NSA, CISA Kubernetes Hardening Guidance v1.0 cybersecurity technical report is produced by trivy-operator and validate the following control checks :
NAME | DESCRIPTION |
---|---|
Non-root containers | Check that container is not running as root |
Immutable container file systems | Check that container root file system is immutable |
Preventing privileged containers | Controls whether Pods can run privileged containers |
Share containers process namespaces | Controls whether containers can share process namespaces |
Share host process namespaces | Controls whether share host process namespaces |
Use the host network | Controls whether containers can use the host network |
Run with root privileges or with root group membership | Controls whether container applications can run with root privileges or with root group membership |
Restricts escalation to root privileges | Control check restrictions escalation to root privileges |
Sets the SELinux context of the container | Control checks if pod sets the SELinux context of the container |
Restrict a container's access to resources with AppArmor | Control checks the restriction of containers access to resources with AppArmor |
Sets the seccomp profile used to sandbox containers | Control checks the sets the seccomp profile used to sandbox containers |
Protecting Pod service account tokens | Control check whether disable secret token been mount ,automountServiceAccountToken: false |
Namespace kube-system should not be used by users | Control check whether Namespace kube-system is not be used by users |
Pod and/or namespace Selectors usage | Control check validate the pod and/or namespace Selectors usage |
Use CNI plugin that supports NetworkPolicy API | Control check whether check cni plugin installed |
Use ResourceQuota policies to limit resources | Control check the use of ResourceQuota policy to limit aggregate resource usage within namespace |
Use LimitRange policies to limit resources | Control check the use of LimitRange policy limit resource usage for namespaces or nodes |
Control plan disable insecure port | Control check whether control plan disable insecure port |
Encrypt etcd communication | Control check whether etcd communication is encrypted |
Ensure kube config file permission | Control check whether kube config file permissions |
Check that encryption resource has been set | Control checks whether encryption resource has been set |
Check encryption provider | Control checks whether encryption provider has been set |
Make sure anonymous-auth is unset | Control checks whether anonymous-auth is unset |
Make sure -authorization-mode=RBAC | Control check whether RBAC permission is in use |
Audit policy is configure | Control check whether audit policy is configure |
Audit log path is configure | Control check whether audit log path is configure |
Audit log aging | Control check whether audit log aging is configure |
NSA, CISA Kubernetes Hardening Guidance v1.1 report will be generated every three hours by default.
The NSA compliance report is composed of two parts :
-
spec
: represents the NSA compliance control checks specification, check details, and the mapping to the security scanner -
status
: represents the NSA compliance control checks results -
report types
: compliance report can be produced in two formats , summary and detail (all)
Spec can be customized by amending the control checks report type (summary / all)
, severity
and cron
expression (report execution interval).
As an example, let's enter vi
edit mode and change the cron
expression.
kubectl edit compliance
kubectl get compliance nsa -o=jsonpath='{.status}' | jq .