By default, the K3s kube-apiserver is configured to run with the --anonymous-auth=false flag and value.
By default, K3s does not run with basic authentication enabled. No manual remediation is needed.
By default, K3s does not run with basic authentication enabled. No manual remediation is needed.
By default, the K3s kube-apiserver doesn't run with the --kubelet-https parameter as it runs with TLS. No manual remediation is needed.
By default, the K3s kube-apiserver is run with these arguments for secure communication with the kubelet. No manual remediation is needed.
By default, the K3s kube-apiserver is run with this argument for secure communication with the kubelet. No manual remediation is needed.
By default, K3s sets Node,RBAC as the parameter to the --authorization-mode argument. No manual remediation is needed.
By default, K3s sets Node,RBAC as the parameter to the --authorization-mode argument. No manual remediation is needed.
By default, K3s sets Node,RBAC as the parameter to the --authorization-mode argument. No manual remediation is needed.
By default, K3s only sets NodeRestriction,PodSecurityPolicy as the parameter to the --enable-admission-plugins argument. To configure this, follow the Kubernetes documentation and set the desired limits in a configuration file. Then refer to the K3s documentation to see how to supply additional API server configuration via the kube-apiserver-arg parameter.
By default, K3s only sets NodeRestriction,PodSecurityPolicy as the parameter to the --enable-admission-plugins argument. No manual remediation needed.
By default, K3s only sets NodeRestriction,PodSecurityPolicy as the parameter to the --enable-admission-plugins argument. To configure this, follow the Kubernetes documentation and set the desired limits in a configuration file. Then refer to the K3s documentation to see how to supply additional API server configuration via the kube-apiserver-arg parameter.
K3s would need to have the SecurityContextDeny admission plugin enabled by passing it as an argument to K3s: --kube-apiserver-arg='enable-admission-plugins=SecurityContextDeny'
By default, K3s does not use this argument. If there's a desire to use this argument, follow the documentation and create ServiceAccount objects as per your environment. Then refer to the K3s documentation to see how to supply additional API server configuration via the kube-apiserver-arg parameter.
By default, K3s does not use this argument. No manual remediation needed.
K3s would need to have the PodSecurityPolicy admission plugin enabled by passing it as an argument to K3s: --kube-apiserver-arg='enable-admission-plugins=PodSecurityPolicy'
K3s would need to have the NodeRestriction admission plugin enabled by passing it as an argument to K3s: --kube-apiserver-arg='enable-admission-plugins=NodeRestriction'
By default, K3s explicitly excludes the use of the --insecure-bind-address parameter. No manual remediation is needed.
By default, K3s starts the kube-apiserver process with this argument's parameter set to 0. No manual remediation is needed.
By default, K3s sets the parameter of 6444 for the --secure-port argument. No manual remediation is needed.
By default, K3s sets the --profiling flag parameter to false. No manual remediation needed.
The K3s server needs to be run with the following argument: --kube-apiserver-arg='audit-log-path=/path/to/log/file'
The K3s server needs to be run with the following argument: --kube-apiserver-arg='audit-log-maxage=30'
The K3s server needs to be run with the following argument: --kube-apiserver-arg='audit-log-maxbackup=10'
The K3s server needs to be run with the following argument: --kube-apiserver-arg='audit-log-maxsize=100'
By default, K3s does not set the --request-timeout argument. No manual remediation needed.
The K3s server needs to be run with the following argument: --kube-apiserver-arg='service-account-lookup=true'
By default, K3s sets the --service-account-key-file argument explicitly. No manual remediation needed.
By default, K3s sets the --etcd-certfile and --etcd-keyfile arguments explicitly. No manual remediation needed.
By default, K3s sets the --tls-cert-file and --tls-private-key-file arguments explicitly. No manual remediation needed.
By default, K3s sets the --client-ca-file argument explicitly. No manual remediation needed.
By default, K3s sets the --etcd-cafile argument explicitly. No manual remediation needed.
The K3s server needs to be run with the following argument: --kube-apiserver-arg='encryption-provider-config=/path/to/encryption_config'. This can be done by running k3s with the --secrets-encryption argument, which will configure the encryption provider.
The K3s server needs to be run with the following argument: --secrets-encryption=true. Then verify that one of the allowed encryption providers is present by running the following command on the master node: grep aescbc /path/to/encryption-config.json and confirm that aescbc, kms or secretbox is set as the encryption provider for all the desired resources.
By default, K3s explicitly doesn’t set this flag. No manual remediation needed.
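As an added example that is not part of the K3s documentation or project code, the POSIX sh script below checks a kube-apiserver argument string against the flag values listed above and counts the controls that still need remediation. On a real node the string would come from the argument line K3s logs when it starts the embedded kube-apiserver (for example via journalctl -u k3s on a systemd host); the two strings embedded here are constructed samples, and every /path/to/... value in them is a placeholder.

```shell
#!/bin/sh
# Added example, not K3s project code: checks a kube-apiserver argument string
# against the remediation values on this page. The strings below are constructed.

flag_value() {  # print the value of --<flag>=<value> in an argument string, empty if absent
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^--$2=//p" | head -n 1
}

list_has() {  # succeed if the comma-separated value of --<flag> contains <item>
    case ",$(flag_value "$1" "$2")," in *",$3,"*) return 0 ;; *) return 1 ;; esac
}

expect_eq() {  # report one check; fail unless --<flag> equals <expected> exactly
    actual=$(flag_value "$1" "$2")
    [ "$actual" = "$3" ] && { echo "PASS --$2=$3"; return 0; }
    echo "FAIL --$2: expected '$3', got '$actual'"; return 1
}

expect_set() {  # report one check; fail unless --<flag> carries a non-empty value
    [ -n "$(flag_value "$1" "$2")" ] && { echo "PASS --$2 is set"; return 0; }
    echo "FAIL --$2 is not set"; return 1
}

# Run every check this page describes and return the number of failures.
check_apiserver_args() {
    fails=0
    for kv in anonymous-auth=false insecure-port=0 secure-port=6444 profiling=false \
              service-account-lookup=true audit-log-maxage=30 audit-log-maxbackup=10 \
              audit-log-maxsize=100; do
        expect_eq "$1" "${kv%%=*}" "${kv#*=}" || fails=$((fails + 1))
    done
    for f in audit-log-path encryption-provider-config client-ca-file etcd-cafile \
             etcd-certfile etcd-keyfile service-account-key-file tls-cert-file \
             tls-private-key-file; do
        expect_set "$1" "$f" || fails=$((fails + 1))
    done
    for m in Node RBAC; do
        list_has "$1" authorization-mode "$m" || { echo "FAIL --authorization-mode lacks $m"; fails=$((fails + 1)); }
    done
    list_has "$1" enable-admission-plugins NodeRestriction || { echo "FAIL --enable-admission-plugins lacks NodeRestriction"; fails=$((fails + 1)); }
    [ -z "$(flag_value "$1" insecure-bind-address)" ] || { echo "FAIL --insecure-bind-address is set"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample resembling the K3s defaults described above: the audit, lookup
# and encryption flags the page says must be added are absent, so six checks fail.
DEFAULT_ARGS='--anonymous-auth=false --authorization-mode=Node,RBAC --client-ca-file=/path/to/client-ca.crt --enable-admission-plugins=NodeRestriction,PodSecurityPolicy --etcd-cafile=/path/to/etcd-ca.crt --etcd-certfile=/path/to/etcd.crt --etcd-keyfile=/path/to/etcd.key --insecure-port=0 --profiling=false --secure-port=6444 --service-account-key-file=/path/to/sa.key --tls-cert-file=/path/to/tls.crt --tls-private-key-file=/path/to/tls.key'
# The same sample with the page's remediation flags appended: every check passes.
HARDENED_ARGS="$DEFAULT_ARGS --audit-log-path=/path/to/log/file --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --service-account-lookup=true --encryption-provider-config=/path/to/encryption_config"
check_apiserver_args "$DEFAULT_ARGS" || echo "$? check(s) still need remediation"
```

To audit a live node, replace DEFAULT_ARGS with the argument string taken from the K3s log line and read the FAIL lines as the list of controls left to fix.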