2024-04-22 06:16:16,579 - xtesting.ci.run_tests - INFO - Deployment description:
+-------------------------+------------------------------------------------------------+
| ENV VAR                 | VALUE                                                      |
+-------------------------+------------------------------------------------------------+
| CI_LOOP                 | daily                                                      |
| DEBUG                   | false                                                      |
| DEPLOY_SCENARIO         | k8-nosdn-nofeature-noha                                    |
| INSTALLER_TYPE          | unknown                                                    |
| BUILD_TAG               | 0DMNO5XB885K                                               |
| NODE_NAME               | v1.29                                                      |
| TEST_DB_URL             | http://testresults.opnfv.org/test/api/v1/results           |
| TEST_DB_EXT_URL         | http://testresults.opnfv.org/test/api/v1/results           |
| S3_ENDPOINT_URL         | https://storage.googleapis.com                             |
| S3_DST_URL              | s3://artifacts.opnfv.org/functest-                         |
|                         | kubernetes/0DMNO5XB885K/functest-kubernetes-opnfv-         |
|                         | functest-kubernetes-                                       |
|                         | security-v1.29-kube_bench_node-run-10                      |
| HTTP_DST_URL            | http://artifacts.opnfv.org/functest-                       |
|                         | kubernetes/0DMNO5XB885K/functest-kubernetes-opnfv-         |
|                         | functest-kubernetes-                                       |
|                         | security-v1.29-kube_bench_node-run-10                      |
+-------------------------+------------------------------------------------------------+
2024-04-22 06:16:16,593 - xtesting.ci.run_tests - INFO - Loading test case 'kube_bench_node'...
2024-04-22 06:16:16,964 - xtesting.ci.run_tests - INFO - Running test case 'kube_bench_node'...
2024-04-22 06:16:17,044 - functest_kubernetes.security.security - INFO - Job kube-bench-node created 2024-04-22 06:16:30,217 - functest_kubernetes.security.security - INFO - kube-bench-node started in 13.25 sec 2024-04-22 06:16:30,270 - functest_kubernetes.security.security - INFO - {'Controls': [{'id': '4', 'version': 'cis-1.23', 'detected_version': '1.29', 'text': 'Worker Node Security Configuration', 'node_type': 'node', 'tests': [{'section': '4.1', 'type': '', 'pass': 10, 'fail': 0, 'warn': 0, 'info': 0, 'desc': 'Worker Node Configuration Files', 'results': [{'test_number': '4.1.1', 'test_desc': 'Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)', 'audit': "/bin/sh -c 'if test -e /etc/systemd/system/kubelet.service.d/10-kubeadm.conf; then stat -c permissions=%a /etc/systemd/system/kubelet.service.d/10-kubeadm.conf; fi' ", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the each worker node.\nFor example, chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\n', 'test_info': ['Run the below command (based on the file location on your system) on the each worker node.\nFor example, chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\n'], 'status': 'PASS', 'actual_value': 'permissions=644', 'scored': True, 'IsMultiple': False, 'expected_result': 'permissions has permissions 644, expected 644 or more restrictive'}, {'test_number': '4.1.2', 'test_desc': 'Ensure that the kubelet service file ownership is set to root:root (Automated)', 'audit': "/bin/sh -c 'if test -e /etc/systemd/system/kubelet.service.d/10-kubeadm.conf; then stat -c %U:%G /etc/systemd/system/kubelet.service.d/10-kubeadm.conf; fi' ", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the each worker node.\nFor example,\nchown root:root 
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf\n', 'test_info': ['Run the below command (based on the file location on your system) on the each worker node.\nFor example,\nchown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\n'], 'status': 'PASS', 'actual_value': 'root:root', 'scored': True, 'IsMultiple': False, 'expected_result': "'root:root' is present"}, {'test_number': '4.1.3', 'test_desc': 'If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)', 'audit': "/bin/sh -c 'if test -e /etc/kubernetes/proxy.conf; then stat -c permissions=%a /etc/kubernetes/proxy.conf; fi' ", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the each worker node.\nFor example,\nchmod 644 /etc/kubernetes/proxy.conf\n', 'test_info': ['Run the below command (based on the file location on your system) on the each worker node.\nFor example,\nchmod 644 /etc/kubernetes/proxy.conf\n'], 'status': 'PASS', 'actual_value': '', 'scored': False, 'IsMultiple': False, 'expected_result': "'permissions' is present OR '/etc/kubernetes/proxy.conf' is not present"}, {'test_number': '4.1.4', 'test_desc': 'If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)', 'audit': "/bin/sh -c 'if test -e /etc/kubernetes/proxy.conf; then stat -c %U:%G /etc/kubernetes/proxy.conf; fi' ", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the each worker node.\nFor example, chown root:root /etc/kubernetes/proxy.conf\n', 'test_info': ['Run the below command (based on the file location on your system) on the each worker node.\nFor example, chown root:root /etc/kubernetes/proxy.conf\n'], 'status': 'PASS', 'actual_value': '', 'scored': False, 'IsMultiple': False, 'expected_result': "'root:root' is present OR '/etc/kubernetes/proxy.conf' is not present"}, {'test_number': '4.1.5', 
