diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md index 20a6cca48a..95071f3c9e 100644 --- a/prowler/CHANGELOG.md +++ b/prowler/CHANGELOG.md @@ -18,6 +18,8 @@ All notable changes to the **Prowler SDK** are documented in this file. - Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427) - Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408) - Improve SageMaker service tag retrieval with parallel execution [(#9609)](https://github.com/prowler-cloud/prowler/pull/9609) +- Update Kubernetes Kubelet service metadata to new format [(#9677)](https://github.com/prowler-cloud/prowler/pull/9677) + --- diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_authorization_mode/kubelet_authorization_mode.metadata.json b/prowler/providers/kubernetes/services/kubelet/kubelet_authorization_mode/kubelet_authorization_mode.metadata.json index 2eeced91ae..b95e5c239e 100644 --- a/prowler/providers/kubernetes/services/kubelet/kubelet_authorization_mode/kubelet_authorization_mode.metadata.json +++ b/prowler/providers/kubernetes/services/kubelet/kubelet_authorization_mode/kubelet_authorization_mode.metadata.json @@ -1,30 +1,38 @@ { "Provider": "kubernetes", "CheckID": "kubelet_authorization_mode", - "CheckTitle": "Ensure that the kubelet --authorization-mode argument is not set to AlwaysAllow", + "CheckTitle": "Kubelet --authorization-mode is not set to AlwaysAllow", "CheckType": [], "ServiceName": "kubelet", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "KubernetesKubelet", - "Description": "This check ensures that kubelets are not set to use the 'AlwaysAllow' authorization mode, which would allow all authenticated requests without explicit authorization.", - "Risk": "Setting --authorization-mode to AlwaysAllow can lead to unauthorized access to kubelet services.", - "RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/", + "ResourceType": "ConfigMap", + "Description": "**Kubelet** authorization configuration is inspected to confirm the mode is not `AlwaysAllow`.\n\n*If authorization settings are absent, the effective mode requires manual verification.*", + "Risk": "With `AlwaysAllow`, any authenticated user (or anonymous if enabled) can call **kubelet APIs**. This enables reading logs and stats, running `exec`, or disrupting pods, leading to takeover, data exfiltration, and node abuse, degrading **confidentiality**, **integrity**, and **availability**.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/zh/docs/reference/command-line-tools-reference/kubelet/", + "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/", + "https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/", + "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/#kubelet-authorization", + "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/" + ], "Remediation": { "Code": { - "CLI": "--authorization-mode=Webhook", + "CLI": "", "NativeIaC": "", - "Other": "", + "Other": "1. In your cluster admin shell, run: kubectl -n kube-system edit configmap kubelet-config-\n2. In the opened YAML, set the authorization mode to Webhook (add if missing):\n authorization:\n mode: Webhook\n3. Save and exit. Re-run the scan to confirm the finding is now PASS.", "Terraform": "" }, "Recommendation": { - "Text": "Ensure kubelet is configured with an authorization mode other than AlwaysAllow.", - "Url": "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/#kubelet-authorization" + "Text": "Use kubelet authorization mode `Webhook` so decisions defer to **RBAC**. Apply **least privilege** on node subresources, disable anonymous access, and restrict network exposure of the kubelet endpoint. Employ **defense in depth** with TLS and audit to monitor and control access.", + "Url": "https://hub.prowler.com/check/kubelet_authorization_mode" } }, "Categories": [ - "trustboundaries" + "cluster-security", + "identity-access" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_client_ca_file_set/kubelet_client_ca_file_set.metadata.json b/prowler/providers/kubernetes/services/kubelet/kubelet_client_ca_file_set/kubelet_client_ca_file_set.metadata.json index 8e1f12207c..319726acad 100644 --- a/prowler/providers/kubernetes/services/kubelet/kubelet_client_ca_file_set/kubelet_client_ca_file_set.metadata.json +++ b/prowler/providers/kubernetes/services/kubelet/kubelet_client_ca_file_set/kubelet_client_ca_file_set.metadata.json @@ -1,30 +1,37 @@ { "Provider": "kubernetes", "CheckID": "kubelet_client_ca_file_set", - "CheckTitle": "Ensure that the kubelet --client-ca-file argument is set as appropriate", + "CheckTitle": "Kubelet has a client CA file configured for authentication", "CheckType": [], "ServiceName": "kubelet", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "KubernetesKubelet", - "Description": "This check verifies that the kubelet is configured with the --client-ca-file argument to enable authentication using certificates. This configuration is essential to secure the connections from the apiserver to the kubelet.", - "Risk": "If --client-ca-file is not set, the apiserver cannot authenticate the kubelet, potentially leading to man-in-the-middle attacks.", - "RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/", + "ResourceType": "ConfigMap", + "Description": "**Kubelet** is evaluated for X.509 client certificate authentication by checking if its config sets `authentication.x509.clientCAFile` to validate clients on the HTTPS endpoint.", + "Risk": "Without a **client CA**, the kubelet cannot verify client certificates, weakening authentication. With network access, attackers could impersonate trusted clients to read pod logs/stats or perform node/pod actions, impacting confidentiality, integrity, and availability.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/#kubelet-authorization", + "https://hatchjs.com/kubelet-failed-to-load-kubelet-config-file/", + "https://discuss.kubernetes.io/t/kubelet-service-fail-to-start/26728", + "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/" + ], "Remediation": { "Code": { - "CLI": "--client-ca-file=/path/to/ca-file", + "CLI": "", "NativeIaC": "", - "Other": "", + "Other": "1. On each node, open the kubelet config file used by the --config flag (commonly /var/lib/kubelet/config.yaml).\n2. Add or update this setting to provide a client CA bundle path:\n ```yaml\n authentication:\n x509:\n clientCAFile: \n ```\n3. Save and restart kubelet: `sudo systemctl restart kubelet`", "Terraform": "" }, "Recommendation": { - "Text": "Configure Kubelet with a client CA file for secure authentication.", - "Url": "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/#kubelet-authorization" + "Text": "Enforce **mutual TLS** to the kubelet by providing a trusted `clientCAFile`.\n- Disable anonymous access\n- Delegate authorization to the API server with least-privilege RBAC\n- Restrict network exposure to the kubelet\n- Rotate certificates and monitor access\n\n*Use defense-in-depth across authn and authz.