-
kubernetes CIS 벤치마크 테스트 도구 kube-benchHOWTO 2021. 10. 14. 21:27
Kubernetes CIS 벤치마크는 비영리 조직인 CIS (Center for Internet Security) 에서 제공하는 kubernetes 환경에서 배포를 보호하는 방법에 대한 정보가 포함되어 있는 모범사례이다.
벤치마크 항목들에 대해서는 cis 홈페이지에서 개인정보와 맞바꿔 다운로드 받을 수 있는데 약 250페이지 정도 된다.
Kubernetes Control plane 과 Worker Node 로 나눠져 있고, 요약된 벤치마크 항목은 아래 내용을 참고하시라. (요약이지만 길다)
이 250 페이지의 내용을 하나하나 읽어보고 설정을 확인할 수 있다면 좋겠지만 바쁘다 바빠 현대사회를 사는 우리는 kube-bench 라는 도구를 이용하여 효율적으로 취약한 부분을 검토할 수 있다.
https://github.com/aquasecurity/kube-bench
1. kube-bench 설치
kube-bench 는 별도로 설치가 필요하지 않다. kubernetes job을 하나 띄우고 결과를 확인하면 된다. 하지만 NKS (Ncloud Kubernetes Service)와 같이 CSP에서 제공하는 Kubernetes 서비스는 control plane인 master node를 노출하지 않기때문에 worker node에 대한 검사 결과만 확인할 수 있다.
먼저 아래 job.yaml 파일을 복사해서 kubectl 을 수행할 서버에 저장해 두고 job.yaml 을 배포한다.
--- apiVersion: batch/v1 kind: Job metadata: name: kube-bench spec: template: metadata: labels: app: kube-bench spec: hostPID: true containers: - name: kube-bench image: aquasec/kube-bench:0.6.3 command: ["kube-bench"] volumeMounts: - name: var-lib-etcd mountPath: /var/lib/etcd readOnly: true - name: var-lib-kubelet mountPath: /var/lib/kubelet readOnly: true - name: var-lib-kube-scheduler mountPath: /var/lib/kube-scheduler readOnly: true - name: var-lib-kube-controller-manager mountPath: /var/lib/kube-controller-manager readOnly: true - name: etc-systemd mountPath: /etc/systemd readOnly: true - name: lib-systemd mountPath: /lib/systemd/ readOnly: true - name: srv-kubernetes mountPath: /srv/kubernetes/ readOnly: true - name: etc-kubernetes mountPath: /etc/kubernetes readOnly: true # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version. # You can omit this mount if you specify --version as part of the command. - name: usr-bin mountPath: /usr/local/mount-from-host/bin readOnly: true - name: etc-cni-netd mountPath: /etc/cni/net.d/ readOnly: true - name: opt-cni-bin mountPath: /opt/cni/bin/ readOnly: true restartPolicy: Never volumes: - name: var-lib-etcd hostPath: path: "/var/lib/etcd" - name: var-lib-kubelet hostPath: path: "/var/lib/kubelet" - name: var-lib-kube-scheduler hostPath: path: "/var/lib/kube-scheduler" - name: var-lib-kube-controller-manager hostPath: path: "/var/lib/kube-controller-manager" - name: etc-systemd hostPath: path: "/etc/systemd" - name: lib-systemd hostPath: path: "/lib/systemd" - name: srv-kubernetes hostPath: path: "/srv/kubernetes" - name: etc-kubernetes hostPath: path: "/etc/kubernetes" - name: usr-bin hostPath: path: "/usr/bin" - name: etc-cni-netd hostPath: path: "/etc/cni/net.d/" - name: opt-cni-bin hostPath: path: "/opt/cni/bin/"kubectl apply -f job.yaml kubectl get pods | grep kube-bench kube-bench-4d4k6 0/1 Completed 0 31hkube-bench 는 job 으로 배포되기 때문에 한번 수행한 다음 Completed 로 종료된다.
2. kube-bench 결과 조회
kube-bench job pod 의 로그를 조회하면 검사 결과를 확인할 수 있다.
