I’m happy to announce the availability of the latest benchmark addressing the container ecosystem – the Kubernetes 1.7 Security Benchmark. Kubernetes 1.7 brings tons of security improvements. We, at CIS Kubernetes community, have been busy to give you an updated benchmark quickly. Download your copy from the CIS website. For an additional perspective on the release and enterprise-scale capabilities, please check out the google blog.
This version of the benchmark has undergone changes to reflect the above improvements. Below is a quick summary.
New Recommendations
- 1.32 Ensure that the --authorization-mode argument is set to Node
- 1.33 Ensure that the admission control policy is set to NodeRestriction
- 1.34 Ensure that the --experimental-encryption-provider-config argument is set as appropriate
- 1.35 Ensure that the encryption provider is set to aescbc
- 6.8 Configure Network policies as appropriate
- 1.14 Ensure that the RotateKubeletClientCertificate argument is set to true
- 1.15 Ensure that the RotateKubeletServerCertificate argument is set to true
- 2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive
- 2.8 Ensure that the client certificate authorities file ownership is set to root:rootModified Recommendations
Deleted Recommendations
- 3.3 Ensure that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set
- 6.5 Avoid using Kubernetes Secrets
Out of all the new recommendations, the ability to encrypt Kubernetes API objects in etcd key-value store is probably the most awaited one and impactful. Prior to this release there was no mechanism to store etcd data encrypted at rest. This also led to the deletion of “1.6.5 Avoid using Kubernetes Secrets”. You can now encrypt not only the secrets but other API objects as well. Such changes again make it extremely important to have updated benchmarks.
Another major change is restricted node authorization. Prior to this release, nodes had excessive permissions and could access several sensitive API objects. Now, the nodes can be restricted to only access the objects that belong to it thus tremendously enforcing least privilege principle.
I would again like to appreciate the CIS Kubernetes community for their outstanding contribution to this release.
Check out Cavirin's lifecycle container and Docker support.