*", + "Url": "https://hub.prowler.com/check/kubelet_client_ca_file_set" } }, "Categories": [ - "trustboundaries" + "cluster-security", + "identity-access" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_conf_file_ownership/kubelet_conf_file_ownership.metadata.json b/prowler/providers/kubernetes/services/kubelet/kubelet_conf_file_ownership/kubelet_conf_file_ownership.metadata.json index cfed2832ad..db5474b50d 100644 --- a/prowler/providers/kubernetes/services/kubelet/kubelet_conf_file_ownership/kubelet_conf_file_ownership.metadata.json +++ b/prowler/providers/kubernetes/services/kubelet/kubelet_conf_file_ownership/kubelet_conf_file_ownership.metadata.json @@ -1,26 +1,34 @@ { "Provider": "kubernetes", "CheckID": "kubelet_conf_file_ownership", - "CheckTitle": "Ensure kubelet.conf file ownership is set to root:root", + "CheckTitle": "Node kubelet.conf file ownership is set to root:root", "CheckType": [], "ServiceName": "kubelet", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "KubernetesWorkerNode", - "Description": "Ensure that the kubelet.conf file, which is the kubeconfig file for the node, has its file ownership set to root:root. This check verifies the proper ownership settings to maintain the security and integrity of the node's configuration.", - "Risk": "Incorrect file ownership settings on kubelet.conf can lead to unauthorized access and potential security vulnerabilities.", - "RelatedUrl": "https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration/", + "ResourceType": "Node", + "Description": "**Node kubeconfig** at `/etc/kubernetes/kubelet.conf` is evaluated for file ownership `root:root`. The check focuses on who owns the file that defines the kubelet's API client settings and certificates.", + "Risk": "Non-root ownership lets local users alter kubelet API credentials and endpoints, enabling **node impersonation**, unauthorized control of Pods, and **data exfiltration** via the kubelet. This threatens **integrity** (config tampering), **confidentiality** (secrets access), and **availability** (pod eviction or node disruption).", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration/", + "https://stackarmor.com/securing-kubernetes-for-compliance-with-fedramp-fisma-or-cmmc-requirements/", + "https://blog.palark.com/kubernetes-security-with-kube-bench-and-kube-hunter/", + "https://learn.microsoft.com/en-us/azure/aks/cis-kubernetes", + "https://www.bordergate.co.uk/kubernetes-penetration-testing/", + "https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/" + ], "Remediation": { "Code": { "CLI": "chown root:root /etc/kubernetes/kubelet.conf", "NativeIaC": "", - "Other": "", + "Other": "1. SSH into the affected node\n2. Run: sudo chown root:root /etc/kubernetes/kubelet.conf", "Terraform": "" }, "Recommendation": { - "Text": "Ensure kubelet.conf file ownership is correctly set to protect the node's configuration.", - "Url": "https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/" + "Text": "Set `/etc/kubernetes/kubelet.conf` ownership to `root:root` and use restrictive perms (e.g., `600`). Apply **least privilege** on node access, protect kubelet dirs, and enable **file integrity monitoring**. Use **defense in depth**: configuration management to enforce state and periodic audits to detect drift.", + "Url": "https://hub.prowler.com/check/kubelet_conf_file_ownership" } }, "Categories": [ diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_conf_file_permissions/kubelet_conf_file_permissions.metadata.json b/prowler/providers/kubernetes/services/kubelet/kubelet_conf_file_permissions/kubelet_conf_file_permissions.metadata.json index e155c3d5d2..6e6d83ea6b 100644 --- a/prowler/providers/kubernetes/services/kubelet/kubelet_conf_file_permissions/kubelet_conf_file_permissions.metadata.json +++ b/prowler/providers/kubernetes/services/kubelet/kubelet_conf_file_permissions/kubelet_conf_file_permissions.metadata.json @@ -1,26 +1,30 @@ { "Provider": "kubernetes", "CheckID": "kubelet_conf_file_permissions", - "CheckTitle": "Ensure kubelet.conf file permissions are set to 600 or more restrictive", + "CheckTitle": "Node kubelet.conf file permissions are set to 600 or more restrictive", "CheckType": [], "ServiceName": "kubelet", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "KubernetesWorkerNode", - "Description": "Ensure that the kubelet.conf file, which is the kubeconfig file for the node, has permissions set to 600 or more restrictive. This ensures the integrity and security of the node's configuration.", - "Risk": "Improper permissions on kubelet.conf can expose sensitive configuration data, potentially leading to cluster security compromises.", - "RelatedUrl": "https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration/", + "ResourceType": "Node", + "Description": "**Kubelet kubeconfig** at `/etc/kubernetes/kubelet.conf` must have **owner-only** permissions (`0600` or stricter). The check evaluates the file mode to ensure it is not more permissive than `0600`.", + "Risk": "**Overly permissive `kubelet.conf`** exposes kubelet credentials, allowing local users or malware to act as the node.\n- Integrity: modify workloads or node state\n- Confidentiality: access secrets/metadata\n- Availability: disrupt scheduling or drain nodes", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration/", + "https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/" + ], "Remediation": { "Code": { - "CLI": "chmod 600 /etc/kubernetes/kubelet.conf", + "CLI": "sudo chmod 600 /etc/kubernetes/kubelet.conf", "NativeIaC": "", - "Other": "", + "Other": "1. SSH into the node running kubelet\n2. Set restrictive permissions:\n ```\n sudo chmod 600 /etc/kubernetes/kubelet.conf\n ```\n3. Verify it reads 600:\n ```\n stat -c \"%a %n\" /etc/kubernetes/kubelet.conf\n ```", "Terraform": "" }, "Recommendation": { - "Text": "Ensure kubelet.conf file permissions are correctly set to protect the node's configuration.", - "Url": "https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/" + "Text": "Apply **least privilege** to `/etc/kubernetes/kubelet.conf`:\n- Set permissions to `0600` or stricter\n- Restrict ownership to the kubelet user; no group/world access\n- Limit shell access and monitor file changes\n- Layer controls with **RBAC** and certificate/key rotation", + "Url": "https://hub.prowler.com/check/kubelet_conf_file_permissions" } }, "Categories": [ diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_config_yaml_ownership/kubelet_config_yaml_ownership.metadata.json b/prowler/providers/kubernetes/services/kubelet/kubelet_config_yaml_ownership/kubelet_config_yaml_ownership.metadata.json index ffbc2a2980..d03cab79f6 100644 --- a/prowler/providers/kubernetes/services/kubelet/kubelet_config_yaml_ownership/kubelet_config_yaml_ownership.metadata.json +++ b/prowler/providers/kubernetes/services/kubelet/kubelet_config_yaml_ownership/kubelet_config_yaml_ownership.metadata.json @@ -1,30 +1,37 @@ { "Provider": "kubernetes", "CheckID": "kubelet_config_yaml_ownership", - "CheckTitle": "Validate kubelet config.yaml File Ownership", + "CheckTitle": "Node kubelet config.yaml file ownership is root:root", "CheckType": [], "ServiceName": "kubelet", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "KubernetesWorkerNode", - "Description": "Ensure that if the kubelet refers to a configuration file with the --config argument, that file is owned by root:root. The kubelet config file contains various critical parameters for the kubelet service on worker nodes, and its ownership should be strictly controlled.", - "Risk": "Improper file ownership on kubelet config.yaml can expose sensitive data or allow unauthorized modifications.", - "RelatedUrl": "https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/", + "ResourceType": "Node", + "Description": "**Kubelet** configuration file `config.yaml` (e.g., `/var/lib/kubelet/config.yaml`) is evaluated to confirm ownership by `root:root` when the kubelet uses a config file via `--config`.", + "Risk": "**Non-root ownership** of kubelet `config.yaml` enables local users or daemons to alter node-agent settings, affecting confidentiality, integrity, and availability. They could weaken authN/Z, enable insecure ports, or redirect certificate paths, leading to node takeover, lateral movement, data exfiltration, and workload disruption.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://support.icompaas.com/support/solutions/articles/62000234742-if-the-kubelet-config-yaml-configuration-file-is-being-used-validate-file-ownership-is-set-to-root-r", + "https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/", + "https://www.tenable.com/audits/items/CIS_Kubernetes_v1.10.0_Level_1_Worker.audit:64df71090138c3971f7c99863f3528c5", + "https://paper.bobylive.com/Security/CIS/CIS_Kubernetes_Benchmark_v1_6_0.pdf" + ], "Remediation": { "Code": { "CLI": "chown root:root /var/lib/kubelet/config.yaml", "NativeIaC": "", - "Other": "", + "Other": "1. SSH into the Kubernetes node running the kubelet\n2. Set ownership to root:root:\n ```bash\n sudo chown root:root /var/lib/kubelet/config.yaml\n ```", "Terraform": "" }, "Recommendation": { - "Text": "Secure the kubelet configuration by enforcing strict file ownership.", - "Url": "https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/" + "Text": "Enforce `root:root` ownership with restrictive permissions on the kubelet config. Apply **least privilege** and **separation of duties** so only trusted admins/processes can write. Use centralized, immutable configuration, monitor with integrity/audit logs, and limit interactive access to nodes for **defense in depth**.", + "Url": "https://hub.prowler.com/check/kubelet_config_yaml_ownership" } }, "Categories": [ - "node-security" + "node-security", + "cluster-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_config_yaml_permissions/kubelet_config_yaml_permissions.metadata.json b/prowler/providers/kubernetes/services/kubelet/kubelet_config_yaml_permissions/kubelet_config_yaml_permissions.metadata.json index 2b79d806be..16e89c2732 100644 --- a/prowler/providers/kubernetes/services/kubelet/kubelet_config_yaml_permissions/kubelet_config_yaml_permissions.metadata.json +++ b/prowler/providers/kubernetes/services/kubelet/kubelet_config_yaml_permissions/kubelet_config_yaml_permissions.metadata.json @@ -1,26 +1,29 @@ { "Provider": "kubernetes", "CheckID": "kubelet_config_yaml_permissions", - "CheckTitle": "Validate kubelet config.yaml File Permissions", + "CheckTitle": "Kubelet config.yaml file permissions on the node are set to 600 or more restrictive", "CheckType": [], "ServiceName": "kubelet", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "KubernetesWorkerNode", - "Description": "Ensure that if the kubelet refers to a configuration file with the --config argument, that file has permissions of 600 or more restrictive. The kubelet config file contains various critical parameters for the kubelet service on worker nodes, and its permissions should be strictly controlled.", - "Risk": "Improper file permissions on kubelet config.yaml can expose sensitive data or allow unauthorized modifications.", - "RelatedUrl": "https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/", + "ResourceType": "Node", + "Description": "**Kubelet configuration file** (`/var/lib/kubelet/config.yaml`) is evaluated for **restrictive file permissions**. When kubelet uses `--config`, the file is expected to be owner-only readable/writable (`600`) or more restrictive.", + "Risk": "Overly permissive kubelet config permissions allow unauthorized reads or edits. Attackers could extract credentials, adjust auth settings, or change node behavior, leading to data exposure (C), configuration tampering (I), and potential service disruption (A).", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/" + ], "Remediation": { "Code": { "CLI": "chmod 600 /var/lib/kubelet/config.yaml", "NativeIaC": "", - "Other": "", + "Other": "1. SSH into the affected node with sufficient privileges\n2. Set the file permission:\n ```bash\n sudo chmod 600 /var/lib/kubelet/config.yaml\n ```\n3. Verify:\n ```bash\n stat -c \"%a\" /var/lib/kubelet/config.yaml\n # should output: 600\n ```", "Terraform": "" }, "Recommendation": { - "Text": "Secure the kubelet configuration by enforcing strict file permissions.", - "Url": "https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/" + "Text": "Apply **least privilege** to the kubelet config:\n- Set mode `600` or stricter\n- Ensure trusted ownership; deny group/world access\n- Harden the parent directory\n- Enforce via config management and file integrity monitoring\n- Limit interactive access to worker nodes", + "Url": "https://hub.prowler.com/check/kubelet_config_yaml_permissions" } }, "Categories": [ diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_disable_anonymous_auth/kubelet_disable_anonymous_auth.metadata.json b/prowler/providers/kubernetes/services/kubelet/kubelet_disable_anonymous_auth/kubelet_disable_anonymous_auth.metadata.json index 073a2839c3..718511908c 100644 --- a/prowler/providers/kubernetes/services/kubelet/kubelet_disable_anonymous_auth/kubelet_disable_anonymous_auth.metadata.json +++ b/prowler/providers/kubernetes/services/kubelet/kubelet_disable_anonymous_auth/kubelet_disable_anonymous_auth.metadata.json @@ -1,30 +1,35 @@ { "Provider": "kubernetes", "CheckID": "kubelet_disable_anonymous_auth", - "CheckTitle": "Ensure that the --anonymous-auth argument is set to false", + "CheckTitle": "Kubelet anonymous authentication is disabled", "CheckType": [], "ServiceName": "kubelet", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "KubernetesKubelet", - "Description": "This check ensures that anonymous requests to the Kubelet server are disabled by setting the --anonymous-auth argument to false. Disabling anonymous requests enhances the security by ensuring that all requests are authenticated and authorized.", - "Risk": "Enabling anonymous requests can lead to unauthorized access to Kubelet APIs and potentially sensitive cluster data.", - "RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/#kubelet-authorization", + "ResourceType": "ConfigMap", + "Description": "**Kubelet** configuration for its HTTPS endpoint is evaluated to ensure **anonymous authentication** is disabled, requiring authenticated requests (`authentication.anonymous.enabled=false`).", + "Risk": "Allowing anonymous access to the kubelet exposes node and pod data and can permit privileged actions, impacting CIA: disclosure via logs/metrics (C), unauthorized container operations or exec (I), and pod or node disruption (A). This can enable lateral movement and broader cluster compromise.