kubectl logs kube-bench-4d4k6 [INFO] 4 Worker Node Security Configuration [INFO] 4.1 Worker Node Configuration Files [PASS] 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated) [PASS] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated) [PASS] 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual) [PASS] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Manual) [PASS] 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated) [PASS] 4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Manual) [PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual) [PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Manual) [PASS] 4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated) [PASS] 4.1.10 Ensure that the kubelet --config configuration file ownership is set to root:root (Automated) [INFO] 4.2 Kubelet [FAIL] 4.2.1 Ensure that the anonymous-auth argument is set to false (Automated) [FAIL] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated) [FAIL] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated) [PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual) [PASS] 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual) [FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated) [PASS] 4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated) [WARN] 4.2.8 Ensure that the --hostname-override argument is not set (Manual) [WARN] 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual) [WARN] 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual) [PASS] 4.2.11 Ensure that the --rotate-certificates argument is not set to false (Manual) [PASS] 4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual) [WARN] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual) == Remediations node == 4.2.1 If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to false. If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --anonymous-auth=false Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service 4.2.2 If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable. --authorization-mode=Webhook Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service 4.2.3 If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to the location of the client CA file. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable. --client-ca-file=<path/to/client-ca-file> Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service 4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --protect-kernel-defaults=true Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service 4.2.8 Edit the kubelet service file /etc/systemd/system/kubelet.service on each worker node and remove the --hostname-override argument from the KUBELET_SYSTEM_PODS_ARGS variable. Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service 4.2.9 If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service 4.2.10 If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the corresponding private key file. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service on each worker node and set the below parameters in KUBELET_CERTIFICATE_ARGS variable. --tls-cert-file=<path/to/tls-certificate-file> --tls-private-key-file=<path/to/tls-key-file> Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service 4.2.13 If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 or to a subset of these values. If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service on each worker node and set the --tls-cipher-suites parameter as follows, or to a subset of these values. --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service == Summary node == 15 checks PASS 4 checks FAIL 4 checks WARN 0 checks INFO [INFO] 5 Kubernetes Policies [INFO] 5.1 RBAC and Service Accounts [WARN] 5.1.1 Ensure that the cluster-admin role is only used where required (Manual) [WARN] 5.1.2 Minimize access to secrets (Manual) [WARN] 5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual) [WARN] 5.1.4 Minimize access to create pods (Manual) [WARN] 5.1.5 Ensure that default service accounts are not actively used. (Manual) [WARN] 5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual) [INFO] 5.2 Pod Security Policies [WARN] 5.2.1 Minimize the admission of privileged containers (Manual) [WARN] 5.2.2 Minimize the admission of containers wishing to share the host process ID namespace (Manual) [WARN] 5.2.3 Minimize the admission of containers wishing to share the host IPC namespace (Manual) [WARN] 5.2.4 Minimize the admission of containers wishing to share the host network namespace (Manual) [WARN] 5.2.5 Minimize the admission of containers with allowPrivilegeEscalation (Manual) [WARN] 5.2.6 Minimize the admission of root containers (Manual) [WARN] 5.2.7 Minimize the admission of containers with the NET_RAW capability (Manual) [WARN] 5.2.8 Minimize the admission of containers with added capabilities (Manual) [WARN] 5.2.9 Minimize the admission of containers with capabilities assigned (Manual) [INFO] 5.3 Network Policies and CNI [WARN] 5.3.1 Ensure that the CNI in use supports Network Policies (Manual) [WARN] 5.3.2 Ensure that all Namespaces have Network Policies defined (Manual) [INFO] 5.4 Secrets Management [WARN] 5.4.1 Prefer using secrets as files over secrets as environment variables (Manual) [WARN] 5.4.2 Consider external secret storage (Manual) [INFO] 5.5 Extensible Admission Control [WARN] 5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual) [INFO] 5.7 General Policies [WARN] 5.7.1 Create administrative boundaries between resources using namespaces (Manual) [WARN] 5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual) [WARN] 5.7.3 Apply Security Context to Your Pods and Containers (Manual) [WARN] 5.7.4 The default namespace should not be used (Manual) == Remediations policies == 5.1.1 Identify all clusterrolebindings to the cluster-admin role. Check if they are used and if they need this role or if they could use a role with fewer privileges. Where possible, first bind users to a lower privileged role and then remove the clusterrolebinding to the cluster-admin role : kubectl delete clusterrolebinding [name] 5.1.2 Where possible, remove get, list and watch access to secret objects in the cluster. 5.1.3 Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions. 5.1.4 Where possible, remove create access to pod objects in the cluster. 5.1.5 Create explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value automountServiceAccountToken: false 5.1.6 Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it. 5.2.1 Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false. 5.2.2 Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false. 5.2.3 Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false. 5.2.4 Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false. 5.2.5 Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false. 5.2.6 Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0. 5.2.7 Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL. 5.2.8 Ensure that allowedCapabilities is not present in PSPs for the cluster unless it is set to an empty array. 5.2.9 Review the use of capabilites in applications running on your cluster. Where a namespace contains applicaions which do not require any Linux capabities to operate consider adding a PSP which forbids the admission of containers which do not drop all capabilities. 5.3.1 If the CNI plugin in use does not support network policies, consideration should be given to making use of a different plugin, or finding an alternate mechanism for restricting traffic in the Kubernetes cluster. 5.3.2 Follow the documentation and create NetworkPolicy objects as you need them. 5.4.1 if possible, rewrite application code to read secrets from mounted secret files, rather than from environment variables. 5.4.2 Refer to the secrets management options offered by your cloud provider or a third-party secrets management solution. 5.5.1 Follow the Kubernetes documentation and setup image provenance. 5.7.1 Follow the documentation and create namespaces for objects in your deployment as you need them. 5.7.2 Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you would need to enable alpha features in the apiserver by passing "--feature- gates=AllAlpha=true" argument. Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS parameter to "--feature-gates=AllAlpha=true" KUBE_API_ARGS="--feature-gates=AllAlpha=true" Based on your system, restart the kube-apiserver service. For example: systemctl restart kube-apiserver.service Use annotations to enable the docker/default seccomp profile in your pod definitions. An example is as below: apiVersion: v1 kind: Pod metadata: name: trustworthy-pod annotations: seccomp.security.alpha.kubernetes.io/pod: docker/default spec: containers: - name: trustworthy-container image: sotrustworthy:latest 5.7.3 Follow the Kubernetes documentation and apply security contexts to your pods. For a suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker Containers. 5.7.4 Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace. == Summary policies == 0 checks PASS 0 checks FAIL 24 checks WARN 0 checks INFO == Summary total == 15 checks PASS 4 checks FAIL 28 checks WARN 0 checks INFO반응형'HOWTO' 카테고리의 다른 글
squid http proxy 사용해서 aws ecr 에 docker image push 하기 (0) 2021.12.29 폐쇄망에서 kubectl 설치하기 (0) 2021.12.14 kubernetes 워크로드 구성 검사 실행 - Polaris by Fairwinds (0) 2021.10.08 kubernetes manifest 분석 도구 kube-score 사용법 (0) 2021.10.08 Installing CKAN with Docker Compose (ubuntu 16.04) (0) 2020.10.11