/*
 * Webpack JSONP chunk 34. It registers two modules on window.webpackJsonp:
 *
 *   167 - the compiled MDX page for "@site/docs/cis-benchmark.md": a table that
 *         maps CIS benchmark control IDs to their policy source files (.rego).
 *   173 - the MDX element runtime used by that page (exports "a", a context
 *         provider, and "b", a createElement wrapper). It looks like the
 *         @mdx-js/react runtime; the package name is not visible in this chunk.
 *
 * Modules 0, 2 and 9 are required here but defined in other chunks.
 */
(window.webpackJsonp = window.webpackJsonp || []).push([
  [34],
  {
    167: function (module, exports, require) {
      "use strict";

      require.r(exports);
      require.d(exports, "frontMatter", function () {
        return frontMatter;
      });
      require.d(exports, "metadata", function () {
        return metadata;
      });
      require.d(exports, "rightToc", function () {
        return rightToc;
      });
      require.d(exports, "default", function () {
        return MDXContent;
      });

      // Modules 2 and 9 are presumably Babel's "extends" and
      // "objectWithoutProperties" helpers; confirm against the chunk that
      // defines them. Module 0 is required for its side effects only.
      var propsMerge = require(2);
      var propsOmit = require(9);
      require(0);
      var mdx = require(173);

      var frontMatter = { id: "cis-benchmark", title: "CIS Benchmark" };

      var metadata = {
        id: "cis-benchmark",
        title: "CIS Benchmark",
        description: "| ID | Description | Code |",
        source: "@site/docs/cis-benchmark.md",
        permalink: "/docs/cis-benchmark",
        editUrl:
          "https://github.com/raspbernetes/docs/edit/master/website/docs/cis-benchmark.md",
        sidebar: "someSidebar",
        previous: {
          title: "Boot Raspberry Pi From USB SSD",
          permalink: "/docs/usb_booting",
        },
        next: {
          title: "Kubesec Benchmark",
          permalink: "/docs/kubesec-benchmark",
        },
      };

      var rightToc = [];
      var layoutProps = { rightToc: rightToc };

