Configure System to CIS Benchmark for Containers Standards

By default, StarlingX complies with the CIS Benchmark for containers for most specifications. Some specifications outlined in the CIS Benchmark that are not met by default, StarlingX can be configured to comply with these requirements. However, these configurations may affect system performance. The relevant CIS Benchmark specifications, along with the necessary StarlingX configuration steps to achieve compliance, are detailed below. Before applying these configurations in a live deployment, carefully assess their performance implications in the context of your specific security and operational needs.

CIS-1.2.11

Ensure that the admission control plugin AlwaysPullImages is set https://hub.armosec.io/docs/c-0123

CIS-1.2.17

Ensure that the API Server --profiling argument is set to false https://hub.armosec.io/docs/c-0129

CIS-1.2.19

Ensure that the API Server --audit-log-maxage argument is set to 30 or as appropriate https://hub.armosec.io/docs/c-0131

CIS-3.2.1

Ensure that a minimal audit policy is created https://hub.armosec.io/docs/c-0160

These CIS specifications are not applied by default in StarlingX and require you to configure them if you want to comply to these CIS specifications. The configuration mentioned in the table below are example minimal configurations required for CIS specifications; you should configure them according to your actual needs.

Specification

Attribute

Semantic

Configuration

CIS- 1.2.11

AlwaysPullImages

Forces the kubelet to always pull container images prior to starting containers, ensuring the latest image is used

–enable-admission-plugins=…, NodeRestriction,AlwaysPullImages

CIS- 1.2.17

Profiling

Disabling profiling prevents exposure of sensitive performance data

–profiling=false

CIS- 1.2.19

audit-log-maxage

Specifies the maximum number of days to retain old audit logs

–audit-log-maxage=30

CIS- 3.2.1

audit-policy-file

Defines minimal audit policy

–audit-policy-file= /etc/kubernetes/default-audit-policy.yaml

An example of the StarlingX commands used to configure these parameters is available in the script located at /usr/local/bin/apiserver_cis_compliance.sh. For testing purposes only, this script can be executed from the active controller to configure the kube-apiserver in accordance with the CIS Benchmark specifications mentioned above.

Warning

Critical Warning:

  • CIS-1.2.9 is not remediated.

    To adhere to this control point, it is required to configure enable-admission-plugins="EventRateLimit". But this configuration causes the API server to fail during startup due to a longstanding issue in Kubernetes. This is a known Kubernetes bug tracked (Kubernetes Issue #62861, https://github.com/kubernetes/kubernetes/issues/62861). Therefore, it is not recommended to configure this until this bug is resolved.

Minor Warning:

  • CIS-1.2.12 is not applicable to the current version.

    To adhere to this control point, it is required to configure enable-admission-plugins= “SecurityContextDeny”. But this POD security policy is valid for Kubernetes versions prior to 1.24. The minimum supported Kubernetes version in StarlingX is v1.29, where SecurityContextDeny POD security policy is deprecated and removed from the API server.

  • CIS-1.2.20 related Configuration (audit-log-maxbackup=10) is present, but not detected by CIS scanning tool.

    The configuration required for this control point is already configured during bootstrap, but the scanning tool may incorrectly flag it due to limitations in runtime argument introspection.

  • CIS-1.2.21 related Configuration (audit-log-maxsize=100) is present, but not detected by CIS scanning tool.

    The configuration required for this control point is already configured during bootstrap, but the scanning tool may incorrectly flag it due to limitations in runtime argument introspection.