docs/doc/source/security/kubernetes/configuring-system-to-cis-benchmark-for-containers-standards-3df0c174ffe2.rst
Suzana Fernandes a9c0a0e472 Configuration for CIS Benchmark Containers and Hosts Standards
Story: 2011337
Task: 52527

Story: 2011253
task: 52529

Change-Id: I6856a7194e103885e9bdf905a6eb7ecc34ee6fac
Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
2025-07-30 20:08:42 +00:00


.. WARNING: Add no lines of text between the label immediately following
.. and the title.

.. _configuring-system-to-cis-benchmark-for-containers-standards-3df0c174ffe2:

==========================================================
Configure System to CIS Benchmark for Containers Standards
==========================================================

By default, |prod| complies with the |CIS| Benchmark for containers for most
specifications. For the specifications outlined in the |CIS| Benchmark that are
not met by default, |prod| can be configured to comply with them. However,
these configurations may affect system performance. The relevant |CIS|
Benchmark specifications, along with the |prod| configuration steps needed to
achieve compliance, are detailed below. Before applying these configurations
in a live deployment, carefully assess their performance implications in the
context of your specific security and operational needs.

CIS-1.2.11
   Ensure that the admission control plugin AlwaysPullImages is set
   ``https://hub.armosec.io/docs/c-0123``

CIS-1.2.17
   Ensure that the API Server ``--profiling`` argument is set to ``false``
   ``https://hub.armosec.io/docs/c-0129``

CIS-1.2.19
   Ensure that the API Server ``--audit-log-maxage`` argument is set to ``30``
   or as appropriate ``https://hub.armosec.io/docs/c-0131``

CIS-3.2.1
   Ensure that a minimal audit policy is created
   ``https://hub.armosec.io/docs/c-0160``


These |CIS| specifications are not applied by default in |prod|; you must
configure them yourself if you want to comply with them. The configurations
listed in the table below are example minimal configurations for the |CIS|
specifications; adjust them to your actual needs.


.. table::
   :widths: auto

   +-----------------+---------------------+------------------------------------------------------+-------------------------------------------------------------------+
   | Specification   | Attribute           | Semantic                                             | Configuration                                                     |
   +=================+=====================+======================================================+===================================================================+
   | CIS-1.2.11      | AlwaysPullImages    | Forces the kubelet to always pull container images   | --enable-admission-plugins=...,NodeRestriction,AlwaysPullImages   |
   |                 |                     | prior to starting containers, ensuring the latest    |                                                                   |
   |                 |                     | image is used                                        |                                                                   |
   +-----------------+---------------------+------------------------------------------------------+-------------------------------------------------------------------+
   | CIS-1.2.17      | Profiling           | Disabling profiling prevents exposure of sensitive   | --profiling=false                                                 |
   |                 |                     | performance data                                     |                                                                   |
   +-----------------+---------------------+------------------------------------------------------+-------------------------------------------------------------------+
   | CIS-1.2.19      | audit-log-maxage    | Specifies the maximum number of days to retain old   | --audit-log-maxage=30                                             |
   |                 |                     | audit logs                                           |                                                                   |
   +-----------------+---------------------+------------------------------------------------------+-------------------------------------------------------------------+
   | CIS-3.2.1       | audit-policy-file   | Defines minimal audit policy                         | --audit-policy-file=/etc/kubernetes/default-audit-policy.yaml     |
   +-----------------+---------------------+------------------------------------------------------+-------------------------------------------------------------------+

An example of the |prod| commands used to configure these parameters is available
in the script located at ``/usr/local/bin/apiserver_cis_compliance.sh``. For
testing purposes only, this script can be executed from the active controller
to configure the ``kube-apiserver`` in accordance with the |CIS| Benchmark
specifications mentioned above.
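
The following is an added example, not part of the |prod| documentation or of
the ``apiserver_cis_compliance.sh`` script. It evaluates a ``kube-apiserver``
argument list against the controls discussed on this page (the four in the
table plus CIS-1.2.20 and CIS-1.2.21 from the warning below), so the state of
the flags can be verified independently of the scanning tool. The argument
lists are constructed for the example; on a real controller the list would be
taken from the ``command`` entry of the ``kube-apiserver`` static pod manifest
(its location under ``/etc/kubernetes/manifests`` is an assumption).

```python
"""Added example (not from the |prod| documentation or its compliance script):
check a kube-apiserver argument list against the CIS controls on this page.

The argument lists below are constructed for the example. On a real controller
they would come from the 'command' entry of the kube-apiserver static pod
manifest (assumed here to live under /etc/kubernetes/manifests).
"""

# Flag and value expected per control, taken from the page's table and warnings.
# CIS-1.2.11 is handled separately because its value is a comma-separated list.
# The comparison is exact, so "30 or as appropriate" for audit-log-maxage means
# you should adjust the expected value to your own policy.
EXPECTED_FLAGS = {
    "CIS-1.2.17": ("profiling", "false"),
    "CIS-1.2.19": ("audit-log-maxage", "30"),
    "CIS-1.2.20": ("audit-log-maxbackup", "10"),
    "CIS-1.2.21": ("audit-log-maxsize", "100"),
    "CIS-3.2.1": ("audit-policy-file", "/etc/kubernetes/default-audit-policy.yaml"),
}

# Constructed sample: flags before hardening. maxbackup/maxsize are already
# present, matching the page's statement that they are set during bootstrap.
DEFAULT_ARGS = [
    "kube-apiserver",
    "--secure-port=6443",
    "--enable-admission-plugins=NodeRestriction",
    "--audit-log-maxbackup=10",
    "--audit-log-maxsize=100",
    "--audit-log-path=/var/log/kubernetes/audit/audit.log",
]

# Constructed sample: flags after applying the configuration from the table.
HARDENED_ARGS = [
    "kube-apiserver",
    "--secure-port=6443",
    "--enable-admission-plugins=NodeRestriction,AlwaysPullImages",
    "--profiling=false",
    "--audit-log-maxage=30",
    "--audit-log-maxbackup=10",
    "--audit-log-maxsize=100",
    "--audit-policy-file=/etc/kubernetes/default-audit-policy.yaml",
    "--audit-log-path=/var/log/kubernetes/audit/audit.log",
]


def parse_args(argv):
    """Map ['kube-apiserver', '--a=b', '--c', 'd', '--e'] to {'a': 'b', 'c': 'd', 'e': 'true'}.

    Accepts both '--flag=value' and '--flag value'; a bare '--flag' is treated
    as a boolean set to 'true'. A flag given more than once keeps the last
    occurrence, so a stale earlier value cannot mask the effective one.
    """
    flags = {}
    i = 1  # argv[0] is the binary name
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("--"):
            i += 1
            continue
        name, sep, value = tok[2:].partition("=")
        if not sep:
            # '--flag value' form, unless the next token is itself a flag
            if i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                value = argv[i + 1]
                i += 1
            else:
                value = "true"
        flags[name] = value
        i += 1
    return flags


def evaluate(argv):
    """Return {control: True/False} for every CIS control covered on this page."""
    flags = parse_args(argv)
    plugins = [p for p in flags.get("enable-admission-plugins", "").split(",") if p]
    results = {"CIS-1.2.11": "AlwaysPullImages" in plugins}
    for control, (flag, wanted) in EXPECTED_FLAGS.items():
        results[control] = flags.get(flag) == wanted
    return results


def missing_controls(argv):
    """Sorted list of controls whose expected configuration is absent."""
    return sorted(c for c, ok in evaluate(argv).items() if not ok)


if __name__ == "__main__":
    for label, argv in (("default", DEFAULT_ARGS), ("hardened", HARDENED_ARGS)):
        print(label, "missing:", missing_controls(argv) or "none")
```

Run against the constructed defaults, ``missing_controls`` reports CIS-1.2.11,
1.2.17, 1.2.19 and 3.2.1 while 1.2.20 and 1.2.21 pass; against the hardened
list it reports nothing. The parser accepts both ``--flag=value`` and
``--flag value`` so that the check does not depend on which spelling the
manifest happens to use.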

.. warning::

   **Critical Warning:**

   - CIS-1.2.9 is not remediated.

     To adhere to this control point, it is required to configure
     ``enable-admission-plugins="EventRateLimit"``. However, this configuration
     causes the API server to fail during startup due to a longstanding issue in
     Kubernetes. This is a known Kubernetes bug, tracked as Kubernetes Issue
     #62861 (https://github.com/kubernetes/kubernetes/issues/62861). Therefore,
     it is not recommended to configure this until the bug is resolved.

   **Minor Warning:**

   - CIS-1.2.12 is not applicable to the current version.

     To adhere to this control point, it is required to configure
     ``enable-admission-plugins="SecurityContextDeny"``. However, this POD
     security policy is valid for Kubernetes versions prior to 1.24. The
     minimum supported Kubernetes version in |prod| is v1.29, where the
     ``SecurityContextDeny`` POD security policy is deprecated and removed
     from the API server.

   - The CIS-1.2.20 related configuration (``audit-log-maxbackup=10``) is
     present, but is not detected by the CIS scanning tool.

     The configuration required for this control point is already applied
     during bootstrap, but the scanning tool may incorrectly flag it due to
     limitations in runtime argument introspection.

   - The CIS-1.2.21 related configuration (``audit-log-maxsize=100``) is
     present, but is not detected by the CIS scanning tool.

     The configuration required for this control point is already applied
     during bootstrap, but the scanning tool may incorrectly flag it due to
     limitations in runtime argument introspection.