      // One entry per table row: [control ID, description, link to the policy].
      // Every link targets the "master" branch, so the policy text behind a link
      // can change after this page was built; pin a commit when an audit needs a
      // stable reference.
      // NOTE(review): CIS.1.2.13 and CIS.1.2.16 refer to PodSecurityPolicy, which
      // Kubernetes removed in v1.25. The page does not say which benchmark or
      // cluster version these rows target; confirm before relying on them.
      var POLICIES = [
        [
          "CIS.1.2.1",
          "Ensure that the --anonymous-auth argument is set to false",
          "https://github.com/raspbernetes/k8s-security-policies/blob/master/policies/CIS.1.2.1/CIS.1.2.1.rego",
        ],
        [
          "CIS.1.2.10",
          "Ensure that the admission control plugin EventRateLimit is set",
          "https://github.com/raspbernetes/k8s-security-policies/blob/master/policies/CIS.1.2.10/CIS.1.2.10.rego",
        ],
        [
          "CIS.1.2.11",
          "Ensure that the admission control plugin AlwaysAdmit is not set",
          "https://github.com/raspbernetes/k8s-security-policies/blob/master/policies/CIS.1.2.11/CIS.1.2.11.rego",
        ],
        [
          "CIS.1.2.12",
          "Ensure that the admission control plugin AlwaysPullImages is set",
          "https://github.com/raspbernetes/k8s-security-policies/blob/master/policies/CIS.1.2.12/CIS.1.2.12.rego",
        ],
        [
          "CIS.1.2.13",
          "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used",
          "https://github.com/raspbernetes/k8s-security-policies/blob/master/policies/CIS.1.2.13/CIS.1.2.13.rego",
        ],
        [
          "CIS.1.2.14",
          "Ensure that the admission control plugin ServiceAccount is set",
          "https://github.com/raspbernetes/k8s-security-policies/blob/master/policies/CIS.1.2.14/CIS.1.2.14.rego",
        ],
        [
          "CIS.1.2.15",
          "Ensure that the admission control plugin NamespaceLifecycle is set",
          "https://github.com/raspbernetes/k8s-security-policies/blob/master/policies/CIS.1.2.15/CIS.1.2.15.rego",
        ],
        [
          "CIS.1.2.16",
          "Ensure that the admission control plugin PodSecurityPolicy is set",
          "https://github.com/raspbernetes/k8s-security-policies/blob/master/policies/CIS.1.2.16/CIS.1.2.16.rego",
        ],
        [
          "CIS.1.2.17",
          "Ensure that the admission control plugin NodeRestriction is set",
          "https://github.com/raspbernetes/k8s-security-policies/blob/master/policies/CIS.1.2.17/CIS.1.2.17.rego",
        ],
        [
          "CIS.1.4.1",
          "Ensure that the --profiling argument is set to false",
          "https://github.com/raspbernetes/k8s-security-policies/blob/master/policies/CIS.1.4.1/CIS.1.4.1.rego",
        ],
        [
          "CIS.2.1",
          "Ensure that the --cert-file and --key-file arguments are set as appropriate",
          "https://github.com/raspbernetes/k8s-security-policies/blob/master/policies/CIS.2.1/CIS.2.1.rego",
        ],
        [
          "CIS.2.2",
          "Ensure that the --client-cert-auth argument is set to true",
          "https://github.com/raspbernetes/k8s-security-policies/blob/master/policies/CIS.2.2/CIS.2.2.rego",
        ],
        [
          "CIS.2.3",
          "Ensure that the --auto-tls argument is not set to true",
          "https://github.com/raspbernetes/k8s-security-policies/blob/master/policies/CIS.2.3/CIS.2.3.rego",
        ],
        [
          "CIS.2.4",
          "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate",
          "https://github.com/raspbernetes/k8s-security-policies/blob/master/policies/CIS.2.4/CIS.2.4.rego",
        ],
        [
          "CIS.2.5",
          "Ensure that the --peer-client-cert-auth argument is set to true",
          "https://github.com/raspbernetes/k8s-security-policies/blob/master/policies/CIS.2.5/CIS.2.5.rego",
        ],
        [
          "CIS.2.6",
          "Ensure that the --peer-auto-tls argument is not set to true",
          "https://github.com/raspbernetes/k8s-security-policies/blob/master/policies/CIS.2.6/CIS.2.6.rego",
        ],
        [
          "CIS.2.7",
          "Ensure that a unique Certificate Authority is used for etcd",
          "https://github.com/raspbernetes/k8s-security-policies/blob/master/policies/CIS.2.7/CIS.2.7.rego",
        ],
        [
          "CIS.5.1.1",
          "Ensure that the cluster-admin role is only used where required",
          "https://github.com/raspbernetes/k8s-security-policies/blob/master/policies/CIS.5.1.1/CIS.5.1.1.rego",
        ],
        [
          "CIS.5.1.3",
          "Minimize wildcard use in Roles and ClusterRoles",
          "https://github.com/raspbernetes/k8s-security-policies/blob/master/policies/CIS.5.1.3/CIS.5.1.3.rego",
        ],
        [
          "CIS.5.5.1",
          "Configure Image Provenance using ImagePolicyWebhook admission controller",
          "https://github.com/raspbernetes/k8s-security-policies/blob/master/policies/CIS.5.5.1/CIS.5.5.1.rego",
        ],
      ];

      /**
       * Page component: renders the CIS benchmark table inside the MDX layout
       * wrapper.
       *
       * @param {Object} props - Component props; "components" is split off and
       *   passed to the wrapper explicitly, everything else is forwarded.
       * @returns {*} The element returned by the MDX createElement wrapper.
       */
      function MDXContent(props) {
        var h = mdx.b;
        var merge = propsMerge.a;
        var components = props.components;
        var rest = Object(propsOmit.a)(props, ["components"]);
        var wrapperProps = merge({}, layoutProps, rest, {
          components: components,
          mdxType: "MDXLayout",
        });

