|
1 | 1 | ---
|
2 |
| -title: Self assessment guide to validate worker node configuration |
| 2 | +title: Self assessment guide - Worker Node Configuration |
3 | 3 | sidebar_label: Worker Node Configuration
|
4 |
| -description: Self assessment guide to validate worker node configuration |
5 |
| ---- |
| 4 | +description: Self assessment guide to validate Worker Node configuration |
| 5 | +--- |
| 6 | + |
| 7 | +This section provides security recommendations for components running on Kubernetes worker nodes: |
| 8 | +- Kubelet configuration and security |
| 9 | +- File system permissions |
| 10 | + |
| 11 | +_Assessment focus for vCluster_: Since vCluster uses the host cluster's nodes, this section's requirements are primarily inherited from the host cluster's configuration. Verification should focus on ensuring the host cluster meets these requirements. |
| 12 | + |
| 13 | +<!-- vale Google.Headings = NO --> |
| 14 | +## 4.1 Worker Node Configuration Files |
| 15 | +<!-- vale Google.Headings = YES --> |
| 16 | +### 4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated) |
| 17 | + |
| 18 | +**Result:** NOT APPLICABLE |
| 19 | + |
| 20 | +**Remediation:** Run the below command (based on the file location on your system) on the each worker node. For example, |
| 21 | +```bash |
| 22 | +chmod 600 /etc/systemd/system/kubelet.service.d/kubeadm.conf |
| 23 | +``` |
| 24 | + |
| 25 | +### 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated) |
| 26 | + |
| 27 | +**Result:** NOT APPLICABLE |
| 28 | + |
| 29 | +**Remediation:** Run the below command (based on the file location on your system) on the each worker node. For example, |
| 30 | +```bash |
| 31 | +chown root:root /etc/systemd/system/kubelet.service.d/kubeadm.conf |
| 32 | +``` |
| 33 | + |
| 34 | +### 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated) |
| 35 | + |
| 36 | +**Result:** NOT APPLICABLE |
| 37 | + |
| 38 | +**Remediation:** Run the below command (based on the file location on your system) on the each worker node. For example, |
| 39 | +```bash |
| 40 | +chmod 600 <proxy kubeconfig file> |
| 41 | +``` |
| 42 | +
|
| 43 | +### 4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root (Automated) |
| 44 | +
|
| 45 | +**Result:** NOT APPLICABLE |
| 46 | +
|
| 47 | +**Remediation:** Run the below command (based on the file location on your system) on the each worker node. For example, |
| 48 | +```bash |
| 49 | +chown root:root <proxy kubeconfig file> |
| 50 | +``` |
| 51 | + |
| 52 | +### 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated) |
| 53 | + |
| 54 | +**Result:** NOT APPLICABLE |
| 55 | + |
| 56 | +**Remediation:** Run the below command (based on the file location on your system) on the each worker node. For example, |
| 57 | +```bash |
| 58 | +chmod 600 /etc/kubernetes/kubelet.conf |
| 59 | +``` |
| 60 | + |
| 61 | +### 4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated) |
| 62 | + |
| 63 | +**Result:** NOT APPLICABLE |
| 64 | + |
| 65 | +**Remediation:** Run the below command (based on the file location on your system) on the each worker node. For example, |
| 66 | +```bash |
| 67 | +chown root:root /etc/kubernetes/kubelet.conf |
| 68 | +``` |
| 69 | + |
| 70 | +### 4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated) |
| 71 | + |
| 72 | +**Result:** NOT APPLICABLE |
| 73 | + |
| 74 | + |
| 75 | +**Remediation:** Run the following command to modify the file permissions of the `--client-ca-file` |
| 76 | +```bash |
| 77 | +chmod 600 <filename> |
| 78 | +``` |
| 79 | + |
| 80 | +### 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Automated) |
| 81 | + |
| 82 | +**Result:** NOT APPLICABLE |
| 83 | + |
| 84 | +**Remediation:** Run the following command to modify the ownership of the `--client-ca-file`. |
| 85 | +```bash |
| 86 | +chown root:root <filename> |
| 87 | +``` |
| 88 | + |
| 89 | +### 4.1.9 Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated) |
| 90 | + |
| 91 | +**Result:** NOT APPLICABLE |
| 92 | + |
| 93 | +**Remediation:** Run the following command (using the config file location identied in the Audit step) |
| 94 | +```bash |
| 95 | +chmod 600 /var/lib/kubelet/config.yaml |
| 96 | +``` |
| 97 | + |
| 98 | +### 4.1.10 Ensure that the kubelet --config configuration file ownership is set to root:root (Automated) |
| 99 | + |
| 100 | +**Result:** NOT APPLICABLE |
| 101 | + |
| 102 | +**Remediation:** Run the following command (using the config file location identied in the Audit step) |
| 103 | +```bash |
| 104 | +chown root:root /etc/kubernetes/kubelet.conf |
| 105 | +``` |
| 106 | + |
| 107 | +## 4.2 Kubelet |
| 108 | +### 4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated) |
| 109 | + |
| 110 | +**Result:** NOT APPLICABLE |
| 111 | + |
| 112 | +**Remediation:** If using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to `false`. If using executable arguments, edit the kubelet service file `/etc/kubernetes/kubelet.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable. |
| 113 | +```bash |
| 114 | +--anonymous-auth=false |
| 115 | +``` |
| 116 | +Based on your system, restart the kubelet service. For example: |
| 117 | +```bash |
| 118 | +systemctl daemon-reload |
| 119 | +systemctl restart kubelet.service |
| 120 | +``` |
| 121 | +<!-- vale Google.Headings = NO --> |
| 122 | +### 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated) |
| 123 | +<!-- vale Google.Headings = YES --> |
| 124 | + |
| 125 | +**Result:** NOT APPLICABLE |
| 126 | + |
| 127 | +**Remediation:** If using a Kubelet config file, edit the file to set `authorization: mode` to `Webhook`. |
| 128 | +If using executable arguments, edit the kubelet service file `/etc/kubernetes/kubelet.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable. |
| 129 | +```bash |
| 130 | +--authorization-mode=Webhook |
| 131 | +``` |
| 132 | +Based on your system, restart the `kubelet` service. For example: |
| 133 | +```bash |
| 134 | +systemctl daemon-reload |
| 135 | +systemctl restart kubelet.service |
| 136 | +``` |
| 137 | + |
| 138 | +### 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated) |
| 139 | + |
| 140 | +**Result:** NOT APPLICABLE |
| 141 | + |
| 142 | +**Remediation:** If using a Kubelet config file, edit the file to set `authentication: x509: clientCAFile` to the location of the client CA file. |
| 143 | +If using command line arguments, edit the kubelet service file `/etc/kubernetes/kubelet.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable. |
| 144 | +```bash |
| 145 | +--client-ca-file=<path/to/client-ca-file> |
| 146 | +``` |
| 147 | +Based on your system, restart the kubelet service. For example: |
| 148 | +```bash |
| 149 | +systemctl daemon-reload |
| 150 | +systemctl restart kubelet.service |
| 151 | +``` |
| 152 | + |
| 153 | +<!-- vale Google.LyHyphens = NO --> |
| 154 | +### 4.2.4 Ensure that the --read-only-port argument is set to 0 (Automated) |
| 155 | +<!-- vale Google.LyHyphens = YES --> |
| 156 | + |
| 157 | +**Result:** NOT APPLICABLE |
| 158 | + |
| 159 | +**Remediation:** If using a Kubelet config file, edit the file to set `readOnlyPort` to `0`. |
| 160 | +If using command line arguments, edit the kubelet service file `/etc/kubernetes/kubelet.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable. |
| 161 | +```bash |
| 162 | +--read-only-port=0 |
| 163 | +``` |
| 164 | +Based on your system, restart the `kubelet` service. For example: |
| 165 | +```bash |
| 166 | +systemctl daemon-reload |
| 167 | +systemctl restart kubelet.service |
| 168 | +``` |
| 169 | +### 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual) |
| 170 | + |
| 171 | +**Result:** NOT APPLICABLE |
| 172 | + |
| 173 | +**Remediation:** If using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a value other than 0. |
| 174 | +If using command line arguments, edit the kubelet service file `/etc/kubernetes/kubelet.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable. |
| 175 | +```bash |
| 176 | +--streaming-connection-idle-timeout=5m |
| 177 | +``` |
| 178 | +Based on your system, restart the `kubelet` service. For example: |
| 179 | +```bash |
| 180 | +systemctl daemon-reload |
| 181 | +systemctl restart kubelet.service |
| 182 | +``` |
| 183 | + |
| 184 | +### 4.2.6 Ensure that the --make-iptables-util-chains argument is set to true (Automated) |
| 185 | + |
| 186 | +**Result:** NOT APPLICABLE |
| 187 | + |
| 188 | +**Remediation:** If using a Kubelet config file, edit the file to set `makeIPTablesUtilChains: true`. |
| 189 | +If using command line arguments, edit the kubelet service file `/etc/kubernetes/kubelet.conf` on each worker node and remove the `--make-iptables-util-chains` argument from the `KUBELET_SYSTEM_PODS_ARGS` variable. |
| 190 | + |
| 191 | +Based on your system, restart the `kubelet` service. For example: |
| 192 | +```bash |
| 193 | +systemctl daemon-reload |
| 194 | +systemctl restart kubelet.service |
| 195 | +``` |
| 196 | + |
| 197 | +### 4.2.7 Ensure that the --hostname-override argument is not set (Manual) |
| 198 | + |
| 199 | +**Result:** NOT APPLICABLE |
| 200 | + |
| 201 | +**Remediation:** Edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--hostname-override` argument from the `KUBELET_SYSTEM_PODS_ARGS` variable. |
| 202 | +Based on your system, restart the `kubelet` service. For example: |
| 203 | +```bash |
| 204 | +systemctl daemon-reload |
| 205 | +systemctl restart kubelet.service |
| 206 | +``` |
| 207 | + |
| 208 | +### 4.2.8 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual) |
| 209 | + |
| 210 | +**Result:** NOT APPLICABLE |
| 211 | + |
| 212 | +**Remediation:** If using a Kubelet config file, edit the file to set `eventRecordQPS:` to an appropriate level. |
| 213 | +If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_ARGS` variable. |
| 214 | +Based on your system, restart the `kubelet` service. For example: |
| 215 | +```bash |
| 216 | +systemctl daemon-reload |
| 217 | +systemctl restart kubelet.service |
| 218 | +``` |
| 219 | + |
| 220 | +### 4.2.9 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated) |
| 221 | + |
| 222 | +**Result:** NOT APPLICABLE |
| 223 | + |
| 224 | +**Remediation:** If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the corresponding private key file. |
| 225 | +If using command line arguments, edit the kubelet service file /etc/kubernetes/kubelet.conf` on each worker node and set the below parameters in `KUBELET_CERTIFICATE_ARGS` variable. |
| 226 | +```bash |
| 227 | +--tls-cert-file=<path/to/tls-certificate-file> --tls-private-key-file=<path/to/tls-key-file> |
| 228 | +``` |
| 229 | +Based on your system, restart the kubelet service. For example: |
| 230 | +```bash |
| 231 | +systemctl daemon-reload |
| 232 | +systemctl restart kubelet.service |
| 233 | +``` |
| 234 | + |
| 235 | +### 4.2.10 Ensure that the --rotate-certificates argument is not set to false (Automated) |
| 236 | + |
| 237 | +**Result:** NOT APPLICABLE |
| 238 | + |
| 239 | +**Remediation:** If using a Kubelet config file, edit the file to add the line `rotateCertificates: true` or remove it altogether to use the default value. |
| 240 | +If using command line arguments, edit the kubelet service file `/etc/kubernetes/kubelet.conf` on each worker node and remove `--rotate-certificates=false` argument from the `KUBELET_CERTIFICATE_ARGS` variable or set --rotate-certificates=true. |
| 241 | +Based on your system, restart the `kubelet` service. For example: |
| 242 | +```bash |
| 243 | +systemctl daemon-reload |
| 244 | +systemctl restart kubelet.service |
| 245 | +``` |
| 246 | + |
| 247 | +<!-- vale Google.Headings = NO --> |
| 248 | +### 4.2.11 Verify that the RotateKubeletServerCertificate argument is set to true (Automated) |
| 249 | +<!-- vale Google.Headings = YES --> |
| 250 | + |
| 251 | +**Result:** NOT APPLICABLE |
| 252 | + |
| 253 | +**Remediation:** Edit the kubelet service file `/etc/kubernetes/kubelet.conf` on each worker node and set the below parameter in `KUBELET_CERTIFICATE_ARGS` variable. |
| 254 | +```bash |
| 255 | +--feature-gates=RotateKubeletServerCertificate=true |
| 256 | +``` |
| 257 | +Based on your system, restart the `kubelet` service. For example: |
| 258 | +```bash |
| 259 | +systemctl daemon-reload |
| 260 | +systemctl restart kubelet.service |
| 261 | +``` |
| 262 | + |
| 263 | +<!-- vale Google.Headings = NO --> |
| 264 | +### 4.2.12 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Automated) |
| 265 | +<!-- vale Google.Headings = YES --> |
| 266 | + |
| 267 | +**Result:** NOT APPLICABLE |
| 268 | + |
| 269 | +**Remediation:** If using a Kubelet config file, edit the file to set `TLSCipherSuites:` to |
| 270 | +``` |
| 271 | +TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM |
| 272 | +_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM |
| 273 | +_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM |
| 274 | +_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 |
| 275 | +``` |
| 276 | +or to a subset of these values.<br/> |
| 277 | +If using executable arguments, edit the kubelet service file `/etc/kubernetes/kubelet.conf` on each worker node and set the `--tls-cipher-suites` parameter as follows, or to a subset of these values. |
| 278 | +```bash |
| 279 | +--tls-cipher- |
| 280 | +suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM |
| 281 | +_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM |
| 282 | +_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM |
| 283 | +_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 |
| 284 | +``` |
| 285 | +Based on your system, restart the `kubelet` service. For example: |
| 286 | +```bash |
| 287 | +systemctl daemon-reload |
| 288 | +systemctl restart kubelet.service |
| 289 | +``` |
| 290 | + |
| 291 | +<!-- vale Google.Headings = NO --> |
| 292 | +### 4.2.13 Ensure that a limit is set on pod PIDs (Manual) |
| 293 | +<!-- vale Google.Headings = YES --> |
| 294 | + |
| 295 | +**Result:** NOT APPLICABLE |
| 296 | + |
| 297 | +**Remediation:** Decide on an appropriate level for this parameter and set it, either via the `--pod-max-pids` command line parameter or the `PodPidsLimit` configuration file setting. |
| 298 | + |
| 299 | +<!-- vale Google.Headings = NO --> |
| 300 | +## 4.3 kube-proxy |
| 301 | +<!-- vale Google.Headings = YES --> |
| 302 | +### 4.3.1 Ensure that the kube-proxy metrics service is bound to localhost (Automated) |
| 303 | + |
| 304 | +**Result:** NOT APPLICABLE |
| 305 | + |
| 306 | +**Remediation:** Modify or remove any values which bind the metrics service to a non-localhost address |
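Review bot: The remediation command under 4.1.10 (`chown root:root /etc/kubernetes/kubelet.conf`) targets the kubelet kubeconfig, not the `--config` file that the control names and that 4.1.9 locates at `/var/lib/kubelet/config.yaml`; the two controls should point at the same file. In the same vein, 4.2.1 through 4.2.12 tell the reader to "edit the kubelet service file `/etc/kubernetes/kubelet.conf`", while 4.1.1 and 4.2.7 identify the service file as the systemd drop-in (`/etc/systemd/system/kubelet.service.d/kubeadm.conf` and `.../10-kubeadm.conf`); pick one path for the service file and keep `kubelet.conf` for the kubeconfig controls only. A few smaller fixes for the same hunk: the cipher-suite lists in 4.2.12 are broken mid-identifier across lines (`TLS_ECDHE_RSA_WITH_AES_128_GCM` / `_SHA256`, and `--tls-cipher-` / `suites=`), so they cannot be copied into a config file or service file as shown and should each sit on one line; 4.2.8 announces "set the below parameter in `KUBELET_ARGS` variable" but no parameter block follows; 4.2.9 is missing the opening backtick before `/etc/kubernetes/kubelet.conf`; the config keys `TLSCipherSuites:` (4.2.12) and `PodPidsLimit` (4.2.13) use a different casing from the lowerCamel keys elsewhere on the page (`readOnlyPort`, `makeIPTablesUtilChains`, `rotateCertificates`, `streamingConnectionIdleTimeout`) and should match; and "on the each worker node" (4.1.1 to 4.1.6) and "identied" (4.1.9, 4.1.10) are typos. Finally, since every control is marked NOT APPLICABLE, consider adding one sentence to the intro stating that the corresponding checks are to be run against the host cluster's nodes, so the reader knows where the inherited requirement is actually verified.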