> Note: the tests require either the kubelet or kubectl binary in the path in order to auto-detect the Kubernetes version. You can pass `-v $(which kubectl):/usr/bin/kubectl` to resolve this. You will also need to pass in kubeconfig credentials. For example:
> Note: the tests require either the kubelet or kubectl binary in the path in order to auto-detect the Kubernetes version. You can pass `-v $(which kubectl):/usr/local/mount-from-host/bin/kubectl` to resolve this. You will also need to pass in kubeconfig credentials. For example:
1.1.39 Edit the API server pod specification file kube-apiserver on the master node and set the --authorization-mode parameter to a value that includes RBAC, for example: --authorization-mode=Node,RBAC
1.2.1 Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml
1.2.1 Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml
file on the master node and set the below parameter.
file on the master node and set the below parameter.
--profiling=false
--profiling=false
@ -262,20 +209,6 @@ on the master node and set the --terminated-pod-gc-threshold to an appropriate t
on the master node and set the below parameter.
on the master node and set the below parameter.
--profiling=false
--profiling=false
1.3.3 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the master node to set the below parameter.
--use-service-account-credentials=true
1.3.4 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the master node and set the --service-account-private-
key-file parameter to the private key file for service accounts.
--service-account-private-key-file=<filename>
1.3.5 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the master node and set the --root-ca-file parameter to
the certificate bundle file.
--root-ca-file=<path/to/file>
1.3.6 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
1.3.6 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
controller-manager.yaml on the master node and set the --feature-gates parameter to
controller-manager.yaml on the master node and set the --feature-gates parameter to
include RotateKubeletServerCertificate=true.
include RotateKubeletServerCertificate=true.
@ -291,12 +224,6 @@ Run the below command (based on the file location on your system) on the master
For example,
For example,
chown root:root <path/to/cni/files>
chown root:root <path/to/cni/files>
1.4.11 On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
from the below command:
ps -ef | grep etcd
Run the below command (based on the etcd data directory found above). For example,
chmod 700 /var/lib/etcd
1.4.12 On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
1.4.12 On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
from the below command:
from the below command:
ps -ef | grep etcd
ps -ef | grep etcd
@ -315,26 +242,6 @@ For example, chmod -R 644 /etc/kubernetes/pki/*.crt
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example, chmod -R 600 /etc/kubernetes/pki/*.key
For example, chmod -R 600 /etc/kubernetes/pki/*.key
1.5.1 Follow the etcd service documentation and configure TLS encryption.
Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the
master node and set the below parameters.
--ca-file=</path/to/ca-file>
--key-file=</path/to/key-file>
1.5.2 Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master
node and set the below parameter.
--client-cert-auth="true"
1.5.4 Follow the etcd service documentation and configure peer TLS encryption as appropriate
for your etcd cluster. Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the
master node and set the below parameters.
--peer-client-file=</path/to/peer-cert-file>
--peer-key-file=</path/to/peer-key-file>
1.5.5 Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master
node and set the below parameter.
--peer-client-cert-auth=true
1.5.7 [Manual test]
1.5.7 [Manual test]
Follow the etcd documentation and create a dedicated certificate authority setup for the
Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service.
etcd service.
@ -420,7 +327,7 @@ Create a PSP as described in the Kubernetes documentation, ensuring that the .sp
1.1.39 Edit the API server pod specification file kube-apiserver on the master node and set the --authorization-mode parameter to a value that includes RBAC, for example: --authorization-mode=Node,RBAC
1.2.1 Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml
1.2.1 Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml
file on the master node and set the below parameter.
file on the master node and set the below parameter.
--profiling=false
--profiling=false
@ -262,20 +209,6 @@ on the master node and set the --terminated-pod-gc-threshold to an appropriate t
on the master node and set the below parameter.
on the master node and set the below parameter.
--profiling=false
--profiling=false
1.3.3 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the master node to set the below parameter.
--use-service-account-credentials=true
1.3.4 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the master node and set the --service-account-private-
key-file parameter to the private key file for service accounts.
--service-account-private-key-file=<filename>
1.3.5 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the master node and set the --root-ca-file parameter to
the certificate bundle file.
--root-ca-file=<path/to/file>
1.3.6 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
1.3.6 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
controller-manager.yaml on the master node and set the --feature-gates parameter to
controller-manager.yaml on the master node and set the --feature-gates parameter to
include RotateKubeletServerCertificate=true.
include RotateKubeletServerCertificate=true.
@ -291,12 +224,6 @@ Run the below command (based on the file location on your system) on the master
For example,
For example,
chown root:root <path/to/cni/files>
chown root:root <path/to/cni/files>
1.4.11 On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
from the below command:
ps -ef | grep etcd
Run the below command (based on the etcd data directory found above). For example,
chmod 700 /var/lib/etcd
1.4.12 On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
1.4.12 On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
from the below command:
from the below command:
ps -ef | grep etcd
ps -ef | grep etcd
@ -315,26 +242,6 @@ For example, chmod -R 644 /etc/kubernetes/pki/*.crt
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example, chmod -R 600 /etc/kubernetes/pki/*.key
For example, chmod -R 600 /etc/kubernetes/pki/*.key
1.5.1 Follow the etcd service documentation and configure TLS encryption.
Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the
master node and set the below parameters.
--ca-file=</path/to/ca-file>
--key-file=</path/to/key-file>
1.5.2 Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master
node and set the below parameter.
--client-cert-auth="true"
1.5.4 Follow the etcd service documentation and configure peer TLS encryption as appropriate
for your etcd cluster. Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the
master node and set the below parameters.
--peer-client-file=</path/to/peer-cert-file>
--peer-key-file=</path/to/peer-key-file>
1.5.5 Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master
node and set the below parameter.
--peer-client-cert-auth=true
1.5.7 [Manual test]
1.5.7 [Manual test]
Follow the etcd documentation and create a dedicated certificate authority setup for the
Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service.
etcd service.
@ -420,8 +327,8 @@ Create a PSP as described in the Kubernetes documentation, ensuring that the .sp