added kubernetes cluster security profile
parent 623251bba4
commit 814e793cc2
@ -11,7 +11,7 @@ info:
Set CPU limits for all containers in Kubernetes Deployments to ensure fair CPU resource distribution and prevent performance issues.
reference:
- https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/
tags: cloud,devops,kubernetes,k8s,devsecops,deployments
tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security

flow: |
code(1);
@ -11,7 +11,7 @@ info:
Set CPU requests for all containers in Kubernetes Deplayments to ensure efficient scheduling and resource allocation.
reference:
- https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/
tags: cloud,devops,kubernetes,k8s,devsecops,deployments
tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security

flow: |
code(1);
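Review bot: the description context line still reads "Kubernetes Deplayments"; since this template's info block is being touched anyway, fix the typo to "Deployments" in the same commit so it matches the wording of the CPU-limits template above.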
@ -11,7 +11,7 @@ info:
Avoid using the default namespace for Kubernetes Deployments. Create and specify dedicated namespaces tailored to specific applications or teams to enhance security and manage resources effectively.
reference:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
tags: cloud,devops,kubernetes,k8s,devsecops,namespaces
tags: cloud,devops,kubernetes,k8s,devsecops,namespaces,k8s-cluster-security

flow: |
code(1);
@ -11,7 +11,7 @@ info:
Avoid using host ports in Kubernetes Deployments. Use services or other networking mechanisms to expose container applications.
reference:
- https://kubernetes.io/docs/concepts/services-networking/service/
tags: cloud,devops,kubernetes,security,devsecops,deployments
tags: cloud,devops,kubernetes,devsecops,deployments,k8s,k8s-cluster-security

flow: |
code(1);
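Review bot: the new tags line drops the existing `security` tag while adding `k8s` and `k8s-cluster-security`; anyone running this template set with `-tags security` silently loses the host-port check, and the commit message only claims to add a profile. Append the new tags and leave the existing list intact: `tags: cloud,devops,kubernetes,security,devsecops,deployments,k8s,k8s-cluster-security`.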
@ -10,7 +10,7 @@ info:
remediation: Update the image pull policy in Kubernetes Deployments to 'Always' to ensure that the latest container images are always used.
reference:
- https://kubernetes.io/docs/concepts/containers/images/#updating-images
tags: cloud,devops,kubernetes,k8s,devsecops,deployments,images,docker
tags: cloud,devops,kubernetes,k8s,devsecops,deployments,images,docker,k8s-cluster-security

flow: |
code(1);
@ -11,7 +11,7 @@ info:
Use specific image tags for all containers in Kubernetes Deployments to ensure reproducibility and stability of application deployments.
reference:
- https://kubernetes.io/docs/concepts/containers/images/
tags: cloud,devops,kubernetes,k8s,devsecops,deployments
tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security

flow: |
code(1);
@ -10,7 +10,7 @@ info:
remediation: Configure liveness probes for all containers in Kubernetes Deployments to ensure proper health checks and automatic restarts of failing containers
reference:
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
tags: cloud,devops,kubernetes,k8s,devsecops,deployments
tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security

flow: |
code(1);
@ -10,7 +10,7 @@ info:
remediation: Set memory limits for all containers in Kubernetes Deployments to ensure resource management and application stability
reference:
- https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/
tags: cloud,devops,kubernetes,k8s,devsecops,deployments
tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security

flow: |
code(1);
@ -10,7 +10,7 @@ info:
remediation: Set memory requests for all containers in Kubernetes Deployments to ensure efficient pod scheduling and node resource utilization.
reference:
- https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/
tags: cloud,devops,kubernetes,k8s,devsecops,deployments
tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security

flow: |
code(1);
@ -11,7 +11,7 @@ info:
Ensure that no unnecessary capabilities are added to containers within Kubernetes Deployments. Use security contexts to define the minimum necessary privileges.
reference:
- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
tags: cloud,devops,kubernetes,k8s,devsecops,deployments
tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security

flow: |
code(1);
@ -11,7 +11,7 @@ info:
Ensure that no container in Kubernetes Deployments runs in privileged mode, as the root user, or with privilege escalation enabled. Modify the security context for each container to set `privileged: false`, `runAsUser` appropriately, and `allowPrivilegeEscalation: false`.
reference:
- https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
tags: cloud,devops,kubernetes,k8s,devsecops,deployments
tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security

flow: |
code(1);
@ -11,7 +11,7 @@ info:
Define readiness probes in all containers within your Kubernetes Deployments to ensure that traffic is only routed to containers that are fully prepared to handle it.
reference:
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
tags: cloud,devops,kubernetes,k8s,devsecops,deployments
tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security

flow: |
code(1);
@ -11,7 +11,7 @@ info:
Configure security contexts for all pods to run containers with a non-root user. Use Pod Security Policies or OPA/Gatekeeper to enforce these configurations.
reference:
- https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
tags: cloud,devops,kubernetes,devsecops,deployments,k8s
tags: cloud,devops,kubernetes,devsecops,deployments,k8s,k8s-cluster-security

flow: |
code(1);
@ -11,7 +11,7 @@ info:
Ensure that all containers in Kubernetes Deployments have a seccomp profile of docker/default or runtime/default set in their security contexts.
reference:
- https://kubernetes.io/docs/tutorials/clusters/seccomp/
tags: cloud,devops,kubernetes,security,devsecops,containers
tags: cloud,devops,kubernetes,devsecops,containers,k8s,k8s-cluster-security

flow: |
code(1);
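Review bot: `security` is removed from the seccomp template's tags in the same line that adds the profile tag, so a `security`-filtered run no longer checks for a missing seccomp profile. Keep the existing tags and append `k8s,k8s-cluster-security` instead of rewriting the list.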
@ -7,7 +7,7 @@ info:
Checks if kubernetes CLI is set up and all necessary tools are installed on the environment.
reference:
- https://kubernetes.io/
tags: cloud,devops,kubernetes,k8s,kubernetes-cloud-config
tags: cloud,devops,kubernetes,k8s,k8s-cluster-security

self-contained: true
code:
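Review bot: here `kubernetes-cloud-config` is replaced by `k8s-cluster-security` rather than appended; any profile or workflow that selects this prerequisite check through the `kubernetes-cloud-config` tag loses the CLI/tooling check. Since this is the `self-contained` code template the other checks depend on, it should carry both tags: `tags: cloud,devops,kubernetes,k8s,kubernetes-cloud-config,k8s-cluster-security`.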
@ -10,7 +10,7 @@ info:
remediation: Define egress rules in all network policies to control outbound traffic from your Kubernetes pods, thereby reducing security risks.
reference:
- https://kubernetes.io/docs/concepts/services-networking/network-policies/
tags: cloud,devops,kubernetes,security,devsecops,network
tags: cloud,devops,kubernetes,devsecops,k8s,k8s-cluster-security

flow: |
code(1);
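Review bot: two existing tags, `security` and `network`, are removed from the egress-rules template while the profile tag is added; `network` in particular has no replacement, so the network-policy checks can no longer be selected as a group. Keep `security,network` and append the new tags.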
@ -11,7 +11,7 @@ info:
Ensure that all Network Policies explicitly define a namespace to maintain proper network isolation and security boundaries.
reference:
- https://kubernetes.io/docs/concepts/services-networking/network-policies/
tags: cloud,devops,kubernetes,security,devsecops,networking
tags: cloud,devops,kubernetes,devsecops,k8s,k8s-cluster-security

flow: |
code(1);
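Review bot: `security` and `networking` are both dropped from the network-policy namespace template. The egress template above uses `network` and this one uses `networking` for the same grouping; if the tag list is being rewritten anyway, settle on one spelling rather than remove the grouping tag altogether.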
@ -11,7 +11,7 @@ info:
Define specific ingress rules in all network policies to control the flow of inbound traffic to pods, ensuring only authorized traffic can access cluster resources.
reference:
- https://kubernetes.io/docs/concepts/services-networking/network-policies/
tags: cloud,devops,kubernetes,security,networking
tags: cloud,devops,kubernetes,security,k8s,k8s-cluster-security

flow: |
code(1);
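Review bot: this hunk keeps `security` but drops `networking`, whereas the egress and namespace network-policy templates above drop `security` as well, so the three network-policy templates end up with three different tag conventions. Pick one (keeping every existing tag and appending `k8s,k8s-cluster-security` is the least surprising) and apply it across the set.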
@ -10,7 +10,7 @@ info:
remediation: Ensure that the allowPrivilegeEscalation flag is set to false in all container configurations to minimize security risks
reference:
- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
tags: cloud,devops,kubernetes,security,devsecops,containers
tags: cloud,devops,kubernetes,security,devsecops,containers,k8s,k8s-cluster-security

flow: |
code(1);
@ -10,7 +10,7 @@ info:
remediation: Ensure that no container in Kubernetes Pods is set to share the host IPC namespace. Configure 'spec.hostIPC' to 'false' for all pods to isolate IPC namespaces.
reference:
- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
tags: cloud,devops,kubernetes,k8s,devsecops,pods
tags: cloud,devops,kubernetes,k8s,devsecops,pods,k8s-cluster-security

flow: |
code(1);
@ -11,7 +11,7 @@ info:
Ensure that the 'hostNetwork' field is set to false in all Kubernetes Pods to prevent containers from sharing the host's network namespace.
reference:
- https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
tags: cloud,devops,kubernetes,k8s,devsecops,namespace
tags: cloud,devops,kubernetes,k8s,devsecops,namespace,k8s-cluster-security

flow: |
code(1);
@ -11,7 +11,7 @@ info:
Ensure that the 'hostPID' field is set to 'false' in Kubernetes Pod specifications to prevent containers from sharing the host's PID namespace.
reference:
- https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
tags: cloud,devops,kubernetes,k8s,devsecops,pods
tags: cloud,devops,kubernetes,k8s,devsecops,pods,k8s-cluster-security

flow: |
code(1);
@ -10,7 +10,7 @@ info:
remediation: Configure containers to use read-only filesystems where possible to enhance security and minimize risk of unauthorized data modification
reference:
- https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation
tags: cloud,devops,kubernetes,k8s,devsecops,pods
tags: cloud,devops,kubernetes,k8s,devsecops,pods,k8s-cluster-security

flow: |
code(1);
@ -11,7 +11,7 @@ info:
Configure all pods and containers to have their root filesystem set to read-only mode. This can be achieved by setting the securityContext.readOnlyRootFilesystem parameter to true in the pod or container configuration.
reference:
- https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
tags: cloud,devops,kubernetes,security,devsecops,pods,k8s
tags: cloud,devops,kubernetes,devsecops,pods,k8s,k8s-cluster-security

flow: |
code(1);
@ -10,7 +10,7 @@ info:
remediation: Configure pods to run with a non-root user ID by setting the 'securityContext' for each container and the pod itself.
reference:
- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
tags: cloud,devops,kubernetes,security,devsecops,pods
tags: cloud,devops,kubernetes,devsecops,pods,k8s,k8s-cluster-security

flow: |
code(1);
@ -11,7 +11,7 @@ info:
Configure the Kubernetes API server to include the audit-log-path argument pointing to a secure, writeable directory where audit logs will be stored. Ensure that this directory is properly secured and regularly monitored.
reference:
- https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
tags: cloud,devops,kubernetes,security,devsecops,api-server
tags: cloud,devops,kubernetes,devsecops,api-server,k8s,k8s-cluster-security

variables:
argument: "audit-log-path"
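Review bot: the API-server audit-log template also loses its `security` tag in this edit, while the `service-account-key-file`, `service-account-lookup` and `tls-cert-file` templates further down keep theirs, so the control-plane checks end up split across two tag conventions for no stated reason. Keep `security` here and in the encryption and etcd templates that follow.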
@ -11,7 +11,7 @@ info:
Ensure that the encryption provider configuration file is set up correctly and referenced properly in the API server configuration. Encryption should be enabled and configured according to the security best practices.
reference:
- https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
tags: cloud,devops,kubernetes,security,devsecops,encryption
tags: cloud,devops,kubernetes,devsecops,encryption,k8s,k8s-cluster-security

variables:
argument: "encryption-provider-config"
@ -11,7 +11,7 @@ info:
Configure etcd to use an etcd-cafile argument that points to a valid CA certificate bundle. This setting should be part of the etcd startup arguments or in its configuration file.
reference:
- https://etcd.io/docs/v3.5/op-guide/security/
tags: cloud,devops,kubernetes,security,devsecops,etcd
tags: cloud,devops,kubernetes,devsecops,etcd,k8s,k8s-cluster-security

variables:
argument: "etcd-cafile"
@ -11,7 +11,7 @@ info:
Configure the etcd server to use etcd-certfile and etcd-keyfile arguments that point to valid certificate and key files respectively. This ensures that communications to and from the etcd server are properly encrypted.
reference:
- https://etcd.io/docs/v3.4.0/op-guide/security/
tags: cloud,devops,kubernetes,security,devsecops,etcd
tags: cloud,devops,kubernetes,devsecops,etcd,k8s,k8s-cluster-security

variables:
argument: "etcd-certfile or etcd-keyfile"
@ -11,7 +11,7 @@ info:
Implement and use namespaces to organize resources within the Kubernetes cluster effectively. Define access controls and resource quotas on a per-namespace basis.
reference:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
tags: cloud,devops,kubernetes,security,devsecops,namespaces
tags: cloud,devops,kubernetes,devsecops,namespaces,k8s,k8s-cluster-security

variables:
argument: "namespaces"
@ -11,7 +11,7 @@ info:
Set the service-account-issuer argument to a valid issuer URL in the API server's startup arguments or configuration file. This ensures the tokens issued are trusted across services.
reference:
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
tags: cloud,devops,kubernetes,security,devsecops,api-server
tags: cloud,devops,kubernetes,devsecops,api-server,k8s,k8s-cluster-security

variables:
argument: "service-account-issuer"
@ -11,7 +11,7 @@ info:
Configure the API server to use a service-account-key-file that points to a valid private key used to sign service account tokens. This setting should be part of the API server startup arguments or in its configuration file.
reference:
- https://kubernetes.io/docs/admin/kube-apiserver/
tags: cloud,devops,kubernetes,security,devsecops,api-server
tags: cloud,devops,kubernetes,security,devsecops,api-server,k8s,k8s-cluster-security

variables:
argument: "service-account-key-file"
@ -11,7 +11,7 @@ info:
Set the service-account-lookup argument to true in the API server's startup arguments or configuration file to ensure proper verification of service accounts.
reference:
- https://kubernetes.io/docs/admin/kube-apiserver/
tags: cloud,devops,kubernetes,security,devsecops,api-server
tags: cloud,devops,kubernetes,security,devsecops,api-server,k8s,k8s-cluster-security

variables:
argument: "service-account-lookup=true"
@ -11,7 +11,7 @@ info:
Configure the API server to use tls-cert-file and tls-private-key-file that point to a valid certificate and key file respectively. This setting should be part of the API server startup arguments or in its configuration file.
reference:
- https://kubernetes.io/docs/admin/kube-apiserver/
tags: cloud,devops,kubernetes,security,devsecops,api-server
tags: cloud,devops,kubernetes,security,devsecops,api-server,k8s,k8s-cluster-security

variables:
argument: "tls-cert-file or tls-private-key-file"
@ -0,0 +1,6 @@
# Nuclei scan profile for scanning aws ACLs

code: true # enable code templates

tags:
- k8s-cluster-security # filter templates with "k8s-cluster-security" tags
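Review bot: the header comment `# Nuclei scan profile for scanning aws ACLs` is a copy-paste leftover and does not describe this file; change it to state that this is the Kubernetes cluster-security profile. The rest of the profile is consistent with the templates above: `code: true` is needed because the `k8s-cluster-security` set includes the `self-contained` code template that checks the Kubernetes CLI is installed.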