For the CIS Benchmark findings that can be mitigated at cluster creation time, first create patch files that contain the mitigations, then create a cluster kustomization that references those patch files, and finally create a new cluster from the kustomization.
1. Create Patch Files with CIS Benchmark Mitigations
All files you create in this and the following sections must be present in the same directory.
Establish a name for the cluster you will create by setting the CLUSTER_NAME environment variable. Replace the placeholder <name_of_the_cluster> with the actual name you want to use:

```shell
export CLUSTER_NAME=<name_of_the_cluster>
```
Create a CIS patch file for each issue you want to mitigate. The following issues can be mitigated this way:

CIS 1.2.16 - Mitigation

| ID | Text | Remediation |
|---|---|---|
| 1.2.16 | Ensure that the --profiling argument is set to false (Automated). | Edit the API server pod specification file $apiserverconf on the control plane node and set the parameter --profiling=false. |

DKP Mitigation

Create a file called cis-1.2.16-patches.yaml with the following contents, in the same folder as kustomization.yaml:

```shell
cat <<EOF > cis-1.2.16-patches.yaml
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: ${CLUSTER_NAME}-control-plane
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        extraArgs:
          profiling: "false"
EOF
```
CIS 1.3.2 - Mitigation

| ID | Text | Remediation |
|---|---|---|
| 1.3.2 | Ensure that the --profiling argument is set to false (Automated). | Edit the Controller Manager pod specification file $controllermanagerconf on the control plane node and set the parameter --profiling=false. |

DKP Mitigation

Create a file called cis-1.3.2-patches.yaml with the following contents, in the same folder as kustomization.yaml:

```shell
cat <<EOF > cis-1.3.2-patches.yaml
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: ${CLUSTER_NAME}-control-plane
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      controllerManager:
        extraArgs:
          profiling: "false"
EOF
```
CIS 1.4.1 - Mitigation

| ID | Text | Remediation |
|---|---|---|
| 1.4.1 | Ensure that the --profiling argument is set to false (Automated). | Edit the Scheduler pod specification file $schedulerconf on the control plane node and set the parameter --profiling=false. |

DKP Mitigation

Create a file called cis-1.4.1-patches.yaml with the following contents, in the same folder as kustomization.yaml:

```shell
cat <<EOF > cis-1.4.1-patches.yaml
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: ${CLUSTER_NAME}-control-plane
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      scheduler:
        extraArgs:
          profiling: "false"
EOF
```
CIS 4.1.1 - Mitigation

| ID | Text | Remediation |
|---|---|---|
| 4.1.1 | Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated). All known nodes are affected. | Run the command below (adjusted to the file location on your system) on each node. For example: chmod 600 /lib/systemd/system/kubelet.service |

DKP Mitigation

Because this finding applies to every node, the patch covers both the control plane (KubeadmControlPlane) and the worker machine deployment (KubeadmConfigTemplate). Create a file called cis-4.1.1-patches.yaml with the following contents, in the same folder as kustomization.yaml:

```shell
cat <<EOF > cis-4.1.1-patches.yaml
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: ${CLUSTER_NAME}-control-plane
spec:
  kubeadmConfigSpec:
    postKubeadmCommands:
      - chmod 600 /lib/systemd/system/kubelet.service
---
apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
kind: KubeadmConfigTemplate
metadata:
  name: ${CLUSTER_NAME}-md-0
spec:
  template:
    spec:
      postKubeadmCommands:
        - chmod 600 /lib/systemd/system/kubelet.service
EOF
```
CIS 4.1.9 - Mitigation

| ID | Text | Remediation |
|---|---|---|
| 4.1.9 | If the kubelet config.yaml configuration file is being used, validate that its permissions are set to 600 or more restrictive. | Run the following command (using the config file location identified in the Audit step): chmod 600 /var/lib/kubelet/config.yaml |

DKP Mitigation

Create a file called cis-4.1.9-patches.yaml with the following contents, in the same folder as kustomization.yaml. Note that the heredoc must write to cis-4.1.9-patches.yaml, the same name you will reference from the kustomization:

```shell
cat <<EOF > cis-4.1.9-patches.yaml
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: ${CLUSTER_NAME}-control-plane
spec:
  kubeadmConfigSpec:
    postKubeadmCommands:
      - chmod 600 /var/lib/kubelet/config.yaml
---
apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
kind: KubeadmConfigTemplate
metadata:
  name: ${CLUSTER_NAME}-md-0
spec:
  template:
    spec:
      postKubeadmCommands:
        - chmod 600 /var/lib/kubelet/config.yaml
EOF
```
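The two chmod remediations above are easy to verify after the cluster is up. The following script is an added example, not part of the DKP documentation, that audits the kubelet files CIS 4.1.1 and 4.1.9 cover on a node. The default paths are the ones used in the remediations; the KUBELET_FILES variable, the function names and the script name are this example's own. mode_ok goes a step beyond the two checks above by accepting an arbitrary maximum mode, so it also serves the other CIS file-permission checks.

```shell
#!/bin/sh
# Added example (not part of the DKP documentation): audit the two kubelet
# files that CIS 4.1.1 and 4.1.9 cover and flag any whose mode grants more
# than the permitted bits. Default paths are the ones used in the
# remediations above; set KUBELET_FILES to override them (assumption: your
# distribution may place them elsewhere).
KUBELET_FILES="${KUBELET_FILES:-/lib/systemd/system/kubelet.service /var/lib/kubelet/config.yaml}"

# file_mode FILE -> permission bits in octal (e.g. 600, 644, 4755).
# GNU stat first, BSD/macOS stat as a fallback (assumption: one is available).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# mode_ok MODE [MAX] -> success if MODE sets no bit that MAX does not.
# MAX defaults to 600, so 600, 400, 200 and 0 pass while 644, 700 and
# 4600 (setuid) fail. Pass a different MAX for benchmarks with other limits.
mode_ok() {
  max=${2:-600}
  # The leading 0 forces octal interpretation in shell arithmetic.
  [ $(( 0$1 & ~0$max )) -eq 0 ]
}

# audit_kubelet_files -> prints one line per file; returns 1 if any file is
# missing or too permissive, 0 if everything is compliant.
audit_kubelet_files() {
  rc=0
  for f in $KUBELET_FILES; do
    if [ ! -e "$f" ]; then
      printf 'MISSING %s\n' "$f"
      rc=1
      continue
    fi
    m=$(file_mode "$f")
    if mode_ok "$m"; then
      printf 'OK      %s (mode %s)\n' "$f" "$m"
    else
      printf 'FAIL    %s (mode %s, expected 600 or stricter)\n' "$f" "$m"
      rc=1
    fi
  done
  return $rc
}

# Usage on a node: sh audit-kubelet-perms.sh audit
if [ "${1:-}" = audit ]; then
  audit_kubelet_files
fi
```

Copy the script to a node and run it with the audit argument; a non-zero exit means at least one file is missing or more permissive than 600. The comparison is a bitmask test rather than a numeric one, so a setuid bit or any group/other bit fails even when the owner bits are correct (4600 fails, 400 passes).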
2. Create a Cluster Kustomization
Create a cluster kustomization that references the CIS patch files you created in the previous section. The kustomization.yaml file you create in this section must be present in the same directory as the CIS patch files.
Prerequisite
Refer to Customizing CAPI Components for a Cluster to familiarize yourself with the customization procedure and options; this page uses the same terminology.
Create Customization
Create a cluster YAML using the DKP CLI, modifying any arguments as necessary. The --dry-run and --output=yaml flags make the CLI write the cluster manifests to the file instead of creating the cluster:

```shell
dkp create cluster aws \
  --cluster-name=${CLUSTER_NAME} \
  --dry-run \
  --output=yaml \
  > ${CLUSTER_NAME}.yaml
```
Create a kustomization.yaml file that uses ${CLUSTER_NAME}.yaml as its resource and lists one patch entry for each CIS mitigation. In this example only the CIS 1.2.16 patch is referenced, but you can include all of the mitigation files you created in the first section. The file names must match the files you created exactly (cis-1.2.16-patches.yaml, not cis-1.2.16-patch.yaml), or kustomize will fail to find the patch:

```shell
cat <<EOF > kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ${CLUSTER_NAME}.yaml
patches:
  - path: cis-1.2.16-patches.yaml
  # Add more CIS patch files here, one "- path:" entry per file.
EOF
```
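Hand-maintaining the patch list is error-prone once several mitigations are in play, and a patch written before CLUSTER_NAME was exported ends up with a metadata.name such as "-control-plane" that matches nothing in the cluster manifest. The following script is an added example, not part of the DKP documentation: it checks every cis-*-patches.yaml in a directory for that mistake and then generates kustomization.yaml from the files it finds. The function names, the script name and the assumption that the base manifest is named <cluster-name>.yaml are this example's own; the patch-file naming convention is the one used in the first section.

```shell
#!/bin/sh
# Added example (not part of the DKP documentation): build kustomization.yaml
# from every cis-*-patches.yaml in a directory and sanity-check the patches
# first. It assumes the file naming and heredoc convention used above, and
# that the base cluster manifest is named <cluster-name>.yaml.

# list_patches DIR -> the cis-*-patches.yaml file names in DIR, sorted.
list_patches() {
  for f in "$1"/cis-*-patches.yaml; do
    [ -e "$f" ] && basename "$f"
  done | sort
}

# check_patch FILE CLUSTER_NAME -> success if every metadata.name in FILE
# starts with "<CLUSTER_NAME>-". A patch written before CLUSTER_NAME was
# exported contains names like "-control-plane", which match no object in
# the cluster manifest and cannot be applied.
check_patch() {
  names=$(sed -n 's/^[[:space:]]*name:[[:space:]]*//p' "$1")
  [ -n "$names" ] || return 1
  for nm in $names; do
    case "$nm" in
      "$2-"*) ;;
      *) return 1 ;;
    esac
  done
}

# check_all DIR CLUSTER_NAME -> reports each bad patch; returns 1 if any.
check_all() {
  bad=0
  for p in $(list_patches "$1"); do
    if ! check_patch "$1/$p" "$2"; then
      printf 'BAD  %s: metadata.name does not start with %s-\n' "$p" "$2"
      bad=1
    fi
  done
  return $bad
}

# write_kustomization DIR CLUSTER_NAME -> writes DIR/kustomization.yaml with
# <CLUSTER_NAME>.yaml as the resource and one "path:" entry per patch;
# prints the number of patches referenced (the patches: key is omitted
# when there are none).
write_kustomization() {
  patches=$(list_patches "$1")
  count=$(printf '%s\n' "$patches" | grep -c . || true)
  {
    echo 'apiVersion: kustomize.config.k8s.io/v1beta1'
    echo 'kind: Kustomization'
    echo 'resources:'
    echo "  - $2.yaml"
    if [ "$count" -gt 0 ]; then
      echo 'patches:'
      for p in $patches; do
        echo "  - path: $p"
      done
    fi
  } > "$1/kustomization.yaml"
  echo "$count"
}

# Usage in the patch directory: CLUSTER_NAME=<name> sh gen-kustomization.sh generate
# (refuses to write kustomization.yaml if any patch fails the name check).
if [ "${1:-}" = generate ]; then
  : "${CLUSTER_NAME:?set CLUSTER_NAME first}"
  check_all . "$CLUSTER_NAME" && echo "referenced $(write_kustomization . "$CLUSTER_NAME") patch file(s)"
fi
```

Run it from the directory that holds the patch files and ${CLUSTER_NAME}.yaml. The name check is deliberately strict: any metadata.name that does not begin with the cluster name is reported and the kustomization is not written, which is the cheapest point at which to catch a patch generated under an empty or different CLUSTER_NAME.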
3. Create a Cluster with the Kustomization
The CIS patch files, kustomization.yaml, and ${CLUSTER_NAME}.yaml must be present in the same directory.

1. Create a bootstrap cluster. Ensure that the bootstrap cluster has been created for the desired provider.
2. Run the following command to apply the customizations and create a new cluster:
3. Monitor and watch the cluster creation.