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/#kubelet-authorization", + "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/" + ], "Remediation": { "Code": { - "CLI": "--anonymous-auth=false", + "CLI": "", "NativeIaC": "", - "Other": "", + "Other": "1. SSH to each Kubernetes node with root privileges\n2. Edit /var/lib/kubelet/config.yaml and set the following:\n\n```yaml\n# Critical: disables anonymous requests to the kubelet\nauthentication:\n anonymous:\n enabled: false\n```\n\n3. Restart kubelet:\n\n```bash\nsudo systemctl restart kubelet\n```", "Terraform": "" }, "Recommendation": { - "Text": "Ensure that anonymous requests to the Kubelet server are disabled for enhanced cluster security.", - "Url": "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/" + "Text": "Disable anonymous auth and require **strong, authenticated clients** (mTLS or tokens). Delegate authorization to **RBAC** and apply **least privilege** for kubelet APIs. Limit network exposure to the kubelet endpoint and monitor access patterns as part of **defense in depth**.", + "Url": "https://hub.prowler.com/check/kubelet_disable_anonymous_auth" } }, "Categories": [ - "trustboundaries" + "identity-access", + "cluster-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_disable_read_only_port/kubelet_disable_read_only_port.metadata.json b/prowler/providers/kubernetes/services/kubelet/kubelet_disable_read_only_port/kubelet_disable_read_only_port.metadata.json index f7b80fae37..7849887d87 100644 --- a/prowler/providers/kubernetes/services/kubelet/kubelet_disable_read_only_port/kubelet_disable_read_only_port.metadata.json +++ b/prowler/providers/kubernetes/services/kubelet/kubelet_disable_read_only_port/kubelet_disable_read_only_port.metadata.json @@ -1,30 +1,35 @@ { "Provider": "kubernetes", "CheckID": "kubelet_disable_read_only_port", - "CheckTitle": "Verify that the kubelet --read-only-port argument is set to 0", + "CheckTitle": "Kubelet read-only port is disabled (set to 0)", "CheckType": [], "ServiceName": "kubelet", "SubServiceName": "", "ResourceIdTemplate": "", - "Severity": "high", - "ResourceType": "KubernetesKubelet", - "Description": "This check ensures that the read-only port of the Kubelet is disabled by verifying that the --read-only-port argument is set to 0. Disabling the read-only port is crucial to prevent unauthenticated access to sensitive cluster data.", - "Risk": "If the read-only port is open, it could allow unauthenticated access to sensitive cluster information.", - "RelatedUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/", + "Severity": "medium", + "ResourceType": "ConfigMap", + "Description": "**Kubelet** configuration is inspected for the `readOnlyPort` setting and whether it is set to `0` to disable the unauthenticated HTTP endpoint.", + "Risk": "An open **kubelet read-only port** allows unauthenticated queries to node and pod metadata and metrics, causing **information disclosure**. Attackers can map workloads, discover endpoints, and prepare **lateral movement**, undermining **confidentiality** and enabling targeted exploitation of weak configurations.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/", + "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#options" + ], "Remediation": { "Code": { - "CLI": "--read-only-port=0", - "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-read-only-port-argument-is-set-to-0", - "Other": "", + "CLI": "", + "NativeIaC": "", + "Other": "1. Edit the kubelet configuration ConfigMap: run `kubectl -n kube-system edit configmap/` (e.g., kubelet-config-1.xx)\n2. In the data entry that contains the KubeletConfiguration YAML, add or set this top-level line:\n ```\n readOnlyPort: 0\n ```\n3. Save and exit\n4. Restart kubelet on each node to apply:\n ```\n sudo systemctl restart kubelet\n ```", "Terraform": "" }, "Recommendation": { - "Text": "Disable the read-only port in the kubelet for enhanced cluster security.", - "Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#options" + "Text": "Disable the unauthenticated endpoint by setting `readOnlyPort: 0`.\n\nApply **least privilege**: expose only the TLS-authenticated kubelet endpoint, enforce authorization, and restrict network access to kubelet with host firewalls or network policies. Monitor nodes for unexpected open ports.", + "Url": "https://hub.prowler.com/check/kubelet_disable_read_only_port" } }, "Categories": [ - "trustboundaries" + "cluster-security", + "node-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_event_record_qps/kubelet_event_record_qps.metadata.json b/prowler/providers/kubernetes/services/kubelet/kubelet_event_record_qps/kubelet_event_record_qps.metadata.json index 64845936cc..5a7e7044f6 100644 --- a/prowler/providers/kubernetes/services/kubelet/kubelet_event_record_qps/kubelet_event_record_qps.metadata.json +++ b/prowler/providers/kubernetes/services/kubelet/kubelet_event_record_qps/kubelet_event_record_qps.metadata.json @@ -1,30 +1,35 @@ { "Provider": "kubernetes", "CheckID": "kubelet_event_record_qps", - "CheckTitle": "Ensure that the kubelet eventRecordQPS argument is set to an appropriate level", + "CheckTitle": "Kubelet eventRecordQPS is set to a positive value", "CheckType": [], "ServiceName": "kubelet", "SubServiceName": "", "ResourceIdTemplate": "", - "Severity": "medium", - "ResourceType": "KubernetesKubelet", - "Description": "This check ensures that the Kubelet is configured with an appropriate eventRecordQPS level. The eventRecordQPS parameter limits the rate at which events are gathered, ensuring important security events are not missed while preventing potential denial-of-service conditions.", - "Risk": "An inappropriate eventRecordQPS setting could lead to missing vital security events or DoS conditions.", - "RelatedUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/", + "Severity": "high", + "ResourceType": "ConfigMap", + "Description": "**Kubelet** configuration defines **event rate limiting** via `eventRecordQPS`. The setting is evaluated for presence and a positive value, where `0` means unlimited event generation.", + "Risk": "Uncapped or mis-tuned event rates can overwhelm the API and etcd, reducing **availability**, or suppress key signals, harming the **integrity** of telemetry. Noisy pods or abuse can flood events; too-low caps drop diagnostics, hindering detection and response.