CIS K8s Benchmark Findings
After the initial scan completes, you can view the compliance results.
Note: etcd should be configured for peer authentication
Description
etcd is a highly available key-value store used by Kubernetes deployments to store all of its REST API objects persistently. These sensitive objects should be accessible only by authenticated etcd peers in the etcd cluster.
Steps
- Go to Issues > Findings in Accuknox.
- Use the Findings dropdown to filter and select CIS k8s Benchmarking finding results.
- Apply the risk factor as Critical filter and select Failed from the Tool Output filter.
- Click on Apply.
Solution
Require a valid client certificate from every peer attempting to communicate with the etcd server, so that only authenticated peers can reach the store.
Note: Ensure that the --kubelet-certificate-authority argument is set as appropriate
Description
The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods and using the kubelet's port-forwarding functionality. These connections terminate at the kubelet's HTTPS endpoint. By default, the apiserver does not verify the kubelet's serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.
Steps
- Go to Issues > Findings in Accuknox.
- Use the Findings dropdown to filter and select CIS k8s Benchmarking finding results.
- Apply the risk factor as High filter and select Failed from the Tool Output filter.
- Click on Apply.
Solution
Setting the --kubelet-certificate-authority argument configures TLS verification between the apiserver and the kubelets, so that the apiserver-to-kubelet connections are protected against MITM attacks.
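Both findings above (etcd peer authentication and the apiserver's kubelet certificate authority) can be verified offline against the control-plane static pod manifests before re-running the scan. The script below is an added example, not AccuKnox's code; it assumes kubeadm-style manifests in which each flag is written as a "--flag=value" list item, and it builds its own constructed sample manifests so it runs stand-alone.

```shell
#!/bin/sh
# Added example (not AccuKnox's code): offline check of kubeadm-style static pod
# manifests for the two CIS settings described above. Assumes flags are written as
# "--flag=value" list items, as kubeadm generates under /etc/kubernetes/manifests.
set -e

# Print the value of a "--flag=value" argument found in a manifest (empty if absent).
flag_value() {
  sed -n -E "s/^[[:space:]]*-[[:space:]]*['\"]?$2=([^'\"[:space:]]*).*/\1/p" "$1" | head -n 1
}

# etcd finding: peers must present a valid client certificate (--peer-client-cert-auth=true).
check_etcd_peer_auth() {
  [ "$(flag_value "$1" --peer-client-cert-auth)" = "true" ]
}

# apiserver finding: the kubelet serving certificate must be verified against a CA file.
check_kubelet_ca() {
  [ -n "$(flag_value "$1" --kubelet-certificate-authority)" ]
}

# Print PASS/FAIL per check for an etcd manifest ($1) and an apiserver manifest ($2).
audit() {
  check_etcd_peer_auth "$1" && echo "PASS etcd peer auth" || echo "FAIL etcd peer auth ($1)"
  check_kubelet_ca "$2" && echo "PASS kubelet CA" || echo "FAIL kubelet CA ($2)"
}

# Constructed sample manifests (trimmed to the command list) in a scratch directory.
WORK=$(mktemp -d)
ETCD_GOOD="$WORK/etcd-good.yaml"; ETCD_BAD="$WORK/etcd-bad.yaml"
API_GOOD="$WORK/apiserver-good.yaml"; API_BAD="$WORK/apiserver-bad.yaml"
printf '%s\n' 'spec:' '  containers:' '  - command:' '    - etcd' \
  '    - --peer-client-cert-auth=true' \
  '    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt' > "$ETCD_GOOD"
printf '%s\n' 'spec:' '  containers:' '  - command:' '    - etcd' \
  '    - --peer-client-cert-auth=false' > "$ETCD_BAD"
printf '%s\n' 'spec:' '  containers:' '  - command:' '    - kube-apiserver' \
  '    - "--kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt"' > "$API_GOOD"
printf '%s\n' 'spec:' '  containers:' '  - command:' '    - kube-apiserver' \
  '    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt' > "$API_BAD"

audit "$ETCD_GOOD" "$API_GOOD"   # both checks PASS
audit "$ETCD_BAD" "$API_BAD"     # both checks FAIL
```

On a real control plane, point `audit` at /etc/kubernetes/manifests/etcd.yaml and /etc/kubernetes/manifests/kube-apiserver.yaml; a FAIL line corresponds to the Failed tool output shown in the Findings view.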