Guides
  1. kubernetes policies
  2. Node

Ensure that the --hostname-override argument is not set (Kubelet)

Risk Level: Low
Cloud Entity: Node
CloudGuard Rule ID: D9.K8S.OPE.02
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

KubernetesNode should have kubeletData.kubeletconfig.--hostname-override isEmpty()

REMEDIATION

Edit the kubelet service file $kubeletsvc
on each worker node and remove the --hostname-override argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service

-If using the api configz endpoint consider searching for the status of hostnameOverride by
extracting the live configuration from the nodes running kubelet.
**See detailed step-by-step configmap procedures in
https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/

References:

  1. https://kubernetes.io/docs/admin/kubelet/
  2. https://github.com/kubernetes/kubernetes/issues/22063

Node

A node is a worker machine in Kubernetes, previously known as a minion. A node may be a VM or physical machine, depending on the cluster. Each node contains the services necessary to run pods and is managed by the master components. The services on a node include the container runtime, kubelet and kube-proxy.

Compliance Frameworks

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0
  • CIS Kubernetes Benchmark v1.20
  • CIS Kubernetes Benchmark v1.23
  • CIS Kubernetes Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.5.1
  • CIS Kubernetes Benchmark v1.6.1
  • Kubernetes NIST.SP.800-190
  • Kubernetes v.1.13 CloudGuard Best Practices
  • Kubernetes v.1.14 CloudGuard Best Practices

Updated 7 months ago