{"component-definition":{"components":[{"control-implementations":[{"description":"FedRAMP Rev 5 Moderate Baseline for Kubernetes","implemented-requirements":[{"control-id":"ac-2","description":"Account Management controls for Kubernetes","props":[{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_anonymous_auth"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_basic_auth"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_token_auth"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"worker_node_kubelet_anonymous_auth"}],"uuid":"1b82eb98-f61e-4aa9-9d0f-25865b1ac953"},{"control-id":"ac-3","description":"Access Enforcement controls for Kubernetes","props":[{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_authorization_mode"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_authorization_mode_node"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_authorization_mode_rbac"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"worker_node_kubelet_authorization_mode"}],"uuid":"918ee579-05f6-490d-b119-292bf6e12727"},{"control-id":"ac-6","description":"Least Privilege controls for Kubernetes","props":[{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_admission_control_plugin_always_admit"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_admission_control_plugin_security_context_deny"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"pod_security_policy_enabled"}],"uuid":"66ff833f-5144-4b95-9735-67f2a3df6cbc"},{"control-id":"au-2","description":"Audit Events controls for Kubernetes","props":[{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_audit_log_path"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_audit_log_maxage"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_audit_log_maxbackup"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_audit_log_maxsize"}],"uuid":"1a28c9c4-ac19-4d0a-bf8e-16934aaf3160"},{"control-id":"cm-6","description":"Configuration Settings controls for Kubernetes","props":[{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_insecure_port"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_secure_port"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_profiling"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_scheduler_profiling"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_controller_manager_profiling"}],"uuid":"dd1ad0f0-dafc-4746-9292-405249c0b83b"},{"control-id":"ia-5","description":"Authenticator Management controls for Kubernetes","props":[{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_kubelet_client_certificate"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_kubelet_certificate_authority"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_client_ca_file"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"worker_node_kubelet_client_ca_file"}],"uuid":"a3286600-8ac2-4c03-984d-138a6b111f6b"},{"control-id":"sc-8","description":"Transmission Confidentiality controls for Kubernetes","props":[{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_kubelet_https"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_tls_cert_file"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_etcd_certfile"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"worker_node_kubelet_tls_cert_file"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"etcd_cert_file"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"etcd_peer_cert_file"}],"uuid":"d3308ff6-8ffa-4c56-94bc-55e6597282a7"},{"control-id":"sc-13","description":"Cryptographic Protection controls for Kubernetes","props":[{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_encryption_provider_config"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_tls_cipher_suites"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"etcd_client_cert_auth"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"etcd_peer_client_cert_auth"}],"uuid":"cbe6547c-f6bd-4e12-874a-1082159fbf6f"},{"control-id":"sc-23","description":"Session Authenticity controls for Kubernetes","props":[{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_service_account_lookup"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_service_account_key_file"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_controller_manager_service_account_private_key_file"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_admission_control_plugin_service_account"}],"uuid":"5b72547d-9c32-46cd-948a-ae0542f1a3d6"},{"control-id":"si-7","description":"Software and Information Integrity controls for Kubernetes","props":[{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_admission_control_plugin_always_pull_images"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"worker_node_kubelet_rotate_certificates"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_controller_manager_feature_gates_rotate_kubelet_server_certificate"}],"uuid":"125b9748-b63b-4980-82b0-8347e5791b90"},{"control-id":"cm-7","description":"Least Functionality controls for Kubernetes","props":[{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_admission_control_plugin_namespace_lifecycle"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_admission_control_plugin_node_restriction"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_admission_control_plugin_pod_security_policy"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"network_policy_enabled"}],"uuid":"4b99c553-36fa-4226-804f-60131627b891"},{"control-id":"sc-7","description":"Boundary Protection controls for Kubernetes","props":[{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_scheduler_bind_address"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_controller_manager_bind_address"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"worker_node_kubelet_read_only_port"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_etcd_cafile"}],"uuid":"4c003bb7-bd0d-43e0-a950-2abf2ccfc437"},{"control-id":"si-2","description":"Flaw Remediation controls for Kubernetes","props":[{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_controller_manager_terminated_pod_gc_threshold"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_controller_manager_use_service_account_credentials"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_controller_manager_root_ca_file"}],"uuid":"12d8a171-4f5d-461b-a50f-cee53675473b"},{"control-id":"si-4","description":"Information System Monitoring controls for Kubernetes","props":[{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"worker_node_kubelet_streaming_connection_idle_timeout"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"worker_node_kubelet_event_qps"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_request_timeout"}],"uuid":"eca30bfa-7299-48f1-8545-d01e61110cfe"},{"control-id":"cm-2","description":"Baseline Configuration controls for Kubernetes","props":[{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"worker_node_kubelet_protect_kernel_defaults"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"worker_node_kubelet_make_iptables_util_chains"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"worker_node_kubelet_hostname_override"}],"uuid":"3bd672f4-adcd-4d5b-adea-06b567753e68"},{"control-id":"sc-28","description":"Protection of Information at Rest controls for Kubernetes","props":[{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"etcd_auto_tls"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"etcd_peer_auto_tls"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"etcd_unique_ca"}],"uuid":"4accc1fd-5ea3-4a8a-acbe-a488eb228bcc"},{"control-id":"au-6.4","description":"Central Review and Analysis of Audit Records for Kubernetes (FedRAMP High