FYI re CIS test 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true

[davidhay1969]

Purely FYI, just spent a happy hour or two trying to work out how to mitigate CIS 4.2.6: -

Ensure that the --protect-kernel-defaults argument is set to true

in my K8s v1.19.1 cluster.

Running kube-bench as follows: -

kube-bench run --targets node --version 1.19 --config-dir $GOPATH/src/github.com/aquasecurity/kube-bench/cfg/

I had one FAIL : -

[FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)

== Remediations node ==
4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service

I modified the kubelet configuration file: -

vi /etc/systemd/system/kubelet.service.d/10-kubeadm.conf

and inserted: -

Environment="KUBELET_SYSTEM_PODS_ARGS=--protect-kernel-defaults=true"

and restarted kubelet : -

systemctl daemon-reload
systemctl restart kubelet.service

and checked the configuration: -

systemctl show --property=Environment kubelet

Environment=[unprintable] KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml KUBELET_SYSTEM_PODS_ARGS=--protect-kernel-defaults=true

BUT kube-bench still threw the same FAIL

😢 😢 😢

Then I realised what a doofus I was ....

I was setting the KUBELET_SYSTEM_PODS_ARGS variable BUT not actually using it 🤦

I further edited 10-kubeadm.conf and changed from: -

ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS

to: -

ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS $KUBELET_SYSTEM_PODS_ARGS

and again restarted kubelet : -

systemctl daemon-reload
systemctl restart kubelet.service

I also validated how kubelet was now running: -

ps -eaf | grep kubelet

root     24007     1  2 14:58 ?        00:00:13 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --network-plugin=cni --pod-infra-container-image=k8s.gcr.io/pause:3.2 --protect-kernel-defaults=true

This time, all is good: -

kube-bench run --targets node --version 1.19 --config-dir $GOPATH/src/github.com/aquasecurity/kube-bench/cfg/

[PASS] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)

Final point, in my single node K8s cluster, kubelet is running on BOTH the Master and Worker nodes, so I needed to make the change on BOTH.

Thanks for an awesome tool

Cheers, Dave

[yoavrotems]

@davidhay1969 Thank you for sharing your experience glad to hear kube-bench helped you !