If using a Kubelet config file, edit $kubeletconf to set readOnlyPort to 0. If using command line arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter in the KUBELET_SYSTEM_PODS_ARGS variable. --read-only-port=0 Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service
If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to false. If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter in the KUBELET_SYSTEM_PODS_ARGS variable. --anonymous-auth=false Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service
If using a Kubelet config file, edit $kubeletconf to set authorization: mode to Webhook. If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter in the KUBELET_AUTHZ_ARGS variable. --authorization-mode=Webhook Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service
Edit $kubeletconf on each node to remove the staticPodPath setting. Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service
Run the following command: kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A If any of the values returned reference environment variables, rewrite the application code to read secrets from mounted secret files rather than from environment variables.
If using a Kubelet config file, edit $kubeletconf to set protectKernelDefaults: true. If using command line arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter in the KUBELET_SYSTEM_PODS_ARGS variable. --protect-kernel-defaults=true Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service
If using a Kubelet config file, edit $kubeletconf to set authorization: mode to Webhook. If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter in the KUBELET_AUTHZ_ARGS variable. --authorization-mode=Webhook Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service
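The kubelet config items above share one check: does $kubeletconf actually carry the hardened values (readOnlyPort 0, anonymous auth off, Webhook authorization, protectKernelDefaults true, no staticPodPath)? The POSIX shell script below is an added example, not part of the benchmark text, that audits a KubeletConfiguration file for exactly those five settings and reports a finding for each deviation; a missing key counts as a finding where the kubelet default is the weak value. It assumes a plainly indented YAML file (one key per line, spaces for nesting), so plain awk is enough and no YAML parser is needed; the two sample configs are constructed here and are not taken from any real node.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit a KubeletConfiguration file for
# the settings the items above require. Assumes simply indented YAML (one key
# per line, spaces for nesting); this is a targeted check, not a YAML parser.

# top_value KEY FILE -> scalar of a top-level KEY, or empty if the key is absent
top_value() {
    awk -v k="$1" '/^[^ #]/ && $1 == (k ":") { print $2; exit }' "$2"
}

# nested_value PARENT KEY FILE -> scalar of KEY inside the block under PARENT:
# (the block ends at the next non-blank line indented no deeper than PARENT)
nested_value() {
    awk -v p="$1" -v k="$2" '
        function indent(s) { match(s, /^ */); return RLENGTH }
        $1 == (p ":")                          { inblock = 1; pi = indent($0); next }
        inblock && NF > 0 && indent($0) <= pi  { inblock = 0 }
        inblock && $1 == (k ":")               { print $2; exit }
    ' "$3"
}

# audit_kubelet_config FILE -> one "FINDING:" line per setting that deviates.
# An absent key is a finding where the kubelet default is the weak value
# (read-only port 10255, anonymous auth on, AlwaysAllow, kernel defaults unprotected).
audit_kubelet_config() {
    f=$1
    v=$(top_value readOnlyPort "$f")
    [ "$v" = "0" ] || echo "FINDING: readOnlyPort=${v:-unset} (expected 0)"
    v=$(nested_value anonymous enabled "$f")
    [ "$v" = "false" ] || echo "FINDING: authentication.anonymous.enabled=${v:-unset} (expected false)"
    v=$(nested_value authorization mode "$f")
    [ "$v" = "Webhook" ] || echo "FINDING: authorization.mode=${v:-unset} (expected Webhook)"
    v=$(top_value protectKernelDefaults "$f")
    [ "$v" = "true" ] || echo "FINDING: protectKernelDefaults=${v:-unset} (expected true)"
    v=$(top_value staticPodPath "$f")
    [ -z "$v" ] || echo "FINDING: staticPodPath=$v (expected absent)"
    return 0
}

# count_findings FILE -> number of FINDING lines reported for FILE
count_findings() {
    audit_kubelet_config "$1" | wc -l | tr -d ' '
}

# Two constructed sample configs (written to temp files; removed on exit).
WEAK=$(mktemp); HARDENED=$(mktemp)
trap 'rm -f "$WEAK" "$HARDENED"' EXIT

cat > "$WEAK" <<'EOF'
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
readOnlyPort: 10255
staticPodPath: /etc/kubernetes/manifests
authentication:
  anonymous:
    enabled: true
  webhook:
    enabled: true
authorization:
  mode: AlwaysAllow
EOF

cat > "$HARDENED" <<'EOF'
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
readOnlyPort: 0
protectKernelDefaults: true
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
authorization:
  mode: Webhook
EOF

echo "== weak config: $(count_findings "$WEAK") finding(s)"
audit_kubelet_config "$WEAK"
echo "== hardened config: $(count_findings "$HARDENED") finding(s)"
audit_kubelet_config "$HARDENED"
```

Run it against a real node's config with `audit_kubelet_config /path/to/kubelet-config.yaml`; the weak sample reports five findings (including the absent protectKernelDefaults), the hardened sample none. Nodes started with command-line flags instead of a config file are not covered by this check, since the flag values never appear in the YAML.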
To stop the sshd service, run the command: systemctl stop sshd
To disable the sshd service, run the command: chkconfig sshd off
Run the command: kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard If any resources are returned, this is a finding. Fix Text: Delete the Kubernetes dashboard deployment with the following command: kubectl delete deployment kubernetes-dashboard --namespace=kube-system
Edit any manifest files or kubelet config files that contain the feature-gates setting with DynamicAuditing set to "true". Set the flag to "false" or remove the "DynamicAuditing" setting completely. Restart the kubelet service if the kubelet config file is changed.
Edit any manifest files or $kubeletconf that contain the feature-gates setting with DynamicKubeletConfig set to "true". Set the flag to "false" or remove the "DynamicKubeletConfig" setting completely. Restart the kubelet service if the kubelet config file is changed.
Edit the kubelet service file $kubeletbin on each worker node and remove the --hostname-override argument from the KUBELET_SYSTEM_PODS_ARGS variable. Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service
Run the below command (based on the file location on your system) on each worker node. For example: chown root:root $kubeletkubeconfig
Run the following command (using the config file location identified in the Audit step): chmod 644 $kubeletconf
For any of the pods that are using ports below 1024, reconfigure the pod to use a service to map a host non-privileged port to the pod port or reconfigure the image to use non-privileged ports.
To view all pods and the images used to create the pods, from the Master node, run the following command:
kubectl get pods --all-namespaces -o jsonpath="{..image}" |
tr -s '[[:space:]]' '\n' |
sort |
uniq -c
Review the images used for pods running within Kubernetes.
Remove any old pods that are using older images.
If any Worker nodes are not using kubectl version 1.12.9 or newer, this is a finding. Upgrade the Master and Worker nodes to the latest version of kubectl.