fixup! Update baseline cluster security (#475)
Signed-off-by: Hannes Baum <hannes.baum@cloudandheat.com>
cah-hbaum committed May 2, 2024
1 parent 075b295 commit 14a726d
Showing 1 changed file with 14 additions and 14 deletions.
28 changes: 14 additions & 14 deletions Standards/scs-0217-v1-cluster-hardening.md
Expand Up @@ -92,8 +92,8 @@ In most cases, only the API server machines should need access to etcd on ports

#### ACL restrictions

(https://etcd.io/docs/v3.3/op-guide/authentication/)
etcd implements access control lists (ACL) and authentication since version 2.1.
()
etcd implements access control lists (ACL) and authentication since version 2.1 [1][etcd-auth].
etcd provides users and roles; users gain permissions through roles. When authentication is enabled,
each request to etcd requires authentication and the transaction is only allowed, if the user has the correct access rights.
etcd can also be launched with `--client-cert-auth=true`, which enables authentication via
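Review bot: the added line `()` is a leftover from moving the bare etcd URL into the `[etcd-auth]` reference and will render as a stray empty-parenthesis paragraph; drop that line entirely so the paragraph starts directly with `etcd implements access control lists (ACL) and authentication since version 2.1 [1][etcd-auth].` The reference-style citation itself is the right move, since it keeps the URL with the other link definitions at the end of the file. While in this paragraph, the comma in `the transaction is only allowed, if the user has the correct access rights` is unneeded.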
Expand All @@ -112,7 +112,7 @@ for securing peer communication and the flags `--key-file=k8sclient.key` and `--
client communication (and therefore cluster communication).
Additionally, HTTPS should be used as the URL schema.
It is also possibly to use a separate CA for the etcd in order to separate and better control access through client
certificates, since etcd by default trusts all the certificates issued by the root CA [1][nsa-cisa].
certificates, since etcd by default trusts all the certificates issued by the root CA [2][nsa-cisa].
More information about authentication via TLS are provided in the chapter [ACL restrictions](#acl-restrictions).

### Securing endpoints
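Review bot: renumbering `[1][nsa-cisa]` to `[2][nsa-cisa]` is consistent with `[1]` now being used for `[etcd-auth]` in the ACL section, so the numbering is correct. Two typos sit on the unchanged lines right above the renumbered one and could be fixed in the same fixup: `It is also possibly to use a separate CA` should read `possible`, and `More information about authentication via TLS are provided` should read `is provided`.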
Expand All @@ -131,7 +131,7 @@ guidelines for this task.

A list of the default ports used in Kubernetes as well as the components accessing them can be found below:

**Control plane nodes**
#### Control plane nodes

| Ports | Protocol | Purpose | Used by | Type |
|-----------|----------|-------------------------|----------------------|--------------------|
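Review bot: promoting the bold `**Control plane nodes**` label to a `#### Control plane nodes` heading is the right level here, since the enclosing section is `### Securing endpoints` (visible in the previous hunk), and it also gives the port table a stable anchor the document can link to the same way it already links `[ACL restrictions](#acl-restrictions)`. The blank line between the heading and the table is already present, so the table will still render.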
Expand All @@ -142,7 +142,7 @@ A list of the default ports used in Kubernetes as well as the components accessi
| 10257 | TCP | kube-controller-manager | Self | Internal |
| 10259 | TCP | kube-scheduler | Self | Internal |

**Worker nodes**
#### Worker nodes

| Ports | Protocol | Purpose | Used by | Type |
|-------------|----------|-----------------------|---------------------|--------------------|
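Review bot: the `#### Worker nodes` heading matches the `#### Control plane nodes` change in the previous hunk, so both port tables now sit at the same level under `### Securing endpoints`. One cosmetic point: the two tables use different column widths in their separator rows; since both carry the same five columns (`Ports`, `Protocol`, `Purpose`, `Used by`, `Type`), aligning the widths would make the source easier to diff in future changes.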
Expand Down Expand Up @@ -174,7 +174,7 @@ the objects contents.
#### Authentication

Kubernetes provides different internal authentication mechanisms, that can be used depending
on the requirements of the cluster provider and user. Multiple authentication systems can
on the requirements of the cluster provider and user. Multiple authentication systems can
be enabled and the [Kubernetes documentation][kubernetes-auth] recommends at least using two methods,
including Service Account Tokens and another method. Methods directly provided by Kubernetes include
the following (a more complete or up-to-date list may be found in the [Kubernetes authentication docs][kubernetes-auth]):
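Review bot: the removed and added lines read identically, so this is a trailing-whitespace fix only, which is fine in a fixup commit. On the same line, the comma in `internal authentication mechanisms, that can be used depending on the requirements` is unneeded and could go in the same pass.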
Expand Down Expand Up @@ -294,11 +294,11 @@ with varying access to sensitive data and also enables various levels
of performant operations enabling manipulation of node data and containers.
There is also a read-only HTTP endpoint that was used for monitoring a Kubelet and
its information. This port was also used by applications like `kubeadm` to check
the health status of the Kubelet.
the health status of the Kubelet.
This port is still available, but it is planned to be [removed][ro-port-removal]
in a future version. At the moment, the port is disabled by default since [Kubernetes 1.10][ro-port-disabled]
and shortly later also in [`kubeadm`][ro-port-disabled-kubeadm].
Different sources recommend disabling this port [1][ro-port-s1] [2][ro-port-s2] due to possible
Different sources recommend disabling this port [3][ro-port-s1] [4][ro-port-s2] due to possible
security risks, but since this standard recommends restricting accessibility of internal ports,
this port wouldn't be accessible from external networks.
It is nevertheless recommended to keep this port disabled, since Kubernetes also acknowledged
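Review bot: renumbering `[1][ro-port-s1] [2][ro-port-s2]` to `[3]` and `[4]` is consistent with `[1][etcd-auth]` and `[2][nsa-cisa]` earlier in the file, but it also shows that the citation numbers are now a single global sequence, so any citation inserted earlier in the document will force renumbering again; since the reference-style labels already identify the sources, consider citing with the labels alone (for example `[ro-port-s1]`) and dropping the numbers. The other removed/added pair (`the health status of the Kubelet.`) is a whitespace-only change. On the unchanged lines below, `this port wouldn't be accessible from external networks` states a guarantee that only holds once the recommended port restrictions are actually in place; `should not be accessible` would match the surrounding "recommends" wording better.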
Expand Down Expand Up @@ -343,8 +343,8 @@ Allows the default (minimally specified) Pod configuration.
* *Restricted*
Heavily restricted policy, following current Pod hardening best practices.

Kubernetes also offers the *Pod security* admission controller, which enforces
the *Pod security standards* on a namespace level during pod creation.
Kubernetes also offers the *Pod security* admission controller, which enforces
the *Pod security standards* on a namespace level during pod creation.
The admission controller defines the standard to be used with the three levels
`privileged`, `baseline` and `restricted`. Each namespace can be configured to enforce
a different control mode, which defines what action the control plane takes
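Review bot: the removed and added lines (`Kubernetes also offers the *Pod security* admission controller, which enforces` / `the *Pod security standards* on a namespace level during pod creation.`) are identical in content, so this is another trailing-whitespace fix and needs no further change. It would help reviewers if the commit message listed these whitespace-only hunks separately from the citation renumbering, since the `fixup!` subject line does not say what was fixed.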
Expand Down Expand Up @@ -424,8 +424,8 @@ Additionally, the `NodeRestriction` admission controller MUST be activated in or
different Kubelets by disallowing modification of non-bound.

At last, *Pod security standards* in the form of policies MUST be activated for the cluster. The SCS REQUIRES at least
the *Baseline* policy with the *Restricted* policy CAN also be used.
The *Pod security* admission controller MUST also be activated in order to enforce these policies on a namespace level.
the *Baseline* policy with the *Restricted* policy CAN also be used.
The *Pod security* admission controller MUST also be activated in order to enforce these policies on a namespace level.
We RECOMMEND the `enforce` level to be used for this admission controller setup.

## Conformance Tests
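Review bot: the re-added line `the *Baseline* policy with the *Restricted* policy CAN also be used.` carries two problems that were already in the removed line and could be fixed here: the sentence does not parse (`REQUIRES at least the *Baseline* policy with the *Restricted* policy CAN also be used`), and `CAN` is not one of the capitalised requirement keywords the rest of the paragraph uses (`MUST`, `REQUIRES`, `RECOMMEND`); `MAY` is the keyword that expresses the intended optionality. Suggested wording: `The SCS REQUIRES at least the *Baseline* policy; the *Restricted* policy MAY also be used.` On the unchanged first line of the hunk, `disallowing modification of non-bound.` appears truncated and needs its object.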
Expand All @@ -443,7 +443,6 @@ Conformance Tests will be written within another issue.
[Configure etcd](https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/)
[Google Kubernetes cluster trust](https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-trust)


[kubernetes-releases]: https://kubernetes.io/releases/
[kubernetes-version-skew]: https://kubernetes.io/releases/version-skew-policy/
[strong-credentials]: https://pages.nist.gov/800-63-3/sp800-63b.html
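Review bot: removing one of the two blank lines between the plain link list and the reference definitions is fine, but the two entries above it, `[Configure etcd](...)` and `[Google Kubernetes cluster trust](...)`, are inline links while every other source in the file is a numbered reference-style citation; converting them to reference definitions (for example `[etcd-configure]: https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/`) and citing them from the text would make the sources section consistent.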
Expand All @@ -461,4 +460,5 @@ Conformance Tests will be written within another issue.
[ro-port-disabled-kubeadm]: https://github.com/kubernetes/kubeadm/issues/732
[ro-port-s1]: https://www.stigviewer.com/stig/kubernetes/2021-04-14/finding/V-242387
[ro-port-s2]: https://docs.datadoghq.com/security/default_rules/cis-kubernetes-1.5.1-4.2.4/
[nsa-cisa]: https://kubernetes.io/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/
[nsa-cisa]: https://kubernetes.io/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/
[etcd-auth]: https://etcd.io/docs/v3.3/op-guide/authentication/
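Review bot: the `[nsa-cisa]` line is removed and re-added with identical content, which indicates a missing newline at end of file in the old version; that is a good fix and worth naming in the commit message. The new `[etcd-auth]` definition resolves the `[1][etcd-auth]` citation added in the ACL section, so no reference is left dangling. One ordering point: the citations are numbered `[1] etcd-auth`, `[2] nsa-cisa`, `[3] ro-port-s1`, `[4] ro-port-s2`, but the definitions appear in the order ro-port-s1, ro-port-s2, nsa-cisa, etcd-auth; listing the definitions in citation order would make it easier to verify that the numbers stay in sync.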