Ensure that the --hostname-override argument is not set (Kubelet)

Do not override node hostnames. Overriding hostnames can break the TLS setup between the kubelet and the apiserver, because the kubelet's serving certificate and node identity are tied to the name it reports. Additionally, with overridden hostnames, it becomes much harder to associate logs with a particular node and process them for security analytics. Hence, you should set up your kubelet nodes with resolvable FQDNs and avoid overriding their hostnames with IP addresses.

Risk Level: Low
Cloud Entity: Node
CloudGuard Rule ID: D9.K8S.OPE.02
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

KubernetesNode should have kubeletData.kubeletconfig.--hostname-override isEmpty()

REMEDIATION

Edit the kubelet service file $kubeletsvc on each worker node and remove the --hostname-override argument from the KUBELET_SYSTEM_PODS_ARGS variable.
Then restart the kubelet service as appropriate for your system. For example:
systemctl daemon-reload
systemctl restart kubelet.service

If you use the API's configz endpoint, consider checking the status of hostnameOverride by extracting the live configuration from the nodes running kubelet.
See the detailed step-by-step ConfigMap procedures in https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/
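The following audit helper is an added example, not CloudGuard's or the CIS benchmark's own code. It checks a kubelet command line for the --hostname-override flag in both the "--flag=value" and "--flag value" forms and reports the overriding value so a finding can be tied to the node; the sample command lines are constructed, and the live-node helper assumes the kubelet runs as a process named kubelet visible under /proc.

```shell
#!/bin/sh
# Added audit helper for the --hostname-override check (example code, not part of
# the CloudGuard rule). Returns 0 when the flag is absent (compliant), 1 when present.
kubelet_hostname_override_check() {
    cmdline=$1
    for word in $cmdline; do
        case $word in
            --hostname-override|--hostname-override=*)
                return 1 ;;
        esac
    done
    return 0
}

# Print the override value (if any), handling both "--flag=value" and "--flag value".
# Returns 1 and prints nothing when the flag is not set.
kubelet_hostname_override_value() {
    cmdline=$1
    prev=""
    for word in $cmdline; do
        case $word in
            --hostname-override=*)
                printf '%s\n' "${word#--hostname-override=}"
                return 0 ;;
        esac
        if [ "$prev" = "--hostname-override" ]; then
            printf '%s\n' "$word"
            return 0
        fi
        prev=$word
    done
    return 1
}

# On a live worker node: read the running kubelet's arguments from /proc and audit them.
# Assumes a single kubelet process named "kubelet" (assumption, not from the rule text).
kubelet_hostname_override_audit_live() {
    pid=$(pidof kubelet) || { echo "kubelet process not found" >&2; return 2; }
    cmdline=$(tr '\0' ' ' < "/proc/$pid/cmdline")
    if kubelet_hostname_override_check "$cmdline"; then
        echo "PASS: --hostname-override is not set"
    else
        echo "FAIL: --hostname-override=$(kubelet_hostname_override_value "$cmdline")"
        return 1
    fi
}

# Constructed sample command lines (not captured from a real node).
SAMPLE_COMPLIANT='/usr/bin/kubelet --config=/var/lib/kubelet/config.yaml --kubeconfig=/etc/kubernetes/kubelet.conf'
SAMPLE_VIOLATING='/usr/bin/kubelet --config=/var/lib/kubelet/config.yaml --hostname-override=10.0.0.12'
```

Run kubelet_hostname_override_audit_live on each worker node after applying the remediation to confirm the flag is gone from the running process, not only from the unit file.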

References:

  1. https://kubernetes.io/docs/admin/kubelet/
  2. https://github.com/kubernetes/kubernetes/issues/22063

Node

A node is a worker machine in Kubernetes, previously known as a minion. A node may be a VM or physical machine, depending on the cluster. Each node contains the services necessary to run pods and is managed by the master components. The services on a node include the container runtime, kubelet and kube-proxy.

Compliance Frameworks

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0
  • CIS Kubernetes Benchmark v1.20
  • CIS Kubernetes Benchmark v1.23
  • CIS Kubernetes Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.5.1
  • CIS Kubernetes Benchmark v1.6.1
  • Kubernetes NIST.SP.800-190
  • Kubernetes v.1.13 CloudGuard Best Practices
  • Kubernetes v.1.14 CloudGuard Best Practices