Update to benchmark version 1.1.0

Signed-off-by: Kristian Vlaardingerbroek <[email protected]>

Author: rarenerd

README.md

@@ -1,7 +1,7 @@
 # CIS Kubernetes Benchmark - InSpec Profile
 
 ## Description
-This profile implements [CIS Kubernetes 1.6 Benchmark v1.0.0](https://www.cisecurity.org/benchmark/kubernetes/).
+This profile implements the [CIS Kubernetes 1.1.0 Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).
 
 ## License and Author
 

controls/1_1_master_node_api_server.rb

@@ -317,7 +317,7 @@
   tag level: 1
 
   describe processes('kube-apiserver').commands.to_s do
-    it { should_not match(/--authorization-mode=AlwaysAllow/) }
+    it { should_not match(/--authorization-mode=(?:.)*AlwaysAllow,*(?:.)*/) }
     it { should match(/--authorization-mode=/) }
   end
 end
@@ -467,3 +467,55 @@
     it { should match(/--etcd-cafile/) }
   end
 end
+
+control 'cis-kubernetes-benchmark-1.1.32' do
+  title 'Ensure that the --authorization-mode argument is set to Node'
+  desc "Restrict kubelet nodes to reading only objects associated with them.\n\nRationale: The Node authorization mode only allows kubelets to read Secret, ConfigMap, PersistentVolume, and PersistentVolumeClaim objects associated with their nodes."
+  impact 1.0
+
+  tag cis: 'kubernetes:1.1.32'
+  tag level: 1
+
+  describe processes('kube-apiserver').commands.to_s do
+    it { should match(/--authorization-mode=(?:.)*Node,*(?:.)*/) }
+  end
+end
+
+control 'cis-kubernetes-benchmark-1.1.33' do
+  title 'Ensure that the admission control policy is set to NodeRestriction'
+  desc "Limit the Node and Pod objects that a kubelet could modify.\n\nRationale: Using the NodeRestriction plug-in ensures that the kubelet is restricted to the Node and Pod objects that it could modify as defined. Such kubelets will only be allowed to modify their own Node API object, and only modify Pod API objects that are bound to their node."
+  impact 1.0
+
+  tag cis: 'kubernetes:1.1.33'
+  tag level: 1
+
+  describe processes('kube-apiserver').commands.to_s do
+    it { should match(/--admission-control=(?:.)*NodeRestriction,*(?:.)*/) }
+  end
+end
+
+control 'cis-kubernetes-benchmark-1.1.34' do
+  title 'Ensure that the --experimental-encryption-provider-config argument is set as appropriate'
+  desc "Encrypt etcd key-value store.\n\nRationale: etcd is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures."
+  impact 1.0
+
+  tag cis: 'kubernetes:1.1.34'
+  tag level: 1
+
+  describe processes('kube-apiserver').commands.to_s do
+    it { should match(/--experimental-encryption-provider-config=/) }
+  end
+end
+
+control 'cis-kubernetes-benchmark-1.1.35' do
+  title 'Ensure that the encryption provider is set to aescbc'
+  desc "Use aescbc encryption provider.\n\nRationale: aescbc is currently the strongest encryption provider, It should be preferred over other providers."
+  impact 1.0
+
+  tag cis: 'kubernetes:1.1.35'
+  tag level: 1
+
+  describe 'cis-kubernetes-benchmark-1.1.35' do
+    skip 'Review the `EncryptionConfig` file and verify that `aescbc` is used as the encryption provider.'
+  end
+end

controls/1_3_master_node_controller_manager.rb

@@ -48,53 +48,66 @@
 end
 
 control 'cis-kubernetes-benchmark-1.3.3' do
-  title 'Ensure that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set'
-  desc "Do not accept all certificates.\n\nRationale: Setting the `--insecure-experimental-approve-all-kubelet-csrs-for-group` flag circumvents the desired “approval” process. All the certificates are auto-approved without checking their integrity. This flag is meant to be used for development and testing purposes only and hence should not be used in the production."
+  title 'Ensure that the --use-service-account-credentials argument is set to true'
+  desc "Use individual service account credentials for each controller.\n\nRationale: The controller manager creates a service account per controller in the `kube-system` namespace, generates a credential for it, and builds a dedicated API client with that service account credential for each controller loop to use. Setting the `--use-service-account-credentials` to `true` runs each control loop within the controller manager using a separate service account credential. When used in combination with RBAC, this ensures that the control loops run with the minimum permissions required to perform their intended tasks."
   impact 1.0
 