'test_desc': 'Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)', 'audit': "/bin/sh -c 'if test -e /etc/kubernetes/kubelet.conf; then stat -c permissions=%a /etc/kubernetes/kubelet.conf; fi' ", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the each worker node.\nFor example,\nchmod 644 /etc/kubernetes/kubelet.conf\n', 'test_info': ['Run the below command (based on the file location on your system) on the each worker node.\nFor example,\nchmod 644 /etc/kubernetes/kubelet.conf\n'], 'status': 'PASS', 'actual_value': 'permissions=600', 'scored': True, 'IsMultiple': False, 'expected_result': 'permissions has permissions 600, expected 644 or more restrictive'}, {'test_number': '4.1.6', 'test_desc': 'Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)', 'audit': "/bin/sh -c 'if test -e /etc/kubernetes/kubelet.conf; then stat -c %U:%G /etc/kubernetes/kubelet.conf; fi' ", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the below command (based on the file location on your system) on the each worker node.\nFor example,\nchown root:root /etc/kubernetes/kubelet.conf\n', 'test_info': ['Run the below command (based on the file location on your system) on the each worker node.\nFor example,\nchown root:root /etc/kubernetes/kubelet.conf\n'], 'status': 'PASS', 'actual_value': 'root:root', 'scored': True, 'IsMultiple': False, 'expected_result': "'root:root' is present"}, {'test_number': '4.1.7', 'test_desc': 'Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)', 'audit': "CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')\nif test -z $CAFILE; then CAFILE=/etc/kubernetes/pki/ca.crt; fi\nif test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi\n", 
'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the following command to modify the file permissions of the\n--client-ca-file chmod 644 \n', 'test_info': ['Run the following command to modify the file permissions of the\n--client-ca-file chmod 644 \n'], 'status': 'PASS', 'actual_value': 'permissions=644', 'scored': False, 'IsMultiple': False, 'expected_result': 'permissions has permissions 644, expected 644 or more restrictive'}, {'test_number': '4.1.8', 'test_desc': 'Ensure that the client certificate authorities file ownership is set to root:root (Manual)', 'audit': "CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')\nif test -z $CAFILE; then CAFILE=/etc/kubernetes/pki/ca.crt; fi\nif test -e $CAFILE; then stat -c %U:%G $CAFILE; fi\n", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the following command to modify the ownership of the --client-ca-file.\nchown root:root \n', 'test_info': ['Run the following command to modify the ownership of the --client-ca-file.\nchown root:root \n'], 'status': 'PASS', 'actual_value': 'root:root', 'scored': False, 'IsMultiple': False, 'expected_result': "'root:root' is equal to 'root:root'"}, {'test_number': '4.1.9', 'test_desc': 'Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)', 'audit': "/bin/sh -c 'if test -e /var/lib/kubelet/config.yaml; then stat -c permissions=%a /var/lib/kubelet/config.yaml; fi' ", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the following command (using the config file location identified in the Audit step)\nchmod 644 /var/lib/kubelet/config.yaml\n', 'test_info': ['Run the following command (using the config file location identified in the Audit step)\nchmod 644 /var/lib/kubelet/config.yaml\n'], 'status': 'PASS', 'actual_value': 'permissions=644', 'scored': True, 'IsMultiple': False, 
'expected_result': 'permissions has permissions 644, expected 644 or more restrictive'}, {'test_number': '4.1.10', 'test_desc': 'Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)', 'audit': "/bin/sh -c 'if test -e /var/lib/kubelet/config.yaml; then stat -c %U:%G /var/lib/kubelet/config.yaml; fi' ", 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Run the following command (using the config file location identified in the Audit step)\nchown root:root /var/lib/kubelet/config.yaml\n', 'test_info': ['Run the following command (using the config file location identified in the Audit step)\nchown root:root /var/lib/kubelet/config.yaml\n'], 'status': 'PASS', 'actual_value': 'root:root', 'scored': True, 'IsMultiple': False, 'expected_result': "'root:root' is present"}]}, {'section': '4.2', 'type': '', 'pass': 9, 'fail': 1, 'warn': 3, 'info': 0, 'desc': 'Kubelet', 'results': [{'test_number': '4.2.1', 'test_desc': 'Ensure that the --anonymous-auth argument is set to false (Automated)', 'audit': '/bin/ps -fC kubelet', 'AuditEnv': '', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'If using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to\n`false`.\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n`--anonymous-auth=false`\nBased on your system, restart the kubelet service. 
