ServiceApprovalAcceleratorTemplate.md

File metadata and controls

98 lines (66 loc) · 4.01 KB

Service Approval Accelerator (SAA) Baseline

Version 2023.03.15

1. Baseline

The policies included in the following document(s) are required for security and compliance, unless otherwise noted in section 2: Amendments to the Baseline.

| Benchmark/Framework | Purpose | Name | Link | Comments |
|---|---|---|---|---|
| CIS | Security | Kubernetes V1.23 Benchmark v1.0.1 | downloads.cisecurity.org | Profiles: Level 2 - Master Node and Level 1 - Worker Node |

2. Amendments to the Baseline

All guidelines provided by the aforementioned baseline are to be followed without modification or exception.

3. Extensions to the Baseline

1. Ensure deployment from an unauthorized container registry is denied

Profile Applicability:

  • Level 2 - Master Node

Description:

  • Only accept images from known, authorized container registries for pod deployments.

Rationale:

  • Containers deployed using unauthorized registries may introduce insecure images that are not approved for firm use. To mitigate this risk, only trusted registries with approved images should be allowed.

Impact:

  • Any deployment that requests an image from an unauthorized registry is rejected.

Audit:

  • Attempt to deploy a pod that uses an image from docker.io (an unauthorized registry under this control) and confirm that the request is rejected.

Remediation:

  • Follow the Kubernetes documentation and set up image provenance checks (for example the ImagePolicyWebhook admission controller), or restrict access to unauthorized registries on the network.

References:

  1. https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook
  2. https://stackoverflow.com/questions/54463125/how-to-reject-docker-registries-in-kubernetes
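As an added example (not part of this template or the CIS benchmark), the core decision that an ImagePolicyWebhook backend would make for this control, in Go: derive the registry from each image reference using the Docker/OCI reference defaulting rules, then reject any image whose registry is not on an allowlist. The registry names and pod images below are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// RegistryOf returns the registry implied by an image reference, following the
// Docker/OCI reference defaulting rules: the first path component is a registry
// host only if it contains '.' or ':' or is "localhost"; otherwise the image is
// on Docker Hub (docker.io). "index.docker.io" is folded into docker.io.
func RegistryOf(image string) string {
	i := strings.IndexByte(image, '/')
	if i < 0 {
		return "docker.io" // e.g. "nginx:1.25" or "nginx@sha256:..."
	}
	first := image[:i]
	if !strings.ContainsAny(first, ".:") && first != "localhost" {
		return "docker.io" // e.g. "myorg/app" is a Docker Hub namespace
	}
	if first == "index.docker.io" {
		return "docker.io"
	}
	return first
}

// Violations returns one message per image whose registry is not allowlisted.
// An empty slice means the pod spec satisfies the control and may be admitted.
func Violations(images []string, allowed map[string]bool) []string {
	var out []string
	for _, img := range images {
		if reg := RegistryOf(img); !allowed[reg] {
			out = append(out, fmt.Sprintf("image %q: registry %q is not authorized", img, reg))
		}
	}
	return out
}

func main() {
	// Constructed allowlist and pod images (placeholder names, not real infrastructure).
	allowed := map[string]bool{"registry.example.com": true}
	podImages := []string{ // containers and initContainers of a sample pod spec
		"registry.example.com/team/api:1.4.2",
		"busybox:1.36", // bare name resolves to docker.io
		"myorg/sidecar", // Docker Hub namespace, also docker.io
		"index.docker.io/library/nginx:1.25",
	}
	for _, v := range Violations(podImages, allowed) {
		fmt.Println("DENY:", v)
	}
}
```

The same normalization matters for the audit step above: a bare image name such as `busybox` is a docker.io image even though the string never mentions the registry.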

4. Security & Compliance Mapping

| Security Benchmark/Framework | Control | Compliance Standard | Requirement | Comments |
|---|---|---|---|---|
| CIS Kubernetes V1.23 Benchmark v1.0.1 | 1.2.9 Ensure that the --authorization-mode argument includes RBAC. | PCI DSS v4.0 | Requirement 8.1 - Processes and mechanisms for identifying users and authenticating access to system components are defined and understood. | NA |