Overview

Testing controls methodology

| Control | Result | Remarks |
|---|---|---|
| 1.1 Control Plane Node Configuration Files | | |
| 1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated) | PASS | |
| 1.1.2 Ensure that the API server pod specification file ownership is set to root (Automated) | NA | Not applicable for k3s. |
| 1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated) | NA | Not applicable for k3s. |
| 1.1.4 Ensure that the controller manager pod specification file ownership is set to root (Automated) | NA | Not applicable for k3s. |
| 1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated) | NA | Not applicable for k3s. |
| 1.1.6 Ensure that the scheduler pod specification file ownership is set to root (Automated) | NA | Not applicable for k3s. |
| 1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated) | NA | Not applicable for k3s. |
| 1.1.8 Ensure that the etcd pod specification file ownership is set to root (Automated) | NA | Not applicable for k3s. |
| 1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated) | NA | Not applicable for k3s. |
| 1.1.10 Ensure that the Container Network Interface file ownership is set to root (Manual) | NA | Not applicable for k3s. |
| 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated) | PASS | |
| 1.1.12 Ensure that the etcd data directory ownership is set to etcd (Automated) | NA | Not applicable for k3s. |
| 1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated) | NA | Not applicable for k3s. |
| 1.1.14 Ensure that the admin.conf file ownership is set to root (Automated) | PASS | |
| 1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated) | PASS | |
| 1.1.16 Ensure that the scheduler.conf file ownership is set to root (Automated) | PASS | |
| 1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated) | PASS | |
| 1.1.18 Ensure that the controller-manager.conf file ownership is set to root (Automated) | PASS | |
| 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root (Automated) | PASS | |
| 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual) | FAIL | Currently permissions are set to 644. |
| 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual) | PASS | |
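Controls 1.1.19 to 1.1.21 reduce to a mode and ownership comparison over the k3s PKI directory. The script below is an added example, not part of the assessment or of the cloud connector's tooling, that performs that comparison. It treats "600 or more restrictive" as a bitwise test rather than a numeric one, assumes the k3s default TLS directory /var/lib/rancher/k3s/server/tls and GNU stat, and demonstrates on a constructed temporary directory holding one certificate at 644 (the state the 1.1.20 finding describes) and one key at 600.

```shell
#!/bin/sh
# Added example; not part of the assessment or of the cloud connector's tooling.
# Checks a k3s server's PKI directory against CIS 1.1.19 (root ownership),
# 1.1.20 (certificates 600 or more restrictive) and 1.1.21 (keys 600).
# Assumptions: the k3s default TLS directory below, and GNU stat (-c); on
# BSD/macOS use stat -f '%Lp' and '%Su:%Sg' instead.
K3S_TLS_DIR="${K3S_TLS_DIR:-/var/lib/rancher/k3s/server/tls}"

# mode_within FILE MAXMODE: prints PASS if FILE's mode is MAXMODE "or more
# restrictive", i.e. no permission bit is set that MAXMODE does not grant.
# This must be a bitwise test, not a numeric one: 640 < 644 numerically,
# yet 640 is not within 600 (it adds group read).
mode_within() {
    actual=$(stat -c '%a' "$1" 2>/dev/null) || { echo MISSING; return 1; }
    # A leading 0 makes $(( )) read both operands as octal.
    if [ $(( 0$actual & ~0$2 )) -eq 0 ]; then echo PASS; else echo FAIL; fi
}

# owner_of FILE: prints "user:group" as stat reports it.
owner_of() { stat -c '%U:%G' "$1"; }

# audit_pki_dir DIR: one report line per .crt/.key file; returns 1 if any
# file exceeds the 600 ceiling (applied to both kinds, as the report does)
# or is not owned by root:root.
audit_pki_dir() {
    rc=0
    for f in "$1"/*.crt "$1"/*.key; do
        [ -e "$f" ] || continue
        m=$(mode_within "$f" 600)
        o=$(owner_of "$f")
        if [ "$o" = root:root ]; then own=PASS; else own=FAIL; fi
        printf 'mode=%s(%s) owner=%s(%s) %s\n' "$(stat -c '%a' "$f")" "$m" "$o" "$own" "$f"
        [ "$m$own" = PASSPASS ] || rc=1
    done
    return $rc
}

# Demonstration on a constructed directory: one certificate left at 644 and
# one key at 600. To audit a real node run:  audit_pki_dir "$K3S_TLS_DIR"
DEMO=$(mktemp -d)
touch "$DEMO/server-ca.crt" "$DEMO/server-ca.key"
chmod 644 "$DEMO/server-ca.crt"
chmod 600 "$DEMO/server-ca.key"
audit_pki_dir "$DEMO" || echo "remediation: chmod 600 $DEMO/*.crt $DEMO/*.key"
rm -rf "$DEMO"
```

Tightening the certificates to 600 is safe for k3s itself, which runs as root, but any other process on the node that reads those files (a monitoring agent, a kubeconfig for a non-root user that points at them) will lose access; check with fuser or lsof before remediating. Ownership will also read as FAIL when the script is run against a directory created by a non-root user, as in the demonstration.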

| Control | Result | Remarks |
|---|---|---|
| 1.2 API Server | PASS | |
| 1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual) | PASS | |
| 1.2.2 Ensure that the --token-auth-file parameter is not set (Automated) | PASS | |
| 1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated) | PASS | |
| 1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated) | PASS | |
| 1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated) | NA | Not applicable for k3s. |
| 1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated) | PASS | |
| 1.2.7 Ensure that the --authorization-mode argument includes Node (Automated) | PASS | |
| 1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated) | PASS | |
| 1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual) | FAIL | Not supported. |
| 1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set (Automated) | PASS | |
| 1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual) | FAIL | The cloud connector does not pull images directly from external registries; all images are imported into the node's local registry before they are consumed. |
| 1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual) | NA | Not applicable for k3s. |
| 1.2.13 Ensure that the admission control plugin ServiceAccount is set (Automated) | PASS | |
| 1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set (Automated) | PASS | |
| 1.2.15 Ensure that the admission control plugin NodeRestriction is set (Automated) | PASS | |
| 1.2.16 Ensure that the --profiling argument is set to false (Automated) | PASS | |
| 1.2.17 Ensure that the --audit-log-path argument is set (Automated) | NA | Not applicable for k3s. |
| 1.2.18 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated) | NA | Not applicable for k3s. |
| 1.2.19 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated) | NA | Not applicable for k3s. |
| 1.2.20 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated) | NA | Not applicable for k3s. |
| 1.2.21 Ensure that the --request-timeout argument is set as appropriate (Manual) | NA | Not applicable for k3s. |
| 1.2.22 Ensure that the --service-account-lookup argument is set to true (Automated) | PASS | |
| 1.2.23 Ensure that the --service-account-key-file argument is set as appropriate (Automated) | NA | Not applicable for k3s. |
| 1.2.24 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated) | FAIL | etcd is not used; the cloud connector deployment uses SQLite as the k3s datastore, so this control does not apply to it. |
| 1.2.25 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated) | PASS | |
| 1.2.26 Ensure that the --client-ca-file argument is set as appropriate (Automated) | PASS | |
| 1.2.27 Ensure that the --etcd-cafile argument is set as appropriate (Automated) | FAIL | etcd is not used; the cloud connector deployment uses SQLite as the k3s datastore, so this control does not apply to it. |
| 1.2.28 Ensure that the --encryption-provider-config argument is set as appropriate (Manual) | NA | Not applicable for k3s. |
| 1.2.29 Ensure that encryption providers are appropriately configured (Manual) | NA | Not applicable for k3s. |
| 1.2.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual) | PASS | |

| Control | Result | Remarks |
|---|---|---|
| 1.3 Controller Manager | | |
| 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual) | FAIL | Not supported. |
| 1.3.2 Ensure that the --profiling argument is set to false (Automated) | PASS | |
| 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated) | PASS | |
| 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated) | PASS | |
| 1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated) | PASS | |
| 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated) | NA | Not applicable for k3s. |
| 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated) | PASS | |
| 1.4 Scheduler | PASS | |
| 1.4.1 Ensure that the --profiling argument is set to false (Automated) | PASS | |
| 1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated) | PASS | |

| Control | Result | Remarks |
|---|---|---|
| 2 Etcd Node Configuration | | |
| 2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated) | FAIL | etcd is not used; the cloud connector deployment uses SQLite as the k3s datastore, so this control does not apply to it. |
| 2.2 Ensure that the --client-cert-auth argument is set to true (Automated) | FAIL | etcd is not used; the cloud connector deployment uses SQLite as the k3s datastore, so this control does not apply to it. |
| 2.3 Ensure that the --auto-tls argument is not set to true (Automated) | FAIL | etcd is not used; the cloud connector deployment uses SQLite as the k3s datastore, so this control does not apply to it. |
| 2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated) | FAIL | etcd is not used; the cloud connector deployment uses SQLite as the k3s datastore, so this control does not apply to it. |
| 2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated) | FAIL | etcd is not used; the cloud connector deployment uses SQLite as the k3s datastore, so this control does not apply to it. |
| 2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated) | FAIL | etcd is not used; the cloud connector deployment uses SQLite as the k3s datastore, so this control does not apply to it. |
| 2.7 Ensure that a unique Certificate Authority is used for etcd (Automated) | FAIL | etcd is not used; the cloud connector deployment uses SQLite as the k3s datastore, so this control does not apply to it. |

| Control | Result | Remarks |
|---|---|---|
| 3 Control Plane Configuration | | |
| 3.1 Authentication and Authorization | | |
| 3.1.1 Client certificate authentication should not be used for users (Manual) | FAIL | Since the cloud connector is a self-installed agent and upgrades are managed over the air, no external user access is required. |
| 3.1.2 Service account token authentication should not be used for users (Manual) | FAIL | Since the cloud connector is a self-installed agent and upgrades are managed over the air, no external user access is required. |
| 3.1.3 Bootstrap token authentication should not be used for users (Manual) | PASS | |
| 3.2 Logging | | |
| 3.2.1 Ensure that a minimal audit policy is created (Manual) | PASS | Audit policy is enabled (warn). |
| 3.2.2 Ensure that the audit policy covers key security concerns (Manual) | FAIL | Not supported. |

| Control | Result | Remarks |
|---|---|---|
| 4.1 Worker Node Configuration Files | | |
| 4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated) | NA | Not applicable for k3s. |
| 4.1.2 Ensure that the kubelet service file ownership is set to root (Automated) | NA | Not applicable for k3s. |
| 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Manual) | PASS | |
| 4.1.4 If proxy kubeconfig file exists ensure ownership is set to root (Manual) | PASS | |
| 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated) | PASS | |
| 4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root (Automated) | PASS | |
| 4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Manual) | PASS | |
| 4.1.8 Ensure that the client certificate authorities file ownership is set to root (Manual) | PASS | |
| 4.1.9 Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated) | PASS | |
| 4.1.10 Ensure that the kubelet --config configuration file ownership is set to root (Automated) | PASS | |

| Control | Result | Remarks |
|---|---|---|
| 4.2 Kubelet | | |
| 4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated) | PASS | |
| 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated) | PASS | |
| 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated) | PASS | |
| 4.2.4 Verify that the --read-only-port argument is set to 0 (Manual) | PASS | |
| 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual) | PASS | |
| 4.2.6 Ensure that the --make-iptables-util-chains argument is set to true (Automated) | PASS | |
| 4.2.7 Ensure that the --hostname-override argument is not set (Manual) | NA | Not applicable for k3s. |
| 4.2.8 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual) | PASS | |
| 4.2.9 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual) | NA | Not applicable for k3s. |
| 4.2.10 Ensure that the --rotate-certificates argument is not set to false (Manual) | PASS | |
| 4.2.11 Verify that the RotateKubeletServerCertificate argument is set to true (Manual) | FAIL | Does not affect the operation of the cloud connector, as external kube API access is only required for host-level access to the cluster. |
| 4.2.12 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual) | FAIL | The cloud connector runs on a single host machine. |
| 4.2.13 Ensure that a limit is set on pod PIDs (Manual) | FAIL | Will be implemented in the upcoming release. |
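Most of sections 1.2 and 4.2 are assertions about flags on two command lines, the embedded kube-apiserver's and the kubelet's. The script below is an added example, not part of the assessment or of the cloud connector's tooling, that parses those lines and re-checks the listed controls. It assumes that k3s writes "Running kube-apiserver ..." and "Running kubelet ..." lines to the journal at startup, treats an absent kubelet --authorization-mode or --read-only-port as a failure because the kubelet's built-in defaults are AlwaysAllow and 10255, and accepts only AEAD cipher suites as strong, which is stricter than the benchmark's own list. The four input lines are constructed, not captured from a real node.

```shell
#!/bin/sh
# Added example; not part of the assessment or of the cloud connector's tooling.
# Audits the embedded kube-apiserver and kubelet command lines of a k3s node
# against the 1.2.x and 4.2.x flag checks. Assumption: k3s logs the lines
# "Running kube-apiserver --..." and "Running kubelet --..." at startup, so on
# a real node the inputs come from
#   journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1
#   journalctl -u k3s | grep 'Running kubelet' | tail -n1   (k3s-agent on workers)
# Settings k3s passes through a kubelet --config file (e.g. podPidsLimit) are
# not on the command line and must be checked in that file instead.

# flag_value LINE NAME: value of the last --NAME=VALUE in LINE, or empty.
flag_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^--$2=//p" | tail -n1
}

# list_has CSV ITEM: true if ITEM is one of the comma-separated entries.
list_has() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# weak_ciphers CSV: prints the suites that are not AEAD. Deliberately stricter
# than the benchmark's list: only GCM and ChaCha20-Poly1305 suites pass.
weak_ciphers() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -v -e '^$' -e GCM -e CHACHA20_POLY1305
}

FAILS=0
finding() { printf '%s\n' "$1"; FAILS=$((FAILS + 1)); }

# audit_apiserver LINE: prints one line per failed control, returns 1 if any.
audit_apiserver() {
    line=$1; FAILS=0
    [ "$(flag_value "$line" anonymous-auth)" = false ] || finding "1.2.1 anonymous-auth is not false"
    [ -z "$(flag_value "$line" token-auth-file)" ] || finding "1.2.2 token-auth-file is set"
    authz=$(flag_value "$line" authorization-mode)
    ! list_has "$authz" AlwaysAllow || finding "1.2.6 authorization-mode includes AlwaysAllow"
    list_has "$authz" Node || finding "1.2.7 authorization-mode lacks Node"
    list_has "$authz" RBAC || finding "1.2.8 authorization-mode lacks RBAC"
    adm=$(flag_value "$line" enable-admission-plugins)
    ! list_has "$adm" AlwaysAdmit || finding "1.2.10 AlwaysAdmit admission plugin is enabled"
    list_has "$adm" NodeRestriction || finding "1.2.15 NodeRestriction admission plugin is missing"
    [ "$(flag_value "$line" profiling)" = false ] || finding "1.2.16 profiling is not false"
    [ -n "$(flag_value "$line" client-ca-file)" ] || finding "1.2.26 client-ca-file is not set"
    suites=$(flag_value "$line" tls-cipher-suites)
    { [ -n "$suites" ] && [ -z "$(weak_ciphers "$suites")" ]; } || finding "1.2.30 tls-cipher-suites unset or includes non-AEAD suites"
    [ "$FAILS" -eq 0 ]
}

# audit_kubelet LINE: same shape. Two defaults bite when a flag is absent: the
# kubelet's built-in authorization mode is AlwaysAllow and its read-only port
# is 10255, so both must be set explicitly to pass.
audit_kubelet() {
    line=$1; FAILS=0
    [ "$(flag_value "$line" anonymous-auth)" = false ] || finding "4.2.1 anonymous-auth is not false"
    [ "$(flag_value "$line" authorization-mode)" = Webhook ] || finding "4.2.2 authorization-mode is not Webhook (unset means AlwaysAllow)"
    [ -n "$(flag_value "$line" client-ca-file)" ] || finding "4.2.3 client-ca-file is not set"
    [ "$(flag_value "$line" read-only-port)" = 0 ] || finding "4.2.4 read-only-port is not 0"
    [ "$(flag_value "$line" streaming-connection-idle-timeout)" != 0 ] || finding "4.2.5 streaming-connection-idle-timeout is 0"
    v=$(flag_value "$line" make-iptables-util-chains)
    { [ -z "$v" ] || [ "$v" = true ]; } || finding "4.2.6 make-iptables-util-chains is false"
    [ "$(flag_value "$line" rotate-certificates)" != false ] || finding "4.2.10 rotate-certificates is false"
    ! list_has "$(flag_value "$line" feature-gates)" RotateKubeletServerCertificate=false || finding "4.2.11 RotateKubeletServerCertificate feature gate is false"
    suites=$(flag_value "$line" tls-cipher-suites)
    { [ -n "$suites" ] && [ -z "$(weak_ciphers "$suites")" ]; } || finding "4.2.12 tls-cipher-suites unset or includes non-AEAD suites"
    [ -n "$(flag_value "$line" pod-max-pids)" ] || finding "4.2.13 pod-max-pids is not set"
    [ "$FAILS" -eq 0 ]
}

# Constructed sample lines (not captured from a real node).
GOOD_APISERVER='Running kube-apiserver --advertise-port=6443 --anonymous-auth=false --authorization-mode=Node,RBAC --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --enable-admission-plugins=NodeRestriction --profiling=false --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305'
BAD_APISERVER='Running kube-apiserver --anonymous-auth=true --authorization-mode=AlwaysAllow --enable-admission-plugins=AlwaysAdmit --token-auth-file=/etc/tokens.csv --profiling=true --tls-cipher-suites=TLS_RSA_WITH_3DES_EDE_CBC_SHA'
GOOD_KUBELET='Running kubelet --anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --read-only-port=0 --make-iptables-util-chains=true --rotate-certificates=true --pod-max-pids=4096 --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
BAD_KUBELET='Running kubelet --anonymous-auth=true --read-only-port=10255 --streaming-connection-idle-timeout=0 --rotate-certificates=false --feature-gates=RotateKubeletServerCertificate=false --tls-cipher-suites=TLS_RSA_WITH_AES_128_CBC_SHA'

for l in "$GOOD_APISERVER" "$BAD_APISERVER"; do audit_apiserver "$l" || echo "-- apiserver: $FAILS finding(s)"; done
for l in "$GOOD_KUBELET" "$BAD_KUBELET"; do audit_kubelet "$l" || echo "-- kubelet: $FAILS finding(s)"; done
```

The good lines produce no findings; the bad apiserver line produces ten and the bad kubelet line nine. On k3s these flags are set through kube-apiserver-arg and kubelet-arg in /etc/rancher/k3s/config.yaml, so a finding here is remediated there rather than in a unit file.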

| Control | Result | Remarks |
|---|---|---|
| 5.1 RBAC and Service Accounts | | |
| 5.1.1 Ensure that the cluster-admin role is only used where required (Manual) | FAIL | Since the cloud connector is a self-installed agent and upgrades are managed over the air, these permissions must be retained for installation and upgrade functionality. |
| 5.1.2 Minimize access to secrets (Manual) | FAIL | Since the cloud connector is a self-installed agent and upgrades are managed over the air, these permissions must be retained for installation and upgrade functionality. Additionally, the CC does not have multiple users. |
| 5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual) | PASS | |
| 5.1.4 Minimize access to create pods (Manual) | FAIL | Since the cloud connector is a self-installed agent and upgrades are managed over the air, these permissions must be retained for installation and upgrade functionality. Additionally, the CC does not have multiple users. |
| 5.1.5 Ensure that default service accounts are not actively used. (Manual) | PASS | Separate service accounts are created for the cc namespace. |
| 5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual) | FAIL | Not supported. |
| 5.1.7 Avoid use of system group (Manual) | FAIL | Since it is a default feature, it has not been removed as of now. |
| 5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual) | FAIL | Cluster access is to be restricted by creating a less permissive user account. |
| 5.1.9 Minimize access to create persistent volumes (Manual) | FAIL | The cloud connector uses persistent volumes for storing logs and for holding external libraries such as the iControl jar. New pods must be able to support upgrade from the GUI. |
| 5.1.10 Minimize access to the proxy sub-resource of nodes (Manual) | FAIL | Not supported. |
| 5.1.11 Minimize access to the approval sub-resource of certificatesigningrequests objects (Manual) | FAIL | This is not relevant since the cloud connector operates exclusively on Linux-based systems. |
| 5.1.12 Minimize access to webhook configuration objects (Manual) | FAIL | Not supported. |
| 5.1.13 Minimize access to the service account token creation (Manual) | FAIL | Not supported. |
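The 5.1.1 remark justifies keeping cluster-admin for installation and upgrade; what a reviewer then wants is the list of subjects that actually hold it, and the roles that carry the bind, impersonate and escalate verbs that 5.1.8 is about. The script below is an added example, not part of the assessment or of the product's tooling: two awk filters over kubectl custom-columns output. The column expressions in the comments are assumptions about kubectl's output to verify on your version, and the sample tables are constructed, with illustrative binding and role names rather than ones taken from a real cloud connector install.

```shell
#!/bin/sh
# Added example; not part of the assessment or of the cloud connector's tooling.
# Lists who holds cluster-admin (5.1.1) and which roles grant bind, impersonate,
# escalate or wildcard verbs (5.1.8). Assumed input commands (verify the column
# expressions against your kubectl version):
#   kubectl get clusterrolebindings -o custom-columns='NAME:.metadata.name,ROLE:.roleRef.name,KINDS:.subjects[*].kind,SUBJECTS:.subjects[*].name'
#   kubectl get clusterroles -o custom-columns='NAME:.metadata.name,VERBS:.rules[*].verbs[*]'
# custom-columns pads with spaces, joins list values with commas and prints
# <none> for missing fields, which is what the filters below rely on.

# cluster_admin_holders: stdin = binding table; prints "KIND NAME via BINDING"
# for every subject bound to cluster-admin other than the built-in
# system:masters group that the cluster's own admin certificate belongs to.
cluster_admin_holders() {
    awk 'NR > 1 && $2 == "cluster-admin" && $3 != "<none>" {
        n = split($3, kinds, ",")
        split($4, names, ",")
        for (i = 1; i <= n; i++)
            if (!(kinds[i] == "Group" && names[i] == "system:masters"))
                print kinds[i], names[i], "via", $1
    }'
}

# escalation_roles: stdin = role table; prints "ROLE: verbs" for roles whose
# rules include bind, impersonate, escalate or "*" (which implies all three).
# Built-in system: roles are skipped; review them separately if required.
escalation_roles() {
    awk 'NR > 1 && $1 !~ /^system:/ {
        n = split($2, verbs, ",")
        hit = ""
        for (i = 1; i <= n; i++)
            if (verbs[i] == "bind" || verbs[i] == "impersonate" || verbs[i] == "escalate" || verbs[i] == "*")
                hit = hit " " verbs[i]
        if (hit != "") print $1 ":" hit
    }'
}

# Constructed sample output in the shape the two commands above produce.
sample_bindings() {
    printf '%s\n' \
      'NAME                   ROLE               KINDS            SUBJECTS' \
      'cluster-admin          cluster-admin      Group            system:masters' \
      'cc-installer           cluster-admin      ServiceAccount   cc-installer' \
      'helm-install-traefik   cluster-admin      ServiceAccount   helm-traefik' \
      'system:basic-user      system:basic-user  Group            system:authenticated' \
      'cc-readonly            view               User,Group       alice,cc-ops' \
      'orphan-admin           cluster-admin      <none>           <none>'
}
sample_roles() {
    printf '%s\n' \
      'NAME             VERBS' \
      'cluster-admin    *,*' \
      'cc-installer     get,list,create,update,patch,delete,bind,escalate' \
      'cc-viewer        get,list,watch' \
      'system:node      get,list,watch,create,update,patch,delete,*'
}

echo "== subjects holding cluster-admin (5.1.1)"
sample_bindings | cluster_admin_holders
echo "== roles granting bind/impersonate/escalate/* (5.1.8)"
sample_roles | escalation_roles
```

On the sample data the first filter reports the two ServiceAccounts and ignores system:masters and the binding with no subjects; the second reports cluster-admin and cc-installer. RoleBindings can also reference the cluster-admin ClusterRole, granting it within one namespace, so repeat the first query with kubectl get rolebindings -A and a NAMESPACE:.metadata.namespace column. If the installer ServiceAccount turns out to be the only non-system holder, the 5.1.1 exception is as narrow as the remark claims; if runtime workloads also appear, it is not.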

| Control | Result | Remarks |
|---|---|---|
| 5.2 Pod Security Standards | | |
| 5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual) | PASS | Addressed as part of FP3.1 release* |
| 5.2.2 Minimize the admission of privileged containers (Manual) | FAIL | Baseline policy will be enforced in FP3.1 (tentative); restricted policy is not supported* |
| 5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated) | FAIL | Baseline policy will be enforced in FP3.1 (tentative); restricted policy is not supported* |
| 5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated) | FAIL | Baseline policy will be enforced in FP3.1 (tentative); restricted policy is not supported* |
| 5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated) | FAIL | The cloud connector uses the host network to communicate with external devices. |
| 5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated) | FAIL | The avx-mid-server-platform pod has allowPrivilegeEscalation set to true because it executes nmap for the network discovery use cases. |
| 5.2.7 Minimize the admission of root containers (Automated) | FAIL | All business pods in the cc namespace run as non-root, using the UID of the host user who installed the CC (avxctl refresh all must be run). The log clean-up CronJob runs as root to support backward compatibility. |
| 5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated) | FAIL | Not supported. |
| 5.2.9 Minimize the admission of containers with added capabilities (Automated) | FAIL | Not supported. |
| 5.2.10 Minimize the admission of containers with capabilities assigned (Manual) | FAIL | Not supported. |
| 5.2.11 Minimize the admission of Windows HostProcess containers (Manual) | FAIL | Not relevant since the cloud connector operates exclusively on Linux-based systems. |
| 5.2.12 Minimize the admission of HostPath volumes (Manual) | FAIL | The cloud connector mounts files from the host machine, so hostPath volumes must be allowed. |
| 5.2.13 Minimize the admission of containers which use HostPorts (Manual) | FAIL | The cloud connector uses host ports to expose services such as IoT, so hostPort admission is required. |
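Before the baseline level that 5.2.2 to 5.2.4 anticipate can be enforced on a namespace, every pod in it has to be known to satisfy it; the remarks for 5.2.5, 5.2.12 and 5.2.13 already name three conditions (hostNetwork, hostPath volumes, hostPorts) that the baseline profile rejects. The script below is an added example, not part of the assessment or of the product's tooling, that inventories running pods for the baseline-relevant fields and reports which namespaces could be labelled enforce=baseline today. It assumes the kubectl jsonpath query given in the comments; the pod lines are constructed, not captured.

```shell
#!/bin/sh
# Added example; not part of the assessment or of the cloud connector's tooling.
# Inventories which pods the Pod Security "baseline" level would reject
# (5.2.1 to 5.2.5, 5.2.12, 5.2.13) so you know which namespaces can be
# labelled pod-security.kubernetes.io/enforce=baseline and which must stay
# at warn/audit or be exempted. Assumed input: one tab-separated line per pod from
#   kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.hostNetwork}{"\t"}{.spec.hostPID}{"\t"}{.spec.hostIPC}{"\t"}{.spec.containers[*].securityContext.privileged}{"\t"}{.spec.volumes[*].hostPath.path}{"\t"}{.spec.containers[*].ports[*].hostPort}{"\n"}{end}'
# Unset booleans print as empty fields; per-container values are space-joined.
# Fields: 1 ns, 2 pod, 3 hostNetwork, 4 hostPID, 5 hostIPC, 6 privileged,
#         7 hostPath paths, 8 hostPorts.

# baseline_violations: prints "ns/pod: reasons" for every pod baseline rejects.
baseline_violations() {
    awk -F'\t' '{
        why = ""
        if ($3 == "true")      why = why " hostNetwork"
        if ($4 == "true")      why = why " hostPID"
        if ($5 == "true")      why = why " hostIPC"
        if (index($6, "true")) why = why " privileged"
        if ($7 != "")          why = why " hostPath=" $7
        if ($8 != "")          why = why " hostPort=" $8
        if (why != "") print $1 "/" $2 ":" why
    }'
}

# baseline_ready_namespaces: namespaces in which no running pod would be rejected.
baseline_ready_namespaces() {
    awk -F'\t' '{
        seen[$1] = 1
        if ($3 == "true" || $4 == "true" || $5 == "true" || index($6, "true") || $7 != "" || $8 != "")
            bad[$1] = 1
    } END { for (ns in seen) if (!(ns in bad)) print ns }' | sort
}

# Constructed sample: a host-network, privileged pod with a hostPath volume,
# a pod exposing a hostPort, two clean pods, a provisioner with a hostPath,
# and a clean pod in its own namespace.
sample_pods() {
    printf 'cc\tmid-server-0\ttrue\t\t\tfalse true\t/var/log/cc\t\n'
    printf 'cc\tui-0\t\t\t\t\t\t8443\n'
    printf 'cc\tlog-cleanup-28400000-abcde\t\t\t\tfalse\t\t\n'
    printf 'kube-system\tcoredns-6799fbcd5-abcde\t\t\t\t\t\t\n'
    printf 'kube-system\tlocal-path-provisioner-0\t\t\t\t\t/opt/local-path-provisioner\t\n'
    printf 'monitoring\tprobe-0\t\t\t\t\t\t\n'
}

echo "== pods the baseline level would reject"
sample_pods | baseline_violations
echo "== namespaces that could be labelled enforce=baseline now"
sample_pods | baseline_ready_namespaces | sed 's/^/  kubectl label ns /; s/$/ pod-security.kubernetes.io\/enforce=baseline/'
```

On a live cluster the API server can give the same answer directly: kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=baseline prints a warning for every pod that would be rejected without changing anything. Two caveats follow from the table above. First, given the remarks on 5.2.5, 5.2.12 and 5.2.13, the cc namespace cannot be enforced at baseline while those pods run in it; it would have to remain at warn or audit, or be listed as an exempt namespace in the PodSecurity admission configuration. Second, allowPrivilegeEscalation (5.2.6) and running as non-root (5.2.7) belong to the restricted level, not baseline, so enforcing baseline alone does not address those two findings.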

| Control | Result | Remarks |
|---|---|---|
| 5.3 Network Policies and CNI | | |
| 5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual) | PASS | Network policies have been added for the cc namespace. |
| 5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual) | FAIL | Network policies for the cc namespace will be available as part of the FP3.1 release* |
| 5.4 Secrets Management | | |
| 5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual) | PASS | No business-specific secrets are created for the application. |
| 5.4.2 Consider external secret storage (Manual) | FAIL | The cloud connector is a lightweight agent installed on a single host, so it uses the default secret management provided by k3s. |
| 5.5 Extensible Admission Control | | |
| 5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual) | FAIL | Not supported. |
| 5.7 General Policies | | |
| 5.7.1 Create administrative boundaries between resources using namespaces (Manual) | PASS | A separate namespace has been created. |
| 5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual) | PASS | Addressed as part of FP3.1. |
| 5.7.3 Apply SecurityContext to your Pods and Containers (Manual) | PASS | |
| 5.7.4 The default namespace should not be used (Manual) | PASS | |