Securing kube-controller-manager
Run the following command on the master node to see the configuration parameters (flags) the Kubernetes Controller Manager is currently started with:
ps -ef | grep kube-controller-manager
As per section 1.3 of the CIS Kubernetes Benchmark, the table below lists (1) each parameter, (2) its default value and (3) its desired value.
| Flags | Default | Value |
|---|---|---|
| --terminated-pod-gc-threshold | 12500 (pods) | set appropriate |
| --profiling | TRUE | FALSE |
| --use-service-account-credentials | FALSE | TRUE |
| --service-account-private-key-file | Not Set | Appropriate |
| --root-ca-file | Not Set | Appropriate |
| RotateKubeletServerCertificate | TRUE | TRUE |
| --bind-address | 0.0.0.0 | 127.0.0.1 |
When --use-service-account-credentials=true is set together with RBAC, each control loop runs with minimum privilege (every controller uses its own service-account credentials instead of the controller manager's shared credentials).
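The check described above, as an added example (not from the original post or from the CIS Benchmark itself): a POSIX shell audit that takes a kube-controller-manager command line, extracts each flag from the table, and reports PASS or FAIL per check. The two sample command lines are constructed for illustration, not captured from a real cluster; the kubeadm-style file paths in them are placeholders. The ps invocation in the usage comment assumes GNU procps.

```shell
#!/bin/sh
# Added example (not from the original post): audit a kube-controller-manager
# command line against the CIS Benchmark section 1.3 flags in the table above.
# On a master node: kcm_cis_audit "$(ps -o args= -C kube-controller-manager)"

# Print the value of FLAG in CMDLINE, accepting both "--flag=value" and
# "--flag value"; prints nothing when the flag is absent.
kcm_flag_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk -v flag="$2" '
        $0 == flag               { getline; print; exit }
        index($0, flag "=") == 1 { print substr($0, length(flag) + 2); exit }'
}

# Print the value of GATE inside --feature-gates=A=true,B=false (empty if absent).
kcm_feature_gate() {
    kcm_flag_value "$1" --feature-gates | tr ',' '\n' |
        awk -F= -v gate="$2" '$1 == gate { print $2; exit }'
}

KCM_FAILS=0

# Record PASS/FAIL for NAME given the EXPECTED and ACTUAL values.
kcm_check_eq() {
    if [ "$3" = "$2" ]; then
        echo "PASS $1=$3"
    else
        echo "FAIL $1: expected '$2', got '${3:-<not set>}'"
        KCM_FAILS=$((KCM_FAILS + 1))
    fi
}

# Record PASS/FAIL for NAME that only has to carry a non-empty value.
kcm_check_set() {
    if [ -n "$2" ]; then
        echo "PASS $1=$2"
    else
        echo "FAIL $1: not set"
        KCM_FAILS=$((KCM_FAILS + 1))
    fi
}

# Run the seven checks from the table; prints a report and returns the failure count.
kcm_cis_audit() {
    cmd=$1
    KCM_FAILS=0
    kcm_check_set --terminated-pod-gc-threshold "$(kcm_flag_value "$cmd" --terminated-pod-gc-threshold)"
    kcm_check_eq  --profiling false "$(kcm_flag_value "$cmd" --profiling)"
    kcm_check_eq  --use-service-account-credentials true "$(kcm_flag_value "$cmd" --use-service-account-credentials)"
    kcm_check_set --service-account-private-key-file "$(kcm_flag_value "$cmd" --service-account-private-key-file)"
    kcm_check_set --root-ca-file "$(kcm_flag_value "$cmd" --root-ca-file)"
    # The feature gate defaults to true (see table), so an absent gate counts as true.
    gate=$(kcm_feature_gate "$cmd" RotateKubeletServerCertificate)
    kcm_check_eq  RotateKubeletServerCertificate true "${gate:-true}"
    kcm_check_eq  --bind-address 127.0.0.1 "$(kcm_flag_value "$cmd" --bind-address)"
    return "$KCM_FAILS"
}

# Constructed sample command lines (not captured from a real cluster).
KCM_DEFAULTS='kube-controller-manager --kubeconfig=/etc/kubernetes/controller-manager.conf --profiling=true --bind-address=0.0.0.0 --root-ca-file=/etc/kubernetes/pki/ca.crt --leader-elect=true'
KCM_HARDENED='kube-controller-manager --kubeconfig=/etc/kubernetes/controller-manager.conf --terminated-pod-gc-threshold=10 --profiling=false --use-service-account-credentials=true --service-account-private-key-file=/etc/kubernetes/pki/sa.key --root-ca-file=/etc/kubernetes/pki/ca.crt --feature-gates=RotateKubeletServerCertificate=true --bind-address 127.0.0.1'

echo "== default-style command line"
kcm_cis_audit "$KCM_DEFAULTS" || echo "== $? check(s) failed"
echo "== hardened command line"
kcm_cis_audit "$KCM_HARDENED" && echo "== all checks passed"
```

The first sample fails five of the seven checks (only --root-ca-file and the feature-gate default pass); the second passes all of them. The return value of kcm_cis_audit is the failure count, so it can gate a CI job or a configuration-drift alert directly.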