Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AKS 1.5.0 CIS benchmark #1678

Open
wants to merge 16 commits into
base: main
Choose a base branch
from

Conversation

deboshree-b
Copy link

@CLAassistant
Copy link

CLAassistant commented Sep 15, 2024

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
0 out of 2 committers have signed the CLA.

❌ deboshree-b
❌ rootxrishabh
You have signed the CLA already but the status is still pending? Let us recheck it.

scored: false

- id: 4.2
text: "Pod Security Policies"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was renamed to Pod Security Standards: https://workbench.cisecurity.org/benchmarks/15692/sections/2312375

- id: 4.2.1
text: "Minimize the admission of privileged containers (Automated)"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New (full) remediation text:

Add policies to each namespace in the cluster which has user workloads to restrict the admission of privileged containers.
To enable PSA for a namespace in your cluster, set the pod-security.kubernetes.io/enforce label with the policy value you want to enforce.

`kubectl label --overwrite ns NAMESPACE pod-security.kubernetes.io/enforce=restricted`

The above command enforces the restricted policy for the NAMESPACE namespace.
You can also enable Pod Security Admission for all your namespaces. For example:

`kubectl label --overwrite ns --all pod-security.kubernetes.io/warn=baseline`

Pod Security Policies and Assignments can be found by searching for Policies in the Azure Portal. A detailed step-by-step guide can be found here:

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes

- id: 4.2.2
text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New (full) remediation text:

Add policies to each namespace in the cluster which has user workloads to restrict the admission of `hostPID` containers.

Pod Security Policies and Assignments can be found by searching for Policies in the Azure Portal. A detailed step-by-step guide can be found here:

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes

- id: 4.2.3
text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New (full) remediation text:

Add policies to each namespace in the cluster which has user workloads to restrict the admission of `hostIPC` containers.

Pod Security Policies and Assignments can be found by searching for Policies in the Azure Portal. A detailed step-by-step guide can be found here:

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes

- id: 4.2.4
text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New (full) remediation text:

Add policies to each namespace in the cluster which has user workloads to restrict the admission of `hostNetwork` containers.

Pod Security Policies and Assignments can be found by searching for Policies in the Azure Portal. A detailed step-by-step guide can be found here:

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes

- id: 4.2.5
text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New (full) remediation text:

Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with `.spec.allowPrivilegeEscalation` set to `true`.

Pod Security Policies and Assignments can be found by searching for Policies in the Azure Portal. A detailed step-by-step guide can be found here:

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes

@saikumar0412
Copy link

Can you please update when we can expected thi PR to be merged?

@afdesk
Copy link
Collaborator

afdesk commented Nov 18, 2024

Hi guys! thanks for your efforts!
This branch has conflicts that must be resolved
could you fix it?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants