
Google GKE Compliance Audit Configuration File Paths

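This table lists the compliance audits performed on Kubernetes clusters in Google Kubernetes Engine (GKE). For each audit it shows the audit command and all possible values of the variable that command uses: the candidate configuration file paths for $proxykubeconfig and $kubeletconf, and the candidate process names for $kubeletbin. The file permission and ownership audits (3.1.x) run stat only on a path that exists on the node, so a missing file produces no output.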

ID Name Audit All Possible Configuration Paths
3.1.1 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored) /bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'

"/etc/kubernetes/kubelet-kubeconfig"

"/var/lib/kubelet/kubeconfig"

"/var/snap/microk8s/current/credentials/proxy.config"

3.1.2 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored) /bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'

"/etc/kubernetes/kubelet-kubeconfig"

"/var/lib/kubelet/kubeconfig"

"/var/snap/microk8s/current/credentials/proxy.config"

3.1.3 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored) /bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'

"/var/lib/kubelet/config.yaml"

"/var/lib/kubelet/config.yml"

"/etc/kubernetes/kubelet/kubelet-config.json"

"/home/kubernetes/kubelet-config.yaml"

"/home/kubernetes/kubelet-config.yml"

"/etc/default/kubeletconfig.json"

"/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig"

"/var/snap/kubelet/current/args"

"/var/snap/microk8s/current/args/kubelet"

"/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"

"/etc/systemd/system/kubelet.service"

"/lib/systemd/system/kubelet.service"

"/etc/systemd/system/snap.kubelet.daemon.service"

"/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.1.4 Ensure that the kubelet configuration file ownership is set to root:root (Scored) /bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'

"/var/lib/kubelet/config.yaml"

"/var/lib/kubelet/config.yml"

"/etc/kubernetes/kubelet/kubelet-config.json"

"/home/kubernetes/kubelet-config.yaml"

"/home/kubernetes/kubelet-config.yml"

"/etc/default/kubeletconfig.json"

"/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig"

"/var/snap/kubelet/current/args"

"/var/snap/microk8s/current/args/kubelet"

"/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"

"/etc/systemd/system/kubelet.service"

"/lib/systemd/system/kubelet.service"

"/etc/systemd/system/snap.kubelet.daemon.service"

"/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.2.1 Ensure that the --anonymous-auth argument is set to false (Scored)

/bin/ps -fC $kubeletbin

or

/bin/cat $kubeletconf

"hyperkube kubelet"

"kubelet"

"/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)

/bin/ps -fC $kubeletbin

or

/bin/cat $kubeletconf

"hyperkube kubelet"

"kubelet"

"/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.2.3 Ensure that the --client-ca-file argument is set as appropriate (Scored)

/bin/ps -fC $kubeletbin

or

/bin/cat $kubeletconf

"hyperkube kubelet"

"kubelet"

"/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.2.4 Ensure that the --read-only-port argument is set to 0 (Scored)

/bin/ps -fC $kubeletbin

or

/bin/cat $kubeletconf

"hyperkube kubelet"

"kubelet"

"/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)

/bin/ps -fC $kubeletbin

or

/bin/cat $kubeletconf

"hyperkube kubelet"

"kubelet"

"/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Scored)

/bin/ps -fC $kubeletbin

or

/bin/cat $kubeletconf

"hyperkube kubelet"

"kubelet"

"/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Scored)

/bin/ps -fC $kubeletbin

or

/bin/cat $kubeletconf

"hyperkube kubelet"

"kubelet"

"/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.2.8 Ensure that the --hostname-override argument is not set (Scored)

/bin/ps -fC $kubeletbin

or

/bin/cat $kubeletconf

"hyperkube kubelet"

"kubelet"

"/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Scored) /bin/ps -fC $kubeletbin

"hyperkube kubelet"

"kubelet"

3.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)

/bin/ps -fC $kubeletbin

or

/bin/cat $kubeletconf

"hyperkube kubelet"

"kubelet"

"/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.2.11 Ensure that the --rotate-certificates argument is not set to false (Scored)

/bin/ps -fC $kubeletbin

or

/bin/cat $kubeletconf

"hyperkube kubelet"

"kubelet"

"/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.2.12 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)

/bin/ps -fC $kubeletbin

or

/bin/cat $kubeletconf

"hyperkube kubelet"

"kubelet"

"/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

 

 

 

 

Google GKE Compliance Audit Configuration File Paths

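This table lists the compliance audits performed on Kubernetes clusters in Google Kubernetes Engine (GKE). For each audit it shows the audit command and all possible values of the variable that command uses: the candidate configuration file paths for $proxykubeconfig and $kubeletconf, and the candidate process names for $kubeletbin. The file permission and ownership audits (3.1.x) run stat only on a path that exists on the node, so a missing file produces no output.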

ID Name Audit All Possible Configuration Paths
3.1.1 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored) /bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'

"/etc/kubernetes/kubelet-kubeconfig"

"/var/lib/kubelet/kubeconfig"

"/var/snap/microk8s/current/credentials/proxy.config"

3.1.2 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored) /bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'

"/etc/kubernetes/kubelet-kubeconfig"

"/var/lib/kubelet/kubeconfig"

"/var/snap/microk8s/current/credentials/proxy.config"

3.1.3 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored) /bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'

"/var/lib/kubelet/config.yaml"

"/var/lib/kubelet/config.yml"

"/etc/kubernetes/kubelet/kubelet-config.json"

"/home/kubernetes/kubelet-config.yaml"

"/home/kubernetes/kubelet-config.yml"

"/etc/default/kubeletconfig.json"

"/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig"

"/var/snap/kubelet/current/args"

"/var/snap/microk8s/current/args/kubelet"

"/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"

"/etc/systemd/system/kubelet.service"

"/lib/systemd/system/kubelet.service"

"/etc/systemd/system/snap.kubelet.daemon.service"

"/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.1.4 Ensure that the kubelet configuration file ownership is set to root:root (Scored) /bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'

"/var/lib/kubelet/config.yaml"

"/var/lib/kubelet/config.yml"

"/etc/kubernetes/kubelet/kubelet-config.json"

"/home/kubernetes/kubelet-config.yaml"

"/home/kubernetes/kubelet-config.yml"

"/etc/default/kubeletconfig.json"

"/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig"

"/var/snap/kubelet/current/args"

"/var/snap/microk8s/current/args/kubelet"

"/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"

"/etc/systemd/system/kubelet.service"

"/lib/systemd/system/kubelet.service"

"/etc/systemd/system/snap.kubelet.daemon.service"

"/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.2.1 Ensure that the --anonymous-auth argument is set to false (Scored)

/bin/ps -fC $kubeletbin

or

/bin/cat $kubeletconf

"hyperkube kubelet"

"kubelet"

"/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)

/bin/ps -fC $kubeletbin

or

/bin/cat $kubeletconf

"hyperkube kubelet"

"kubelet"

"/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.2.3 Ensure that the --client-ca-file argument is set as appropriate (Scored)

/bin/ps -fC $kubeletbin

or

/bin/cat $kubeletconf

"hyperkube kubelet"

"kubelet"

"/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.2.4 Ensure that the --read-only-port argument is set to 0 (Scored)

/bin/ps -fC $kubeletbin

or

/bin/cat $kubeletconf

"hyperkube kubelet"

"kubelet"

"/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)

/bin/ps -fC $kubeletbin

or

/bin/cat $kubeletconf

"hyperkube kubelet"

"kubelet"

"/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Scored)

/bin/ps -fC $kubeletbin

or

/bin/cat $kubeletconf

"hyperkube kubelet"

"kubelet"

"/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Scored)

/bin/ps -fC $kubeletbin

or

/bin/cat $kubeletconf

"hyperkube kubelet"

"kubelet"

"/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.2.8 Ensure that the --hostname-override argument is not set (Scored)

/bin/ps -fC $kubeletbin

or

/bin/cat $kubeletconf

"hyperkube kubelet"

"kubelet"

"/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Scored) /bin/ps -fC $kubeletbin

"hyperkube kubelet"

"kubelet"

3.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)

/bin/ps -fC $kubeletbin

or

/bin/cat $kubeletconf

"hyperkube kubelet"

"kubelet"

"/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.2.11 Ensure that the --rotate-certificates argument is not set to false (Scored)

/bin/ps -fC $kubeletbin

or

/bin/cat $kubeletconf

"hyperkube kubelet"

"kubelet"

"/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"

3.2.12 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)

/bin/ps -fC $kubeletbin

or

/bin/cat $kubeletconf

"hyperkube kubelet"

"kubelet"

"/var/lib/kubelet/config.yaml" "/var/lib/kubelet/config.yml" "/etc/kubernetes/kubelet/kubelet-config.json" "/home/kubernetes/kubelet-config.yaml" "/home/kubernetes/kubelet-config.yml" "/etc/default/kubeletconfig.json" "/etc/default/kubelet"

"/var/lib/kubelet/kubeconfig" "/var/snap/kubelet/current/args" "/var/snap/microk8s/current/args/kubelet" "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" "/etc/systemd/system/kubelet.service" "/lib/systemd/system/kubelet.service" "/etc/systemd/system/snap.kubelet.daemon.service" "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"