The Entrust PKI Hub K3s (Lightweight Kubernetes) is hardened to meet the following recommendations.
- Document: CIS Kubernetes Benchmark v1.6.0
- Profiles: Level 2 - Master Node and Level 2 - Worker Node
Specifically, the Entrust PKI Hub K3s meets all recommendations marked 
in the following table.
CIS recommendation | Description | Compliance |
|---|---|---|
1.1.1 | Ensure that the API server pod specification file permissions are set to 644 or more restrictive |
|
1.1.2 | Ensure that the API server pod specification file ownership is set to root:root |
|
1.1.3 | Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive |
|
1.1.4 | Ensure that the controller manager pod specification file ownership is set to root:root |
|
1.1.5 | Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive |
|
1.1.6 | Ensure that the scheduler pod specification file ownership is set to root:root |
|
1.1.7 | Ensure that the etcd pod specification file permissions are set to 644 or more restrictive |
|
1.1.8 | Ensure that the etcd pod specification file ownership is set to root:root |
|
1.1.9 | Ensure that the Container Network Interface file permissions are set to 644 or more restrictive |
|
1.1.10 | Ensure that the Container Network Interface file ownership is set to root:root |
|
1.1.11 | Ensure that the etcd data directory permissions are set to 700 or more restrictive if etcd is used |
|
1.1.12 | Ensure that the etcd data directory ownership is set to etcd:etcd if etcd is used |
|
1.1.13 | Ensure that the admin.kubeconfig file permissions are set to 644 or more restrictive |
|
1.1.14 | Ensure that the admin.kubeconfig file ownership is set to root:root |
|
1.1.15 | Ensure that the scheduler.kubeconfig file permissions are set to 644 or more restrictive |
|
1.1.16 | Ensure that the scheduler.kubeconfig file ownership is set to root:root |
|
1.1.17 | Ensure that the cloud-controller.kubeconfig file permissions are set to 644 or more restrictive |
|
1.1.18 | Ensure that the /var/lib/rancher/k3s/server/cred/cloud-controller.kubeconfig file ownership is set to root:root |
|
1.1.19 | Ensure that the Kubernetes PKI directory and file ownership is set to root:root |
|
1.1.20 | Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive |
|
1.1.21 | Ensure that the Kubernetes PKI key file permissions are set to 600 |
|
1.2.1 | Ensure that the --anonymous-auth argument is set to false |
|
1.2.2 | Ensure that the --basic-auth-file argument is not set |
|
1.2.3 | Ensure that the --token-auth-file parameter is not set |
|
1.2.4 | Ensure that the --kubelet-https argument is set to true |
|
1.2.5 | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate |
|
1.2.6 | Ensure that the --kubelet-certificate-authority argument is set as appropriate |
|
1.2.7 | Ensure that the --authorization-mode argument is not set to AlwaysAllow |
|
1.2.8 | Ensure that the --authorization-mode argument includes Node |
|
1.2.9 | Ensure that the --authorization-mode argument includes RBAC |
|
1.2.10 | Ensure that the admission control plugin EventRateLimit is set |
|
1.2.11 | Ensure that the admission control plugin AlwaysAdmit is not set |
|
1.2.12 | Ensure that the admission control plugin AlwaysPullImages is set |
|
1.2.13 | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used |
|
1.2.14 | Ensure that the admission control plugin ServiceAccount is set |
|
1.2.15 | Ensure that the admission control plugin NamespaceLifecycle is set |
|
1.2.16 | Ensure that the admission control plugin PodSecurityPolicy is set |
|
1.2.17 | Ensure that the admission control plugin NodeRestriction is set |
|
1.2.18 | Ensure that the --insecure-bind-address argument is not set |
|
1.2.19 | Ensure that the --insecure-port argument is set to 0 |
|
1.2.20 | Ensure that the --secure-port argument is not set to 0 |
|
1.2.21 | Ensure that the --profiling argument is set to false |
|
1.2.22 | Ensure that the --audit-log-path argument is set |
|
1.2.23 | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate |
|
1.2.24 | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate |
|
1.2.25 | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate |
|
1.2.26 | Ensure that the --request-timeout argument is set as appropriate |
|
1.2.27 | Ensure that the --service-account-lookup argument is set to true |
|
1.2.28 | Ensure that the --service-account-key-file argument is set as appropriate |
|
1.2.29 | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate |
|
1.2.30 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate |
|
1.2.31 | Ensure that the --client-ca-file argument is set as appropriate |
|
1.2.32 | Ensure that the --etcd-cafile argument is set as appropriate |
|
1.2.33 | Ensure that the --encryption-provider-config argument is set as appropriate |
|
1.2.34 | Ensure that encryption providers are appropriately configured |
|
1.2.35 | Ensure that the API Server only makes use of Strong Cryptographic Ciphers |
