2023 CKS考试指南:kube-bench基准问题修复详解及答案解析
题目:k8s Kube-Bench不安全项修复
Context:
针对 kubeadm创建的 cluster运行CIS基准测试工具时,发现了多个必须立即解决的问题。
Task:
通过配置修复所有问题并重新启动受影响的组件以确保新的设置生效。
修复针对 API 服务器发现的所有以下违规行为:
1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow FAIL
1.2.8 Ensure that the --authorization-mode argument includes Node FAIL
1.2.9 Ensure that the --authorization-mode argument includes RBAC FAIL
1.2.18 Ensure that the --insecure-bind-address argument is not set FAIL (1.25中这项题目没给出,但最好也检查一下,模拟环境里需要改)
~~1.2.19 Ensure that the --insecure-port argument is set to 0 FAIL ~~(1.25中这项题目没给出,不需要再修改了)修复针对kubelet发现的所有以下违规行为:
Fix all of the following violations that were found against the kubelet:
4.2.1 Ensure that the anonymous-auth argument is set to false FAIL
4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow FAIL
注意:尽可能使用 Webhook 身份验证/授权。修复针对etcd发现的所有以下违规行为:
Fix all of the following violations that were found against etcd:
2.2 Ensure that the --client-cert-auth argument is set to true FAIL
参考
Kubelet 配置 (v1beta1) | Kubernetes
解答
切换集群
kubectl config use-context KSCS002011、修改api-server
kube-bench master检查FAIL项,并根据题目要求进行修改
备份文件 /etc/kubernetes/manifests/kube-apiserver.yaml
修改文件内容
- --authorization-mode=Node,RBAC #修改参数为Node,RBAC
- --insecure-bind-address=0.0.0.0 #删除这一行 #2、修改kubelet
kube-bench node检查FAIL项,并根据题目修改对应项
systemctl status kubelet
cat /etc/systemd/system/kubelet.service.d/10-kubeadm.conf中你也会看到Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"。
所以去修改这个文件
修改之前,备份一下配置文件。
vi /var/lib/kubelet/config.yaml
重载配置 重启kubelet服务
systemctl daemon-reload
systemctl restart kubelet.service3、修改 etcd
kube-bench备份文件 /etc/kubernetes/manifests/etcd.yaml
- --client-cert-auth=true #修改为true做完以后要检查一下 apiserver 运行正常