docker-bench

run docker-bench on

1. VM ubuntu k8s cluster(v1.22)

root@bk8s-m:~/docker-bench-security# k get node 
NAME      STATUS   ROLES                  AGE   VERSION
bk8s-m    Ready    control-plane,master   20d   v1.22.1
bk8s-w1   Ready    <none>                 20d   v1.22.1
bk8s-w2   Ready    <none>                 20d   v1.22.1
oot@bk8s-m:~/docker-bench-security# ./docker-bench-security.sh 
# --------------------------------------------------------------------------------------------
# Docker Bench for Security v1.3.6
#
# Docker, Inc. (c) 2015-2021
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Based on the CIS Docker Benchmark 1.3.1.
# --------------------------------------------------------------------------------------------

Initializing 2021-12-07T04:47:32+00:00


Section A - Check results

[INFO] 1 - Host Configuration
[INFO] 1.1 - Linux Hosts Specific Configuration
WARNING: No swap limit support
[WARN] 1.1.1 - Ensure a separate partition for containers has been created (Automated)
[INFO] 1.1.2 - Ensure only trusted users are allowed to control Docker daemon (Automated)
[INFO]       * Users: 
[WARN] 1.1.3 - Ensure auditing is configured for the Docker daemon (Automated)
[WARN] 1.1.4 - Ensure auditing is configured for Docker files and directories -/run/containerd (Automated)
[WARN] 1.1.5 - Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated)
[WARN] 1.1.6 - Ensure auditing is configured for Docker files and directories - /etc/docker (Automated)
[WARN] 1.1.7 - Ensure auditing is configured for Docker files and directories - docker.service (Automated)
[INFO] 1.1.8 - Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)
[INFO]        * File not found
[WARN] 1.1.9 - Ensure auditing is configured for Docker files and directories - docker.socket (Automated)
[WARN] 1.1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated)
[WARN] 1.1.11 - Ensure auditing is configured for Dockerfiles and directories - /etc/docker/daemon.json (Automated)
[WARN] 1.1.12 - 1.1.12 Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated)
[INFO] 1.1.13 - Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated)
[INFO]        * File not found
[WARN] 1.1.14 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated)
[WARN] 1.1.15 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated)
[WARN] 1.1.16 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated)
[WARN] 1.1.17 - Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated)
[WARN] 1.1.18 - Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated)
[INFO] 1.2 - General Configuration
[NOTE] 1.2.1 - Ensure the container host has been Hardened (Manual)
[PASS] 1.2.2 - Ensure that the version of Docker is up to date (Manual)
[INFO]        * Using 20.10.8, verify is it up to date as deemed necessary

[INFO] 2 - Docker daemon configuration
[NOTE] 2.1 - Run the Docker daemon as a non-root user, if possible (Manual)
[WARN] 2.2 - Ensure network traffic is restricted between containers on the default bridge (Scored)
[PASS] 2.3 - Ensure the logging level is set to 'info' (Scored)
[PASS] 2.4 - Ensure Docker is allowed to make changes to iptables (Scored)
[PASS] 2.5 - Ensure insecure registries are not used (Scored)
[PASS] 2.6 - Ensure aufs storage driver is not used (Scored)
[INFO] 2.7 - Ensure TLS authentication for Docker daemon is configured (Scored)
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.8 - Ensure the default ulimit is configured appropriately (Manual)
[INFO]      * Default ulimit doesn't appear to be set
[WARN] 2.9 - Enable user namespace support (Scored)
[PASS] 2.10 - Ensure the default cgroup usage has been confirmed (Scored)
[PASS] 2.11 - Ensure base device size is not changed until needed (Scored)
[WARN] 2.12 - Ensure that authorization for Docker client commands is enabled (Scored)
[WARN] 2.13 - Ensure centralized and remote logging is configured (Scored)
[WARN] 2.14 - Ensure containers are restricted from acquiring new privileges (Scored)
[WARN] 2.15 - Ensure live restore is enabled (Scored)
[WARN] 2.16 - Ensure Userland Proxy is Disabled (Scored)
[PASS] 2.17 - Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual)
[INFO] Ensure that experimental features are not implemented in production (Scored) (Deprecated)

