
CIS Kubernetes 1.8 Security Benchmark Released


The CIS Benchmark for Kubernetes 1.8 release continues to bring security enhancements to the core orchestration platform. The CIS Kubernetes community has been busy refreshing the benchmark to align with the newly released features and to narrow the gap between the announcement of the GA version of the product and the benchmark release. Download your copy of the benchmark from the CIS website today (NOTE: the actual benchmark title aligned to the new release is ‘CIS Kubernetes Benchmark v1.2.0’).

This version of the benchmark has undergone significant changes. The most awaited and subtle change is that the entire benchmark has been refactored around kubeadm-based deployments. Kubeadm is increasingly becoming the developer’s preferred way to deploy a cluster, rather than installing the individual Kubernetes components one by one. This standardization also makes it easier for other deployment mechanisms to map to and adopt the benchmark’s procedures.

Apart from the refactoring, below are the changes to the benchmark recommendations:

 New Recommendations

  • 1.35 Ensure that the admission control policy is set to EventRateLimit
  • 1.36 Ensure that the AdvancedAuditing argument is set to true
  • 1.37 Ensure that the --request-timeout argument is set as appropriate
  • 4.13 Ensure that the admin.conf file permissions are set to 644 or more restrictive
  • 4.14 Ensure that the admin.conf file ownership is set to root:root
  • 4.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive
  • 4.16 Ensure that the scheduler.conf file ownership is set to root:root
  • 4.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive
  • 4.18 Ensure that the controller-manager.conf file ownership is set to root:root

 Modified Recommendations

  • 1.1 Ensure that the --allow-privileged argument is set to false (moved to 1.6.9)

Deleted Recommendations - None

The first three additions come directly from features in the 1.8 release.

Advanced Auditing is now in Beta and is enabled by default. The benchmark recommends that it not be disabled and that a site-specific audit policy be defined. Advanced Auditing enables a much more general API auditing pipeline, which includes support for pluggable output backends and an audit policy specifying how different requests should be audited. Additionally, it enables auditing of failed authentication, authorization and login attempts, which can prove crucial for protecting your production clusters.

Other recommendations were added to reflect kubeadm alignment in the benchmark.
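As an added example (not from the CIS benchmark or from Cavirin), the following bash helpers audit the new v1.2.0 recommendations listed above, in the style of the benchmark's own stat- and ps-based checks: the conf-file permission and ownership rules (4.13 to 4.18) and the three API server additions (1.35 to 1.37). The kubeadm default directory /etc/kubernetes and the Kubernetes 1.8 flag spellings --admission-control and --feature-gates are assumptions, not taken from the page.

```shell
#!/bin/bash
# Added example, not from the CIS benchmark or Cavirin: audit helpers for the
# v1.2.0 additions, modelled on the benchmark's own stat- and ps-based checks.
# Assumed, not taken from the page: kubeadm's default /etc/kubernetes directory
# and the Kubernetes 1.8 flag spellings --admission-control and --feature-gates.

# 4.13/4.15/4.17: a mode as printed by `stat -c %a` passes when it sets no
# permission bit that 644 (rw-r--r--) does not, i.e. (mode & ~0644) == 0.
mode_ok() { [ $(( 8#$1 & ~8#644 )) -eq 0 ]; }
# 4.14/4.16/4.18: ownership as printed by `stat -c %U:%G` must be root:root.
owner_ok() { [ "$1" = "root:root" ]; }

# Apply both checks to one file; returns non-zero on any failure.
audit_conf_file() {
    local file=$1 rc=0 mode owner
    [ -f "$file" ] || { echo "FAIL $file: missing"; return 1; }
    mode=$(stat -c %a "$file")
    owner=$(stat -c %U:%G "$file")
    mode_ok "$mode" || { echo "FAIL $file: mode $mode is looser than 644"; rc=1; }
    owner_ok "$owner" || { echo "FAIL $file: owned by $owner, not root:root"; rc=1; }
    [ $rc -eq 0 ] && echo "PASS $file ($mode $owner)"
    return $rc
}

# Value of a --flag=value argument in a command line, empty if absent.
flag_value() {
    case "$1" in
        *"$2="*) local v=${1#*"$2="}; echo "${v%% *}" ;;
    esac
}

# 1.35-1.37 applied to the kube-apiserver command line (from `ps -ef` or the
# kubeadm static pod manifest). AdvancedAuditing is on by default in 1.8, so
# only an explicit =false fails 1.36. Returns non-zero if any check fails.
audit_apiserver_flags() {
    local cmd=$1 rc=0
    case ",$(flag_value "$cmd" --admission-control)," in
        *,EventRateLimit,*) ;;
        *) echo "FAIL 1.35: EventRateLimit not in --admission-control"; rc=1 ;;
    esac
    case ",$(flag_value "$cmd" --feature-gates)," in
        *,AdvancedAuditing=false,*) echo "FAIL 1.36: AdvancedAuditing disabled"; rc=1 ;;
    esac
    [ -n "$(flag_value "$cmd" --request-timeout)" ] \
        || { echo "FAIL 1.37: --request-timeout not set"; rc=1; }
    return $rc
}

# Usage on a kubeadm master (assumed paths):
# for f in admin scheduler controller-manager; do audit_conf_file /etc/kubernetes/$f.conf; done
# audit_apiserver_flags "$(ps -o args= -C kube-apiserver)"
```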

Cavirin is continuing to lead and maintain the Kubernetes benchmark release after release. It recognizes and appreciates the CIS Kubernetes community for its collaboration and outstanding contribution to this release.


© 2018 Cavirin Systems, Inc. All rights reserved.