Merge pull request #222055 from Nickomang/aks-update-cis-benchmark

BCS2022 · web-flow · commit cf02ee4efd23 · 2023-01-10T11:05:35.000-08:00
Update AKS benchmark for Kubernetes v1.24
diff --git a/articles/aks/cis-kubernetes.md b/articles/aks/cis-kubernetes.md
@@ -3,7 +3,7 @@ title: Center for Internet Security (CIS) Kubernetes benchmark
 description: Learn how AKS applies the CIS Kubernetes benchmark
 services: container-service
 ms.topic: article
-ms.date: 10/04/2022
+ms.date: 12/20/2022
 ---
 
 # Center for Internet Security (CIS) Kubernetes benchmark
@@ -12,7 +12,7 @@ As a secure service, Azure Kubernetes Service (AKS) complies with SOC, ISO, PCI
 
 ## Kubernetes CIS benchmark
 
-The following are the results from the [CIS Kubernetes V1.20 Benchmark v1.0.0][cis-benchmark-kubernetes] recommendations on AKS.
+The following are the results from the [CIS Kubernetes V1.24 Benchmark v1.0.0][cis-benchmark-kubernetes] recommendations on AKS. These are applicable to AKS 1.21.x through AKS 1.24.x.
 
 *Scored* recommendations affect the benchmark score if they are not applied, while *Not Scored* recommendations don't.
 