[INFO] 3 - Docker daemon configuration files
[PASS] 3.1 - Ensure that the docker.service file ownership is set to root:root (Automated)
[PASS] 3.2 - Ensure that docker.service file permissions are appropriately set (Automated)
[PASS] 3.3 - Ensure that docker.socket file ownership is set to root:root (Automated)
[PASS] 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive (Automated)
[PASS] 3.5 - Ensure that the /etc/docker directory ownership is set to root:root (Automated)
[PASS] 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Automated)
[INFO] 3.7 - Ensure that registry certificate file ownership is set to root:root (Automated)
[INFO]      * Directory not found
[INFO] 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated)
[INFO]      * Directory not found
[INFO] 3.9 - Ensure that TLS CA certificate file ownership is set to root:root (Automated)
[INFO]      * No TLS CA certificate found
[INFO] 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated)
[INFO]       * No TLS CA certificate found
[INFO] 3.11 - Ensure that Docker server certificate file ownership is set to root:root (Automated)
[INFO]       * No TLS Server certificate found
[INFO] 3.12 - Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Automated)
[INFO]       * No TLS Server certificate found
[INFO] 3.13 - Ensure that the Docker server certificate key file ownership is set to root:root (Automated)
[INFO]       * No TLS Key found
[INFO] 3.14 - Ensure that the Docker server certificate key file permissions are set to 400 (Automated)
[INFO]       * No TLS Key found
[PASS] 3.15 - Ensure that the Docker socket file ownership is set to root:docker (Automated)
[PASS] 3.16 - Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated)
[PASS] 3.17 - Ensure that the daemon.json file ownership is set to root:root (Automated)
[PASS] 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated)
[PASS] 3.19 - Ensure that the /etc/default/docker file ownership is set to root:root (Automated)
[INFO] 3.20 - Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated)
[INFO]       * File not found
[INFO] 3.21 - Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated)
[INFO]       * File not found
[PASS] 3.22 - Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated)
[PASS] 3.23 - Ensure that the Containerd socket file ownership is set to root:root (Automated)
[PASS] 3.24 - Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated)

[INFO] 4 - Container Images and Build File
[WARN] 4.1 - Ensure that a user for the container has been created (Automated)
[WARN]      * Running as root: k8s_coredns_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_1
[WARN]      * Running as root: k8s_coredns_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_1
[WARN]      * Running as root: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[WARN]      * Running as root: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[WARN]      * Running as root: k8s_etcd_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1
[WARN]      * Running as root: k8s_kube-controller-manager_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1
[WARN]      * Running as root: k8s_kube-apiserver_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1
[WARN]      * Running as root: k8s_kube-scheduler_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1
[NOTE] 4.2 - Ensure that containers use only trusted base images (Manual)
[NOTE] 4.3 - Ensure that unnecessary packages are not installed in the container (Manual)
[NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches (Manual)
[WARN] 4.5 - Ensure Content trust for Docker is Enabled (Automated)
[WARN] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images (Automated)
[WARN]      * No Healthcheck found: [k8s.gcr.io/kube-apiserver:v1.22.3]
[WARN]      * No Healthcheck found: [k8s.gcr.io/kube-scheduler:v1.22.3]
[WARN]      * No Healthcheck found: [k8s.gcr.io/kube-controller-manager:v1.22.3]
[WARN]      * No Healthcheck found: [k8s.gcr.io/kube-proxy:v1.22.3]
[WARN]      * No Healthcheck found: [k8s.gcr.io/etcd:3.5.0-0]
[WARN]      * No Healthcheck found: [k8s.gcr.io/coredns/coredns:v1.8.4]
[WARN]      * No Healthcheck found: [k8s.gcr.io/pause:3.5]
[WARN]      * No Healthcheck found: [calico/pod2daemon-flexvol:v3.17.1]
[WARN]      * No Healthcheck found: [calico/cni:v3.17.1]
[WARN]      * No Healthcheck found: [calico/node:v3.17.1]
[WARN]      * No Healthcheck found: [calico/kube-controllers:v3.17.1]
[PASS] 4.7 - Ensure update instructions are not used alone in the Dockerfile (Manual)
[NOTE] 4.8 - Ensure setuid and setgid permissions are removed (Manual)
[INFO] 4.9 - Ensure that COPY is used instead of ADD in Dockerfiles (Manual)
[INFO]      * ADD in image history: [k8s.gcr.io/coredns/coredns:v1.8.4]
[INFO]      * ADD in image history: [k8s.gcr.io/pause:3.5]
[INFO]      * ADD in image history: [calico/pod2daemon-flexvol:v3.17.1]
[INFO]      * ADD in image history: [calico/cni:v3.17.1]
[INFO]      * ADD in image history: [calico/kube-controllers:v3.17.1]
[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles (Manual)
[NOTE] 4.11 - Ensure only verified packages are installed (Manual)

