@ -63,7 +63,7 @@
[PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)
[PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)
[PASS] 1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)
[FAIL] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)
[PASS] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)
[PASS] 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)
[INFO] 1.4 Scheduler
[FAIL] 1.4.1 Ensure that the --profiling argument is set to false (Automated)
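Review bot: The flip of 1.3.6 from FAIL to PASS needs a stated reason. The check title still reads "Ensure that the RotateKubeletServerCertificate argument is set to true", and nothing in this expected-output file shows whether the controller manager now carries the gate explicitly or the check now passes when the flag is absent. Say which in the commit message; if it is the latter, consider rewording the title so a PASS is not read as proof that the flag is on the command line.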
@ -163,18 +163,14 @@ for example:
on the master node and set the below parameter.
--profiling=false
1.3.6 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the master node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.
--feature-gates=RotateKubeletServerCertificate=true
1.4.1 Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file
on the master node and set the below parameter.
--profiling=false


== Summary ==
44 checks PASS
11 checks FAIL
45 checks PASS
10 checks FAIL
10 checks WARN
0 checks INFO
[INFO] 2 Etcd Node Configuration
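Review bot: Regenerate this Summary block from an actual run rather than editing the counts by hand. The visible numbers are consistent (PASS 44 to 45, FAIL 11 to 10, WARN 10 and INFO 0 unchanged, so the total stays at 65, matching the single 1.3.6 change and the removal of its remediation text), but a comparison of the per-check [PASS]/[FAIL] lines against these totals would catch a future mismatch. Separately, the 1.4.1 context line says "pod specification file" and then ends "kube-scheduler.yaml file"; the duplicated word is worth fixing in the check definition it comes from.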
@ -238,7 +234,7 @@ minimum.
[WARN] 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)
[WARN] 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)
[PASS] 4.2.11 Ensure that the --rotate-certificates argument is not set to false (Manual)
[WARN] 4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)
[PASS] 4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)
[PASS] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)
== Remediations ==
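Review bot: 4.2.12 is labelled (Manual) yet moves from WARN to PASS, so its result is now being decided by an automated test; confirm the label is still accurate or document what that test evaluates. The check covers the same RotateKubeletServerCertificate gate as 1.3.6 in the master section, so both should apply the same rule for a gate that is not set explicitly, and that rule should be stated once where both checks can reference it.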
@ -271,18 +267,11 @@ Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
4.2.12 Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
--feature-gates=RotateKubeletServerCertificate=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service


== Summary ==
19 checks PASS
20 checks PASS
1 checks FAIL
3 checks WARN
2 checks WARN
0 checks INFO
[INFO] 5 Kubernetes Policies
[INFO] 5.1 RBAC and Service Accounts
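Review bot: Check that the "systemctl daemon-reload" / "systemctl restart kubelet.service" pair kept at the top of this hunk still belongs to the preceding remediation. The removed 4.2.12 block carried its own identical pair, so a hand edit could easily drop the wrong one. The Summary counts are otherwise consistent with one check changing state: PASS 19 to 20, WARN 3 to 2, "1 checks FAIL" and "0 checks INFO" unchanged, total 23 before and after.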