CIS Kubernetes Benchmark v1.8 - Production Checks

Overview

This document describes the production-ready security checks implemented for CIS Kubernetes Benchmark v1.8.

Implemented Checks

Section 1: Control Plane Components

1.1 API Server (CIS 1.1.x, 1.2.x)

Check: API Server Flags Validation (check-apiserver-flags)

  • CIS Controls: 1.2.1 - 1.2.12
  • Validates:
    • --anonymous-auth=false
    • --authorization-mode includes Node and RBAC
    • --audit-log-maxage=30
    • --audit-log-maxbackup=10
    • --audit-log-maxsize=100
    • --request-timeout=300s
    • --service-account-lookup=true
    • --enable-bootstrap-token-auth=false
    • --tls-cipher-suites (strong ciphers)
    • --tls-min-version=VersionTLS12
    • Dangerous flags disabled (--insecure-port, --insecure-bind-address)

Check: etcd Encryption (check-etcd-encryption)

  • CIS Control: 1.1.20
  • Validates:
    • --encryption-provider-config is set
    • Encryption provider uses strong algorithms (aescbc or secretbox)
    • etcd data is encrypted at rest

1.1 RBAC (CIS 1.1.x)

Check: RBAC Misconfigurations (check-rbac-misconfigurations)

  • CIS Controls: 1.1.1, 1.1.8
  • Validates:
    • ClusterRoles without wildcard privileges
    • ClusterRoleBindings to cluster-admin (non-system accounts)
    • Roles without wildcard privileges
    • Excessive ServiceAccount permissions

Check: ServiceAccount Permissions (check-serviceaccount-permissions)

  • CIS Control: 1.1.8
  • Validates:
    • ServiceAccounts not bound to cluster-admin
    • ServiceAccounts with least privilege roles
    • ServiceAccount token mounting only where necessary

Section 4: Network Policies and CNI

Check: Namespace Isolation (check-namespace-isolation)

  • CIS Controls: 4.1.1, 4.2.1
  • Validates:
    • All namespaces have NetworkPolicies
    • Default-deny NetworkPolicies exist
    • ResourceQuotas are configured
    • LimitRanges are configured

Check: NetworkPolicy Coverage (check-networkpolicy-coverage)

  • CIS Control: 4.1.2
  • Validates:
    • All pods are covered by NetworkPolicies
    • No pods with unrestricted network access

Section 5: Pod Security Standards

Check: Pod Security Standards (check-pod-security-standards)

  • CIS Control: 5.2.1
  • Validates:
    • Namespaces have pod-security.kubernetes.io/enforce label
    • Enforcement level is 'restricted' or 'baseline'
    • Audit and warn modes are configured

Check: Pod Security Policy (check-pod-security-policy)

  • CIS Control: 5.2.2
  • Validates:
    • Pods comply with Pod Security Standards
    • No pods running as root
    • No privileged containers
    • No privilege escalation
    • Read-only root filesystem
    • Proper capability management

Implementation Details

API Server Checks

The API server checks examine the kube-apiserver pod configuration in the kube-system namespace:

```go
// Find API server pods
pods, err := client.Clientset.CoreV1().Pods("kube-system").List(ctx, metav1.ListOptions{
    LabelSelector: "component=kube-apiserver",
})
if err != nil {
    return nil, err
}

// Every API server replica is checked, not just the first one returned
for _, pod := range pods.Items {
    for _, container := range pod.Spec.Containers {
        // Extract command-line flags
        flags := extractFlags(container.Command)

        // Validate required flags
        for flag, expectedValue := range requiredFlags {
            // Check flag exists and has correct value; record a finding otherwise
        }
    }
}
```
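The flag-validation step above is shown here as a self-contained example (added for this document; it is not the project's own extractFlags or requiredFlags). It parses a kube-apiserver command line into a flag map and reports violations of the CIS 1.2.x expectations listed above, handling --authorization-mode as a list and the dangerous flags as must-be-absent rather than by simple equality.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Expected CIS 1.2.x flag values from the list above (example table, not the project's own).
var requiredFlags = map[string]string{
	"anonymous-auth": "false", "audit-log-maxage": "30", "audit-log-maxbackup": "10",
	"audit-log-maxsize": "100", "request-timeout": "300s", "service-account-lookup": "true",
	"enable-bootstrap-token-auth": "false", "tls-min-version": "VersionTLS12",
}
var dangerousFlags = []string{"insecure-port", "insecure-bind-address"} // must be absent entirely
// parseFlags maps "--name=value" arguments to values; a bare "--name" keeps "" so presence checks still see it.
func parseFlags(cmd []string) map[string]string {
	flags := make(map[string]string)
	for _, arg := range cmd {
		if strings.HasPrefix(arg, "--") { // skips the binary name and positional words
			name, value, _ := strings.Cut(strings.TrimPrefix(arg, "--"), "=")
			flags[name] = value
		}
	}
	return flags
}
// validateAPIServerFlags returns one sorted finding per violated control.
func validateAPIServerFlags(cmd []string) []string {
	flags := parseFlags(cmd)
	var findings []string
	for name, want := range requiredFlags {
		if got := flags[name]; got != want { // a missing flag reads as ""
			findings = append(findings, fmt.Sprintf("--%s=%q (want %s)", name, got, want))
		}
	}
	// --authorization-mode is a comma-separated list that must contain both Node and RBAC.
	modes := "," + flags["authorization-mode"] + ","
	for _, m := range []string{"Node", "RBAC"} {
		if !strings.Contains(modes, ","+m+",") {
			findings = append(findings, "--authorization-mode lacks "+m)
		}
	}
	for _, name := range dangerousFlags {
		if _, set := flags[name]; set {
			findings = append(findings, "--"+name+" must not be set")
		}
	}
	sort.Strings(findings)
	return findings
}
```

Feed it pod.Spec.Containers[i].Command from the kube-apiserver pod; an empty result means every listed control passed.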

RBAC Checks

RBAC checks examine ClusterRoles, Roles, and their bindings:

```go
// Check ClusterRoles for wildcard privileges
clusterRoles, _ := client.Clientset.RbacV1().ClusterRoles().List(ctx, metav1.ListOptions{})

// Check ClusterRoleBindings to cluster-admin
clusterRoleBindings, _ := client.Clientset.RbacV1().ClusterRoleBindings().List(ctx, metav1.ListOptions{})

// Check Roles in namespaces (repeated for each namespace being assessed)
roles, _ := client.Clientset.RbacV1().Roles(namespace).List(ctx, metav1.ListOptions{})
```

Namespace Isolation Checks

Namespace isolation checks validate network segmentation:

```go
// Check NetworkPolicies
netpols, _ := client.Clientset.NetworkingV1().NetworkPolicies(namespace).List(ctx, metav1.ListOptions{})

// Check ResourceQuotas
quotas, _ := client.Clientset.CoreV1().ResourceQuotas(namespace).List(ctx, metav1.ListOptions{})

// Check LimitRanges
limits, _ := client.Clientset.CoreV1().LimitRanges(namespace).List(ctx, metav1.ListOptions{})
```

Pod Security Standards Checks

Pod Security Standards checks validate namespace-level and pod-level security:

```go
// Check namespace labels/annotations
pssEnforce := namespace.Labels["pod-security.kubernetes.io/enforce"]

// Check pod security contexts. RunAsUser is *int64, so both the SecurityContext
// and the field must be nil-checked before dereferencing; a nil RunAsUser means
// the image default applies and cannot be treated as "not root".
if sc := pod.Spec.SecurityContext; sc != nil && sc.RunAsUser != nil && *sc.RunAsUser == 0 {
    // Violation: running as root
}
```
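As an added example (not the project's code), the two evaluations above are written out with their edge cases: the namespace label check treats a missing enforce label as a finding, and the root check resolves RunAsUser across the pod-level and container-level SecurityContext with pointer semantics, reporting "unknown" when the spec alone cannot settle it. The securityContext type is a stand-in for the corev1 fields so the example compiles without client-go.

```go
package main

// Stand-ins for the corev1.PodSecurityContext / corev1.SecurityContext fields
// used here (example types, not the k8s.io/api ones).
type securityContext struct {
	RunAsUser    *int64
	RunAsNonRoot *bool
}

// checkPSSLabels returns findings for a namespace's Pod Security Admission labels:
// enforce must be baseline or restricted, and audit and warn should be configured.
func checkPSSLabels(labels map[string]string) []string {
	var findings []string
	switch level := labels["pod-security.kubernetes.io/enforce"]; level {
	case "restricted", "baseline":
	case "":
		findings = append(findings, "enforce label missing") // unlabelled namespaces default to privileged
	default:
		findings = append(findings, "enforce level "+level+" is weaker than baseline")
	}
	for _, mode := range []string{"audit", "warn"} {
		if labels["pod-security.kubernetes.io/"+mode] == "" {
			findings = append(findings, mode+" mode not configured")
		}
	}
	return findings
}

// runsAsRoot resolves the effective UID the way the kubelet does (container-level
// settings override pod-level ones). known is false when RunAsUser is unset and
// RunAsNonRoot is not true: the image's USER then decides and the spec cannot prove non-root.
func runsAsRoot(pod, container *securityContext) (isRoot, known bool) {
	var uid *int64
	var nonRoot *bool
	for _, sc := range []*securityContext{pod, container} { // pod first, container wins
		if sc == nil {
			continue
		}
		if sc.RunAsUser != nil {
			uid = sc.RunAsUser
		}
		if sc.RunAsNonRoot != nil {
			nonRoot = sc.RunAsNonRoot
		}
	}
	if uid != nil {
		return *uid == 0, true
	}
	return false, nonRoot != nil && *nonRoot
}
```

A pod for which known is false belongs in a separate "needs image inspection" finding rather than being counted as compliant.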

Evidence Collection

All checks collect detailed evidence:

  • Resource Evidence: Pod configurations, RBAC rules, NetworkPolicies
  • Config Evidence: API server flags, namespace labels
  • Query Evidence: API query results

Findings and Remediation

Each check provides:

  • Finding ID: Unique identifier
  • Title: Short description
  • Description: Detailed explanation
  • Severity: Critical, High, Medium, Low
  • Resource: Kubernetes resource identifier
  • Remediation: Step-by-step fix instructions

Usage

```go
// Initialize checkers
apiserverChecker := k8s.NewAPIServerChecker(client)
rbacChecker := k8s.NewRBACAdvancedChecker(client)
namespaceChecker := k8s.NewNamespaceIsolationChecker(client)
pssChecker := k8s.NewPodSecurityStandardsChecker(client)

// Execute checks
apiResult, _ := apiserverChecker.CheckAPIServerFlags(ctx)
etcdResult, _ := apiserverChecker.CheckEtcdEncryption(ctx)
rbacResult, _ := rbacChecker.CheckRBACMisconfigurations(ctx)
namespaceResult, _ := namespaceChecker.CheckNamespaceIsolation(ctx)
pssResult, _ := pssChecker.CheckPodSecurityStandards(ctx)
```

Compliance

These checks align with:

  • CIS Kubernetes Benchmark v1.8
  • NIST 800-53 (via compliance mappings)
  • ISO 27001 (via compliance mappings)
  • SOC 2 (via compliance mappings)

Production Readiness

All checks are production-ready with:

  • ✅ Error handling
  • ✅ Evidence collection
  • ✅ Detailed findings
  • ✅ Remediation guidance
  • ✅ Performance optimization
  • ✅ Comprehensive logging