@@ -33,74 +33,70 @@ Recommendations can have one of the following statuses:
 |---|---|---|---|---|
 |1|Control Plane Components||||
 |1.1|Control Plane Node Configuration Files||||
-|1.1.1|Ensure that the API server pod specification file permissions are set to 644 or more restrictive|Scored|L1|N/A|
+|1.1.1|Ensure that the API server pod specification file permissions are set to 600 or more restrictive|Scored|L1|N/A|
 |1.1.2|Ensure that the API server pod specification file ownership is set to root:root|Scored|L1|N/A|
-|1.1.3|Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive|Scored|L1|N/A|
+|1.1.3|Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive|Scored|L1|N/A|
 |1.1.4|Ensure that the controller manager pod specification file ownership is set to root:root|Scored|L1|N/A|
-|1.1.5|Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive|Scored|L1|N/A|
+|1.1.5|Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive|Scored|L1|N/A|
 |1.1.6|Ensure that the scheduler pod specification file ownership is set to root:root|Scored|L1|N/A|
-|1.1.7|Ensure that the etcd pod specification file permissions are set to 644 or more restrictive|Scored|L1|N/A|
+|1.1.7|Ensure that the etcd pod specification file permissions are set to 600 or more restrictive|Scored|L1|N/A|
 |1.1.8|Ensure that the etcd pod specification file ownership is set to root:root|Scored|L1|N/A|
-|1.1.9|Ensure that the Container Network Interface file permissions are set to 644 or more restrictive|Not Scored|L1|N/A|
+|1.1.9|Ensure that the Container Network Interface file permissions are set to 600 or more restrictive|Not Scored|L1|N/A|
 |1.1.10|Ensure that the Container Network Interface file ownership is set to root:root|Not Scored|L1|N/A|
 |1.1.11|Ensure that the etcd data directory permissions are set to 700 or more restrictive|Scored|L1|N/A|
 |1.1.12|Ensure that the etcd data directory ownership is set to etcd:etcd|Scored|L1|N/A|
-|1.1.13|Ensure that the admin.conf file permissions are set to 644 or more restrictive|Scored|L1|N/A|
+|1.1.13|Ensure that the admin.conf file permissions are set to 600 or more restrictive|Scored|L1|N/A|
 |1.1.14|Ensure that the admin.conf file ownership is set to root:root|Scored|L1|N/A|
-|1.1.15|Ensure that the scheduler.conf file permissions are set to 644 or more restrictive|Scored|L1|N/A|
+|1.1.15|Ensure that the scheduler.conf file permissions are set to 600 or more restrictive|Scored|L1|N/A|
 |1.1.16|Ensure that the scheduler.conf file ownership is set to root:root|Scored|L1|N/A|
-|1.1.17|Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive|Scored|L1|N/A|
+|1.1.17|Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive|Scored|L1|N/A|
 |1.1.18|Ensure that the controller-manager.conf file ownership is set to root:root|Scored|L1|N/A|
 |1.1.19|Ensure that the Kubernetes PKI directory and file ownership is set to root:root|Scored|L1|N/A|
-|1.1.20|Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive|Scored|L1|N/A|
+|1.1.20|Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive|Scored|L1|N/A|
 |1.1.21|Ensure that the Kubernetes PKI key file permissions are set to 600|Scored|L1|N/A|
 |1.2|API Server||||
 |1.2.1|Ensure that the `--anonymous-auth` argument is set to false|Not Scored|L1|Pass|
-|1.2.2|Ensure that the `--basic-auth-file` argument is not set|Scored|L1|Pass|
-|1.2.3|Ensure that the `--token-auth-file` parameter is not set|Scored|L1|Fail|
-|1.2.4|Ensure that the `--kubelet-https` argument is set to true|Scored|L1|Equivalent Control |
-|1.2.5|Ensure that the `--kubelet-client-certificate` and `--kubelet-client-key` arguments are set as appropriate|Scored|L1|Pass|
-|1.2.6|Ensure that the `--kubelet-certificate-authority` argument is set as appropriate|Scored|L1|Equivalent Control|
-|1.2.7|Ensure that the `--authorization-mode` argument is not set to AlwaysAllow|Scored|L1|Pass|
-|1.2.8|Ensure that the `--authorization-mode` argument includes Node|Scored|L1|Pass|
-|1.2.9|Ensure that the `--authorization-mode` argument includes RBAC|Scored|L1|Pass|
-|1.2.10|Ensure that the admission control plugin EventRateLimit is set|Not Scored|L1|Fail|
-|1.2.11|Ensure that the admission control plugin AlwaysAdmit is not set|Scored|L1|Pass|
-|1.2.12|Ensure that the admission control plugin AlwaysPullImages is set|Not Scored|L1|Fail|
-|1.2.13|Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used|Not Scored|L1|Fail|
-|1.2.14|Ensure that the admission control plugin ServiceAccount is set|Scored|L1|Pass|
-|1.2.15|Ensure that the admission control plugin NamespaceLifecycle is set|Scored|L1|Pass|
-|1.2.16|Ensure that the admission control plugin PodSecurityPolicy is set|Scored|L1|Fail|
-|1.2.17|Ensure that the admission control plugin NodeRestriction is set|Scored|L1|Fail|
-|1.2.18|Ensure that the `--insecure-bind-address` argument is not set|Scored|L1|Fail|
-|1.2.19|Ensure that the `--insecure-port` argument is set to 0|Scored|L1|Pass|
