4.2 Kubelet
4.2.1 Ensure that the anonymous-auth argument is set to false (Automated)
Recommended Action
By default, K3s starts kubelet with --anonymous-auth set to false. No manual remediation needed.
4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
Recommended Action
K3s starts kubelet with Webhook as the value for the --authorization-mode argument. No manual remediation needed.
4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)
Recommended Action
By default, K3s starts the kubelet process with the --client-ca-file argument set. No manual remediation needed.
4.2.4 Ensure that the --read-only-port argument is set to 0 (Automated)
Recommended Action
By default, K3s starts the kubelet process with the --read-only-port argument set to 0, which disables the unauthenticated read-only port. No manual remediation needed.
4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated)
Recommended Action
By default, K3s does not set --streaming-connection-idle-timeout when starting kubelet, so the kubelet's own default of 4h applies and the check is satisfied. No manual remediation needed.
4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)
Recommended Action
K3s server (and each K3s agent) needs to be started with --protect-kernel-defaults=true. With this flag set the kubelet refuses to start if the host sysctls differ from the values it expects (for example vm.overcommit_memory=1, kernel.panic=10, kernel.panic_on_oops=1), so apply those kernel settings on every node before enabling it.
4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)
Recommended Action
make-iptables-util-chains is a kubelet argument (kubelet default: true), not an API server argument. To set it explicitly, run the K3s server (and agents) with --kubelet-arg='make-iptables-util-chains=true'.
4.2.8 Ensure that the --hostname-override argument is not set (Not Applicable)
Recommended Action
4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)
Recommended Action
If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the --event-qps parameter in the KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
Note that K3s runs the kubelet inside the k3s process rather than as a separate kubelet.service. On K3s, pass the setting as --kubelet-arg='event-qps=<level>' to k3s server or k3s agent and restart the k3s or k3s-agent service instead.
4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)
Recommended Action
By default, K3s sets the --tls-cert-file and --tls-private-key-file arguments when executing the kubelet process.
4.2.11 Ensure that the --rotate-certificates argument is not set to false (Not Applicable)
Recommended Action
4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Not Applicable)
Recommended Action
4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Applicable)
Recommended Action
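As an added example (not part of this hardening guide or of the K3s project), the following Python script evaluates items 4.2.1 through 4.2.10 above against a kubelet's effective configuration. On a live cluster the input is the JSON served by the kubelet's /configz endpoint, reachable through the API server with kubectl get --raw "/api/v1/nodes/<node>/proxy/configz"; here two constructed samples (one hardened, one weak) are embedded so the script runs offline, and the certificate paths in them are illustrative assumptions. Items 4.2.8 and 4.2.11 to 4.2.13 are marked Not Applicable above and are not checked.

```python
"""Audit a kubelet's effective configuration against CIS 4.2.1-4.2.10.

Input is the JSON served by the kubelet /configz endpoint, e.g.
    kubectl get --raw "/api/v1/nodes/<node>/proxy/configz"
"""
import json
import re

# Constructed sample (not captured from a real cluster) of what a K3s node
# hardened as described in this section returns; trimmed to the fields checked.
# The file paths are illustrative assumptions.
HARDENED_CONFIGZ = json.dumps({"kubeletconfig": {
    "authentication": {
        "anonymous": {"enabled": False},
        "x509": {"clientCAFile": "/var/lib/rancher/k3s/agent/client-ca.crt"},
    },
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
    "streamingConnectionIdleTimeout": "4h0m0s",
    "protectKernelDefaults": True,
    "makeIPTablesUtilChains": True,
    "eventRecordQPS": 0,
    "tlsCertFile": "/var/lib/rancher/k3s/agent/serving-kubelet.crt",
    "tlsPrivateKeyFile": "/var/lib/rancher/k3s/agent/serving-kubelet.key",
}})

# Constructed counterpart carrying the settings each check is meant to catch.
WEAK_CONFIGZ = json.dumps({"kubeletconfig": {
    "authentication": {"anonymous": {"enabled": True}, "x509": {}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
    "streamingConnectionIdleTimeout": "0s",
    "protectKernelDefaults": False,
    "makeIPTablesUtilChains": False,
    "eventRecordQPS": 5,
}})

_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1, "ms": 0.001}


def go_duration_seconds(text):
    """Convert a Go duration string such as '4h0m0s' or '0s' to seconds."""
    return sum(float(n) * _UNIT_SECONDS[u]
               for n, u in re.findall(r"(\d+(?:\.\d+)?)(ms|h|m|s)", text))


def audit_kubelet(configz_json):
    """Return {item: (status, detail)}; status is PASS, FAIL or REVIEW.

    Fields absent from the input are read as the weak legacy flag defaults,
    so a missing field fails the check rather than passing it silently.
    """
    cfg = json.loads(configz_json)["kubeletconfig"]
    auth = cfg.get("authentication", {})

    def verdict(ok):
        return "PASS" if ok else "FAIL"

    out = {}
    anon = auth.get("anonymous", {}).get("enabled", True)
    out["4.2.1"] = (verdict(anon is False), f"anonymous.enabled={anon}")
    mode = cfg.get("authorization", {}).get("mode", "AlwaysAllow")
    out["4.2.2"] = (verdict(mode != "AlwaysAllow"), f"authorization.mode={mode}")
    ca = auth.get("x509", {}).get("clientCAFile", "")
    out["4.2.3"] = (verdict(bool(ca)), f"clientCAFile={ca or '<unset>'}")
    port = cfg.get("readOnlyPort", 10255)
    out["4.2.4"] = (verdict(port == 0), f"readOnlyPort={port}")
    idle = cfg.get("streamingConnectionIdleTimeout", "0s")
    out["4.2.5"] = (verdict(go_duration_seconds(idle) > 0),
                    f"streamingConnectionIdleTimeout={idle}")
    pkd = cfg.get("protectKernelDefaults", False)
    out["4.2.6"] = (verdict(pkd is True), f"protectKernelDefaults={pkd}")
    chains = cfg.get("makeIPTablesUtilChains", False)
    out["4.2.7"] = (verdict(chains is True), f"makeIPTablesUtilChains={chains}")
    # 4.2.9 and 4.2.10 are Manual items: anything but the clear-cut value is
    # reported as REVIEW for a human to judge, not as a pass.
    qps = cfg.get("eventRecordQPS")
    out["4.2.9"] = ("PASS" if qps == 0 else "REVIEW", f"eventRecordQPS={qps}")
    cert, key = cfg.get("tlsCertFile", ""), cfg.get("tlsPrivateKeyFile", "")
    out["4.2.10"] = ("PASS" if cert and key else "REVIEW",
                     f"tlsCertFile={cert or '<unset>'} "
                     f"tlsPrivateKeyFile={key or '<unset>'}")
    return out


def _item_order(item):
    return tuple(int(p) for p in item.split("."))


def failing_items(configz_json):
    """Sorted list of item ids whose status is FAIL."""
    return sorted((item for item, (status, _) in audit_kubelet(configz_json).items()
                   if status == "FAIL"), key=_item_order)


if __name__ == "__main__":
    for name, blob in (("hardened", HARDENED_CONFIGZ), ("weak", WEAK_CONFIGZ)):
        print(f"== {name} node ==")
        results = audit_kubelet(blob)
        for item in sorted(results, key=_item_order):
            status, detail = results[item]
            print(f"{item:<7} {status:<7} {detail}")
```

A REVIEW status is deliberately not a pass: the two Manual items still need a person to decide whether the event rate and the serving certificate are appropriate for the cluster, and the script only surfaces the values it found.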