Source: Kube Bench
ID: 4.2
Version: cis-1.6-k3s

4.2 Kubelet

4.2.1 Ensure that the anonymous-auth argument is set to false (Automated)

By default, K3s starts kubelet with --anonymous-auth set to false. No manual remediation needed.

4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)

K3s starts kubelet with Webhook as the value for the --authorization-mode argument. No manual remediation needed.

4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)

By default, K3s starts the kubelet process with the --client-ca-file argument. No manual remediation needed.

4.2.4 Ensure that the --read-only-port argument is set to 0 (Automated)

By default, K3s starts the kubelet process with the --read-only-port argument set to 0.

4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated)

By default, K3s does not set --streaming-connection-idle-timeout when starting kubelet.

4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)

K3s server needs to be started with the following argument: --protect-kernel-defaults=true

4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)

K3s server needs to be run with the following argument: --kube-apiserver-arg='make-iptables-util-chains=true'

4.2.8 Ensure that the --hostname-override argument is not set (Not Applicable)

4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)

If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level. If using command line arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter in the KUBELET_SYSTEM_PODS_ARGS variable. Based on your system, restart the kubelet service. For example:

systemctl daemon-reload
systemctl restart kubelet.service

4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)

By default, K3s sets the --tls-cert-file and --tls-private-key-file arguments when executing the kubelet process.

4.2.11 Ensure that the --rotate-certificates argument is not set to false (Not Applicable)

4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Not Applicable)

4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Applicable)
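The following shell audit checks a kubelet command line against the expectations of 4.2.1 through 4.2.6 and 4.2.10 above. It is added here as an example and is not code from the kube-bench page or from the k3s project. It assumes the kubelet arguments are taken from the "Running kubelet ..." line that k3s writes to its journal (journalctl -u k3s); the sample line, its paths and the SAMPLE_KUBELET_LINE, flag_value, flag_present, expect_value, expect_present and audit_kubelet names are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the kube-bench page or the k3s project):
# audit a kubelet command line against the CIS 4.2.x expectations.

# Constructed sample in the shape of the "Running kubelet ..." journal line
# (assumed source of the arguments); the paths are illustrative placeholders.
SAMPLE_KUBELET_LINE='Running kubelet --address=0.0.0.0 --anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --read-only-port=0 --protect-kernel-defaults=true --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key'

# flag_value LINE FLAG: print the value of --FLAG=value, or nothing if absent.
# Arguments are split on spaces, which is fine for kubelet flags (no spaces in values).
flag_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^--$2=//p" | head -n 1
}

# flag_present LINE FLAG: succeed if --FLAG appears, with or without a value.
flag_present() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qE "^--$2(=.*)?$"
}

# expect_value LINE FLAG WANT ID: report PASS/FAIL, fail if the value differs.
expect_value() {
    got=$(flag_value "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "PASS $4: --$2=$got"; return 0
    fi
    echo "FAIL $4: --$2 is '${got:-<unset>}', expected '$3'"; return 1
}

# expect_present LINE FLAG ID: report PASS/FAIL, fail if the flag is missing.
expect_present() {
    if flag_present "$1" "$2"; then
        echo "PASS $3: --$2 set"; return 0
    fi
    echo "FAIL $3: --$2 not set"; return 1
}

# audit_kubelet LINE: one report line per control; returns the number of failures.
audit_kubelet() {
    line=$1
    fails=0
    expect_value "$line" anonymous-auth false 4.2.1 || fails=$((fails+1))
    # 4.2.2: any mode other than AlwaysAllow is acceptable (k3s uses Webhook).
    mode=$(flag_value "$line" authorization-mode)
    if [ -n "$mode" ] && [ "$mode" != "AlwaysAllow" ]; then
        echo "PASS 4.2.2: --authorization-mode=$mode"
    else
        echo "FAIL 4.2.2: --authorization-mode is '${mode:-<unset>}'"; fails=$((fails+1))
    fi
    expect_present "$line" client-ca-file 4.2.3 || fails=$((fails+1))
    expect_value "$line" read-only-port 0 4.2.4 || fails=$((fails+1))
    # 4.2.5: the flag must not be explicitly 0; leaving it unset (k3s default) passes.
    idle=$(flag_value "$line" streaming-connection-idle-timeout)
    case "$idle" in
        0|0s|0m|0h) echo "FAIL 4.2.5: --streaming-connection-idle-timeout is 0"; fails=$((fails+1)) ;;
        "")         echo "PASS 4.2.5: --streaming-connection-idle-timeout unset (kubelet default applies)" ;;
        *)          echo "PASS 4.2.5: --streaming-connection-idle-timeout=$idle" ;;
    esac
    expect_value "$line" protect-kernel-defaults true 4.2.6 || fails=$((fails+1))
    expect_present "$line" tls-cert-file 4.2.10 || fails=$((fails+1))
    expect_present "$line" tls-private-key-file 4.2.10 || fails=$((fails+1))
    return "$fails"
}

audit_kubelet "$SAMPLE_KUBELET_LINE"
```

On a real node, replace the constructed sample with the last "Running kubelet" line from the k3s journal. audit_kubelet returns the count of failed controls, so its exit status can drive a node health check directly; 4.2.7 is not checked here because make-iptables-util-chains is passed to k3s rather than appearing as a kubelet argument in this listing.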