• 使用kube-bench检测Kubernetes集群安全


    一.系统环境

    本文主要基于Kubernetes1.22.2和Linux操作系统Ubuntu 18.04。

    服务器版本 docker软件版本 Kubernetes(k8s)集群版本 kube-bench版本 CPU架构
    Ubuntu 18.04.5 LTS Docker version 20.10.14 v1.22.2 0.6.7 x86_64

    Kubernetes集群架构:k8scludes1作为master节点,k8scludes2,k8scludes3作为worker节点。

    服务器 操作系统版本 CPU架构 进程 功能描述
    k8scludes1/192.168.110.128 Ubuntu 18.04.5 LTS x86_64 docker,kube-apiserver,etcd,kube-scheduler,kube-controller-manager,kubelet,kube-proxy,coredns,calico k8s master节点
    k8scludes2/192.168.110.129 Ubuntu 18.04.5 LTS x86_64 docker,kubelet,kube-proxy,calico k8s worker节点
    k8scludes3/192.168.110.130 Ubuntu 18.04.5 LTS x86_64 docker,kubelet,kube-proxy,calico k8s worker节点

    二.前言

    在当今云原生应用的开发中,Kubernetes已经成为标准,然而,随着其使用的普及,也带来了安全问题的挑战。本文将向你介绍如何使用kube-bench工具来评估和增强你的Kubernetes集群的安全性。

    使用kube-bench检测Kubernete集群安全的前提是已经有一套可以正常运行的Kubernetes集群,关于Kubernetes(k8s)集群的安装部署,可以查看博客《Ubuntu 安装部署Kubernetes(k8s)集群》https://www.cnblogs.com/renshengdezheli/p/17632858.html。

    三.CIS (Center for Internet Security)简介

    CIS(Center for Internet Security)是一家致力于网络安全的非营利组织。它提供一系列针对各种操作系统和应用程序的基线安全标准,这些标准被广泛认可,是防止网络攻击的有效手段。

    CIS基准是由美国计算机互联网安全中心(Center for Internet Security,简称CIS)制定的一系列全球公认的最佳实践标准,用于保护系统和数据免受威胁。这些基准包括了各种技术平台和系统的配置指南,例如操作系统、网络设备、移动设备、服务器应用等。

    CIS基准提供了详细的步骤来保护特定系统,每个步骤都有清晰的说明和建议。此外,它还提供了用于评估系统是否符合CIS基准的自动化工具。遵循CIS基准能帮助组织降低安全风险并增强合规性。

    在Kubernetes环境中,CIS Kubernetes基准就是一套针对Kubernetes的安全配置最佳实践。例如,CIS Kubernetes基准会涵盖如何配置kubelet,如何限制API服务器上的权限等内容。

    CIS官网为:https://www.cisecurity.org/,CIS的Kubernetes Benchmark文件下载方法如下:

    进入CIS(Center for Internet Security)官网。

    image-20230817164210605

    找到CIS Benchmarks,点击DOWNLOAD LATEST。

    image-20230817164427362

    我们需要的是kubernetes的benchmarks,找到Kubernetes,点击DOWNLOAD THE BENCHMARK。

    image-20230817164552973

    填写信息,就可以免费下载kubernetes的Benchmark PDF文件了。

    image-20230817164920146

    下载之后得到的文件为:CIS_Kubernetes_Benchmark_v1.6.0.pdf。

    或者直接去https://downloads.cisecurity.org/#/下载,找到kubernetes,选择合适的版本下载即可。

    image-20230817165221588

    四.什么是Kube-Bench?