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/", + "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#options" + ], "Remediation": { "Code": { - "CLI": "--event-qps=", - "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-event-qps-argument-is-set-to-0-or-a-level-which-ensures-appropriate-event-capture", - "Other": "", + "CLI": "", + "NativeIaC": "", + "Other": "1. SSH to each node running kubelet\n2. Edit /var/lib/kubelet/config.yaml and set: eventRecordQPS: 5 (any integer > 0)\n3. Restart kubelet: sudo systemctl restart kubelet", "Terraform": "" }, "Recommendation": { - "Text": "Configure kubelet with a balanced eventRecordQPS setting for effective event capture without causing DoS conditions.", - "Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#options" + "Text": "Set `eventRecordQPS` to a positive, workload-appropriate rate and avoid `0`. Monitor event volumes and backpressure and tune periodically. Apply **defense in depth** by limiting noisy workloads and enforcing operational safeguards to prevent event storms.", + "Url": "https://hub.prowler.com/check/kubelet_event_record_qps" } }, "Categories": [ - "logging" + "resilience", + "cluster-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_manage_iptables/kubelet_manage_iptables.metadata.json b/prowler/providers/kubernetes/services/kubelet/kubelet_manage_iptables/kubelet_manage_iptables.metadata.json index 2d206b736a..54cc3d1b4d 100644 --- a/prowler/providers/kubernetes/services/kubelet/kubelet_manage_iptables/kubelet_manage_iptables.metadata.json +++ b/prowler/providers/kubernetes/services/kubelet/kubelet_manage_iptables/kubelet_manage_iptables.metadata.json @@ -1,30 +1,34 @@ { "Provider": "kubernetes", "CheckID": "kubelet_manage_iptables", - "CheckTitle": "Ensure that the kubelet --make-iptables-util-chains argument is set to true", + "CheckTitle": "Kubelet configuration has makeIPTablesUtilChains set to true", "CheckType": [], "ServiceName": "kubelet", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "KubernetesKubelet", - "Description": "This check ensures that the Kubelet is configured to manage iptables, which keeps the iptables configuration in sync with the dynamic pod network configuration. Allowing the Kubelet to manage iptables helps to avoid network communication issues between pods/containers.", - "Risk": "If kubelet does not manage iptables, manual configurations might conflict with dynamic pod networking, causing communication issues.", - "RelatedUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/", + "ResourceType": "ConfigMap", + "Description": "**Kubelet** configured with `makeIPTablesUtilChains` manages **iptables utility chains**, keeping node firewall primitives aligned with dynamic pod networking. The setting is expected to be present and enabled in kubelet configuration.", + "Risk": "Without kubelet-managed iptables chains, nodes can drift to inconsistent firewall states, enabling:\n- Traffic drops and service outages (availability)\n- Unintended inter-pod exposure (confidentiality)\n- Conflicting rules altering expected flows (integrity)", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/", + "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#options" + ], "Remediation": { "Code": { - "CLI": "--make-iptables-util-chains=true", - "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-make-iptables-util-chains-argument-is-set-to-true", - "Other": "", + "CLI": "", + "NativeIaC": "", + "Other": "1. SSH to each node running kubelet\n2. Edit the kubelet config file:\n - sudo vi /var/lib/kubelet/config.yaml\n3. In the KubeletConfiguration, set:\n - makeIPTablesUtilChains: true\n4. Save and restart kubelet:\n - sudo systemctl restart kubelet", "Terraform": "" }, "Recommendation": { - "Text": "Enable kubelet management of iptables for consistent network configuration.", - "Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#options" + "Text": "Enable kubelet management of **iptables utility chains** by setting `makeIPTablesUtilChains=true`.\n\nPrefer **automation over manual iptables edits** to prevent drift. Combine with **network policies**, least privilege, and **defense in depth** to control east-west traffic. *If your CNI replaces iptables, document the exception*.", + "Url": "https://hub.prowler.com/check/kubelet_manage_iptables" } }, "Categories": [ - "internet-exposed" + "node-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_rotate_certificates/kubelet_rotate_certificates.metadata.json b/prowler/providers/kubernetes/services/kubelet/kubelet_rotate_certificates/kubelet_rotate_certificates.metadata.json index 7aae3ecf5f..7ec1afab3f 100644 --- a/prowler/providers/kubernetes/services/kubelet/kubelet_rotate_certificates/kubelet_rotate_certificates.metadata.json +++ b/prowler/providers/kubernetes/services/kubelet/kubelet_rotate_certificates/kubelet_rotate_certificates.metadata.json @@ -1,31 +1,41 @@ { "Provider": "kubernetes", "CheckID": "kubelet_rotate_certificates", - "CheckTitle": "Ensure that the kubelet client certificate rotation is enabled", + "CheckTitle": "Kubelet client certificate rotation is enabled", "CheckType": [], "ServiceName": "kubelet", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "KubernetesKubelet", - "Description": "This check ensures that the kubelet client certificate rotation is enabled, allowing for automated periodic rotation of credentials, thereby addressing availability concerns in the security triad. This is crucial for avoiding downtime due to expired certificates.", - "Risk": "Not enabling kubelet client certificate rotation may lead to service interruptions due to expired certificates, compromising the availability of the node.", - "RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/", + "ResourceType": "ConfigMap", + "Description": "**Kubelet** configuration is inspected for client TLS credential rotation. The finding determines whether `rotateCertificates` is enabled so kubelets automatically renew the client certificates they use to authenticate to the API server.", + "Risk": "Without rotation, kubelet client certs can expire, breaking authentication to the API server and making nodes NotReady, disrupting scheduling and operations (**availability**). Long-lived certs also widen exposure if keys leak, risking unauthorized access (**integrity**, **confidentiality**).", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/", + "https://suraj.io/post/add-new-k8s-node-cert-rotate/", + "https://docs.kics.io/2.0.0/queries/kubernetes-queries/52d70f2e-3257-474c-b3dc-8ad9ba6a061a/", + "https://github.com/SUSE/kucero", + "https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/", + "https://docs.datadoghq.com/security/default_rules/vc8-r6d-eye/", + "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#certificate-rotation", + "https://www.outofmemory.info/tanzu/vsphere-with-tanzu/cluster-lifecycle-management/tkgs-certificate-rotation/" + ], "Remediation": { "Code": { - "CLI": "--rotate-certificates=true", - "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-rotate-certificates-argument-is-not-set-to-false", - "Other": "", + "CLI": "", + "NativeIaC": "", + "Other": "1. SSH