跳过和不适用的测试
本节列出了 RKE 的允许测试配置文件中跳过的测试。
所有跳过的测试和本页不适用的测试,在 v2.5 生成的报告中都会被算作不适用。跳过的测试计数将只提及用户定义的跳过测试。这允许用户跳过的测试与 RKE 允许的测试配置文件中默认跳过的测试区分开来。
CIS Benchmark v1.5
CIS Benchmark v1.5 Skipped Tests
Number | Description | Reason for Skipping |
---|---|---|
1.1.12 | Ensure that the etcd data directory ownership is set to etcd:etcd (Scored) | A system service account is required for etcd data directory ownership. Refer to Rancher’s hardening guide for more details on how to configure this ownership. |
1.2.6 | Ensure that the —kubelet-certificate-authority argument is set as appropriate (Scored) | When generating serving certificates, functionality could break in conjunction with hostname overrides which are required for certain cloud providers. |
1.2.16 | Ensure that the admission control plugin PodSecurityPolicy is set (Scored) | Enabling Pod Security Policy can cause applications to unexpectedly fail. |
1.2.33 | Ensure that the —encryption-provider-config argument is set as appropriate (Not Scored) | Enabling encryption changes how data can be recovered as data is encrypted. |
1.2.34 | Ensure that encryption providers are appropriately configured (Not Scored) | Enabling encryption changes how data can be recovered as data is encrypted. |
4.2.6 | Ensure that the —protect-kernel-defaults argument is set to true (Scored) | System level configurations are required prior to provisioning the cluster in order for this argument to be set to true. |
4.2.10 | Ensure that the—tls-cert-file and —tls-private-key-file arguments are set as appropriate (Scored) | When generating serving certificates, functionality could break in conjunction with hostname overrides which are required for certain cloud providers. |
5.1.5 | Ensure that default service accounts are not actively used. (Scored) | Kubernetes provides default service accounts to be used. |
5.2.2 | Minimize the admission of containers wishing to share the host process ID namespace (Scored) | Enabling Pod Security Policy can cause applications to unexpectedly fail. |
5.2.3 | Minimize the admission of containers wishing to share the host IPC namespace (Scored) | Enabling Pod Security Policy can cause applications to unexpectedly fail. |
5.2.4 | Minimize the admission of containers wishing to share the host network namespace (Scored) | Enabling Pod Security Policy can cause applications to unexpectedly fail. |
5.2.5 | Minimize the admission of containers with allowPrivilegeEscalation (Scored) | Enabling Pod Security Policy can cause applications to unexpectedly fail. |
5.3.2 | Ensure that all Namespaces have Network Policies defined (Scored) | Enabling Network Policies can prevent certain applications from communicating with each other. |
5.6.4 | The default namespace should not be used (Scored) | Kubernetes provides a default namespace. |
CIS Benchmark v1.5 Not Applicable Tests
Number | Description | Reason for being not applicable |
---|---|---|
1.1.1 | Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored) | Clusters provisioned by RKE doesn’t require or maintain a configuration file for kube-apiserver. All configuration is passed in as arguments at container run time. |
1.1.2 | Ensure that the API server pod specification file ownership is set to root:root (Scored) | Clusters provisioned by RKE doesn’t require or maintain a configuration file for kube-apiserver. All configuration is passed in as arguments at container run time. |
1.1.3 | Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored) | Clusters provisioned by RKE doesn’t require or maintain a configuration file for controller-manager. All configuration is passed in as arguments at container run time. |
1.1.4 | Ensure that the controller manager pod specification file ownership is set to root:root (Scored) | Clusters provisioned by RKE doesn’t require or maintain a configuration file for controller-manager. All configuration is passed in as arguments at container run time. |
1.1.5 | Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored) | Clusters provisioned by RKE doesn’t require or maintain a configuration file for scheduler. All configuration is passed in as arguments at container run time. |
1.1.6 | Ensure that the scheduler pod specification file ownership is set to root:root (Scored) | Clusters provisioned by RKE doesn’t require or maintain a configuration file for scheduler. All configuration is passed in as arguments at container run time. |
1.1.7 | Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Scored) | Clusters provisioned by RKE doesn’t require or maintain a configuration file for etcd. All configuration is passed in as arguments at container run time. |
