Aqua Vulnerability Database

    Kubernetes

    Ensure that the --kubelet-https argument is set to true

    Ensure that the --make-iptables-util-chains argument is set to true

    Ensure that the --peer-auto-tls argument is not set to true

    Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate

    Ensure that the --peer-client-cert-auth argument is set to true

    Ensure that the --profiling argument is set to false

    Ensure that the --protect-kernel-defaults argument is set to true

    Ensure that the --root-ca-file argument is set as appropriate

    Ensure that the --rotate-certificates argument is not set to false

    Ensure that the --secure-port argument is not set to 0

    Ensure that the --service-account-key-file argument is set as appropriate

    Ensure that the --service-account-lookup argument is set to true

    Ensure that the --service-account-private-key-file argument is set as appropriate

    Ensure that the --streaming-connection-idle-timeout argument is not set to 0

    Ensure that the --terminated-pod-gc-threshold argument is set as appropriate

    Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate

    Ensure that the --token-auth-file parameter is not set

    Ensure that the --use-service-account-credentials argument is set to true

    Ensure that the admin.conf file ownership is set to root:root

    Ensure that the admin.conf file permissions are set to 600

    Ensure that the admission control plugin AlwaysAdmit is not set

    Ensure that the admission control plugin AlwaysPullImages is set

    Ensure that the admission control plugin EventRateLimit is set

    Ensure that the admission control plugin NamespaceLifecycle is set

    Ensure that the admission control plugin NodeRestriction is set

    Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used

    Ensure that the admission control plugin ServiceAccount is set

    Ensure that the API server pod specification file ownership is set to root:root

    Ensure that the API server pod specification file permissions are set to 600 or more restrictive

    Ensure that the audit policy covers key security concerns (Manual)

    Ensure that the certificate authorities file permissions are set to 600 or more restrictive

    Ensure that the client certificate authorities file ownership is set to root:root

    Ensure that the cluster-admin role is only used where required

    Ensure that the CNI in use supports Network Policies (Manual)

    Ensure that the Container Network Interface file ownership is set to root:root

    Ensure that the Container Network Interface file permissions are set to 600 or more restrictive

    Ensure that the controller manager pod specification file ownership is set to root:root

    Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive

    Ensure that the controller-manager.conf file ownership is set to root:root

    Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive

    Ensure that the etcd data directory ownership is set to etcd:etcd

    Ensure that the etcd data directory permissions are set to 700 or more restrictive

    Ensure that the etcd pod specification file ownership is set to root:root

    Ensure that the etcd pod specification file permissions are set to 600 or more restrictive

    Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers

    Ensure that the kubelet service file ownership is set to root:root

    Ensure that the kubelet service file permissions are set to 600 or more restrictive

    Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive

    Ensure that the Kubernetes PKI directory and file ownership is set to root:root

    Ensure that the Kubernetes PKI key file permissions are set to 600

    Ensure that the RotateKubeletServerCertificate argument is set to true

    Ensure that the scheduler pod specification file ownership is set to root:root

    Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive

    Ensure that the scheduler.conf file ownership is set to root:root

    Ensure that the scheduler.conf file permissions are set to 600 or more restrictive

    Ensure that the seccomp profile is set to docker/default in your pod definitions

    Ensure unnecessary packages are not installed in the container (Manual)

    Ensure update instructions are not used alone in the Dockerfile

    Ensure only verified packages are installed (Manual)

    ensure-cloudwatch-integration

    Host Namespaces

    host ports

    HostPath Volumes

    HostProcess

    If proxy kubeconfig file exists ensure ownership is set to root:root

    If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive

    If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root

    If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive

    Immutable container file systems

    Kubernetes Pod Security Standards Baseline 0.1

    Kubernetes Pod Security Standards Restricted 0.1

    Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster

    limit-root-account-usage

    limit-user-access-keys

    Make sure --authorization-mode=RBAC

    Make sure anonymous-auth is unset

    Minimize access to secrets

    Minimize the admission of containers which use HostPorts

    Minimize the admission of containers wishing to share the host IPC namespace

    Minimize the admission of containers wishing to share the host network namespace

    Minimize the admission of containers wishing to share the host process ID namespace

    Minimize the admission of containers with added capabilities

    Minimize the admission of containers with allowPrivilegeEscalation

    Minimize the admission of containers with capabilities assigned

    Minimize the admission of containers with the NET_RAW capability

    Minimize the admission of HostPath volumes

    Minimize the admission of privileged containers

    Minimize the admission of root containers

    Minimize wildcard use in Roles and ClusterRoles

    Namespace kube-system should not be used by users

    National Security Agency Kubernetes Hardening Guidance V1.0 1.0

    Copyright © 2023 Aqua Security Software Ltd.