to each Kubernetes node\n2. Open /var/lib/kubelet/config.yaml\n3. Add or set the line:\n ```yaml\n rotateCertificates: true\n ```\n If using kubelet flags instead of a config file, remove --rotate-certificates=false (or set --rotate-certificates=true) from the kubelet service options\n4. Restart kubelet:\n ```\n sudo systemctl restart kubelet\n ```", "Terraform": "" }, "Recommendation": { - "Text": "Enable kubelet client certificate rotation for automated renewal of credentials.", - "Url": "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#certificate-rotation" + "Text": "Enable **kubelet client certificate rotation** by setting `rotateCertificates: true`. Apply controlled CSR approval and monitor certificate health to ensure timely renewals. Prefer short-lived, automatically rotated credentials over static keys, aligning with **least privilege** and **defense in depth**. *If using an external CA*, implement equivalent automated rotation.", + "Url": "https://hub.prowler.com/check/kubelet_rotate_certificates" } }, "Categories": [ "encryption", - "internet-exposed" + "node-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_service_file_ownership_root/kubelet_service_file_ownership_root.metadata.json b/prowler/providers/kubernetes/services/kubelet/kubelet_service_file_ownership_root/kubelet_service_file_ownership_root.metadata.json index a6c97d6f52..13ed0a175f 100644 --- a/prowler/providers/kubernetes/services/kubelet/kubelet_service_file_ownership_root/kubelet_service_file_ownership_root.metadata.json +++ b/prowler/providers/kubernetes/services/kubelet/kubelet_service_file_ownership_root/kubelet_service_file_ownership_root.metadata.json @@ -1,26 +1,35 @@ { "Provider": "kubernetes", "CheckID": "kubelet_service_file_ownership_root", - "CheckTitle": "Ensure that the kubelet service file ownership is set to root:root", + "CheckTitle": "Kubelet service file on the node is owned by root:root", "CheckType": [], "ServiceName": "kubelet", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "KubernetesWorkerNode", - "Description": "This check ensures that the kubelet service file on each Node is owned by root. Proper file ownership is critical for the security and integrity of the kubelet service configuration.", - "Risk": "Incorrect ownership settings can lead to unauthorized modifications, potentially compromising the security and functionality of the kubelet service.", - "RelatedUrl": "https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration/", + "ResourceType": "Node", + "Description": "**Kubelet service configuration** on each node is expected to be owned by **root**. This assessment inspects the systemd drop-in at `/etc/systemd/system/kubelet.service.d/kubeadm.conf` and expects ownership `root:root`, ensuring only privileged users can modify kubelet startup settings.", + "Risk": "Non-root ownership enables unauthorized changes to kubelet startup flags, degrading configuration **integrity** and service **availability**. Attackers could disable auth, expose ports, weaken TLS, or load rogue configs-leading to node compromise, credential theft (**confidentiality**), lateral movement, and cluster disruption.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration/", + "https://docs.k0sproject.io/v1.22.4+k0s.2/cis_benchmark/", + "https://schoenwald.aero/posts/2025-03-12_cis-benchmark-for-kubernetes/", + "https://vltraheaven.io/img/CIS_Kubernetes_Benchmark_v1.6.0.pdf", + "https://learn.microsoft.com/en-us/azure/aks/cis-kubernetes", + "https://docs.cloud.google.com/kubernetes-engine/distributed-cloud/bare-metal/docs/concepts/cis-benchmarks", + "https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-config/" + ], "Remediation": { "Code": { - "CLI": "chown root:root /etc/systemd/system/kubelet.service.d/kubeadm.conf", + "CLI": "sudo chown root:root /etc/systemd/system/kubelet.service.d/kubeadm.conf", "NativeIaC": "", - "Other": "", + "Other": "1. SSH into the node with sudo privileges\n2. Run: sudo chown root:root /etc/systemd/system/kubelet.service.d/kubeadm.conf", "Terraform": "" }, "Recommendation": { - "Text": "Set the kubelet service file ownership to root:root to maintain its integrity.", - "Url": "https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-config/" + "Text": "Apply **least privilege** to node config: ensure the kubelet service file is `root:root` and writable only by root. Use **configuration management** to enforce permissions and detect drift, enable **file integrity monitoring**, harden the OS, and restrict privileged node access with **separation of duties**.", + "Url": "https://hub.prowler.com/check/kubelet_service_file_ownership_root" } }, "Categories": [ diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_service_file_permissions/kubelet_service_file_permissions.metadata.json b/prowler/providers/kubernetes/services/kubelet/kubelet_service_file_permissions/kubelet_service_file_permissions.metadata.json index 84a7e68f19..420e1d704f 100644 --- a/prowler/providers/kubernetes/services/kubelet/kubelet_service_file_permissions/kubelet_service_file_permissions.metadata.json +++ b/prowler/providers/kubernetes/services/kubelet/kubelet_service_file_permissions/kubelet_service_file_permissions.metadata.json @@ -1,26 +1,34 @@ { "Provider": "kubernetes", "CheckID": "kubelet_service_file_permissions", - "CheckTitle": "Ensure that the kubelet service file permissions are set to 600 or more restrictive", + "CheckTitle": "Node kubelet service file permissions are set to 600 or more restrictive", "CheckType": [], "ServiceName": "kubelet", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "KubernetesNode", - "Description": "This check ensures that the kubelet service file on worker nodes has permissions set to 600 or more restrictive, limiting the file's write access to only system administrators. This measure is crucial to maintain the integrity and security of the kubelet service configuration.", - "Risk": "Improper file permissions on the kubelet service file could lead to unauthorized modifications, compromising node security and stability.", - "RelatedUrl": "https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-config/", + "ResourceType": "Node", + "Description": "**Kubelet service file** on worker nodes is assessed for restrictive permissions of `600` or tighter. The evaluation reviews the kubelet systemd drop-in configuration to confirm only the owner has read/write access and no broader permissions are granted.", + "Risk": "Excess permissions let local users alter kubelet startup options, undermining **integrity** and **availability**. Attackers could enable insecure ports, weaken auth/TLS, or inject flags, leading to node compromise, pod tampering, and **lateral movement** that threatens cluster **confidentiality**.