[INFO] 5 - Container Runtime
[WARN] 5.1 - Ensure that, if applicable, an AppArmor Profile is enabled (Automated)
[WARN]      * No AppArmorProfile Found: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[WARN]      * No AppArmorProfile Found: k8s_POD_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[WARN]      * No AppArmorProfile Found: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[WARN]      * No AppArmorProfile Found: k8s_POD_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[WARN] 5.2 - Ensure that, if applicable, SELinux security options are set (Automated)
[WARN]      * No SecurityOptions Found: k8s_etcd_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1
[WARN]      * No SecurityOptions Found: k8s_kube-controller-manager_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1
[WARN]      * No SecurityOptions Found: k8s_kube-apiserver_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1
[WARN]      * No SecurityOptions Found: k8s_kube-scheduler_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1
[PASS] 5.3 - Ensure that Linux kernel capabilities are restricted within containers (Automated)
[WARN] 5.4 - Ensure that privileged containers are not used (Automated)
[WARN]      * Container running in Privileged mode: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[WARN]      * Container running in Privileged mode: k8s_POD_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[WARN]      * Container running in Privileged mode: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[WARN]      * Container running in Privileged mode: k8s_POD_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[PASS] 5.5 - Ensure sensitive host system directories are not mounted on containers (Automated)
[PASS] 5.6 - Ensure sshd is not run within containers (Automated)
[PASS] 5.7 - Ensure privileged ports are not mapped within containers (Automated)
[PASS] 5.8 - Ensure that only needed ports are open on the container (Manual)
[WARN] 5.9 - Ensure that the host's network namespace is not shared (Automated)
[WARN]      * Container running with networking mode 'host': k8s_POD_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[WARN]      * Container running with networking mode 'host': k8s_POD_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[WARN]      * Container running with networking mode 'host': k8s_POD_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1
[WARN]      * Container running with networking mode 'host': k8s_POD_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1
[WARN]      * Container running with networking mode 'host': k8s_POD_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1
[WARN]      * Container running with networking mode 'host': k8s_POD_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1
[WARN] 5.10 - Ensure that the memory usage for containers is limited (Automated)
[WARN]       * Container running without memory restrictions: k8s_calico-kube-controllers_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_1
[WARN]       * Container running without memory restrictions: k8s_POD_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_12
[WARN]       * Container running without memory restrictions: k8s_POD_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_12
[WARN]       * Container running without memory restrictions: k8s_POD_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_12
[WARN]       * Container running without memory restrictions: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[WARN]       * Container running without memory restrictions: k8s_POD_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[WARN]       * Container running without memory restrictions: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[WARN]       * Container running without memory restrictions: k8s_POD_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[WARN]       * Container running without memory restrictions: k8s_etcd_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1
[WARN]       * Container running without memory restrictions: k8s_kube-controller-manager_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1
[WARN]       * Container running without memory restrictions: k8s_kube-apiserver_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1
[WARN]       * Container running without memory restrictions: k8s_kube-scheduler_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1
[WARN]       * Container running without memory restrictions: k8s_POD_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1
[WARN]       * Container running without memory restrictions: k8s_POD_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1
[WARN]       * Container running without memory restrictions: k8s_POD_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1
[WARN]       * Container running without memory restrictions: k8s_POD_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1
[PASS] 5.11 - Ensure that CPU priority is set appropriately on containers (Automated)
[WARN] 5.12 - Ensure that the container's root filesystem is mounted as read only (Automated)
[WARN]       * Container running with root FS mounted R/W: k8s_calico-kube-controllers_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_1
[WARN]       * Container running with root FS mounted R/W: k8s_POD_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_12
[WARN]       * Container running with root FS mounted R/W: k8s_POD_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_12
[WARN]       * Container running with root FS mounted R/W: k8s_POD_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_12
[WARN]       * Container running with root FS mounted R/W: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[WARN]       * Container running with root FS mounted R/W: k8s_POD_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[WARN]       * Container running with root FS mounted R/W: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[WARN]       * Container running with root FS mounted R/W: k8s_POD_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[WARN]       * Container running with root FS mounted R/W: k8s_etcd_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1
[WARN]       * Container running with root FS mounted R/W: k8s_kube-controller-manager_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1
[WARN]       * Container running with root FS mounted R/W: k8s_kube-apiserver_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1