    Kube-Bench是一个开源的Go语言工具,用于自动化检查Kubernetes集群是否符合CIS Kubernetes基准。这些基准包括一系列关于Kubernetes配置和部署安全性的建议和最佳实践。

    Kube-Bench执行了一系列针对Kubernetes组件(如kube-apiserver、etcd、kube-scheduler、kube-controller-manager等)的测试,来检查它们是否按照CIS基准的推荐进行了配置。测试结果会被分类为PASS、FAIL或WARN,以清晰明了地显示哪些地方需要改进。

    Kube-Bench是在运行时检查Kubernetes环境的工具,它并不会修改系统。你可以定期运行kube-bench来审计你的Kubernetes环境,确保其保持在最佳的安全状态。

    kube-bench在GitHub的网址为:https://github.com/aquasecurity/kube-bench/

    可在 https://github.com/aquasecurity/kube-bench/tags 下载kube-bench工具。

    选择版本,点击Downloads。

    image-20230817170059316

    下载kube-bench_0.6.17_linux_amd64.tar.gz。

    image-20230817170328455

    五.使用kube-bench检测不安全的设置

    5.1 手动设置不安全的参数

    按照CIS_Kubernetes_Benchmark文件设置kubernetes集群安全有点麻烦,我们使用工具kube-bench检测kubernetes集群安全。

    创建备份目录。

    root@k8scludes1:~# mkdir /bak
    

    把/etc/kubernetes/manifests/下的文件备份,后面要修改配置文件,如果修改错误之后可以复原。

    root@k8scludes1:~# cd /etc/kubernetes/manifests/
    
    root@k8scludes1:/etc/kubernetes/manifests# ls
    etcd.yaml  kube-apiserver.yaml  kube-controller-manager.yaml  kube-scheduler.yaml
    
    #cp -a: 递归复制,复制的数据会保留原有数据的时间戳等信息(具体:时间戳+所有权+复制连结文件属性而非档案本身)
    #cp -r: 递归复制,复制的数据会使用新的时间戳等信息
    root@k8scludes1:/etc/kubernetes/manifests# cp -a * /bak/
    

    现在文件就备份好了。

    root@k8scludes1:/etc/kubernetes/manifests# ls /bak/
    etcd.yaml  kube-apiserver.yaml  kube-controller-manager.yaml  kube-scheduler.yaml
    

    我们把etcd.yaml文件里的client-cert-auth=true改为client-cert-auth=false。

    root@k8scludes1:/etc/kubernetes/manifests# pwd
    /etc/kubernetes/manifests
    
    root@k8scludes1:/etc/kubernetes/manifests# ls
    etcd.yaml  kube-apiserver.yaml  kube-controller-manager.yaml  kube-scheduler.yaml
    
    root@k8scludes1:/etc/kubernetes/manifests# vim etcd.yaml 
    
    root@k8scludes1:/etc/kubernetes/manifests# grep client-cert-auth etcd.yaml
        - --client-cert-auth=false
        - --peer-client-cert-auth=true
    

    我们把authorization-mode授权模式改为AlwaysAllow。

    root@k8scludes1:/etc/kubernetes/manifests# vim kube-apiserver.yaml 
    
    root@k8scludes1:/etc/kubernetes/manifests# grep authorization-mode kube-apiserver.yaml 
          # - --authorization-mode=Node,RBAC
        - --authorization-mode=AlwaysAllow
    

    重启kubelet使配置生效。

    root@k8scludes1:/etc/kubernetes/manifests# systemctl restart kubelet
    
    root@k8scludes1:/etc/kubernetes/manifests# systemctl status kubelet
    ● kubelet.service - kubelet: The Kubernetes Node Agent
       Loaded: loaded (/lib/systemd/system/kubelet.service; enabled; vendor preset: enabled)
      Drop-In: /etc/systemd/system/kubelet.service.d
               └─10-kubeadm.conf
       Active: active (running) since Sun 2022-04-17 16:14:24 CST; 9s ago
         Docs: https://kubernetes.io/docs/home/
     Main PID: 49107 (kubelet)
        Tasks: 16 (limit: 3295)
       CGroup: /system.slice/kubelet.service
    

