Skip to content

Commit

Permalink
fixup! Update baseline cluster security (#475)
Browse files Browse the repository at this point in the history
Signed-off-by: Hannes Baum <[email protected]>
  • Loading branch information
cah-hbaum committed May 2, 2024
1 parent 075b295 commit 14a726d
Showing 1 changed file with 14 additions and 14 deletions.
28 changes: 14 additions & 14 deletions Standards/scs-0217-v1-cluster-hardening.md
Original file line number Diff line number Diff line change
Expand Up @@ -92,8 +92,8 @@ In most cases, only the API server machines should need access to etcd on ports

#### ACL restrictions

(https://etcd.io/docs/v3.3/op-guide/authentication/)
etcd implements access control lists (ACL) and authentication since version 2.1.
()
etcd implements access control lists (ACL) and authentication since version 2.1 [1][etcd-auth].
etcd provides users and roles; users gain permissions through roles. When authentication is enabled,
each request to etcd requires authentication and the transaction is only allowed, if the user has the correct access rights.
etcd can also be launched with `--client-cert-auth=true`, which enables authentication via
Expand All @@ -112,7 +112,7 @@ for securing peer communication and the flags `--key-file=k8sclient.key` and `--
client communication (and therefore cluster communication).
Additionally, HTTPS should be used as the URL schema.
It is also possibly to use a separate CA for the etcd in order to separate and better control access through client
certificates, since etcd by default trusts all the certificates issued by the root CA [1][nsa-cisa].
certificates, since etcd by default trusts all the certificates issued by the root CA [2][nsa-cisa].
More information about authentication via TLS are provided in the chapter [ACL restrictions](#acl-restrictions).

### Securing endpoints
Expand All @@ -131,7 +131,7 @@ guidelines for this task.

A list of the default ports used in Kubernetes as well as the components accessing them can be found below:

**Control plane nodes**
#### Control plane nodes

| Ports | Protocol | Purpose | Used by | Type |
|-----------|----------|-------------------------|----------------------|--------------------|
Expand All @@ -142,7 +142,7 @@ A list of the default ports used in Kubernetes as well as the components accessi
| 10257 | TCP | kube-controller-manager | Self | Internal |
| 10259 | TCP | kube-scheduler | Self | Internal |

**Worker nodes**
#### Worker nodes

| Ports | Protocol | Purpose | Used by | Type |
|-------------|----------|-----------------------|---------------------|--------------------|
Expand Down Expand Up @@ -174,7 +174,7 @@ the objects contents.
#### Authentication

Kubernetes provides different internal authentication mechanisms, that can be used depending
on the requirements of the cluster provider and user. Multiple authentication systems can
on the requirements of the cluster provider and user. Multiple authentication systems can
be enabled and the [Kubernetes documentation][kubernetes-auth] recommends at least using two methods,
including Service Account Tokens and another method. Methods directly provided by Kubernetes include
the following (a more complete or up-to-date list may be found in the [Kubernetes authentication docs][kubernetes-auth]):
Expand Down Expand Up @@ -294,11 +294,11 @@ with varying access to sensitive data and also enables various levels
of performant operations enabling manipulation of node data and containers.
There is also a read-only HTTP endpoint that was used for monitoring a Kubelet and
its information. This port was also used by applications like `kubeadm` to check
the health status of the Kubelet.
the health status of the Kubelet.
This port is still available, but it is planned to be [removed][ro-port-removal]
in a future version. At the moment, the port is disabled by default since [Kubernetes 1.10][ro-port-disabled]
and shortly later also in [`kubeadm`][ro-port-disabled-kubeadm].
Different sources recommend disabling this port [1][ro-port-s1] [2][ro-port-s2] due to possible
Different sources recommend disabling this port [3][ro-port-s1] [4][ro-port-s2] due to possible
security risks, but since this standard recommends restricting accessibility of internal ports,
this port wouldn't be accessible from external networks.
It is nevertheless recommended to keep this port disabled, since Kubernetes also acknowledged
Expand Down Expand Up @@ -343,8 +343,8 @@ Allows the default (minimally specified) Pod configuration.
* *Restricted*
Heavily restricted policy, following current Pod hardening best practices.

Kubernetes also offers the *Pod security* admission controller, which enforces
the *Pod security standards* on a namespace level during pod creation.
Kubernetes also offers the *Pod security* admission controller, which enforces
the *Pod security standards* on a namespace level during pod creation.
The admission controller defines the standard to be used with the three levels
`privileged`, `baseline` and `restricted`. Each namespace can be configured to enforce
a different control mode, which defines what action the control plane takes
Expand Down Expand Up @@ -424,8 +424,8 @@ Additionally, the `NodeRestriction` admission controller MUST be activated in or
different Kubelets by disallowing modification of non-bound.

At last, *Pod security standards* in the form of policies MUST be activated for the cluster. The SCS REQUIRES at least
the *Baseline* policy with the *Restricted* policy CAN also be used.
The *Pod security* admission controller MUST also be activated in order to enforce these policies on a namespace level.
the *Baseline* policy with the *Restricted* policy CAN also be used.
The *Pod security* admission controller MUST also be activated in order to enforce these policies on a namespace level.
We RECOMMEND the `enforce` level to be used for this admission controller setup.

## Conformance Tests
Expand All @@ -443,7 +443,6 @@ Conformance Tests will be written within another issue.
[Configure etcd](https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/)
[Google Kubernetes cluster trust](https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-trust)


[kubernetes-releases]: https://kubernetes.io/releases/
[kubernetes-version-skew]: https://kubernetes.io/releases/version-skew-policy/
[strong-credentials]: https://pages.nist.gov/800-63-3/sp800-63b.html
Expand All @@ -461,4 +460,5 @@ Conformance Tests will be written within another issue.
[ro-port-disabled-kubeadm]: https://github.com/kubernetes/kubeadm/issues/732
[ro-port-s1]: https://www.stigviewer.com/stig/kubernetes/2021-04-14/finding/V-242387
[ro-port-s2]: https://docs.datadoghq.com/security/default_rules/cis-kubernetes-1.5.1-4.2.4/
[nsa-cisa]: https://kubernetes.io/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/
[nsa-cisa]: https://kubernetes.io/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/
[etcd-auth]: https://etcd.io/docs/v3.3/op-guide/authentication/

0 comments on commit 14a726d

Please sign in to comment.