cyclops-k8s · EdwardCooke · Dec 21, 2025 · Dec 21, 2025 · Dec 21, 2025 · Dec 21, 2025
diff --git a/CIS hardening.md b/CIS hardening.md
@@ -1,6 +1,6 @@
 # CIS Benchmark
 
-I used the CIS Kubernetes Benchmark 1.9
+I used the CIS Kubernetes Benchmark 1.12
 
 ## 1.1 - Control plane
 
@@ -42,7 +42,7 @@ We use externalIP services
 
 Set by default
 
-### 1.2.5 - Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated) 
+### 1.2.5 - Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)
 
 Fixed using automatic certificate renewal and issuing to kubelets
 
@@ -70,7 +70,7 @@ Set by default
 
 ### 1.2.15
 
-New relic uses the profiling data
+Fixed
 
 ### 1.2.16 - Ensure that the --audit-log-path argument is set
 
@@ -96,7 +96,11 @@ Set by default
 
 Set by default
 
-### 1.2.29 - Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual) 
+### 1.2.29 - Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)
+
+Fixed
+
+### 1.2.30 - Ensure that the --service-account-extend-token-expiration parameter is set to false
 
 Fixed
 
@@ -108,7 +112,7 @@ Fixed
 
 ### 1.3.2 - Ensure that the --profiling argument is set to false
 
-New Relic uses the profiling information
+Fixed
 
 ### 1.3.3 - 1.3.7
 
@@ -118,7 +122,7 @@ Set by default
 
 ### 1.4.1 - Ensure that the --profiling argument is set to false
 
-New Relic uses the profiling information
+Fixed
 
 ### 1.4.2
 
@@ -164,7 +168,7 @@ Set by default
 
 Set by default - config file is stored in the container
 
-### 4.1.4 - If proxy kubeconfig file exists ensure ownership is set to root:root (Manual) 
+### 4.1.4 - If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)
 
 Set by default - config file is stored in the container
 
@@ -206,7 +210,7 @@ Setting serverTLSBootstrap resolves this
 
 Set by default
 
-### 4.2.11 - Verify that the RotateKubeletServerCertificate argument is set to true (Manual) 
+### 4.2.11 - Verify that the RotateKubeletServerCertificate argument is set to true (Manual)
 
 Set by default
 
@@ -218,9 +222,13 @@ Fixed
 
 Fixed
 
+### 4.2.14 - Ensure that the --seccomp-default parameter is set to true
+
+Fixed
+
 ## 4.3 - Kube Proxy
 
-### 4.3.1 - Ensure that the kube-proxy metrics service is bound to localhost (Automated) 
+### 4.3.1 - Ensure that the kube-proxy metrics service is bound to localhost (Automated)
 
 Fixed
 
@@ -238,6 +246,6 @@ Set by default
 
 Fixed for initally created namespaces, it's a mnaul process to maintain the configuration on all default service accounts
 
-### 5.1.6 - 5.1.11
+### 5.1.6 - 5.1.13
 
 Set by default
diff --git a/README.md b/README.md
@@ -16,7 +16,7 @@
 
 ## Purpose
 
-The purpose of this playbook and roles is to install a vanilla Kubernetes cluster with OIDC enabled hardened against the CIS Benchmark and DOD Stig.
+The purpose of this playbook and roles is to install a vanilla Kubernetes cluster with OIDC enabled hardened against the CIS Benchmark 1.12 and DOD Stig.
 
 It is a vanilla `kubeadm` cluster that can be managed by `kubeadm` going forward, or for easy upgrades you can use the included `upgrade` playbook.
 

diff --git a/roles/kubernetes-control-plane/templates/kubeadm-init-1.33.yaml.j2 b/roles/kubernetes-control-plane/templates/kubeadm-init-1.33.yaml.j2
@@ -19,6 +19,8 @@ tlsCipherSuites:
 podPidsLimit: {{ kubernetes_podpidslimit }}
 # STIG V-242434
 protectKernelDefaults: true
+# CIS 4.2.14
+seccompDefault: {{ kubernetes_seccomp_default }}
 ---
 apiVersion: kubeadm.k8s.io/v1beta4
 kind: ClusterConfiguration
@@ -105,6 +107,9 @@ apiServer:
     - name: service-account-issuer
       value: "{{ kubernetes_service_account_issuer }}"
 {% endif %}
+    # CIS 1.2.30
+    - name: service-account-extend-token-expiration
+      value: "{{ kubernetes_service_account_extend_token_expiration | lower }}"
 {% if kubernetes_api_server_extra_args is defined and kubernetes_api_server_extra_args | length > 0 %}
 {% for arg in kubernetes_api_server_extra_args %}
     - name: "{{ arg.name }}"

