Azure - Kubernetes
VM hosted Kubernetes Security Policies
| Category Name | Policy Name |
|---|---|
| Kubernetes - Control Plane Components - Master Node Configuration Files | VM hosted - Ensure that the API server pod specification file permissions are set to 644 or more restrictive |
| Kubernetes - Control Plane Components - Master Node Configuration Files | VM hosted - Ensure that the API server pod specification file ownership is set to root:root |
| Kubernetes - Control Plane Components - Master Node Configuration Files | VM hosted - Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive |
| Kubernetes - Control Plane Components - Master Node Configuration Files | VM hosted - Ensure that the controller manager pod specification file ownership is set to root:root |
| Kubernetes - Control Plane Components - Master Node Configuration Files | VM hosted - Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive |
| Kubernetes - Control Plane Components - Master Node Configuration Files | VM hosted - Ensure that the scheduler pod specification file ownership is set to root:root |
| Kubernetes - Control Plane Components - Master Node Configuration Files | VM hosted - Ensure that the etcd pod specification file permissions are set to 644 or more restrictive |
| Kubernetes - Control Plane Components - Master Node Configuration Files | VM hosted - Ensure that the etcd pod specification file ownership is set to root:root |
| Kubernetes - Control Plane Components - Master Node Configuration Files | VM hosted - Ensure that the etcd data directory permissions are set to 700 or more restrictive |
| Kubernetes - Control Plane Components - Master Node Configuration Files | VM hosted - Ensure that the etcd data directory ownership is set to etcd:etcd |
| Kubernetes - Control Plane Components - Master Node Configuration Files | VM hosted - Ensure that the admin.conf file permissions are set to 644 or more restrictive |
| Kubernetes - Control Plane Components - Master Node Configuration Files | VM hosted - Ensure that the admin.conf file ownership is set to root:root |
| Kubernetes - Control Plane Components - Master Node Configuration Files | VM hosted - Ensure that the scheduler.conf file permissions are set to 644 or more restrictive |
| Kubernetes - Control Plane Components - Master Node Configuration Files | VM hosted - Ensure that the scheduler.conf file ownership is set to root:root |
| Kubernetes - Control Plane Components - Master Node Configuration Files | VM hosted - Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive |
| Kubernetes - Control Plane Components - Master Node Configuration Files | VM hosted - Ensure that the controller-manager.conf file ownership is set to root:root |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --basic-auth-file argument is not set |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --token-auth-file argument is not set |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --kubelet-https argument is set to true |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --kubelet-certificate-authority argument is set as appropriate |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --authorization-mode argument is not set to AlwaysAllow |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --authorization-mode argument includes Node |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --authorization-mode argument includes RBAC |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the admission control plugin AlwaysAdmit is not set |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the admission control plugin ServiceAccount is set |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the admission control plugin NamespaceLifecycle is set |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the admission control plugin PodSecurityPolicy is set |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the admission control plugin NodeRestriction is set |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --insecure-bind-address argument is not set |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --insecure-port argument is set to 0 |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --secure-port argument is not set to 0 |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --profiling argument is set to false |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --request-timeout argument is set as appropriate |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --service-account-lookup argument is set to true |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --service-account-key-file argument is set as appropriate |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --client-ca-file argument is set as appropriate |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --etcd-cafile argument is set as appropriate |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --audit-log-maxage argument is set to 30 or as appropriate |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --audit-log-path argument is set |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate |
| Kubernetes - Control Plane Components - API Server | VM hosted - Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate |
| Kubernetes - Control Plane Components - Controller Manager | VM hosted - Ensure that the --use-service-account-credentials argument is set to true |
| Kubernetes - Control Plane Components - Controller Manager | VM hosted - Ensure that the --profiling argument is set to false |
| Kubernetes - Control Plane Components - Controller Manager | VM hosted - Ensure that the --root-ca-file argument is set as appropriate |
| Kubernetes - Control Plane Components - Controller Manager | VM hosted - Ensure that the --service-account-private-key-file argument is set as appropriate |
| Kubernetes - Control Plane Components - Controller Manager | VM hosted - Ensure that the --bind-address argument is set to 127.0.0.1 |
| Kubernetes - Control Plane Components - Controller Manager | VM hosted - Ensure that the RotateKubeletServerCertificate argument is set to true |
| Kubernetes - Control Plane Components - Scheduler | VM hosted - Ensure that the --profiling argument is set to false |
