
Mitigate Issues by Creating Custom Clusters

For issues that can be mitigated, first create patch files containing the mitigations, then create a cluster kustomization that references those patch files, and finally create a new cluster from the kustomization.

1. Create Patch Files with CIS Benchmark Mitigations

All files you create in this and the following sections must be present in the same directory.

  1. Establish a name for the cluster you will create by setting the CLUSTER_NAME environment variable:
    Note: Replace the placeholder <name_of_the_cluster> with the actual name you want to use. The patch files below expand ${CLUSTER_NAME} at the moment they are written, so set the variable in the same shell before running the commands that follow.

    CODE
    export CLUSTER_NAME=<name_of_the_cluster>
  2. Create CIS patch files for the issues you want to mitigate. Each patch is a strategic merge patch against the KubeadmControlPlane (and, for kubelet settings, the KubeadmConfigTemplate) that the DKP CLI generates, so the metadata.name values must match the names in your cluster YAML. The issues that can be mitigated this way are:

CIS 1.2.12 - Mitigation

ID: 1.2.12

Text: Ensure that the admission control plugin AlwaysPullImages is set (Manual).

Remediation: Edit the API server pod specification file $apiserverconf (the kube-bench variable, by default /etc/kubernetes/manifests/kube-apiserver.yaml) on the control plane node and set the --enable-admission-plugins parameter to include AlwaysPullImages:

--enable-admission-plugins=...,AlwaysPullImages,...

DKP Mitigation

Create a file called cis-1.2.12-patches.yaml with the following in the same folder as kustomization.yaml. A value set in extraArgs replaces kubeadm's own default for that flag instead of being appended to it, and kubeadm's default for --enable-admission-plugins is NodeRestriction, so list NodeRestriction explicitly; otherwise enabling AlwaysPullImages silently disables the plugin that limits what a node's kubelet credentials may modify. If your generated ${CLUSTER_NAME}.yaml already sets enable-admission-plugins, carry its plugins over as well, because the kustomize patch replaces the whole value:

YAML
cat <<EOF > cis-1.2.12-patches.yaml
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: ${CLUSTER_NAME}-control-plane
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        extraArgs:
          enable-admission-plugins: "NodeRestriction,AlwaysPullImages"
EOF

CIS 1.2.18 - Mitigation

ID: 1.2.18

Text: Ensure that the --profiling argument is set to false (Automated).

Remediation: Edit the API server pod specification file $apiserverconf on the control plane node and set the below parameter:

--profiling=false

DKP Mitigation

Create a file called cis-1.2.18-patches.yaml with the following in the same folder as kustomization.yaml:

YAML
cat <<EOF > cis-1.2.18-patches.yaml
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: ${CLUSTER_NAME}-control-plane
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        extraArgs:
          profiling: "false"
EOF

CIS 1.2.32 - Mitigation

ID: 1.2.32

Text: Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual).

Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the below parameter:

--tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384

DKP Mitigation

Create a file called cis-1.2.32-patches.yaml with the following in the same folder as kustomization.yaml. The list below is the full set the benchmark accepts, and it still contains 3DES, CBC-mode and static-RSA key exchange suites, none of which provide forward secrecy or AEAD protection; the check only requires that the flag is set to values from this list, so a subset passes as well. Dropping every TLS_RSA_WITH_*, *_CBC_* and 3DES entry leaves the ECDHE GCM and ChaCha20-Poly1305 suites, which is the stronger configuration. The three TLS_AES_* and TLS_CHACHA20_* names are TLS 1.3 suites, which Go enables unconditionally regardless of this flag. Before narrowing the list, confirm that every client of the API server, including any TLS-terminating load balancer in front of it, can still negotiate one of the remaining suites:

YAML
cat <<EOF > cis-1.2.32-patches.yaml
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: ${CLUSTER_NAME}-control-plane
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        extraArgs:
          tls-cipher-suites: "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384"
EOF

CIS 1.3.1 - Mitigation

ID: 1.3.1

Text: Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual).

Remediation: Edit the Controller Manager pod specification file $controllermanagerconf (by default /etc/kubernetes/manifests/kube-controller-manager.yaml) on the control plane node and set --terminated-pod-gc-threshold to an appropriate threshold, for example:

--terminated-pod-gc-threshold=10

DKP Mitigation

Create a file called cis-1.3.1-patches.yaml with the following in the same folder as kustomization.yaml. The value 12500 is the kube-controller-manager default; the benchmark check only verifies that the flag is set explicitly, so this passes the audit without changing behaviour. The threshold is the number of terminated pods the controller manager lets accumulate before it starts deleting the oldest ones, so choose a value that suits your cluster: a lower number frees API server and etcd capacity sooner, while a higher one keeps more terminated pods available for later inspection:

YAML
cat <<EOF > cis-1.3.1-patches.yaml
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: ${CLUSTER_NAME}-control-plane
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      controllerManager:
        extraArgs:
          terminated-pod-gc-threshold: "12500"
EOF

CIS 1.3.2 - Mitigation

ID: 1.3.2

Text: Ensure that the --profiling argument is set to false (Automated).

Remediation: Edit the Controller Manager pod specification file $controllermanagerconf on the control plane node and set the below parameter:

--profiling=false

DKP Mitigation

Create a file called cis-1.3.2-patches.yaml with the following in the same folder as kustomization.yaml:

YAML
cat <<EOF > cis-1.3.2-patches.yaml
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: ${CLUSTER_NAME}-control-plane
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      controllerManager:
        extraArgs:
          profiling: "false"
EOF

CIS 1.4.1 - Mitigation

ID: 1.4.1

Text: Ensure that the --profiling argument is set to false (Automated).

Remediation: Edit the Scheduler pod specification file $schedulerconf (by default /etc/kubernetes/manifests/kube-scheduler.yaml) on the control plane node and set the below parameter:

--profiling=false

DKP Mitigation

Create a file called cis-1.4.1-patches.yaml with the following in the same folder as kustomization.yaml:

YAML
cat <<EOF > cis-1.4.1-patches.yaml
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: ${CLUSTER_NAME}-control-plane
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      scheduler:
        extraArgs:
          profiling: "false"
EOF

CIS 4.2.6 - Mitigation

ID: 4.2.6

Text: Ensure that the --protect-kernel-defaults argument is set to true (Automated).

Remediation: If using a Kubelet config file, edit the file to set protectKernelDefaults to true. If using command line arguments, edit the kubelet service file $kubeletsvc (by default /etc/systemd/system/kubelet.service.d/10-kubeadm.conf) on each worker node and set the below parameter in the KUBELET_SYSTEM_PODS_ARGS variable:

--protect-kernel-defaults=true

Based on your system, restart the kubelet service. For example:

systemctl daemon-reload
systemctl restart kubelet.service

DKP Mitigation

Create a file called cis-4.2.6-patches.yaml with the following in the same folder as kustomization.yaml. The flag has to reach every kubelet, so the patch sets kubeletExtraArgs in three places: the initConfiguration and joinConfiguration of the KubeadmControlPlane (the first and the subsequent control plane nodes) and the KubeadmConfigTemplate used by the worker MachineDeployment. kubeletExtraArgs become command-line flags, which the kubelet still honours ahead of its config file even though it reports them as deprecated. With protect-kernel-defaults set, the kubelet refuses to start, and the node never joins, if the kernel parameters it would otherwise adjust (for example vm.overcommit_memory, kernel.panic and kernel.panic_on_oops) do not already hold the values it expects, so make sure the node image sets them before enabling this:

YAML
cat <<EOF > cis-4.2.6-patches.yaml
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: ${CLUSTER_NAME}-control-plane
spec:
  kubeadmConfigSpec:
    initConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          protect-kernel-defaults: "true"
    joinConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          protect-kernel-defaults: "true"
---
apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
kind: KubeadmConfigTemplate
metadata:
  name: ${CLUSTER_NAME}-md-0
spec:
  template:
    spec:
      joinConfiguration:
        nodeRegistration:
          kubeletExtraArgs:
            protect-kernel-defaults: "true"
EOF

CIS 4.2.9 - Mitigation

ID: 4.2.9

Text: Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual).

Remediation: If using a Kubelet config file, edit the file to set eventRecordQPS to an appropriate level. If using command line arguments, edit the kubelet service file $kubeletsvc on each worker node and set the --event-qps parameter in the KUBELET_SYSTEM_PODS_ARGS variable to an appropriate level. Based on your system, restart the kubelet service. For example:

systemctl daemon-reload
systemctl restart kubelet.service

DKP Mitigation

eventRecordQPS can also be configured with the --event-qps argument on the kubelet's command line, which is what kubeletExtraArgs produces. The patch below sets it to 0, which the benchmark describes as removing the per-kubelet event rate limit so that no security-relevant events are dropped; the same benchmark warns that an unlimited rate lets a misbehaving or compromised workload flood the API server and etcd with events, so either size your event storage for that or pick an explicit non-zero limit. Check the kubelet reference for your Kubernetes version for whether it documents 0 as unlimited or as falling back to the default QPS.

Create a file called cis-4.2.9-patches.yaml with the following in the same folder as kustomization.yaml:

YAML
cat <<EOF > cis-4.2.9-patches.yaml
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: ${CLUSTER_NAME}-control-plane
spec:
  kubeadmConfigSpec:
    initConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          event-qps: "0"
    joinConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          event-qps: "0"
---
apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
kind: KubeadmConfigTemplate
metadata:
  name: ${CLUSTER_NAME}-md-0
spec:
  template:
    spec:
      joinConfiguration:
        nodeRegistration:
          kubeletExtraArgs:
            event-qps: "0"
EOF

CIS 4.2.13 - Mitigation

ID: 4.2.13

Text: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual).

Remediation: If using a Kubelet config file, edit the file to set TLSCipherSuites to
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
or to a subset of these values.

If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the --tls-cipher-suites parameter as follows, or to a subset of these values:

--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256

Based on your system, restart the kubelet service. For example:

systemctl daemon-reload
systemctl restart kubelet.service

DKP Mitigation

Create a file called cis-4.2.13-patches.yaml with the following in the same folder as kustomization.yaml. As with 4.2.6, the value is set in three places so that control plane and worker kubelets all receive it. The list is the benchmark's full set; the two TLS_RSA_WITH_* entries use static RSA key exchange and offer no forward secrecy, and since the benchmark explicitly accepts a subset, removing them leaves six ECDHE AEAD suites. The kubelet's serving port (10250) is the API server's path for exec, logs and port-forward, so this list governs which suites those connections can use:

YAML
cat <<EOF > cis-4.2.13-patches.yaml
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: ${CLUSTER_NAME}-control-plane
spec:
  kubeadmConfigSpec:
    initConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
    joinConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
---
apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
kind: KubeadmConfigTemplate
metadata:
  name: ${CLUSTER_NAME}-md-0
spec:
  template:
    spec:
      joinConfiguration:
        nodeRegistration:
          kubeletExtraArgs:
            tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
EOF
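
The script below is an added example, not part of the DKP documentation or its tooling, that evaluates what the patches above actually request. It reads the objects as `kubectl get kubeadmcontrolplane,kubeadmconfigtemplate -o json` returns them from the cluster that holds the CAPI objects, or, with no input, a constructed copy of this page's patches. Beyond confirming that each control's flag is present, it reports the caveats a reviewer would raise: an enable-admission-plugins value that omits kubeadm's default NodeRestriction, cipher lists that still contain 3DES, CBC or static-RSA suites (a threshold chosen for this example, stricter than the list the benchmark accepts), a terminated-pod-gc-threshold equal to the controller-manager default, and event-qps set to 0. The cluster name demo, the hardened sample values (a threshold of 1000, event-qps 50, an ECDHE-only suite subset) and the weak-suite patterns are assumptions made for the example.

```python
"""Check KubeadmControlPlane/KubeadmConfigTemplate objects against the CIS mitigations on this page.
Pipe `kubectl get kubeadmcontrolplane,kubeadmconfigtemplate -o json` in, or run without input to check
a constructed copy of this page's patches. Added example, not DKP tooling."""
import json
import re
import sys

# Suites reported as weak: 3DES, CBC mode, or static RSA key exchange (no forward secrecy).
# Assumption: an editor-chosen threshold, stricter than the list the benchmark accepts.
WEAK_SUITE_PATTERNS = (r"3DES", r"_CBC_", r"^TLS_RSA_WITH_")
# The cipher lists exactly as the 1.2.32 and 4.2.13 patches on this page set them.
PAGE_API_SUITES = (
    "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,"
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,"
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,"
    "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_RSA_WITH_AES_256_GCM_SHA384")
PAGE_KUBELET_SUITES = (
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,"
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
    "TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256")
# ECDHE-only AEAD subset of the kubelet list (assumption: one reasonable hardening choice).
HARDENED_SUITES = ",".join(s for s in PAGE_KUBELET_SUITES.split(",") if not s.startswith("TLS_RSA_WITH_"))

def weak_suites(csv):
    """Entries of a comma-separated tls-cipher-suites value that match a weak pattern."""
    return [s for s in csv.split(",") if s and any(re.search(p, s) for p in WEAK_SUITE_PATTERNS)]

def kubelet_arg_sites(kcp, templates):
    """Yield (label, kubeletExtraArgs) for every place a kubelet flag must be present."""
    spec = kcp["spec"]["kubeadmConfigSpec"]
    for phase in ("initConfiguration", "joinConfiguration"):
        yield f"{kcp['metadata']['name']}/{phase}", spec.get(phase, {}).get("nodeRegistration", {}).get("kubeletExtraArgs", {})
    for t in templates:
        join = t["spec"]["template"]["spec"].get("joinConfiguration", {})
        yield f"{t['metadata']['name']}/joinConfiguration", join.get("nodeRegistration", {}).get("kubeletExtraArgs", {})

def check_cis(items):
    """Findings as 'CIS-id: detail' strings for the objects of a kubectl List; empty means every control is met."""
    kcp = next(i for i in items if i["kind"] == "KubeadmControlPlane")
    templates = [i for i in items if i["kind"] == "KubeadmConfigTemplate"]
    cc = kcp["spec"]["kubeadmConfigSpec"].get("clusterConfiguration", {})
    api, kcm, sched = (cc.get(c, {}).get("extraArgs", {}) for c in ("apiServer", "controllerManager", "scheduler"))
    f = []
    plugins = api.get("enable-admission-plugins", "").split(",")
    if "AlwaysPullImages" not in plugins:
        f.append("1.2.12: AlwaysPullImages missing from apiServer enable-admission-plugins")
    if "NodeRestriction" not in plugins:  # a value in extraArgs replaces kubeadm's default for this flag
        f.append("1.2.12: enable-admission-plugins drops kubeadm's default NodeRestriction")
    for cid, name, args in (("1.2.18", "apiServer", api), ("1.3.2", "controllerManager", kcm), ("1.4.1", "scheduler", sched)):
        if args.get("profiling") != "false":
            f.append(f'{cid}: {name} profiling is not "false"')
    if not api.get("tls-cipher-suites"): f.append("1.2.32: apiServer tls-cipher-suites not set")
    f += [f"1.2.32: apiServer permits weak suite {s}" for s in weak_suites(api.get("tls-cipher-suites", ""))]
    thr = kcm.get("terminated-pod-gc-threshold", "")
    if not thr.isdigit() or int(thr) <= 0:
        f.append("1.3.1: controllerManager terminated-pod-gc-threshold missing or not a positive integer")
    elif int(thr) == 12500:  # the kube-controller-manager default for --terminated-pod-gc-threshold
        f.append("1.3.1: terminated-pod-gc-threshold equals the controller-manager default; choose it deliberately")
    for site, args in kubelet_arg_sites(kcp, templates):
        if args.get("protect-kernel-defaults") != "true":
            f.append(f'4.2.6: {site} protect-kernel-defaults is not "true"')
        if "event-qps" not in args:
            f.append(f"4.2.9: {site} event-qps not set")
        elif args["event-qps"] == "0":
            f.append(f"4.2.9: {site} event-qps=0 (the benchmark reads 0 as no rate limit; confirm this is intended)")
        if not args.get("tls-cipher-suites"): f.append(f"4.2.13: {site} tls-cipher-suites not set")
        f += [f"4.2.13: {site} permits weak suite {s}" for s in weak_suites(args.get("tls-cipher-suites", ""))]
    return f

def sample_items(cluster="demo", hardened=False):
    """Constructed objects mirroring this page's patches (enable-admission-plugins set to AlwaysPullImages alone
    in the plain case); hardened=True applies the caveats from the text. The cluster name and the hardened
    values (threshold 1000, event-qps 50) are illustrative assumptions."""
    kubelet = {"protect-kernel-defaults": "true", "event-qps": "50" if hardened else "0",
               "tls-cipher-suites": HARDENED_SUITES if hardened else PAGE_KUBELET_SUITES}
    reg = lambda: {"nodeRegistration": {"kubeletExtraArgs": dict(kubelet)}}
    cluster_cfg = {
        "apiServer": {"extraArgs": {"profiling": "false",
                                    "enable-admission-plugins": "NodeRestriction,AlwaysPullImages" if hardened else "AlwaysPullImages",
                                    "tls-cipher-suites": HARDENED_SUITES if hardened else PAGE_API_SUITES}},
        "controllerManager": {"extraArgs": {"profiling": "false", "terminated-pod-gc-threshold": "1000" if hardened else "12500"}},
        "scheduler": {"extraArgs": {"profiling": "false"}}}
    kcp = {"apiVersion": "controlplane.cluster.x-k8s.io/v1beta1", "kind": "KubeadmControlPlane",
           "metadata": {"name": f"{cluster}-control-plane"},
           "spec": {"kubeadmConfigSpec": {"clusterConfiguration": cluster_cfg,
                                          "initConfiguration": reg(), "joinConfiguration": reg()}}}
    tmpl = {"apiVersion": "bootstrap.cluster.x-k8s.io/v1beta1", "kind": "KubeadmConfigTemplate",
            "metadata": {"name": f"{cluster}-md-0"},
            "spec": {"template": {"spec": {"joinConfiguration": reg()}}}}
    return [kcp, tmpl]

if __name__ == "__main__":
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    findings = check_cis(json.loads(raw)["items"] if raw.strip() else sample_items())
    print("\n".join(findings) or "all CIS mitigations on this page are present")
    sys.exit(1 if findings else 0)
```

Against the values on this page the script reports 21 findings, none of them a missing control: NodeRestriction dropped by a 1.2.12 patch that lists AlwaysPullImages alone, ten 3DES, CBC or static-RSA suites in the API server list, the default gc threshold, event-qps=0 at all three kubelet sites and the two TLS_RSA suites at each of them. Against the hardened sample it reports nothing. Because the KubeadmConfigTemplate is what the worker MachineDeployment's kubelets are built from, a template that a patch did not reach shows up here as a missing kubelet flag.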

2. Create a Cluster Kustomization

Create a cluster kustomization that references the CIS patch files you created in the previous section.

The kustomization.yaml file you create in this section must be present in the same directory as the CIS patch files.

Prerequisite

Refer to Customizing CAPI Components for a Cluster to familiarize yourself with the customization procedure and options; this page uses the same terms.

Create Customization

  1. Create a cluster YAML using the DKP CLI, modifying any arguments as necessary for your provider and environment. With --dry-run and --output=yaml the CLI prints the CAPI objects instead of creating them, so the redirect captures them in a file:

    CODE
    dkp create cluster aws \
      --cluster-name=${CLUSTER_NAME} \
      --dry-run \
      --output=yaml \
      > ${CLUSTER_NAME}.yaml

  2. Create a kustomization.yaml file that lists ${CLUSTER_NAME}.yaml under resources (the current name for the deprecated bases field) and includes a patch entry for each of the CIS mitigation files you created. Each entry takes the form "- path: <file>", and the file names must match the ones you created (cis-<id>-patches.yaml).
    Note: In this example, we use the CIS 1.2.18 patch file, but you can include all mitigation files you created in the first section.

    YAML
    cat <<EOF > kustomization.yaml
    apiVersion: kustomize.config.k8s.io/v1beta1
    kind: Kustomization
    resources:
      - ${CLUSTER_NAME}.yaml
    patches:
      - path: cis-1.2.18-patches.yaml
      # Add more CIS patch files here, one "- path:" entry per file.
    EOF

3. Create a Cluster with the Kustomization

The CIS patch files, kustomization.yaml, and ${CLUSTER_NAME}.yaml must be present in the same directory.

  1. Create a bootstrap cluster and ensure that it has been created for the desired provider.

  2. Run the following command to render the kustomization with kubectl's built-in kustomize, apply the customizations and create a new cluster:

    CODE
    kubectl create -k .

    Monitor and watch the cluster creation.
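
Once the cluster is up, confirm on the workload cluster itself that the settings took effect: the values travel through kustomize, Cluster API and kubeadm before they reach a process, and the running cluster is also what an auditor such as kube-bench inspects. The script below is an added example (not DKP tooling) that checks the static pod command lines of the three control-plane components and each kubelet's effective configuration from the /configz endpoint, which reflects settings from flags and config file alike. It takes the JSON written by the kubectl commands in its docstring or, with no arguments, a constructed sample for a single node named cp-0 (an assumption). The expected_qps value 0 mirrors this page's 4.2.9 patch; change it if you chose a different value. To inspect the rendered objects before creation instead, `kubectl kustomize .` prints them.

```python
"""Verify on the running cluster that the mitigations landed: control-plane static pod flags and each
kubelet's effective configuration. Added example, not DKP tooling. Usage:
  kubectl get pods -n kube-system -l tier=control-plane -o json > pods.json
  kubectl get --raw /api/v1/nodes/<node>/proxy/configz > <node>.configz.json
  python3 cis_verify.py pods.json <node>=<node>.configz.json ...   (no arguments: constructed sample)"""
import json
import sys

# Flags every control-plane component must carry after the patches on this page (component label -> flag -> value).
EXPECTED_FLAGS = {"kube-apiserver": {"profiling": "false"},
                  "kube-controller-manager": {"profiling": "false"},
                  "kube-scheduler": {"profiling": "false"}}

def parse_flags(command):
    """Turn ['kube-apiserver', '--a=b', '--c'] into {'a': 'b', 'c': ''}."""
    out = {}
    for arg in command[1:]:
        if arg.startswith("--"):
            key, _, value = arg[2:].partition("=")
            out[key] = value
    return out

def check_control_plane(pods):
    """Findings from the static pod specs, which show what kubeadm actually rendered from extraArgs."""
    f, seen = [], set()
    for pod in pods.get("items", []):
        comp = pod["metadata"].get("labels", {}).get("component")
        if comp not in EXPECTED_FLAGS:
            continue
        seen.add(comp)
        where = f"{comp}@{pod['spec'].get('nodeName', '?')}"
        flags = parse_flags(pod["spec"]["containers"][0].get("command", []))
        for key, value in EXPECTED_FLAGS[comp].items():
            if flags.get(key) != value:
                f.append(f"{where}: expected --{key}={value}, got {flags.get(key)!r}")
        if comp == "kube-apiserver":
            if "AlwaysPullImages" not in flags.get("enable-admission-plugins", "").split(","):
                f.append(f"{where}: AlwaysPullImages is not enabled")
            if not flags.get("tls-cipher-suites"):
                f.append(f"{where}: --tls-cipher-suites is not set")
        if comp == "kube-controller-manager" and not flags.get("terminated-pod-gc-threshold", "").isdigit():
            f.append(f"{where}: --terminated-pod-gc-threshold is not set")
    f += [f"{comp}: no static pod with label component={comp} found" for comp in EXPECTED_FLAGS if comp not in seen]
    return f

def check_kubelets(configz_by_node, expected_qps):
    """Findings from each kubelet's /configz, the effective config whether it came from flags or a file."""
    f = []
    for node, doc in configz_by_node.items():
        cfg = doc.get("kubeletconfig", {})
        if cfg.get("protectKernelDefaults") is not True:
            f.append(f"kubelet@{node}: protectKernelDefaults is not true")
        if cfg.get("eventRecordQPS") != expected_qps:
            f.append(f"kubelet@{node}: eventRecordQPS is {cfg.get('eventRecordQPS')!r}, expected {expected_qps}")
        if not cfg.get("tlsCipherSuites"):
            f.append(f"kubelet@{node}: tlsCipherSuites is not set (Go's default cipher list applies)")
    return f

def sample_inputs():
    """Constructed kubectl output for a single control-plane node 'cp-0' (assumption), mirroring this page's values."""
    def pod(comp, args):
        return {"metadata": {"labels": {"component": comp, "tier": "control-plane"}},
                "spec": {"nodeName": "cp-0", "containers": [{"name": comp, "command": [comp] + args}]}}
    pods = {"items": [
        pod("kube-apiserver", ["--profiling=false", "--enable-admission-plugins=NodeRestriction,AlwaysPullImages",
                               "--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]),
        pod("kube-controller-manager", ["--profiling=false", "--terminated-pod-gc-threshold=12500"]),
        pod("kube-scheduler", ["--profiling=false"])]}
    configz = {"cp-0": {"kubeletconfig": {"protectKernelDefaults": True, "eventRecordQPS": 0,
                                          "tlsCipherSuites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]}}}
    return pods, configz

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            pods = json.load(fh)
        configz = {}
        for spec in sys.argv[2:]:
            node, _, path = spec.partition("=")
            with open(path) as fh:
                configz[node] = json.load(fh)
    else:
        pods, configz = sample_inputs()
    findings = check_control_plane(pods) + check_kubelets(configz, expected_qps=0)
    print("\n".join(findings) or "control plane and kubelets carry the expected settings")
    sys.exit(1 if findings else 0)
```

Run it for every node, control plane and worker alike, since the kubelet settings are applied per node and a MachineDeployment that a patch did not cover would pass the control-plane check while its workers stay unpatched. Reading /configz needs a credential allowed to use the nodes/proxy subresource, which on a fresh DKP cluster is the admin kubeconfig.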