-|1.2.20|Ensure that the `--secure-port` argument is not set to 0|Scored|L1|Pass|
-|1.2.21|Ensure that the `--profiling` argument is set to false|Scored|L1|Pass|
-|1.2.22|Ensure that the `--audit-log-path` argument is set|Scored|L1|Pass|
-|1.2.23|Ensure that the `--audit-log-maxage` argument is set to 30 or as appropriate|Scored|L1|Equivalent Control|
-|1.2.24|Ensure that the `--audit-log-maxbackup` argument is set to 10 or as appropriate|Scored|L1|Equivalent Control|
-|1.2.25|Ensure that the `--audit-log-maxsize` argument is set to 100 or as appropriate|Scored|L1|Pass|
-|1.2.26|Ensure that the `--request-timeout` argument is set as appropriate|Scored|L1|Pass|
-|1.2.27|Ensure that the `--service-account-lookup` argument is set to true|Scored|L1|Pass|
-|1.2.28|Ensure that the `--service-account-key-file` argument is set as appropriate|Scored|L1|Pass|
-|1.2.29|Ensure that the `--etcd-certfile` and `--etcd-keyfile` arguments are set as appropriate|Scored|L1|Pass|
-|1.2.30|Ensure that the `--tls-cert-file` and `--tls-private-key-file` arguments are set as appropriate|Scored|L1|Pass|
-|1.2.31|Ensure that the `--client-ca-file` argument is set as appropriate|Scored|L1|Pass|
-|1.2.32|Ensure that the `--etcd-cafile` argument is set as appropriate|Scored|L1|Pass|
-|1.2.33|Ensure that the `--encryption-provider-config` argument is set as appropriate|Scored|L1|Fail|
-|1.2.34|Ensure that encryption providers are appropriately configured|Scored|L1|Fail|
-|1.2.35|Ensure that the API Server only makes use of Strong Cryptographic Ciphers|Not Scored|L1|Pass|
+|1.2.2|Ensure that the `--token-auth-file` parameter is not set|Scored|L1|Fail|
+|1.2.3|Ensure that `--DenyServiceExternalIPs` is not set|Scored|L1|Pass|
+|1.2.4|Ensure that the `--kubelet-client-certificate` and `--kubelet-client-key` arguments are set as appropriate|Scored|L1|Pass|
+|1.2.5|Ensure that the `--kubelet-certificate-authority` argument is set as appropriate|Scored|L1|Fail|
+|1.2.6|Ensure that the `--authorization-mode` argument is not set to AlwaysAllow|Scored|L1|Pass|
+|1.2.7|Ensure that the `--authorization-mode` argument includes Node|Scored|L1|Pass|
+|1.2.8|Ensure that the `--authorization-mode` argument includes RBAC|Scored|L1|Pass|
+|1.2.9|Ensure that the admission control plugin EventRateLimit is set|Not Scored|L1|Fail|
+|1.2.10|Ensure that the admission control plugin AlwaysAdmit is not set|Scored|L1|Pass|
+|1.2.11|Ensure that the admission control plugin AlwaysPullImages is set|Not Scored|L1|Fail|
+|1.2.12|Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used|Not Scored|L1|Fail|
+|1.2.13|Ensure that the admission control plugin ServiceAccount is set|Scored|L1|Pass|
+|1.2.14|Ensure that the admission control plugin NamespaceLifecycle is set|Scored|L1|Pass|
+|1.2.15|Ensure that the admission control plugin NodeRestriction is set|Scored|L1|Pass|
+|1.2.16|Ensure that the `--secure-port` argument is not set to 0|Scored|L1|Pass|
+|1.2.17|Ensure that the `--profiling` argument is set to false|Scored|L1|Pass|
+|1.2.18|Ensure that the `--audit-log-path` argument is set|Scored|L1|Pass|
+|1.2.19|Ensure that the `--audit-log-maxage` argument is set to 30 or as appropriate|Scored|L1|Equivalent Control|
+|1.2.20|Ensure that the `--audit-log-maxbackup` argument is set to 10 or as appropriate|Scored|L1|Equivalent Control|
+|1.2.21|Ensure that the `--audit-log-maxsize` argument is set to 100 or as appropriate|Scored|L1|Pass|
+|1.2.22|Ensure that the `--request-timeout` argument is set as appropriate|Scored|L1|Pass|
+|1.2.23|Ensure that the `--service-account-lookup` argument is set to true|Scored|L1|Pass|
+|1.2.24|Ensure that the `--service-account-key-file` argument is set as appropriate|Scored|L1|Pass|
+|1.2.25|Ensure that the `--etcd-certfile` and `--etcd-keyfile` arguments are set as appropriate|Scored|L1|Pass|
+|1.2.26|Ensure that the `--tls-cert-file` and `--tls-private-key-file` arguments are set as appropriate|Scored|L1|Pass|
+|1.2.27|Ensure that the `--client-ca-file` argument is set as appropriate|Scored|L1|Pass|
+|1.2.28|Ensure that the `--etcd-cafile` argument is set as appropriate|Scored|L1|Pass|
+|1.2.29|Ensure that the `--encryption-provider-config` argument is set as appropriate|Scored|L1|Depends on Environment|
+|1.2.30|Ensure that encryption providers are appropriately configured|Scored|L1|Depends on Environment|
+|1.2.31|Ensure that the API Server only makes use of Strong Cryptographic Ciphers|Not Scored|L1|Pass|
 |1.3|Controller Manager||||
 |1.3.1|Ensure that the `--terminated-pod-gc-threshold` argument is set as appropriate|Scored|L1|Pass|
 |1.3.2|Ensure that the `--profiling` argument is set to false|Scored|L1|Pass|
 |1.3.3|Ensure that the `--use-service-account-credentials` argument is set to true|Scored|L1|Pass|
 |1.3.4|Ensure that the `--service-account-private-key-file` argument is set as appropriate|Scored|L1|Pass|