[WARN]       * Container running with root FS mounted R/W: k8s_kube-scheduler_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1
[WARN]       * Container running with root FS mounted R/W: k8s_POD_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1
[WARN]       * Container running with root FS mounted R/W: k8s_POD_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1
[WARN]       * Container running with root FS mounted R/W: k8s_POD_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1
[WARN]       * Container running with root FS mounted R/W: k8s_POD_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1
[PASS] 5.13 - Ensure that incoming container traffic is bound to a specific host interface (Automated)
[WARN] 5.14 - Ensure that the 'on-failure' container restart policy is set to '5' (Automated)
[WARN]       * MaximumRetryCount is not set to 5: k8s_coredns_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_calico-kube-controllers_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_coredns_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_12
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_12
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_12
[WARN]       * MaximumRetryCount is not set to 5: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_etcd_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_kube-controller-manager_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_kube-apiserver_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_kube-scheduler_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1
[PASS] 5.15 - Ensure that the host's process namespace is not shared (Automated)
[PASS] 5.16 - Ensure that the host's IPC namespace is not shared (Automated)
[PASS] 5.17 - Ensure that host devices are not directly exposed to containers (Manual)
[INFO] 5.18 - Ensure that the default ulimit is overwritten at runtime if needed (Manual)
[INFO]       * Container no default ulimit override: k8s_coredns_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_1
[INFO]       * Container no default ulimit override: k8s_calico-kube-controllers_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_1
[INFO]       * Container no default ulimit override: k8s_coredns_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_1
[INFO]       * Container no default ulimit override: k8s_POD_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_12
[INFO]       * Container no default ulimit override: k8s_POD_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_12
[INFO]       * Container no default ulimit override: k8s_POD_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_12
[INFO]       * Container no default ulimit override: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[INFO]       * Container no default ulimit override: k8s_POD_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[INFO]       * Container no default ulimit override: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[INFO]       * Container no default ulimit override: k8s_POD_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[INFO]       * Container no default ulimit override: k8s_etcd_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1
[INFO]       * Container no default ulimit override: k8s_kube-controller-manager_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1
[INFO]       * Container no default ulimit override: k8s_kube-apiserver_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1
[INFO]       * Container no default ulimit override: k8s_kube-scheduler_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1
[INFO]       * Container no default ulimit override: k8s_POD_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1
[INFO]       * Container no default ulimit override: k8s_POD_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1
[INFO]       * Container no default ulimit override: k8s_POD_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1
[INFO]       * Container no default ulimit override: k8s_POD_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1
[WARN] 5.19 - Ensure mount propagation mode is not set to shared (Automated)
[WARN]       * Mount propagation mode is shared: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[WARN] 5.20 - Ensure that the host's UTS namespace is not shared (Automated)
[WARN]       * Host UTS namespace being shared with: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[WARN]       * Host UTS namespace being shared with: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[WARN]       * Host UTS namespace being shared with: k8s_etcd_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1
[WARN]       * Host UTS namespace being shared with: k8s_kube-controller-manager_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1
[WARN]       * Host UTS namespace being shared with: k8s_kube-apiserver_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1
[WARN]       * Host UTS namespace being shared with: k8s_kube-scheduler_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1
[WARN] 5.21 - Ensure the default seccomp profile is not Disabled (Automated)
[WARN]       * Default seccomp profile disabled: k8s_coredns_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_1
[WARN]       * Default seccomp profile disabled: k8s_calico-kube-controllers_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_1
[WARN]       * Default seccomp profile disabled: k8s_coredns_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_1
[WARN]       * Default seccomp profile disabled: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[WARN]       * Default seccomp profile disabled: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[NOTE] 5.22 - Ensure that docker exec commands are not used with the privileged option (Automated)
[NOTE] 5.23 - Ensure that docker exec commands are not used with the user=root option (Manual)
[WARN] 5.24 - Ensure that cgroup usage is confirmed (Automated)
[WARN]       * Confirm cgroup usage: k8s_coredns_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_1
[WARN]       * Confirm cgroup usage: k8s_calico-kube-controllers_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_1
[WARN]       * Confirm cgroup usage: k8s_coredns_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_1
[WARN]       * Confirm cgroup usage: k8s_POD_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_12
[WARN]       * Confirm cgroup usage: k8s_POD_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_12
[WARN]       * Confirm cgroup usage: k8s_POD_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_12
