From 6534f67ebef17156b30c84ebd6733ead886af596 Mon Sep 17 00:00:00 2001
From: Taylor Price
Date: Fri, 12 Jul 2019 09:54:04 -0700
Subject: [PATCH] remove todo

---
 content/rancher/v2.x/en/security/benchmark-2.2/_index.md | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/content/rancher/v2.x/en/security/benchmark-2.2/_index.md b/content/rancher/v2.x/en/security/benchmark-2.2/_index.md
index 338423a0d66..d6cbbdee39c 100644
--- a/content/rancher/v2.x/en/security/benchmark-2.2/_index.md
+++ b/content/rancher/v2.x/en/security/benchmark-2.2/_index.md
@@ -315,7 +315,6 @@ docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--token-auth-file=.*
 RKE is using the kubelet's ability to automatically create self-signed certs. No CA cert is saved to verify the communication between `kube-apiserver` and `kubelet`.
 **Mitigation**
-@TODO: See what happens when you give RKE a private cert.
 Make sure nodes with `role:controlplane` are on the same local network as your nodes with `role:worker`. Use network ACLs to restrict connections to the kubelet port (10250/tcp) on worker nodes, only permitting it from controlplane nodes.
@@ -1228,9 +1227,11 @@ docker inspect etcd | jq -e '.[0].Args[] | match("--peer-auto-tls(?:(?!=false).*
 #### 1.5.7 - Ensure that a unique Certificate Authority is used for `etcd` (Not Scored)
-**Notes**
+**Mitigation**
-RKE does not currently implement a separate CA for etcd certificates. This could be remediated by managing an external etcd cluster.
+RKE supports connecting to an external etcd cluster. This external cluster could be configured with its own discreet CA.
+
+**Notes**
 `--trusted-ca-file` is set and different from the `--client-ca-file` used by `kube-apiserver`.
@@ -1242,7 +1243,7 @@ docker inspect etcd | jq -e '.[0].Args[] | match("--trusted-ca-file=(?:(?!/etc/k
 **Returned Value:** `null`
-**Result:** Fail
+**Result:** Pass (See Mitigation)
 #### 1.6 - General Security Primitives