3. [CKS] Exam: kube-bench CIS benchmark
3.1 Task requirements
3.2 Location in the official documentation
3.3 Procedure
3.3.1 Modify the kube-apiserver configuration
After switching the context, ssh to the corresponding master node.
# vim /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 172.30.60.35:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=172.30.60.35
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC # modified
    - --enable-bootstrap-token-auth=true
3.3.2 Modify the etcd configuration
# vim /etc/kubernetes/manifests/etcd.yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/etcd.advertise-client-urls: https://172.30.60.35:2379
  creationTimestamp: null
  labels:
    component: etcd
    tier: control-plane
  name: etcd
  namespace: kube-system
spec:
  containers:
  - command:
    - etcd
    - --advertise-client-urls=https://172.30.60.35:2379
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --client-cert-auth=true # modified
3.3.3 Modify the kubelet configuration
Once the changes on the master node are done, exit the master and SSH to the worker node to edit the kubelet configuration.
Check whether it actually needs to be modified:
# vim /var/lib/kubelet/config.yaml
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false # modified
  webhook:
    cacheTTL: 0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook # modified
  webhook:
    cacheAuthorizedTTL: 0s
    cacheUnauthorizedTTL: 0s
cgroupDriver: systemd
Restart the kubelet:
# systemctl daemon-reload
# systemctl restart kubelet
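A way to re-check all three findings after editing, as an added example that is not part of the original note or of kube-bench: a POSIX shell script that inspects the kube-apiserver and etcd static pod manifests and the kubelet config with grep/awk and returns the number of checks that still fail. The default paths are the kubeadm locations used above; the helper names (check_flag, check_kubelet, audit, write_samples) and the before/after sample files they operate on are constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original note): re-check the three kube-bench
# findings fixed above without running kube-bench itself. It inspects the
# kubeadm static pod manifests and the kubelet config with grep/awk and
# returns the number of failed checks. Default paths are the ones used in the
# note; write_samples creates constructed before/after files for an offline run.

# check_flag FILE FLAG VALUE: succeed if the pod's command list contains
# "- --FLAG=VALUE" (a trailing "# ..." comment is allowed).
check_flag() {
  grep -Eq "^[[:space:]]*-[[:space:]]*--$2=$3[[:space:]]*(#.*)?$" "$1"
}

# check_kubelet FILE: succeed only if authentication.anonymous.enabled is
# false and authorization.mode is Webhook (two-space YAML indentation assumed,
# as in the kubeadm-generated file).
check_kubelet() {
  awk '
    /^[^ ]/   { top = $1; sub2 = "" }   # top-level key resets context
    /^  [^ ]/ { sub2 = $1 }             # second-level key
    top == "authentication:" && sub2 == "anonymous:" && $1 == "enabled:" && $2 == "false" { anon_ok = 1 }
    top == "authorization:" && $1 == "mode:" && $2 == "Webhook" { mode_ok = 1 }
    END { exit !(anon_ok && mode_ok) }
  ' "$1"
}

# audit [APISERVER] [ETCD] [KUBELET]: print PASS/FAIL per finding, return the
# number of failures (so it can gate an exam self-check or a CI job).
audit() {
  apiserver=${1:-/etc/kubernetes/manifests/kube-apiserver.yaml}
  etcd=${2:-/etc/kubernetes/manifests/etcd.yaml}
  kubelet=${3:-/var/lib/kubelet/config.yaml}
  fails=0
  if check_flag "$apiserver" authorization-mode 'Node,RBAC'; then
    echo "PASS kube-apiserver --authorization-mode=Node,RBAC"
  else
    echo "FAIL kube-apiserver --authorization-mode must be Node,RBAC"; fails=$((fails + 1))
  fi
  if check_flag "$etcd" client-cert-auth true; then
    echo "PASS etcd --client-cert-auth=true"
  else
    echo "FAIL etcd --client-cert-auth must be true"; fails=$((fails + 1))
  fi
  if check_kubelet "$kubelet"; then
    echo "PASS kubelet anonymous auth disabled and authorization mode Webhook"
  else
    echo "FAIL kubelet anonymous auth must be disabled and authorization mode Webhook"; fails=$((fails + 1))
  fi
  return $fails
}

# pod_manifest BINARY FLAG: print a minimal, constructed static pod command list.
pod_manifest() {
  printf 'spec:\n  containers:\n  - command:\n    - %s\n    - %s\n' "$1" "$2"
}

# kubelet_config ANON_ENABLED AUTHZ_MODE: print a minimal, constructed kubelet config.
kubelet_config() {
  printf 'authentication:\n  anonymous:\n    enabled: %s\n  webhook:\n    enabled: true\nauthorization:\n  mode: %s\n' "$1" "$2"
}

# write_samples DIR: constructed "before" (as kube-bench would flag it) and
# "after" (as edited in the note) files for the offline demo.
write_samples() {
  pod_manifest kube-apiserver '--authorization-mode=AlwaysAllow'          > "$1/apiserver-before.yaml"
  pod_manifest kube-apiserver '--authorization-mode=Node,RBAC # modified' > "$1/apiserver-after.yaml"
  pod_manifest etcd '--client-cert-auth=false'          > "$1/etcd-before.yaml"
  pod_manifest etcd '--client-cert-auth=true # modified' > "$1/etcd-after.yaml"
  kubelet_config true  AlwaysAllow > "$1/kubelet-before.yaml"
  kubelet_config false Webhook     > "$1/kubelet-after.yaml"
}

dir=$(mktemp -d)
write_samples "$dir"
echo "== before remediation =="
before_fails=0
audit "$dir/apiserver-before.yaml" "$dir/etcd-before.yaml" "$dir/kubelet-before.yaml" || before_fails=$?
echo "== after remediation =="
after_fails=0
audit "$dir/apiserver-after.yaml" "$dir/etcd-after.yaml" "$dir/kubelet-after.yaml" || after_fails=$?
echo "failures before: $before_fails, after: $after_fails"
rm -rf "$dir"
```

On a real node, call audit with no arguments as root so it reads the live files. The kubelet watches /etc/kubernetes/manifests and recreates kube-apiserver and etcd on its own when those files change; only the kubelet config edit needs the systemctl restart shown above.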