Solve this question on: ssh cks3477
You're asked to evaluate specific settings of the cluster against the CIS Benchmark recommendations. Use the kube-bench tool which is already installed on the nodes.
Connect to the worker node using ssh cks3477-node1 from cks3477.
On the controlplane node ensure (correct if necessary) that the CIS recommendations are set for:
- --profiling argument of the kube-controller-manager
- /var/lib/etcd
On the worker node ensure (correct if necessary) that the CIS recommendations are set for:
- /var/lib/kubelet/config.yaml
- --client-ca-file argument of the kubelet
sudo -i to become root which may be required for this question
➜ ssh cks3477
➜ candidate@cks3477:~# sudo -i
➜ root@cks3477:~# kube-bench run --targets=master
...
== Summary master ==
38 checks PASS
10 checks FAIL
11 checks WARN
0 checks INFO
Check the controller manager profiling setting:
➜ root@cks3477:~# kube-bench run --targets=master | grep kube-controller -A 3
1.3.1 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the control plane node and set the --terminated-pod-gc-threshold to an appropriate threshold,
for example, --terminated-pod-gc-threshold=10
1.3.2 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the control plane node and set the below parameter.
--profiling=false
Edit the controller manager manifest:
# cks3477:/etc/kubernetes/manifests/kube-controller-manager.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-controller-manager
    tier: control-plane
  name: kube-controller-manager
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-controller-manager
    - --allocate-node-cidrs=true
    - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf
    - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf
    - --bind-address=127.0.0.1
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --cluster-cidr=10.244.0.0/16
    - --cluster-name=kubernetes
    - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
    - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
    - --controllers=*,bootstrapsigner,tokencleaner
    - --kubeconfig=/etc/kubernetes/controller-manager.conf
    - --leader-elect=true
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --root-ca-file=/etc/kubernetes/pki/ca.crt
    - --service-account-private-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=10.96.0.0/12
    - --use-service-account-credentials=true
    - --profiling=false # add
➜ root@cks3477:~# ls -lh /var/lib | grep etcd
drwx------ 3 root root 4.0K Sep 11 20:08 etcd
➜ root@cks3477:~# stat -c %U:%G /var/lib/etcd
root:root
Change ownership to etcd:etcd:
➜ root@cks3477:~# chown etcd:etcd /var/lib/etcd
➜ root@cks3477:~# ls -lh /var/lib | grep etcd
drwx------ 3 etcd etcd 4.0K Sep 11 20:08 etcd
➜ candidate@cks3477:~# ssh cks3477-node1
➜ candidate@cks3477-node1:~# sudo -i
➜ root@cks3477-node1:~# stat -c %a /var/lib/kubelet/config.yaml
777
Set recommended permissions:
➜ root@cks3477-node1:~# chmod 600 /var/lib/kubelet/config.yaml
➜ root@cks3477-node1:~# stat -c %a /var/lib/kubelet/config.yaml
600
➜ root@cks3477-node1:~# kube-bench run --targets=node | grep client-ca-file
[PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)
Verify the configuration:
➜ root@cks3477-node1:~# ps -ef | grep kubelet
root 6972 1 1 10:15 ? 00:06:26 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --container-runtime-endpoint=unix:///var/run/containerd/containerd.sock --pod-infra-container-image=registry.k8s.io/pause:3.9
➜ root@cks3477-node1:~# vim /var/lib/kubelet/config.yaml
# /var/lib/kubelet/config.yaml
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
...
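As an added example that is not part of the original walkthrough, the script below re-checks the four items from this question with plain stat/grep, so the fixes above can be verified on both nodes without re-reading the full kube-bench output. It assumes GNU stat (as on the exam nodes) and the kubeadm file locations shown above; the path arguments and the check function names are my own.

```shell
#!/bin/sh
# Added example: re-check the four CIS items of this question after remediation.
# Assumes GNU stat and the kubeadm layout used above; paths are optional
# arguments so the checks can also be run against copies of the files.

# 1.3.2: the controller-manager manifest must pass --profiling=false
check_cm_profiling() {
    manifest="${1:-/etc/kubernetes/manifests/kube-controller-manager.yaml}"
    grep -Eq '^[[:space:]]*-[[:space:]]*--profiling=false([[:space:]]|$)' "$manifest"
}

# the etcd data directory must be owned by etcd:etcd
check_etcd_owner() {
    [ "$(stat -c %U:%G "${1:-/var/lib/etcd}")" = "etcd:etcd" ]
}

# the kubelet config file must be 600 or more restrictive
# (no group/other bits, no execute bit for the owner)
check_mode_600() {
    case "$(stat -c %a "${1:-/var/lib/kubelet/config.yaml}")" in
        600|400|200|0) return 0 ;;
        *) return 1 ;;
    esac
}

# 4.2.3: the kubelet config must point x509 client auth at a CA bundle
check_kubelet_client_ca() {
    grep -Eq '^[[:space:]]*clientCAFile:[[:space:]]*[^[:space:]]' \
        "${1:-/var/lib/kubelet/config.yaml}"
}

# report <label> <check-function> [path]: prints PASS/FAIL and counts failures
fails=0
report() {
    if "$2" "$3"; then echo "[PASS] $1"; else echo "[FAIL] $1"; fails=$((fails + 1)); fi
}

# Usage: sh cis-recheck.sh controlplane   (as root on cks3477)
#        sh cis-recheck.sh node           (as root on cks3477-node1)
case "${1:-}" in
    controlplane)
        report "--profiling=false on kube-controller-manager" check_cm_profiling
        report "/var/lib/etcd owned by etcd:etcd" check_etcd_owner ;;
    node)
        report "/var/lib/kubelet/config.yaml mode 600 or stricter" check_mode_600
        report "kubelet clientCAFile set" check_kubelet_client_ca ;;
esac
[ "$fails" -eq 0 ]
```

The exit status is non-zero when any selected check fails, so the script can be dropped into a cron job or CI step as a regression guard for these settings.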