List of CIS Benchmark Explanations

CIS 1.1.9 - Explanation

CIS 1.1.9

ID	Text	Remediation
1.1.9	Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)	Run the below command (based on the file location on your system) on the control plane node. For example, chmod 644 <path/to/cni/files>

DKP Explanation

The kubelet config --cni-config-dir has been deprecated and removed since Kubernetes v1.24. Calico which is used for CNI is stores is configuration at /etc/cni/net.d and has permissions set to 644.

CIS 1.1.10 - Explanation

CIS 1.1.10

ID	Text	Remediation
1.1.10	Ensure that the Container Network Interface file ownership is set to root:root (Manual)	Run the below command (based on the file location on your system) on the control plane node. For example, chown root:root <path/to/cni/files>

DKP Explanation

The kubelet config --cni-config-dir has been deprecated and removed since Kubernetes v1.24. Calico which is used for CNI is stores is configuration at /etc/cni/net.d and has ownership set to root:root.

CIS 1.1.12 - Explanation

CIS 1.1.12

ID	Text	Remediation
1.1.12	Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)	On the etcd server node, get the etcd data directory, passed as an argument --data-dir, from the command 'ps -ef \| grep etcd'. Run the below command (based on the etcd data directory found above). For example, chown etcd:etcd /var/lib/etcd

DKP Explanation

etcd files are ownedby root. Creating another user adds additional attack vectors. On previous STIGs this has been acceptable to leave as root:root.

CIS 1.2.1 - Explanation

CIS 1.2.1

ID	Text	Remediation
1.2.1	Ensure that the --anonymous-auth argument is set to false (Manual)	Edit the API server pod specification file $apiserverconf on the control plane node and set the below parameter. --anonymous-auth=false

DKP Explanation

Although the --anonymous-auth flag defaults to true, we also set the --authorization-mode=Node,RBAC flag. Having anonymous auth enabled is generally used for discovery and health checking. This is also important for kubeadm join to function properly (see https://github.com/aws/eks-anywhere/pull/3122#issuecomment-1226581563)

CIS 1.2.6 - Explanation

CIS 1.2.6

ID	Text	Remediation
1.2.6	Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)	Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file $apiserverconf on the control plane node and set the --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority. --kubelet-certificate-authority=<ca-string>

DKP Explanation

The --kubelet-certificate-authority flag needs to be set on each API Server after the cluster has been fully provisioned, adding it earlier causes issues with the creation and adding of worker nodes via CAPI and kubeadm.

CIS 1.2.10 - Explanation

CIS 1.2.10

ID	Text	Remediation
1.2.10	Ensure that the admission control plugin EventRateLimit is set (Manual)	Follow the Kubernetes documentation and set the desired limits in a configuration file. Then, edit the API server pod specification file $apiserverconf and set the below parameters. --enable-admission-plugins=...,EventRateLimit,... --admission-control-config-file=<path/to/configuration/file>

DKP Explanation

Kuberentes recommends the use of API Priority and Fairness using the --max-requests-inflight and --max-mutating-requests-inflight flags to control how the Kuberentes API Server behaves in overload situations. The APIPriorityAndFairness Feature Gate has been enabled by default since Kubernetes v1.20.

CIS 1.2.13 - Explanation

CIS 1.2.13

ID	Text	Remediation
1.2.13	Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)	Edit the API server pod specification file $apiserverconf on the control plane node and set the --enable-admission-plugins parameter to include SecurityContextDeny, unless PodSecurityPolicy is already in place. --enable-admission-plugins=...,SecurityContextDeny,...

DKP Explanation

The Kuberentes Project recommends not using this admission controller, as it is deprecated and will be removed in a future release.

CIS 4.2.8 - Explanation

CIS 4.2.8

ID	Text	Remediation
4.2.8	Ensure that the --hostname-override argument is not set (Manual)	Edit the kubelet service file $kubeletsvc on each worker node and remove the --hostname-override argument from the KUBELET_SYSTEM_PODS_ARGS variable. Based on your system, restart the kubelet service. For example, systemctl daemon-reload systemctl restart kubelet.service

DKP Explanation

The hostname-override argument is used by various infrastructure providers to provision nodes, removing this argument will impact how CAPI will work with the infrastructure provider.

CIS 4.2.10 - Explanation

CIS 4.2.10

ID	Text	Remediation
4.2.10	Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)	If using a Kubelet config file, edit the file to set `tlsCertFile` to the location of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile` to the location of the corresponding private key file. If using command line arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameters in KUBELET_CERTIFICATE_ARGS variable. --tls-cert-file=<path/to/tls-certificate-file> --tls-private-key-file=<path/to/tls-key-file> Based on your system, restart the kubelet service. For example, systemctl daemon-reload systemctl restart kubelet.service

DKP Explanation

This remediation refers to a serving certificate on the kubelet, where the https endpoint on the kubelet is used. By default a self-signed certificate is used here. Connecting to a kubelet’s https endpoint should only be used for diagnostic or debugging purposes where applying a provided key and certificate isn’t common.