Edit the API server pod specification file $apiserverconf on the control plane node and set the below parameter. --anonymous-auth=false
Follow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file $apiserverconf on the control plane node and remove the --token-auth-file= parameter.
Edit the API server pod specification file $apiserverconf on the control plane node and remove DenyServiceExternalIPs from the enabled admission plugins.
Edit the API server pod specification file $apiserverconf on the control plane node and remove the --kubelet-https parameter.
Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file $apiserverconf on the control plane node and set the kubelet client certificate and key parameters as below. --kubelet-client-certificate=<path/to/client-certificate-file> --kubelet-client-key=<path/to/client-key-file>
Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file $apiserverconf on the control plane node and set the --kubelet-certificate-authority parameter to the path of the certificate authority's cert file. --kubelet-certificate-authority=
Edit the API server pod specification file $apiserverconf on the control plane node and set the --authorization-mode parameter to values other than AlwaysAllow. One such example could be as below. --authorization-mode=RBAC
Edit the API server pod specification file $apiserverconf on the control plane node and set the --authorization-mode parameter to a value that includes Node. --authorization-mode=Node,RBAC
Edit the API server pod specification file $apiserverconf on the control plane node and set the --authorization-mode parameter to a value that includes RBAC, for example --authorization-mode=Node,RBAC.
Follow the Kubernetes documentation and set the desired limits in a configuration file. Then, edit the API server pod specification file $apiserverconf and set the below parameters. --enable-admission-plugins=...,EventRateLimit,... --admission-control-config-file=<path/to/configuration/file>
Edit the API server pod specification file $apiserverconf on the control plane node and either remove the --enable-admission-plugins parameter, or set it to a value that does not include AlwaysAdmit.
Edit the API server pod specification file $apiserverconf on the control plane node and set the --enable-admission-plugins parameter to include AlwaysPullImages. --enable-admission-plugins=...,AlwaysPullImages,...
Edit the API server pod specification file $apiserverconf on the control plane node and set the --enable-admission-plugins parameter to include SecurityContextDeny, unless PodSecurityPolicy is already in place. --enable-admission-plugins=...,SecurityContextDeny,...
Follow the documentation and create ServiceAccount objects as per your environment. Then, edit the API server pod specification file $apiserverconf on the control plane node and ensure that the --disable-admission-plugins parameter is set to a value that does not include ServiceAccount.
Edit the API server pod specification file $apiserverconf on the control plane node and set the --disable-admission-plugins parameter to ensure it does not include NamespaceLifecycle.
Follow the Kubernetes documentation and configure the NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file $apiserverconf on the control plane node and set the --enable-admission-plugins parameter to a value that includes NodeRestriction. --enable-admission-plugins=...,NodeRestriction,...
Edit the API server pod specification file $apiserverconf on the control plane node and either remove the --secure-port parameter or set it to a different (non-zero) desired port.
Edit the API server pod specification file $apiserverconf on the control plane node and set the below parameter. --profiling=false
Edit the API server pod specification file $apiserverconf on the control plane node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example, --audit-log-path=/var/log/apiserver/audit.log
Edit the API server pod specification file $apiserverconf on the control plane node and set the --audit-log-maxage parameter to 30 or an appropriate number of days, for example, --audit-log-maxage=30
Edit the API server pod specification file $apiserverconf on the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate value. For example, --audit-log-maxbackup=10
Edit the API server pod specification file $apiserverconf on the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB. For example, to set it to 100 MB, --audit-log-maxsize=100
Edit the API server pod specification file $apiserverconf and set the below parameter as appropriate and if needed. For example, --request-timeout=300s
Edit the API server pod specification file $apiserverconf on the control plane node and set the below parameter. --service-account-lookup=true Alternatively, you can delete the --service-account-lookup parameter from this file so that the default takes effect.
Edit the API server pod specification file $apiserverconf on the control plane node and set the --service-account-key-file parameter to the public key file for service accounts. For example, --service-account-key-file=
Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file $apiserverconf on the control plane node and set the etcd certificate and key file parameters. --etcd-certfile=<path/to/client-certificate-file> --etcd-keyfile=<path/to/client-key-file>
Follow the Kubernetes documentation and set up the TLS connection on the apiserver. Then, edit the API server pod specification file $apiserverconf on the control plane node and set the TLS certificate and private key file parameters. --tls-cert-file=<path/to/tls-certificate-file> --tls-private-key-file=<path/to/tls-key-file>
Follow the Kubernetes documentation and set up the TLS connection on the apiserver. Then, edit the API server pod specification file $apiserverconf on the control plane node and set the client certificate authority file. --client-ca-file=<path/to/client-ca-file>
Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file $apiserverconf on the control plane node and set the etcd certificate authority file parameter. --etcd-cafile=<path/to/ca-file>
Follow the Kubernetes documentation and configure an EncryptionConfig file. Then, edit the API server pod specification file $apiserverconf on the control plane node and set the --encryption-provider-config parameter to the path of that file. For example, --encryption-provider-config=</path/to/EncryptionConfig/File>
Follow the Kubernetes documentation and configure an EncryptionConfig file. In this file, choose aescbc, kms or secretbox as the encryption provider.
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the below parameter. --tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384
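The items above all amount to checking flags in the kube-apiserver static pod manifest. The following audit script is an added example, not part of the benchmark text or of any project's code: it parses the `- --flag=value` items of a manifest's `command:` block and reports every item above that fails, generalising across the whole list rather than one flag. The manifest it reads is a constructed, deliberately weak sample with made-up paths and image tag; the allowed cipher set is copied from the last item above.

```python
"""Offline audit of a kube-apiserver static pod manifest against the
hardening items listed above (constructed example, not kube-bench code)."""
import re
from typing import Dict, List, Optional

# Constructed sample manifest: a deliberately weak `command:` block so the
# audit has something to report. Paths and image tag are made up.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --anonymous-auth=true
    - --authorization-mode=AlwaysAllow
    - --enable-admission-plugins=NodeRestriction,AlwaysAdmit
    - --token-auth-file=/etc/kubernetes/tokens.csv
    - --profiling=true
    - --audit-log-path=/var/log/apiserver/audit.log
    - --audit-log-maxage=7
    - --audit-log-maxbackup=10
    - --audit-log-maxsize=100
    - --secure-port=6443
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --tls-cipher-suites=TLS_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA
    image: registry.k8s.io/kube-apiserver:v1.29.0
"""

# Matches one YAML list item of the form `- --flag` or `- --flag=value`.
FLAG_RE = re.compile(r"^\s*-\s+(--[\w-]+)(?:=(.*))?$")

# Suites the --tls-cipher-suites item above permits, verbatim.
ALLOWED_CIPHERS = set("""
TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384
""".split())

# Flags the items above require to point at a file (present and non-empty).
REQUIRED_FILE_FLAGS = (
    "--kubelet-client-certificate", "--kubelet-client-key",
    "--kubelet-certificate-authority", "--service-account-key-file",
    "--etcd-certfile", "--etcd-keyfile", "--etcd-cafile", "--tls-cert-file",
    "--tls-private-key-file", "--client-ca-file", "--encryption-provider-config",
    "--audit-log-path", "--admission-control-config-file",
)


def parse_flags(manifest: str) -> Dict[str, Optional[str]]:
    """Map each `- --flag[=value]` item to its value (None when no '=' is given)."""
    flags: Dict[str, Optional[str]] = {}
    for line in manifest.splitlines():
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(1)] = m.group(2).strip() if m.group(2) is not None else None
    return flags


def csv(value: Optional[str]) -> List[str]:
    """Split a comma-separated flag value into its non-empty items."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def at_least(flags: Dict[str, Optional[str]], flag: str, minimum: int) -> bool:
    """True only if the flag is set to an integer >= minimum."""
    value = flags.get(flag)
    return value is not None and value.isdigit() and int(value) >= minimum


def audit(flags: Dict[str, Optional[str]]) -> List[str]:
    """Return one finding per failed item; an empty list means every item passes."""
    enabled = csv(flags.get("--enable-admission-plugins"))
    disabled = csv(flags.get("--disable-admission-plugins"))
    authz = csv(flags.get("--authorization-mode"))
    ciphers = csv(flags.get("--tls-cipher-suites"))
    checks = [
        (flags.get("--anonymous-auth") == "false", "--anonymous-auth is not false"),
        ("--token-auth-file" not in flags, "--token-auth-file is still set"),
        ("--kubelet-https" not in flags, "--kubelet-https is still set"),
        ("DenyServiceExternalIPs" not in enabled, "DenyServiceExternalIPs admission plugin is enabled"),
        ("AlwaysAllow" not in authz, "--authorization-mode includes AlwaysAllow"),
        ("Node" in authz, "--authorization-mode lacks Node"),
        ("RBAC" in authz, "--authorization-mode lacks RBAC"),
        ("EventRateLimit" in enabled, "EventRateLimit admission plugin not enabled"),
        ("AlwaysAdmit" not in enabled, "AlwaysAdmit admission plugin is enabled"),
        ("AlwaysPullImages" in enabled, "AlwaysPullImages admission plugin not enabled"),
        ("SecurityContextDeny" in enabled or "PodSecurityPolicy" in enabled,
         "neither SecurityContextDeny nor PodSecurityPolicy is enabled"),
        ("ServiceAccount" not in disabled, "ServiceAccount admission plugin is disabled"),
        ("NamespaceLifecycle" not in disabled, "NamespaceLifecycle admission plugin is disabled"),
        ("NodeRestriction" in enabled, "NodeRestriction admission plugin not enabled"),
        (flags.get("--secure-port") != "0", "--secure-port is 0"),
        (flags.get("--profiling") == "false", "--profiling is not false"),
        (at_least(flags, "--audit-log-maxage", 30), "--audit-log-maxage below 30"),
        (at_least(flags, "--audit-log-maxbackup", 10), "--audit-log-maxbackup below 10"),
        (at_least(flags, "--audit-log-maxsize", 100), "--audit-log-maxsize below 100"),
        (flags.get("--service-account-lookup") != "false", "--service-account-lookup is false"),
        (bool(ciphers) and set(ciphers) <= ALLOWED_CIPHERS,
         "--tls-cipher-suites unset or contains a suite outside the allowed list"),
    ]
    checks += [(bool(flags.get(f)), f"{f} is not set") for f in REQUIRED_FILE_FLAGS]
    return [msg for ok, msg in checks if not ok]


if __name__ == "__main__":
    for finding in audit(parse_flags(SAMPLE_MANIFEST)):
        print("FAIL:", finding)
```

To run it against a real control plane, replace SAMPLE_MANIFEST with the contents of $apiserverconf. The script only inspects the manifest; it does not confirm that the referenced certificate, key and EncryptionConfig files exist or are valid, and the --request-timeout item is left out because the text above sets no required value for it.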