Source: Kube Bench
ID: 7
Version: rh-0.7

7 Kubelet

7.1 Use Security Context Constraints to manage privileged containers as needed

7.2 Ensure anonymous-auth is not disabled

7.3 Verify that the --authorization-mode argument is set to Webhook

Edit the OpenShift node config file /etc/origin/node/node-config.yaml and either remove authorization-mode from the kubeletArguments section (so the OpenShift default applies) or set it to "Webhook".

7.4 Verify the OpenShift default for the client-ca-file argument

Edit the OpenShift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following: grep -A1 client-ca-file /etc/origin/node/node-config.yaml

Reset to the OpenShift default. See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65 The config file does not define this under kubeletArguments, but under PodManifestConfig.

7.5 Verify the OpenShift default setting for the read-only-port argument

Edit the OpenShift node config file /etc/origin/node/node-config.yaml and remove any read-only-port setting from the kubeletArguments section so that the OpenShift default is applied.

7.6 Adjust the streaming-connection-idle-timeout argument

Edit the OpenShift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-idle-timeout value under kubeletArguments, like the following:

kubeletArguments:
  streaming-connection-idle-timeout:
  - "5m"

7.7 Verify the OpenShift defaults for the protect-kernel-defaults argument

7.8 Verify the OpenShift default value of true for the make-iptables-util-chains argument

Edit the OpenShift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift default value of true.

7.9 Verify that the --keep-terminated-pod-volumes argument is set to false

Reset to the OpenShift defaults.

7.10 Verify the OpenShift defaults for the hostname-override argument

7.11 Set the --event-qps argument to 0

Edit the OpenShift node config file /etc/origin/node/node-config.yaml and set the event-qps argument to 0 in the kubeletArguments section.

7.12 Verify the OpenShift cert-dir flag for HTTPS traffic

Reset to the OpenShift default values.

7.13 Verify the OpenShift default of 0 for the cadvisor-port argument

Edit the OpenShift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag if it is set in the kubeletArguments section.

7.14 Verify that the RotateKubeletClientCertificate argument is set to true

Edit the OpenShift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true.

7.15 Verify that the RotateKubeletServerCertificate argument is set to true

Edit the OpenShift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true.
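All of the checks in this section inspect the kubeletArguments section of one file. The following POSIX shell script is an added example, not kube-bench or OpenShift code: it parses that section of a node-config.yaml and reports deviations from the settings given above (checks 7.3 to 7.15, skipping 7.7, 7.10 and 7.12, for which the page states no concrete value). The two sample configs are constructed for the demonstration; the function names and the assumption that 7.14 and 7.15 appear as entries of the feature-gates argument are this example's own.

```shell
#!/bin/sh
# Added example (not kube-bench or OpenShift code): audit the kubeletArguments
# section of an OpenShift 3.10 node-config.yaml against checks 7.3-7.15 above.
# Uses only POSIX sh and awk so it can run directly on a node.

# Print the values listed under one kubeletArguments key, one per line, with
# surrounding double quotes stripped; print nothing if the key is not set.
# Usage: kubelet_arg /etc/origin/node/node-config.yaml event-qps
kubelet_arg() {
    awk -v key="$2" '
        /^kubeletArguments:/           { in_sec = 1; next }
        in_sec && /^[^ ]/              { in_sec = 0; in_key = 0 }   # next top-level key
        in_sec && $0 ~ ("^  " key ":") { in_key = 1; next }
        in_sec && in_key && /^  [^ -]/ { in_key = 0 }               # next argument name
        in_sec && in_key && /^ *- /    { sub(/^ *- */, ""); gsub(/"/, ""); print }
    ' "$1"
}

# Record one failing check (global counter, reset by audit_node_config).
fail() { echo "FAIL $1"; fails=$((fails + 1)); }

# Print one FAIL line per deviation and return the number of failing checks.
audit_node_config() {
    f="$1"; fails=0
    v=$(kubelet_arg "$f" authorization-mode)
    [ -z "$v" ] || [ "$v" = "Webhook" ] || fail "7.3 authorization-mode is '$v'; remove it or set it to Webhook"
    v=$(kubelet_arg "$f" client-ca-file)
    [ -z "$v" ] || fail "7.4 client-ca-file '$v' is set under kubeletArguments; remove it to restore the default"
    v=$(kubelet_arg "$f" read-only-port)
    [ -z "$v" ] || fail "7.5 read-only-port '$v' is set; remove it so the OpenShift default applies"
    v=$(kubelet_arg "$f" streaming-connection-idle-timeout)
    # The kubelet treats 0 as "never time out", so it is as bad as leaving it unset.
    if [ -z "$v" ] || [ "$v" = "0" ]; then
        fail "7.6 streaming-connection-idle-timeout is '${v:-unset}'; set it, for example to 5m"
    fi
    v=$(kubelet_arg "$f" make-iptables-util-chains)
    [ -z "$v" ] || [ "$v" = "true" ] || fail "7.8 make-iptables-util-chains is '$v'; reset it to the default true"
    v=$(kubelet_arg "$f" keep-terminated-pod-volumes)
    [ -z "$v" ] || [ "$v" = "false" ] || fail "7.9 keep-terminated-pod-volumes is '$v'; it must be false"
    v=$(kubelet_arg "$f" event-qps)
    [ "$v" = "0" ] || fail "7.11 event-qps is '${v:-unset}'; set it to 0"
    v=$(kubelet_arg "$f" cadvisor-port)
    [ -z "$v" ] || [ "$v" = "0" ] || fail "7.13 cadvisor-port is '$v'; remove it (the OpenShift default is 0)"
    # 7.14 / 7.15: this example ASSUMES the rotation settings are expressed as
    # kubelet feature gates listed under the feature-gates argument.
    gates=$(kubelet_arg "$f" feature-gates)
    case "$gates" in *RotateKubeletClientCertificate=true*) ;; *) fail "7.14 RotateKubeletClientCertificate=true missing from feature-gates" ;; esac
    case "$gates" in *RotateKubeletServerCertificate=true*) ;; *) fail "7.15 RotateKubeletServerCertificate=true missing from feature-gates" ;; esac
    return "$fails"
}

# Number of failing checks for a file, printed on stdout (safe under set -e).
count_failures() { n=0; audit_node_config "$1" >/dev/null || n=$?; echo "$n"; }

# Constructed sample configs (not captured from a real node): one with every
# weak setting named in this section, one matching the remediation text.
WEAK_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT
cat >"$WEAK_CFG" <<'EOF'
kubeletArguments:
  authorization-mode:
  - AlwaysAllow
  client-ca-file:
  - /etc/origin/node/client-ca.crt
  read-only-port:
  - "10255"
  streaming-connection-idle-timeout:
  - "0"
  make-iptables-util-chains:
  - "false"
  keep-terminated-pod-volumes:
  - "true"
  event-qps:
  - "5"
  cadvisor-port:
  - "4194"
  feature-gates:
  - RotateKubeletClientCertificate=false
servingInfo:
  bindAddress: 0.0.0.0:10250
EOF
cat >"$HARDENED_CFG" <<'EOF'
kubeletArguments:
  authorization-mode:
  - Webhook
  streaming-connection-idle-timeout:
  - "5m"
  event-qps:
  - "0"
  feature-gates:
  - RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true
EOF

echo "== weak config ==";     audit_node_config "$WEAK_CFG" || echo "$? check(s) need remediation"
echo "== hardened config =="; audit_node_config "$HARDENED_CFG" && echo "all checks pass"
```

To run it against a real node, call audit_node_config /etc/origin/node/node-config.yaml; the exit status is the number of failing checks, so it can gate a configuration-management run. The parser only understands the two-space list layout OpenShift writes, so a hand-edited file with different indentation should be checked with a YAML parser instead.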