Detections
Analytics

Revision 1.4

Apr 12, 2023
Functional Update
  • 4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive
  • 4.1.10 If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root
  • 4.1.2 Ensure that the kubelet service file ownership is set to root:root
  • 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive
  • 4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root
  • 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive
  • 4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root
  • 4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive
  • 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root
  • 4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive
  • 4.2.1 Ensure that the --anonymous-auth argument is set to false
  • 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - cert
  • 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - key
  • 4.2.11 Ensure that the --rotate-certificates argument is not set to false
  • 4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true
  • 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
  • 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow
  • 4.2.3 Ensure that the --client-ca-file argument is set as appropriate
  • 4.2.4 Verify that the --read-only-port argument is set to 0
  • 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0
  • 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true
  • 4.2.7 Ensure that the --make-iptables-util-chains argument is set to true
  • 4.2.8 Ensure that the --hostname-override argument is not set
  • 5.1.3 Minimize wildcard use in Roles and ClusterRoles - clusterroles
  • 5.1.3 Minimize wildcard use in Roles and ClusterRoles - roles
Miscellaneous
  • Metadata updated.
  • Platform check updated.
Removed
  • CIS_Kubernetes_v1.24_v1.0.0_Level_1_Worker.audit from CIS Kubernetes v1.24 Benchmark v1.0.0