[WARN]       * Confirm cgroup usage: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[WARN]       * Confirm cgroup usage: k8s_POD_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[WARN]       * Confirm cgroup usage: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[WARN]       * Confirm cgroup usage: k8s_POD_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[WARN]       * Confirm cgroup usage: k8s_etcd_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1
[WARN]       * Confirm cgroup usage: k8s_kube-controller-manager_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1
[WARN]       * Confirm cgroup usage: k8s_kube-apiserver_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1
[WARN]       * Confirm cgroup usage: k8s_kube-scheduler_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1
[WARN]       * Confirm cgroup usage: k8s_POD_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1
[WARN]       * Confirm cgroup usage: k8s_POD_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1
[WARN]       * Confirm cgroup usage: k8s_POD_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1
[WARN]       * Confirm cgroup usage: k8s_POD_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1
[WARN] 5.25 - Ensure that the container is restricted from acquiring additional privileges (Automated)
[WARN]       * Privileges not restricted: k8s_calico-kube-controllers_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_1
[WARN]       * Privileges not restricted: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[WARN]       * Privileges not restricted: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[WARN]       * Privileges not restricted: k8s_etcd_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1
[WARN]       * Privileges not restricted: k8s_kube-controller-manager_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1
[WARN]       * Privileges not restricted: k8s_kube-apiserver_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1
[WARN]       * Privileges not restricted: k8s_kube-scheduler_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1
[WARN] 5.26 - Ensure that container health is checked at runtime (Automated)
[WARN]       * Health check not set: k8s_coredns_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_1
[WARN]       * Health check not set: k8s_calico-kube-controllers_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_1
[WARN]       * Health check not set: k8s_coredns_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_1
[WARN]       * Health check not set: k8s_POD_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_12
[WARN]       * Health check not set: k8s_POD_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_12
[WARN]       * Health check not set: k8s_POD_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_12
[WARN]       * Health check not set: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[WARN]       * Health check not set: k8s_POD_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[WARN]       * Health check not set: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[WARN]       * Health check not set: k8s_POD_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[WARN]       * Health check not set: k8s_etcd_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1
[WARN]       * Health check not set: k8s_kube-controller-manager_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1
[WARN]       * Health check not set: k8s_kube-apiserver_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1
[WARN]       * Health check not set: k8s_kube-scheduler_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1
[WARN]       * Health check not set: k8s_POD_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1
[WARN]       * Health check not set: k8s_POD_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1
[WARN]       * Health check not set: k8s_POD_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1
[WARN]       * Health check not set: k8s_POD_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1
[INFO] 5.27 - Ensure that Docker commands always make use of the latest version of their image (Manual)
[WARN] 5.28 - Ensure that the PIDs cgroup limit is used (Automated)
[WARN]       * PIDs limit not set: k8s_coredns_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_1
[WARN]       * PIDs limit not set: k8s_calico-kube-controllers_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_1
[WARN]       * PIDs limit not set: k8s_coredns_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_1
[WARN]       * PIDs limit not set: k8s_POD_coredns-78fcd69978-rqxgp_kube-system_7bf8863b-6d1f-448d-b2e7-02e24eda11fd_12
[WARN]       * PIDs limit not set: k8s_POD_coredns-78fcd69978-rm2bp_kube-system_a86580f7-6cae-431a-8c22-cfa86c756929_12
[WARN]       * PIDs limit not set: k8s_POD_calico-kube-controllers-57c5b6487c-zzln4_kube-system_7b0c6094-dd2c-4905-b32b-1f35bba1acd7_12
[WARN]       * PIDs limit not set: k8s_calico-node_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[WARN]       * PIDs limit not set: k8s_POD_calico-node-8wvfd_kube-system_4f35adc7-ddec-4c17-b3b1-453d32a469ff_1
[WARN]       * PIDs limit not set: k8s_kube-proxy_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[WARN]       * PIDs limit not set: k8s_POD_kube-proxy-kjglh_kube-system_76228020-e0d7-401f-8221-2b8a932ecfa6_1
[WARN]       * PIDs limit not set: k8s_etcd_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1
[WARN]       * PIDs limit not set: k8s_kube-controller-manager_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1
[WARN]       * PIDs limit not set: k8s_kube-apiserver_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1
[WARN]       * PIDs limit not set: k8s_kube-scheduler_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1
[WARN]       * PIDs limit not set: k8s_POD_etcd-bk8s-m_kube-system_f86a96d19aa90e2f7895116d37e0af0c_1
[WARN]       * PIDs limit not set: k8s_POD_kube-controller-manager-bk8s-m_kube-system_b40e063af60b537157dece6b2840456d_1
[WARN]       * PIDs limit not set: k8s_POD_kube-apiserver-bk8s-m_kube-system_251ae29af3f2269ade368aff7cd89050_1
[WARN]       * PIDs limit not set: k8s_POD_kube-scheduler-bk8s-m_kube-system_c101042065f914985f7f90fe22c8146e_1
[PASS] 5.29 - Ensure that Docker's default bridge 'docker0' is not used (Manual)
[PASS] 5.30 - Ensure that the host's user namespaces are not shared (Automated)
[PASS] 5.31 - Ensure that the Docker socket is not mounted inside any containers (Automated)