For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['If using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to\n`false`.\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n`--anonymous-auth=false`\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'PASS', 'actual_value': 'apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n cacheTTL: 0s\n enabled: true\n x509:\n clientCAFile: /etc/kubernetes/pki/ca.crt\nauthorization:\n mode: Webhook\n webhook:\n cacheAuthorizedTTL: 0s\n cacheUnauthorizedTTL: 0s\ncgroupDriver: systemd\ncgroupRoot: /kubelet\nclusterDNS:\n- 10.96.0.10\nclusterDomain: cluster.local\ncontainerRuntimeEndpoint: ""\ncpuManagerReconcilePeriod: 0s\nevictionHard:\n imagefs.available: 0%\n nodefs.available: 0%\n nodefs.inodesFree: 0%\nevictionPressureTransitionPeriod: 0s\nfailSwapOn: false\nfileCheckFrequency: 0s\nhealthzBindAddress: 127.0.0.1\nhealthzPort: 10248\nhttpCheckFrequency: 0s\nimageGCHighThresholdPercent: 100\nimageMaximumGCAge: 0s\nimageMinimumGCAge: 0s\nkind: KubeletConfiguration\nlogging:\n flushFrequency: 0\n options:\n json:\n infoBufferSize: "0"\n verbosity: 0\nmemorySwap: {}\nnodeStatusReportFrequency: 0s\nnodeStatusUpdateFrequency: 0s\nrotateCertificates: true\nruntimeRequestTimeout: 0s\nshutdownGracePeriod: 0s\nshutdownGracePeriodCriticalPods: 0s\nstaticPodPath: /etc/kubernetes/manifests\nstreamingConnectionIdleTimeout: 0s\nsyncFrequency: 0s\nvolumeStatsAggPeriod: 0s', 'scored': True, 'IsMultiple': False, 'expected_result': "'{.authentication.anonymous.enabled}' is equal to 'false'"}, {'test_number': '4.2.2', 'test_desc': 'Ensure that the --authorization-mode argument is not set 
to AlwaysAllow (Automated)', 'audit': '/bin/ps -fC kubelet', 'AuditEnv': '', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'If using a Kubelet config file, edit the file to set `authorization.mode` to Webhook. If\nusing executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--authorization-mode=Webhook\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['If using a Kubelet config file, edit the file to set `authorization.mode` to Webhook. If\nusing executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--authorization-mode=Webhook\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'PASS', 'actual_value': 'apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n cacheTTL: 0s\n enabled: true\n x509:\n clientCAFile: /etc/kubernetes/pki/ca.crt\nauthorization:\n mode: Webhook\n webhook:\n cacheAuthorizedTTL: 0s\n cacheUnauthorizedTTL: 0s\ncgroupDriver: systemd\ncgroupRoot: /kubelet\nclusterDNS:\n- 10.96.0.10\nclusterDomain: cluster.local\ncontainerRuntimeEndpoint: ""\ncpuManagerReconcilePeriod: 0s\nevictionHard:\n imagefs.available: 0%\n nodefs.available: 0%\n nodefs.inodesFree: 0%\nevictionPressureTransitionPeriod: 0s\nfailSwapOn: false\nfileCheckFrequency: 0s\nhealthzBindAddress: 127.0.0.1\nhealthzPort: 10248\nhttpCheckFrequency: 0s\nimageGCHighThresholdPercent: 100\nimageMaximumGCAge: 0s\nimageMinimumGCAge: 0s\nkind: KubeletConfiguration\nlogging:\n flushFrequency: 0\n options:\n json:\n infoBufferSize: "0"\n verbosity: 0\nmemorySwap: 
{}\nnodeStatusReportFrequency: 0s\nnodeStatusUpdateFrequency: 0s\nrotateCertificates: true\nruntimeRequestTimeout: 0s\nshutdownGracePeriod: 0s\nshutdownGracePeriodCriticalPods: 0s\nstaticPodPath: /etc/kubernetes/manifests\nstreamingConnectionIdleTimeout: 0s\nsyncFrequency: 0s\nvolumeStatsAggPeriod: 0s', 'scored': True, 'IsMultiple': False, 'expected_result': "'{.authorization.mode}' does not have 'AlwaysAllow'"}, {'test_number': '4.2.3', 'test_desc': 'Ensure that the --client-ca-file argument is set as appropriate (Automated)', 'audit': '/bin/ps -fC kubelet', 'AuditEnv': '', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'If using a Kubelet config file, edit the file to set `authentication.x509.clientCAFile` to\nthe location of the client CA file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--client-ca-file=\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['If using a Kubelet config file, edit the file to set `authentication.x509.clientCAFile` to\nthe location of the client CA file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--client-ca-file=\nBased on your system, restart the kubelet service. 
