-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AKS 1.5.0 CIS benchmark #1678
base: main
Are you sure you want to change the base?
AKS 1.5.0 CIS benchmark #1678
Conversation
Signed-off-by: rootxrishabh <[email protected]>
Added yamls for OKE
Signed-off-by: rootxrishabh <[email protected]>
Fixed issues with oke cluster testing
Merge Add oke support to Main
This reverts commit 96a8081.
This reverts commit 75ead54.
|
scored: false | ||
|
||
- id: 4.2 | ||
text: "Pod Security Policies" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was renamed to Pod Security Standards: https://workbench.cisecurity.org/benchmarks/15692/sections/2312375
- id: 4.2.1 | ||
text: "Minimize the admission of privileged containers (Automated)" | ||
remediation: | | ||
Create a PSP as described in the Kubernetes documentation, ensuring that |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
New (full) remediation text:
Add policies to each namespace in the cluster which has user workloads to restrict the admission of privileged containers.
To enable PSA for a namespace in your cluster, set the pod-security.kubernetes.io/enforce label with the policy value you want to enforce.
`kubectl label --overwrite ns NAMESPACE pod-security.kubernetes.io/enforce=restricted`
The above command enforces the restricted policy for the NAMESPACE namespace.
You can also enable Pod Security Admission for all your namespaces. For example:
`kubectl label --overwrite ns --all pod-security.kubernetes.io/warn=baseline`
Pod Security Policies and Assignments can be found by searching for Policies in the Azure Portal. A detailed step-by-step guide can be found here:
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes
- id: 4.2.2 | ||
text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)" | ||
remediation: | | ||
Create a PSP as described in the Kubernetes documentation, ensuring that the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
New (full) remediation text:
Add policies to each namespace in the cluster which has user workloads to restrict the admission of `hostPID` containers.
Pod Security Policies and Assignments can be found by searching for Policies in the Azure Portal. A detailed step-by-step guide can be found here:
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes
- id: 4.2.3 | ||
text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)" | ||
remediation: | | ||
Create a PSP as described in the Kubernetes documentation, ensuring that the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
New (full) remediation text:
Add policies to each namespace in the cluster which has user workloads to restrict the admission of `hostIPC` containers.
Pod Security Policies and Assignments can be found by searching for Policies in the Azure Portal. A detailed step-by-step guide can be found here:
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes
- id: 4.2.4 | ||
text: "Minimize the admission of containers wishing to share the host network namespace (Automated)" | ||
remediation: | | ||
Create a PSP as described in the Kubernetes documentation, ensuring that the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
New (full) remediation text:
Add policies to each namespace in the cluster which has user workloads to restrict the admission of `hostNetwork` containers.
Pod Security Policies and Assignments can be found by searching for Policies in the Azure Portal. A detailed step-by-step guide can be found here:
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes
- id: 4.2.5 | ||
text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)" | ||
remediation: | | ||
Create a PSP as described in the Kubernetes documentation, ensuring that the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
New (full) remediation text:
Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with `.spec.allowPrivilegeEscalation` set to `true`.
Pod Security Policies and Assignments can be found by searching for Policies in the Azure Portal. A detailed step-by-step guide can be found here:
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes
Can you please update when we can expected thi PR to be merged? |
Hi guys! thanks for your efforts! |
Adding AKS 1.5.0 benchmark
CIS_Azure_Kubernetes_Service_(AKS)_Benchmark_V1.5.0_PDF.pdf