1.1.8 | Ensure that the etcd pod specification file ownership is set to root:root (Scored) | Clusters provisioned by RKE doesn’t require or maintain a configuration file for etcd. All configuration is passed in as arguments at container run time. |
1.1.13 | Ensure that the admin.conf file permissions are set to 644 or more restrictive (Scored) | Clusters provisioned by RKE does not store the kubernetes default kubeconfig credentials file on the nodes. |
1.1.14 | Ensure that the admin.conf file ownership is set to root:root (Scored) | Clusters provisioned by RKE does not store the kubernetes default kubeconfig credentials file on the nodes. |
1.1.15 | Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Scored) | Clusters provisioned by RKE doesn’t require or maintain a configuration file for scheduler. All configuration is passed in as arguments at container run time. |
1.1.16 | Ensure that the scheduler.conf file ownership is set to root:root (Scored) | Clusters provisioned by RKE doesn’t require or maintain a configuration file for scheduler. All configuration is passed in as arguments at container run time. |
1.1.17 | Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored) | Clusters provisioned by RKE doesn’t require or maintain a configuration file for controller-manager. All configuration is passed in as arguments at container run time. |
1.1.18 | Ensure that the controller-manager.conf file ownership is set to root:root (Scored) | Clusters provisioned by RKE doesn’t require or maintain a configuration file for controller-manager. All configuration is passed in as arguments at container run time. |
1.3.6 | Ensure that the RotateKubeletServerCertificate argument is set to true (Scored) | Clusters provisioned by RKE handles certificate rotation directly through RKE. |
4.1.1 | Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored) | Clusters provisioned by RKE doesn’t require or maintain a configuration file for the kubelet service. All configuration is passed in as arguments at container run time. |
4.1.2 | Ensure that the kubelet service file ownership is set to root:root (Scored) | Clusters provisioned by RKE doesn’t require or maintain a configuration file for the kubelet service. All configuration is passed in as arguments at container run time. |
4.1.9 | Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored) | Clusters provisioned by RKE doesn’t require or maintain a configuration file for the kubelet. All configuration is passed in as arguments at container run time. |
4.1.10 | Ensure that the kubelet configuration file ownership is set to root:root (Scored) | Clusters provisioned by RKE doesn’t require or maintain a configuration file for the kubelet. All configuration is passed in as arguments at container run time. |
4.2.12 | Ensure that the RotateKubeletServerCertificate argument is set to true (Scored) | Clusters provisioned by RKE handles certificate rotation directly through RKE. |
CIS Benchmark v1.4
The skipped and not applicable tests for CIS Benchmark v1.4 are as follows:
CIS Benchmark v1.4 Skipped Tests
Number | Description | Reason for Skipping |
---|---|---|
1.1.11 | “Ensure that the admission control plugin AlwaysPullImages is set (Scored)” | Enabling AlwaysPullImages can use significant bandwidth. |
1.1.21 | “Ensure that the —kubelet-certificate-authority argument is set as appropriate (Scored)” | When generating serving certificates, functionality could break in conjunction with hostname overrides which are required for certain cloud providers. |
1.1.24 | “Ensure that the admission control plugin PodSecurityPolicy is set (Scored)” | Enabling Pod Security Policy can cause applications to unexpectedly fail. |
1.1.34 | “Ensure that the —encryption-provider-config argument is set as appropriate (Scored)” | Enabling encryption changes how data can be recovered as data is encrypted. |
1.1.35 | “Ensure that the encryption provider is set to aescbc (Scored)” | Enabling encryption changes how data can be recovered as data is encrypted. |
1.1.36 | “Ensure that the admission control plugin EventRateLimit is set (Scored)” | EventRateLimit needs to be tuned depending on the cluster. |
1.2.2 | “Ensure that the —address argument is set to 127.0.0.1 (Scored)” | Adding this argument prevents Rancher’s monitoring tool to collect metrics on the scheduler. |
1.3.7 | “Ensure that the —address argument is set to 127.0.0.1 (Scored)” | Adding this argument prevents Rancher’s monitoring tool to collect metrics on the controller manager. |
1.4.12 | “Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)” | A system service account is required for etcd data directory ownership. Refer to Rancher’s hardening guide for more details on how to configure this ownership. |
