You can configure the kURL installer to be Center for Internet Security (CIS) compliant. Opt-in to this feature by setting the kurl.cisCompliance
field to true
in the kURL specification. For information about known limitations, see Known Limitations. For more information about CIS security compliance for Kubernetes, see the CIS benchmark information.
When you set cisCompliance
is set to true
, the following settings are changed from the default settings:
Primary node configuration:
The admin.conf file ownership is set to root:root
.
API server configuration:
--kubelet-certificate-authority
is set as appropriate.PodSecurityPolicy
is enabled.--insecure-port
is set to 0
.Kubelet configuration:
--protect-kernel-defaults
is set to true
.
This YAML file example shows a valid specification for CIS compliance:
apiVersion: "cluster.kurl.sh/v1beta1"
kind: "Installer"
metadata:
name: "latest"
spec:
kotsadm:
version: "latest"
kubernetes:
version: "1.23.x"
cisCompliance: true
flannel:
version: "0.20.x"
contour:
version: "1.20.x"
prometheus:
version: "0.53.x"
registry:
version: "2.7.x"
containerd:
version: "1.4.x"
ekco:
version: "latest"
minio:
version: "2020-01-25T02-50-51Z"
longhorn:
version: "1.2.x"
root:sudo 440
to root:root 400
.The following failure was identified in kURL testing with kube-bench
v0.6.8 and is believed to be due to the etcd user not being listed in /etc/passwd mounted from the host:
[FAIL] 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)
kube-bench
is deployed as a Kubernetes job running on a control plane node.The kernel defaults of this Amazon Machine Image (AMI) are not set properly for CIS compliance. CIS compliance does not allow Kubernetes to change kernel settings itself. You must change the kernel defaults to the following settings before installing with kURL:
sudo sysctl vm.overcommit_memory=1
sudo sysctl kernel.panic=10
sudo sysctl kernel.panic_on_oops=1
Failure to set these values will result in kubelet crashing. These settings must also be configured on AL2 instance nodes before upgrading them to a CIS compliant kURL specification.