K8s API Server security settings
Run this command on the master node to see the configuration parameters (flags) the K8s API server was started with:

```shell
ps -ef | grep kube-apiserver
```
As per section 1.2 of the CIS Benchmark, the table below lists (1) the parameter, (2) its default value and (3) its desired value.
| Flag | Default | Desired value |
|---|---|---|
| --anonymous-auth | TRUE | FALSE |
| --basic-auth-file | ABSENT | ABSENT |
| --token-auth-file | ABSENT | ABSENT |
| --kubelet-https | TRUE | TRUE |
| --kubelet-client-certificate | Not set | `<path/to/client-certificate-file>` |
| --kubelet-client-key | Not set | `<path/to/client-key-file>` |
| --kubelet-certificate-authority | Not set | `<ca string>` |
| --authorization-mode | NOT 'AlwaysAllow' | NOT 'AlwaysAllow' |
| --authorization-mode | Not enabled | ...,RBAC,Node,... |
| --insecure-bind-address | ABSENT | ABSENT |
| --insecure-port | 8080 | 0 (must be 0 in k8s v1.20; also used for bootstrap access; the flag will be removed in v1.24) |
| --secure-port | 6443 | 1 to 65535 |
| --profiling | TRUE | FALSE |
| --audit-log-maxage | Disabled | Minimum 30 (days) |
| --audit-log-maxbackup | Disabled | Minimum 10 (files) |
| --audit-log-maxsize | Disabled | 100 (MB) or as appropriate |
| --request-timeout | 60 s | Set as appropriate, e.g. 300s |
| --service-account-lookup | TRUE | TRUE |
| --service-account-key-file | ABSENT | Public key file for service accounts (the private key goes to the controller manager) |
| --etcd-certfile | Not set | As appropriate |
| --etcd-keyfile | Not set | As appropriate |
| --tls-cert-file | Not set | As appropriate; do not use a self-signed certificate |
| --tls-private-key-file | Not set | As appropriate |
| --client-ca-file | Not set | As appropriate |
| --etcd-cafile | Not set | As appropriate |
| --encryption-provider-config | Not set | EncryptionConfig file |
* --tls-cipher-suites: the K8s API server supports a wide range of cipher suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384. One should select a strong cipher suite.
* --enable-admission-plugins: one should enable the following admission plugins: EventRateLimit, AlwaysPullImages, SecurityContextDeny or PodSecurityPolicy, NodeRestriction.
* --disable-admission-plugins: one should disable the following admission plugins: ServiceAccount, NamespaceLifecycle, AlwaysAdmit.
* --audit-log-path: absent by default. One should specify a path on secure storage together with the maxage, maxsize and maxbackup parameters, e.g. /var/log/apiserver/audit.log.
* EncryptionConfig file: the provider is one of aesgcm, aescbc, kms or secretbox. Specify the provider in an EncryptionConfiguration k8s object.
Additional tips not in the CIS Benchmark
* --tls-min-version: its value should be >= 1.2.
* One should enable the following feature gate: --feature-gates AdvancedAuditing=TRUE
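As an added check that is not part of the original post, the script below parses one `ps -ef` line of the kind shown at the top of the page and reports every flag that deviates from the table above or from the --tls-min-version tip. The ps line, the certificate paths and the thresholds are constructed from this page's table, not taken from a real node, and the parser assumes the `--flag=value` form.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit one kube-apiserver command line, as printed by
# `ps -ef | grep kube-apiserver`, against the CIS 1.2 values in the table above plus --tls-min-version.
# SAMPLE_PS_LINE is constructed, with five deliberate deviations; it assumes the --flag=value form.
SAMPLE_PS_LINE='root 1234 1 2 10:00 ? 00:05:00 kube-apiserver --anonymous-auth=true --insecure-port=8080 --secure-port=6443 --profiling=false --authorization-mode=Node,RBAC --audit-log-path=/var/log/apiserver/audit.log --audit-log-maxage=30 --audit-log-maxbackup=5 --audit-log-maxsize=100 --tls-min-version=VersionTLS12 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key --client-ca-file=/etc/kubernetes/pki/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --service-account-key-file=/etc/kubernetes/pki/sa.pub'
# flag_value LINE FLAG: print the value of --FLAG (a bare boolean flag counts as true); exit 1 if absent.
flag_value() (
  set -f                                   # no pathname expansion while splitting the line into tokens
  for tok in $1; do
    case $tok in
      --"$2"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
      --"$2")   echo true;                 return 0 ;;
    esac
  done
  return 1
)
# cis_findings LINE: print one "FAIL --flag: reason" per deviation from the table; exit 1 if there is any.
cis_findings() {
  local line=$1 v f m spec rc=0
  fail() { echo "FAIL --$1: $2"; rc=1; }
  # Authentication: anonymous auth defaults to true; static credential files and the insecure bind address must be absent.
  v=$(flag_value "$line" anonymous-auth || echo true); [ "$v" = false ] || fail anonymous-auth "expected false, got $v"
  for f in basic-auth-file token-auth-file insecure-bind-address; do
    flag_value "$line" "$f" >/dev/null && fail "$f" "must be absent"
  done
  # The insecure port defaults to 8080 and must be 0; profiling defaults to true and must be off.
  v=$(flag_value "$line" insecure-port || echo 8080); [ "$v" = 0 ] || fail insecure-port "expected 0, got $v"
  v=$(flag_value "$line" profiling || echo true);     [ "$v" = false ] || fail profiling "expected false, got $v"
  # Authorization: AlwaysAllow is forbidden; RBAC and Node must both appear in the comma-separated list.
  v=$(flag_value "$line" authorization-mode || echo AlwaysAllow)
  case ",$v," in *,AlwaysAllow,*) fail authorization-mode "AlwaysAllow is enabled" ;; esac
  for m in RBAC Node; do case ",$v," in *,"$m",*) ;; *) fail authorization-mode "$m is missing" ;; esac; done
  # Audit log: a path plus the table's minimum retention (30 days, 10 files, 100 MB).
  flag_value "$line" audit-log-path >/dev/null || fail audit-log-path "not set"
  for spec in audit-log-maxage:30 audit-log-maxbackup:10 audit-log-maxsize:100; do
    f=${spec%%:*}; v=$(flag_value "$line" "$f" || echo 0); [ "$v" -ge "${spec##*:}" ] || fail "$f" "expected >= ${spec##*:}, got $v"
  done
  # Certificates, keys and the encryption config must all be set; the TLS floor is 1.2 (VersionTLS12).
  for f in kubelet-client-certificate kubelet-client-key kubelet-certificate-authority tls-cert-file tls-private-key-file \
           client-ca-file etcd-certfile etcd-keyfile etcd-cafile service-account-key-file encryption-provider-config; do
    flag_value "$line" "$f" >/dev/null || fail "$f" "not set"
  done
  v=$(flag_value "$line" tls-min-version || echo unset)
  case $v in VersionTLS12|VersionTLS13) ;; *) fail tls-min-version "expected VersionTLS12 or higher, got $v" ;; esac
  return $rc
}
cis_findings "$SAMPLE_PS_LINE" || echo "deviations found (exit status $?)"
```

On a real master node, replace SAMPLE_PS_LINE with the output of `ps -ef | grep '[k]ube-apiserver'` (the bracket keeps grep from matching itself).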