N/A
Source: Kube Bench
ID: 1.2
Version: cis-1.6-k3s

1.2 API Server

1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)

By default, K3s kube-apiserver is configured to run with the --anonymous-auth=false flag.

1.2.2 Ensure that the --basic-auth-file argument is not set (Automated)

By default, K3s does not run with basic authentication enabled. No manual remediation is needed.

1.2.3 Ensure that the --token-auth-file parameter is not set (Automated)

By default, K3s does not run with basic authentication enabled. No manual remediation is needed.

1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)

By default, K3s kube-apiserver does not set the --kubelet-https parameter, as it already communicates with the kubelet over TLS. No manual remediation is needed.

1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)

By default, K3s kube-apiserver is run with these arguments for secure communication with the kubelet. No manual remediation is needed.

1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)

By default, K3s kube-apiserver is run with this argument for secure communication with the kubelet. No manual remediation is needed.

1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)

By default, K3s sets the --authorization-mode argument to Node,RBAC. No manual remediation is needed.

1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)

By default, K3s sets the --authorization-mode argument to Node,RBAC. No manual remediation is needed.

1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)

By default, K3s sets the --authorization-mode argument to Node,RBAC. No manual remediation is needed.

1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)

By default, K3s only sets NodeRestriction,PodSecurityPolicy as the parameter to the --enable-admission-plugins argument. To configure this, follow the Kubernetes documentation and set the desired limits in a configuration file. Then refer to the K3s documentation to see how to supply additional API server configuration via the --kube-apiserver-arg parameter.

1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)

By default, K3s only sets NodeRestriction,PodSecurityPolicy as the parameter to the --enable-admission-plugins argument. No manual remediation needed.

1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)

By default, K3s only sets NodeRestriction,PodSecurityPolicy as the parameter to the --enable-admission-plugins argument. To configure this, follow the Kubernetes documentation and set the desired limits in a configuration file. Then refer to the K3s documentation to see how to supply additional API server configuration via the --kube-apiserver-arg parameter.

1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)

K3s would need to have the SecurityContextDeny admission plugin enabled by passing it as an argument to K3s: --kube-apiserver-arg='enable-admission-plugins=SecurityContextDeny'

1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)

By default, K3s does not use this argument. If there is a desire to use this argument, follow the documentation and create ServiceAccount objects as per your environment. Then refer to the K3s documentation to see how to supply additional API server configuration via the --kube-apiserver-arg parameter.

1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)

By default, K3s does not use this argument. No manual remediation needed.

1.2.16 Ensure that the admission control plugin PodSecurityPolicy is set (Automated)

K3s would need to have the PodSecurityPolicy admission plugin enabled by passing it as an argument to K3s: --kube-apiserver-arg='enable-admission-plugins=PodSecurityPolicy'

1.2.17 Ensure that the admission control plugin NodeRestriction is set (Automated)

K3s would need to have the NodeRestriction admission plugin enabled by passing it as an argument to K3s: --kube-apiserver-arg='enable-admission-plugins=NodeRestriction'

1.2.18 Ensure that the --insecure-bind-address argument is not set (Automated)

By default, K3s explicitly excludes the use of the --insecure-bind-address parameter. No manual remediation is needed.

1.2.19 Ensure that the --insecure-port argument is set to 0 (Automated)

By default, K3s starts the kube-apiserver process with this argument set to 0. No manual remediation is needed.

1.2.20 Ensure that the --secure-port argument is not set to 0 (Automated)

By default, K3s sets the --secure-port argument to 6444. No manual remediation is needed.

1.2.21 Ensure that the --profiling argument is set to false (Automated)

By default, K3s sets the --profiling flag to false. No manual remediation needed.
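The automated items above (1.2.1 through 1.2.21) all reduce to inspecting the flags kube-apiserver was started with. The following added example, which is not part of the benchmark or of K3s, shows one way to script those checks as POSIX shell functions over an argument list. On a K3s host the API server runs inside the k3s process, so in practice the argument list is taken from the k3s startup log (for example via journalctl -u k3s) rather than from ps; the SAMPLE_CMDLINE here is constructed to match the defaults the benchmark describes, and the function, helper and check names are my own.

```shell
#!/bin/sh
# Added example: check a kube-apiserver argument list against the 1.2.x items.
# SAMPLE_CMDLINE is constructed, not captured from a real host.
SAMPLE_CMDLINE='kube-apiserver --anonymous-auth=false --authorization-mode=Node,RBAC --enable-admission-plugins=NodeRestriction,PodSecurityPolicy --insecure-port=0 --secure-port=6444 --profiling=false --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt'

# flag_value CMDLINE FLAG: print the value of --FLAG=VALUE, or nothing if absent.
flag_value() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^--$2=//p" | head -n 1
}

# list_has LIST ITEM: succeed when ITEM is an element of the comma-separated LIST.
list_has() {
  case ",$1," in
    *",$2,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# not COMMAND...: invert the exit status of COMMAND.
not() { ! "$@"; }

# check ID DESCRIPTION COMMAND...: run COMMAND, print PASS/FAIL, count failures.
check() {
  id=$1 desc=$2
  shift 2
  if "$@"; then
    printf 'PASS %s %s\n' "$id" "$desc"
  else
    printf 'FAIL %s %s\n' "$id" "$desc"
    FAILS=$((FAILS + 1))
  fi
}

# check_apiserver CMDLINE: run the flag checks; the return value is the number
# of failed items (0 means every checked item passed).
check_apiserver() {
  cmd=$1
  FAILS=0
  authz=$(flag_value "$cmd" authorization-mode)
  plugins=$(flag_value "$cmd" enable-admission-plugins)
  # kube-apiserver defaults --secure-port to 6443 when the flag is absent.
  secure=$(flag_value "$cmd" secure-port)

  check 1.2.1  'anonymous-auth is false'              [ "$(flag_value "$cmd" anonymous-auth)" = false ]
  check 1.2.2  'basic-auth-file not set'              [ -z "$(flag_value "$cmd" basic-auth-file)" ]
  check 1.2.3  'token-auth-file not set'              [ -z "$(flag_value "$cmd" token-auth-file)" ]
  check 1.2.6  'kubelet-certificate-authority set'    [ -n "$(flag_value "$cmd" kubelet-certificate-authority)" ]
  check 1.2.7  'authorization-mode lacks AlwaysAllow' not list_has "$authz" AlwaysAllow
  check 1.2.8  'authorization-mode includes Node'     list_has "$authz" Node
  check 1.2.9  'authorization-mode includes RBAC'     list_has "$authz" RBAC
  check 1.2.11 'AlwaysAdmit not enabled'              not list_has "$plugins" AlwaysAdmit
  check 1.2.17 'NodeRestriction enabled'              list_has "$plugins" NodeRestriction
  check 1.2.18 'insecure-bind-address not set'        [ -z "$(flag_value "$cmd" insecure-bind-address)" ]
  check 1.2.19 'insecure-port is 0'                   [ "$(flag_value "$cmd" insecure-port)" = 0 ]
  check 1.2.20 'secure-port is not 0'                 [ "${secure:-6443}" != 0 ]
  check 1.2.21 'profiling is false'                   [ "$(flag_value "$cmd" profiling)" = false ]
  return "$FAILS"
}

check_apiserver "$SAMPLE_CMDLINE"
```

To run it against a real server, replace SAMPLE_CMDLINE with the kube-apiserver line from the K3s startup log; the exit status of check_apiserver is the number of failed items, which makes it easy to fold into a node health check.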

1.2.22 Ensure that the --audit-log-path argument is set (Automated)

The K3s server needs to be run with the following argument: --kube-apiserver-arg='audit-log-path=/path/to/log/file'

1.2.23 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)

The K3s server needs to be run with the following argument: --kube-apiserver-arg='audit-log-maxage=30'

1.2.24 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)

The K3s server needs to be run with the following argument: --kube-apiserver-arg='audit-log-maxbackup=10'

1.2.25 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)

The K3s server needs to be run with the following argument: --kube-apiserver-arg='audit-log-maxsize=100'
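Items 1.2.22 through 1.2.25 are all supplied through the same --kube-apiserver-arg mechanism, so they are normally set together. The following added example (not from the benchmark or the K3s project) renders them as entries in a K3s config.yaml, which K3s reads from /etc/rancher/k3s/config.yaml and passes on to kube-apiserver as --key=value flags; the log and policy paths are assumptions chosen for illustration. It also adds an audit-policy-file entry, because kube-apiserver writes no audit events when no policy file is supplied, so audit-log-path on its own satisfies the check but leaves the log empty.

```shell
#!/bin/sh
# Added example: render the audit settings as a K3s config.yaml plus a minimal
# audit policy. Paths are assumptions; files are written under the directory
# given as $1 so the result can be inspected before installing it on a node.
write_k3s_audit_config() {
  dir=$1
  mkdir -p "$dir"
  # Minimal policy: record request metadata for every request. Without a
  # policy file kube-apiserver logs nothing, whatever audit-log-path says.
  cat > "$dir/audit-policy.yaml" <<'EOF'
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: Metadata
EOF
  # Each kube-apiserver-arg entry becomes --<key>=<value> on kube-apiserver.
  cat > "$dir/config.yaml" <<EOF
kube-apiserver-arg:
  - "audit-policy-file=$dir/audit-policy.yaml"
  - "audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log"
  - "audit-log-maxage=30"
  - "audit-log-maxbackup=10"
  - "audit-log-maxsize=100"
EOF
}

# config_arg FILE KEY: print the value of KEY from the kube-apiserver-arg list
# (quotes around list entries are optional in the YAML, so strip them first).
config_arg() {
  tr -d '"' < "$1" | sed -n "s/^ *- *$2=//p" | head -n 1
}

# audit_config_ok FILE: succeed when the config carries a log path, a policy
# file, and retention values at or above the benchmark's 30/10/100.
audit_config_ok() {
  f=$1
  [ -n "$(config_arg "$f" audit-log-path)" ] &&
  [ -n "$(config_arg "$f" audit-policy-file)" ] &&
  [ "$(config_arg "$f" audit-log-maxage)" -ge 30 ] &&
  [ "$(config_arg "$f" audit-log-maxbackup)" -ge 10 ] &&
  [ "$(config_arg "$f" audit-log-maxsize)" -ge 100 ]
}

tmp=$(mktemp -d)
write_k3s_audit_config "$tmp"
if audit_config_ok "$tmp/config.yaml"; then
  echo "config.yaml ready: install as /etc/rancher/k3s/config.yaml and restart k3s"
fi
rm -r "$tmp"
```

The same config_arg and audit_config_ok functions can be pointed at an existing /etc/rancher/k3s/config.yaml to confirm a node's settings before kube-bench runs.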

1.2.26 Ensure that the --request-timeout argument is set as appropriate (Automated)

By default, K3s does not set the --request-timeout argument. No manual remediation needed.

1.2.27 Ensure that the --service-account-lookup argument is set to true (Automated)

The K3s server needs to be run with the following argument: --kube-apiserver-arg='service-account-lookup=true'

1.2.28 Ensure that the --service-account-key-file argument is set as appropriate (Automated)

By default, K3s sets the --service-account-key-file argument explicitly. No manual remediation needed.

1.2.29 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)

By default, K3s sets the --etcd-certfile and --etcd-keyfile arguments explicitly. No manual remediation needed.

1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)

By default, K3s sets the --tls-cert-file and --tls-private-key-file arguments explicitly. No manual remediation needed.

1.2.31 Ensure that the --client-ca-file argument is set as appropriate (Automated)

By default, K3s sets the --client-ca-file argument explicitly. No manual remediation needed.

1.2.32 Ensure that the --etcd-cafile argument is set as appropriate (Automated)

By default, K3s sets the --etcd-cafile argument explicitly. No manual remediation needed.

1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)

The K3s server needs to be run with the following: --kube-apiserver-arg='encryption-provider-config=/path/to/encryption_config'. This can be done by running K3s with the --secrets-encryption argument, which will configure the encryption provider.

1.2.34 Ensure that encryption providers are appropriately configured (Manual)

The K3s server needs to be run with --secrets-encryption=true, and you must verify that one of the allowed encryption providers is present. Run the command below on the master node:

grep aescbc /path/to/encryption-config.json

Verify that aescbc, kms or secretbox is set as the encryption provider for all the desired resources.
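The grep in 1.2.34 only confirms that aescbc appears somewhere in the file. kube-apiserver encrypts new writes with the first provider listed under providers and consults later providers only for reads, so a configuration that lists identity first still stores new Secrets in plaintext even though grep aescbc matches. The following added example (not from the benchmark or from K3s) checks the write provider instead. It operates on the YAML form of EncryptionConfiguration documented by Kubernetes and constructs two sample files of its own; the file K3s generates with --secrets-encryption is JSON (the path in the check above ends in .json), so a JSON-aware parser would be needed to run this directly against that file.

```shell
#!/bin/sh
# Added example: report which provider an EncryptionConfiguration will use to
# encrypt new writes. Both sample files below are constructed for illustration.
write_samples() {
  dir=$1
  mkdir -p "$dir"
  # aescbc first: new Secrets are encrypted; identity is kept for reading
  # objects written before encryption was turned on.
  cat > "$dir/good.yaml" <<'EOF'
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: <base64-encoded 32-byte key, placeholder>
      - identity: {}
EOF
  # Same providers in the wrong order: grep aescbc still matches, but new
  # Secrets are written in plaintext.
  cat > "$dir/weak.yaml" <<'EOF'
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - identity: {}
      - aescbc:
          keys:
            - name: key1
              secret: <base64-encoded 32-byte key, placeholder>
EOF
}

# first_provider FILE: print the name of the first provider in the first
# "providers:" block, which is the one used for new writes.
first_provider() {
  awk '
    /^ *providers:/ { in_prov = 1; next }
    in_prov && /^ *- *[a-z]+:/ { sub(/^ *- */, ""); sub(/:.*/, ""); print; exit }
  ' "$1"
}

# encryption_ok FILE: succeed when the write provider is one the benchmark
# accepts (aescbc, kms or secretbox).
encryption_ok() {
  case $(first_provider "$1") in
    aescbc|kms|secretbox) return 0 ;;
    *)                    return 1 ;;
  esac
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in good weak; do
  if encryption_ok "$tmp/$f.yaml"; then
    echo "$f.yaml: write provider $(first_provider "$tmp/$f.yaml") (OK)"
  else
    echo "$f.yaml: write provider $(first_provider "$tmp/$f.yaml") (FAIL)"
  fi
done
rm -r "$tmp"
```

Only the first resources block is inspected; a configuration that encrypts several resource types with different provider lists would need the check repeated per block.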

1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)

By default, K3s explicitly doesn’t set this flag. No manual remediation needed.