   tag cis: 'kubernetes:1.3.3'
   tag level: 1
 
   describe processes('kube-controller-manager').commands.to_s do
-    it { should_not match(/--insecure-experimental-approve-all-kubelet-csrs-for-group/) }
+    it { should match(/--use-service-account-credentials=true/) }
   end
 end
 
 control 'cis-kubernetes-benchmark-1.3.4' do
-  title 'Ensure that the --use-service-account-credentials argument is set to true'
-  desc "Use individual service account credentials for each controller.\n\nRationale: The controller manager creates a service account per controller in the `kube-system` namespace, generates a credential for it, and builds a dedicated API client with that service account credential for each controller loop to use. Setting the `--use-service-account-credentials` to `true` runs each control loop within the controller manager using a separate service account credential. When used in combination with RBAC, this ensures that the control loops run with the minimum permissions required to perform their intended tasks."
+  title 'Ensure that the --service-account-private-key-file argument is set as appropriate'
+  desc "Explicitly set a service account private key file for service accounts on the controller manager.\n\nRationale: To ensure that keys for service account tokens can be rotated as needed, a separate public/private key pair should be used for signing service account tokens. The private key should be specified to the controller manager with `--service-account-private-key-file` as appropriate."
   impact 1.0
 
   tag cis: 'kubernetes:1.3.4'
   tag level: 1
 
   describe processes('kube-controller-manager').commands.to_s do
-    it { should match(/--use-service-account-credentials=true/) }
+    it { should match(/--service-account-private-key-file=/) }
   end
 end
 
 control 'cis-kubernetes-benchmark-1.3.5' do
-  title 'Ensure that the --service-account-private-key-file  argument is set as appropriate'
-  desc "Explicitly set a service account private key file for service accounts on the controller manager.\n\nRationale: To ensure that keys for service account tokens can be rotated as needed, a separate public/private key pair should be used for signing service account tokens. The private key should be specified to the controller manager with `--service-account-private-key-file` as appropriate."
+  title 'Ensure that the --root-ca-file argument is set as appropriate'
+  desc "Allow pods to verify the API server's serving certificate before establishing connections.\n\nRationale: Processes running within pods that need to contact the API server must verify the API server's serving certificate. Failing to do so could be a subject to man-in-the-middle attacks. Providing the root certificate for the API server's serving certificate to the controller manager with the `--root-ca-file` argument allows the controller manager to inject the trusted bundle into pods so that they can verify TLS connections to the API server."
   impact 1.0
 
   tag cis: 'kubernetes:1.3.5'
   tag level: 1
 
   describe processes('kube-controller-manager').commands.to_s do
-    it { should match(/--service-account-private-key-file=/) }
+    it { should match(/--root-ca-file=/) }
   end
 end
 
 control 'cis-kubernetes-benchmark-1.3.6' do
-  title 'Ensure that the --root-ca-file argument is set as appropriate'
-  desc "Allow pods to verify the API server's serving certificate before establishing connections.\n\nRationale: Processes running within pods that need to contact the API server must verify the API server's serving certificate. Failing to do so could be a subject to man-in-the-middle attacks. Providing the root certificate for the API server's serving certificate to the controller manager with the `--root-ca-file` argument allows the controller manager to inject the trusted bundle into pods so that they can verify TLS connections to the API server."
-  impact 1.0
+  title 'Apply Security Context to Your Pods and Containers'
+  desc "Apply Security Context to Your Pods and Containers.\n\nRationale: A security context defines the operating system security settings (uid, gid, capabilities, SELinux role, etc..) applied to a container. When designing your containers and pods, make sure that you configure the security context for your pods, containers, and volumes. A security context is a property defined in the deployment yaml. It controls the security parameters that will be assigned to the pod/container/volume. There are two levels of security context: pod level security context, and container level security context."
+  impact 0.0
 
   tag cis: 'kubernetes:1.3.6'
   tag level: 1
 
+  describe 'cis-kubernetes-benchmark-1.3.6' do
+    skip 'Review the pod definitions in your cluster and verify that you have security contexts defined as appropriate.'
+  end
+end
+
+control 'cis-kubernetes-benchmark-1.3.7' do
+  title 'Ensure that the RotateKubeletServerCertificate argument is set to true'
+  desc "Enable kubelet server certificate rotation on controller-manager.\n\nRationale: RotateKubeletServerCertificate causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad. Note: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself."
+  impact 1.0
+
+  tag cis: 'kubernetes:1.3.7'
+  tag level: 1
+
   describe processes('kube-controller-manager').commands.to_s do
-    it { should match(/--root-ca-file=/) }
+    it { should match(/--feature-gates=(?:.)*RotateKubeletServerCertificate=true,*(?:.)*/) }
   end
 end

