CIS Kubernetes Benchmark v1.5.1 # 1.2/1.3/1.4 #1

Open
28 tasks done
hsy3418 opened this issue Jun 17, 2020 · 1 comment
Labels
enhancement New feature or request

Comments

Member

hsy3418 commented Jun 17, 2020

Details

1 Control Plane Components

1.2 API Server

Checklist

  • 1.2.1 Ensure that the --anonymous-auth argument is set to false
  • 1.2.2 Ensure that the --basic-auth-file argument is not set
  • 1.2.3 Ensure that the --token-auth-file parameter is not set
  • 1.2.4 Ensure that the --kubelet-https argument is set to true
  • 1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate
  • 1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate
  • 1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow
  • 1.2.8 Ensure that the --authorization-mode argument includes Node
  • 1.2.9 Ensure that the --authorization-mode argument includes RBAC
  • 1.2.10 Ensure that the admission control plugin EventRateLimit is set
  • 1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set
  • 1.2.12 Ensure that the admission control plugin AlwaysPullImages is set
  • 1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
  • 1.2.14 Ensure that the admission control plugin ServiceAccount is set
  • 1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set
  • 1.2.16 Ensure that the admission control plugin PodSecurityPolicy is set
  • 1.2.17 Ensure that the admission control plugin NodeRestriction is set
  • 1.2.18 Ensure that the --insecure-bind-address argument is not set
  • 1.2.19 Ensure that the --insecure-port argument is set to 0

1.3 Controller Manager

  • 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate
  • 1.3.2 Ensure that the --profiling argument is set to false
  • 1.3.3 Ensure that the --use-service-account-credentials argument is set to true
  • 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate
  • 1.3.5 Ensure that the --root-ca-file argument is set as appropriate
  • 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true
  • 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1  

1.4 Scheduler

  • 1.4.1 Ensure that the --profiling argument is set to false
  • 1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1
@hsy3418 hsy3418 added the enhancement New feature or request label Jun 17, 2020
@issue-label-bot

Issue Label Bot is not confident enough to auto-label this issue. See dashboard for more details.