only)","props":[{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_audit_log_path"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_audit_log_maxage"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","value":"control_plane_api_server_audit_log_maxbackup"}],"uuid":"7f8e9d0c-1a2b-4c3d-8e9f-0a1b2c3d4e5f"}],"source":"../../catalogs/resolved-FedRAMP-Rev5-Moderate/catalog.json","uuid":"8caa8c7b-913c-4b5f-a2c0-9073cba592ad"}],"description":"Kubernetes Container Orchestration Platform version 1.28","props":[{"name":"version","value":"1.28.0"},{"name":"vendor","value":"Cloud Native Computing Foundation"}],"title":"Kubernetes_1.28","type":"software","uuid":"9a8b7c6d-5e4f-4a2b-9c0d-9e8f7a6b5c4d"},{"control-implementations":[],"description":"CIS Kubernetes Benchmark validation using kube-bench","props":[{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_00","value":"control_plane_api_server_anonymous_auth"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_00","value":"Ensure that the --anonymous-auth argument is set to false"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_01","value":"control_plane_api_server_basic_auth"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_01","value":"Ensure that the --basic-auth-file argument is not set"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_02","value":"control_plane_api_server_token_auth"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_02","value":"Ensure that the --token-auth-file parameter is not set"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_03","value":"control_plane_api_server_kubelet_https"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_03","value":"Ensure that the --kubelet-https argument is set to true"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_04","value":"control_plane_api_server_kubelet_client_certificate"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_04","value":"Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_05","value":"control_plane_api_server_kubelet_certificate_authority"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_05","value":"Ensure that the --kubelet-certificate-authority argument is set"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_06","value":"control_plane_api_server_authorization_mode"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_06","value":"Ensure that the --authorization-mode argument is not set to AlwaysAllow"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_07","value":"control_plane_api_server_authorization_mode_node"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_07","value":"Ensure that the --authorization-mode argument includes Node"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_08","value":"control_plane_api_server_authorization_mode_rbac"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_08","value":"Ensure that the --authorization-mode argument includes RBAC"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_09","value":"control_plane_api_server_admission_control_plugin_always_admit"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_09","value":"Ensure that the admission control plugin AlwaysAdmit is not set"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_10","value":"control_plane_api_server_admission_control_plugin_always_pull_images"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_10","value":"Ensure that the admission control plugin AlwaysPullImages is set"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_11","value":"control_plane_api_server_admission_control_plugin_security_context_deny"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_11","value":"Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_12","value":"control_plane_api_server_admission_control_plugin_service_account"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_12","value":"Ensure that the admission control plugin ServiceAccount is set"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_13","value":"control_plane_api_server_admission_control_plugin_namespace_lifecycle"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_13","value":"Ensure that the admission control plugin NamespaceLifecycle is set"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_14","value":"control_plane_api_server_admission_control_plugin_pod_security_policy"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_14","value":"Ensure that the admission control plugin PodSecurityPolicy is set"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_15","value":"control_plane_api_server_admission_control_plugin_node_restriction"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_15","value":"Ensure that the admission control plugin NodeRestriction is set"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_16","value":"control_plane_api_server_insecure_port"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_16","value":"Ensure that the --insecure-port argument is set to 0"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_17","value":"control_plane_api_server_secure_port"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_17","value":"Ensure that the --secure-port argument is not set to 0"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_18","value":"control_plane_api_server_profiling"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_18","value":"Ensure that the --profiling argument is set to false"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_19","value":"control_plane_api_server_audit_log_path"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_19","value":"Ensure that the --audit-log-path argument is set"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_20","value":"control_plane_api_server_audit_log_maxage"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_20","value":"Ensure that the --audit-log-maxage argument is set to 30 or as appropriate"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_21","value":"control_plane_api_server_audit_log_maxbackup"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_21","value":"Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_22","value":"control_plane_api_server_audit_log_maxsize"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_22","value":"Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_23","value":"control_plane_api_server_request_timeout"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_23","value":"Ensure that the --request-timeout argument is set as appropriate"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_24","value":"control_plane_api_server_service_account_lookup"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_24","value":"Ensure that the --service-account-lookup argument is set to true"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_25","value":"control_plane_api_server_service_account_key_file"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_25","value":"Ensure that the --service-account-key-file argument is set"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_26","value":"control_plane_api_server_etcd_certfile"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_26","value":"Ensure that the --etcd-certfile and --etcd-keyfile arguments are set"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_27","value":"control_plane_api_server_tls_cert_file"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_27","value":"Ensure that the --tls-cert-file and --tls-private-key-file arguments are set"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_28","value":"control_plane_api_server_client_ca_file"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_28","value":"Ensure that the --client-ca-file argument is set"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_29","value":"control_plane_api_server_etcd_cafile"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_29","value":"Ensure that the --etcd-cafile argument is