[INFO] 6 - Docker Security Operations
[INFO] 6.1 - Ensure that image sprawl is avoided (Manual)
[INFO]      * There are currently: 11 images
[INFO]      * Only 0 out of 11 are in use
[INFO] 6.2 - Ensure that container sprawl is avoided (Manual)
[INFO]      * There are currently a total of 39 containers, with 18 of them currently running

[INFO] 7 - Docker Swarm Configuration
[PASS] 7.1 - Ensure swarm mode is not Enabled, if not needed (Automated)
[PASS] 7.2 - Ensure that the minimum number of manager nodes have been created in a swarm (Automated) (Swarm mode not enabled)
[PASS] 7.3 - Ensure that swarm services are bound to a specific host interface (Automated) (Swarm mode not enabled)
[PASS] 7.4 - Ensure that all Docker swarm overlay networks are encrypted (Automated)
[PASS] 7.5 - Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual) (Swarm mode not enabled)
[PASS] 7.6 - Ensure that swarm manager is run in auto-lock mode (Automated) (Swarm mode not enabled)
[PASS] 7.7 - Ensure that the swarm manager auto-lock key is rotated periodically (Manual) (Swarm mode not enabled)
[PASS] 7.8 - Ensure that node certificates are rotated as appropriate (Manual) (Swarm mode not enabled)
[PASS] 7.9 - Ensure that CA certificates are rotated as appropriate (Manual) (Swarm mode not enabled)
[PASS] 7.10 - Ensure that management plane traffic is separated from data plane traffic (Manual) (Swarm mode not enabled)


Section C - Score

[INFO] Checks: 116
[INFO] Score: -3

Last updated