k3s doc: Update protect-kernel-defaults and remove failing checks note

This commit is contained in:
Andy Pitcher
2023-09-07 14:50:49 -04:00
parent ef47c32541
commit ec43045b57


@@ -21,8 +21,7 @@ This hardening guide is intended to be used for K3s clusters and is associated w
| Rancher v2.7 | Benchmark v1.7 | Kubernetes v1.25 up to v1.26 |
:::note
- In Benchmark v1.24 and later, some check ids might fail due to new file permission requirements (600 instead of 644). Impacted check ids: `1.1.15`, `1.1.17` and `4.1.15`.
- In Benchmark v1.7, the `--protect-kernel-defaults` (`4.2.6`) parameter isn't required anymore, and was removed by CIS.
- In Benchmark v1.7, the `--protect-kernel-defaults` (`4.2.6`) parameter isn't required anymore, and was removed by CIS.
:::
For more details on how to evaluate a hardened K3s cluster against the official CIS benchmark, refer to the K3s self-assessment guides for specific Kubernetes and CIS benchmark versions.
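Review bot: the two `--protect-kernel-defaults` (`4.2.6`) note lines read identically in this hunk, so the edit to that bullet looks like a no-op (or a whitespace-only change); either make the intended wording change visible, e.g. "is no longer required and was removed by CIS in Benchmark v1.7", or drop the duplicate line so the note keeps a single bullet. The removal of the file-permission bullet matches the commit message, so that part is fine.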
@@ -38,6 +37,28 @@ The first section (1.1) of the CIS Benchmark primarily focuses on pod manifest
## Host-level Requirements
### Ensure `protect-kernel-defaults` is set
<Tabs groupId="k3s-version">
<TabItem value="v1.25 and Newer" default>
`protect-kernel-defaults` is no longer required since CIS benchmark 1.7.
</TabItem>
<TabItem value="v1.24 and Older">
This is a kubelet flag that will cause the kubelet to exit if the required kernel parameters are unset or are set to values that are different from the kubelet's defaults.
The `protect-kernel-defaults` flag can be set in the cluster configuration in Rancher.
```yaml
spec:
rkeConfig:
machineSelectorConfig:
- config:
protect-kernel-defaults: true
```
### Set kernel parameters
The following `sysctl` configuration is recommended for all nodes type in the cluster. Set the following parameters in `/etc/sysctl.d/90-kubelet.conf`:
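Review bot: the `<TabItem value="v1.24 and Older">` opened in this hunk is never closed; there is no `</TabItem>` and no `</Tabs>` between the yaml block and the `### Set kernel parameters` heading, so everything that follows (the sysctl section onward) would render inside that tab. Add the two closing tags after the fenced yaml block, matching the `</TabItem>` that closes the "v1.25 and Newer" tab. Also, the context line "recommended for all nodes type in the cluster" should read "all node types", since it is in the touched region.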
@@ -709,6 +730,7 @@ spec:
- config:
kubelet-arg:
- make-iptables-util-chains=true # CIS 4.2.7
protect-kernel-defaults: true # CIS 4.2.6
```
</TabItem>
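Review bot: the line `protect-kernel-defaults: true # CIS 4.2.6` keeps a reference to check `4.2.6`, which the note added earlier in this same commit says was removed in Benchmark v1.7. If this example sits under a v1.25-and-newer tab, drop the line (or at least the check id); if it is the v1.24-and-older tab, state that in the comment so the two parts of the guide do not appear to contradict each other.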