controls/1_6_master_node_general_security_primitives.rb

@@ -70,53 +70,53 @@
 end
 
 control 'cis-kubernetes-benchmark-1.6.5' do
-  title 'Avoid using Kubernetes Secrets'
-  desc "Avoid using Kubernetes `secret`.\n\nRationale: Kubernetes objects of type `secret` are intended to hold sensitive information, such as passwords, OAuth tokens, and ssh keys. Its current implementation is very basic. It has plenty of risks as highlighted in the reference links including storing secrets as plaintext. Avoid using Kubernetes secrets until you have devised a mechanism to protect them using your own means."
+  title 'Ensure that the seccomp profile is set to docker/default in your pod definitions'
+  desc "Enable `docker/default` seccomp profile in your pod definitions.\n\nRationale: Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in the cluster. Kubernetes disables seccomp profiles by default for historical reasons. You should enable it to ensure that the workloads have restricted actions available within the container."
   impact 0.0
 
   tag cis: 'kubernetes:1.6.5'
   tag level: 2
 
   describe 'cis-kubernetes-benchmark-1.6.5' do
-    skip 'Review the output of `kubectl get secrets` and ensure they are the ones you need.'
+    skip 'Review all the pod definitions in your cluster and verify that `seccomp` is enabled.'
   end
 end
 
 control 'cis-kubernetes-benchmark-1.6.6' do
-  title 'Ensure that the seccomp profile is set to docker/default in your pod definitions'
-  desc "Enable `docker/default` seccomp profile in your pod definitions.\n\nRationale: Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in the cluster. Kubernetes disables seccomp profiles by default for historical reasons. You should enable it to ensure that the workloads have restricted actions available within the container."
+  title 'Apply Security Context to Your Pods and Containers'
+  desc "Apply Security Context to Your Pods and Containers\n\nRationale: A security context defines the operating system security settings (uid, gid, capabilities, SELinux role, etc..) applied to a container. When designing your containers and pods, make sure that you configure the security context for your pods, containers, and volumes. A security context is a property defined in the deployment yaml. It controls the security parameters that will be assigned to the pod/container/volume. There are two levels of security context: pod level security context, and container level security context."
   impact 0.0
 
   tag cis: 'kubernetes:1.6.6'
   tag level: 2
 
   describe 'cis-kubernetes-benchmark-1.6.6' do
-    skip 'Review all the pod definitions in your cluster and verify that `seccomp` is enabled.'
+    skip 'Review the pod definitions in your cluster and verify that you have security contexts defined as appropriate.'
   end
 end
 
 control 'cis-kubernetes-benchmark-1.6.7' do
-  title 'Apply Security Context to Your Pods and Containers'
-  desc "Apply Security Context to Your Pods and Containers\n\nRationale: A security context defines the operating system security settings (uid, gid, capabilities, SELinux role, etc..) applied to a container. When designing your containers and pods, make sure that you configure the security context for your pods, containers, and volumes. A security context is a property defined in the deployment yaml. It controls the security parameters that will be assigned to the pod/container/volume. There are two levels of security context: pod level security context, and container level security context."
+  title 'Configure Image Provenance using ImagePolicyWebhook admission controller'
+  desc "Configure Image Provenance for your deployment.\n\nRationale: Kubernetes supports plugging in provenance rules to accept or reject the images in your deployments. You could configure such rules to ensure that only approved images are deployed in the cluster."
   impact 0.0
 
   tag cis: 'kubernetes:1.6.7'
   tag level: 2
 
   describe 'cis-kubernetes-benchmark-1.6.7' do
-    skip 'Review the pod definitions in your cluster and verify that you have security contexts defined as appropriate.'
+    skip 'Review the pod definitions in your cluster and verify that image provenance is configured as appropriate.'
   end
 end
 
 control 'cis-kubernetes-benchmark-1.6.8' do
-  title 'Configure Image Provenance using ImagePolicyWebhook admission controller'
-  desc "Configure Image Provenance for your deployment.\n\nRationale: Kubernetes supports plugging in provenance rules to accept or reject the images in your deployments. You could configure such rules to ensure that only approved images are deployed in the cluster."
+  title 'Configure Network policies as appropriate'
+  desc "Configure Network policies as appropriate.\n\nRationale: The Network Policy API is now stable. Network policy, implemented through a network plug-in, allows users to set and enforce rules governing which pods can communicate with each other. You should leverage it as appropriate in your environment."
   impact 0.0
 
