AKS 1.5.0 CIS benchmark #1678
Open
AKS 1.5.0 CIS benchmark #1678
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: rootxrishabh <[email protected]>
Added yamls for OKE
Signed-off-by: rootxrishabh <[email protected]>
Fixed issues with oke cluster testing
Merge Add oke support to Main
This reverts commit 96a8081.
This reverts commit 75ead54.
|
|
Magier
reviewed
Sep 16, 2024
| scored: false | ||
|
|
||
| - id: 4.2 | ||
| text: "Pod Security Policies" |
There was a problem hiding this comment.
This was renamed to Pod Security Standards: https://workbench.cisecurity.org/benchmarks/15692/sections/2312375
Magier
reviewed
Sep 16, 2024
| - id: 4.2.1 | ||
| text: "Minimize the admission of privileged containers (Automated)" | ||
| remediation: | | ||
| Create a PSP as described in the Kubernetes documentation, ensuring that |
There was a problem hiding this comment.
New (full) remediation text:
Add policies to each namespace in the cluster which has user workloads to restrict the admission of privileged containers.
To enable PSA for a namespace in your cluster, set the pod-security.kubernetes.io/enforce label with the policy value you want to enforce.
`kubectl label --overwrite ns NAMESPACE pod-security.kubernetes.io/enforce=restricted`
The above command enforces the restricted policy for the NAMESPACE namespace.
You can also enable Pod Security Admission for all your namespaces. For example:
`kubectl label --overwrite ns --all pod-security.kubernetes.io/warn=baseline`
Pod Security Policies and Assignments can be found by searching for Policies in the Azure Portal. A detailed step-by-step guide can be found here:
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes
Magier
reviewed
Sep 16, 2024
| - id: 4.2.2 | ||
| text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)" | ||
| remediation: | | ||
| Create a PSP as described in the Kubernetes documentation, ensuring that the |
There was a problem hiding this comment.
New (full) remediation text:
Add policies to each namespace in the cluster which has user workloads to restrict the admission of `hostPID` containers.
Pod Security Policies and Assignments can be found by searching for Policies in the Azure Portal. A detailed step-by-step guide can be found here:
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes
Magier
reviewed
Sep 16, 2024
| - id: 4.2.3 | ||
| text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)" | ||
| remediation: | | ||
| Create a PSP as described in the Kubernetes documentation, ensuring that the |
There was a problem hiding this comment.
New (full) remediation text:
Add policies to each namespace in the cluster which has user workloads to restrict the admission of `hostIPC` containers.
Pod Security Policies and Assignments can be found by searching for Policies in the Azure Portal. A detailed step-by-step guide can be found here:
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes
Magier
reviewed
Sep 16, 2024
| - id: 4.2.4 | ||
| text: "Minimize the admission of containers wishing to share the host network namespace (Automated)" | ||
| remediation: | | ||
| Create a PSP as described in the Kubernetes documentation, ensuring that the |
There was a problem hiding this comment.
New (full) remediation text:
Add policies to each namespace in the cluster which has user workloads to restrict the admission of `hostNetwork` containers.
Pod Security Policies and Assignments can be found by searching for Policies in the Azure Portal. A detailed step-by-step guide can be found here:
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes
Magier
reviewed
Sep 16, 2024
| - id: 4.2.5 | ||
| text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)" | ||
| remediation: | | ||
| Create a PSP as described in the Kubernetes documentation, ensuring that the |
There was a problem hiding this comment.
New (full) remediation text:
Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with `.spec.allowPrivilegeEscalation` set to `true`.
Pod Security Policies and Assignments can be found by searching for Policies in the Azure Portal. A detailed step-by-step guide can be found here:
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adding AKS 1.5.0 benchmark
CIS_Azure_Kubernetes_Service_(AKS)_Benchmark_V1.5.0_PDF.pdf