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://hub.armosec.io/docs/c-0162", + "https://paper.bobylive.com/Security/CIS/CIS-Kubernetes-Benchmark-V1_23--PDF.pdf", + "https://support.icompaas.com/support/solutions/articles/62000234693-ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive", + "https://www.cnblogs.com/lldhsds/p/18246352", + "https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes", + "https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-config/" + ], "Remediation": { "Code": { "CLI": "chmod 600 /etc/systemd/system/kubelet.service.d/kubeadm.conf", "NativeIaC": "", - "Other": "", + "Other": "1. SSH to the affected Kubernetes node as a privileged user\n2. Set the kubelet service file permissions: `chmod 600 /etc/systemd/system/kubelet.service.d/kubeadm.conf`\n3. Repeat on each node where this file exists", "Terraform": "" }, "Recommendation": { - "Text": "Ensure the kubelet service file is securely configured with restrictive permissions.", - "Url": "https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes" + "Text": "Apply **least privilege**: set the kubelet service file to `600` with root control to block group/other access. Enforce via **configuration management**, restrict administrative shell access to nodes, and monitor with **file integrity** alerts. Use **defense in depth** by maintaining strong kubelet auth and TLS settings.", + "Url": "https://hub.prowler.com/check/kubelet_service_file_permissions" } }, "Categories": [ diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_streaming_connection_timeout/kubelet_streaming_connection_timeout.metadata.json b/prowler/providers/kubernetes/services/kubelet/kubelet_streaming_connection_timeout/kubelet_streaming_connection_timeout.metadata.json index e6c0918c99..c15d38d354 100644 --- a/prowler/providers/kubernetes/services/kubelet/kubelet_streaming_connection_timeout/kubelet_streaming_connection_timeout.metadata.json +++ b/prowler/providers/kubernetes/services/kubelet/kubelet_streaming_connection_timeout/kubelet_streaming_connection_timeout.metadata.json @@ -1,26 +1,36 @@ { "Provider": "kubernetes", "CheckID": "kubelet_streaming_connection_timeout", - "CheckTitle": "Ensure that the kubelet --streaming-connection-idle-timeout argument is not set to 0", + "CheckTitle": "Kubelet streaming connection idle timeout is not set to 0", "CheckType": [], "ServiceName": "kubelet", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "KubernetesKubelet", - "Description": "This check ensures that the Kubelet is configured with a non-zero timeout for streaming connections. Setting a non-zero timeout helps protect against Denial-of-Service attacks and resource exhaustion due to idle connections.", - "Risk": "A zero timeout on streaming connections can lead to Denial-of-Service attacks and resource exhaustion.", - "RelatedUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/", + "ResourceType": "ConfigMap", + "Description": "**Kubelet** streaming sessions use a **non-zero idle timeout** via `streamingConnectionIdleTimeout` for `exec`, `logs`, and `port-forward` connections.\n\nAssesses whether this setting exists and is not `0`.", + "Risk": "With `0` (no timeout), idle `exec/logs/port-forward` streams can persist, consuming sockets, file descriptors, and memory. This enables resource exhaustion and **DoS**, degrading node **availability** and potentially disrupting workload operations and administrative access.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://stackoverflow.com/questions/47484312/kubectl-port-forwarding-timeout-issue", + "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#options", + "https://hub.armosec.io/docs/c-0176", + "https://www.tenable.com/audits/items/CIS_Google_Kubernetes_Engine_GKE_v1.7.0_L1_Node.audit:ffa1a649283ad2518361d1ac9094fa62", + "https://docs.datadoghq.com/security/default_rules/rii-wmd-3qm/", + "https://docs.truewatch.com/scheck/0425-k8s-idle-timeout/", + "https://orca.security/resources/blog/kubernetes-nodes-kubelet-streaming-connection-idle-timeout-is-set-0/", + "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/" + ], "Remediation": { "Code": { - "CLI": "--streaming-connection-idle-timeout=", - "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-streaming-connection-idle-timeout-argument-is-not-set-to-0", - "Other": "", + "CLI": "", + "NativeIaC": "", + "Other": "1. SSH to each Kubernetes node.\n2. If kubelet uses a config file, set a non-zero timeout:\n - Find the path: `systemctl cat kubelet | grep -- --config=`\n - Edit that file and add/update:\n ```yaml\n streamingConnectionIdleTimeout: \"5m\"\n ```\n3. If no config file is used, add the flag to the kubelet service drop-in (e.g., `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf`) so the kubelet starts with:\n ```\n --streaming-connection-idle-timeout=5m\n ```\n4. Apply the change: `sudo systemctl daemon-reload && sudo systemctl restart kubelet`", "Terraform": "" }, "Recommendation": { - "Text": "Configure a non-zero timeout for streaming connections in kubelet to enhance node security.", - "Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#options" + "Text": "Set a bounded, non-zero `streamingConnectionIdleTimeout` aligned to operational needs; avoid `0`.\n\nApply consistently across nodes, prefer fail-safe defaults, and monitor for unusually long streaming sessions. This supports **defense in depth** and preserves node **availability**.", + "Url": "https://hub.prowler.com/check/kubelet_streaming_connection_timeout" } }, "Categories": [ diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_strong_ciphers_only/kubelet_strong_ciphers_only.metadata.json b/prowler/providers/kubernetes/services/kubelet/kubelet_strong_ciphers_only/kubelet_strong_ciphers_only.metadata.json index ae761e157a..a1449e9a6e 100644 --- a/prowler/providers/kubernetes/services/kubelet/kubelet_strong_ciphers_only/kubelet_strong_ciphers_only.metadata.json +++ b/prowler/providers/kubernetes/services/kubelet/kubelet_strong_ciphers_only/kubelet_strong_ciphers_only.metadata.json @@ -1,31 +1,40 @@ { "Provider": "kubernetes", "CheckID": "kubelet_strong_ciphers_only", - "CheckTitle": "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers", + "CheckTitle": "Kubelet uses only strong TLS cipher suites", "CheckType": [], "ServiceName": "kubelet", "SubServiceName": "", "ResourceIdTemplate": "", - "Severity": "high", - "ResourceType": "KubernetesKubelet", - "Description": "This check verifies that the kubelet is configured to use only strong cryptographic ciphers. Ensuring the use of strong ciphers is essential to minimize the risk of vulnerabilities and enhance the security of TLS connections to the kubelet.", - "Risk": "Using weak ciphers can expose the kubelet to cryptographic attacks, compromising the security of data in transit.", - "RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/", + "Severity": "medium", + "ResourceType": "ConfigMap", + "Description": "**Kubelet HTTPS** configuration is assessed for use of **strong TLS cipher suites**. The presence of `tlsCipherSuites` is checked and its values are validated against an approved, modern allowlist (e.g., ECDHE with GCM/CHACHA20).", + "Risk": "Weak or unspecified ciphers enable downgrade and cryptographic attacks on kubelet traffic. Adversaries could read logs/exec streams, hijack sessions, or tamper with requests, undermining **confidentiality** and **integrity** and facilitating lateral movement across nodes.