Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>
scored:true
- id:4.1.9
text:"If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)"
type:"skip"
audit:'/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
tests:
test_items:
- flag:"permissions"
compare:
op:bitmask
value:"600"
remediation:|
Run the following command (using the config file location identified in the Audit step)
chmod 600 $kubeletconf
Not Applicable - Clusters provisioned by RKE do not require or maintain a configuration file for the kubelet.
All configuration is passed in as arguments at container run time.
scored:true
- id:4.1.10
text:"If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root (Manual)"
type:"skip"
audit:'/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
tests:
test_items:
- flag:root:root
remediation:|
Run the following command (using the config file location identified in the Audit step)
chown root:root $kubeletconf
Not Applicable - Clusters provisioned by RKE doesn’t require or maintain a configuration file for the kubelet.
All configuration is passed in as arguments at container run time.
scored:false
- id:4.2
text:"Kubelet"
checks:
- id:4.2.1
text:"Ensure that the --anonymous-auth argument is set to false (Automated)"
audit:"/bin/ps -fC $kubeletbin"
audit_config:"/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
tests:
test_items:
- flag:"--anonymous-auth"
path:'{.authentication.anonymous.enabled}'
compare:
op:eq
value:false
remediation:|
If using a Kubelet config file, edit the file to set `authentication: anonymous:enabled` to
`false`.
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
`--anonymous-auth=false`
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
scored:true
- id:4.2.2
text:"Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
audit:"/bin/ps -fC $kubeletbin"
audit_config:"/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
tests:
test_items:
- flag:--authorization-mode
path:'{.authorization.mode}'
compare:
op:nothave
value:AlwaysAllow
remediation:|
If using a Kubelet config file, edit the file to set `authorization.mode` to Webhook. If
using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
scored:true
- id:4.2.3
text:"Ensure that the --client-ca-file argument is set as appropriate (Automated)"
audit:"/bin/ps -fC $kubeletbin"
audit_config:"/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
tests:
test_items:
- flag:--client-ca-file
path:'{.authentication.x509.clientCAFile}'
remediation:|
If using a Kubelet config file, edit the file to set `authentication.x509.clientCAFile` to
the location of the client CA file.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--client-ca-file=<path/to/client-ca-file>
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
scored:true
- id:4.2.4
text:"Verify that the --read-only-port argument is set to 0 (Automated)"
audit:"/bin/ps -fC $kubeletbin"
audit_config:"/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
tests:
bin_op:or
test_items:
- flag:"--read-only-port"
path:'{.readOnlyPort}'
compare:
op:eq
value:0
- flag:"--read-only-port"
path:'{.readOnlyPort}'
set:false
remediation:|
If using a Kubelet config file, edit the file to set `readOnlyPort` to 0.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
scored:true
- id:4.2.5
text:"Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
audit:"/bin/ps -fC $kubeletbin"
audit_config:"/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
tests:
test_items:
- flag:--streaming-connection-idle-timeout
path:'{.streamingConnectionIdleTimeout}'
compare:
op:noteq
value:0
- flag:--streaming-connection-idle-timeout
path:'{.streamingConnectionIdleTimeout}'
set:false
bin_op:or
remediation:|
If using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a
value other than 0.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--streaming-connection-idle-timeout=5m
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
scored:false
- id:4.2.6
text:"Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
audit:"/bin/ps -fC $kubeletbin"
audit_config:"/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
tests:
test_items:
- flag:--make-iptables-util-chains
path:'{.makeIPTablesUtilChains}'
compare:
op:eq
value:true
- flag:--make-iptables-util-chains
path:'{.makeIPTablesUtilChains}'
set:false
bin_op:or
remediation:|
If using a Kubelet config file, edit the file to set `makeIPTablesUtilChains` to `true`.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
remove the --make-iptables-util-chains argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored:true
- id:4.2.7
text:"Ensure that the --hostname-override argument is not set (Manual)"
# This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
type:"skip"
audit:"/bin/ps -fC $kubeletbin "
tests:
test_items:
- flag:--hostname-override
set:false
remediation:|
Edit the kubelet service file $kubeletsvc
oneach worker node and remove the --hostname-override argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
Not Applicable - Clusters provisioned by RKE set the --hostname-override to avoid any hostname configuration errors
scored:false
- id:4.2.8
text:"Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)"
audit:"/bin/ps -fC $kubeletbin"
audit_config:"/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
tests:
test_items:
- flag:--event-qps
path:'{.eventRecordQPS}'
compare:
op:gte
value:0
- flag:--event-qps
path:'{.eventRecordQPS}'
set:false
bin_op:or
remediation:|
If using a Kubelet config file, edit the file to set `eventRecordQPS` to an appropriate level.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
scored:false
- id:4.2.9
text:"Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
type:"skip"
audit:"/bin/ps -fC $kubeletbin"
audit_config:"/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
tests:
test_items:
- flag:--tls-cert-file
path:'{.tlsCertFile}'
- flag:--tls-private-key-file
path:'{.tlsPrivateKeyFile}'
remediation:|
If using a Kubelet config file, edit the file to set `tlsCertFile` to the location
of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile`
to the location of the corresponding private key file.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
--tls-cert-file=<path/to/tls-certificate-file>
--tls-private-key-file=<path/to/tls-key-file>
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
Permissive - When generating serving certificates, functionality could break in conjunction with hostname overrides which are required for certain cloud providers.
scored:false
- id:4.2.10
text:"Ensure that the --rotate-certificates argument is not set to false (Automated)"
audit:"/bin/ps -fC $kubeletbin"
audit_config:"/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
tests:
test_items:
- flag:--rotate-certificates
path:'{.rotateCertificates}'
compare:
op:eq
value:true
- flag:--rotate-certificates
path:'{.rotateCertificates}'
set:false
bin_op:or
remediation:|
If using a Kubelet config file, edit the file to add the line `rotateCertificates` to `true` or
remove it altogether to use the default value.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
variable.
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
scored:true
- id:4.2.11
text:"Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
type:"skip"
audit:"/bin/ps -fC $kubeletbin"
audit_config:"/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