        // A <th>/<td> that sits directly inside a <tr>.
        function cell(tag, align, child) {
          return h(tag, merge({ parentName: "tr" }, { align: align }), child);
        }

        // One <tr> of the table body, built from a POLICIES entry.
        function policyRow(policy) {
          var link = h(
            "a",
            merge({ parentName: "td" }, { href: policy[2] }),
            "Link"
          );
          return h(
            "tr",
            { parentName: "tbody" },
            cell("td", "center", policy[0]),
            cell("td", null, policy[1]),
            cell("td", "center", link)
          );
        }

        var head = h(
          "thead",
          { parentName: "table" },
          h(
            "tr",
            { parentName: "thead" },
            cell("th", "center", "ID"),
            cell("th", null, "Description"),
            cell("th", "center", "Code")
          )
        );

        // Rows are passed as separate arguments (not as one array), exactly as
        // the generated code passed them.
        var body = h.apply(
          null,
          ["tbody", { parentName: "table" }].concat(POLICIES.map(policyRow))
        );

        return h("wrapper", wrapperProps, h("table", null, head, body));
      }

      MDXContent.isMDXComponent = true;
    },

    173: function (module, exports, require) {
      "use strict";

      require.d(exports, "a", function () {
        return MDXProvider;
      });
      require.d(exports, "b", function () {
        return createElement;
      });

      var reactModule = require(0);
      // Interop getter: reactInterop.a is what the rest of this module uses as
      // the React namespace.
      var reactInterop = require.n(reactModule);

      // Sets obj[key] = value and returns obj; an existing key (own or
      // inherited) is redefined as a plain enumerable data property.
      function defineProperty(obj, key, value) {
        if (key in obj) {
          Object.defineProperty(obj, key, {
            value: value,
            enumerable: true,
            configurable: true,
            writable: true,
          });
        } else {
          obj[key] = value;
        }
        return obj;
      }

      // Own string keys plus own symbol keys (only enumerable symbols when
      // enumerableOnly is truthy).
      function ownKeys(object, enumerableOnly) {
        var keys = Object.keys(object);
        if (Object.getOwnPropertySymbols) {
          var symbols = Object.getOwnPropertySymbols(object);
          if (enumerableOnly) {
            symbols = symbols.filter(function (symbol) {
              return Object.getOwnPropertyDescriptor(object, symbol).enumerable;
            });
          }
          keys.push.apply(keys, symbols);
        }
        return keys;
      }

      // Copies the properties of every further argument onto target.
      // Odd-positioned sources are copied by value; even-positioned ones by
      // property descriptor.
      function objectSpread(target) {
        for (var index = 1; index < arguments.length; index++) {
          var source = null != arguments[index] ? arguments[index] : {};
          if (index % 2) {
            ownKeys(Object(source), true).forEach(function (key) {
              defineProperty(target, key, source[key]);
            });
          } else if (Object.getOwnPropertyDescriptors) {
            Object.defineProperties(
              target,
              Object.getOwnPropertyDescriptors(source)
            );
          } else {
            ownKeys(Object(source)).forEach(function (key) {
              Object.defineProperty(
                target,
                key,
                Object.getOwnPropertyDescriptor(source, key)
              );
            });
          }
        }
        return target;
      }

      // Copy of source's own enumerable string keys, minus those in excluded.
      function omitStringKeys(source, excluded) {
        if (null == source) {
          return {};
        }
        var target = {};
        var keys = Object.keys(source);
        for (var index = 0; index < keys.length; index++) {
          var key = keys[index];
          if (excluded.indexOf(key) >= 0) {
            continue;
          }
          target[key] = source[key];
        }
        return target;
      }

