// Webpack async chunk 36 — generated, minified build output. Reformatted here for
// reading only; every token is unchanged. It registers two modules:
//   169: the Docusaurus MDX page compiled from @site/docs/kubesec-benchmark.md
//   173: the MDX runtime used to render it (components context + mdx createElement)
// Anything flagged in the comments below is a content issue in the source markdown
// (see `editUrl` in the metadata) — this bundle is regenerated on every build.
(window.webpackJsonp=window.webpackJsonp||[]).push([[36],{
  // Module 169: "Kubesec Benchmark" docs page. e = module, t = exports, a = webpack require.
  169:function(e,t,a){"use strict";
    // Mark exports as an ES module and expose the four MDX-loader exports as getters.
    a.r(t),
    a.d(t,"frontMatter",(function(){return b})),
    a.d(t,"metadata",(function(){return i})),
    a.d(t,"rightToc",(function(){return s})),
    a.d(t,"default",(function(){return p}));
    var r=a(2),          // r.a is used below to merge prop objects (Object.assign-like); defined in module 2, not visible here
        n=a(9),          // n.a is used below to strip `components` out of the props; defined in module 9, not visible here
        c=(a(0),a(173)), // a(0) is required for its side effects only; c is the MDX runtime (module 173 below)
        // `Object(fn)(...)` is webpack's way of calling an imported binding without a `this`.
        b={id:"kubesec-benchmark",title:"Kubesec Benchmark"},
        i={id:"kubesec-benchmark",title:"Kubesec Benchmark",
           // NOTE(review): the page description is the markdown table's header row, because the
           // source document has no introductory paragraph; one sentence before the table in
           // kubesec-benchmark.md would give search/SEO a real description.
           description:"| ID | Description | Code | URL |",
           source:"@site/docs/kubesec-benchmark.md",
           permalink:"/docs/kubesec-benchmark",
           editUrl:"https://github.com/raspbernetes/docs/edit/master/website/docs/kubesec-benchmark.md",
           sidebar:"someSidebar",
           previous:{title:"CIS Benchmark",permalink:"/docs/cis-benchmark"}},
        s=[],              // right-hand table of contents: empty, the page has no headings
        o={rightToc:s};
    // Page component. `e.components` is the optional MDX component map; every other prop is
    // forwarded to the "wrapper" (MDXLayout). Renders one table: ID | Description | Code | URL,
    // where Code links to the Rego policy enforcing the check and URL to the rationale.
    function p(e){
      var t=e.components,
          a=Object(n.a)(e,["components"]);
      return Object(c.b)("wrapper",Object(r.a)({},o,a,{components:t,mdxType:"MDXLayout"}),
        Object(c.b)("table",null,
          Object(c.b)("thead",{parentName:"table"},
            Object(c.b)("tr",{parentName:"thead"},
              Object(c.b)("th",Object(r.a)({parentName:"tr"},{align:"center"}),"ID"),
              Object(c.b)("th",Object(r.a)({parentName:"tr"},{align:null}),"Description"),
              Object(c.b)("th",Object(r.a)({parentName:"tr"},{align:"center"}),"Code"),
              Object(c.b)("th",Object(r.a)({parentName:"tr"},{align:"center"}),"URL"))),
          Object(c.b)("tbody",{parentName:"table"},
            // K.SEC.01 — CPU limits
            Object(c.b)("tr",{parentName:"tbody"},
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),"K.SEC.01"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:null}),"Enforcing CPU limits prevents DOS via resource exhaustion"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.01.rego"}),"Link")),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://kubesec.io/basics/containers-resources-limits-cpu/"}),"Link"))),
            // K.SEC.02 — memory limits
            Object(c.b)("tr",{parentName:"tbody"},
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),"K.SEC.02"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:null}),"Enforcing memory limits prevents DOS via resource exhaustion"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.02.rego"}),"Link")),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://kubesec.io/basics/containers-resources-limits-memory"}),"Link"))),
            // K.SEC.03 — CAP_SYS_ADMIN
            Object(c.b)("tr",{parentName:"tbody"},
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),"K.SEC.03"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:null}),"CAP_SYS_ADMIN is the most privileged capability and should always be avoided"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.03.rego"}),"Link")),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://kubesec.io/basics/containers-securitycontext-capabilities-add-index-sys-admin/"}),"Link"))),
            // K.SEC.04 — drop all capabilities
            // NOTE(review): this row is K.SEC.04 but its Code link points at K.SEC.05.rego, the
            // same policy file the K.SEC.05 row below links to. Every other row links to the
            // policy matching its own ID, so this looks like a copy-paste slip in the source
            // table; it should be corrected in kubesec-benchmark.md (editUrl above), not here.
