From 4c5d2b98208bd0acd2cf5654b84590fc4859daaf Mon Sep 17 00:00:00 2001
From: dhruvmewada15
Date: Wed, 16 Mar 2022 18:49:16 +0530
Subject: [PATCH] Updated 1.6-hardening-v2.5 guide and Self-Assessment guide

---
 .../en/security/rancher-2.5/1.6-benchmark-2.5/_index.md | 8 ++++----
 .../en/security/rancher-2.5/1.6-hardening-2.5/_index.md | 6 ++++++
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/content/rancher/v2.5/en/security/rancher-2.5/1.6-benchmark-2.5/_index.md b/content/rancher/v2.5/en/security/rancher-2.5/1.6-benchmark-2.5/_index.md
index 57b65e5b004..e0dc1e45c5d 100644
--- a/content/rancher/v2.5/en/security/rancher-2.5/1.6-benchmark-2.5/_index.md
+++ b/content/rancher/v2.5/en/security/rancher-2.5/1.6-benchmark-2.5/_index.md
@@ -1803,13 +1803,13 @@ on the master node and ensure the correct value for the --bind-address parameter
 **Expected Result**:
 ```console
-'--bind-address' is not present OR '--bind-address' is not present
+'--bind-address' argument is set to 127.0.0.1
 ```
 **Returned Value**:
 ```console
-root 4788 4773 4 16:16 ? 00:00:09 kube-controller-manager --configure-cloud-routes=false --cloud-provider= --service-cluster-ip-range=10.43.0.0/16 --v=2 --pod-eviction-timeout=5m0s --leader-elect=true --cluster-cidr=10.42.0.0/16 --kubeconfig=/etc/kubernetes/ssl/kubecfg-kube-controller-manager.yaml --profiling=false --node-monitor-grace-period=40s --service-account-private-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem --address=0.0.0.0 --allow-untagged-cloud=true --root-ca-file=/etc/kubernetes/ssl/kube-ca.pem --allocate-node-cidrs=true --enable-hostpath-provisioner=false --terminated-pod-gc-threshold=1000 --feature-gates=RotateKubeletServerCertificate=true --use-service-account-credentials=true
+root 4788 4773 4 16:16 ? 00:00:09 kube-controller-manager --configure-cloud-routes=false --cloud-provider= --service-cluster-ip-range=10.43.0.0/16 --v=2 --bind-address=127.0.0.1 --pod-eviction-timeout=5m0s --leader-elect=true --cluster-cidr=10.42.0.0/16 --kubeconfig=/etc/kubernetes/ssl/kubecfg-kube-controller-manager.yaml --profiling=false --node-monitor-grace-period=40s --service-account-private-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem --address=127.0.0.1 --allow-untagged-cloud=true --root-ca-file=/etc/kubernetes/ssl/kube-ca.pem --allocate-node-cidrs=true --enable-hostpath-provisioner=false --terminated-pod-gc-threshold=1000 --feature-gates=RotateKubeletServerCertificate=true --use-service-account-credentials=true
 ```
 ## 1.4 Scheduler
@@ -1859,13 +1859,13 @@ on the master node and ensure the correct value for the --bind-address parameter
 **Expected Result**:
 ```console
-'--bind-address' is not present OR '--bind-address' is not present
+'--bind-address' argument is set to 127.0.0.1
 ```
 **Returned Value**:
 ```console
-root 4947 4930 1 16:16 ? 00:00:02 kube-scheduler --kubeconfig=/etc/kubernetes/ssl/kubecfg-kube-scheduler.yaml --leader-elect=true --profiling=false --v=2 --address=0.0.0.0
+root 4947 4930 1 16:16 ? 00:00:02 kube-scheduler --kubeconfig=/etc/kubernetes/ssl/kubecfg-kube-scheduler.yaml --leader-elect=true --profiling=false --v=2 --address=127.0.0.1 --bind-address=127.0.0.1
 ```
 ## 2 Etcd Node Configuration Files
diff --git a/content/rancher/v2.5/en/security/rancher-2.5/1.6-hardening-2.5/_index.md b/content/rancher/v2.5/en/security/rancher-2.5/1.6-hardening-2.5/_index.md
index 0b6497f2e1f..d628bfd8c5a 100644
--- a/content/rancher/v2.5/en/security/rancher-2.5/1.6-hardening-2.5/_index.md
+++ b/content/rancher/v2.5/en/security/rancher-2.5/1.6-hardening-2.5/_index.md
@@ -511,6 +511,8 @@ rancher_kubernetes_engine_config:
 kube_controller:
 extra_args:
 feature-gates: RotateKubeletServerCertificate=true
+ bind-address: 127.0.0.1
+ address: 127.0.0.1
 kubelet:
 extra_args:
 feature-gates: RotateKubeletServerCertificate=true
@@ -519,6 +521,10 @@ rancher_kubernetes_engine_config:
 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
 fail_swap_on: false
 generate_serving_certificate: true
+ scheduler:
+ extra_args:
+ bind-address: 127.0.0.1
+ address: 127.0.0.1
 ssh_agent_auth: false
 upgrade_strategy:
 max_unavailable_controlplane: '1'