N/A
Source: Kube Bench
ID: 4.2
Version: rh-1.0

4.2 Kubelet

4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)

Follow the instructions in the documentation to create a Kubelet config CRD and set anonymous-auth to false.

4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Manual)

None required. Unauthenticated/Unauthorized users have no access to OpenShift nodes.

4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)

None required. Changing the clientCAFile value is unsupported.

4.2.4 Verify that the read only port is not used or is set to 0 (Automated)

In earlier versions of OpenShift 4, the read-only-port argument is not used. Follow the instructions in the documentation to create a Kubelet config CRD and set --read-only-port to 0.

4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated)

Follow the instructions in the documentation to create a Kubelet config CRD and set --streaming-connection-idle-timeout to the desired value. Do not set the value to 0.

4.2.6 Ensure that the --protect-kernel-defaults argument is not set (Manual)

None required. The OpenShift 4 kubelet modifies the system tunables itself; using the protect-kernel-defaults flag will cause the kubelet to fail on start if the tunables don't match the kubelet configuration, and the OpenShift node will fail to start.

4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Manual)

None required. The --make-iptables-util-chains argument is set to true by default.

4.2.8 Ensure that the --hostname-override argument is not set (Manual)

By default, the --hostname-override argument is not set.

4.2.9 Ensure that the kubeAPIQPS [--event-qps] argument is set to 0 or a level which ensures appropriate event capture (Manual)

Follow the documentation to edit kubelet parameters (https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters) and set KubeAPIQPS:

4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)

OpenShift automatically manages TLS authentication for the API server communication with the node/kubelet. This is not configurable.

4.2.11 Ensure that the --rotate-certificates argument is not set to false (Manual)

None required.

4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)

By default, kubelet server certificate rotation is disabled.

4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)

Follow the directions above and in the OpenShift documentation to configure the tlsSecurityProfile. Configuring Ingress
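Several of the remediations above (4.2.1, 4.2.4, 4.2.5, 4.2.9 and 4.2.13) are applied the same way, through a KubeletConfig custom resource that the Machine Config Operator renders into the node's kubelet configuration. The manifest below is an added example, not from kube-bench or the OpenShift documentation; it assumes the worker MachineConfigPool carries the label custom-kubelet=cis-hardening, and the numeric values and cipher list are placeholders to adjust for your cluster. For 4.2.13 it sets the underlying KubeletConfiguration fields (tlsMinVersion, tlsCipherSuites) directly rather than the tlsSecurityProfile the page refers to.

```yaml
# Added example (not the page's or the project's own manifest).
# Label the pool first (assumed label):
#   oc label machineconfigpool worker custom-kubelet=cis-hardening
apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
  name: cis-kubelet-hardening          # assumed name
spec:
  machineConfigPoolSelector:
    matchLabels:
      custom-kubelet: cis-hardening    # assumed label on the worker MCP
  kubeletConfig:
    # 4.2.1: reject unauthenticated requests to the kubelet API
    authentication:
      anonymous:
        enabled: false
    # 4.2.4: disable the unauthenticated read-only port (10255)
    readOnlyPort: 0
    # 4.2.5: tear down idle exec/attach/port-forward streams; never 0
    streamingConnectionIdleTimeout: 4h0m0s
    # 4.2.9: kubeAPIQPS limits kubelet -> API server calls; eventRecordQPS
    # is the KubeletConfiguration field behind --event-qps (0 = unlimited)
    kubeAPIQPS: 50
    eventRecordQPS: 0
    # 4.2.13: only TLS 1.2+ with AEAD ECDHE suites on the kubelet server port
    tlsMinVersion: VersionTLS12
    tlsCipherSuites:
      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    # 4.2.6 / 4.2.8: protectKernelDefaults and hostnameOverride are
    # deliberately left unset, per the guidance above
```

Applying the resource (oc apply -f) produces a new rendered MachineConfig, so expect the MCO to drain and reboot each node in the pool; verify the result on a node with `oc debug node/<node> -- chroot /host cat /etc/kubernetes/kubelet.conf`.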