            Object(c.b)("tr",{parentName:"tbody"},
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),"K.SEC.04"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:null}),"Drop all capabilities and add only those required to reduce syscall attack surface"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.05.rego"}),"Link")),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/"}),"Link"))),
            // K.SEC.05 — privileged containers
            Object(c.b)("tr",{parentName:"tbody"},
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),"K.SEC.05"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:null}),"Privileged containers can allow almost completely unrestricted host access"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.05.rego"}),"Link")),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://kubesec.io/basics/containers-securitycontext-privileged-true/"}),"Link"))),
            // K.SEC.06 — read-only root filesystem
            Object(c.b)("tr",{parentName:"tbody"},
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),"K.SEC.06"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:null}),"An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.06.rego"}),"Link")),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/"}),"Link"))),
            // K.SEC.07 — runAsNonRoot
            Object(c.b)("tr",{parentName:"tbody"},
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),"K.SEC.07"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:null}),"Force the running image to run as a non-root user to ensure least privilege"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.07.rego"}),"Link")),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://kubesec.io/basics/containers-securitycontext-runasnonroot-true/"}),"Link"))),
            // K.SEC.08 — high UID
            Object(c.b)("tr",{parentName:"tbody"},
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),"K.SEC.08"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:null}),"Run as a high-UID user to avoid conflicts with the host\u2019s user table"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.08.rego"}),"Link")),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://kubesec.io/basics/containers-securitycontext-runasuser/"}),"Link"))),
            // K.SEC.09 — hostAliases
            Object(c.b)("tr",{parentName:"tbody"},
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),"K.SEC.09"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:null}),"Managing /etc/hosts aliases can prevent Docker from modifying the file after a pod\u2019s containers have already been started"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.09.rego"}),"Link")),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://kubesec.io/basics/spec-hostaliases/"}),"Link"))),
            // K.SEC.10 — hostIPC
            Object(c.b)("tr",{parentName:"tbody"},
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),"K.SEC.10"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:null}),"Sharing the host\u2019s IPC namespace allows container processes to communicate with processes on the host"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.10.rego"}),"Link")),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://kubesec.io/basics/spec-hostipc/"}),"Link"))),
            // K.SEC.11 — hostNetwork
            Object(c.b)("tr",{parentName:"tbody"},
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),"K.SEC.11"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:null}),"Sharing the host\u2019s network namespace permits processes in the pod to communicate with processes bound to the host\u2019s loopback adapter"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.11.rego"}),"Link")),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://kubesec.io/basics/spec-hostnetwork/"}),"Link"))),
            // K.SEC.12 — hostPID
            Object(c.b)("tr",{parentName:"tbody"},
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),"K.SEC.12"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:null}),"Sharing the host\u2019s PID namespace allows visibility of processes on the host, potentially leaking information such as environment variables and configuration"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.12.rego"}),"Link")),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://kubesec.io/basics/spec-hostpid/"}),"Link"))),
            // K.SEC.13 — docker socket hostPath
            Object(c.b)("tr",{parentName:"tbody"},
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),"K.SEC.13"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:null}),"Mounting the docker.socket leaks information about other containers and can allow container breakout"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.13.rego"}),"Link")),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://kubesec.io/basics/spec-volumes-hostpath-path-var-run-docker-sock/"}),"Link"))),
            // K.SEC.14 — :latest tag (rationale links to kubernetes.io rather than kubesec.io)
            Object(c.b)("tr",{parentName:"tbody"},
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),"K.SEC.14"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:null}),"Avoid using the :latest tag when deploying containers in production as it is harder to track which version of the image is running and more difficult to roll back properly."),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.14.rego"}),"Link")),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://kubernetes.io/docs/concepts/configuration/overview/#container-images"}),"Link"))),
            // K.SEC.15 — allowPrivilegeEscalation
            Object(c.b)("tr",{parentName:"tbody"},
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),"K.SEC.15"),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:null}),"Disabling allowPrivilegeEscalation to false ensures that no child process of a container can gain more privileges than its parent."),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.15.rego"}),"Link")),
              Object(c.b)("td",Object(r.a)({parentName:"tr"},{align:"center"}),Object(c.b)("a",Object(r.a)({parentName:"td"},{href:"https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation"}),"Link"))))))}
    // Lets the MDX runtime (module 173) recognise this as a compiled MDX component.
    p.isMDXComponent=!0},
  // Module 173: MDX runtime. Exports: a = components provider (l), b = mdx createElement (m).