    5.2 安装kube-bench

    kube-bench我们已经下载好了,没有下载的可以去这个网站下载:https://github.com/aquasecurity/kube-bench/tags

    root@k8scludes1:~# ls
    kube-bench_0.6.7_linux_amd64.tar.gz  
    

    解压kube-bench_0.6.7_linux_amd64.tar.gz之后得到cfg和kube-bench。

    root@k8scludes1:~# tar xf kube-bench_0.6.7_linux_amd64.tar.gz 
    
    root@k8scludes1:~# ls
    cfg  kube-bench  kube-bench_0.6.7_linux_amd64.tar.gz  
    

    进入 cfg目录,cfg/config.yaml包含了master包含哪些组件,配置文件放在哪里,需要去哪里读取配置文件等等,如果k8s的某些配置文件自定义放到了某个目录,修改config.yaml里的相应目录就行。

    root@k8scludes1:~# ls cfg/
    ack-1.0  aks-1.0  cis-1.20  cis-1.5  cis-1.6  config.yaml  eks-1.0.1  gke-1.0  gke-1.2.0  rh-0.7  rh-1.0
    
    root@k8scludes1:~# cd cfg/cis-1.6/
    
    #etcd.yaml文件记录了需要检测etcd的信息
    root@k8scludes1:~/cfg/cis-1.6# ls
    config.yaml  controlplane.yaml  etcd.yaml  master.yaml  node.yaml  policies.yaml
    

    5.3 kube-bench检测etcd组件

    kube-bench V0.31版本执行方法为:./kube-bench ,./kube-bench master(检测master设置) ,./kube-bench node(检测worker设置),但是新版本kube-bench不能这样执行。

    root@k8scludes1:~/cfg# cd
    
    root@k8scludes1:~# ./kube-bench node
    Error: unknown command "node" for "./kube-bench"
    Run './kube-bench --help' for usage.
    unknown command "node" for "./kube-bench"
    

    执行新版本kube-bench需要指定配置目录,检测语法为:./kube-bench --config-dir 配置目录 --config 配置文件 run --targets=需要检测的组件。

    root@k8scludes1:~# pwd
    /root
    
    root@k8scludes1:~# ls
    cfg  kube-bench  kube-bench_0.6.7_linux_amd64.tar.gz 
    
    #--targets=检测的组件就是cfg/cis-1.6/目录下的那些组件
    root@k8scludes1:~# ls cfg/cis-1.6/
    config.yaml  controlplane.yaml  etcd.yaml  master.yaml  node.yaml  policies.yaml
    

    我们现在使用kube-bench开始检测etcd组件,可以看到etcd组件有6个PASS,1个FAIL。

    root@k8scludes1:~# pwd
    /root
    
    root@k8scludes1:~# ls
    cfg  kube-bench  kube-bench_0.6.7_linux_amd64.tar.gz  
    
    root@k8scludes1:~# ./kube-bench --config-dir `pwd`/cfg --config `pwd`/cfg/config.yaml run --targets=etcd
    Warning: Kubernetes version was not auto-detected because kubectl could not connect to the Kubernetes server. This may be because the kubeconfig information is missing or has credentials that do not match the server. Assuming default version 1.18
    Warning: Kubernetes version was not auto-detected because kubectl could not connect to the Kubernetes server. This may be because the kubeconfig information is missing or has credentials that do not match the server. Assuming default version 1.18
    [INFO] 2 Etcd Node Configuration
    [INFO] 2 Etcd Node Configuration Files
    [PASS] 2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)
    [FAIL] 2.2 Ensure that the --client-cert-auth argument is set to true (Automated)
    [PASS] 2.3 Ensure that the --auto-tls argument is not set to true (Automated)
    [PASS] 2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)
    [PASS] 2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)
    [PASS] 2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)
    [PASS] 2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)
    
    == Remediations etcd ==
    2.2 Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master
    node and set the below parameter.
    --client-cert-auth="true"
    
    
    == Summary etcd ==
    6 checks PASS
    1 checks FAIL
    0 checks WARN
    0 checks INFO
    
    == Summary total ==
    6 checks PASS
    1 checks FAIL
    0 checks WARN
    0 checks INFO
    

    根据kube-bench的报错信息:“[FAIL] 2.2 Ensure that the --client-cert-auth argument is set to true (Automated)”,表明--client-cert-auth参数应该设置为true。

    Remediations etcd告诉我们解决的办法,按照提示修改/etc/kubernetes/manifests/etcd.yaml的--client-cert-auth参数。

    root@k8scludes1:~# vim /etc/kubernetes/manifests/etcd.yaml
    
    root@k8scludes1:~# grep client-cert-auth /etc/kubernetes/manifests/etcd.yaml
        - --client-cert-auth=true
        - --peer-client-cert-auth=true
    

