Benchmark: PodTemplate
Description
This section contains recommendations for configuring PodTemplate resources.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-kubernetes-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select PodTemplate.
Run this benchmark in your terminal:
powerpipe benchmark run kubernetes_compliance.benchmark.all_controls_pod_templateSnapshot and share results via Turbot Pipes:
powerpipe benchmark run kubernetes_compliance.benchmark.all_controls_pod_template --shareControls
- PodTemplate containers should has admission capability restricted
- PodTemplate containers admission control plugin should be set to 'always pull images'
- PodTemplate containers admission control plugin should not be set to 'always admit'
- PodTemplate containers argument anonymous auth should be disabled
- PodTemplate containers argument etcd certfile and keyfile should be configured
- PodTemplate containers should have audit log max-age set to 30 or greater
- PodTemplate containers should have audit log max backup set to 10 or greater
- PodTemplate containers should have audit log max size set to 100 or greater
- PodTemplate containers should have audit log path configured appropriately
- PodTemplate containers argument authorization mode should not be set to 'always allow'
- PodTemplate containers argument authorization mode should have node
- PodTemplate containers argument authorization mode should have RBAC
- PodTemplate containers argument bind address should be set to 127.0.0.1
- PodTemplate containers argument etcd auto TLS should be disabled
- PodTemplate containers argument etcd cafile should be set
- PodTemplate containers should have etcd certfile and keyfile configured appropriately
- Podtemplate containers argument etcd client cert auth should be enabled
- PodTemplate containers should have etcd peer certfile and peer keyfile configured appropriately
- PodTemplate containers argument event qps should be less than 5
- PodTemplate containers argument insecure port should be set to 0
- PodTemplate containers kube-apiserver profiling should be disabled
- PodTemplate containers should have TLS cert file and TLS private key file configured appropriately
- PodTemplate containers argument kube-controller-manager bind address should be set to 127.0.0.1
- PodTemplate containers kube controller manager profiling should be disabled
- PodTemplate containers should have kube controller manager root CA file configured appropriately
- PodTemplate containers argument kube controller manager service account credentials should be enabled
- PodTemplate containers should have kube controller manager service account private key file configured appropriately
- PodTemplate containers kube scheduler profiling should be disabled
- PodTemplate containers argument anonymous auth should be disabled
- PodTemplate containers argument kubelet authorization mode should not be set to 'always allow'
- PodTemplate containers should have kubelet client CA file configured appropriately
- PodTemplate containers argument kubelet client certificate and key should be configured
- PodTemplate containers argument kubelet HTTPS should be enabled
- PodTemplate containers argument kubelet read-only port should be set to 0
- PodTemplate containers should have kubelet terminated pod gc threshold configured appropriately
- PodTemplate containers argument make iptables util chains should be enabled
- PodTemplate containers argument admission control plugin NamespaceLifecycle should be enabled
- PodTemplate containers argument admission control plugin NodeRestriction should be enabled
- PodTemplate containers argument admission control plugin PodSecurityPolicy should be enabled
- PodTemplate containers argument protect kernel defaults should be enabled
- PodTemplate containers argument request timeout should be set as appropriate
- PodTemplate containers argument rotate kubelet server certificate should be enabled
- PodTemplate containers argument secure port should not be set to 0
- PodTemplate containers argument admission control plugin where either PodSecurityPolicy or SecurityContextDeny should be enabled
- PodTemplate containers argument admission control plugin ServiceAccount should be enabled
- PodTemplate containers --service-account-key-file argument should be set as appropriate
- PodTemplate containers argument service account lookup should be enabled
- PodTemplate containers should have TLS cert file and TLS private key file configured appropriately
- PodTemplate containers should minimize its admission with capabilities assigned
- PodTemplate containers should have encryption providers configured appropriately
- PodTemplate containers ports should not have host port specified
- PodTemplate containers should has image pull policy set to Always
- PodTemplate containers have image tag specified which should be fixed not latest or blank
- PodTemplate containers should have kubelet certificate authority configured appropriately
- PodTemplate containers argument --streaming-connection-idle-timeout should not be set to 0
- PodTemplate containers Kubernetes dashboard should not be deployed
- PodTemplate containers should have liveness probe
- PodTemplate containers argument basic auth file should not be set
- PodTemplate containers argument hostname override should not be configured
- PodTemplate containers argument insecure bind address should not be set
- PodTemplate containers should not have privileged access
- PodTemplate containers should not allow privilege escalation
- PodTemplate containers should have readiness probe
- PodTemplate containers certificate rotation should be enabled
- PodTemplate containers should have secrets defined as files
- PodTemplate containers should has security context defined
- PodTemplate containers kube-apiserver should only make use of strong cryptographic ciphers
- PodTemplate containers kubelet should only make use of strong cryptographic ciphers
- PodTemplate containers should not use CAP_SYS_ADMIN Linux capability
- PodTemplate containers token auth file should not be configured
- PodTemplate containers should not have added capabilities
- PodTemplate containers should have a CPU limit
- PodTemplate containers should have a CPU request
- PodTemplate containers should run with a read only root file system
- PodTemplate containers should have a memory limit
- PodTemplate containers should have a memory request