1.3 Controller Manager
1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)
Recommended Action
The K3s server needs to be run with the following: --kube-controller-manager-arg='terminated-pod-gc-threshold=10'
1.3.2 Ensure that the --profiling argument is set to false (Automated)
Recommended Action
By default, K3s sets the --profiling argument to false. No manual remediation needed.
1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)
Recommended Action
The K3s server needs to be run with the following: --kube-controller-manager-arg='use-service-account-credentials=true'
1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)
Recommended Action
By default, K3s sets the --service-account-private-key-file argument to the service account key file. No manual remediation needed.
1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)
Recommended Action
By default, K3s sets the --root-ca-file argument to the root CA file. No manual remediation needed.
1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)
Recommended Action
By default, K3s implements its own logic for certificate generation and rotation.
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)
Recommended Action
By default, K3s sets the --bind-address argument to 127.0.0.1. No manual remediation needed.
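
One way to check a controller manager's effective arguments against the 1.3.x controls above. This is an added example, not part of the K3s or CIS material. It assumes you have the argument line the controller manager was started with as a single string; the two sample lines are constructed and their file paths are placeholders.

```shell
#!/bin/sh
# Added example: audit a kube-controller-manager argument line against 1.3.x.

# Print the value of --<flag>=<value> in argument line $1 (empty if absent;
# if the flag is repeated, the last occurrence is printed).
flag_value() {
  fv_val=""
  set -f                                  # no globbing while word-splitting
  for fv_tok in $1; do
    case "$fv_tok" in
      "--$2="*) fv_val=${fv_tok#*=} ;;
    esac
  done
  set +f
  printf '%s' "$fv_val"
}

# $1=control id  $2=argument line  $3=flag  $4=required value ("" = any non-empty)
check_flag() {
  cf_val=$(flag_value "$2" "$3")
  if { [ -n "$4" ] && [ "$cf_val" = "$4" ]; } || { [ -z "$4" ] && [ -n "$cf_val" ]; }; then
    echo "PASS $1 --$3=$cf_val"; return 0
  fi
  echo "FAIL $1 --$3=${cf_val:-<unset>}${4:+ (want $4)}"; return 1
}

# Returns the number of failed controls (0 = all checks pass).
# 1.3.6 is not checked here: K3s uses its own certificate rotation logic.
audit_controller_manager() {
  acm_fail=0
  check_flag 1.3.1 "$1" terminated-pod-gc-threshold ""      || acm_fail=$((acm_fail + 1))
  check_flag 1.3.2 "$1" profiling false                     || acm_fail=$((acm_fail + 1))
  check_flag 1.3.3 "$1" use-service-account-credentials true || acm_fail=$((acm_fail + 1))
  check_flag 1.3.4 "$1" service-account-private-key-file "" || acm_fail=$((acm_fail + 1))
  check_flag 1.3.5 "$1" root-ca-file ""                     || acm_fail=$((acm_fail + 1))
  check_flag 1.3.7 "$1" bind-address 127.0.0.1              || acm_fail=$((acm_fail + 1))
  return "$acm_fail"
}

# Constructed sample argument lines; the file paths are placeholders.
SAMPLE_HARDENED="--bind-address=127.0.0.1 --profiling=false --root-ca-file=/path/to/ca.crt --service-account-private-key-file=/path/to/sa.key --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"
SAMPLE_WEAK="--bind-address=0.0.0.0 --profiling=false --root-ca-file=/path/to/ca.crt --service-account-private-key-file=/path/to/sa.key --terminated-pod-gc-threshold=10"

audit_controller_manager "$SAMPLE_HARDENED"
audit_controller_manager "$SAMPLE_WEAK" || echo "$? control(s) failed"
```

The weak sample fails 1.3.3 and 1.3.7: use-service-account-credentials is absent and bind-address is not the loopback address.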