Detections
Analytics

Ensure that the --protect-kernel-defaults argument is set to true

LOW

Description

Description:

Protect tuned kernel parameters from overriding kubelet default kernel parameter values.

Rationale:

Kernel parameters are usually tuned and hardened by the system administrators before putting the systems into production. These parameters protect the kernel and the system. Your kubelet kernel defaults that rely on such parameters should be appropriately set to match the desired secured system state. Ignoring this could potentially lead to running pods with undesired kernel behavior.

You would have to re-tune kernel parameters to match kubelet parameters.

Remediation

Remediation Method 1:

If modifying the Kubelet config file, edit the kubelet-config.json file '/etc/kubernetes/kubelet/kubelet-config.json' and set the below parameter to true

"protectKernelDefaults":

Remediation Method 2:

If using a Kubelet config file, edit the file to set 'protectKernelDefaults' to 'true'.

If using executable arguments, edit the kubelet service file '/etc/systemd/system/kubelet.service.d/10-kubelet-args.conf' on each worker node and add the below parameter at the end of the 'KUBELET_ARGS' variable string.

----protect-kernel-defaults=true

Remediation Method 3:

If using the api configz endpoint consider searching for the status of '"protectKernelDefaults":' by extracting the live configuration from the nodes running kubelet.

**See detailed step-by-step configmap procedures in Reconfigure a Node's Kubelet in a Live Cluster, and then rerun the curl statement from audit process to check for kubelet configuration changes

kubectl proxy --port=8001 &

export HOSTNAME_PORT=localhost:8001 (example host and port number)
export NODE_NAME=ip-192.168.31.226.ec2.internal (example node name from "kubectl get nodes")

curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"

For all three remediations:
Based on your system, restart the 'kubelet' service and check status

systemctl daemon-reload
systemctl restart kubelet.service
systemctl status kubelet -l
.

Policy Details

Rule Reference ID: AC_K8S_0012
CSP: Kubernetes
Remediation Available: No
Domain: Identity and Access Management
Resource: kubernetes_kubelet_configuration
Resource Category: Management
Resource Type: Kublet Configuration

Frameworks