 |1.3.5|Ensure that the `--root-ca-file` argument is set as appropriate|Scored|L1|Pass|
-|1.3.6|Ensure that the RotateKubeletServerCertificate argument is set to true|Scored|L2|Pass|
-|1.3.7|Ensure that the `--bind-address` argument is set to 127.0.0.1|Scored|L1|Fail|
+|1.3.6|Ensure that the RotateKubeletServerCertificate argument is set to true|Scored|L2|Fail|
+|1.3.7|Ensure that the `--bind-address` argument is set to 127.0.0.1|Scored|L1|Equivalent Control|
 |1.4|Scheduler||||
 |1.4.1|Ensure that the `--profiling` argument is set to false|Scored|L1|Pass|
-|1.4.2|Ensure that the `--bind-address` argument is set to 127.0.0.1|Scored|L1|Fail|
+|1.4.2|Ensure that the `--bind-address` argument is set to 127.0.0.1|Scored|L1|Equivalent Control|
 |2|etcd||||
 |2.1|Ensure that the `--cert-file` and `--key-file` arguments are set as appropriate|Scored|L1|Pass|
 |2.2|Ensure that the `--client-cert-auth` argument is set to true|Scored|L1|Pass|
@@ -117,16 +113,16 @@ Recommendations can have one of the following statuses:
 |3.2.2|Ensure that the audit policy covers key security concerns|Not Scored|L2|Pass|
 |4|Worker Nodes||||
 |4.1|Worker Node Configuration Files||||
-|4.1.1|Ensure that the kubelet service file permissions are set to 644 or more restrictive|Scored|L1|Pass|
+|4.1.1|Ensure that the kubelet service file permissions are set to 600 or more restrictive|Scored|L1|Pass|
 |4.1.2|Ensure that the kubelet service file ownership is set to root:root|Scored|L1|Pass|
-|4.1.3|Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive|Scored|L1|Pass|
-|4.1.4|Ensure that the proxy kubeconfig file ownership is set to root:root|Scored|L1|Pass|
-|4.1.5|Ensure that the kubelet.conf file permissions are set to 644 or more restrictive|Scored|L1|Pass|
-|4.1.6|Ensure that the kubelet.conf file ownership is set to root:root|Scored|L1|Pass|
-|4.1.7|Ensure that the certificate authorities file permissions are set to 644 or more restrictive|Scored|L1|Pass|
+|4.1.3|If a proxy kubeconfig file exists, ensure permissions are set to 600 or more restrictive|Scored|L1|N/A|
+|4.1.4|If a proxy kubeconfig file exists, ensure ownership is set to root:root|Scored|L1|N/A|
+|4.1.5|Ensure that the `--kubeconfig` kubelet.conf file permissions are set to 600 or more restrictive|Scored|L1|Pass|
+|4.1.6|Ensure that the `--kubeconfig` kubelet.conf file ownership is set to root:root|Scored|L1|Pass|
+|4.1.7|Ensure that the certificate authorities file permissions are set to 600 or more restrictive|Scored|L1|Pass|
 |4.1.8|Ensure that the client certificate authorities file ownership is set to root:root|Scored|L1|Pass|
-|4.1.9|Ensure that the kubelet configuration file has permissions set to 644 or more restrictive|Scored|L1|Pass|
-|4.1.10|Ensure that the kubelet configuration file ownership is set to root:root|Scored|L1|Pass|
+|4.1.9|If the kubelet config.yaml configuration file is being used, ensure permissions set to 600 or more restrictive|Scored|L1|Pass|
+|4.1.10|If the kubelet config.yaml configuration file is being used, ensure file ownership is set to root:root|Scored|L1|Pass|
 |4.2|Kubelet||||
 |4.2.1|Ensure that the `--anonymous-auth` argument is set to false|Scored|L1|Pass|
 |4.2.2|Ensure that the `--authorization-mode` argument is not set to AlwaysAllow|Scored|L1|Pass|
@@ -136,10 +132,10 @@ Recommendations can have one of the following statuses:
 |4.2.6|Ensure that the `--protect-kernel-defaults` argument is set to true|Scored|L1|Pass|
 |4.2.7|Ensure that the `--make-iptables-util-chains` argument is set to true|Scored|L1|Pass|
 |4.2.8|Ensure that the `--hostname-override` argument is not set|Not Scored|L1|Pass|
-|4.2.9|Ensure that the `--event-qps` argument is set to 0 or a level which ensures appropriate event capture|Not Scored|L2|Pass|
-|4.2.10|Ensure that the `--tls-cert-file`and `--tls-private-key-file` arguments are set as appropriate|Scored|L1|Equivalent Control|
+|4.2.9|Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture|Not Scored|L2|Pass|
+|4.2.10|Ensure that the `--tls-cert-file`and `--tls-private-key-file` arguments are set as appropriate|Scored|L1|Pass|
 |4.2.11|Ensure that the `--rotate-certificates` argument is not set to false|Scored|L1|Pass|
-|4.2.12|Ensure that the RotateKubeletServerCertificate argument is set to true|Scored|L1|Fail|
+|4.2.12|Ensure that the RotateKubeletServerCertificate argument is set to true|Scored|L1|Pass|
 |4.2.13|Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers|Not Scored|L1|Pass|
 |5|Policies||||
 |5.1|RBAC and Service Accounts||||
@@ -189,7 +185,6 @@ For more information about AKS security, see the following articles:
 * [AKS security considerations](./concepts-security.md)
 * [AKS best practices](./best-practices.md)
 
-
 [azure-update-management]: ../automation/update-management/overview.md
 [azure-file-integrity-monotoring]: ../security-center/security-center-file-integrity-monitoring.md
 [azure-time-sync]: ../virtual-machines/linux/time-sync.md