For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'PASS', 'actual_value': 'apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n cacheTTL: 0s\n enabled: true\n x509:\n clientCAFile: /etc/kubernetes/pki/ca.crt\nauthorization:\n mode: Webhook\n webhook:\n cacheAuthorizedTTL: 0s\n cacheUnauthorizedTTL: 0s\ncgroupDriver: systemd\ncgroupRoot: /kubelet\nclusterDNS:\n- 10.96.0.10\nclusterDomain: cluster.local\ncontainerRuntimeEndpoint: ""\ncpuManagerReconcilePeriod: 0s\nevictionHard:\n imagefs.available: 0%\n nodefs.available: 0%\n nodefs.inodesFree: 0%\nevictionPressureTransitionPeriod: 0s\nfailSwapOn: false\nfileCheckFrequency: 0s\nhealthzBindAddress: 127.0.0.1\nhealthzPort: 10248\nhttpCheckFrequency: 0s\nimageGCHighThresholdPercent: 100\nimageMaximumGCAge: 0s\nimageMinimumGCAge: 0s\nkind: KubeletConfiguration\nlogging:\n flushFrequency: 0\n options:\n json:\n infoBufferSize: "0"\n verbosity: 0\nmemorySwap: {}\nnodeStatusReportFrequency: 0s\nnodeStatusUpdateFrequency: 0s\nrotateCertificates: true\nruntimeRequestTimeout: 0s\nshutdownGracePeriod: 0s\nshutdownGracePeriodCriticalPods: 0s\nstaticPodPath: /etc/kubernetes/manifests\nstreamingConnectionIdleTimeout: 0s\nsyncFrequency: 0s\nvolumeStatsAggPeriod: 0s', 'scored': True, 'IsMultiple': False, 'expected_result': "'{.authentication.x509.clientCAFile}' is present"}, {'test_number': '4.2.4', 'test_desc': 'Ensure that the --read-only-port argument is set to 0 (Manual)', 'audit': '/bin/ps -fC kubelet', 'AuditEnv': '', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'If using a Kubelet config file, edit the file to set `readOnlyPort` to 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--read-only-port=0\nBased on your system, restart the kubelet 
service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['If using a Kubelet config file, edit the file to set `readOnlyPort` to 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--read-only-port=0\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'PASS', 'actual_value': 'apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n cacheTTL: 0s\n enabled: true\n x509:\n clientCAFile: /etc/kubernetes/pki/ca.crt\nauthorization:\n mode: Webhook\n webhook:\n cacheAuthorizedTTL: 0s\n cacheUnauthorizedTTL: 0s\ncgroupDriver: systemd\ncgroupRoot: /kubelet\nclusterDNS:\n- 10.96.0.10\nclusterDomain: cluster.local\ncontainerRuntimeEndpoint: ""\ncpuManagerReconcilePeriod: 0s\nevictionHard:\n imagefs.available: 0%\n nodefs.available: 0%\n nodefs.inodesFree: 0%\nevictionPressureTransitionPeriod: 0s\nfailSwapOn: false\nfileCheckFrequency: 0s\nhealthzBindAddress: 127.0.0.1\nhealthzPort: 10248\nhttpCheckFrequency: 0s\nimageGCHighThresholdPercent: 100\nimageMaximumGCAge: 0s\nimageMinimumGCAge: 0s\nkind: KubeletConfiguration\nlogging:\n flushFrequency: 0\n options:\n json:\n infoBufferSize: "0"\n verbosity: 0\nmemorySwap: {}\nnodeStatusReportFrequency: 0s\nnodeStatusUpdateFrequency: 0s\nrotateCertificates: true\nruntimeRequestTimeout: 0s\nshutdownGracePeriod: 0s\nshutdownGracePeriodCriticalPods: 0s\nstaticPodPath: /etc/kubernetes/manifests\nstreamingConnectionIdleTimeout: 0s\nsyncFrequency: 0s\nvolumeStatsAggPeriod: 0s', 'scored': False, 'IsMultiple': False, 'expected_result': "'{.readOnlyPort}' is present OR '{.readOnlyPort}' is not present"}, {'test_number': '4.2.5', 'test_desc': 'Ensure that the --streaming-connection-idle-timeout argument is not set to 
0 (Manual)', 'audit': '/bin/ps -fC kubelet', 'AuditEnv': '', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'If using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a\nvalue other than 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--streaming-connection-idle-timeout=5m\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['If using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a\nvalue other than 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--streaming-connection-idle-timeout=5m\nBased on your system, restart the kubelet service. 