   tag cis: 'kubernetes:1.6.8'
   tag level: 2
 
   describe 'cis-kubernetes-benchmark-1.6.8' do
-    skip 'Review the pod definitions in your cluster and verify that image provenance is configured as appropriate.'
+    skip 'Review the network policies enforced and ensure that they are suitable for your requirements.'
   end
 end

controls/2_1_worker_node_kubelet.rb

@@ -56,7 +56,7 @@
   tag level: 1
 
   describe processes('kubelet').commands.to_s do
-    it { should_not match(/--authorization-mode=AlwaysAllow/) }
+    it { should_not match(/--authorization-mode=(?:.)*AlwaysAllow,*(?:.)*/) }
     it { should match(/--authorization-mode=/) }
   end
 end
@@ -191,3 +191,29 @@
     it { should match(/--cadvisor-port=0/) }
   end
 end
+
+control 'cis-kubernetes-benchmark-2.1.14' do
+  title 'Ensure that the RotateKubeletClientCertificate argument is set to true'
+  desc "Enable kubelet client certificate rotation.\n\nRationale: RotateKubeletClientCertificate causes the kubelet to rotate its client certificates by creating new CSRs as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad. Note: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself."
+  impact 1.0
+
+  tag cis: 'kubernetes:2.1.14'
+  tag level: 1
+
+  describe processes('kubelet').commands.to_s do
+    it { should match(/--feature-gates=(?:.)*RotateKubeletClientCertificate=true,*(?:.)*/) }
+  end
+end
+
+control 'cis-kubernetes-benchmark-2.1.15' do
+  title 'Ensure that the RotateKubeletServerCertificate argument is set to true'
+  desc "Enable kubelet server certificate rotation.\n\nRationale: RotateKubeletServerCertificate causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad. Note: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself."
+  impact 1.0
+
+  tag cis: 'kubernetes:2.1.15'
+  tag level: 1
+
+  describe processes('kube-controller-manager').commands.to_s do
+    it { should match(/--feature-gates=(?:.)*RotateKubeletServerCertificate=true,*(?:.)*/) }
+  end
+end

controls/2_2_worker_node_configuration_files.rb

@@ -121,3 +121,46 @@
     it { should be_grouped_into 'root' }
   end
 end
+
+control 'cis-kubernetes-benchmark-2.2.7' do
+  title 'Ensure that the certificate authorities file permissions are set to 644 or more restrictive'
+  desc "Ensure that the certificate authorities file has permissions of 644 or more restrictive.\n\nRationale: The certificate authorities file controls the authorities used to validate API requests. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system."
+  impact 1.0
+
+  tag cis: 'kubernetes:2.2.7'
+  tag level: 1
+
+  ca_cert_path = processes('kubelet').commands.to_s.scan(/--client-ca-file=(\S*)/)
+
+  if ca_cert_path.empty?
+    describe 'cis-kubernetes-benchmark-2.2.7' do
+      skip 'No client CA file specified for `kubelet` process'
+    end
+  else
+    describe file(ca_cert_path.last.first).mode.to_s do
+      it { should match(/[0246][024][024]/) }
+    end
+  end
+end
+
+control 'cis-kubernetes-benchmark-2.2.8' do
+  title 'Ensure that the client certificate authorities file ownership is set to root:root'
+  desc "Ensure that the certificate authorities file ownership is set to root:root.\n\nRationale: The certificate authorities file controls the authorities used to validate API requests. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root."
+  impact 1.0
+
+  tag cis: 'kubernetes:2.2.8'
+  tag level: 1
+
+  ca_cert_path = processes('kubelet').commands.to_s.scan(/--client-ca-file=(\S*)/)
+
+  if ca_cert_path.empty?
+    describe 'cis-kubernetes-benchmark-2.2.8' do
+      skip 'No client CA file specified for `kubelet` process'
+    end
+  else
+    describe file(ca_cert_path.last.first) do
+      it { should be_owned_by 'root' }
+      it { should be_grouped_into 'root' }
+    end
+  end
+end

controls/3_1_federation_api_server.rb

@@ -234,7 +234,7 @@
   tag level: 1
 
   describe processes('federation-apiserver').commands.to_s do
-    it { should_not match(/--authorization-mode=AlwaysAllow/) }
+    it { should_not match(/--authorization-mode=(?:.)*AlwaysAllow,*(?:.)*/) }
     it { should match(/--authorization-mode=/) }
   end
 end