forked from elastic/csp-security-policies
data.yaml
metadata:
  id: 6f2e9eb5-d55f-5eaa-9f8d-472f246d1343
  name: Ensure that the --hostname-override argument is not set
  rule_number: 4.2.8
  profile_applicability: '* Level 1 - Worker Node'
  description: Do not override node hostnames.
  rationale: |-
    Overriding hostnames could break the TLS setup between the kubelet and the apiserver.
    Additionally, with overridden hostnames, it becomes increasingly difficult to associate logs with a particular node and process them for security analytics.
    Hence, you should set up your kubelet nodes with resolvable FQDNs and avoid overriding the hostnames with IPs.
  audit: |-
    Run the following command on each node:
    ```
    ps -ef | grep kubelet
    ```
    Verify that the `--hostname-override` argument does not exist.
    **Note:** This setting is not configurable via the Kubelet config file.
  remediation: |-
    Edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--hostname-override` argument from the `KUBELET_SYSTEM_PODS_ARGS` variable.
    Based on your system, restart the `kubelet` service.
    For example:
    ```
    systemctl daemon-reload
    systemctl restart kubelet.service
    ```
  impact: |-
    Some cloud providers may require this flag to ensure that the hostname matches the names issued by the cloud provider. In these environments, this recommendation should not apply.
  default_value: |
    By default, the `--hostname-override` argument is not set.
  references: |-
    1. https://kubernetes.io/docs/admin/kubelet/
    2. https://github.com/kubernetes/kubernetes/issues/22063
  section: Kubelet
  version: '1.0'
  tags:
  - CIS
  - Kubernetes
  - CIS 4.2.8
  - Kubelet
  benchmark:
    name: CIS Kubernetes V1.23
    version: v1.0.1
    id: cis_k8s
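The audit and remediation steps above, as an added worked example that is not part of the elastic/csp-security-policies repository or of the CIS benchmark text. The `ps -ef | grep kubelet` check in the rule matches its own grep process and any unrelated command that mentions "kubelet", and it misses nothing only if you remember that the flag can be spelled either `--hostname-override=NAME` or `--hostname-override NAME`. The helper below reads the running kubelet's argv from `/proc/<pid>/cmdline` instead, tests both spellings, and strips the flag from a systemd drop-in for remediation. The function names, the sample command lines and the sample drop-in line are constructed for illustration; `pgrep` and a Linux `/proc` are assumed on the node.

```sh
#!/bin/sh
# Added audit/remediation helper for CIS Kubernetes 4.2.8 (example code, not
# from the elastic/csp-security-policies project). Function names are ours;
# sample inputs used in comments are constructed.

# has_hostname_override CMDLINE
# Returns 0 (true) when --hostname-override is present in the kubelet command
# line in either accepted spelling, 1 when it is absent. The wrapping spaces
# keep a flag at the very start or end of the argv from being missed.
has_hostname_override() {
    hho_cmdline=" $1 "
    case "$hho_cmdline" in
        *" --hostname-override="*|*" --hostname-override "*) return 0 ;;
        *) return 1 ;;
    esac
}

# kubelet_cmdline
# Prints the argv of the running kubelet, space separated. Reading /proc avoids
# the self-match that "ps -ef | grep kubelet" produces and sees the fully
# expanded arguments, including anything injected through environment files.
kubelet_cmdline() {
    kc_pid=$(pgrep -x kubelet | head -n 1)
    [ -n "$kc_pid" ] || return 1
    tr '\0' ' ' < "/proc/$kc_pid/cmdline"
}

# audit_node
# Prints PASS/FAIL for this node; exit status 0 = compliant, 1 = flag set,
# 2 = kubelet not running. On clusters where the cloud provider requires the
# flag (see the impact section), record a FAIL here as an accepted exception
# rather than remediating it.
audit_node() {
    an_cmdline=$(kubelet_cmdline) || { echo "kubelet is not running"; return 2; }
    if has_hostname_override "$an_cmdline"; then
        echo "FAIL 4.2.8: --hostname-override is set"
        return 1
    fi
    echo "PASS 4.2.8: --hostname-override is not set"
}

# strip_hostname_override FILE
# Removes every --hostname-override argument (with an "=value", a separate
# value, or no value at all) from a kubelet systemd drop-in such as
# /etc/systemd/system/kubelet.service.d/10-kubeadm.conf, keeping a .bak copy.
# The caller still has to run "systemctl daemon-reload" and restart kubelet.
strip_hostname_override() {
    sho_file=$1
    cp "$sho_file" "$sho_file.bak"
    sed -E 's/[[:space:]]*--hostname-override(=[^[:space:]"]*|[[:space:]]+[^-"][^[:space:]"]*)?//g' \
        "$sho_file.bak" > "$sho_file"
}

# Usage on a node:  sh audit-4.2.8.sh --run
# Remediation:      strip_hostname_override /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
if [ "${1:-}" = "--run" ]; then
    audit_node
fi
```

The sed pattern deliberately refuses to treat a following `--flag` as the override's value, so `--hostname-override --config=...` loses only the override and the next flag survives. After running `strip_hostname_override` on a node, re-run `audit_node` once the kubelet has been restarted; the file edit alone does not change the running process.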