    重启kubelet让参数生效。

    root@k8scludes1:~# systemctl restart kubelet
    
    root@k8scludes1:~# kubectl get node
    NAME         STATUS   ROLES                  AGE   VERSION
    k8scludes1   Ready    control-plane,master   26h   v1.22.2
    k8scludes2   Ready    <none>                 23h   v1.22.2
    k8scludes3   Ready    <none>                 23h   v1.22.2
    

    使用kube-bench重新检测etcd组件,现在etcd组件就全是PASS状态了,etcd没有安全隐患了。

    root@k8scludes1:~# ./kube-bench --config-dir `pwd`/cfg --config `pwd`/cfg/config.yaml run --targets=etcd
    [INFO] 2 Etcd Node Configuration
    [INFO] 2 Etcd Node Configuration Files
    [PASS] 2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)
    [PASS] 2.2 Ensure that the --client-cert-auth argument is set to true (Automated)
    [PASS] 2.3 Ensure that the --auto-tls argument is not set to true (Automated)
    [PASS] 2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)
    [PASS] 2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)
    [PASS] 2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)
    [PASS] 2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)
    
    == Summary etcd ==
    7 checks PASS
    0 checks FAIL
    0 checks WARN
    0 checks INFO
    
    == Summary total ==
    7 checks PASS
    0 checks FAIL
    0 checks WARN
    0 checks INFO
    

    5.4 kube-bench检测master节点

    现在检测master节点,master节点参数很多,输出信息太多了,我把PASS的信息删除了。

    可以看到master节点有39个PASS,14个FAIL,11个WARN。

    root@k8scludes1:~# ./kube-bench --config-dir `pwd`/cfg --config `pwd`/cfg/config.yaml run --targets=master
    [INFO] 1 Master Node Security Configuration
    [INFO] 1.1 Master Node Configuration Files
    [PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
    ......
    ......
    [INFO] 1.2 API Server
    [WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)
    [PASS] 1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)
    ......
    [FAIL] 1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)
    [FAIL] 1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
    [FAIL] 1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)
    [FAIL] 1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)
    ......
    [PASS] 1.2.19 Ensure that the --secure-port argument is not set to 0 (Automated)
    [FAIL] 1.2.20 Ensure that the --profiling argument is set to false (Automated)
    [FAIL] 1.2.21 Ensure that the --audit-log-path argument is set (Automated)
    [FAIL] 1.2.22 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)
    [FAIL] 1.2.23 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)
    [FAIL] 1.2.24 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)
    [WARN] 1.2.25 Ensure that the --request-timeout argument is set as appropriate (Manual)
    [PASS] 1.2.26 Ensure that the --service-account-lookup argument is set to true (Automated)
    [PASS] 1.2.27 Ensure that the --service-account-key-file argument is set as appropriate (Automated)
    ......
    [FAIL] 1.4.1 Ensure that the --profiling argument is set to false (Automated)
    [PASS] 1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)
    
    == Remediations master ==
    1.1.9 Run the below command (based on the file location on your system) on the master node.
    For example,
    chmod 644 <path/to/cni/files>
    ......
    
    1.2.6 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
    on the master node and set the --authorization-mode parameter to values other than AlwaysAllow.
    One such example could be as below.
    --authorization-mode=RBAC
    
    1.2.7 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
    on the master node and set the --authorization-mode parameter to a value that includes Node.
    --authorization-mode=Node,RBAC
    
    ......
    
    1.2.20 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
    on the master node and set the below parameter.
    --profiling=false
    
    1.2.21 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
    on the master node and set the --audit-log-path parameter to a suitable path and
    file where you would like audit logs to be written, for example:
    --audit-log-path=/var/log/apiserver/audit.log
    ......
    1.4.1 Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file
    on the master node and set the below parameter.
    --profiling=false
    
    
    == Summary master ==
    39 checks PASS
    14 checks FAIL
    11 checks WARN
    0 checks INFO
    
    == Summary total ==
    39 checks PASS
    14 checks FAIL
    11 checks WARN
    0 checks INFO
    