1.7.2 | “Do not admit containers wishing to share the host process ID namespace (Scored)” | Enabling Pod Security Policy can cause applications to unexpectedly fail. |
1.7.3 | “Do not admit containers wishing to share the host IPC namespace (Scored)” | Enabling Pod Security Policy can cause applications to unexpectedly fail. |
1.7.4 | “Do not admit containers wishing to share the host network namespace (Scored)” | Enabling Pod Security Policy can cause applications to unexpectedly fail. |
1.7.5 | “ Do not admit containers with allowPrivilegeEscalation (Scored)” | Enabling Pod Security Policy can cause applications to unexpectedly fail. |
2.1.6 | “Ensure that the —protect-kernel-defaults argument is set to true (Scored)” | System level configurations are required prior to provisioning the cluster in order for this argument to be set to true. |
2.1.10 | “Ensure that the —tls-cert-file and —tls-private-key-file arguments are set as appropriate (Scored)” | When generating serving certificates, functionality could break in conjunction with hostname overrides which are required for certain cloud providers. |
CIS Benchmark v1.4 Not Applicable Tests
Number | Description | Reason for being not applicable |
---|---|---|
1.1.9 | “Ensure that the —repair-malformed-updates argument is set to false (Scored)” | The argument —repair-malformed-updates has been removed as of Kubernetes version 1.14 |
1.3.6 | “Ensure that the RotateKubeletServerCertificate argument is set to true” | Cluster provisioned by RKE handles certificate rotation directly through RKE. |
1.4.1 | “Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored)” | Cluster provisioned by RKE doesn’t require or maintain a configuration file for kube-apiserver. |
1.4.2 | “Ensure that the API server pod specification file ownership is set to root:root (Scored)” | Cluster provisioned by RKE doesn’t require or maintain a configuration file for kube-apiserver. |
1.4.3 | “Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored)” | Cluster provisioned by RKE doesn’t require or maintain a configuration file for controller-manager. |
1.4.4 | “Ensure that the controller manager pod specification file ownership is set to root:root (Scored)” | Cluster provisioned by RKE doesn’t require or maintain a configuration file for controller-manager. |
1.4.5 | “Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored)” | Cluster provisioned by RKE doesn’t require or maintain a configuration file for scheduler. |
1.4.6 | “Ensure that the scheduler pod specification file ownership is set to root:root (Scored)” | Cluster provisioned by RKE doesn’t require or maintain a configuration file for scheduler. |
1.4.7 | “Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Scored)” | Cluster provisioned by RKE doesn’t require or maintain a configuration file for etcd. |
1.4.8 | “Ensure that the etcd pod specification file ownership is set to root:root (Scored)” | Cluster provisioned by RKE doesn’t require or maintain a configuration file for etcd. |
1.4.13 | “Ensure that the admin.conf file permissions are set to 644 or more restrictive (Scored)” | Cluster provisioned by RKE does not store the kubernetes default kubeconfig credentials file on the nodes. |
1.4.14 | “Ensure that the admin.conf file ownership is set to root:root (Scored)” | Cluster provisioned by RKE does not store the kubernetes default kubeconfig credentials file on the nodes. |
2.1.8 | “Ensure that the —hostname-override argument is not set (Scored)” | Clusters provisioned by RKE clusters and most cloud providers require hostnames. |
2.1.12 | “Ensure that the —rotate-certificates argument is not set to false (Scored)” | Cluster provisioned by RKE handles certificate rotation directly through RKE. |
2.1.13 | “Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)” | Cluster provisioned by RKE handles certificate rotation directly through RKE. |
2.2.3 | “Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)” | Cluster provisioned by RKE doesn’t require or maintain a configuration file for the kubelet service. |
2.2.4 | “Ensure that the kubelet service file ownership is set to root:root (Scored)” | Cluster provisioned by RKE doesn’t require or maintain a configuration file for the kubelet service. |
2.2.9 | “Ensure that the kubelet configuration file ownership is set to root:root (Scored)” | RKE doesn’t require or maintain a configuration file for the kubelet. |
2.2.10 | “Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)” | RKE doesn’t require or maintain a configuration file for the kubelet. |