articles/operator-nexus/concepts-security.md
Lines changed: 42 additions & 10 deletions
@@ -57,47 +57,79 @@ Industry standard security benchmarking tools are used to scan the Azure Operato
57
57
58
58
Some controls are not technically feasible to implement in the Azure Operator Nexus environment, and these excepoted controls are documented below for the applicable Nexus layers.
59
59
60
-
Environmental controls such as RBAC and Service Account tests are not evaluated by these tools, as they may be differ based on customer requirements.
60
+
Environmental controls such as RBAC and Service Account tests are not evaluated by these tools, as the outcomes may differ based on customer requirements.
61
61
62
62
**NTF = Not Technically Feasible**
63
63
64
64
### OpenSCAP STIG
65
65
66
66
*Undercloud*
67
67
68
-
:::image type="content" source="media/security/undercloud-openscap.png" alt-text="Screenshot of OpenSCAP STIG exceptions" lightbox="media/security/media/security/undercloud-openscap.png":::
68
+
:::image type="content" source="media/security/undercloud_openscap.png" alt-text="Screenshot of Undercloud OpenSCAP exceptions" lightbox="media/security/undercloud_openscap.png":::
69
69
70
-
|STIG ID|Recommendation description|Status|Issue|
70
+
|STIG ID|Recommendation description|Status|Issue|
71
71
|---|---|---|---|
72
72
|V-242386|The Kubernetes API server must have the insecure port flag disabled|NTF|This check is deprecated in v1.24.0 and greater|
73
73
|V-242397|The Kubernetes kubelet staticPodPath must not enable static pods|NTF|Only enabled for control nodes, required for kubeadm|
74
74
|V-242403|Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event|NTF|Certain API requests and responses contain secrets and therefore are not captured in the audit logs|
75
75
|V-242424|Kubernetes Kubelet must enable tlsPrivateKeyFile for client authentication to secure service|NTF|Kubelet SANS contains hostname only|
76
76
|V-242425|Kubernetes Kubelet must enable tlsCertFile for client authentication to secure service.|NTF|Kubelet SANS contains hostname only|
77
-
|V-242434|Kubernetes Kubelet must enable kernel protection.|NTF|Enabling kernel protection is not applicable for kubeadm in Nexus|
77
+
|V-242434|Kubernetes Kubelet must enable kernel protection.|NTF|Enabling kernel protection is not feasible for kubeadm in Nexus|
78
+
78
79
79
80
*Nexus Kubernetes/NAKS*
80
81
82
+
:::image type="content" source="media/security/naks_openscap.png" alt-text="Screenshot of NAKS OpenSCAP exceptions" lightbox="media/security/naks_openscap.png":::
83
+
84
+
|STIG ID|Recommendation description|Status|Issue|
85
+
|---|---|---|---|
86
+
|V-242386|The Kubernetes API server must have the insecure port flag disabled|NTF|This check is deprecated in v1.24.0 and greater|
87
+
|V-242397|The Kubernetes kubelet staticPodPath must not enable static pods|NTF|Only enabled for control nodes, required for kubeadm|
88
+
|V-242403|Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event|NTF|Certain API requests and responses contain secrets and therefore are not captured in the audit logs|
89
+
|V-242424|Kubernetes Kubelet must enable tlsPrivateKeyFile for client authentication to secure service|NTF|Kubelet SANS contains hostname only|
90
+
|V-242425|Kubernetes Kubelet must enable tlsCertFile for client authentication to secure service.|NTF|Kubelet SANS contains hostname only|
91
+
|V-242434|Kubernetes Kubelet must enable kernel protection.|NTF|Enabling kernel protection is not feasible for kubeadm in Nexus|
92
+
93
+
81
94
*Cluster Manager - Azure Kubernetes*
82
95
83
-
### Aquasec Kube-Bench
96
+
As a secure service, Azure Kubernetes Service (AKS) complies with SOC, ISO, PCI DSS, and HIPAA standards. The following image shows the OpenSCAP file permission exceptions for the Cluster Manager AKS implementation.
97
+
98
+
:::image type="content" source="media/security/cm_openscap.png" alt-text="Screenshot of Cluster Manager OpenSCAP exceptions" lightbox="media/security/cm_openscap.png":::
99
+
100
+
101
+
### Aquasec Kube-Bench - CIS 1.9
84
102
85
103
*Undercloud*
86
104
87
-
:::image type="content" source="media/security/undercloud-kubebench.png" alt-text="Screenshot of Kube-Bench exceptions" lightbox="media/security/media/security/undercloud-kubebench.png":::
105
+
:::image type="content" source="media/security/undercloud_kubebench.png" alt-text="Screenshot of Undercloud Kube-Bench exceptions" lightbox="media/security/undercloud_kubebench.png":::
88
106
89
-
|CIS ID|Recommendation description|Status|Issue|
107
+
|CIS ID|Recommendation description|Status|Issue|
90
108
|---|---|---|---|
91
109
|1|Control Plane Components|||
92
110
|1.1|Control Plane Node Configuration Files|||
93
111
|1.1.12|Ensure that the etcd data directory ownership is set to etcd:etcd|NTF|Nexus is root:root, etcd user is not configured for kubeadm|
94
-
|1.2|API Server||||
112
+
|1.2|API Server|||
95
113
|1.1.12|Ensure that the --kubelet-certificate-authority argument is set as appropriate|NTF|Kubelet SANS includes hostname only|
96
114
97
115
98
116
*Nexus Kubernetes/NAKS*
99
117
100
-
*Cluster Manager*
118
+
:::image type="content" source="media/security/naks_kubebench.png" alt-text="Screenshot of NAKS Kube-Bench exceptions" lightbox="media/security/naks_kubebench.png":::
119
+
120
+
|CIS ID|Recommendation description|Status|Issue|
121
+
|---|---|---|---|
122
+
|1|Control Plane Components|||
123
+
|1.1|Control Plane Node Configuration Files|||
124
+
|1.1.12|Ensure that the etcd data directory ownership is set to etcd:etcd|NTF|Nexus is root:root, etcd user is not configured for kubeadm|
125
+
|1.2|API Server|||
126
+
|1.1.12|Ensure that the --kubelet-certificate-authority argument is set as appropriate|NTF|Kubelet SANS includes hostname only|
127
+
128
+
129
+
*Cluster Manager - Azure Kubernetes*
130
+
131
+
The Operator Nexus Cluster Manager is an AKS implementation. The full CIS benchmark report for AKS can be found [here](https://learn.microsoft.com/azure/aks/cis-kubernetes) to review the tested controls and results.
132
+
133
+
:::image type="content" source="media/security/cm_kubebench.png" alt-text="Screenshot of Cluster Manager Kube-Bench exceptions" lightbox="media/security/cm_kubebench.png":::
101
134
102
-
The Operator Nexus Cluster Manager is an AKS implementation. The CIS benchmark report for AKS can be found [here](https://learn.microsoft.com/en-us/azure/aks/cis-kubernetes) to review the tested controls and results.
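Review bot: in both Kube-Bench tables (the existing Undercloud one and the new NAKS copy) the row `|1.1.12|Ensure that the --kubelet-certificate-authority argument is set as appropriate|NTF|...|` sits under the `|1.2|API Server|||` heading but reuses ID `1.1.12`, which the table already assigns to the etcd data directory ownership control in section 1.1; 1.1.x IDs belong to the control-plane configuration-file section, so this looks like a copy error and the row should carry its actual API Server control number from the CIS 1.9 benchmark before the NAKS table inherits it. Two smaller points in the same hunk: the unchanged context line `Some controls are not technically feasible to implement ... these excepoted controls are documented below` has a typo (`excepted`), and the Issue column writes `Kubelet SANS` in all four tables where `SANs` (Subject Alternative Names) is meant. Since the new NAKS OpenSCAP and Kube-Bench tables are verbatim copies of the Undercloud tables, a one-line statement under *Nexus Kubernetes/NAKS* that the exceptions are identical to the Undercloud layer would make clear the duplication is intentional.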
0 commit comments