    查看1.2.6的报错信息:“1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)“,表示-authorization-mode不应该设置为AlwaysAllow,应该设置为--authorization-mode=Node,RBAC,按照提示修改。

    root@k8scludes1:~# vim /etc/kubernetes/manifests/kube-apiserver.yaml
    
    root@k8scludes1:~# grep authorization-mode /etc/kubernetes/manifests/kube-apiserver.yaml
        - --authorization-mode=Node,RBAC
    

    1.2.20的报错信息为:“[FAIL] 1.2.20 Ensure that the --profiling argument is set to false (Automated) “,表示--profiling参数应该设置为false。

    根据提示信息:”1.2.20 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
    on the master node and set the below parameter. --profiling=false“。修改参数。

    root@k8scludes1:~# vim /etc/kubernetes/manifests/kube-apiserver.yaml
    
    root@k8scludes1:~# grep profiling /etc/kubernetes/manifests/kube-apiserver.yaml
        - --profiling=false
    

    重启kubelet使配置生效。

    root@k8scludes1:~# systemctl restart kubelet
    
    root@k8scludes1:~# kubectl get node
    NAME         STATUS   ROLES                  AGE   VERSION
    k8scludes1   Ready    control-plane,master   36h   v1.22.2
    k8scludes2   Ready    <none>                 33h   v1.22.2
    k8scludes3   Ready    <none>                 33h   v1.22.2
    

    使用kube-bench重新检测master节点,现在pass变多了,FAIL变少了。

    root@k8scludes1:~# ./kube-bench --config-dir `pwd`/cfg --config `pwd`/cfg/config.yaml run --targets=master
    [INFO] 1 Master Node Security Configuration
    [INFO] 1.1 Master Node Configuration Files
    [PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
    [PASS] 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)
    [PASS] 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)
    [PASS] 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Automated)
    ......
    [PASS] 1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
    [PASS] 1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)
    [PASS] 1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)
    [WARN] 1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual)
    [PASS] 1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)
    [WARN] 1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)
    [WARN] 1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)
    [PASS] 1.2.13 Ensure that the admission control plugin ServiceAccount is set (Automated)
    [PASS] 1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)
    [FAIL] 1.2.15 Ensure that the admission control plugin PodSecurityPolicy is set (Automated)
    [PASS] 1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)
    [PASS] 1.2.17 Ensure that the --insecure-bind-address argument is not set (Automated)
    [FAIL] 1.2.18 Ensure that the --insecure-port argument is set to 0 (Automated)
    [PASS] 1.2.19 Ensure that the --secure-port argument is not set to 0 (Automated)
    [PASS] 1.2.20 Ensure that the --profiling argument is set to false (Automated)
    ......
    == Remediations master ==
    ......
    == Summary master ==
    43 checks PASS
    10 checks FAIL
    11 checks WARN
    0 checks INFO
    
    == Summary total ==
    43 checks PASS
    10 checks FAIL
    11 checks WARN
    0 checks INFO
    

    5.5 kube-bench检测worker节点

    把kube-bench安装包拷贝到kubernetes集群的worker节点。

    root@k8scludes1:~# scp kube-bench_0.6.7_linux_amd64.tar.gz k8scludes2:~/
    

    解压。

    root@k8scludes2:~# ls
    kube-bench_0.6.7_linux_amd64.tar.gz  
    
    root@k8scludes2:~# tar xf kube-bench_0.6.7_linux_amd64.tar.gz 
    
    root@k8scludes2:~# ls
    cfg  kube-bench  kube-bench_0.6.7_linux_amd64.tar.gz  
    

    使用kube-bench检测kubernetes集群的worker节点,可以看到19个PASS,1个FAIL,3个WARN。

    root@k8scludes2:~# ./kube-bench --config-dir `pwd`/cfg --config `pwd`/cfg/config.yaml run --targets=node
    Warning: Kubernetes version was not auto-detected because kubectl could not connect to the Kubernetes server. This may be because the kubeconfig information is missing or has credentials that do not match the server. Assuming default version 1.18
    Warning: Kubernetes version was not auto-detected because kubectl could not connect to the Kubernetes server. This may be because the kubeconfig information is missing or has credentials that do not match the server. Assuming default version 1.18
    [INFO] 4 Worker Node Security Configuration
    [INFO] 4.1 Worker Node Configuration Files
    ......
    [PASS] 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)
    [FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)
    [PASS] 4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)
    [PASS] 4.2.8 Ensure that the --hostname-override argument is not set (Manual)
    [WARN] 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)
    [WARN] 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)
    [PASS] 4.2.11 Ensure that the --rotate-certificates argument is not set to false (Manual)
    [PASS] 4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)
    [WARN] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)
    
