.. WARNING: Add no lines of text between the label immediately following .. and the title. .. _configuring-system-to-cis-benchmark-for-containers-standards-3df0c174ffe2: ========================================================== Configure System to CIS Benchmark for Containers Standards ========================================================== By default, |prod| complies with the |CIS| Benchmark for containers for most specifications. Some specifications outlined in the |CIS| Benchmark that are not met by default, |prod| can be configured to comply with these requirements. However, these configurations may affect system performance. The relevant |CIS| Benchmark specifications, along with the necessary |prod| configuration steps to achieve compliance, are detailed below. Before applying these configurations in a live deployment, carefully assess their performance implications in the context of your specific security and operational needs. CIS-1.2.11 Ensure that the admission control plugin AlwaysPullImages is set ``https://hub.armosec.io/docs/c-0123`` CIS-1.2.17 Ensure that the API Server ``--profiling`` argument is set to ``false`` ``https://hub.armosec.io/docs/c-0129`` CIS-1.2.19 Ensure that the API Server ``--audit-log-maxage`` argument is set to ``30`` or as appropriate ``https://hub.armosec.io/docs/c-0131`` CIS-3.2.1 Ensure that a minimal audit policy is created ``https://hub.armosec.io/docs/c-0160`` These |CIS| specifications are not applied by default in |prod| and require you to configure them if you want to comply to these |CIS| specifications. The configuration mentioned in the table below are example minimal configurations required for |CIS| specifications; you should configure them according to your actual needs. .. table:: :widths: auto +--------------------------+---------------------------+----------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------+ | Specification | Attribute | Semantic | Configuration | +==========================+===========================+========================================================================================================================================+==========================================================================+ | CIS- 1.2.11 | AlwaysPullImages | Forces the kubelet to always pull container images prior to starting containers, ensuring the latest image is used | --enable-admission-plugins=..., NodeRestriction,AlwaysPullImages | +--------------------------+---------------------------+----------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------+ | CIS- 1.2.17 | Profiling | Disabling profiling prevents exposure of sensitive performance data | --profiling=false | +--------------------------+---------------------------+----------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------+ | CIS- 1.2.19 | audit-log-maxage | Specifies the maximum number of days to retain old audit logs | --audit-log-maxage=30 | +--------------------------+---------------------------+----------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------+ | CIS- 3.2.1 | audit-policy-file | Defines minimal audit policy | --audit-policy-file= /etc/kubernetes/default-audit-policy.yaml | +--------------------------+---------------------------+----------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------+ An example of the |prod| commands used to configure these parameters is available in the script located at ``/usr/local/bin/apiserver_cis_compliance.sh``. For testing purposes only, this script can be executed from the active controller to configure the ``kube-apiserver`` in accordance with the |CIS| Benchmark specifications mentioned above. .. warning:: **Critical Warning:** - CIS-1.2.9 is not remediated. To adhere to this control point, it is required to configure ``enable-admission-plugins="EventRateLimit"``. But this configuration causes the API server to fail during startup due to a longstanding issue in Kubernetes. This is a known Kubernetes bug tracked (Kubernetes Issue #62861, https://github.com/kubernetes/kubernetes/issues/62861). Therefore, it is not recommended to configure this until this bug is resolved. **Minor Warning:** - CIS-1.2.12 is not applicable to the current version. To adhere to this control point, it is required to configure ``enable-admission-plugins= “SecurityContextDeny”``. But this POD security policy is valid for Kubernetes versions prior to 1.24. The minimum supported Kubernetes version in |prod| is v1.29, where ``SecurityContextDeny`` POD security policy is deprecated and removed from the API server. - CIS-1.2.20 related Configuration (audit-log-maxbackup=10) is present, but not detected by CIS scanning tool. The configuration required for this control point is already configured during bootstrap, but the scanning tool may incorrectly flag it due to limitations in runtime argument introspection. - CIS-1.2.21 related Configuration (audit-log-maxsize=100) is present, but not detected by CIS scanning tool. The configuration required for this control point is already configured during bootstrap, but the scanning tool may incorrectly flag it due to limitations in runtime argument introspection.