Overview
The Kubernetes Controller Manager and Control Plane don’t leave many bells and whistles to harden. Bind the controller manager to localhost (127.0.0.1) rather than 0.0.0.0, so that nothing off the node can interact with it. Point it at the right certificates (the service account private key and the root CA file), disable profiling, and configure logging so that the logs are shipped to the proper collector, where they cannot be repudiated. Set the file permissions on the controller manager YAML to 644, with anything more restrictive encouraged.
Disable the auto mounting of the service account token, and make sure to do so in every namespace. Beware that the admission controller will create a default service account in each new namespace, so adjust accordingly. There are a few further configuration items, such as DenyEscalatingExec and ResourceQuota settings, but how they are hardened depends greatly on the service mesh and multi-tenant architecture. I will leave those as an exercise to the reader for their own architecture and technology building blocks.
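The per-namespace sweep described above, as an added example that is not part of the original post: a POSIX shell dry run that reads the output of kubectl get serviceaccounts -A in custom-columns format and emits the patch command for every service account whose token is still auto-mounted. The kubectl commands in the comments and in the emitted patches are real kubectl syntax; the sample listing and the namespace and account names in it are constructed.

```shell
#!/bin/sh
# Added example, not from the page: find every ServiceAccount, in every namespace,
# whose token is still auto-mounted, and emit the kubectl patch that disables it.
# The input format is what this command prints (one line per account):
#   kubectl get serviceaccounts -A --no-headers \
#     -o custom-columns='NS:.metadata.namespace,NAME:.metadata.name,AUTOMOUNT:.automountServiceAccountToken'
# kubectl prints "<none>" when the field is unset, and unset means "mount" (the default).

# Constructed sample standing in for the kubectl output above.
SAMPLE_SA_LIST='default        default        <none>
kube-system    default        false
payments       default        <none>
payments       api            true
payments       batch          false'

# sa_needing_patch: read "NS NAME AUTOMOUNT" lines on stdin and print "NS NAME"
# for each account whose token is still mounted (value unset or true).
sa_needing_patch() {
  while read -r ns name automount; do
    [ -z "$ns" ] && continue
    case "$automount" in
      false) ;;                              # already hardened, nothing to do
      *) printf '%s %s\n' "$ns" "$name" ;;   # <none> or true: still mounting
    esac
  done
}

# patch_commands: turn "NS NAME" lines into the kubectl patch for each account.
patch_commands() {
  while read -r ns name; do
    printf "kubectl -n %s patch serviceaccount %s -p '{\"automountServiceAccountToken\": false}'\n" "$ns" "$name"
  done
}

# count_needing_patch: how many accounts in the sample still mount a token.
count_needing_patch() {
  printf '%s\n' "$SAMPLE_SA_LIST" | sa_needing_patch | wc -l | tr -d ' '
}

# Dry run: print the commands instead of executing them. Against a live cluster,
# replace SAMPLE_SA_LIST with the kubectl command quoted in the header comment.
printf '%s\n' "$SAMPLE_SA_LIST" | sa_needing_patch | patch_commands
```

Run the sweep again whenever a namespace is created, since the default service account provisioned in the new namespace comes with the token mounted. A pod can also set automountServiceAccountToken: true in its own spec, which overrides the service account's setting, so pair this sweep with a check on pod specs.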
Please enable the AlwaysPullImages admission controller. It forces every pod to present registry credentials on each attempt to pull and use an image, instead of simply reusing an image already cached on the node without authorization.
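One way to check these settings on a control-plane node, as an added example that is not from the page: a POSIX shell audit that reads static pod manifests and reports on the CIS 1.3.x controller-manager flags listed below, the 644-or-stricter manifest permissions, and whether AlwaysPullImages appears in the API server's --enable-admission-plugins list. The manifests it writes are constructed samples, and the /etc/kubernetes/manifests/ location (kubeadm's default for the real files) is an assumption about your node layout.

```shell
#!/bin/sh
# Added example, not from the page: audit control-plane static pod manifests for
# the CIS 1.3.x controller-manager flags, the 644-or-stricter manifest mode, and
# the AlwaysPullImages admission plugin on the API server. The manifests written
# by write_samples are constructed; /etc/kubernetes/manifests/ is an assumption.

# flag_value FILE FLAG: value of the "- --FLAG=value" entry in the manifest's
# command list, or empty when the flag is absent.
flag_value() {
  sed -n "s/^[[:space:]]*-[[:space:]]*--$2=\(.*\)$/\1/p" "$1" | head -n 1
}
check_flag() { [ "$(flag_value "$1" "$2")" = "$3" ]; }   # FILE FLAG EXPECTED
flag_set()   { [ -n "$(flag_value "$1" "$2")" ]; }       # FILE FLAG: present, non-empty

# list_has FILE FLAG ITEM: ITEM is one element of FLAG's comma-separated value
# (used for --feature-gates and --enable-admission-plugins).
list_has() {
  case ",$(flag_value "$1" "$2")," in *",$3,"*) return 0 ;; *) return 1 ;; esac
}

# file_mode FILE: octal permission bits (GNU stat, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# mode_at_most_644 MODE: no bit set beyond owner rw, group r, other r ("644 or
# more restrictive"); a leading setuid/setgid/sticky digit is ignored.
mode_at_most_644() {
  case "$(printf '%s' "$1" | tail -c 3)" in
    [0246][04][04]) return 0 ;;
    *) return 1 ;;
  esac
}

# check ID MESSAGE CMD...: run CMD, print PASS/FAIL, count failures in $fails.
check() {
  id="$1"; msg="$2"; shift 2
  if "$@"; then echo "PASS $id $msg"; else echo "FAIL $id $msg"; fails=$((fails+1)); fi
}

# audit_controller_manager FILE: one line per check; returns the failure count.
audit_controller_manager() {
  f="$1"; fails=0; echo "== $f"
  check 1.3.2 "--profiling=false"                      check_flag "$f" profiling false
  check 1.3.3 "--use-service-account-credentials=true" check_flag "$f" use-service-account-credentials true
  check 1.3.4 "--service-account-private-key-file set" flag_set "$f" service-account-private-key-file
  check 1.3.5 "--root-ca-file set"                     flag_set "$f" root-ca-file
  check 1.3.6 "RotateKubeletServerCertificate=true"    list_has "$f" feature-gates RotateKubeletServerCertificate=true
  check 1.3.7 "--bind-address=127.0.0.1"               check_flag "$f" bind-address 127.0.0.1
  check perms "manifest mode 644 or stricter"          mode_at_most_644 "$(file_mode "$f")"
  return "$fails"
}

# audit_apiserver FILE: the AlwaysPullImages recommendation; returns failure count.
audit_apiserver() {
  f="$1"; fails=0; echo "== $f"
  check admission "AlwaysPullImages in --enable-admission-plugins" \
    list_has "$f" enable-admission-plugins AlwaysPullImages
  return "$fails"
}

# write_samples DIR: constructed manifests (only the command list matters here).
write_samples() {
  cat > "$1/kcm-good.yaml" <<'EOF'
spec:
  containers:
  - command:
    - kube-controller-manager
    - --bind-address=127.0.0.1
    - --profiling=false
    - --use-service-account-credentials=true
    - --service-account-private-key-file=/etc/kubernetes/pki/sa.key
    - --root-ca-file=/etc/kubernetes/pki/ca.crt
    - --feature-gates=RotateKubeletServerCertificate=true
EOF
  cat > "$1/kcm-weak.yaml" <<'EOF'
spec:
  containers:
  - command:
    - kube-controller-manager
    - --bind-address=0.0.0.0
    - --profiling=true
    - --service-account-private-key-file=/etc/kubernetes/pki/sa.key
EOF
  cat > "$1/apiserver.yaml" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --enable-admission-plugins=NodeRestriction,AlwaysPullImages
EOF
  chmod 600 "$1/kcm-good.yaml"; chmod 664 "$1/kcm-weak.yaml"
}

# Dry run over the constructed samples; on a node, point the audit functions at
# /etc/kubernetes/manifests/kube-controller-manager.yaml and kube-apiserver.yaml.
tmp=$(mktemp -d); write_samples "$tmp"
audit_controller_manager "$tmp/kcm-good.yaml"
audit_controller_manager "$tmp/kcm-weak.yaml" || true   # the weak sample is meant to fail
audit_apiserver "$tmp/apiserver.yaml"
rm -rf "$tmp"
```

The hardened sample passes all seven controller-manager checks; the weak sample fails six of them (only the private key file is set). The mode check deliberately accepts 600 and 640 as well as 644, matching the "644 or more restrictive" wording.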
CIS Benchmark
1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)
1.3.2 Ensure that the --profiling argument is set to false (Automated)
1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)
1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)
1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)
1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)
Control Plane
3.1 Authentication and Authorization
3.1.1 Client certificate authentication should not be used for users (Manual)
3.2 Logging
3.2.1 Ensure that a minimal audit policy is created (Manual)
3.2.2 Ensure that the audit policy covers key security concerns (Manual)
5.5 Extensible Admission Control
5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller
5.7 General Policies
5.7.1 Create administrative boundaries between resources using namespaces (Manual)
5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)
5.7.3 Apply Security Context to Your Pods and Containers (Manual)
5.7.4 The default namespace should not be used (Manual)
5.1.1 Ensure that the cluster-admin role is only used where required (Manual)
5.1.2 Minimize access to secrets
5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)
5.1.4 Minimize access to create pods (Manual)
5.1.5 Ensure that default service accounts are not actively used. (Manual)
5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)