Securing kubelet
Run this command on the master node to see the configuration parameters and flags the running kubelet was started with; these are the values in the first column of the table below:
ps -ef | grep kubelet | grep config
The path of the kubelet configuration file (the source of the second column) is referenced from /etc/systemd/system/kubelet.service.d/10-kubeadm.conf.
As per section 4.2 of the CIS Benchmark, the table below lists (1) each parameter with its desired value and (2) its default value.
| Command line argument (variable in 10-kubeadm.conf) | Config file (KubeletConfiguration) | Default |
|---|---|---|
| --anonymous-auth=false | authentication: anonymous: enabled: false | true |
| KUBELET_AUTHZ_ARGS --authorization-mode != AlwaysAllow | authorization: mode != AlwaysAllow | AlwaysAllow |
| KUBELET_AUTHZ_ARGS --authorization-mode=Webhook | authorization: mode: Webhook | |
| KUBELET_AUTHZ_ARGS --client-ca-file | authentication: x509: clientCAFile | |
| KUBELET_SYSTEM_PODS_ARGS --read-only-port=0 | readOnlyPort: 0 | 0 or 10255 |
| KUBELET_SYSTEM_PODS_ARGS --streaming-connection-idle-timeout=NON-ZERO | streamingConnectionIdleTimeout: NON-ZERO | 4 hrs |
| KUBELET_SYSTEM_PODS_ARGS --protect-kernel-defaults=true | protectKernelDefaults: true | false |
| KUBELET_SYSTEM_PODS_ARGS --make-iptables-util-chains=true | makeIPTablesUtilChains: true | true |
| KUBELET_SYSTEM_PODS_ARGS --hostname-override ABSENT | ABSENT | |
| KUBELET_SYSTEM_PODS_ARGS --event-qps=0 OR APPROPRIATE | eventRecordQPS: 0 OR APPROPRIATE | 5 |
| --rotate-certificates=true | rotateCertificates: true | true |
| KUBELET_CERTIFICATE_ARGS --rotate-server-certificates=true | featureGates: RotateKubeletServerCertificate: true | false |
| --tls-cipher-suites | tlsCipherSuites | |
| KUBELET_CERTIFICATE_ARGS --tls-cert-file | tlsCertFile | |
| KUBELET_CERTIFICATE_ARGS --tls-private-key-file | tlsPrivateKeyFile | |
* --tls-cipher-suites : kubelet supports a wide range of cipher suites, for example: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Restrict the kubelet to strong cipher suites such as these rather than accepting the default set.
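The check below is an added example, not code from the original post: it audits a KubeletConfiguration file against the CIS 4.2 config-file settings in the table above. The sample config it writes is constructed for the demo; on a real node you would pass the path referenced by 10-kubeadm.conf instead.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a KubeletConfiguration
# file against the CIS 4.2 settings tabulated above (sample config constructed).
# check NAME CMD...: run CMD, print PASS/FAIL NAME, count failures in $fails.
check() {
    name=$1; shift
    if "$@"; then echo "PASS $name"; else echo "FAIL $name"; fails=$((fails+1)); fi
}
# anon_disabled FILE: "enabled: false" on the line right under "anonymous:"
# (authentication.webhook also has an "enabled:" key, so context matters).
anon_disabled() {
    grep -A1 '^[[:space:]]*anonymous:' "$1" | grep -Eq 'enabled:[[:space:]]*false'
}
# cfg_has FILE KEY VALUE: a "KEY: VALUE" line exists at any indent.
cfg_has() { grep -Eq "^[[:space:]]*$2:[[:space:]]*$3([[:space:]]|$)" "$1"; }

# audit_kubelet_config FILE: returns the number of failed controls (0 = ok).
audit_kubelet_config() {
    f=$1; fails=0
    check "authentication.anonymous.enabled: false" anon_disabled "$f"
    check "streamingConnectionIdleTimeout non-zero" \
        grep -Eq '^[[:space:]]*streamingConnectionIdleTimeout:[[:space:]]*[1-9]' "$f"
    for kv in mode=Webhook readOnlyPort=0 protectKernelDefaults=true \
              makeIPTablesUtilChains=true rotateCertificates=true \
              RotateKubeletServerCertificate=true; do
        check "${kv%=*}: ${kv#*=}" cfg_has "$f" "${kv%=*}" "${kv#*=}"
    done
    return "$fails"
}

# Constructed hardened config; on a real node use the path from 10-kubeadm.conf
# (typically /var/lib/kubelet/config.yaml). The audit below reports 0 failures.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
authorization:
  mode: Webhook
readOnlyPort: 0
streamingConnectionIdleTimeout: 5m
protectKernelDefaults: true
makeIPTablesUtilChains: true
rotateCertificates: true
featureGates:
  RotateKubeletServerCertificate: true
EOF
audit_kubelet_config "$SAMPLE_CFG"
```

The flags from the first column (for example --hostname-override and --tls-cipher-suites) are not read from the file, so compare them against the ps output separately.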
Additional tips not in CIS Benchmark
* The APIs exposed by the kubelet should be reachable only by the Kubernetes API server; enforce this with RBAC.
* Enable the NodeRestriction admission controller: The NodeRestriction admission controller only allows kubelet to modify the node and pod objects on the node it is bound to.