oci-kubernetes-monitoring

kubernetes monitoring solution not CIS compliant

Open hslange opened this issue 6 months ago • 1 comment

It looks like the current monitoring solution does not comply with the CIS Benchmark for Kubernetes. I understand that this was not the primary goal of the monitoring solution, but it would be nice to cover this. I would appreciate it if this could be taken as an enhancement to make the Kubernetes monitoring solution also (more) secure and CIS compliant (my customer requires a secure and CIS compliant Kubernetes environment, and currently we're not allowed to deploy this solution).

I have deployed the Kubernetes Monitoring solution. Once deployed, I used kubescape (https://kubescape.io/) to check for security issues based on the CIS benchmark for Kubernetes, but there are other tools available as well to check security compliance. I used the check for framework cis-v1.23-t1.0.1 (generic Kubernetes, since there is currently no check for OKE, although there is an OCI Kubernetes benchmark as well). The command below focuses on the oci-onm namespace only: `kubescape scan framework cis-v1.23-t1.0.1 --include-namespaces oci-onm`

This gives the result shown below. Detailed recommendations and remediations can be obtained by running `kubescape scan framework cis-v1.23-t1.0.1 -v --include-namespaces oci-onm`

```
Framework scanned: cis-v1.23-t1.0.1

┌─────────────────┬─────┐
│ Controls        │ 121 │
│ Passed          │ 68  │
│ Failed          │ 5   │
│ Action Required │ 48  │
└─────────────────┴─────┘

Failed resources by severity:

┌──────────┬───┐
│ Critical │ 0 │
│ High     │ 3 │
│ Medium   │ 8 │
│ Low      │ 0 │
└──────────┴───┘

Run with '--verbose'/'-v' to see control failures for each resource.

┌──────────┬───────────────────────────────────────────────────────┬──────────────────┬───────────────┬───────────────────┐
│ Severity │ Control name                                          │ Failed resources │ All Resources │ Compliance score  │
├──────────┼───────────────────────────────────────────────────────┼──────────────────┼───────────────┼───────────────────┤
│ High     │ CIS-1.1.11 Ensure that the etcd data directory per... │ 0                │ 0             │ Action Required * │
│ High     │ CIS-1.1.12 Ensure that the etcd data directory own... │ 0                │ 0             │ Action Required * │
│ High     │ CIS-1.1.13 Ensure that the admin.conf file permiss... │ 0                │ 0             │ Action Required * │
│ High     │ CIS-1.1.14 Ensure that the admin.conf file ownersh... │ 0                │ 0             │ Action Required * │
│ High     │ CIS-1.1.19 Ensure that the Kubernetes PKI director... │ 0                │ 0             │ Action Required * │
│ High     │ CIS-1.1.20 Ensure that the Kubernetes PKI certific... │ 0                │ 0             │ Action Required * │
│ High     │ CIS-1.1.21 Ensure that the Kubernetes PKI key file... │ 0                │ 0             │ Action Required * │
│ High     │ CIS-1.2.29 Ensure that the API Server --encryption... │ 0                │ 0             │ Action Required * │
│ High     │ CIS-1.2.30 Ensure that encryption providers are ap... │ 0                │ 0             │ Action Required * │
│ High     │ CIS-4.1.7 Ensure that the certificate authorities ... │ 0                │ 0             │ Action Required * │
│ High     │ CIS-4.1.8 Ensure that the client certificate autho... │ 0                │ 0             │ Action Required * │
│ High     │ CIS-4.1.9 If the kubelet config.yaml configuration... │ 0                │ 0             │ Action Required * │
│ High     │ CIS-4.1.10 If the kubelet config.yaml configuratio... │ 0                │ 0             │ Action Required * │
│ High     │ CIS-4.2.1 Ensure that the --anonymous-auth argumen    │ 0                │ 0             │ Action Required * │
│ High     │ CIS-4.2.10 Ensure that the --tls-cert-file and --t... │ 0                │ 0             │ Action Required * │
│ High     │ CIS-5.7.3 Apply Security Context to Your Pods and ... │ 3                │ 3             │ 0%                │
│ Medium   │ CIS-1.1.1 Ensure that the API server pod specifica... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-1.1.2 Ensure that the API server pod specifica... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-1.1.3 Ensure that the controller manager pod s... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-1.1.4 Ensure that the controller manager pod s... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-1.1.5 Ensure that the scheduler pod specificat... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-1.1.6 Ensure that the scheduler pod specificat... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-1.1.7 Ensure that the etcd pod specification f... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-1.1.8 Ensure that the etcd pod specification f... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-1.1.9 Ensure that the Container Network Interf... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-1.1.10 Ensure that the Container Network Inter... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-1.1.15 Ensure that the scheduler.conf file per... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-1.1.16 Ensure that the scheduler.conf file own... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-1.1.17 Ensure that the controller-manager.conf... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-1.1.18 Ensure that the controller-manager.conf... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-4.1.1 Ensure that the kubelet service file per... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-4.1.2 Ensure that the kubelet service file own... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-4.1.3 If proxy kubeconfig file exists ensure p... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-4.1.4 If proxy kubeconfig file exists ensure o... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-4.1.5 Ensure that the --kubeconfig kubelet.con... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-4.1.6 Ensure that the --kubeconfig kubelet.con... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-4.2.2 Ensure that the --authorization-mode arg... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-4.2.3 Ensure that the --client-ca-file argumen... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-4.2.4 Verify that the --read-only-port argumen... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-4.2.11 Ensure that the --rotate-certificates a... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-4.2.12 Verify that the RotateKubeletServerCert... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-4.2.13 Ensure that the Kubelet only makes use ... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-5.1.2 Minimize access to secrets                  │ 1                │ 2             │ 50%               │
│ Medium   │ CIS-5.1.5 Ensure that default service accounts are... │ 1                │ 1             │ 0%                │
│ Medium   │ CIS-5.1.6 Ensure that Service Account Tokens are o... │ 3                │ 5             │ 40%               │
│ Medium   │ CIS-5.3.1 Ensure that the CNI in use supports Netw... │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-5.4.2 Consider external secret storage            │ 0                │ 0             │ Action Required * │
│ Medium   │ CIS-5.7.2 Ensure that the seccomp profile is set t... │ 3                │ 3             │ 0%                │
│ Low      │ CIS-4.2.5 Ensure that the --streaming-connection-i... │ 0                │ 0             │ Action Required * │
│ Low      │ CIS-4.2.6 Ensure that the --protect-kernel-default... │ 0                │ 0             │ Action Required * │
│ Low      │ CIS-4.2.7 Ensure that the --make-iptables-util-cha... │ 0                │ 0             │ Action Required * │
│ Low      │ CIS-4.2.8 Ensure that the --hostname-override argu... │ 0                │ 0             │ Action Required * │
│ Low      │ CIS-4.2.9 Ensure that the --event-qps argument is ... │ 0                │ 0             │ Action Required * │
├──────────┼───────────────────────────────────────────────────────┼──────────────────┼───────────────┼───────────────────┤
│          │ Resource Summary                                      │ 6                │ 20            │ 56.94%            │
└──────────┴───────────────────────────────────────────────────────┴──────────────────┴───────────────┴───────────────────┘
```

hslange avatar May 20 '25 10:05 hslange
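The controls that actually failed in the scan above (as opposed to the "Action Required" node-level checks, which kubescape cannot evaluate from inside a namespace) are all pod-template settings: CIS-5.7.3, CIS-5.7.2, CIS-5.1.5 and CIS-5.1.6. The following is an added example, not code from the oci-kubernetes-monitoring project or from kubescape: a pre-deployment linter that approximates what those four controls ask of a pod template, run on two constructed manifests (a bare one and a hardened one; the image and service account names are placeholders).

```python
# Added example (not project or kubescape code): approximate checks for the
# four pod-template controls the scan flagged. Manifests are constructed dicts
# in the shape of a rendered pod template spec; image/SA names are placeholders.

def check_pod_template(tmpl):
    """Return the sorted list of CIS control ids the template would fail."""
    spec = tmpl.get("spec", {})
    failed = set()
    # CIS-5.1.5: workloads must run under a dedicated SA, not the namespace default.
    if spec.get("serviceAccountName", "default") == "default":
        failed.add("CIS-5.1.5")
    # CIS-5.1.6: the SA token is mounted by default; only workloads that call the
    # API should keep it (and then under the least-privilege RBAC of CIS-5.1.2).
    if spec.get("automountServiceAccountToken", True) is not False:
        failed.add("CIS-5.1.6")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        # CIS-5.7.3: each container needs explicit hardening in its securityContext
        # (no privilege escalation, non-root, all capabilities dropped).
        if (sc.get("allowPrivilegeEscalation") is not False
                or sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True
                or "ALL" not in sc.get("capabilities", {}).get("drop", [])):
            failed.add("CIS-5.7.3")
        # CIS-5.7.2: a seccomp profile must be set at pod or container level.
        prof = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if prof.get("type") not in ("RuntimeDefault", "Localhost"):
            failed.add("CIS-5.7.2")
    return sorted(failed)

# Constructed sample: a pod template with no security settings at all.
WEAK = {"spec": {"containers": [{"name": "agent", "image": "placeholder:1"}]}}

# Constructed sample: the same workload with the settings the controls expect.
HARDENED = {"spec": {
    "serviceAccountName": "monitoring-agent",          # placeholder SA name
    "automountServiceAccountToken": False,
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "agent", "image": "placeholder:1",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, tmpl in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_pod_template(tmpl) or "no findings")
```

A log collector that really needs API access (for example to enrich records with pod metadata) would keep the token mounted and satisfy CIS-5.1.6 by justification rather than by this check, so treat the linter as a gate for review, not as a substitute for the kubescape scan.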

Thanks for raising this. I will look into it.

paliwalparitosh avatar May 29 '25 04:05 paliwalparitosh