💼 4 Worker Nodes

• ID: /frameworks/cis-gke-v1.0.0/04

Description

This section consists of security recommendations for the components that run on Kubernetes worker nodes. Note that these components may also run on Kubernetes master nodes, so the recommendations in this section should be applied to master nodes as well as worker nodes where the master nodes make use of these components.

Similar

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 4.1 Worker Node Configuration Files	10				no data
💼 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Not Scored)					no data
💼 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Not Scored)					no data
💼 4.1.3 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)					no data
💼 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)					no data
💼 4.1.5 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Not Scored)					no data
💼 4.1.6 Ensure that the kubelet.conf file ownership is set to root:root (Not Scored)					no data
💼 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Not Scored)					no data
💼 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Not Scored)					no data
💼 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)					no data
💼 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)					no data
💼 4.2 Kubelet	13				no data
💼 4.2.1 Ensure that the --anonymous-auth argument is set to false (Scored)					no data
💼 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)					no data
💼 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Scored)					no data
💼 4.2.4 Ensure that the --read-only-port argument is set to 0 (Scored)					no data
💼 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)					no data
💼 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Scored)					no data
💼 4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Scored)					no data
💼 4.2.8 Ensure that the --hostname-override argument is not set (Scored)					no data
💼 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Scored)					no data
💼 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)					no data
💼 4.2.11 Ensure that the --rotate-certificates argument is not set to false (Scored)					no data
💼 4.2.12 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)					no data
💼 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)					no data