  173:function(e,t,a){"use strict";
    a.d(t,"a",(function(){return l})),
    a.d(t,"b",(function(){return m}));
    var r=a(0),
        n=a.n(r); // a.n wraps the import so n.a is its default export; presumably React, given the
                  // createContext/useContext/createElement/forwardRef/Fragment calls below
    // c(e,t,a): set own data property t=a on e and return e. Uses defineProperty (enumerable,
    // configurable, writable) when `t in e` is already true — which includes inherited keys —
    // and plain assignment otherwise.
    function c(e,t,a){return t in e?Object.defineProperty(e,t,{value:a,enumerable:!0,configurable:!0,writable:!0}):e[t]=a,e}
    // b(e,t): own string keys of e followed by its own symbol keys (only the enumerable ones
    // when t is truthy). Symbol handling is skipped where getOwnPropertySymbols is absent.
    function b(e,t){
      var a=Object.keys(e);
      if(Object.getOwnPropertySymbols){
        var r=Object.getOwnPropertySymbols(e);
        t&&(r=r.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),
        a.push.apply(a,r)}
      return a}
    // i(e, ...sources): copy each source's own properties onto e and return e (object-spread
    // helper). Odd-positioned sources copy enumerable values via c(); even-positioned ones copy
    // full descriptors — the same two-path shape as Babel's objectSpread2 helper.
    // null/undefined sources are treated as {}.
    function i(e){
      for(var t=1;t<arguments.length;t++){
        var a=null!=arguments[t]?arguments[t]:{};
        t%2?b(Object(a),!0).forEach((function(t){c(e,t,a[t])})):
          Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(a)):
          b(Object(a)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(a,t))}))}
      return e}
    // s(e,t): shallow copy of e minus the keys listed in array t. The inner helper handles string
    // keys; the outer loop adds enumerable own symbol keys not in t. Returns {} for null/undefined e.
    function s(e,t){
      if(null==e)return{};
      var a,r,n=function(e,t){
        if(null==e)return{};
        var a,r,n={},c=Object.keys(e);
        for(r=0;r<c.length;r++)a=c[r],t.indexOf(a)>=0||(n[a]=e[a]);
        return n}(e,t);
      if(Object.getOwnPropertySymbols){
        var c=Object.getOwnPropertySymbols(e);
        for(r=0;r<c.length;r++)a=c[r],t.indexOf(a)>=0||Object.prototype.propertyIsEnumerable.call(e,a)&&(n[a]=e[a])}
      return n}
    var o=n.a.createContext({}), // components context; default value is an empty map
        // p(e): components map in effect — the context value, overlaid with e (or, when e is a
        // function, replaced by e(contextValue)).
        p=function(e){var t=n.a.useContext(o),a=t;return e&&(a="function"==typeof e?e(t):i(i({},t),e)),a},
        // l: provider component; publishes the merged `components` prop to descendants.
        l=function(e){var t=p(e.components);return n.a.createElement(o.Provider,{value:t},e.children)},
        // Built-in fallbacks for MDX node types with no DOM element of their own.
        O={inlineCode:"code",wrapper:function(e){var t=e.children;return n.a.createElement(n.a.Fragment,{},t)}},
        // j: forwardRef component that picks the concrete element for an MDX node, in order:
        // components["<parentName>.<mdxType>"], components[mdxType], built-in fallback, originalType.
        // The four MDX bookkeeping props are stripped before the remaining props are forwarded.
        j=n.a.forwardRef((function(e,t){
          var a=e.components,r=e.mdxType,c=e.originalType,b=e.parentName,
              o=s(e,["components","mdxType","originalType","parentName"]),
              l=p(a),j=r,
              m=l["".concat(b,".").concat(j)]||l[j]||O[j]||c;
          return a?n.a.createElement(m,i(i({ref:t},o),{},{components:a})):n.a.createElement(m,i({ref:t},o))}));
    // m(type, props, ...children): mdx createElement. String types, and any element whose props
    // carry mdxType, are routed through j with the original type kept in props.originalType;
    // everything else is passed to createElement untouched.
    function m(e,t){
      var a=arguments,r=t&&t.mdxType;
      if("string"==typeof e||r){
        var c=a.length,b=new Array(c);
        b[0]=j;
        var i={};
        // Bare `hasOwnProperty` here resolves through the global object (inherited from
        // Object.prototype); it is a ReferenceError in any environment where that lookup fails.
        for(var s in t)hasOwnProperty.call(t,s)&&(i[s]=t[s]);
        i.originalType=e,i.mdxType="string"==typeof e?e:r,b[1]=i;
        for(var o=2;o<c;o++)b[o]=a[o];
        return n.a.createElement.apply(null,b)}
      return n.a.createElement.apply(null,a)}
    j.displayName="MDXCreateElement"}}]);