CIS Kubernetes V1.20 Benchmark V1.0.0 L1 Master

Details Ensure that the etcd data directory has permissions of 700 or more restrictive. Rationale: etcd is a highly-available key-value...

Details Ensure that the /etc/kubernetes/manifests/etcd.yaml file ownership is set to root:root. Rationale: The etcd pod specification file /etc/kubernetes/manifests/etcd.yaml controls various...

Details Do not bind the insecure API service. Rationale: If you bind the apiserver to an insecure address, basically anyone...

Details Do not bind to insecure port. Rationale: Setting up the apiserver to serve on an insecure port would allow...

Details Verify kubelet’s certificate before establishing connection. Rationale: The connections from the apiserver to the kubelet are used for fetching...

Details Enable certificate based kubelet authentication. Rationale: The apiserver, by default, does not authenticate itself to the kubelet’s HTTPS endpoints....

Details Enable certificate based kubelet authentication. Rationale: The apiserver, by default, does not authenticate itself to the kubelet’s HTTPS endpoints....

Details Use https for kubelet connections. Rationale: Connections from apiserver to kubelets could potentially carry sensitive data such as secrets...

Details Ensure that Kubernetes PKI certificate files have permissions of 644 or more restrictive. Rationale: Kubernetes makes use of a...

Details Ensure that the Kubernetes PKI directory and file ownership is set to root:root. Rationale: Kubernetes makes use of a...