Version: main 🚧

Worker node configuration

The following section provides security recommendations for components running on Kubernetes worker nodes. The assessment focuses on Kubelet configuration, Kubelet security, and file system permissions.

Because vCluster uses the host cluster's nodes, the requirements in this section are primarily inherited from the host cluster's configuration, and verification should focus on ensuring that the host cluster meets them. Most controls in this section are marked NOT APPLICABLE for vCluster deployments because the underlying node security is managed by the host cluster administrators.

Control numbering

The control numbers used throughout this guide (4.1.1, 4.2.1, etc.) correlate directly to the official CIS Kubernetes Benchmark control numbers. This allows you to cross-reference with the official CIS documentation and maintain consistency with standard security frameworks.

4.1 Worker node configuration files

4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive

Result: NOT APPLICABLE

vCluster runs as pods within the host cluster and does not manage kubelet service files directly. The host cluster administrator is responsible for securing kubelet service files. Run the following command based on the file location on your system on each worker node:

chmod 600 /etc/systemd/system/kubelet.service.d/kubeadm.conf

4.1.2 Ensure that the kubelet service file ownership is set to root:root

Result: NOT APPLICABLE

vCluster runs as pods within the host cluster and does not manage kubelet service file ownership. The host cluster administrator is responsible for securing kubelet service file ownership. Run the following command based on the file location on your system on each worker node:

chown root:root /etc/systemd/system/kubelet.service.d/kubeadm.conf

4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive

Result: NOT APPLICABLE

vCluster does not manage proxy kubeconfig files as these are part of the host cluster configuration. The host cluster administrator should ensure appropriate permissions. Run the following command based on the file location on your system on each worker node:

chmod 600 <proxy kubeconfig file>

4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root

Result: NOT APPLICABLE

vCluster does not manage proxy kubeconfig file ownership as these are part of the host cluster configuration. The host cluster administrator should ensure appropriate ownership. Run the following command based on the file location on your system on each worker node:

chown root:root <proxy kubeconfig file>

4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive

Result: NOT APPLICABLE

vCluster does not manage kubelet configuration files as these are part of the host cluster. The host cluster administrator is responsible for securing kubelet configuration file permissions. Run the following command based on the file location on your system on each worker node:

chmod 600 /etc/kubernetes/kubelet.conf

4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root

Result: NOT APPLICABLE

vCluster does not manage kubelet configuration file ownership as these are part of the host cluster. The host cluster administrator is responsible for securing kubelet configuration file ownership. Run the following command based on the file location on your system on each worker node:

chown root:root /etc/kubernetes/kubelet.conf

4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive

Result: NOT APPLICABLE

vCluster does not manage certificate authority files on worker nodes as these are part of the host cluster infrastructure. The host cluster administrator should ensure appropriate file permissions for certificate authorities. Run the following command to modify the file permissions of the --client-ca-file:

chmod 600 <filename>

4.1.8 Ensure that the client certificate authorities file ownership is set to root:root

Result: NOT APPLICABLE

vCluster does not manage certificate authority file ownership on worker nodes as these are part of the host cluster infrastructure. The host cluster administrator should ensure appropriate file ownership. Run the following command to modify the ownership of the --client-ca-file:

chown root:root <filename>

4.1.9 Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive

Result: NOT APPLICABLE

vCluster does not manage kubelet configuration files as these are controlled by the host cluster. The host cluster administrator is responsible for securing kubelet configuration file permissions. Run the following command using the config file location identified in the Audit step:

chmod 600 /var/lib/kubelet/config.yaml

4.1.10 Ensure that the kubelet --config configuration file ownership is set to root:root

Result: NOT APPLICABLE

vCluster does not manage kubelet configuration file ownership as these are controlled by the host cluster. The host cluster administrator is responsible for securing kubelet configuration file ownership. Run the following command using the config file location identified in the Audit step:

chown root:root /etc/kubernetes/kubelet.conf
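The controls in 4.1 all reduce to the same two checks on each host-cluster node: a file mode of 600 or tighter and root:root ownership. The following script is an added example, not part of the vCluster documentation or of any CIS tool; it assumes GNU stat on Linux, uses the file paths quoted in the controls above, and takes the proxy kubeconfig path from a PROXY_KUBECONFIG environment variable because that location varies by distribution.

```shell
#!/bin/sh
# Added audit helper (not from the vCluster docs or any CIS tooling): checks
# that the worker-node files named in section 4.1 are mode 600 or tighter and
# owned by root:root. Assumes GNU stat (Linux). The proxy kubeconfig path
# differs per distribution, so it is taken from PROXY_KUBECONFIG if set.

# Returns 0 when the mode of $1 has no bits outside 0600 (600 or tighter).
check_mode() {
    mode=$(stat -L -c '%a' "$1") || return 1
    # 0177 masks owner execute plus every group/other bit; any such bit fails.
    [ $(( 0$mode & 0177 )) -eq 0 ]
}

# Returns 0 when $1 is owned by user:group $2 (default root:root).
check_owner() {
    have=$(stat -L -c '%U:%G' "$1") || return 1
    [ "$have" = "${2:-root:root}" ]
}

# Audits one file, prints PASS/FAIL/SKIP, returns non-zero on any failure.
audit_file() {
    f=$1; rc=0
    [ -e "$f" ] || { echo "SKIP $f (not present on this node)"; return 0; }
    check_mode "$f"  || { echo "FAIL $f: mode $(stat -L -c '%a' "$f") is wider than 600"; rc=1; }
    check_owner "$f" || { echo "FAIL $f: owner $(stat -L -c '%U:%G' "$f") is not root:root"; rc=1; }
    [ $rc -eq 0 ] && echo "PASS $f"
    return $rc
}

# Runs the audit over the files named by controls 4.1.1 to 4.1.10 and returns
# the number of failing files.
audit_worker_node_files() {
    failures=0
    for f in /etc/systemd/system/kubelet.service.d/kubeadm.conf \
             /etc/kubernetes/kubelet.conf \
             /var/lib/kubelet/config.yaml \
             "$PROXY_KUBECONFIG"; do
        [ -n "$f" ] || continue
        audit_file "$f" || failures=$((failures + 1))
    done
    echo "$failures file(s) failed"
    return $failures
}
```

Run audit_worker_node_files as root on each worker node; a 4-digit mode such as 4600 (setuid bit) is also reported as wider than 600.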

4.2 Kubelet

4.2.1 Ensure that the --anonymous-auth argument is set to false

Result: NOT APPLICABLE

vCluster does not control kubelet configuration parameters as kubelet runs on the host cluster nodes. The host cluster administrator is responsible for disabling anonymous authentication on kubelets. If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to false. If using executable arguments, edit the kubelet service file /etc/kubernetes/kubelet.conf on each worker node and set the following parameter in KUBELET_SYSTEM_PODS_ARGS variable:

--anonymous-auth=false

Based on your system, restart the kubelet service:

systemctl daemon-reload
systemctl restart kubelet.service

4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow

Result: NOT APPLICABLE

vCluster does not control kubelet authorization modes as kubelet runs on the host cluster nodes. The host cluster administrator is responsible for configuring appropriate authorization modes. If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If using executable arguments, edit the kubelet service file /etc/kubernetes/kubelet.conf on each worker node and set the following parameter in KUBELET_AUTHZ_ARGS variable:

--authorization-mode=Webhook

Based on your system, restart the kubelet service:

systemctl daemon-reload
systemctl restart kubelet.service

4.2.3 Ensure that the --client-ca-file argument is set as appropriate

Result: NOT APPLICABLE

vCluster does not manage kubelet client CA configuration as kubelet runs on the host cluster nodes. The host cluster administrator is responsible for configuring client CA files appropriately. If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to the location of the client CA file. If using command line arguments, edit the kubelet service file /etc/kubernetes/kubelet.conf on each worker node and set the following parameter in KUBELET_AUTHZ_ARGS variable:

--client-ca-file=<path/to/client-ca-file>

Based on your system, restart the kubelet service:

systemctl daemon-reload
systemctl restart kubelet.service

4.2.4 Ensure that the --read-only-port argument is set to 0

Result: NOT APPLICABLE

vCluster does not control kubelet read-only port configuration as kubelet runs on the host cluster nodes. The host cluster administrator is responsible for disabling the read-only port. If using a Kubelet config file, edit the file to set readOnlyPort to 0. If using command line arguments, edit the kubelet service file /etc/kubernetes/kubelet.conf on each worker node and set the following parameter in KUBELET_SYSTEM_PODS_ARGS variable:

--read-only-port=0

Based on your system, restart the kubelet service:

systemctl daemon-reload
systemctl restart kubelet.service

4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0

Result: NOT APPLICABLE

vCluster does not control kubelet streaming connection timeout configuration as kubelet runs on the host cluster nodes. The host cluster administrator is responsible for configuring appropriate timeout values. If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a value other than 0. If using command line arguments, edit the kubelet service file /etc/kubernetes/kubelet.conf on each worker node and set the following parameter in KUBELET_SYSTEM_PODS_ARGS variable:

--streaming-connection-idle-timeout=5m

Based on your system, restart the kubelet service:

systemctl daemon-reload
systemctl restart kubelet.service

4.2.6 Ensure that the --make-iptables-util-chains argument is set to true

Result: NOT APPLICABLE

vCluster does not control kubelet iptables configuration as kubelet runs on the host cluster nodes. The host cluster administrator is responsible for configuring iptables utility chains. If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true. If using command line arguments, edit the kubelet service file /etc/kubernetes/kubelet.conf on each worker node and remove the --make-iptables-util-chains argument from the KUBELET_SYSTEM_PODS_ARGS variable.

Based on your system, restart the kubelet service:

systemctl daemon-reload
systemctl restart kubelet.service

4.2.7 Ensure that the --hostname-override argument is not set

Result: NOT APPLICABLE

vCluster does not control kubelet hostname configuration as kubelet runs on the host cluster nodes. The host cluster administrator is responsible for hostname configuration. Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and remove the --hostname-override argument from the KUBELET_SYSTEM_PODS_ARGS variable.

Based on your system, restart the kubelet service:

systemctl daemon-reload
systemctl restart kubelet.service

4.2.8 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture

Result: NOT APPLICABLE

vCluster does not control kubelet event recording configuration as kubelet runs on the host cluster nodes. The host cluster administrator is responsible for configuring appropriate event recording rates. If using a Kubelet config file, edit the file to set eventRecordQPS to an appropriate level. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the following parameter in KUBELET_ARGS variable.

Based on your system, restart the kubelet service:

systemctl daemon-reload
systemctl restart kubelet.service

4.2.9 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate

Result: NOT APPLICABLE

vCluster does not control kubelet TLS configuration as kubelet runs on the host cluster nodes. The host cluster administrator is responsible for configuring TLS certificates appropriately. If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the corresponding private key file. If using command line arguments, edit the kubelet service file /etc/kubernetes/kubelet.conf on each worker node and set the following parameters in KUBELET_CERTIFICATE_ARGS variable:

--tls-cert-file=<path/to/tls-certificate-file> --tls-private-key-file=<path/to/tls-key-file>

Based on your system, restart the kubelet service:

systemctl daemon-reload
systemctl restart kubelet.service

4.2.10 Ensure that the --rotate-certificates argument is not set to false

Result: NOT APPLICABLE

vCluster does not control kubelet certificate rotation configuration as kubelet runs on the host cluster nodes. The host cluster administrator is responsible for enabling certificate rotation. If using a Kubelet config file, edit the file to add the line rotateCertificates: true or remove it altogether to use the default value. If using command line arguments, edit the kubelet service file /etc/kubernetes/kubelet.conf on each worker node and remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS variable or set --rotate-certificates=true.

Based on your system, restart the kubelet service:

systemctl daemon-reload
systemctl restart kubelet.service

4.2.11 Verify that the RotateKubeletServerCertificate argument is set to true

Result: NOT APPLICABLE

vCluster does not control kubelet server certificate rotation as kubelet runs on the host cluster nodes. The host cluster administrator is responsible for enabling server certificate rotation. Edit the kubelet service file /etc/kubernetes/kubelet.conf on each worker node and set the following parameter in KUBELET_CERTIFICATE_ARGS variable:

--feature-gates=RotateKubeletServerCertificate=true

Based on your system, restart the kubelet service:

systemctl daemon-reload
systemctl restart kubelet.service

4.2.12 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers

Result: NOT APPLICABLE

vCluster does not control kubelet TLS cipher configuration as kubelet runs on the host cluster nodes. The host cluster administrator is responsible for configuring strong cryptographic ciphers. If using a Kubelet config file, edit the file to set TLSCipherSuites to the following list:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256

or to a subset of these values. If using executable arguments, edit the kubelet service file /etc/kubernetes/kubelet.conf on each worker node and set the --tls-cipher-suites parameter as follows, or to a subset of these values:

--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256

Based on your system, restart the kubelet service:

systemctl daemon-reload
systemctl restart kubelet.service

4.2.13 Ensure that a limit is set on pod PIDs

Result: NOT APPLICABLE

vCluster does not control kubelet PID limits as kubelet runs on the host cluster nodes. The host cluster administrator is responsible for setting appropriate PID limits. Decide on an appropriate level for this parameter and set it, either via the --pod-max-pids command line parameter or the PodPidsLimit configuration file setting.
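Because vCluster inherits these kubelet settings from the host cluster, verification means inspecting the host node's kubelet flags. The following script is an added example, not part of the vCluster documentation or of any CIS tool; it grades a kubelet command line against the 4.2 controls that are visible in flags, reports any flag left to the --config file as UNSET for manual follow-up, and uses the cipher list from 4.2.12 as its approved set. Control 4.2.8 (eventRecordQPS) has no fixed expected value and is left to manual review.

```shell
#!/bin/sh
# Added audit helper (not from the vCluster docs or any CIS tooling): grades a
# host-node kubelet command line against the section 4.2 controls visible in
# its flags. An absent flag is reported UNSET because its value then comes from
# the --config file or a built-in default, which this script does not read.
# Cipher list from control 4.2.12; any subset of it is acceptable.
APPROVED="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
# Prints the value of --$1 in the argument string $2 (last occurrence wins).
flag_value() { printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^--$1=//p" | tail -n 1; }
ciphers_ok() {  # 0 when every suite in the comma-separated list $1 is in APPROVED
    for c in $(printf '%s' "$1" | tr ',' ' '); do
        case ",$APPROVED," in *",$c,"*) ;; *) return 1 ;; esac
    done
}
pass()   { echo "PASS  $1"; }
unset_() { echo "UNSET $1 (confirm in the kubelet config file)"; }
fail()   { echo "FAIL  $1"; fails=$((fails + 1)); }

# expect CONTROL FLAG MODE PATTERN; MODE 'is' requires the value to match
# PATTERN, 'not' requires it not to, 'absent' requires the flag to be unset.
expect() {
    v=$(flag_value "$2" "$args")
    case $3 in
        absent) [ -z "$v" ] && pass "$1 --$2 not set" || fail "$1 --$2=$v must not be set" ;;
        *) [ -n "$v" ] || { unset_ "$1 --$2"; return; }
           case $v in $4) m=is ;; *) m=not ;; esac
           [ "$m" = "$3" ] && pass "$1 --$2=$v" || fail "$1 --$2=$v" ;;
    esac
}

# Prints one line per control and returns the number of FAIL lines (0 = clean).
audit_kubelet_args() {
    args=$1; fails=0
    expect 4.2.1  anonymous-auth                    is     false
    expect 4.2.2  authorization-mode                not    '*AlwaysAllow*'
    expect 4.2.3  client-ca-file                    is     '?*'
    expect 4.2.4  read-only-port                    is     0
    expect 4.2.5  streaming-connection-idle-timeout not    0
    expect 4.2.6  make-iptables-util-chains         not    false
    expect 4.2.7  hostname-override                 absent
    expect 4.2.9  tls-cert-file                     is     '?*'
    expect 4.2.9  tls-private-key-file              is     '?*'
    expect 4.2.10 rotate-certificates               not    false
    expect 4.2.11 feature-gates                     not    '*RotateKubeletServerCertificate=false*'
    expect 4.2.13 pod-max-pids                      is     '?*'
    cs=$(flag_value tls-cipher-suites "$args")
    if [ -z "$cs" ]; then unset_ "4.2.12 --tls-cipher-suites"
    elif ciphers_ok "$cs"; then pass "4.2.12 --tls-cipher-suites"
    else fail "4.2.12 --tls-cipher-suites includes a suite outside the approved list"; fi
    return $fails
}
```

On a node, feed it the live command line, for example `audit_kubelet_args "$(tr '\0' ' ' < /proc/"$(pidof kubelet)"/cmdline)"`, since /proc cmdline entries are NUL-separated.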

4.3 kube-proxy

4.3.1 Ensure that the kube-proxy metrics service is bound to localhost

Result: NOT APPLICABLE

vCluster does not control kube-proxy configuration as kube-proxy runs on the host cluster nodes. The host cluster administrator is responsible for securing kube-proxy metrics endpoints. Modify or remove any values which bind the metrics service to a non-localhost address.