Task weight: 3%
Use context: kubectl config use-context infra-prod
You're asked to evaluate specific settings of cluster2 against the CIS Benchmark recommendations. Use the tool kube-bench, which is already installed on the nodes.
Connect using ssh cluster2-controlplane1 and ssh cluster2-node1.
On the master node ensure (correct if necessary) that the CIS recommendations are set for:
- The --profiling argument of the kube-controller-manager
- The ownership of directory /var/lib/etcd
On the worker node ensure (correct if necessary) that the CIS recommendations are set for:
- The permissions of the kubelet configuration /var/lib/kubelet/config.yaml
- The --client-ca-file argument of the kubelet
Solution:
Check the control-plane node first
ssh cluster2-controlplane1
kube-bench run --targets=master
1
Narrow the output down by keyword
kube-bench run --targets=master | grep "kube-controller-manager" -A 3
Edit the static pod manifest
vim /etc/kubernetes/manifests/kube-controller-manager.yaml
# /etc/kubernetes/manifests/kube-controller-manager.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-controller-manager
    tier: control-plane
  name: kube-controller-manager
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-controller-manager
    - --allocate-node-cidrs=true
    - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf
    - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf
    - --bind-address=127.0.0.1
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --cluster-cidr=10.244.0.0/16
    - --cluster-name=kubernetes
    - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
    - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
    - --controllers=*,bootstrapsigner,tokencleaner
    - --kubeconfig=/etc/kubernetes/controller-manager.conf
    - --leader-elect=true
    - --node-cidr-mask-size=24
    - --port=0
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --root-ca-file=/etc/kubernetes/pki/ca.crt
    - --service-account-private-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=10.96.0.0/12
    - --use-service-account-credentials=true
    - --profiling=false   # added for CIS 1.3.2
The kubelet watches /etc/kubernetes/manifests and recreates the static pod when the file changes, so no manual restart is needed. Once the pod is running again, rerun the check; it now passes:
kube-bench run --targets=master | grep kube-controller -A 3
kube-bench run --targets=master | grep 1.3.2
2
Check the ownership of /var/lib/etcd
ll /var/lib/etcd
The directory is owned by root:root; the benchmark expects etcd:etcd. Note that ll lists the directory's contents, while kube-bench checks the ownership of the directory entry itself. The chown below requires that an etcd user and group exist on the node.
chown -R etcd:etcd /var/lib/etcd   # set owner and group of the directory and its contents to etcd:etcd
3
Switch to cluster2-node1 and check the worker node
ssh cluster2-node1
kube-bench run --targets=node
Check the permissions of /var/lib/kubelet/config.yaml. They are 777 (world-writable); the benchmark requires 644 or more restrictive, so set them to 644:
ll /var/lib/kubelet/config.yaml
chmod 644 /var/lib/kubelet/config.yaml
4
Check the --client-ca-file setting
kube-bench run --targets=node | grep client-ca-file
This check already passes, so nothing needs to change. With kubeadm the CA is configured in the kubelet config file as authentication.x509.clientCAFile rather than as a command-line flag; kube-bench accepts either form.
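The four checks above, with their remediations, as one shell script. This is an added example, not part of the original page, the exam, or kube-bench itself. It assumes the kubeadm default paths used in the task, GNU coreutils (stat -c), and the CIS Kubernetes Benchmark v1.6 check numbers that kube-bench prints (other benchmark versions renumber them). The sample manifest and kubelet config are constructed in a temporary directory so the script runs offline; on a node you would point it at / instead.

```shell
#!/bin/sh
# Added example: the task's four CIS checks as functions plus remediations.
# Every function takes a path, so it runs against real node files or against
# the constructed sample tree built by demo_fixture. Needs GNU coreutils.

# 1.3.2: kube-controller-manager must run with --profiling=false.
check_profiling() {
    grep -Eq '^[[:space:]]*-[[:space:]]*--profiling=false[[:space:]]*(#.*)?$' "$1"
}

# Remediation: rewrite an existing --profiling flag, or insert one right after
# the binary name in the static pod's command list. The kubelet sees the
# changed manifest and recreates the pod; no manual restart is needed.
fix_profiling() {
    manifest=$1
    if grep -Eq -- '--profiling=' "$manifest"; then
        sed -E 's/--profiling=[A-Za-z]+/--profiling=false/' "$manifest" > "$manifest.tmp"
    else
        awk '{ print }
             /^ *- *kube-controller-manager *$/ && !done {
                 indent = $0; sub(/-.*$/, "", indent)   # keep the list indentation
                 print indent "- --profiling=false"; done = 1
             }' "$manifest" > "$manifest.tmp"
    fi
    mv "$manifest.tmp" "$manifest"
}

# 1.1.12: the etcd data directory must be owned by etcd:etcd. stat reads the
# directory entry itself; a plain `ll` only shows what is inside it.
check_owner() {
    [ "$(stat -c '%U:%G' "$1")" = "$2" ]
}

# 4.1.9: kubelet config mode must be 644 or more restrictive, i.e. it sets no
# bit that the maximum ($2, default 644) does not also set.
check_mode() {
    max=${2:-644}
    mode=$(stat -c '%a' "$1")
    [ $(( (0$mode | 0$max) == 0$max )) -eq 1 ]
}

# 4.2.3: kubelet --client-ca-file. kubeadm sets it in the kubelet config as
# authentication.x509.clientCAFile, which kube-bench accepts instead of the flag.
check_client_ca() {
    grep -Eq '^[[:space:]]*clientCAFile:[[:space:]]*[^[:space:]]+' "$1"
}

# Run the checks against a tree rooted at $1 ("/" on a real node), fix what
# needs no extra privileges, and return 0 only if the file checks pass after.
# Ownership is only reported: chown etcd:etcd needs root and an etcd account
# on the node (verify with: id etcd).
audit_and_fix() {
    root=${1%/}
    m="$root/etc/kubernetes/manifests/kube-controller-manager.yaml"
    k="$root/var/lib/kubelet/config.yaml"
    d="$root/var/lib/etcd"
    check_profiling "$m" || { echo "[FAIL] 1.3.2 --profiling not false in $m, fixing"; fix_profiling "$m"; }
    check_mode "$k" 644  || { echo "[FAIL] 4.1.9 $k mode $(stat -c %a "$k"), setting 644"; chmod 644 "$k"; }
    check_owner "$d" etcd:etcd || echo "[WARN] 1.1.12 $d is $(stat -c %U:%G "$d"); run: chown -R etcd:etcd $d"
    check_client_ca "$k" || echo "[FAIL] 4.2.3 clientCAFile not set in $k"
    check_profiling "$m" && check_mode "$k" 644 && check_client_ca "$k"
}

# Constructed sample tree standing in for the two nodes (not real cluster
# files): a manifest without --profiling and a world-writable kubelet config,
# the two failing states found in the task. Prints the tree's root.
demo_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/kubernetes/manifests" "$root/var/lib/etcd" "$root/var/lib/kubelet"
    cat > "$root/etc/kubernetes/manifests/kube-controller-manager.yaml" <<'EOF'
apiVersion: v1
kind: Pod
spec:
  containers:
  - command:
    - kube-controller-manager
    - --bind-address=127.0.0.1
    - --use-service-account-credentials=true
EOF
    cat > "$root/var/lib/kubelet/config.yaml" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
EOF
    chmod 777 "$root/var/lib/kubelet/config.yaml"
    echo "$root"
}

# Usage: sh cis-fix.sh /    (on a node, as root)
#        sh cis-fix.sh      (offline demo on the constructed tree)
if [ -n "${1:-}" ]; then
    audit_and_fix "$1"
else
    demo_root=$(demo_fixture)
    audit_and_fix "$demo_root"
    rm -rf "$demo_root"
fi
```

The mode check deliberately tests "no bit beyond 644" rather than equality, because 600 or 640 also satisfy the benchmark and should not be flagged; equality tests are a common reason a correctly hardened file still shows as FAIL in home-grown scripts.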