CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Worker

Audit Details

Name: CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Worker

Updated: 4/12/2023

Authority: CIS

Plugin: Unix

Revision: 1.4

Estimated Item Count: 26

File Details

Filename: CIS_Kubernetes_v1.24_v1.0.0_Level_1_Worker.audit

Size: 130 kB

MD5: 50f9b578bb3103ac0039d295076f3dfe
SHA256: 10f5fb734c9e7daa5560d53ea0225d73884d3edc415c0bc431ff796435d429da

Audit Changelog

 
Revision 1.4

Apr 12, 2023

Functional Update
  • 4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive
  • 4.1.10 If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root
  • 4.1.2 Ensure that the kubelet service file ownership is set to root:root
  • 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive
  • 4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root
  • 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive
  • 4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root
  • 4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive
  • 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root
  • 4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive
  • 4.2.1 Ensure that the --anonymous-auth argument is set to false
  • 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - cert
  • 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - key
  • 4.2.11 Ensure that the --rotate-certificates argument is not set to false
  • 4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true
  • 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
  • 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow
  • 4.2.3 Ensure that the --client-ca-file argument is set as appropriate
  • 4.2.4 Verify that the --read-only-port argument is set to 0
  • 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0
  • 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true
  • 4.2.7 Ensure that the --make-iptables-util-chains argument is set to true
  • 4.2.8 Ensure that the --hostname-override argument is not set
  • 5.1.3 Minimize wildcard use in Roles and ClusterRoles - clusterroles
  • 5.1.3 Minimize wildcard use in Roles and ClusterRoles - roles
Miscellaneous
  • Metadata updated.
  • Platform check updated.
Removed
  • CIS_Kubernetes_v1.24_v1.0.0_Level_1_Worker.audit from CIS Kubernetes v1.24 Benchmark v1.0.0
Revision 1.3

Mar 7, 2023

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.2

Jan 4, 2023

Miscellaneous
  • Metadata updated.
Revision 1.1

Dec 7, 2022

Miscellaneous
  • Variables updated.