Ensure that the --anonymous-auth argument is set to false Details Disable anonymous requests to the API server. Rationale: When enabled, requests that are not rejected by other configured authentication...
Ensure that the API server pod specification file ownership is set to root:root Details Ensure that the API server pod specification file ownership is set to root:root. Rationale: The API server pod specification...
Ensure that the API server pod specification file permissions are set to 644 or more restrictive Details Ensure that the API server pod specification file has permissions of 644 or more restrictive. Rationale: The API server...
Ensure that the --audit-log-maxage argument is set to 30 or as appropriate Details Retain the logs for at least 30 days or as appropriate. Rationale: Retaining logs for at least 30 days...
Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate Details Retain 10 or an appropriate number of old log files. Rationale: Kubernetes automatically rotates the log files. Retaining old...
Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate Details Rotate log files on reaching 100 MB or as appropriate. Rationale: Kubernetes automatically rotates the log files. Retaining old...
Ensure that the --audit-log-path argument is set Details Enable auditing on the Kubernetes API Server and set the desired audit log path. Rationale: Auditing the Kubernetes API...
Ensure that the --authorization-mode argument includes Node Details Restrict kubelet nodes to reading only objects associated with them. Rationale: The Node authorization mode only allows kubelets to...
Ensure that the --authorization-mode argument includes RBAC Details Turn on Role Based Access Control. Rationale: Role Based Access Control (RBAC) allows fine-grained control over the operations that...
Ensure that the --authorization-mode argument is not set to AlwaysAllow Details Do not always authorize all requests. Rationale: The API Server can be configured to allow all requests. This mode...