    == Remediations node ==
    4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
    If using command line arguments, edit the kubelet service file
    /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
    set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
    --protect-kernel-defaults=true
    Based on your system, restart the kubelet service. For example:
    systemctl daemon-reload
    systemctl restart kubelet.service
    
    4.2.9 If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
    If using command line arguments, edit the kubelet service file
    /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
    set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
    Based on your system, restart the kubelet service. For example:
    systemctl daemon-reload
    systemctl restart kubelet.service
    
    4.2.10 If using a Kubelet config file, edit the file to set tlsCertFile to the location
    of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile
    to the location of the corresponding private key file.
    If using command line arguments, edit the kubelet service file
    /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
    set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
    --tls-cert-file=<path/to/tls-certificate-file>
    --tls-private-key-file=<path/to/tls-key-file>
    Based on your system, restart the kubelet service. For example:
    systemctl daemon-reload
    systemctl restart kubelet.service
    
    4.2.13 If using a Kubelet config file, edit the file to set TLSCipherSuites: to
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
    or to a subset of these values.
    If using executable arguments, edit the kubelet service file
    /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
    set the --tls-cipher-suites parameter as follows, or to a subset of these values.
    --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
    Based on your system, restart the kubelet service. For example:
    systemctl daemon-reload
    systemctl restart kubelet.service
    
    == Summary node ==
    19 checks PASS
    1 checks FAIL
    3 checks WARN
    0 checks INFO
    
    == Summary total ==
    19 checks PASS
    1 checks FAIL
    3 checks WARN
    0 checks INFO
    

    可以看到4.2.6的FAIL报错信息为:“[FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)”。Remediations node已经告诉我们修改方法。

    查看kubelet的配置参数,--config=/var/lib/kubelet/config.yaml。

    root@k8scludes2:~# ps -ef | grep kubelet | grep -v grep
    root       1010      1  2 09:58 ?        00:01:44 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --network-plugin=cni --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.5
    

    查看kubelet的启动脚本。

    root@k8scludes2:~# systemctl status kubelet
    ● kubelet.service - kubelet: The Kubernetes Node Agent
       Loaded: loaded (/lib/systemd/system/kubelet.service; enabled; vendor preset: enabled)
      Drop-In: /etc/systemd/system/kubelet.service.d
               └─10-kubeadm.conf
       Active: active (running) since Mon 2022-04-18 09:58:12 CST; 1h 28min ago
         Docs: https://kubernetes.io/docs/home/
     Main PID: 1010 (kubelet)
        Tasks: 16 (limit: 3295)
       CGroup: /system.slice/kubelet.service
               └─1010 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --network-plugin=cni --pod-infra-
    

    修改/etc/systemd/system/kubelet.service.d/10-kubeadm.conf,根据kube-bench的提示,添加环境变量Environment="KUBELET_SYSTEM_PODS_ARGS=--protect-kernel-defaults=true",并且要在ExecStart里引用变量$KUBELET_SYSTEM_PODS_ARGS。

    root@k8scludes2:~# vim /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
    
    root@k8scludes2:~# cat /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
    # Note: This dropin only works with kubeadm and kubelet v1.11+
    [Service]
    Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
    Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
    Environment="KUBELET_SYSTEM_PODS_ARGS=--protect-kernel-defaults=true"
    # This is a file that "kubeadm init" and "kubeadm join" generates at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically
    EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
    # This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use
    # the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file.
    EnvironmentFile=-/etc/default/kubelet
    ExecStart=
    ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS $KUBELET_SYSTEM_PODS_ARGS
    