For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'PASS', 'actual_value': 'apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n cacheTTL: 0s\n enabled: true\n x509:\n clientCAFile: /etc/kubernetes/pki/ca.crt\nauthorization:\n mode: Webhook\n webhook:\n cacheAuthorizedTTL: 0s\n cacheUnauthorizedTTL: 0s\ncgroupDriver: systemd\ncgroupRoot: /kubelet\nclusterDNS:\n- 10.96.0.10\nclusterDomain: cluster.local\ncontainerRuntimeEndpoint: ""\ncpuManagerReconcilePeriod: 0s\nevictionHard:\n imagefs.available: 0%\n nodefs.available: 0%\n nodefs.inodesFree: 0%\nevictionPressureTransitionPeriod: 0s\nfailSwapOn: false\nfileCheckFrequency: 0s\nhealthzBindAddress: 127.0.0.1\nhealthzPort: 10248\nhttpCheckFrequency: 0s\nimageGCHighThresholdPercent: 100\nimageMaximumGCAge: 0s\nimageMinimumGCAge: 0s\nkind: KubeletConfiguration\nlogging:\n flushFrequency: 0\n options:\n json:\n infoBufferSize: "0"\n verbosity: 0\nmemorySwap: {}\nnodeStatusReportFrequency: 0s\nnodeStatusUpdateFrequency: 0s\nrotateCertificates: true\nruntimeRequestTimeout: 0s\nshutdownGracePeriod: 0s\nshutdownGracePeriodCriticalPods: 0s\nstaticPodPath: /etc/kubernetes/manifests\nstreamingConnectionIdleTimeout: 0s\nsyncFrequency: 0s\nvolumeStatsAggPeriod: 0s', 'scored': False, 'IsMultiple': False, 'expected_result': "'{.streamingConnectionIdleTimeout}' is not equal to '0' OR '{.streamingConnectionIdleTimeout}' is not present"}, {'test_number': '4.2.6', 'test_desc': 'Ensure that the --protect-kernel-defaults argument is set to true (Automated)', 'audit': '/bin/ps -fC kubelet', 'AuditEnv': '', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'If using a Kubelet config file, edit the file to set `protectKernelDefaults` to `true`.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in 
KUBELET_SYSTEM_PODS_ARGS variable.\n--protect-kernel-defaults=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['If using a Kubelet config file, edit the file to set `protectKernelDefaults` to `true`.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--protect-kernel-defaults=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'FAIL', 'actual_value': 'apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n cacheTTL: 0s\n enabled: true\n x509:\n clientCAFile: /etc/kubernetes/pki/ca.crt\nauthorization:\n mode: Webhook\n webhook:\n cacheAuthorizedTTL: 0s\n cacheUnauthorizedTTL: 0s\ncgroupDriver: systemd\ncgroupRoot: /kubelet\nclusterDNS:\n- 10.96.0.10\nclusterDomain: cluster.local\ncontainerRuntimeEndpoint: ""\ncpuManagerReconcilePeriod: 0s\nevictionHard:\n imagefs.available: 0%\n nodefs.available: 0%\n nodefs.inodesFree: 0%\nevictionPressureTransitionPeriod: 0s\nfailSwapOn: false\nfileCheckFrequency: 0s\nhealthzBindAddress: 127.0.0.1\nhealthzPort: 10248\nhttpCheckFrequency: 0s\nimageGCHighThresholdPercent: 100\nimageMaximumGCAge: 0s\nimageMinimumGCAge: 0s\nkind: KubeletConfiguration\nlogging:\n flushFrequency: 0\n options:\n json:\n infoBufferSize: "0"\n verbosity: 0\nmemorySwap: {}\nnodeStatusReportFrequency: 0s\nnodeStatusUpdateFrequency: 0s\nrotateCertificates: true\nruntimeRequestTimeout: 0s\nshutdownGracePeriod: 0s\nshutdownGracePeriodCriticalPods: 0s\nstaticPodPath: /etc/kubernetes/manifests\nstreamingConnectionIdleTimeout: 0s\nsyncFrequency: 0s\nvolumeStatsAggPeriod: 0s', 'scored': True, 'IsMultiple': False, 'expected_result': "'{.protectKernelDefaults}' is present"}, 
{'test_number': '4.2.7', 'test_desc': 'Ensure that the --make-iptables-util-chains argument is set to true (Automated)', 'audit': '/bin/ps -fC kubelet', 'AuditEnv': '', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'If using a Kubelet config file, edit the file to set `makeIPTablesUtilChains` to `true`.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove the --make-iptables-util-chains argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['If using a Kubelet config file, edit the file to set `makeIPTablesUtilChains` to `true`.