Source: Kube Bench
ID: 1.1
Version: cis-1.6-k3s

1.1 Master Node Configuration Files

1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Not Applicable)

1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Not Applicable)

1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Not Applicable)

1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Not Applicable)

1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Not Applicable)

1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root (Not Applicable)

1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Not Applicable)

1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Not Applicable)

1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Applicable)

1.1.10 Ensure that the Container Network Interface file ownership is set to root:root (Not Applicable)

1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive if etcd is used (Automated)

On the etcd server node, get the etcd data directory, passed as the --data-dir argument, from the command below:
journalctl -u k3s | grep 'Managed etcd' | grep -v grep
Run the command below (based on the etcd data directory found above). For example,
chmod 700 /var/lib/rancher/k3s/server/db/etcd

1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd if etcd is used (Not Applicable)

1.1.13 Ensure that the admin.kubeconfig file permissions are set to 644 or more restrictive (Automated)

Run the below command (based on the file location on your system) on the k3s node. For example, chmod 644 /var/lib/rancher/k3s/server/cred/admin.kubeconfig

1.1.14 Ensure that the admin.kubeconfig file ownership is set to root:root (Automated)

Run the below command (based on the file location on your system) on the k3s node. For example, chown root:root /var/lib/rancher/k3s/server/cred/admin.kubeconfig

1.1.15 Ensure that the scheduler.kubeconfig file permissions are set to 644 or more restrictive (Automated)

Run the below command (based on the file location on your system) on the k3s node. For example, chmod 644 $schedulerkubeconfig

1.1.16 Ensure that the scheduler.kubeconfig file ownership is set to root:root (Automated)

Run the below command (based on the file location on your system) on the k3s node. For example, chown root:root $schedulerkubeconfig

1.1.17 Ensure that the cloud-controller.kubeconfig file permissions are set to 644 or more restrictive (Automated)

Run the below command (based on the file location on your system) on the master node. For example, chmod 644 $controllermanagerkubeconfig

1.1.18 Ensure that the $controllermanagerkubeconfig file ownership is set to root:root (Automated)

Run the below command (based on the file location on your system) on the master node. For example, chown root:root $controllermanagerkubeconfig

1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)

Run the below command (based on the file location on your system) on the k3s node. For example, chown -R root:root /var/lib/rancher/k3s/server/tls

1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Automated)

Run the below command (based on the file location on your system) on the master node. For example, chmod -R 644 /var/lib/rancher/k3s/server/tls/*.crt

1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)

Run the below command (based on the file location on your system) on the master node. For example, chmod -R 600 /etc/kubernetes/pki/*.key
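A read-only pre-check for the file-level items above (1.1.11 and 1.1.13 through 1.1.21), added here as an example and not taken from kube-bench or k3s. It implements "644 or more restrictive" as a bitmask test rather than an equality test, so a 600 file passes a 644 check and a 664 file fails it; the scheduler and controller kubeconfig paths, the WANT_OWNER variable and all function names are assumptions, so override the paths from the environment if your node differs.

```shell
#!/bin/sh
# Added read-only audit for cis-1.6-k3s checks 1.1.11 and 1.1.13-1.1.21 (not kube-bench's own
# code): it prints mode and ownership per file and changes nothing. Paths default to the k3s
# locations quoted in the remediations above; the scheduler and controller kubeconfig paths
# are assumptions (kube-bench fills them from its config), so override any of them as needed.
K3S_DIR="${K3S_DIR:-/var/lib/rancher/k3s/server}"
SCHEDULER_KUBECONFIG="${SCHEDULER_KUBECONFIG:-$K3S_DIR/cred/scheduler.kubeconfig}"    # assumed
CONTROLLER_KUBECONFIG="${CONTROLLER_KUBECONFIG:-$K3S_DIR/cred/controller.kubeconfig}" # assumed
WANT_OWNER="${WANT_OWNER:-root:root}"
# GNU stat first, BSD stat as a fallback, so the helpers also run on a macOS admin workstation.
file_mode()  { stat -c '%a'    "$1" 2>/dev/null || stat -f '%OLp'    "$1"; }
file_owner() { stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"; }
# mode_ok ACTUAL MAX: true when ACTUAL (octal) sets no permission bit that MAX lacks, which
# is what "MAX or more restrictive" means: 600 passes a 644 check, 664 fails it (group write).
mode_ok() { [ $(( 0$1 & ~0$2 )) -eq 0 ]; }
# check_file PATH MAX [OWNER]: prints PASS/FAIL/SKIP and returns 0/1/2 respectively.
# MAX "-" skips the mode test (1.1.19 is ownership only); no OWNER skips the owner test (1.1.11).
check_file() {
    path=$1; maxmode=$2; owner=${3:-}
    [ -e "$path" ] || { echo "SKIP $path (not present)"; return 2; }
    actual=$(file_mode "$path"); have=$(file_owner "$path"); status=PASS
    [ "$maxmode" = - ] || mode_ok "$actual" "$maxmode" || status=FAIL
    [ -z "$owner" ] || [ "$have" = "$owner" ] || status=FAIL
    echo "$status $path mode=$actual (max $maxmode) owner=$have (want ${owner:-any})"
    [ "$status" = PASS ]
}
# tally: run check_file and count FAILs in the global "fails"; SKIPs are not failures.
tally() { rc=0; check_file "$@" || rc=$?; [ "$rc" -ne 1 ] || fails=$((fails + 1)); }
# audit_k3s: one line per file; the return value is the number of failing files.
audit_k3s() {
    fails=0
    tally "$K3S_DIR/db/etcd" 700                             # 1.1.11 (etcd:etcd owner is N/A on k3s)
    tally "$K3S_DIR/cred/admin.kubeconfig" 644 "$WANT_OWNER" # 1.1.13, 1.1.14
    tally "$SCHEDULER_KUBECONFIG" 644 "$WANT_OWNER"          # 1.1.15, 1.1.16
    tally "$CONTROLLER_KUBECONFIG" 644 "$WANT_OWNER"         # 1.1.17, 1.1.18
    tally "$K3S_DIR/tls" - "$WANT_OWNER"                     # 1.1.19 (the directory itself)
    for f in "$K3S_DIR"/tls/*; do                            # 1.1.19 for every entry, plus:
        [ -e "$f" ] || continue
        case $f in
            *.crt) tally "$f" 644 "$WANT_OWNER" ;;           # 1.1.20
            *.key) tally "$f" 600 "$WANT_OWNER" ;;           # 1.1.21
            *)     tally "$f" -   "$WANT_OWNER" ;;
        esac
    done
    return "$fails"
}
if [ "${K3S_AUDIT:-0}" = 1 ]; then audit_k3s; fi   # K3S_AUDIT=1 sh audit.sh runs it directly
```

Run it before applying the chmod/chown remediations to see which files actually need changing; a non-zero exit code is the count of failing files, and absent files are reported as SKIP rather than counted.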