    重新加载配置文件。

    root@k8scludes2:~# systemctl daemon-reload ; systemctl restart kubelet
    

    现在就可以看到--protect-kernel-defaults=true参数了。

    root@k8scludes2:~# ps -ef | grep kubelet | grep -v grep
    root      73612      1  4 11:34 ?        00:00:01 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --network-plugin=cni --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.5 --protect-kernel-defaults=true
    

    再次使用kube-bench检测kubernetes集群的worker节点,现在就没有FAIL了。

    root@k8scludes2:~# ./kube-bench --config-dir `pwd`/cfg --config `pwd`/cfg/config.yaml run --targets=node
    Warning: Kubernetes version was not auto-detected because kubectl could not connect to the Kubernetes server. This may be because the kubeconfig information is missing or has credentials that do not match the server. Assuming default version 1.18
    Warning: Kubernetes version was not auto-detected because kubectl could not connect to the Kubernetes server. This may be because the kubeconfig information is missing or has credentials that do not match the server. Assuming default version 1.18
    [INFO] 4 Worker Node Security Configuration
    [INFO] 4.1 Worker Node Configuration Files
    [PASS] 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)
    ......
    [WARN] 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)
    [WARN] 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)
    [PASS] 4.2.11 Ensure that the --rotate-certificates argument is not set to false (Manual)
    [PASS] 4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)
    [WARN] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)
    
    == Remediations node ==
    4.2.9 If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
    If using command line arguments, edit the kubelet service file
    /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
    set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
    Based on your system, restart the kubelet service. For example:
    systemctl daemon-reload
    systemctl restart kubelet.service
    ......
    == Summary node ==
    20 checks PASS
    0 checks FAIL
    3 checks WARN
    0 checks INFO
    
    == Summary total ==
    20 checks PASS
    0 checks FAIL
    3 checks WARN
    0 checks INFO
    

    注意:--protect-kernel-defaults=true该参数的作用就是保护内核参数不被随意修改,现在protect-kernel-defaults不设置为true了,因为我们后面要修改内核参数,不然修改内核参数之后pod无法正常运行。

    root@k8scludes2:~# vim /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
    
    root@k8scludes2:~# cat /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
    # Note: This dropin only works with kubeadm and kubelet v1.11+
    [Service]
    Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
    Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
    #Environment="KUBELET_SYSTEM_PODS_ARGS=--protect-kernel-defaults=true"
    # This is a file that "kubeadm init" and "kubeadm join" generates at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically
    EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
    # This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use
    # the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file.
    EnvironmentFile=-/etc/default/kubelet
    ExecStart=
    ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS 
    

    重新加载配置文件。

    root@k8scludes2:~# systemctl daemon-reload ; systemctl restart kubelet
    

    现在--protect-kernel-defaults参数就消失了。

    root@k8scludes2:~# ps -ef | grep kubelet | grep -v grep
    root      79852      1 10 11:42 ?        00:00:00 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --network-plugin=cni --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.5
    

    六.总结

    kube-bench是一款强大的工具,它可以帮助我们发现哪些Kubernetes配置没有遵循CIS的最佳实践,从而改正这些问题,增强我们的Kubernetes集群的安全性。虽然kube-bench不能捕获所有可能的安全问题,但它至少可以帮助我们消除最常见的一些安全漏洞。

    七.附加信息

    请注意,kube-bench只是一个检查工具,它不能自动修复发现的问题。它提供的是关于哪些配置可能需要您的注意的信息。对于任何可能的配置更改,都需要由具备相应知识的管理员审慎决定并手动实施。

  • 相关阅读:
    便携式电热水壶外贸出口欧洲CE认证准备资料
    怎么修改linux的root@后面的名称
    k8s学习--kubernetes服务自动伸缩之水平收缩(pod副本收缩)HPA详细解释与案例应用
    若依框架解读(微服务版)——2.模块间的调用逻辑(ruoyi-api模块)(OpenFeign)
    MyBatis查询数据库(1)-------JavaEE
    8个独立站海外营销工具
    Oracle EBS R12 DBA(一)
    Python性能优化实录
    CUDA学习笔记4——自定义设备函数
    超越传统:明懿金汇定义现代金融服务
  • 原文地址:https://www.cnblogs.com/renshengdezheli/p/17640119.html