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove the --make-iptables-util-chains argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'PASS', 'actual_value': 'apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n cacheTTL: 0s\n enabled: true\n x509:\n clientCAFile: /etc/kubernetes/pki/ca.crt\nauthorization:\n mode: Webhook\n webhook:\n cacheAuthorizedTTL: 0s\n cacheUnauthorizedTTL: 0s\ncgroupDriver: systemd\ncgroupRoot: /kubelet\nclusterDNS:\n- 10.96.0.10\nclusterDomain: cluster.local\ncontainerRuntimeEndpoint: ""\ncpuManagerReconcilePeriod: 0s\nevictionHard:\n imagefs.available: 0%\n nodefs.available: 0%\n nodefs.inodesFree: 0%\nevictionPressureTransitionPeriod: 0s\nfailSwapOn: false\nfileCheckFrequency: 0s\nhealthzBindAddress: 127.0.0.1\nhealthzPort: 10248\nhttpCheckFrequency: 0s\nimageGCHighThresholdPercent: 100\nimageMaximumGCAge: 0s\nimageMinimumGCAge: 0s\nkind: KubeletConfiguration\nlogging:\n flushFrequency: 0\n options:\n json:\n infoBufferSize: "0"\n verbosity: 0\nmemorySwap: {}\nnodeStatusReportFrequency: 0s\nnodeStatusUpdateFrequency: 0s\nrotateCertificates: true\nruntimeRequestTimeout: 0s\nshutdownGracePeriod: 0s\nshutdownGracePeriodCriticalPods: 0s\nstaticPodPath: /etc/kubernetes/manifests\nstreamingConnectionIdleTimeout: 0s\nsyncFrequency: 0s\nvolumeStatsAggPeriod: 0s', 'scored': True, 'IsMultiple': False, 'expected_result': "'{.makeIPTablesUtilChains}' is present OR '{.makeIPTablesUtilChains}' is not present"}, {'test_number': '4.2.8', 'test_desc': 'Ensure that the --hostname-override argument is not set (Manual)', 'audit': '/bin/ps -fC kubelet ', 'AuditEnv': '', 'AuditConfig': '', 'type': '', 'remediation': 'Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and remove the --hostname-override argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. 
For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and remove the --hostname-override argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'PASS', 'actual_value': 'UID PID PPID C STIME TTY TIME CMD\nroot 269 1 2 Apr18 ? 01:54:51 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --container-runtime-endpoint=unix:///run/containerd/containerd.sock --node-ip=172.22.0.12 --node-labels= --pod-infra-container-image=registry.k8s.io/pause:3.9 --provider-id=kind://docker/v129/v129-worker2 --runtime-cgroups=/system.slice/containerd.service', 'scored': False, 'IsMultiple': False, 'expected_result': "'--hostname-override' is not present"}, {'test_number': '4.2.9', 'test_desc': 'Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)', 'audit': '/bin/ps -fC kubelet', 'AuditEnv': '', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'If using a Kubelet config file, edit the file to set `eventRecordQPS` to an appropriate level.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. 
For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['If using a Kubelet config file, edit the file to set `eventRecordQPS` to an appropriate level.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'WARN', 'actual_value': 'apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n cacheTTL: 0s\n enabled: true\n x509:\n clientCAFile: /etc/kubernetes/pki/ca.crt\nauthorization:\n mode: Webhook\n webhook:\n cacheAuthorizedTTL: 0s\n cacheUnauthorizedTTL: 0s\ncgroupDriver: systemd\ncgroupRoot: /kubelet\nclusterDNS:\n- 10.96.0.10\nclusterDomain: cluster.local\ncontainerRuntimeEndpoint: ""\ncpuManagerReconcilePeriod: 0s\nevictionHard:\n imagefs.available: 0%\n nodefs.available: 0%\n nodefs.inodesFree: 0%\nevictionPressureTransitionPeriod: 0s\nfailSwapOn: false\nfileCheckFrequency: 0s\nhealthzBindAddress: 127.0.0.1\nhealthzPort: 10248\nhttpCheckFrequency: 0s\nimageGCHighThresholdPercent: 100\nimageMaximumGCAge: 0s\nimageMinimumGCAge: 0s\nkind: KubeletConfiguration\nlogging:\n flushFrequency: 0\n options:\n json:\n infoBufferSize: "0"\n verbosity: 0\nmemorySwap: {}\nnodeStatusReportFrequency: 0s\nnodeStatusUpdateFrequency: 0s\nrotateCertificates: true\nruntimeRequestTimeout: 0s\nshutdownGracePeriod: 0s\nshutdownGracePeriodCriticalPods: 0s\nstaticPodPath: /etc/kubernetes/manifests\nstreamingConnectionIdleTimeout: 0s\nsyncFrequency: 0s\nvolumeStatsAggPeriod: 0s', 'scored': False, 'IsMultiple': False, 'expected_result': "'{.eventRecordQPS}' is present"}, {'test_number': '4.2.10', 'test_desc': 'Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)', 'audit': 
'/bin/ps -fC kubelet', 'AuditEnv': '', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'If using a Kubelet config file, edit the file to set `tlsCertFile` to the location\nof the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile`\nto the location of the corresponding private key file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameters in KUBELET_CERTIFICATE_ARGS variable.\n--tls-cert-file=\n--tls-private-key-file=\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['If using a Kubelet config file, edit the file to set `tlsCertFile` to the location\nof the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile`\nto the location of the corresponding private key file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameters in KUBELET_CERTIFICATE_ARGS variable.\n--tls-cert-file=\n--tls-private-key-file=\nBased on your system, restart the kubelet service. 