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/", + "https://paper.bobylive.com/Security/CIS/CIS_Kubernetes_V1_20_Benchmark_v1_0_0_PDF.pdf", + "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#options", + "https://support.icompaas.com/support/solutions/articles/62000234732-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers", + "https://github.com/awslabs/amazon-eks-ami/issues/99", + "https://www.cnblogs.com/renshengdezheli/p/17640119.html", + "https://davidxiao.me/posts/k8s-security/file/cis-k8s-v161.pdf" + ], "Remediation": { "Code": { - "CLI": "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,...", - "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers", - "Other": "", + "CLI": "", + "NativeIaC": "", + "Other": "1. Identify the kubelet config ConfigMap name:\n - Run: kubectl -n kube-system get configmap | grep kubelet-config\n2. Edit that ConfigMap:\n - Run: kubectl -n kube-system edit configmap >\n - In the data.kubelet YAML (KubeletConfiguration), add the following and save:\n \n tlsCipherSuites:\n - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305\n - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305\n - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\n - TLS_RSA_WITH_AES_256_GCM_SHA384\n - TLS_RSA_WITH_AES_128_GCM_SHA256\n3. Apply on each node (required for kubelets using local config):\n - SSH to the node, edit /var/lib/kubelet/config.yaml to include the same tlsCipherSuites list\n - Restart kubelet: sudo systemctl restart kubelet", "Terraform": "" }, "Recommendation": { - "Text": "Restrict the kubelet to only use strong cryptographic ciphers for enhanced security.", - "Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#options" + "Text": "Restrict `tlsCipherSuites` to a minimal set of modern suites (ECDHE with GCM or CHACHA20) and prefer `TLS1.2+`/`TLS1.3`. Remove deprecated CBC/RC4/3DES suites. Apply **defense in depth**: limit network access to the kubelet, rotate certificates, and review cipher policy regularly for deprecations.", + "Url": "https://hub.prowler.com/check/kubelet_strong_ciphers_only" } }, "Categories": [ "encryption", - "internet-exposed" + "cluster-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/kubelet/kubelet_tls_cert_and_key/kubelet_tls_cert_and_key.metadata.json b/prowler/providers/kubernetes/services/kubelet/kubelet_tls_cert_and_key/kubelet_tls_cert_and_key.metadata.json index 75c3b2a61d..81dad51214 100644 --- a/prowler/providers/kubernetes/services/kubelet/kubelet_tls_cert_and_key/kubelet_tls_cert_and_key.metadata.json +++ b/prowler/providers/kubernetes/services/kubelet/kubelet_tls_cert_and_key/kubelet_tls_cert_and_key.metadata.json @@ -1,31 +1,35 @@ { "Provider": "kubernetes", "CheckID": "kubelet_tls_cert_and_key", - "CheckTitle": "Ensure that the kubelet TLS certificate and private key are set appropriately", + "CheckTitle": "Kubelet has TLS certificate and private key files configured", "CheckType": [], "ServiceName": "kubelet", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "KubernetesKubelet", - "Description": "This check ensures that each Kubelet is configured with a TLS certificate and private key for secure connections. These settings are crucial for preventing man-in-the-middle attacks and ensuring secure communication between the apiserver and kubelets.", - "Risk": "Not setting the kubelet's TLS certificate and private key can expose the node to security vulnerabilities and interception of sensitive data.", - "RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/", + "ResourceType": "ConfigMap", + "Description": "**Kubelet** configuration includes a TLS serving certificate and private key defined by `tlsCertFile` and `tlsPrivateKeyFile` to secure its HTTPS endpoint.", + "Risk": "Without a verifiable TLS serving cert/key, kubelet traffic may fall back to self-signed or skipped verification, enabling **MITM** and endpoint **spoofing**. Attackers could read logs or pod data, run **exec/attach**, and alter node interactions, compromising **confidentiality** and **integrity**, and risking **availability**.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/", + "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#client-and-serving-certificates" + ], "Remediation": { "Code": { - "CLI": "--tls-cert-file= --tls-private-key-file=", - "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-tls-cert-file-and-tls-private-key-file-arguments-are-set-as-appropriate-for-kubelet", - "Other": "", - "Terraform": "" + "CLI": "kubectl -n kube-system patch configmap --type merge -p '{\"data\":{\"kubelet\":\"tlsCertFile: /var/lib/kubelet/pki/kubelet.crt\\ntlsPrivateKeyFile: /var/lib/kubelet/pki/kubelet.key\\n\"}}'", + "NativeIaC": "", + "Other": "1. In your cluster, open the kubelet config ConfigMap: kubectl -n kube-system edit configmap kubelet-config-\n2. Under the KubeletConfiguration root, add:\n - tlsCertFile: /var/lib/kubelet/pki/kubelet.crt\n - tlsPrivateKeyFile: /var/lib/kubelet/pki/kubelet.key\n3. Save and exit.\n4. On each node, restart kubelet to apply: sudo systemctl restart kubelet\n5. Verify the ConfigMap now contains both fields and the check passes.", + "Terraform": "```hcl\nresource \"kubernetes_config_map\" \"\" {\n metadata {\n name = \"\"\n namespace = \"kube-system\"\n }\n data = {\n kubelet = <<-YAML\n tlsCertFile: /var/lib/kubelet/pki/kubelet.crt # FIX: adds kubelet TLS cert path\n tlsPrivateKeyFile: /var/lib/kubelet/pki/kubelet.key # FIX: adds kubelet TLS key path\n YAML\n }\n}\n```" }, "Recommendation": { - "Text": "Configure each kubelet with its own TLS certificate and private key for secure connections.", - "Url": "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#client-and-serving-certificates" + "Text": "Provision a **CA-signed, node-unique** serving certificate and private key for each kubelet and set `tlsCertFile` and `tlsPrivateKeyFile`. Prefer automated issuance and rotation. Ensure clients validate the certificate and limit kubelet API exposure with network controls and RBAC, applying **least privilege** and **defense in depth**.", + "Url": "https://hub.prowler.com/check/kubelet_tls_cert_and_key" } }, "Categories": [ "encryption", - "internet-exposed" + "cluster-security" ], "DependsOn": [], "RelatedTo": [],