CIS Kubernetes Benchmark v1.6 - RKE2 v1.20
This document is a companion to the RKE2 security hardening guide. The hardening guide provides prescriptive guidance for hardening a production installation of RKE2, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes benchmark. It is to be used by RKE2 operators, security teams, auditors, and decision makers.
This guide is specific to the v1.20 release line of RKE2 and the v1.6.1 release of the CIS Kubernetes Benchmark.
For more detail about each control, including fuller descriptions and remediations for failing tests, refer to the corresponding section of the CIS Kubernetes Benchmark v1.6. You can download the benchmark after logging in to CISecurity.org.
Testing controls methodology
Each control in the CIS Kubernetes Benchmark was evaluated against an RKE2 cluster that was configured according to the accompanying hardening guide.
Where control audits differ from the original CIS benchmark, the audit commands specific to RKE2 are provided for testing.
These are the possible results for each control:
- Pass - The RKE2 cluster under test passed the audit outlined in the benchmark.
- Not Applicable - The control is not applicable to RKE2 because of how it is designed to operate. The remediation section will explain why this is so.
- Manual - Operator Dependent - The control is Manual in the CIS benchmark and it depends on the cluster's use case or some other factor that must be determined by the cluster operator. These controls have been evaluated to ensure RKE2 does not prevent their implementation, but no further configuration or auditing of the cluster under test has been performed.
1 Master Node Security Configuration
1.1 Master Node Configuration Files
Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
Rationale
The API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.
Audit
stat -c %a /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml
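The audit command returns only the raw mode; deciding whether that mode is "644 or more restrictive" is left to the operator. The shell helper below is an added example, not code from this page, the CIS benchmark or RKE2 itself. It runs the same stat call against the RKE2 manifest path shown above and evaluates the result with a bitwise mask check: a mode passes only if it sets no permission bit that 644 does not, so 600 and 640 pass while 664, 755 and 700 fail. The function names, the temporary-file usage in the checks, and the variable holding the manifest path are this example's own assumptions.

```shell
#!/bin/sh
# Added example: evaluate "644 or more restrictive" for the RKE2 API server manifest.
# Not part of the page or of RKE2; helper names and structure are assumptions.

# Path from the RKE2-specific audit command on the page.
MANIFEST=/var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml

# perm_at_most ACTUAL MAX
# Returns 0 when every permission bit set in ACTUAL is also set in MAX.
# A bitwise test is used rather than a numeric "<=": 700 is numerically
# larger than 644 and 640 is smaller, but the question is which bits are
# granted, and 700 grants owner-execute, which 644 does not. Both arguments
# are octal strings as printed by `stat -c %a`; the leading 0 makes the
# shell's arithmetic expansion parse them as octal.
perm_at_most() {
  actual=$((0$1))
  max=$((0$2))
  [ $(( actual & ~max )) -eq 0 ]
}

# audit_file PATH [MAX]
# Prints a PASS/FAIL line for PATH against MAX (default 644) and returns
# 0 on pass, 1 on fail. A missing file is reported as a failure rather
# than silently passing.
audit_file() {
  path=$1
  max=${2:-644}
  if [ ! -e "$path" ]; then
    echo "FAIL: $path does not exist"
    return 1
  fi
  mode=$(stat -c %a "$path")
  if perm_at_most "$mode" "$max"; then
    echo "PASS: $path mode $mode is $max or more restrictive"
    return 0
  fi
  echo "FAIL: $path mode $mode grants bits beyond $max"
  return 1
}

# Run the real check when the RKE2 manifest is present on this host.
if [ -e "$MANIFEST" ]; then
  if audit_file "$MANIFEST" 644; then rc=0; else rc=1; fi
  echo "audit exit status: $rc"
fi
```

Pointing `audit_file` at the other files under the same pod-manifests directory, with the expected mode for each control, gives a repeatable version of the file-permission checks in this section; the bitwise comparison is what keeps a mode such as 700 from being mistaken for a pass.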