For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'WARN', 'actual_value': 'apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n cacheTTL: 0s\n enabled: true\n x509:\n clientCAFile: /etc/kubernetes/pki/ca.crt\nauthorization:\n mode: Webhook\n webhook:\n cacheAuthorizedTTL: 0s\n cacheUnauthorizedTTL: 0s\ncgroupDriver: systemd\ncgroupRoot: /kubelet\nclusterDNS:\n- 10.96.0.10\nclusterDomain: cluster.local\ncontainerRuntimeEndpoint: ""\ncpuManagerReconcilePeriod: 0s\nevictionHard:\n imagefs.available: 0%\n nodefs.available: 0%\n nodefs.inodesFree: 0%\nevictionPressureTransitionPeriod: 0s\nfailSwapOn: false\nfileCheckFrequency: 0s\nhealthzBindAddress: 127.0.0.1\nhealthzPort: 10248\nhttpCheckFrequency: 0s\nimageGCHighThresholdPercent: 100\nimageMaximumGCAge: 0s\nimageMinimumGCAge: 0s\nkind: KubeletConfiguration\nlogging:\n flushFrequency: 0\n options:\n json:\n infoBufferSize: "0"\n verbosity: 0\nmemorySwap: {}\nnodeStatusReportFrequency: 0s\nnodeStatusUpdateFrequency: 0s\nrotateCertificates: true\nruntimeRequestTimeout: 0s\nshutdownGracePeriod: 0s\nshutdownGracePeriodCriticalPods: 0s\nstaticPodPath: /etc/kubernetes/manifests\nstreamingConnectionIdleTimeout: 0s\nsyncFrequency: 0s\nvolumeStatsAggPeriod: 0s', 'scored': False, 'IsMultiple': False, 'expected_result': "'{.tlsCertFile}' is present AND '{.tlsPrivateKeyFile}' is present"}, {'test_number': '4.2.11', 'test_desc': 'Ensure that the --rotate-certificates argument is not set to false (Automated)', 'audit': '/bin/ps -fC kubelet', 'AuditEnv': '', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'If using a Kubelet config file, edit the file to add the line `rotateCertificates` to `true` or\nremove it altogether to use the default value.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove 
--rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS\nvariable.\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['If using a Kubelet config file, edit the file to add the line `rotateCertificates` to `true` or\nremove it altogether to use the default value.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS\nvariable.\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'PASS', 'actual_value': 'apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n cacheTTL: 0s\n enabled: true\n x509:\n clientCAFile: /etc/kubernetes/pki/ca.crt\nauthorization:\n mode: Webhook\n webhook:\n cacheAuthorizedTTL: 0s\n cacheUnauthorizedTTL: 0s\ncgroupDriver: systemd\ncgroupRoot: /kubelet\nclusterDNS:\n- 10.96.0.10\nclusterDomain: cluster.local\ncontainerRuntimeEndpoint: ""\ncpuManagerReconcilePeriod: 0s\nevictionHard:\n imagefs.available: 0%\n nodefs.available: 0%\n nodefs.inodesFree: 0%\nevictionPressureTransitionPeriod: 0s\nfailSwapOn: false\nfileCheckFrequency: 0s\nhealthzBindAddress: 127.0.0.1\nhealthzPort: 10248\nhttpCheckFrequency: 0s\nimageGCHighThresholdPercent: 100\nimageMaximumGCAge: 0s\nimageMinimumGCAge: 0s\nkind: KubeletConfiguration\nlogging:\n flushFrequency: 0\n options:\n json:\n infoBufferSize: "0"\n verbosity: 0\nmemorySwap: {}\nnodeStatusReportFrequency: 0s\nnodeStatusUpdateFrequency: 0s\nrotateCertificates: true\nruntimeRequestTimeout: 0s\nshutdownGracePeriod: 0s\nshutdownGracePeriodCriticalPods: 0s\nstaticPodPath: /etc/kubernetes/manifests\nstreamingConnectionIdleTimeout: 0s\nsyncFrequency: 0s\nvolumeStatsAggPeriod: 0s', 'scored': True, 'IsMultiple': False, 
'expected_result': "'{.rotateCertificates}' is equal to 'true' OR '{.rotateCertificates}' is not present"}, {'test_number': '4.2.12', 'test_desc': 'Verify that the RotateKubeletServerCertificate argument is set to true (Manual)', 'audit': '/bin/ps -fC kubelet', 'AuditEnv': '', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.\n--feature-gates=RotateKubeletServerCertificate=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.\n--feature-gates=RotateKubeletServerCertificate=true\nBased on your system, restart the kubelet service. 
