kubermatic / kubeone

Kubermatic KubeOne automates cluster operations on all your cloud, on-prem, edge, and IoT environments.
https://kubeone.io
Apache License 2.0

Worker Node CIS issues #2793

Open kron4eg opened 1 year ago

kron4eg commented 1 year ago

What happened?

Running CIS benchmark results to failures:

[INFO] 4 Worker Node Security Configuration
[INFO] 4.1 Worker Node Configuration Files
[FAIL] 4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)
[FAIL] 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)
[WARN] 4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Manual)
[INFO] 4.2 Kubelet
[FAIL] 4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)
[FAIL] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
[FAIL] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)
[FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)
[WARN] 4.2.8 Ensure that the --hostname-override argument is not set (Manual)
[WARN] 4.2.9 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)
[WARN] 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)
[WARN] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)

== Summary total ==
12 checks PASS
6 checks FAIL
5 checks WARN
0 checks INFO

How to reproduce the issue?

What KubeOne version are you using?

```console
$ kubeone version
{
  "kubeone": {
    "major": "1",
    "minor": "6",
    "gitVersion": "1.6.2",
    "gitCommit": "184adc3b7d0c1e2e7630ded518cbfdfab7300755",
    "gitTreeState": "",
    "buildDate": "2023-04-14T11:20:23Z",
    "goVersion": "go1.19.8",
    "compiler": "gc",
    "platform": "linux/amd64"
  },
  "machine_controller": {
    "major": "1",
    "minor": "56",
    "gitVersion": "v1.56.2",
    "gitCommit": "",
    "gitTreeState": "",
    "buildDate": "",
    "goVersion": "",
    "compiler": "",
    "platform": "linux/amd64"
  }
}
```

Provide your KubeOneCluster manifest here (if applicable)

```yaml
apiVersion: kubeone.k8c.io/v1beta2
kind: KubeOneCluster
versions:
  kubernetes: 1.25.10
cloudProvider:
  external: true
containerRuntime:
  containerd: {}
```

What cloud provider are you running on?

AWS

What operating system are you running in your cluster?

Ubuntu 22.04
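The failing 4.1.x and 4.2.x items in the report above can be verified on a node before re-running kube-bench. The following is an added example, not KubeOne's own code: the kubelet configs are constructed, the clientCAFile path is a placeholder, and the strong-cipher list is an assumption about what the benchmark accepts.

```python
# Audit a parsed kubelet config against the CIS 4.1/4.2 items in the report above.
# Added example with constructed inputs, not KubeOne's own code. The mappings below
# are what yaml.safe_load returns for /var/lib/kubelet/config.yaml on a node.
import os, stat, tempfile
# Suites accepted for 4.2.13 (assumption: ECDHE + AEAD only, what kube-bench expects).
STRONG_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"}

def _get(cfg, *path):
    """Walk a nested mapping; None when any key on the path is missing."""
    for key in path:
        if not isinstance(cfg, dict) or key not in cfg:
            return None
        cfg = cfg[key]
    return cfg

# CIS id -> True when the config passes; absent keys mean kubelet defaults, so they fail.
KUBELET_CHECKS = {
    "4.2.1": lambda c: _get(c, "authentication", "anonymous", "enabled") is False,
    "4.2.2": lambda c: _get(c, "authorization", "mode") not in (None, "AlwaysAllow"),
    "4.2.3": lambda c: bool(_get(c, "authentication", "x509", "clientCAFile")),
    "4.2.6": lambda c: _get(c, "protectKernelDefaults") is True,
    "4.2.13": lambda c: bool(_get(c, "tlsCipherSuites"))
    and set(_get(c, "tlsCipherSuites")) <= STRONG_CIPHERS}

def audit_kubelet_config(cfg):
    """Return the ids of the checks the config fails, in CIS order."""
    return [cid for cid, passes in KUBELET_CHECKS.items() if not passes(cfg)]

def file_mode_ok(path):
    """4.1.1 / 4.1.5: mode must be 600 or more restrictive (no group/other bits)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o177 == 0

def demo_permission_check():
    """Exercise 4.1.1 on a throwaway file: 644 fails, 600 passes."""
    with tempfile.NamedTemporaryFile() as f:
        os.chmod(f.name, 0o644)
        before = file_mode_ok(f.name)
        os.chmod(f.name, 0o600)
        return before, file_mode_ok(f.name)

# Constructed inputs: a permissive config and the hardened form of the same file.
WEAK_CONFIG = {"authentication": {"anonymous": {"enabled": True}}, "authorization": {"mode": "AlwaysAllow"}}
HARDENED_CONFIG = {"protectKernelDefaults": True, "authorization": {"mode": "Webhook"},
    "authentication": {"anonymous": {"enabled": False}, "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"}},
    "tlsCipherSuites": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]}
if __name__ == "__main__":
    print("weak:", audit_kubelet_config(WEAK_CONFIG), "hardened:", audit_kubelet_config(HARDENED_CONFIG))
    print("644 then 600 passes:", demo_permission_check())
```

Point `yaml.safe_load` at the node's real kubelet config and `file_mode_ok` at the kubelet service file and kubelet.conf to reproduce the 4.1.1, 4.1.5 and 4.2.x results without a full benchmark run.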

kubermatic-bot commented 1 year ago

Issues go stale after 90d of inactivity. After a further 30 days, they will turn rotten. Mark the issue as fresh with /remove-lifecycle stale.

If this issue is safe to close now please do so with /close.

/lifecycle stale

xmudrii commented 1 year ago

/remove-lifecycle stale

xmudrii commented 1 year ago

We still need documentation for known issues.

kubermatic-bot commented 11 months ago

Issues go stale after 90d of inactivity. After a further 30 days, they will turn rotten. Mark the issue as fresh with /remove-lifecycle stale.

If this issue is safe to close now please do so with /close.

/lifecycle stale

xmudrii commented 11 months ago

/remove-lifecycle stale

xmudrii commented 7 months ago

From https://github.com/kubermatic/docs/pull/1637, we should fix: 1.1.9, 4.1.1, 4.1.9, 4.2.12, for the upcoming 1.8 release

xmudrii commented 7 months ago

Those can also be fixed in a patch release (e.g. 1.8.1)

kron4eg commented 7 months ago