Benchmark: ReplicationController
Description
This section contains recommendations for configuring ReplicationController resources.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-kubernetes-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select ReplicationController.
Run this benchmark in your terminal:
powerpipe benchmark run kubernetes_compliance.benchmark.all_controls_replication_controller
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run kubernetes_compliance.benchmark.all_controls_replication_controller --share
Controls
 - Replication Controller containers should have admission capability restricted
 - Replication Controller containers admission control plugin should be set to 'always pull images'
 - Replication Controller containers admission control plugin should not be set to 'always admit'
 - Replication Controller containers peer client cert auth should be enabled
 - Replication Controller containers argument anonymous auth should be disabled
 - Replication Controller containers should have audit log max-age set to 30 or greater
 - Replication Controller containers should have audit log max backup set to 10 or greater
 - Replication Controller containers should have audit log max size set to 100 or greater
 - Replication Controller containers should have audit log path configured appropriately
 - Replication Controller containers argument authorization mode should not be set to 'always allow'
 - Replication Controller containers argument authorization mode should have node
 - Replication Controller containers argument authorization mode should have RBAC
 - Replication Controller containers argument etcd auto TLS should be disabled
 - Replication Controller containers argument etcd cafile should be set
 - Replication Controller containers should have etcd certfile and keyfile configured appropriately
 - Replication Controller containers argument etcd client cert auth should be enabled
 - Replication Controller containers should have etcd peer certfile and peer keyfile configured appropriately
 - Replication Controller containers argument event qps should be less than 5
 - Replication Controller containers argument insecure port should be set to 0
 - Replication Controller containers argument apiserver etcd certfile and keyfile should be configured
 - Replication Controller containers kube-apiserver profiling should be disabled
 - Replication Controller containers should have kube-apiserver TLS cert file and TLS private key file configured appropriately
 - Replication Controller containers argument kube-controller-manager bind address should be set to 127.0.0.1
 - Replication Controller containers kube controller manager profiling should be disabled
 - Replication Controller containers should have kube controller manager root CA file configured appropriately
 - Replication Controller containers argument kube controller manager service account credentials should be enabled
 - Replication Controller containers should have kube controller manager service account private key file configured appropriately
 - Replication Controller containers argument kube-scheduler bind address should be set to 127.0.0.1
 - Replication Controller containers kube scheduler profiling should be disabled
 - Replication Controller containers argument kubelet authorization mode should not be set to 'always allow'
 - Replication Controller containers should have kubelet client CA file configured appropriately
 - Replication Controller containers argument kubelet client certificate and key should be configured
 - Replication Controller containers argument kubelet HTTPS should be enabled
 - Replication Controller containers argument kubelet read-only port should be set to 0
 - Replication Controller containers should have kubelet terminated pod gc threshold configured appropriately
 - Replication Controller containers should have kubelet TLS cert file and TLS private key file configured appropriately
 - Replication Controller containers argument make iptables util chains should be enabled
 - Replication Controller containers argument admission control plugin NamespaceLifecycle should be enabled
 - Replication Controller containers argument admission control plugin NodeRestriction should be enabled
 - Replication Controller containers argument admission control plugin PodSecurityPolicy should be enabled
 - Replication Controller containers argument protect kernel defaults should be enabled
 - Replication Controller containers argument request timeout should be set as appropriate
 - Replication Controller containers argument rotate kubelet server certificate should be enabled
 - Replication Controller containers argument secure port should not be set to 0
 - Replication Controller containers argument admission control plugin should have either PodSecurityPolicy or SecurityContextDeny enabled
 - Replication Controller containers argument admission control plugin ServiceAccount should be enabled
 - Replication Controller containers --service-account-key-file argument should be set as appropriate
 - Replication Controller containers argument service account lookup should be enabled
 - Replication Controller containers should minimize the admission of containers with capabilities assigned
 - Replication Controller containers should have encryption providers configured appropriately
 - Replication Controller containers ports should not have host port specified
 - Replication Controller containers should have image pull policy set to Always
 - Replication Controller containers should have an image tag specified that is fixed, not latest or blank
 - Replication Controller containers should have kubelet certificate authority configured appropriately
 - Replication Controller containers Kubernetes dashboard should not be deployed
 - ReplicationController containers should have liveness probe
 - Replication Controller containers argument basic auth file should not be set
 - Replication Controller containers argument hostname override should not be configured
 - Replication Controller containers argument insecure bind address should not be set
 - ReplicationController containers should not have privileged access
 - ReplicationController containers should not allow privilege escalation
 - ReplicationController containers should not be mapped to privileged ports
 - ReplicationController containers should have readiness probe
 - Replication Controller containers certificate rotation should be enabled
 - Replication Controller containers should have secrets defined as files
 - Replication Controller containers should have securityContext defined
 - Replication Controller containers argument --streaming-connection-idle-timeout should not be set to 0
 - Replication Controller containers kube-apiserver should only make use of strong cryptographic ciphers
 - Replication Controller containers kubelet should only make use of strong cryptographic ciphers
 - Replication Controller containers should not use the CAP_SYS_ADMIN Linux capability
 - Replication Controller containers token auth file should not be configured
 - Replication Controller containers should minimize the admission of containers with added capability
 - ReplicationController containers should have a CPU limit
 - ReplicationController containers should have a CPU request
 - ReplicationController definition should not use default namespace
 - Seccomp profile should be set to docker/default in your Replication Controller definition
 - ReplicationController containers should not run with host network access
 - ReplicationController containers should not share the host process namespace
 - ReplicationController containers should run with a read-only root file system
 - ReplicationController containers should have a memory limit
 - ReplicationController containers should have a memory request
 - ReplicationController containers should not run with root privileges