diff --git a/roles/kubernetes-control-plane/templates/kubeadm-init-1.34.yaml.j2 b/roles/kubernetes-control-plane/templates/kubeadm-init-1.34.yaml.j2
@@ -19,6 +19,8 @@ tlsCipherSuites:
 podPidsLimit: {{ kubernetes_podpidslimit }}
 # STIG V-242434
 protectKernelDefaults: true
+# CIS 4.2.14
+seccompDefault: {{ kubernetes_seccomp_default }}
 ---
 apiVersion: kubeadm.k8s.io/v1beta4
 kind: ClusterConfiguration
@@ -105,6 +107,9 @@ apiServer:
     - name: service-account-issuer
       value: "{{ kubernetes_service_account_issuer }}"
 {% endif %}
+    # CIS 1.2.30
+    - name: service-account-extend-token-expiration
+      value: "{{ kubernetes_service_account_extend_token_expiration | lower }}"
 {% if kubernetes_api_server_extra_args is defined and kubernetes_api_server_extra_args | length > 0 %}
 {% for arg in kubernetes_api_server_extra_args %}
     - name: "{{ arg.name }}"

diff --git a/roles/kubernetes-control-plane/templates/kubeadm-join-1.33.yaml.j2 b/roles/kubernetes-control-plane/templates/kubeadm-join-1.33.yaml.j2
@@ -19,6 +19,8 @@ tlsCipherSuites:
 podPidsLimit: {{ kubernetes_podpidslimit }}
 # STIG V-242434
 protectKernelDefaults: true
+# CIS 4.2.14
+seccompDefault: {{ kubernetes_seccomp_default }}
 ---
 apiVersion: kubeadm.k8s.io/v1beta4
 kind: JoinConfiguration

diff --git a/roles/kubernetes-control-plane/templates/kubeadm-join-1.34.yaml.j2 b/roles/kubernetes-control-plane/templates/kubeadm-join-1.34.yaml.j2
@@ -19,6 +19,8 @@ tlsCipherSuites:
 podPidsLimit: {{ kubernetes_podpidslimit }}
 # STIG V-242434
 protectKernelDefaults: true
+# CIS 4.2.14
+seccompDefault: {{ kubernetes_seccomp_default }}
 ---
 apiVersion: kubeadm.k8s.io/v1beta4
 kind: JoinConfiguration

diff --git a/roles/kubernetes-defaults/defaults/main.yml b/roles/kubernetes-defaults/defaults/main.yml
@@ -345,6 +345,12 @@ kubernetes_scheduler_extra_args: []
 # Directory to store scripts for Kubernetes on the nodes
 kubernetes_scripts_directory: /opt/kubernetes/scripts
 
+# CIS 4.2.14 - Ensure that seccomp is enabled by default in the Kubelet
+kubernetes_seccomp_default: true
+
+# CIS 1.2.30 - Ensure that the --service-account-extend-token-expiration argument is set to false
+kubernetes_service_account_extend_token_expiration: false
+
 # Subnet for the cluster services running in the Kubernetes cluster
 kubernetes_service_subnet: 10.96.0.0/16
 

diff --git a/roles/kubernetes-worker/templates/worker-kubeadm.yaml.j2 b/roles/kubernetes-worker/templates/worker-kubeadm.yaml.j2
@@ -19,6 +19,8 @@ tlsCipherSuites:
 podPidsLimit: {{ kubernetes_podpidslimit }}
 # STIG V-242434
 protectKernelDefaults: true
+# CIS 4.2.14
+seccompDefault: true
 ---
 apiVersion: kubeproxy.config.k8s.io/v1alpha1
 kind: KubeProxyConfiguration
@@ -29,7 +31,7 @@ kind: JoinConfiguration
 discovery:
   bootstrapToken:
     apiServerEndpoint: "{{ kubernetes_api_endpoint }}:{{ kubernetes_api_port }}"
-    token: "{{ join_token}}"
+    token: "{{ join_token }}"
     unsafeSkipCAVerification: true
 nodeRegistration:
   kubeletExtraArgs: