Configure System to CIS Benchmark for Containers Standards
By default, StarlingX complies with the CIS Benchmark for Containers for most specifications. For some specifications that are not met by default, StarlingX can be configured to comply; however, these configurations may affect system performance. The relevant CIS Benchmark specifications, along with the StarlingX configuration steps needed to achieve compliance, are detailed below. Before applying these configurations in a live deployment, carefully assess their performance implications in the context of your specific security and operational needs.
- CIS-1.2.11: Ensure that the admission control plugin AlwaysPullImages is set (https://hub.armosec.io/docs/c-0123)
- CIS-1.2.17: Ensure that the API Server --profiling argument is set to false (https://hub.armosec.io/docs/c-0129)
- CIS-1.2.19: Ensure that the API Server --audit-log-maxage argument is set to 30 or as appropriate (https://hub.armosec.io/docs/c-0131)
- CIS-3.2.1: Ensure that a minimal audit policy is created (https://hub.armosec.io/docs/c-0160)
These CIS specifications are not applied by default in StarlingX and must be configured if you want to comply with them. The configurations listed in the table below are example minimal configurations required for the CIS specifications; adjust them according to your actual needs.
| Specification | Attribute | Semantic | Configuration |
|---|---|---|---|
| CIS-1.2.11 | AlwaysPullImages | Forces the kubelet to always pull container images prior to starting containers, ensuring the latest image is used | --enable-admission-plugins=…,NodeRestriction,AlwaysPullImages |
| CIS-1.2.17 | Profiling | Disabling profiling prevents exposure of sensitive performance data | --profiling=false |
| CIS-1.2.19 | audit-log-maxage | Specifies the maximum number of days to retain old audit logs | --audit-log-maxage=30 |
| CIS-3.2.1 | audit-policy-file | Defines a minimal audit policy | --audit-policy-file=/etc/kubernetes/default-audit-policy.yaml |
An example of the StarlingX commands used to configure these parameters is available in the script located at /usr/local/bin/apiserver_cis_compliance.sh. For testing purposes only, this script can be executed from the active controller to configure the kube-apiserver in accordance with the CIS Benchmark specifications mentioned above.
Warning

Critical Warning: CIS-1.2.9 is not remediated. To adhere to this control point, it is required to configure enable-admission-plugins="EventRateLimit". However, this configuration causes the API server to fail during startup due to a longstanding issue in Kubernetes, tracked as Kubernetes Issue #62861 (https://github.com/kubernetes/kubernetes/issues/62861). Therefore, it is not recommended to configure this until the bug is resolved.

Minor Warning: CIS-1.2.12 is not applicable to the current version. To adhere to this control point, it is required to configure enable-admission-plugins="SecurityContextDeny". However, this POD security policy is valid only for Kubernetes versions prior to 1.24. The minimum supported Kubernetes version in StarlingX is v1.29, where the SecurityContextDeny POD security policy is deprecated and removed from the API server.

CIS-1.2.20 (audit-log-maxbackup=10) and CIS-1.2.21 (audit-log-maxsize=100): the related configuration is present but not detected by the CIS scanning tool. The configuration required for these control points is already applied during bootstrap, but the scanning tool may incorrectly flag them due to limitations in runtime argument introspection.
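As an added example (not part of the StarlingX documentation, and not the contents of the apiserver_cis_compliance.sh script mentioned above), the following script checks a kube-apiserver static-pod manifest against the four controls in the table and the two bootstrap-configured controls (CIS-1.2.20 and CIS-1.2.21) noted in the warning. It reads the flags from the manifest file rather than from the running process, which is one way to verify settings that a scanner relying on runtime argument introspection may miss. The sample manifest embedded in the script is constructed for the example (its image tag, address and flag values are invented); the flag names are the standard kube-apiserver flags from the table, and the manifest path in the usage comment assumes the usual kubeadm-style location.

```python
"""Added example: check a kube-apiserver static-pod manifest against the CIS
controls discussed on this page. Not StarlingX code; see the lead-in."""
import re
import sys

# Constructed sample manifest (not copied from any StarlingX host): the shape of
# /etc/kubernetes/manifests/kube-apiserver.yaml, with a flag set chosen so that
# two of the controls fail and the rest pass.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:v1.29.0
    command:
    - kube-apiserver
    - --advertise-address=192.0.2.10
    - --enable-admission-plugins=NodeRestriction
    - --profiling=true
    - --audit-log-maxage=30
    - --audit-log-maxbackup=10
    - --audit-log-maxsize=100
    - --audit-policy-file=/etc/kubernetes/default-audit-policy.yaml
    volumeMounts:
    - name: k8s-certs
      mountPath: /etc/kubernetes/pki
"""

# Matches one `- --flag=value` (or bare `- --flag`) item of the command list.
FLAG_LINE = re.compile(r"^\s*-\s+(--[A-Za-z0-9-]+)(?:=(.*))?\s*$")


def parse_apiserver_flags(manifest_text):
    """Return {flag: value} for every `- --flag=value` line of the manifest.
    A flag given without `=value` maps to "". Plain-text matching is used so the
    check runs with the standard library alone (no YAML parser needed)."""
    flags = {}
    for line in manifest_text.splitlines():
        m = FLAG_LINE.match(line)
        if m:
            flags[m.group(1)] = (m.group(2) or "").strip()
    return flags


def _int_at_least(value, minimum):
    """True if `value` is a decimal integer >= minimum ("" or non-numeric fails)."""
    return value.isdigit() and int(value) >= minimum


def evaluate_controls(flags):
    """Map each control ID from the table above to (passed, detail)."""
    plugins = [p.strip() for p in flags.get("--enable-admission-plugins", "").split(",") if p.strip()]
    profiling = flags.get("--profiling", "<unset>")
    maxage = flags.get("--audit-log-maxage", "")
    maxbackup = flags.get("--audit-log-maxbackup", "")
    maxsize = flags.get("--audit-log-maxsize", "")
    policy = flags.get("--audit-policy-file", "")
    return {
        # The admission plugin must be listed explicitly; it is not enabled by default.
        "CIS-1.2.11": ("AlwaysPullImages" in plugins,
                       "enable-admission-plugins=" + (",".join(plugins) or "<unset>")),
        # kube-apiserver profiling defaults to true, so an unset flag is a failure.
        "CIS-1.2.17": (profiling == "false", "profiling=" + profiling),
        "CIS-1.2.19": (_int_at_least(maxage, 30), "audit-log-maxage=" + (maxage or "<unset>")),
        # 1.2.20 / 1.2.21 are set at bootstrap; reading the manifest file avoids the
        # runtime-introspection gap noted in the warning above.
        "CIS-1.2.20": (_int_at_least(maxbackup, 10), "audit-log-maxbackup=" + (maxbackup or "<unset>")),
        "CIS-1.2.21": (_int_at_least(maxsize, 100), "audit-log-maxsize=" + (maxsize or "<unset>")),
        # Only the presence of a policy file is checked; its contents need a separate review.
        "CIS-3.2.1": (policy != "", "audit-policy-file=" + (policy or "<unset>")),
    }


def failing_controls(manifest_text):
    """Sorted list of control IDs that the manifest does not satisfy."""
    results = evaluate_controls(parse_apiserver_flags(manifest_text))
    return sorted(cid for cid, (ok, _) in results.items() if not ok)


def main(argv):
    # Usage: python3 check_apiserver_cis.py [/etc/kubernetes/manifests/kube-apiserver.yaml]
    # With no argument the constructed sample above is checked.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MANIFEST
    for cid, (ok, detail) in evaluate_controls(parse_apiserver_flags(text)).items():
        print(f"{cid:<11} {'PASS' if ok else 'FAIL'}  {detail}")
    return 0 if not failing_controls(text) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample, the script reports CIS-1.2.11 and CIS-1.2.17 as failing (AlwaysPullImages missing, profiling left on) and the remaining controls as passing; run against a real manifest path it exits non-zero when any control fails, which makes it usable from a cron job or CI step. The check deliberately treats an absent --profiling flag as a failure, because the kube-apiserver default is profiling enabled.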