Source: Kube Bench | ID: 1.2 | Version: rh-1.0

1.2 API Server

1.2.1 Ensure that anonymous requests are authorized (Manual)

None required. The default configuration should not be modified.

1.2.2 Ensure that the --basic-auth-file argument is not set (Manual)

None required. --basic-auth-file cannot be configured on OpenShift.

1.2.3 Ensure that the --token-auth-file parameter is not set (Manual)

None is required.

1.2.4 Use https for kubelet connections (Manual)

No remediation is required. OpenShift platform components use X.509 certificates for authentication. OpenShift manages the CAs and certificates for platform components. This is not configurable.

1.2.5 Ensure that the kubelet uses certificates to authenticate (Manual)

No remediation is required. OpenShift platform components use X.509 certificates for authentication. OpenShift manages the CAs and certificates for platform components. This is not configurable.

1.2.6 Verify that the kubelet certificate authority is set as appropriate (Manual)

No remediation is required. OpenShift platform components use X.509 certificates for authentication. OpenShift manages the CAs and certificates for platform components. This is not configurable.

1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Manual)

None. RBAC is always on, and the OpenShift API server does not use the values assigned to the --authorization-mode flag.

1.2.8 Verify that the Node authorizer is enabled (Manual)

No remediation is required.

1.2.9 Verify that RBAC is enabled (Manual)

None. It is not possible to disable RBAC.

1.2.10 Ensure that the APIPriorityAndFairness feature gate is enabled (Manual)

No remediation is required.

1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Manual)

No remediation is required. The AlwaysAdmit admission controller cannot be enabled in OpenShift.

1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)

None required.

1.2.13 Ensure that the admission control plugin SecurityContextDeny is not set (Manual)

None required. The Security Context Constraint admission controller cannot be disabled in OpenShift 4.

1.2.14 Ensure that the admission control plugin ServiceAccount is set (Manual)

None required. OpenShift is configured to use service accounts by default.

1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Manual)

Ensure that the --disable-admission-plugins parameter does not include NamespaceLifecycle.

1.2.16 Ensure that the admission control plugin SecurityContextConstraint is set (Manual)

None required. Security Context Constraints are enabled by default in OpenShift and cannot be disabled.

1.2.17 Ensure that the admission control plugin NodeRestriction is set (Manual)

The NodeRestriction plugin cannot be disabled.

1.2.18 Ensure that the --insecure-bind-address argument is not set (Manual)

None required.

1.2.19 Ensure that the --insecure-port argument is set to 0 (Manual)

None required. The configuration is managed by the API server operator.

1.2.20 Ensure that the --secure-port argument is not set to 0 (Manual)

None required.

1.2.21 Ensure that the healthz endpoint is protected by RBAC (Manual)

None required, as profiling data is protected by RBAC.

1.2.22 Ensure that the --audit-log-path argument is set (Manual)

None required. This is managed by the cluster apiserver operator.

1.2.23 Ensure that the audit logs are forwarded off the cluster for retention (Manual)

Follow the OpenShift documentation on forwarding logs to third-party systems: https://docs.openshift.com/container-platform/4.5/logging/cluster-logging-external.html

1.2.24 Ensure that the maximumRetainedFiles argument is set to 10 or as appropriate (Manual)

Set the maximumRetainedFiles parameter to 10 or another appropriate number of files, for example:

maximumRetainedFiles: 10

1.2.25 Ensure that the maximumFileSizeMegabytes argument is set to 100 or as appropriate (Manual)

Set the maximumFileSizeMegabytes parameter (the OpenShift equivalent of audit-log-maxsize) to 100 or another appropriate size in megabytes, for example:

maximumFileSizeMegabytes: 100

1.2.26 Ensure that the --request-timeout argument is set as appropriate (Manual)

TBD

1.2.27 Ensure that the --service-account-lookup argument is set to true (Manual)

TBD

1.2.28 Ensure that the --service-account-key-file argument is set as appropriate (Manual)

The OpenShift API server does not use the service-account-key-file argument. The ServiceAccount token authenticator is configured with serviceAccountConfig.publicKeyFiles. OpenShift does not reuse the apiserver TLS key. This is not configurable.

1.2.29 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Manual)

OpenShift automatically manages TLS and client certificate authentication for etcd. This is not configurable.

1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)

OpenShift automatically manages TLS authentication for the API server's communication with the node/kubelet. This is not configurable. You may optionally set a custom default certificate to be used by the API server when serving content, so that clients can reach the API server at a different host name or without having the cluster-managed certificate authority (CA) certificates distributed to them. Follow the directions in the OpenShift documentation under "User-provided certificates for the API server".

1.2.31 Ensure that the --client-ca-file argument is set as appropriate (Manual)

OpenShift automatically manages TLS authentication for the API server's communication with the node/kubelet. This is not configurable. You may optionally set a custom default certificate to be used by the API server when serving content, so that clients can reach the API server at a different host name or without having the cluster-managed certificate authority (CA) certificates distributed to them.

User-provided certificates must be supplied in a Secret of type kubernetes.io/tls in the openshift-config namespace. Then update the API server cluster configuration (the apiserver/cluster resource) to enable use of the user-provided certificate.

1.2.32 Ensure that the --etcd-cafile argument is set as appropriate (Manual)

None required. OpenShift generates the etcd-cafile and sets the arguments appropriately in the API server. Communication with etcd is secured by the etcd serving CA.

1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)

Follow the OpenShift documentation on encrypting etcd data (Authentication, OpenShift Container Platform 4.5): https://docs.openshift.com/container-platform/4.5/security/encrypting-etcd.html

1.2.34 Ensure that encryption providers are appropriately configured (Manual)

Follow the Kubernetes documentation and configure an EncryptionConfig file. In this file, choose aescbc, kms or secretbox as the encryption provider.

1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)

Verify that the tlsSecurityProfile is set to the value you chose. Note: the HAProxy Ingress Controller image does not support TLS 1.3, and because the Modern profile requires TLS 1.3, that profile is not supported there. The Ingress Operator converts the Modern profile to Intermediate. The Ingress Operator also converts the TLS 1.0 of an Old or Custom profile to 1.1, and the TLS 1.3 of a Custom profile to 1.2.
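As an added example (not kube-bench's own code), the following Python checker evaluates checks 1.2.31, 1.2.33 and 1.2.35 against the apiserver/cluster resource in the JSON shape returned by "oc get apiserver cluster -o json". The field paths spec.servingCerts.namedCertificates, spec.encryption.type and spec.tlsSecurityProfile are those of the OpenShift 4 config.openshift.io/v1 APIServer resource; the two sample resources, the Secret name and the host name are constructed for the example.

```python
import json
def _get(d, *path, default=None):
    """Walk nested dict keys; return default when any key is missing."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d
def audit_apiserver(cfg, chosen_profile="Intermediate"):
    """Return {check_id: result} for checks 1.2.31, 1.2.33 and 1.2.35."""
    spec = cfg.get("spec") or {}
    out = {}
    # 1.2.31: user-provided serving certs are listed in spec.servingCerts.namedCertificates,
    # each naming a kubernetes.io/tls Secret in openshift-config. They are optional.
    certs = _get(spec, "servingCerts", "namedCertificates", default=[]) or []
    names = [n for n in (_get(c, "servingCertificate", "name") for c in certs) if n]
    out["1.2.31"] = ("PASS user-provided certificate Secret(s): " + ", ".join(names)
                     if names else "PASS cluster-managed certificate (default)")
    # 1.2.33: etcd encryption at rest is enabled with spec.encryption.type: aescbc;
    # an absent field means the identity (plaintext) provider.
    enc = _get(spec, "encryption", "type", default="identity")
    out["1.2.33"] = "PASS aescbc" if enc == "aescbc" else f"FAIL encryption type is {enc}"
    # 1.2.35: the profile must be the one you chose and must not admit TLS 1.0/1.1.
    # An unset tlsSecurityProfile means the Intermediate default.
    profile = _get(spec, "tlsSecurityProfile", default={}) or {}
    ptype = profile.get("type", "Intermediate")
    min_tls = _get(profile, "custom", "minTLSVersion", default="VersionTLS12")
    if ptype == "Old" or (ptype == "Custom" and min_tls in ("VersionTLS10", "VersionTLS11")):
        out["1.2.35"] = f"FAIL profile {ptype} permits TLS below 1.2"
    elif ptype != chosen_profile:
        out["1.2.35"] = f"FAIL profile is {ptype}, expected {chosen_profile}"
    else:
        out["1.2.35"] = f"PASS profile {ptype}"
    return out

# Constructed sample resources in the shape of `oc get apiserver cluster -o json`.
HARDENED = json.loads("""{"apiVersion": "config.openshift.io/v1", "kind": "APIServer",
 "metadata": {"name": "cluster"},
 "spec": {"encryption": {"type": "aescbc"},
          "servingCerts": {"namedCertificates": [{"names": ["api.example.test"],
                           "servingCertificate": {"name": "api-cert"}}]},
          "tlsSecurityProfile": {"type": "Intermediate", "intermediate": {}}}}""")
WEAK = json.loads("""{"apiVersion": "config.openshift.io/v1", "kind": "APIServer",
 "metadata": {"name": "cluster"}, "spec": {"tlsSecurityProfile": {"type": "Custom",
 "custom": {"minTLSVersion": "VersionTLS11", "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256"]}}}}""")

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_apiserver(cfg))
```

Pass chosen_profile="Modern" or "Custom" to match the profile you actually selected; an Old profile, or a Custom profile whose minTLSVersion is below VersionTLS12, fails regardless.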