a9c0a0e472
Story: 2011337 Task: 52527 Story: 2011253 task: 52529 Change-Id: I6856a7194e103885e9bdf905a6eb7ecc34ee6fac Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
6.7 KiB
Configure System to CIS Benchmark for Containers Standards
By default, complies with the Benchmark for containers for most specifications. Some specifications outlined in the Benchmark that are not met by default, can be configured to comply with these requirements. However, these configurations may affect system performance. The relevant Benchmark specifications, along with the necessary configuration steps to achieve compliance, are detailed below. Before applying these configurations in a live deployment, carefully assess their performance implications in the context of your specific security and operational needs.
- CIS-1.2.11
-
Ensure that the admission control plugin AlwaysPullImages is set
https://hub.armosec.io/docs/c-0123 - CIS-1.2.17
-
Ensure that the API Server
--profilingargument is set tofalsehttps://hub.armosec.io/docs/c-0129 - CIS-1.2.19
-
Ensure that the API Server
--audit-log-maxageargument is set to30or as appropriatehttps://hub.armosec.io/docs/c-0131 - CIS-3.2.1
-
Ensure that a minimal audit policy is created
https://hub.armosec.io/docs/c-0160
These specifications are not applied by default in and require you to configure them if you want to comply to these specifications. The configuration mentioned in the table below are example minimal configurations required for specifications; you should configure them according to your actual needs.
| Specification | Attribute | Semantic | Configuration |
|---|---|---|---|
| CIS- 1.2.11 |
|
Forces the kubelet to always pull container images prior to starting containers, ensuring the latest image is used |
|
| CIS- 1.2.17 |
|
Disabling profiling prevents exposure of sensitive performance data |
|
| CIS- 1.2.19 |
|
Specifies the maximum number of days to retain old audit logs |
|
| CIS- 3.2.1 |
|
Defines minimal audit policy |
|
An example of the commands used to configure these parameters is
available in the script located at
/usr/local/bin/apiserver_cis_compliance.sh. For testing
purposes only, this script can be executed from the active controller to
configure the kube-apiserver in accordance with the
Benchmark specifications mentioned above.
Warning
Critical Warning:
CIS-1.2.9 is not remediated.
To adhere to this control point, it is required to configure
enable-admission-plugins="EventRateLimit". But this configuration causes the API server to fail during startup due to a longstanding issue in Kubernetes. This is a known Kubernetes bug tracked (Kubernetes Issue #62861, https://github.com/kubernetes/kubernetes/issues/62861). Therefore, it is not recommended to configure this until this bug is resolved.
Minor Warning:
CIS-1.2.12 is not applicable to the current version.
To adhere to this control point, it is required to configure
enable-admission-plugins= “SecurityContextDeny”. But this POD security policy is valid for Kubernetes versions prior to 1.24. The minimum supported Kubernetes version in is v1.29, whereSecurityContextDenyPOD security policy is deprecated and removed from the API server.CIS-1.2.20 related Configuration (audit-log-maxbackup=10) is present, but not detected by CIS scanning tool.
The configuration required for this control point is already configured during bootstrap, but the scanning tool may incorrectly flag it due to limitations in runtime argument introspection.
CIS-1.2.21 related Configuration (audit-log-maxsize=100) is present, but not detected by CIS scanning tool.
The configuration required for this control point is already configured during bootstrap, but the scanning tool may incorrectly flag it due to limitations in runtime argument introspection.