Add cis-1.11 assessment, update hardening guide (#489)

Signed-off-by: Derek Nola <derek.nola@suse.com>

Author: dereknola

docs/security/hardening-guide.md

@@ -32,6 +32,80 @@ kernel.panic=10
 kernel.panic_on_oops=1
 ```
 
+## Configuration for Kubernetes Components
+
+
+The configuration below should be placed in the [configuration file](../installation/configuration.md#configuration-file), and contains all the necessary remediations to harden the Kubernetes components.
+
+
+<Tabs groupId="pod-sec" queryString>
+<TabItem value="v1.29 and Newer" default>
+
+```yaml
+protect-kernel-defaults: true
+secrets-encryption: true
+kube-apiserver-arg:
+  - "enable-admission-plugins=NodeRestriction,EventRateLimit"
+  - 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'
+  - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'
+  - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'
+  - 'audit-log-maxage=30'
+  - 'audit-log-maxbackup=10'
+  - 'audit-log-maxsize=100'
+  - 'service-account-extend-token-expiration=false'
+kube-controller-manager-arg:
+  - 'terminated-pod-gc-threshold=10'
+kubelet-arg:
+  - 'streaming-connection-idle-timeout=5m'
+  - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
+```
+
+</TabItem>
+<TabItem value="v1.25 - v1.28" default>
+
+```yaml
+protect-kernel-defaults: true
+secrets-encryption: true
+kube-apiserver-arg:
+  - "enable-admission-plugins=NodeRestriction,EventRateLimit"
+  - 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'
+  - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'
+  - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'
+  - 'audit-log-maxage=30'
+  - 'audit-log-maxbackup=10'
+  - 'audit-log-maxsize=100'
+kube-controller-manager-arg:
+  - 'terminated-pod-gc-threshold=10'
+kubelet-arg:
+  - 'streaming-connection-idle-timeout=5m'
+  - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
+```
+
+</TabItem>
+
+<TabItem value="v1.24 and Older" default>
+
+```yaml
+protect-kernel-defaults: true
+secrets-encryption: true
+kube-apiserver-arg:
+  - 'enable-admission-plugins=NodeRestriction,PodSecurityPolicy,NamespaceLifecycle,ServiceAccount'
+  - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'
+  - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'
+  - 'audit-log-maxage=30'
+  - 'audit-log-maxbackup=10'
+  - 'audit-log-maxsize=100'
+kube-controller-manager-arg:
+  - 'terminated-pod-gc-threshold=10'
+kubelet-arg:
+  - 'streaming-connection-idle-timeout=5m'
+  - 'make-iptables-util-chains=true'
+  - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
+```
+
+</TabItem>
+</Tabs>
+
 ## Kubernetes Runtime Requirements
 
 The runtime requirements to comply with the CIS Benchmark are centered around pod security (via PSP or PSA), network policies and API Server auditing logs. These are outlined in this section.
@@ -487,6 +561,7 @@ kube-apiserver-arg:
   - 'audit-log-maxage=30'
   - 'audit-log-maxbackup=10'
   - 'audit-log-maxsize=100'
+  - 'service-account-extend-token-expiration=false'
 ```
 </TabItem>
 <TabItem value="cmdline">
@@ -506,58 +581,6 @@ sudo systemctl daemon-reload
 sudo systemctl restart k3s.service
 ```
 
-## Configuration for Kubernetes Components
-
-
-The configuration below should be placed in the [configuration file](../installation/configuration.md#configuration-file), and contains all the necessary remediations to harden the Kubernetes components.
-
-
-<Tabs groupId="pod-sec" queryString>
-<TabItem value="v1.25 and Newer" default>
-
-```yaml
-protect-kernel-defaults: true
-secrets-encryption: true
-kube-apiserver-arg:
-  - "enable-admission-plugins=NodeRestriction,EventRateLimit"
-  - 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'
-  - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'
-  - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'
-  - 'audit-log-maxage=30'
-  - 'audit-log-maxbackup=10'
-  - 'audit-log-maxsize=100'
-kube-controller-manager-arg:
-  - 'terminated-pod-gc-threshold=10'
-kubelet-arg:
-  - 'streaming-connection-idle-timeout=5m'
-  - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
-```
-
-</TabItem>
-
-<TabItem value="v1.24 and Older" default>
-
-```yaml
-protect-kernel-defaults: true
-secrets-encryption: true
-kube-apiserver-arg:
-  - 'enable-admission-plugins=NodeRestriction,PodSecurityPolicy,NamespaceLifecycle,ServiceAccount'
-  - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'
-  - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'
-  - 'audit-log-maxage=30'
-  - 'audit-log-maxbackup=10'
-  - 'audit-log-maxsize=100'
-kube-controller-manager-arg:
-  - 'terminated-pod-gc-threshold=10'
-kubelet-arg:
-  - 'streaming-connection-idle-timeout=5m'
-  - 'make-iptables-util-chains=true'
-  - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
-```
-
-</TabItem>
-</Tabs>
-
 ## Manual Operations
 The following are controls that K3s currently does not pass by with the above configuration applied. These controls require manual intervention to fully comply with the CIS Benchmark.
 

docs/security/security.md

@@ -10,9 +10,9 @@ First the hardening guide provides a list of security best practices to secure a
 
 Second, is the self assessment to validate a hardened cluster. We currently have two different assessments available:
 
-* [CIS 1.7 Benchmark Self-Assessment Guide](self-assessment-1.7.md), for K3s version v1.25
+* [CIS 1.9 Benchmark Self-Assessment Guide](self-assessment-1.9.md), for K3s version v1.27-v1.29
 
-* [CIS 1.8 Benchmark Self-Assessment Guide](self-assessment-1.8.md), for K3s version v1.26
+* [CIS 1.10 Benchmark Self-Assessment Guide](self-assessment-1.10.md), for K3s version v1.28-v1.31
 
-* [CIS 1.9 Benchmark Self-Assessment Guide](self-assessment-1.8.md), for K3s version v1.27-v1.29
+* [CIS 1.11 Benchmark Self-Assessment Guide](self-assessment-1.11.md), for K3s version v1.29-v1.34
 

docs/security/self-assessment-1.10.md

@@ -6,7 +6,7 @@ title: CIS 1.10 Self Assessment Guide
 
 This document is a companion to the [K3s security hardening guide](hardening-guide.md). The hardening guide provides prescriptive guidance for hardening a production installation of K3s, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes Benchmark. It is to be used by K3s operators, security teams, auditors, and decision-makers.
 
-This guide is specific to the **v1.28-v1.33** release line of K3s and the **v1.10** release of the CIS Kubernetes Benchmark.
+This guide is specific to the **v1.28-v1.31** release line of K3s and the **v1.10** release of the CIS Kubernetes Benchmark.
 
 For more information about each control, including detailed descriptions and remediations for failing tests, you can refer to the corresponding section of the CIS Kubernetes Benchmark v1.9. You can download the benchmark, after creating a free account, in [Center for Internet Security (CIS)](https://www.cisecurity.org/benchmark/kubernetes).