
K8S - CIS benchmarks (kube-bench) (6)

by lina_j 2023. 4. 4.
※ To avoid copyright infringement, I will only post brief screenshots and what I learned.

※ Note that this study material comes from the FastCampus course.

 

< #6 CIS benchmarks problem >

 

kubectl config use-context sk8s

Resolve the issues reported by running the CIS Benchmark tool.

 

- API server

 [FAIL] 1.2.7 Ensure that the --authorization-mode argument includes Node

 [FAIL] 1.2.8 Ensure that the --authorization-mode argument includes RBAC

 [FAIL] 1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set

 

- etcd

 [FAIL] 2.2 Ensure that the --client-cert-auth argument is set to true

 

- kubelet

 [FAIL] 1.2.1 Ensure that the --anonymous-auth argument is set to false

 [FAIL] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow

 Use Webhook

 

<Solution>

 

0. Switch cluster

$ kubectl config use-context sk8s
$ kubectl get nodes
sk8s-master
sk8s-node1

 

 

1. Edit apiserver.yaml

Connect to the master

$ ssh sk8s-master
sk8s-master$ sudo -i

root@sk8s-master$ cd /etc/kubernetes/manifests
root@sk8s-master$ vi kube-apiserver.yaml

...
- command:
  - kube-apiserver
  - --advertise-address=172.31.1.xx
  - --allow-privileged=true
  - --authorization-mode=Node,RBAC                  <- change AlwaysAllow to Node,RBAC
  - --enable-admission-plugins=NodeRestriction      <- remove AlwaysAdmit, leave only NodeRestriction
...



Check
root@sk8s-master$ docker ps | grep kube-apiserver
root@sk8s-master$ kubectl get nodes
sk8s-master
sk8s-node1

 

2. Edit etcd.yaml

root@sk8s-master$ vi etcd.yaml

...
- command:
  - etcd
  - --advertise-client-urls=https://172.31.1.xx:2379
  - --cert-file=/etc/kubernetes/pki/etcd/server.crt
  - --client-cert-auth=true                              <- change false to true
...



Check
root@sk8s-master$ docker ps | grep etcd
root@sk8s-master$ kubectl get nodes

 

3. Edit kubelet.yaml

root@sk8s-master$ cd /var/lib/kubelet
root@sk8s-master$ vi config.yaml

...
authentication:
  anonymous:
    enabled: false                                       <- change true to false
...
authorization:
  mode: Webhook                                          <- change AlwaysAllow to Webhook
  webhook:
...



Restart
root@sk8s-master$ systemctl restart kubelet.service
root@sk8s-master$ systemctl status kubelet.service


Check
root@sk8s-master$ exit
ubuntu@sk8s-master$ kubectl get nodes
sk8s-master
sk8s-node1
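An added example, not code from the original post: a small POSIX shell re-check of the settings edited above (API server authorization mode and admission plugins, etcd client-cert auth, kubelet anonymous auth and authorization mode), so the fix can be confirmed before re-running kube-bench. It runs against constructed copies of the three files written to a temp directory; the real paths are the ones shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Re-checks the CIS items the post
# fixes by reading the static pod manifests and the kubelet config directly.

# Value of a "- --flag=value" line in a static pod manifest (empty if absent).
flag_value() { sed -n "s/^ *- *--$2=//p" "$1" | head -n 1; }

# Membership in a comma-separated list: list_has "Node,RBAC" RBAC -> 0
list_has() { case ",$1," in *",$2,"*) return 0;; *) return 1;; esac; }

check_apiserver() {   # 1.2.7 Node, 1.2.8 RBAC, 1.2.10 no AlwaysAdmit
  m=$(flag_value "$1" authorization-mode)
  p=$(flag_value "$1" enable-admission-plugins)
  list_has "$m" Node && list_has "$m" RBAC && ! list_has "$p" AlwaysAdmit
}

check_etcd() {        # 2.2 --client-cert-auth=true
  [ "$(flag_value "$1" client-cert-auth)" = "true" ]
}

check_kubelet() {     # anonymous auth off, authorization mode Webhook
  anon=$(awk '/^  anonymous:/{a=1} a && /enabled:/{print $2; exit}' "$1")
  mode=$(awk '/^authorization:/{a=1} a && /mode:/{print $2; exit}' "$1")
  [ "$anon" = "false" ] && [ "$mode" = "Webhook" ]
}

# Constructed "after" files mirroring the edits made in the post.
D=$(mktemp -d)
cat >"$D/kube-apiserver.yaml" <<'EOF'
- command:
  - kube-apiserver
  - --authorization-mode=Node,RBAC
  - --enable-admission-plugins=NodeRestriction
EOF
cat >"$D/etcd.yaml" <<'EOF'
- command:
  - etcd
  - --client-cert-auth=true
EOF
cat >"$D/config.yaml" <<'EOF'
authentication:
  anonymous:
    enabled: false
authorization:
  mode: Webhook
EOF
check_apiserver "$D/kube-apiserver.yaml" && check_etcd "$D/etcd.yaml" \
  && check_kubelet "$D/config.yaml" && echo "all checks pass"
```

On a real node, point the three functions at /etc/kubernetes/manifests/kube-apiserver.yaml, /etc/kubernetes/manifests/etcd.yaml and /var/lib/kubelet/config.yaml instead of the constructed copies.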