set"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_30","value":"control_plane_api_server_encryption_provider_config"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_30","value":"Ensure that the --encryption-provider-config argument is set"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_31","value":"control_plane_api_server_tls_cipher_suites"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_31","value":"Ensure that the --tls-cipher-suites argument is set as appropriate"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_32","value":"control_plane_scheduler_profiling"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_32","value":"Ensure that the --profiling argument is set to false (Scheduler)"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_33","value":"control_plane_scheduler_bind_address"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_33","value":"Ensure that the --bind-address argument is set to 127.0.0.1 (Scheduler)"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_34","value":"control_plane_controller_manager_terminated_pod_gc_threshold"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_34","value":"Ensure that the --terminated-pod-gc-threshold argument is set as appropriate"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_35","value":"control_plane_controller_manager_profiling"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_35","value":"Ensure that the --profiling argument is set to false (Controller Manager)"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_36","value":"control_plane_controller_manager_use_service_account_credentials"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_36","value":"Ensure that the --use-service-account-credentials argument is set to true"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_37","value":"control_plane_controller_manager_service_account_private_key_file"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_37","value":"Ensure that the --service-account-private-key-file argument is set"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_38","value":"control_plane_controller_manager_root_ca_file"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_38","value":"Ensure that the --root-ca-file argument is set"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_39","value":"control_plane_controller_manager_feature_gates_rotate_kubelet_server_certificate"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_39","value":"Ensure that the RotateKubeletServerCertificate argument is set to true"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_40","value":"control_plane_controller_manager_bind_address"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_40","value":"Ensure that the --bind-address argument is set to 127.0.0.1 (Controller Manager)"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_41","value":"worker_node_kubelet_anonymous_auth"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_41","value":"Ensure that the --anonymous-auth argument is set to false (Kubelet)"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_42","value":"worker_node_kubelet_authorization_mode"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_42","value":"Ensure that the --authorization-mode argument is not set to AlwaysAllow (Kubelet)"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_43","value":"worker_node_kubelet_client_ca_file"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_43","value":"Ensure that the --client-ca-file argument is set (Kubelet)"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_44","value":"worker_node_kubelet_read_only_port"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_44","value":"Ensure that the --read-only-port argument is set to 0 (Kubelet)"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_45","value":"worker_node_kubelet_streaming_connection_idle_timeout"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_45","value":"Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Kubelet)"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_46","value":"worker_node_kubelet_protect_kernel_defaults"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_46","value":"Ensure that the --protect-kernel-defaults argument is set to true (Kubelet)"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_47","value":"worker_node_kubelet_make_iptables_util_chains"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_47","value":"Ensure that the --make-iptables-util-chains argument is set to true (Kubelet)"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_48","value":"worker_node_kubelet_hostname_override"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_48","value":"Ensure that the --hostname-override argument is not set (Kubelet)"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_49","value":"worker_node_kubelet_event_qps"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_49","value":"Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Kubelet)"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_50","value":"worker_node_kubelet_tls_cert_file"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_50","value":"Ensure that the --tls-cert-file and --tls-private-key-file arguments are set (Kubelet)"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_51","value":"worker_node_kubelet_rotate_certificates"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_51","value":"Ensure that the RotateKubeletServerCertificate argument is set to true (Kubelet)"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_52","value":"etcd_cert_file"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_52","value":"Ensure that the --cert-file and --key-file arguments are set (etcd)"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_53","value":"etcd_client_cert_auth"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_53","value":"Ensure that the --client-cert-auth argument is set to true (etcd)"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_54","value":"etcd_auto_tls"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_54","value":"Ensure that the --auto-tls argument is not set to true (etcd)"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_55","value":"etcd_peer_cert_file"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_55","value":"Ensure that the --peer-cert-file and --peer-key-file arguments are set (etcd)"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_56","value":"etcd_peer_client_cert_auth"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_56","value":"Ensure that the --peer-client-cert-auth argument is set to true (etcd)"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_57","value":"etcd_peer_auto_tls"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_57","value":"Ensure that the --peer-auto-tls argument is not set to true (etcd)"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_58","value":"etcd_unique_ca"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_58","value":"Ensure that a unique Certificate Authority is used for etcd"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_59","value":"network_policy_enabled"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_59","value":"Ensure that Network Policies are enabled and used"},{"name":"Rule_Id","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_60","value":"pod_security_policy_enabled"},{"name":"Rule_Description","ns":"https://oscal-compass/compliance-trestle/schemas/oscal/cd","remarks":"rule_set_60","value":"Ensure that Pod Security Policies are enabled and configured"}],"title":"kube-bench","type":"validation","uuid":"1b2c3d4e-5f6a-4b8c-9d0e-1f2a3b4c5d6e"}],"metadata":{"last-modified":"2026-05-09T10:36:00+00:00","oscal-version":"1.2.1","title":"Component definition for Kubernetes 1.28","version":"V1.0"},"uuid":"8f7a9c2d-3e4b-4f5a-9c8d-7e6f5a4b3c2d"}}