      // Like omitStringKeys, but also carries over enumerable symbol keys.
      function objectWithoutProperties(source, excluded) {
        if (null == source) {
          return {};
        }
        var target = omitStringKeys(source, excluded);
        if (Object.getOwnPropertySymbols) {
          var symbols = Object.getOwnPropertySymbols(source);
          for (var index = 0; index < symbols.length; index++) {
            var symbol = symbols[index];
            if (excluded.indexOf(symbol) >= 0) {
              continue;
            }
            if (!Object.prototype.propertyIsEnumerable.call(source, symbol)) {
              continue;
            }
            target[symbol] = source[symbol];
          }
        }
        return target;
      }

      var MDXContext = reactInterop.a.createContext({});

      // Resolves the component map: the context value, optionally replaced by
      // the result of a function or overlaid with an object of overrides.
      var useMDXComponents = function (components) {
        var fromContext = reactInterop.a.useContext(MDXContext);
        if (!components) {
          return fromContext;
        }
        if ("function" == typeof components) {
          return components(fromContext);
        }
        return objectSpread(objectSpread({}, fromContext), components);
      };

      // Export "a": provides the resolved component map to descendants.
      var MDXProvider = function (props) {
        var resolved = useMDXComponents(props.components);
        return reactInterop.a.createElement(
          MDXContext.Provider,
          { value: resolved },
          props.children
        );
      };

      // Fallbacks used when neither context nor props supply a component.
      var DEFAULTS = {
        inlineCode: "code",
        wrapper: function (props) {
          var children = props.children;
          return reactInterop.a.createElement(
            reactInterop.a.Fragment,
            {},
            children
          );
        },
      };

      // Picks the component to render for an MDX element. Lookup order:
      // "<parentName>.<mdxType>", then "<mdxType>", then DEFAULTS, then the
      // original element type.
      var MDXCreateElement = reactInterop.a.forwardRef(function (props, ref) {
        var propComponents = props.components;
        var mdxType = props.mdxType;
        var originalType = props.originalType;
        var parentName = props.parentName;
        var passThrough = objectWithoutProperties(props, [
          "components",
          "mdxType",
          "originalType",
          "parentName",
        ]);
        var resolved = useMDXComponents(propComponents);
        var Component =
          resolved["".concat(parentName, ".").concat(mdxType)] ||
          resolved[mdxType] ||
          DEFAULTS[mdxType] ||
          originalType;

        if (propComponents) {
          return reactInterop.a.createElement(
            Component,
            objectSpread(
              objectSpread({ ref: ref }, passThrough),
              {},
              { components: propComponents }
            )
          );
        }
        return reactInterop.a.createElement(
          Component,
          objectSpread({ ref: ref }, passThrough)
        );
      });

      // Export "b": drop-in createElement. String element types, and any call
      // whose props carry an mdxType, are routed through MDXCreateElement;
      // everything else goes straight to React's createElement.
      function createElement(type, props) {
        var args = arguments;
        var mdxType = props && props.mdxType;

        if ("string" != typeof type && !mdxType) {
          return reactInterop.a.createElement.apply(null, args);
        }

        var argCount = args.length;
        var forwarded = new Array(argCount);
        forwarded[0] = MDXCreateElement;

        var newProps = {};
        for (var key in props) {
          // Bare hasOwnProperty resolves through the global object; only own
          // properties of props are copied.
          if (hasOwnProperty.call(props, key)) {
            newProps[key] = props[key];
          }
        }
        newProps.originalType = type;
        newProps.mdxType = "string" == typeof type ? type : mdxType;
        forwarded[1] = newProps;

        for (var index = 2; index < argCount; index++) {
          forwarded[index] = args[index];
        }
        return reactInterop.a.createElement.apply(null, forwarded);
      }

      MDXCreateElement.displayName = "MDXCreateElement";
    },
  },
]);