With the experience people have shared on the internet, I summarized some key aspects as a series of articles for preparing the CKS exam. Each aspect is kept to short, concise points, so this is not a detailed tutorial, just some practical reminders.
Notice: some concepts are based on my understanding and may be inaccurate or even incorrect, so this is just the handbook I used while preparing for the CKS exam.
kube-bench is a tool that checks whether a k8s cluster fulfills the CIS Kubernetes security benchmark.
Concepts
Basic command:
```sh
ssh NODE
kube-bench run --targets TARGETS --check VERSION
```
params:
1. `--targets`: which component group to check: master, node, controlplane, etcd, policies
2. `--check`: select which CIS benchmark checks to run
Checking items
1. on master
```sh
kube-bench run --targets master
```
It checks:
- API server (/etc/kubernetes/manifests/kube-apiserver.yaml)
- Controller manager (/etc/kubernetes/manifests/kube-controller-manager.yaml)
- PKI directory (/etc/kubernetes/pki/)
- Scheduler (/etc/kubernetes/manifests/kube-scheduler.yaml)
2. on node
```sh
ssh NODE
kube-bench run --targets node
```
The kubelet is treated as a node-level component, so this target mainly checks kubelet-related configs:
- /var/lib/kubelet/config.yaml
- /etc/kubernetes/kubelet.conf
- /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
- kubelet certificate location
- anonymous auth
- webhook authz
- protecting /var/lib/kubelet/
- TLS bootstrapping config
- client CA
- file permissions (644/600)
Notice: the kubelet must be restarted manually after its config is changed.
3. etcd check
We only focus on the kubeadm cluster (cloud providers do not expose etcd, and for an externally managed etcd cluster, ssh to that node instead).
kubeadm runs etcd on the control plane node.
```sh
ssh CONTROLPLANE_NODE
kube-bench run --targets etcd
```
It checks /etc/kubernetes/manifests/etcd.yaml for:
- Authentication enabled: `--client-cert-auth=true`, `--peer-client-cert-auth=true`
- Encryption (TLS) enabled: `--cert-file`, `--key-file`, `--peer-cert-file`, `--peer-key-file`
- Proper paths: /etc/kubernetes/pki/etcd/
Notice: for a kubeadm cluster, kubeadm updates the file under /manifests and the kubelet then automatically restarts etcd, so there is no need to restart it manually.
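The etcd items above can also be re-checked by hand, for example to confirm a fix before re-running kube-bench. The script below is an added example, not code from the original post or from kube-bench itself: it audits a constructed copy of /etc/kubernetes/manifests/etcd.yaml for the authentication, encryption and path items listed above (plus `--auto-tls` and `--peer-auto-tls`, which belong to the same benchmark section but are not in the list), then shows the hardened manifest passing. The manifest contents, IP address, image tag and scratch paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: an offline re-check of the etcd
# items listed above, run against a constructed copy of
# /etc/kubernetes/manifests/etcd.yaml. All paths and values are assumptions
# for illustration, not taken from a real cluster.
set -u

WORK=$(mktemp -d)

# Constructed static-pod manifest: TLS files are configured, but client
# certificate auth is off and peer auto-TLS is on.
cat > "$WORK/etcd.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: etcd
  namespace: kube-system
spec:
  containers:
  - command:
    - etcd
    - --advertise-client-urls=https://10.0.0.10:2379
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --client-cert-auth=false
    - --data-dir=/var/lib/etcd
    - --key-file=/etc/kubernetes/pki/etcd/server.key
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
    - --peer-auto-tls=true
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    image: registry.k8s.io/etcd:3.5.9-0
    name: etcd
EOF

# etcd_flag MANIFEST NAME -> value of the "- --NAME=value" command argument,
# empty if the flag is absent.
etcd_flag() {
  sed -n "s/^[[:space:]]*- --$2=\(.*\)\$/\1/p" "$1" | head -n 1
}

FAILS=0
# expect DESCRIPTION TEST-ARGS...: runs [ TEST-ARGS ], prints PASS/FAIL, counts failures
expect() {
  desc=$1; shift
  if [ "$@" ]; then echo "PASS $desc"; else echo "FAIL $desc"; FAILS=$((FAILS + 1)); fi
}

# audit_etcd MANIFEST: the authentication, encryption and path items above,
# plus the auto-TLS flags from the same benchmark section
audit_etcd() {
  m=$1; FAILS=0
  for f in cert-file key-file peer-cert-file peer-key-file trusted-ca-file; do
    v=$(etcd_flag "$m" "$f"); ok=0
    case "$v" in /etc/kubernetes/pki/etcd/*) ok=1 ;; esac
    expect "--$f under /etc/kubernetes/pki/etcd/ (got '${v:-unset}')" "$ok" = 1
  done
  expect "--client-cert-auth=true" "$(etcd_flag "$m" client-cert-auth)" = true
  expect "--peer-client-cert-auth=true" "$(etcd_flag "$m" peer-client-cert-auth)" = true
  expect "--auto-tls not enabled" "$(etcd_flag "$m" auto-tls)" != true
  expect "--peer-auto-tls not enabled" "$(etcd_flag "$m" peer-auto-tls)" != true
  echo "$FAILS failure(s)"
}

# etcd_failures MANIFEST -> just the failure count
etcd_failures() { audit_etcd "$1" >/dev/null; echo "$FAILS"; }

# harden_etcd IN OUT: turn client cert auth on and replace peer auto-TLS with
# peer client cert auth (the peer cert/key files are already configured)
harden_etcd() {
  sed -e 's/^\([[:space:]]*- \)--client-cert-auth=.*/\1--client-cert-auth=true/' \
      -e 's/^\([[:space:]]*- \)--peer-auto-tls=.*/\1--peer-client-cert-auth=true/' \
      "$1" > "$2"
}

echo "--- before ---"; audit_etcd "$WORK/etcd.yaml"
harden_etcd "$WORK/etcd.yaml" "$WORK/etcd-fixed.yaml"
echo "--- after ---";  audit_etcd "$WORK/etcd-fixed.yaml"
# On a real kubeadm node the fixed file goes back to
# /etc/kubernetes/manifests/etcd.yaml; the kubelet picks up the change and
# restarts the etcd static pod, so no manual restart is needed.
```

The "before" run reports three failures (client cert auth off, peer client cert auth missing, peer auto-TLS on) and the "after" run none; the path checks pass in both because the constructed manifest already keeps its certificates under /etc/kubernetes/pki/etcd/.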
Notice:
Pay attention to the difference between `kube-bench run --targets node` and `kube-bench run --targets master` (or the other targets):
- master: API server, controller manager, etc.; the kubelet watches the manifest files
- etcd: the etcd service; the kubelet watches the manifest files
- policies: kubectl
Under a kubeadm cluster, kube-apiserver, kube-controller-manager, kube-scheduler and etcd are managed by kubeadm/kubelet, with their config files under /etc/kubernetes/manifests/*.
Policies are controlled through kubectl, so for these we can simply follow the recommendations kube-bench shows.
| Component | How it runs | Config change effect | Restart needed? |
|---|---|---|---|
| kube-apiserver | Static pod | Kubelet watches manifest | No (auto restart) |
| kube-controller-manager | Static pod | Same | No |
| kube-scheduler | Static pod | Same | No |
| etcd (kubeadm) | Static pod | Same | No |
| policies | YAML API objects | Apply with kubectl | No restart |
| kubelet | systemd service | Reads config only at startup | Yes — manual restart |
For kubelet-related configs, however, we first need to find the kubelet config file, and then the environment file that points to it, before fixing anything.
```sh
# find the kubelet unit and its drop-in file
# (e.g. /etc/systemd/system/kubelet.service.d/10-kubeadm.conf)
systemctl status kubelet
# the drop-in file sets the kubelet config location, e.g.:
Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
# change the params in that config file (/var/lib/kubelet/config.yaml)
```
Do not fix the params directly in the `Environment=` line.
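To see the whole node-side procedure together (find the config through the drop-in, fix it in config.yaml, restart the kubelet), here is an added example that is not from the original post and not kube-bench's own code. It runs on constructed files: a drop-in in the shape kubeadm writes, and a config.yaml showing the anonymous auth, webhook authz, client CA and permission problems the node section lists. The audit and remediation logic, the scratch paths and the CA path /etc/kubernetes/pki/ca.crt are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the node-target fix procedure on
# constructed files. It finds the kubelet config through the systemd drop-in,
# audits the kubelet items from the node section (anonymous auth, webhook
# authz, client CA, file permissions), fixes them in config.yaml rather than in
# the Environment= line, and re-audits. All paths and values are assumptions.
set -u

WORK=$(mktemp -d)
mkdir -p "$WORK/etc/systemd/system/kubelet.service.d" "$WORK/var/lib/kubelet"
DROPIN="$WORK/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"

# Constructed drop-in in the shape kubeadm writes; a real one points at
# /var/lib/kubelet/config.yaml, here it points into the scratch directory.
cat > "$DROPIN" <<EOF
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBELET_CONFIG_ARGS=--config=$WORK/var/lib/kubelet/config.yaml"
EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
EOF

# write_insecure_config FILE: constructed kubelet config with the settings
# kube-bench flags, plus group-writable permissions
write_insecure_config() {
  cat > "$1" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: true
  webhook:
    enabled: false
  x509:
    clientCAFile: ""
authorization:
  mode: AlwaysAllow
EOF
  chmod 664 "$1"
}

# kubelet_config_path DROPIN -> the path after --config= in KUBELET_CONFIG_ARGS
kubelet_config_path() {
  sed -n 's/^Environment="KUBELET_CONFIG_ARGS=.*--config=\([^" ]*\).*/\1/p' "$1"
}

# yaml_get FILE PARENT KEY -> value of the first "KEY:" line after "PARENT:"
yaml_get() {
  awk -v p="$2:" -v k="$3:" '$1 == p {inp = 1; next} inp && $1 == k {print $2; exit}' "$1"
}

# yaml_set FILE PARENT KEY VALUE: rewrite that line in place, keeping the
# file's indentation and permissions
yaml_set() {
  awk -v p="$2:" -v k="$3:" -v v="$4" '
    $1 == p {inp = 1}
    inp && $1 == k {sub(/:.*/, ": " v); inp = 0}
    {print}' "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm "$1.tmp"
}

# perm_ok FILE -> 0 when neither group nor others may write (644 or stricter)
perm_ok() {
  case "$(ls -ld "$1" | cut -c1-10)" in
    ?????w*|????????w*) return 1 ;;
  esac
  return 0
}

FAILS=0
# expect DESCRIPTION TEST-ARGS...: runs [ TEST-ARGS ], prints PASS/FAIL, counts failures
expect() {
  desc=$1; shift
  if [ "$@" ]; then echo "PASS $desc"; else echo "FAIL $desc"; FAILS=$((FAILS + 1)); fi
}

# audit_kubelet CONFIG: the kubelet items from the node section
audit_kubelet() {
  cfg=$1; FAILS=0
  expect "authentication.anonymous.enabled is false" "$(yaml_get "$cfg" anonymous enabled)" = false
  expect "authentication.webhook.enabled is true" "$(yaml_get "$cfg" webhook enabled)" = true
  expect "authorization.mode is not AlwaysAllow" "$(yaml_get "$cfg" authorization mode)" != AlwaysAllow
  expect "authentication.x509.clientCAFile is set" -n "$(yaml_get "$cfg" x509 clientCAFile | tr -d '"')"
  ok=0; perm_ok "$cfg" && ok=1
  expect "config file mode is 644 or stricter" "$ok" = 1
  echo "$FAILS failure(s)"
}

# kubelet_failures CONFIG -> just the failure count
kubelet_failures() { audit_kubelet "$1" >/dev/null; echo "$FAILS"; }

# fix_kubelet CONFIG: the remediation goes into config.yaml, never into the
# Environment= line of the drop-in
fix_kubelet() {
  yaml_set "$1" anonymous enabled false
  yaml_set "$1" webhook enabled true
  yaml_set "$1" authorization mode Webhook
  yaml_set "$1" x509 clientCAFile /etc/kubernetes/pki/ca.crt   # assumed CA path
  chmod 644 "$1"
}

CFG=$(kubelet_config_path "$DROPIN")
echo "kubelet config file: $CFG"
write_insecure_config "$CFG"
echo "--- before ---"; audit_kubelet "$CFG"
fix_kubelet "$CFG"
echo "--- after ---";  audit_kubelet "$CFG"
# config.yaml is read only when the kubelet starts, so on a real node the change
# takes effect after: systemctl daemon-reload && systemctl restart kubelet
```

yaml_get and yaml_set only understand the two-level key layout of this sample file, which is enough to show the point; on a real node the same four keys live in /var/lib/kubelet/config.yaml, and the restart at the end is the manual step the table above marks for the kubelet.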
Summary
| Benchmark section | Contains checks for | kube-bench target |
|---|---|---|
| Master Node (1.x) | API server, controller-manager, PKI, scheduler, etc. | master or controlplane |
| Node (4.x) | Kubelet, kubelet config, certificates, permissions | node |
| etcd (3.x) | etcd service, certs, ports, flags | etcd |
| Policies (5.x) | PodSecurityPolicies (old), security policies | policies |