Detections
Analytics

CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Worker

Audit Details

Name: CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Worker

Updated: 4/12/2023

Authority: CIS

Plugin: Unix

Revision: 1.4

Estimated Item Count: 26

File Details

Filename: CIS_Kubernetes_v1.20_v1.0.1_Level_1_Worker.audit

Size: 130 kB

MD5: 2ae575a8cfdf75b290c30a366cf5d5a3
SHA256: 3c8cbc1786d790c311636fc3b9e0cec1fbdee35b637258a97e32d332bab90639

Audit Changelog

 
Revision 1.4

Apr 12, 2023

Functional Update
  • 4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive
  • 4.1.10 Ensure that the kubelet --config configuration file ownership is set to root:root
  • 4.1.2 Ensure that the kubelet service file ownership is set to root:root
  • 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive
  • 4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root
  • 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive
  • 4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root
  • 4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive
  • 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root
  • 4.1.9 Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive
  • 4.2.1 Ensure that the --anonymous-auth argument is set to false
  • 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - cert
  • 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - key
  • 4.2.11 Ensure that the --rotate-certificates argument is not set to false
  • 4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true
  • 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
  • 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow
  • 4.2.3 Ensure that the --client-ca-file argument is set as appropriate
  • 4.2.4 Verify that the --read-only-port argument is set to 0
  • 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0
  • 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true
  • 4.2.7 Ensure that the --make-iptables-util-chains argument is set to true
  • 4.2.8 Ensure that the --hostname-override argument is not set
  • 5.1.3 Minimize wildcard use in Roles and ClusterRoles - clusterroles
  • 5.1.3 Minimize wildcard use in Roles and ClusterRoles - roles
Miscellaneous
  • Metadata updated.
  • Platform check updated.
Removed
  • CIS_Kubernetes_v1.20_v1.0.1_Level_1_Worker.audit from CIS Kubernetes v1.20 Benchmark v1.0.1
Revision 1.3

Mar 7, 2023

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.2

Jan 4, 2023

Miscellaneous
  • Metadata updated.
Revision 1.1

Dec 7, 2022

Miscellaneous
  • Variables updated.