|
1.3.1 | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate |
|
1.3.2 | Ensure that the --profiling argument is set to false |
|
1.3.3 | Ensure that the --use-service-account-credentials argument is set to true |
|
1.3.4 | Ensure that the --service-account-private-key-file argument is set as appropriate |
|
1.3.5 | Ensure that the --root-ca-file argument is set as appropriate |
|
1.3.6 | Ensure that the RotateKubeletServerCertificate argument is set to true |
|
1.3.7 | Ensure that the --bind-address argument is set to 127.0.0.1 |
|
1.4.1 | Ensure that the --profiling argument is set to false |
|
1.4.2 | Ensure that the --bind-address argument is set to 127.0.0.1 |
|
2.1 | Ensure that the --cert-file and --key-file arguments are set as appropriate if use etcd as database |
|
2.2 | Ensure that the --client-cert-auth argument is set to true |
|
2.3 | Ensure that the --auto-tls argument is not set to true |
|
2.4 | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate |
|
2.5 | Ensure that the --peer-client-cert-auth argument is set to true |
|
2.6 | Ensure that the --peer-auto-tls argument is not set to true |
|
2.7 | Ensure that a unique Certificate Authority is used for etcd |
|
3.1.1 | Client certificate authentication should not be used for users |
|
3.2.1 | Ensure that a minimal audit policy is created |
|
3.2.2 | Ensure that the audit policy covers key security concerns |
|
4.1.1 | Ensure that the kubelet service file permissions are set to 644 or more restrictive |
|
4.1.2 | Ensure that the kubelet service file ownership is set to root:root |
|
4.1.3 | If proxy kubeproxy.kubeconfig file exists ensure permissions are set to 644 or more restrictive |
|
4.1.4 | Ensure that the proxy kubeconfig file ownership is set to root:root |
|
4.1.5 | Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive |
|
4.1.6 | Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root |
|
4.1.7 | Ensure that the certificate authorities file permissions are set to 644 or more restrictive |
|
4.1.8 | Ensure that the client certificate authorities file ownership is set to root:root |
|
4.1.9 | Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive |
|
4.1.10 | Ensure that the kubelet --config configuration file ownership is set to root:root |
|
4.2.1 | Ensure that the anonymous-auth argument is set to false |
|
4.2.2 | Ensure that the --authorization-mode argument is not set to AlwaysAllow |
|
4.2.3 | Ensure that the --client-ca-file argument is set as appropriate |
|
4.2.4 | Ensure that the --read-only-port argument is set to 0 |
|
4.2.5 | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 |
|
4.2.6 | Ensure that the --protect-kernel-defaults argument is set to true |
|
4.2.7 | Ensure that the --make-iptables-util-chains argument is set to true |
|
4.2.8 | Ensure that the --hostname-override argument is not set |
|
4.2.9 | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture |
|
4.2.10 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate |
|
4.2.11 | Ensure that the --rotate-certificates argument is not set to false |
|
4.2.12 | Verify that the RotateKubeletServerCertificate argument is set to true |
|
4.2.13 | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers |
|
5.1.1 | Ensure that the cluster-admin role is only used where required |
|
5.1.2 | Minimize access to secrets |
|
5.1.3 | Minimize wildcard use in Roles and ClusterRoles |
|
5.1.4 | Minimize access to create pods |
|
5.1.5 | Ensure that default service accounts are not actively used. |
|
5.1.6 | Ensure that Service Account Tokens are only mounted where necessary |
|
5.2.1 | Minimize the admission of privileged containers |
|
5.2.2 | Minimize the admission of containers wishing to share the host process ID namespace |
|
5.2.3 | Minimize the admission of containers wishing to share the host IPC namespace |
|
5.2.4 | Minimize the admission of containers wishing to share the host network namespace |
|
5.2.5 | Minimize the admission of containers with allowPrivilegeEscalation |
|
5.2.6 | Minimize the admission of root containers |
|
5.2.7 | Minimize the admission of containers with the NET_RAW capability |
|
5.2.8 | Minimize the admission of containers with added capabilities |
|
5.2.9 | Minimize the admission of containers with capabilities assigned |
|
5.3.1 | Ensure that the CNI in use supports Network Policies |
|
5.3.2 | Ensure that all Namespaces have Network Policies defined |
|
5.4.1 | Prefer using secrets as files over secrets as environment variables |
|
5.4.2 | Consider external secret storage |
|
5.5.1 | Configure Image Provenance using ImagePolicyWebhook admission controller |
|
5.7.1 | Create administrative boundaries between resources using namespaces |
|
5.7.2 | Ensure that the seccomp profile is set to docker/default in your pod definitions |
|
5.7.3 | Apply Security Context to Your Pods and Containers |
|
5.7.4 | The default namespace should not be used |
|
