3.2.8 Ensure that the --hostname-override argument is not set

Information

Do not override node hostnames.

Rationale:

Overriding hostnames could potentially break TLS setup between the kubelet and the apiserver. Additionally, with overridden hostnames, it becomes increasingly difficult to associate logs with a particular node and process them for security analytics. Hence, you should set up your kubelet nodes with resolvable FQDNs and avoid overriding the hostnames with IPs. --hostname-override may also have some undefined/unsupported behaviors.

Solution

Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and remove the --hostname-override argument from the KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:

systemctl daemon-reload
systemctl restart kubelet.service
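
A way to verify the result on a node, as an added example that is not part of the benchmark text: it checks both the drop-in file named above and the arguments of the running kubelet. The function names are hypothetical, the sample lines are constructed, and the process check assumes Linux with pgrep and /proc.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit a kubelet drop-in file and the
# running kubelet for --hostname-override. Function names are hypothetical.

DROPIN=/etc/systemd/system/kubelet.service.d/10-kubeadm.conf  # path from the Solution text

# Return 0 if TEXT passes --hostname-override as an argument on a non-comment line.
has_hostname_override() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
        grep -Eq -- '(^|[[:space:]="])--hostname-override([[:space:]="]|$)'
}

# Check one drop-in file: 0 = compliant, 1 = flag present, 2 = file unreadable.
check_dropin() {
    [ -r "$1" ] || { echo "SKIP: cannot read $1"; return 2; }
    if has_hostname_override "$(cat "$1")"; then
        echo "FAIL: --hostname-override is set in $1"; return 1
    fi
    echo "PASS: --hostname-override is not set in $1"
}

# Check the live process: its command line shows the arguments actually in
# effect. Assumes Linux with pgrep and /proc available.
check_process() {
    for pid in $(pgrep -x kubelet 2>/dev/null); do
        if has_hostname_override "$(tr '\0' ' ' < "/proc/$pid/cmdline")"; then
            echo "FAIL: kubelet pid $pid runs with --hostname-override"; return 1
        fi
    done
    echo "PASS: no running kubelet uses --hostname-override"
}

# Constructed sample lines, used to exercise the matcher offline.
SAMPLE_BAD='Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests --hostname-override=10.0.0.5"'
SAMPLE_OK='Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests"'
SAMPLE_COMMENT='# old: --hostname-override=10.0.0.5'

# On a worker node, run:  check_dropin "$DROPIN"; check_process
```

Run the check again after restarting the kubelet, because a change to the drop-in file only reaches the process arguments once the service has restarted.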

Default Value:

See the GKE documentation for the default value.

See Also

https://workbench.cisecurity.org/files/4135

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|5

Plugin: Unix

Control ID: c5c6dd6f5c79a82cd4c06b8c5b2bad764f6c911c48b9127a924ffba8a1d3b3b3