CKS 模拟真题 Killer.sh | Question 5 | CIS Benchmark

Task weight: 3%

Use context: kubectl config use-context infra-prod

You’re ask to evaluate specific settings of cluster2 against the CIS Benchmark recommendations. Use the tool kube-bench which is already installed on the nodes.

Connect using ssh cluster2-controlplane1 and ssh cluster2-node1 .

On the master node ensure (correct if necessary) that the CIS recommendations are set for:

The --profiling argument of the kube-controller-manager
The ownership of directory /var/lib/etcd

On the worker node ensure (correct if necessary) that the CIS recommendations are set for:

The permissions of the kubelet configuration /var/lib/kubelet/config.yaml
The --client-ca-file argument of the kubelet

译文

任务重量：3%。

使用环境: kubectl config use-context infra-prod

你被要求根据CIS Benchmark的建议来评估 cluster2 的具体设置。使用已经安装在各节点上的工具 kube-bench 。

使用 ssh cluster2-controlplane1 和 ssh cluster2-node1 连接。

在主节点上确保（必要时纠正）已按CIS建议进行设置。

kube-controller-manager 的 --profiling 参数
目录 /var/lib/etcd 的权限

在工作节点上，确保（如有必要，请纠正）已按CIS建议进行设置：。

kubelet配置的权限 /var/lib/kubelet/config.yaml
kubelet 的 --client-ca-file 参数

解答

对master进行检查

ssh cluster2-controlplane1
kube-bench run --targets=master

1

通过关键字进行查找

kube-bench run --targets=master | grep "kube-controller-manager" -A 3

kube-benc-2-0

编辑配置文件

vim /etc/kubernetes/manifests/kube-controller-manager.yaml

# /etc/kubernetes/manifests/kube-controller-manager.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-controller-manager
    tier: control-plane
  name: kube-controller-manager
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-controller-manager
    - --allocate-node-cidrs=true
    - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf
    - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf
    - --bind-address=127.0.0.1
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --cluster-cidr=10.244.0.0/16
    - --cluster-name=kubernetes
    - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
    - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
    - --controllers=*,bootstrapsigner,tokencleaner
    - --kubeconfig=/etc/kubernetes/controller-manager.conf
    - --leader-elect=true
    - --node-cidr-mask-size=24
    - --port=0
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --root-ca-file=/etc/kubernetes/pki/ca.crt
    - --service-account-private-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=10.96.0.0/12
    - --use-service-account-credentials=true
    - --profiling=false            # 添加

pod重新运行以后再次进行检查,已经修复

kube-bench run --targets=master | grep kube-controller -A 3
kube-bench run --targets=master | grep 1.3.2

2

查看 /var/lib/etcd 的权限

ll /var/lib/etcd

kube-benc-2-1

权限为root:root, 需要设置为 etcd:etcd

chown -R etcd:etcd /var/lib/etcd  #设置文件夹权限为etcd:etcd

3

切换到 cluster2-node1 ,对node进行检查

ssh cluster2-node1

kube-bench run --targets=node

检查 /var/lib/kubelet/config.yaml 权限,权限为777,需要修改权限为644

ll /var/lib/kubelet/config.yaml
chmod 644 /var/lib/kubelet/config.yaml

4

检查 client-ca-file

kube-bench run --targets=node | grep client-ca-file

验证时通过的,无需修改

kube-benc-2-2