N/A
Source: Kube Bench
ID: 1
Version: rh-0.7

1 Protecting the API Server

1.1 Maintain default behavior for anonymous access

1.2 Verify that the basic-auth-file method is not enabled

Edit the kubernetes master config file /etc/origin/master/master-config.yaml and remove the basic-auth-file entry.

kubernetesMasterConfig:
  apiServerArguments:
    basic-auth-file:
    - /path/to/any/file

1.3 Insecure Tokens

1.4 Secure communications between the API server and master nodes

Edit the kubernetes master config file /etc/origin/master/master-config.yaml and change it to match the below.

kubeletClientInfo:
  ca: ca-bundle.crt
  certFile: master.kubelet-client.crt
  keyFile: master.kubelet-client.key
  port: 10250

1.5 Prevent insecure bindings

Edit the kubernetes master config file /etc/origin/master/master-config.yaml and remove the insecure-bind-address entry.

kubernetesMasterConfig:
  apiServerArguments:
    insecure-bind-address:
    - 127.0.0.1

1.6 Prevent insecure port access

Edit the kubernetes master config file /etc/origin/master/master-config.yaml and remove the insecure-port entry.

kubernetesMasterConfig:
  apiServerArguments:
    insecure-port:
    - 0

1.7 Use Secure Ports for API Server Traffic

Edit the kubernetes master config file /etc/origin/master/master-config.yaml and either remove the secure-port parameter or set it to a different (non-zero) desired port.

kubernetesMasterConfig:
  apiServerArguments:
    secure-port:
    - 8443

1.8 Do not expose API server profiling data

1.9 Verify repair-malformed-updates argument for API compatibility

Edit the kubernetes master config file /etc/origin/master/master-config.yaml and remove the repair-malformed-updates entry or set repair-malformed-updates=true.

1.10 Verify that the AlwaysAdmit admission controller is disabled

Edit the kubernetes master config file /etc/origin/master/master-config.yaml and remove the entry below.

AlwaysAdmit:
  configuration:
    kind: DefaultAdmissionConfig
    apiVersion: v1
    disable: false

1.11 Manage the AlwaysPullImages admission controller

Edit the kubernetes master config file /etc/origin/master/master-config.yaml and add the entry below.

admissionConfig:
  pluginConfig:
    AlwaysPullImages:
      configuration:
        kind: DefaultAdmissionConfig
        apiVersion: v1
        disable: false

1.12 Use Security Context Constraints instead of DenyEscalatingExec admission

1.13 Use Security Context Constraints instead of the SecurityContextDeny admission controller

1.14 Manage the NamespaceLifecycle admission controller

Edit the kubernetes master config file /etc/origin/master/master-config.yaml and remove the following entry.

NamespaceLifecycle:
  configuration:
    kind: DefaultAdmissionConfig
    apiVersion: v1
    disable: true

1.15 Configure API server auditing - audit log file path

Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the following entry and restart the API server.

auditConfig:
  auditFilePath: "/etc/origin/master/audit-ocp.log"
  enabled: true
  maximumFileRetentionDays: 30
  maximumFileSizeMegabytes: 10
  maximumRetainedFiles: 10

Make the same changes in the inventory/ansible variables so the changes are not lost when an upgrade occurs.

1.16 Configure API server auditing - audit log retention

Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the maximumFileRetentionDays entry and restart the API server.

auditConfig:
  auditFilePath: "/etc/origin/master/audit-ocp.log"
  enabled: true
  maximumFileRetentionDays: 30
  maximumFileSizeMegabytes: 10
  maximumRetainedFiles: 10

Make the same changes in the inventory/ansible variables so the changes are not lost when an upgrade occurs.

1.17 Configure API server auditing - audit log backup retention

Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the maximumRetainedFiles entry, set enabled to true and restart the API server.

auditConfig:
  auditFilePath: "/etc/origin/master/audit-ocp.log"
  enabled: true
  maximumFileRetentionDays: 30
  maximumFileSizeMegabytes: 10
  maximumRetainedFiles: 10

Make the same changes in the inventory/ansible variables so the changes are not lost when an upgrade occurs.

1.18 Configure audit log file size

Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the maximumFileSizeMegabytes entry, set enabled to true and restart the API server.

auditConfig:
  auditFilePath: "/etc/origin/master/audit-ocp.log"
  enabled: true
  maximumFileRetentionDays: 30
  maximumFileSizeMegabytes: 10
  maximumRetainedFiles: 10

Make the same changes in the inventory/ansible variables so the changes are not lost when an upgrade occurs.

1.19 Verify that authorization-mode is not set to AlwaysAllow

Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the authorization-mode entry.

kubernetesMasterConfig:
  apiServerArguments:
    authorization-mode:
    - AllowAll

1.20 Verify that the token-auth-file flag is not set

Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the token-auth-file entry under the apiServerArguments section.

kubernetesMasterConfig:
  apiServerArguments:
    token-auth-file:
    - /path/to/file
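The remediations for checks 1.2, 1.5, 1.6, 1.7, 1.19 and 1.20 (API server arguments), 1.10, 1.11 and 1.14 (admission plugins) and 1.15 to 1.18 (auditConfig) all reduce to the presence or value of a handful of keys in master-config.yaml. The script below, an added example that is not part of kube-bench or OpenShift, parses a config and reports which of those checks fail. The YAML parser handles only the indented mapping, `- ` list and scalar subset the snippets above use, and SAMPLE_CONFIG is a constructed file (it deliberately fails 1.2 and 1.14), not a real cluster's.

```python
"""Added example (not kube-bench code): evaluate an OpenShift 3.x
master-config.yaml against the section 1 remediations for API server
arguments, admission plugins and auditing. The parser covers only the
indented mapping / list / scalar subset those snippets use."""


def _scalar(raw):
    value = raw.strip().strip('"').strip("'")
    if value in ("true", "false"):
        return value == "true"
    return int(value) if value.lstrip("-").isdigit() else value


def parse_yaml_subset(text):
    """Parse indentation-based mappings, '- ' lists and plain scalars."""
    lines = [ln.rstrip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    pos = 0
    indent = lambda ln: len(ln) - len(ln.lstrip())
    is_item = lambda ln: ln.lstrip().startswith("- ")

    def block(level):
        nonlocal pos
        if is_item(lines[pos]):
            items = []
            while pos < len(lines) and indent(lines[pos]) == level and is_item(lines[pos]):
                items.append(_scalar(lines[pos].lstrip()[2:]))
                pos += 1
            return items
        mapping = {}
        while pos < len(lines) and indent(lines[pos]) == level and not is_item(lines[pos]):
            key, _, value = lines[pos].lstrip().partition(":")
            pos += 1
            if value.strip():
                mapping[key] = _scalar(value)
            elif pos < len(lines) and (indent(lines[pos]) > level or
                                       (indent(lines[pos]) == level and is_item(lines[pos]))):
                mapping[key] = block(indent(lines[pos]))  # nested mapping or list
            else:
                mapping[key] = None
        return mapping

    return block(0) if lines else {}


def get(cfg, *path):
    for key in path:  # None if any key on the path is missing
        if not isinstance(cfg, dict) or key not in cfg:
            return None
        cfg = cfg[key]
    return cfg


def audit(cfg):
    """Return {check id: passed} for the checks a parsed config can answer."""
    args = get(cfg, "kubernetesMasterConfig", "apiServerArguments") or {}
    plugins = get(cfg, "admissionConfig", "pluginConfig") or {}
    auditing = get(cfg, "auditConfig") or {}

    def disabled(plugin):  # None when the plugin has no explicit entry
        return get(plugins, plugin, "configuration", "disable")

    return {
        "1.2": "basic-auth-file" not in args,
        "1.5": "insecure-bind-address" not in args,
        # --insecure-port=0 disables the port, so an explicit 0 is accepted
        "1.6": "insecure-port" not in args or args["insecure-port"] == [0],
        "1.7": "secure-port" not in args or args["secure-port"] != [0],
        "1.10": disabled("AlwaysAdmit") is not False,   # must not be explicitly enabled
        "1.11": disabled("AlwaysPullImages") is False,  # must be explicitly enabled
        "1.14": disabled("NamespaceLifecycle") is not True,
        "1.15": auditing.get("enabled") is True and bool(auditing.get("auditFilePath")),
        "1.16": isinstance(auditing.get("maximumFileRetentionDays"), int),
        "1.17": isinstance(auditing.get("maximumRetainedFiles"), int),
        "1.18": isinstance(auditing.get("maximumFileSizeMegabytes"), int),
        "1.19": "authorization-mode" not in args,
        "1.20": "token-auth-file" not in args,
    }


def failed_checks(cfg):
    return sorted(cid for cid, ok in audit(cfg).items() if not ok)


# constructed sample, not a real cluster's file: fails 1.2 and 1.14
SAMPLE_CONFIG = """\
admissionConfig:
  pluginConfig:
    AlwaysPullImages:
      configuration:
        kind: DefaultAdmissionConfig
        apiVersion: v1
        disable: false
    NamespaceLifecycle:
      configuration:
        kind: DefaultAdmissionConfig
        apiVersion: v1
        disable: true
auditConfig:
  auditFilePath: "/etc/origin/master/audit-ocp.log"
  enabled: true
  maximumFileRetentionDays: 30
  maximumFileSizeMegabytes: 10
  maximumRetainedFiles: 10
kubernetesMasterConfig:
  apiServerArguments:
    basic-auth-file:
    - /path/to/any/file
    insecure-port:
    - 0
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for cid, ok in audit(parse_yaml_subset(text)).items():
        print(f"{cid:5} {'PASS' if ok else 'FAIL'}")
```

Run it with the path to a master's config (`python3 audit_master.py /etc/origin/master/master-config.yaml`) or with no argument to score the built-in sample. Because 1.10 passes when AlwaysAdmit has no entry at all while 1.11 needs AlwaysPullImages to be present with `disable: false`, the `disabled()` helper distinguishes "no entry" (None) from an explicit boolean rather than collapsing both to a default.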

1.21 Verify the API server certificate authority

Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the following configuration under the apiServerArguments section.

kubernetesMasterConfig:
  apiServerArguments:
    kubelet-certificate-authority:
    - /path/to/ca

1.22 Verify the API server client certificate and client key

Edit the Openshift master config file /etc/origin/master/master-config.yaml and add the following configuration under kubeletClientInfo.

kubeletClientInfo:
  ca: ca-bundle.crt
  certFile: master.kubelet-client.crt
  keyFile: master.kubelet-client.key
  port: 10250

1.23 Verify that the service account lookup flag is not set

1.24 Verify the PodSecurityPolicy is disabled to ensure use of SecurityContextConstraints

1.25 Verify that the service account key file argument is not set

The OpenShift API server does not use the service-account-key-file argument. Even if a value is set in master-config.yaml, it is not used to verify service account tokens as it is in upstream Kubernetes. The ServiceAccount token authenticator is instead configured with serviceAccountConfig.publicKeyFiles in master-config.yaml; OpenShift does not reuse the API server TLS key.

Edit the Openshift master config file /etc/origin/master/master-config.yaml and set the privateKeyFile and publicKeyFiles configuration under serviceAccountConfig.

serviceAccountConfig:
  limitSecretReferences: false
  managedNames:
  - default
  - builder
  - deployer
  masterCA: ca-bundle.crt
  privateKeyFile: serviceaccounts.private.key
  publicKeyFiles:
  - serviceaccounts.public.key

Verify that the files named by privateKeyFile and publicKeyFiles exist and that both settings are set.

1.26 Verify the certificate and key used for communication with etcd

Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile under etcdClientInfo like below.

etcdClientInfo:
  ca: master.etcd-ca.crt
  certFile: master.etcd-client.crt
  keyFile: master.etcd-client.key

1.27 Verify that the ServiceAccount admission controller is enabled

Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable ServiceAccount admission control policy.

ServiceAccount:
  configuration:
    kind: DefaultAdmissionConfig
    apiVersion: v1
    disable: false

1.28 Verify the certificate and key used to encrypt API server traffic

Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile under servingInfo.

servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  requestTimeoutSeconds: 3600

1.29 Verify that the --client-ca-file argument is not set

Edit the Openshift master config file /etc/origin/master/master-config.yaml and set clientCA under servingInfo.

servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  requestTimeoutSeconds: 3600

1.30 Verify the CA used for communication with etcd

Edit the Openshift master config file /etc/origin/master/master-config.yaml and set ca under etcdClientInfo.

etcdClientInfo:
  ca: master.etcd-ca.crt
  certFile: master.etcd-client.crt
  keyFile: master.etcd-client.key
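Checks 1.25, 1.26, 1.28 and 1.30 each end with the same practical question: does every certificate and key that master-config.yaml names actually exist on the master? The script below is an added example, not kube-bench or OpenShift code. It collects every `.crt` / `.key` reference from the config, resolves relative names against the directory that holds the config file (an assumption about how OpenShift resolves them; verify against your install), reports missing files, and additionally flags private keys that are readable by group or others, a caveat the benchmark text itself does not state. SAMPLE_CONFIG and `make_scratch` build a constructed scratch directory so the demo runs offline.

```python
"""Added example (not kube-bench code): confirm that every .crt/.key file
referenced in master-config.yaml (checks 1.25, 1.26, 1.28, 1.30) exists,
and flag private keys readable by group or others. It assumes relative
paths resolve against the directory holding the config file."""
import os
import re
import stat
import tempfile

# any bare or quoted token ending in .crt or .key, wherever it appears
FILE_REF = re.compile(r"[^\s'\"]+\.(?:crt|key)\b")


def check_referenced_files(config_path):
    """Return [(reference, problem)]; an empty list means every file checks out."""
    base = os.path.dirname(os.path.abspath(config_path))
    with open(config_path) as fh:
        refs = sorted(set(FILE_REF.findall(fh.read())))
    problems = []
    for ref in refs:
        path = ref if os.path.isabs(ref) else os.path.join(base, ref)
        if not os.path.isfile(path):
            problems.append((ref, "missing"))
        elif ref.endswith(".key") and os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append((ref, "private key readable by group or others"))
    return problems


def make_scratch(config_text, files, key_mode=0o600):
    """Constructed fixture: write the config and the named files to a temp dir."""
    tmp = tempfile.mkdtemp()
    cfg = os.path.join(tmp, "master-config.yaml")
    with open(cfg, "w") as fh:
        fh.write(config_text)
    for name in files:
        path = os.path.join(tmp, name)
        open(path, "w").close()
        if name.endswith(".key"):
            os.chmod(path, key_mode)
    return cfg


# constructed sample combining the etcdClientInfo and servingInfo snippets
SAMPLE_CONFIG = """\
etcdClientInfo:
  ca: master.etcd-ca.crt
  certFile: master.etcd-client.crt
  keyFile: master.etcd-client.key
servingInfo:
  certFile: master.server.crt
  keyFile: master.server.key
"""


def demo():
    """master.server.key is deliberately left out, so it is reported missing."""
    cfg = make_scratch(SAMPLE_CONFIG, ["master.etcd-ca.crt", "master.etcd-client.crt",
                                       "master.etcd-client.key", "master.server.crt"])
    return check_referenced_files(cfg)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for ref, problem in (check_referenced_files(target) if target else demo()):
        print(f"{problem}: {ref}")
```

Point it at a real master with `python3 check_files.py /etc/origin/master/master-config.yaml`; with no argument it runs the constructed demo, which reports only `missing: master.server.key`. Matching on the file suffix rather than on particular keys means the same pass also covers the serviceaccounts.*.key files from 1.25 and the kubelet client files from 1.4 without listing every key name.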

1.31 Verify that the authorization-mode argument is not set

1.32 Verify that the NodeRestriction admission controller is enabled

Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable the NodeRestriction admission control plugin.

NodeRestriction:
  configuration:
    kind: DefaultAdmissionConfig
    apiVersion: v1
    disable: false

1.33 Configure encryption of data at rest in etcd datastore

Follow the instructions in the documentation to configure encryption. https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html

1.34 Set the encryption provider to aescbc for etcd data at rest

Edit the Openshift master config file /etc/origin/master/master-config.yaml and set aescbc as the first provider in encryption provider config. See https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html.
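What "aescbc as the first provider" means in practice, as an added illustration that is not taken from the linked documentation: the API server writes new objects with the first provider in the list and can read objects written by any listed provider, so the order decides whether secrets land in etcd encrypted. Both fragments below are constructed; the key material is a placeholder, and the argument name used to wire the file into master-config.yaml is an assumption to be checked against the linked page.

```yaml
# Weak ordering (constructed): identity is first, so new writes stay in
# plaintext even though an aescbc key is configured.
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      - identity: {}
      - aescbc:
          keys:
            - name: key1
              secret: <BASE64_ENCODED_32_BYTE_KEY_PLACEHOLDER>

---
# Corrected ordering (constructed): aescbc first encrypts every new write;
# identity stays last only so objects written before encryption was
# enabled remain readable until they are rewritten.
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: <BASE64_ENCODED_32_BYTE_KEY_PLACEHOLDER>
      - identity: {}

---
# Assumed wiring in master-config.yaml (argument name per the 3.x
# documentation; confirm against the linked page for your release):
kubernetesMasterConfig:
  apiServerArguments:
    experimental-encryption-provider-config:
    - /etc/origin/master/encryption-config.yaml
```

After switching the order, existing secrets are still stored as they were written; they are only re-encrypted when rewritten, which is why a full read-and-update pass over the resource is part of the documented procedure.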

1.35 Enable the EventRateLimit plugin

Follow the documentation to enable the EventRateLimit plugin. https://docs.openshift.com/container-platform/3.10/architecture/additional_concepts/admission_controllers.html#admission-controllers-general-admission-rules

1.36 Configure advanced auditing

Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable AdvancedAuditing.

kubernetesMasterConfig:
  apiServerArguments:
    feature-gates:
    - AdvancedAuditing=true

1.37 Adjust the request timeout argument for your cluster resources

[Manual test] Change the request-timeout value in /etc/origin/master/master-config.yaml.