N/A
Source: Kube Bench
ID: 1.3
Version: cis-1.6-k3s

1.3 Controller Manager

1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)

The K3s server needs to be run with the following argument: --kube-controller-manager-arg='terminated-pod-gc-threshold=10'

1.3.2 Ensure that the --profiling argument is set to false (Automated)

By default, K3s sets the --profiling flag to false. No manual remediation needed.

1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)

The K3s server needs to be run with the following argument: --kube-controller-manager-arg='use-service-account-credentials=true'

1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)

By default, K3s sets the --service-account-private-key-file argument with the service account key file. No manual remediation needed.

1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)

By default, K3s sets the --root-ca-file argument with the root CA file. No manual remediation needed.

1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)

By default, K3s implements its own logic for certificate generation and rotation.

1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)

By default, K3s sets the --bind-address argument to 127.0.0.1. No manual remediation needed.
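
The checks above can be applied to a kube-controller-manager argument line with a small script. This is an added example, not code from K3s or kube-bench: the function names, the /example/ paths and both sample argument lines are constructed, and obtaining the real argument line from a running server is left to the operator. 1.3.6 is skipped because K3s handles certificate rotation with its own logic.

```shell
#!/bin/sh
# Added example, not K3s or kube-bench code. Argument lines are constructed.
COMMON="--bind-address=127.0.0.1 --profiling=false \
--root-ca-file=/example/ca.crt --service-account-private-key-file=/example/sa.key"
DEFAULT_ARGS="kube-controller-manager $COMMON"
HARDENED_ARGS="$DEFAULT_ARGS --terminated-pod-gc-threshold=10 \
--use-service-account-credentials=true"

# Print the value of --<flag>=<value>; prints nothing if the flag is absent.
# If a flag repeats, the last occurrence is used (assumption of this example).
flag_value() {
  printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^--$1=//p" | tail -n 1
}

# check <id> <flag> <expected|SET> <args>: prints PASS/FAIL, returns 0 on pass.
# SET means any non-empty value is accepted ("set as appropriate").
check() {
  val=$(flag_value "$2" "$4")
  if [ "$3" = "SET" ]; then
    [ -n "$val" ] && ok=0 || ok=1
  else
    [ "$val" = "$3" ] && ok=0 || ok=1
  fi
  if [ "$ok" -eq 0 ]; then echo "PASS $1 --$2=$val"
  else echo "FAIL $1 --$2 (got '${val:-unset}', want $3)"; fi
  return "$ok"
}

# Run every check; the return status is the number of failed checks.
audit_controller_manager() {
  fails=0
  check 1.3.1 terminated-pod-gc-threshold SET "$1" || fails=$((fails + 1))
  check 1.3.2 profiling false "$1" || fails=$((fails + 1))
  check 1.3.3 use-service-account-credentials true "$1" || fails=$((fails + 1))
  check 1.3.4 service-account-private-key-file SET "$1" || fails=$((fails + 1))
  check 1.3.5 root-ca-file SET "$1" || fails=$((fails + 1))
  check 1.3.7 bind-address 127.0.0.1 "$1" || fails=$((fails + 1))
  return "$fails"
}

# Demo: the constructed default line lacks the two flags that need remediation.
audit_controller_manager "$DEFAULT_ARGS" || echo "failed checks: $?"
```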