| Kubernetes - Control Plane Components - Scheduler | VM hosted - Ensure that the --bind-address argument is set to 127.0.0.1 |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | VM hosted - Ensure that the kubelet service file has permissions of 644 or more restrictive |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | VM hosted - Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | VM hosted - Ensure that the kubelet service file ownership is set to root:root |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | VM hosted - Ensure that the kubelet.conf file permissions are set to 644 or more restrictive |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | VM hosted - Ensure that the proxy kubeconfig file ownership is set to root:root |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | VM hosted - Ensure that the client certificate authorities file ownership is set to root:root |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | VM hosted - Ensure that the kubelet.conf file ownership is set to root:root |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | VM hosted - Ensure that the kubelet configuration file ownership is set to root:root |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | VM hosted - Ensure that the kubelet configuration file has permissions set to 644 or more restrictive |
| Kubernetes - Worker Nodes - Kubelet | VM hosted - Ensure that the --anonymous-auth argument is set to false |
| Kubernetes - Worker Nodes - Kubelet | VM hosted - Ensure that the --client-ca-file argument is set as appropriate |
| Kubernetes - Worker Nodes - Kubelet | VM hosted - Ensure that the --authorization-mode argument is not set to AlwaysAllow |
| Kubernetes - Worker Nodes - Kubelet | VM hosted - Ensure that the --read-only-port argument is set to 0 |
| Kubernetes - Worker Nodes - Kubelet | VM hosted - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 |
| Kubernetes - Worker Nodes - Kubelet | VM hosted - Ensure that the --protect-kernel-defaults argument is set to true |
| Kubernetes - Worker Nodes - Kubelet | VM hosted - Ensure that the --make-iptables-util-chains argument is set to true |
| Kubernetes - Worker Nodes - Kubelet | VM hosted - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate |
| Kubernetes - Worker Nodes - Kubelet | VM hosted - Ensure that the --rotate-certificates argument is not set to false |
| Kubernetes - Worker Nodes - Kubelet | VM hosted - Ensure that the RotateKubeletServerCertificate argument is set to true |
AKS Engine Security Policies
| Category Name | Policy Name |
|---|---|
| Kubernetes - Control Plane Components - Master Node Configuration Files | AKS Engine - Ensure that the API server pod specification file permissions are set to 644 or more restrictive |
| Kubernetes - Control Plane Components - Master Node Configuration Files | AKS Engine - Ensure that the API server pod specification file ownership is set to root:root |
| Kubernetes - Control Plane Components - Master Node Configuration Files | AKS Engine - Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive |
| Kubernetes - Control Plane Components - Master Node Configuration Files | AKS Engine - Ensure that the controller manager pod specification file ownership is set to root:root |
| Kubernetes - Control Plane Components - Master Node Configuration Files | AKS Engine - Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive |
| Kubernetes - Control Plane Components - Master Node Configuration Files | AKS Engine - Ensure that the scheduler pod specification file ownership is set to root:root |
| Kubernetes - Control Plane Components - Master Node Configuration Files | AKS Engine - Ensure that the etcd pod specification file permissions are set to 644 or more restrictive |
| Kubernetes - Control Plane Components - Master Node Configuration Files | AKS Engine - Ensure that the etcd pod specification file ownership is set to root:root |
| Kubernetes - Control Plane Components - Master Node Configuration Files | AKS Engine - Ensure that the etcd data directory permissions are set to 700 or more restrictive |
| Kubernetes - Control Plane Components - Master Node Configuration Files | AKS Engine - Ensure that the etcd data directory ownership is set to etcd:etcd |
| Kubernetes - Control Plane Components - Master Node Configuration Files | AKS Engine - Ensure that the admin.conf file permissions are set to 644 or more restrictive |
| Kubernetes - Control Plane Components - Master Node Configuration Files | AKS Engine - Ensure that the admin.conf file ownership is set to root:root |
| Kubernetes - Control Plane Components - Master Node Configuration Files | AKS Engine - Ensure that the scheduler.conf file permissions are set to 644 or more restrictive |
| Kubernetes - Control Plane Components - Master Node Configuration Files | AKS Engine - Ensure that the scheduler.conf file ownership is set to root:root |
| Kubernetes - Control Plane Components - Master Node Configuration Files | AKS Engine - Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive |
| Kubernetes - Control Plane Components - Master Node Configuration Files | AKS Engine - Ensure that the controller-manager.conf file ownership is set to root:root |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --token-auth-file argument is not set |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --basic-auth-file argument is not set |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --kubelet-https argument is set to true |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --authorization-mode argument is not set to AlwaysAllow |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --kubelet-certificate-authority argument is set as appropriate |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --authorization-mode argument includes RBAC |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --authorization-mode argument includes Node |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the admission control plugin ServiceAccount is set |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the admission control plugin AlwaysAdmit is not set |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the admission control plugin PodSecurityPolicy is set |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the admission control plugin NamespaceLifecycle is set |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --insecure-bind-address argument is not set |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the admission control plugin NodeRestriction is set |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --secure-port argument is not set to 0 |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --insecure-port argument is set to 0 |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --request-timeout argument is set as appropriate |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --profiling argument is set to false |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --service-account-key-file argument is set as appropriate |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --service-account-lookup argument is set to true |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --etcd-cafile argument is set as appropriate |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --client-ca-file argument is set as appropriate |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --audit-log-path argument is set |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --audit-log-maxage argument is set to 30 or as appropriate |
