ps -ef | grep kube-apiserver | grep -v grep | ||
| ``` | ||
|
|
||
| Expected output: | ||
|
|
||
| ``` | ||
| --audit-policy-file=/var/snap/k8s/common/etc/audit-policy.yaml | ||
| ``` | ||
|
|
||
| Remediation: | ||
|
|
||
| Create an audit policy file for your cluster. | ||
|
|
||
| #### Control 3.2.2 | ||
|
|
||
| Description: Ensure that the audit policy covers key security concerns | ||
| (Manual) | ||
|
|
||
| Remediation: | ||
|
|
||
| Review the audit policy provided for the cluster and ensure that | ||
| it covers | ||
| at least the following areas, | ||
| - Access to Secrets managed by the cluster. Care should be taken | ||
| to only | ||
| log Metadata for requests to Secrets, ConfigMaps, and | ||
| TokenReviews, in | ||
| order to avoid risk of logging sensitive data. | ||
| - Modification of Pod and Deployment objects. | ||
| - Use of `pods/exec`, `pods/portforward`, `pods/proxy` and | ||
| `services/proxy`. | ||
| For most requests, minimally logging at the Metadata level is | ||
| recommended | ||
| (the most basic level of logging). | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,188 @@ | ||
| ## Etcd Node Configuration | ||
|
|
||
| ### Etcd Node Configuration | ||
|
|
||
| #### Control 2.1 | ||
|
|
||
| Description: Ensure that the ETCD_CERT_FILE and ETCD_KEY_FILE environment | ||
| variables are set as appropriate (Automated) | ||
|
|
||
| Audit: | ||
|
|
||
| ``` | ||
| cat /proc/$(pidof /usr/bin/etcd)/environ | ||
| ``` | ||
|
|
||
| Expected output: | ||
|
|
||
| ``` | ||
| ETCD_CERT_FILE and ETCD_KEY_FILE are set | ||
| ``` | ||
|
|
||
| Remediation: | ||
|
|
||
| Follow the etcd service documentation and configure TLS | ||
| encryption. | ||
| Then, edit the etcd daemon configuration file /etc/default/etcd | ||
| on the master node and set the following variables. | ||
|
|
||
| ``` | ||
| ETCD_CERT_FILE=</path/to/ca-file> | ||
| ETCD_KEY_FILE=</path/to/key-file> | ||
| ``` | ||
|
|
||
| #### Control 2.2 | ||
|
|
||
| Description: Ensure that the ETCD_CLIENT_CERT_AUTH variable is set to true | ||
| (Automated) | ||
|
|
||
| Audit: | ||
|
|
||
| ``` | ||
| cat /proc/$(pidof /usr/bin/etcd)/environ | ||
| ``` | ||
|
|
||
| Expected output: | ||
|
|
||
| ``` | ||
| ETCD_CLIENT_CERT_AUTH is set to true | ||
| ``` | ||
|
|
||
| Remediation: | ||
|
|
||
| Edit the etcd daemon configuration file /etc/default/etcd on the master | ||
| node and set the following variable. | ||
|
|
||
| `ETCD_CLIENT_CERT_AUTH=true` | ||
|
|
||
| #### Control 2.3 | ||
|
|
||
| Description: Ensure that the ETCD_AUTO_TLS argument is not set to true | ||
| (Automated) | ||
|
|
||
| Audit: | ||
|
|
||
| ``` | ||
| cat /proc/$(pidof /usr/bin/etcd)/environ | ||
| ``` | ||
|
|
||
| Expected output: | ||
|
|
||
| ``` | ||
| ETCD_AUTO_TLS is not set | ||
| ``` | ||
|
|
||
| Remediation: | ||
|
|
||
| Edit the etcd daemon configuration file /etc/default/etcd on the master | ||
| node and either remove the ETCD_AUTO_TLS variable or set it to | ||
| false. | ||
|
|
||
| `ETCD_AUTO_TLS=false` | ||
|
|
||
| #### Control 2.4 | ||
|
|
||
| Description: Ensure that the ETCD_PEER_CERT_FILE and ETCD_PEER_KEY_FILE | ||
| variables are set as appropriate (Automated) | ||
|
|
||
| Audit: | ||
|
|
||
| ``` | ||
| cat /proc/$(pidof /usr/bin/etcd)/environ | ||
| ``` | ||
|
|
||
| Expected output: | ||
|
|
||
| ``` | ||
| ETCD_PEER_CERT_FILE and ETCD_PEER_KEY_FILE are set | ||
| ``` | ||
|
|
||
| Remediation: | ||
|
|
||
| Follow the etcd service documentation and configure peer TLS | ||
| encryption as appropriate | ||
| for your etcd cluster. | ||
| Then, edit the etcd daemon configuration file /etc/default/etcd on the | ||
| master node and set the following variables. | ||
|
|
||
| ``` | ||
| ETCD_PEER_CERT_FILE=</path/to/peer-cert-file> | ||
| ETCD_PEER_KEY_FILE=</path/to/peer-key-file> | ||
| ``` | ||
|
|
||
| #### Control 2.5 | ||
|
|
||
| Description: Ensure that the ETCD_PEER_CLIENT_CERT_AUTH variable is set to | ||
| true (Automated) | ||
|
|
||
| Audit: | ||
|
|
||
| ``` | ||
| cat /proc/$(pidof /usr/bin/etcd)/environ | ||
| ``` | ||
|
|
||
| Expected output: | ||
|
|
||
| ``` | ||
| ETCD_PEER_CLIENT_CERT_AUTH is set to true | ||
| ``` | ||
|
|
||
| Remediation: | ||
|
|
||
| Edit the etcd daemon configuration file /etc/default/etcd on the master | ||
| node and set the following argument. | ||
|
|
||
| `ETCD_PEER_CLIENT_CERT_AUTH=true` | ||
|
|
||
| #### Control 2.6 | ||
|
|
||
| Description: Ensure that the ETCD_PEER_AUTO_TLS argument is not set to true | ||
| (Automated) | ||
|
|
||
| Audit: | ||
|
|
||
| ``` | ||
| cat /proc/$(pidof /usr/bin/etcd)/environ | ||
| ``` | ||
|
|
||
| Expected output: | ||
|
|
||
| ``` | ||
| ETCD_PEER_AUTO_TLS is not set | ||
| ``` | ||
|
|
||
| Remediation: | ||
|
|
||
| Edit the etcd daemon configuration file /etc/default/etcd on the master | ||
| node and either remove the ETCD_PEER_AUTO_TLS parameter or set | ||
| it to false. | ||
|
|
||
| `ETCD_PEER_AUTO_TLS=false` | ||
|
|
||
| #### Control 2.7 | ||
|
|
||
| Description: Ensure that a unique Certificate Authority is used for etcd | ||
| (Manual) | ||
|
|
||
| Audit: | ||
|
|
||
| ``` | ||
| cat /proc/$(pidof /usr/bin/etcd)/environ | ||
| ``` | ||
|
|
||
| Expected output: | ||
|
|
||
| ``` | ||
| ETCD_TRUSTED_CA_FILE is set | ||
| ``` | ||
|
|
||
| Remediation: | ||
|
|
||
| Follow the etcd documentation and create a dedicated certificate | ||
| authority setup for the | ||
| etcd service. | ||
| Then, edit the etcd daemon configuration file /etc/default/etcd on the | ||
| master node and set the following argument. | ||
|
|
||
| `ETCD_TRUSTED_CA_FILE=</path/to/ca-file>` | ||
|
|
Oops, something went wrong.