Related information
- 1.1.1 - Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)
- 1.1.2 - Ensure that the API server pod specification file ownership is set to root:root (Automated)
- 1.1.3 - Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)
- 1.1.4 - Ensure that the controller manager pod specification file ownership is set to root:root (Automated)
- 1.1.5 - Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)
- 1.1.6 - Ensure that the scheduler pod specification file ownership is set to root:root (Automated)
- 1.1.7 - Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)
- 1.1.8 - Ensure that the etcd pod specification file ownership is set to root:root (Automated)
- 1.1.11 - Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)
- 1.1.12 - Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)
- 1.1.13 - Ensure that the default administrative credential file permissions are set to 600 (Automated)
- 1.1.14 - Ensure that the default administrative credential file ownership is set to root:root (Automated)
- 1.1.15 - Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)
- 1.1.16 - Ensure that the scheduler.conf file ownership is set to root:root (Automated)
- 1.1.17 - Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)
- 1.1.18 - Ensure that the controller-manager.conf file ownership is set to root:root (Automated)
- 1.1.19 - Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)
- 1.2.2 - Ensure that the --token-auth-file parameter is not set (Automated)
- 1.2.4 - Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)
- 1.2.5 - Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)
- 1.2.6 - Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
- 1.2.7 - Ensure that the --authorization-mode argument includes Node (Automated)
- 1.2.8 - Ensure that the --authorization-mode argument includes RBAC (Automated)
- 1.2.10 - Ensure that the admission control plugin AlwaysAdmit is not set (Automated)
- 1.2.12 - Ensure that the admission control plugin ServiceAccount is set (Automated)
- 1.2.13 - Ensure that the admission control plugin NamespaceLifecycle is set (Automated)
- 1.2.14 - Ensure that the admission control plugin NodeRestriction is set (Automated)
- 1.2.15 - Ensure that the --profiling argument is set to false (Automated)
- 1.2.16 - Ensure that the --audit-log-path argument is set (Automated)
- 1.2.17 - Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)
- 1.2.18 - Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)
- 1.2.19 - Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)
- 1.2.21 - Ensure that the --service-account-lookup argument is set to true (Automated)
- 1.2.22 - Ensure that the --service-account-key-file argument is set as appropriate (Automated)
- 1.2.23 - Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)
- 1.2.24 - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)
- 1.2.25 - Ensure that the --client-ca-file argument is set as appropriate (Automated)
- 1.2.26 - Ensure that the --etcd-cafile argument is set as appropriate (Automated)
- 1.3.2 - Ensure that the --profiling argument is set to false (Automated)
- 1.3.3 - Ensure that the --use-service-account-credentials argument is set to true (Automated)
- 1.3.4 - Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)
- 1.3.5 - Ensure that the --root-ca-file argument is set as appropriate (Automated)
- 1.3.6 - Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)
- 1.3.7 - Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)
- 1.4.1 - Ensure that the --profiling argument is set to false (Automated)
- 1.4.2 - Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)
- 2.1 - Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)
- 2.2 - Ensure that the --client-cert-auth argument is set to true (Automated)
- 2.3 - Ensure that the --auto-tls argument is not set to true (Automated)
- 2.4 - Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)
- 2.5 - Ensure that the --peer-client-cert-auth argument is set to true (Automated)
- 2.6 - Ensure that the --peer-auto-tls argument is not set to true (Automated)
- 4.1.1 - Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)
- 4.1.2 - Ensure that the kubelet service file ownership is set to root:root (Automated)
- 4.1.5 - Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)
- 4.1.6 - Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)
- 4.1.9 - If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)
- 4.1.10 - If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root (Automated)
- 4.2.1 - Ensure that the --anonymous-auth argument is set to false (Automated)
- 4.2.2 - Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
- 4.2.3 - Ensure that the --client-ca-file argument is set as appropriate (Automated)
- 4.2.6 - Ensure that the --make-iptables-util-chains argument is set to true (Automated)
- 4.2.10 - Ensure that the --rotate-certificates argument is not set to false (Automated)
- 4.3.1 - Ensure that the kube-proxy metrics service is bound to localhost (Automated)
- 5.1.1 - Ensure that the cluster-admin role is only used where required (Automated)
- 5.1.2 - Minimize access to secrets (Automated)
- 5.1.3 - Minimize wildcard use in Roles and ClusterRoles (Automated)
- 5.1.4 - Minimize access to create pods (Automated)
- 5.1.5 - Ensure that default service accounts are not actively used (Automated)
- 5.1.6 - Ensure that Service Account Tokens are only mounted where necessary (Automated)