| Kubernetes - Control Plane Components - API Server | AKS Engine - Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate |
| Kubernetes - Control Plane Components - Controller Manager | AKS Engine - Ensure that the --profiling argument is set to false |
| Kubernetes - Control Plane Components - Controller Manager | AKS Engine - Ensure that the --terminated-pod-gc-threshold argument is set as appropriate |
| Kubernetes - Control Plane Components - Controller Manager | AKS Engine - Ensure that the --service-account-private-key-file argument is set as appropriate |
| Kubernetes - Control Plane Components - Controller Manager | AKS Engine - Ensure that the --use-service-account-credentials argument is set to true |
| Kubernetes - Control Plane Components - Controller Manager | AKS Engine - Ensure that the RotateKubeletServerCertificate argument is set to true |
| Kubernetes - Control Plane Components - Controller Manager | AKS Engine - Ensure that the --root-ca-file argument is set as appropriate |
| Kubernetes - Control Plane Components - Controller Manager | AKS Engine - Ensure that the --bind-address argument is set to 127.0.0.1 |
| Kubernetes - Control Plane Components - Scheduler | AKS Engine - Ensure that the --profiling argument is set to false |
| Kubernetes - Control Plane Components - Scheduler | AKS Engine - Ensure that the --bind-address argument is set to 127.0.0.1 |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | AKS Engine - Ensure that the kubelet service file has permissions of 644 or more restrictive |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | AKS Engine - Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | AKS Engine - Ensure that the kubelet service file ownership is set to root:root |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | AKS Engine - Ensure that the kubelet.conf file permissions are set to 644 or more restrictive |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | AKS Engine - Ensure that the proxy kubeconfig file ownership is set to root:root |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | AKS Engine - Ensure that the client certificate authorities file ownership is set to root:root |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | AKS Engine - Ensure that the kubelet.conf file ownership is set to root:root |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | AKS Engine - Ensure that the kubelet configuration file ownership is set to root:root |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | AKS Engine - Ensure that the kubelet configuration file has permissions set to 644 or more restrictive |
| Kubernetes - Worker Nodes - Kubelet | AKS Engine - Ensure that the --anonymous-auth argument is set to false |
| Kubernetes - Worker Nodes - Kubelet | AKS Engine - Ensure that the --authorization-mode argument is not set to AlwaysAllow |
| Kubernetes - Worker Nodes - Kubelet | AKS Engine - Ensure that the --client-ca-file argument is set as appropriate |
| Kubernetes - Worker Nodes - Kubelet | AKS Engine - Ensure that the --read-only-port argument is set to 0 |
| Kubernetes - Worker Nodes - Kubelet | AKS Engine - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 |
| Kubernetes - Worker Nodes - Kubelet | AKS Engine - Ensure that the --protect-kernel-defaults argument is set to true |
| Kubernetes - Worker Nodes - Kubelet | AKS Engine - Ensure that the --make-iptables-util-chains argument is set to true |
| Kubernetes - Worker Nodes - Kubelet | AKS Engine - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate |
| Kubernetes - Worker Nodes - Kubelet | AKS Engine - Ensure that the --rotate-certificates argument is not set to false |
| Kubernetes - Worker Nodes - Kubelet | AKS Engine - Ensure that the RotateKubeletServerCertificate argument is set to true |
AKS Security Policies
| Category Name | Policy Name |
|---|---|
| Kubernetes - Worker Nodes - Worker Node Configuration Files | AKS - Ensure that the kubelet service file has permissions of 644 or more restrictive |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | AKS - Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | AKS - Ensure that the kubelet service file ownership is set to root:root |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | AKS - Ensure that the kubelet.conf file permissions are set to 644 or more restrictive |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | AKS - Ensure that the proxy kubeconfig file ownership is set to root:root |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | AKS - Ensure that the client certificate authorities file ownership is set to root:root |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | AKS - Ensure that the kubelet.conf file ownership is set to root:root |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | AKS - Ensure that the kubelet configuration file ownership is set to root:root |
| Kubernetes - Worker Nodes - Worker Node Configuration Files | AKS - Ensure that the kubelet configuration file has permissions set to 644 or more restrictive |
| Kubernetes - Worker Nodes - Kubelet | AKS - Ensure that the --anonymous-auth argument is set to false |
| Kubernetes - Worker Nodes - Kubelet | AKS - Ensure that the --authorization-mode argument is not set to AlwaysAllow |
| Kubernetes - Worker Nodes - Kubelet | AKS - Ensure that the --client-ca-file argument is set as appropriate |
| Kubernetes - Worker Nodes - Kubelet | AKS - Ensure that the --read-only-port argument is set to 0 |
| Kubernetes - Worker Nodes - Kubelet | AKS - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 |
| Kubernetes - Worker Nodes - Kubelet | AKS - Ensure that the --protect-kernel-defaults argument is set to true |
| Kubernetes - Worker Nodes - Kubelet | AKS - Ensure that the --make-iptables-util-chains argument is set to true |
| Kubernetes - Worker Nodes - Kubelet | AKS - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate |
| Kubernetes - Worker Nodes - Kubelet | AKS - Ensure that the --rotate-certificates argument is not set to false |
| Kubernetes - Worker Nodes - Kubelet | AKS - Ensure that the RotateKubeletServerCertificate argument is set to true |