For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'PASS', 'actual_value': 'apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n cacheTTL: 0s\n enabled: true\n x509:\n clientCAFile: /etc/kubernetes/pki/ca.crt\nauthorization:\n mode: Webhook\n webhook:\n cacheAuthorizedTTL: 0s\n cacheUnauthorizedTTL: 0s\ncgroupDriver: systemd\ncgroupRoot: /kubelet\nclusterDNS:\n- 10.96.0.10\nclusterDomain: cluster.local\ncontainerRuntimeEndpoint: ""\ncpuManagerReconcilePeriod: 0s\nevictionHard:\n imagefs.available: 0%\n nodefs.available: 0%\n nodefs.inodesFree: 0%\nevictionPressureTransitionPeriod: 0s\nfailSwapOn: false\nfileCheckFrequency: 0s\nhealthzBindAddress: 127.0.0.1\nhealthzPort: 10248\nhttpCheckFrequency: 0s\nimageGCHighThresholdPercent: 100\nimageMaximumGCAge: 0s\nimageMinimumGCAge: 0s\nkind: KubeletConfiguration\nlogging:\n flushFrequency: 0\n options:\n json:\n infoBufferSize: "0"\n verbosity: 0\nmemorySwap: {}\nnodeStatusReportFrequency: 0s\nnodeStatusUpdateFrequency: 0s\nrotateCertificates: true\nruntimeRequestTimeout: 0s\nshutdownGracePeriod: 0s\nshutdownGracePeriodCriticalPods: 0s\nstaticPodPath: /etc/kubernetes/manifests\nstreamingConnectionIdleTimeout: 0s\nsyncFrequency: 0s\nvolumeStatsAggPeriod: 0s', 'scored': False, 'IsMultiple': False, 'expected_result': "'{.featureGates.RotateKubeletServerCertificate}' is present OR '{.featureGates.RotateKubeletServerCertificate}' is not present"}, {'test_number': '4.2.13', 'test_desc': 'Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)', 'audit': '/bin/ps -fC kubelet', 'AuditEnv': '', 'AuditConfig': '/bin/cat /var/lib/kubelet/config.yaml', 'type': '', 'remediation': 'If using a Kubelet config file, edit the file to set `TLSCipherSuites` 
to\nTLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nor to a subset of these values.\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the --tls-cipher-suites parameter as follows, or to a subset of these values.\n--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n', 'test_info': ['If using a Kubelet config file, edit the file to set `TLSCipherSuites` to\nTLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nor to a subset of these values.\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the --tls-cipher-suites parameter as follows, or to a subset of these values.\n--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nBased on your system, restart the 
kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service\n'], 'status': 'WARN', 'actual_value': 'apiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n anonymous:\n enabled: false\n webhook:\n cacheTTL: 0s\n enabled: true\n x509:\n clientCAFile: /etc/kubernetes/pki/ca.crt\nauthorization:\n mode: Webhook\n webhook:\n cacheAuthorizedTTL: 0s\n cacheUnauthorizedTTL: 0s\ncgroupDriver: systemd\ncgroupRoot: /kubelet\nclusterDNS:\n- 10.96.0.10\nclusterDomain: cluster.local\ncontainerRuntimeEndpoint: ""\ncpuManagerReconcilePeriod: 0s\nevictionHard:\n imagefs.available: 0%\n nodefs.available: 0%\n nodefs.inodesFree: 0%\nevictionPressureTransitionPeriod: 0s\nfailSwapOn: false\nfileCheckFrequency: 0s\nhealthzBindAddress: 127.0.0.1\nhealthzPort: 10248\nhttpCheckFrequency: 0s\nimageGCHighThresholdPercent: 100\nimageMaximumGCAge: 0s\nimageMinimumGCAge: 0s\nkind: KubeletConfiguration\nlogging:\n flushFrequency: 0\n options:\n json:\n infoBufferSize: "0"\n verbosity: 0\nmemorySwap: {}\nnodeStatusReportFrequency: 0s\nnodeStatusUpdateFrequency: 0s\nrotateCertificates: true\nruntimeRequestTimeout: 0s\nshutdownGracePeriod: 0s\nshutdownGracePeriodCriticalPods: 0s\nstaticPodPath: /etc/kubernetes/manifests\nstreamingConnectionIdleTimeout: 0s\nsyncFrequency: 0s\nvolumeStatsAggPeriod: 0s', 'scored': False, 'IsMultiple': False, 'expected_result': "'{range .tlsCipherSuites[:]}{}{','}{end}' is present"}]}], 'total_pass': 19, 'total_fail': 1, 'total_warn': 3, 'total_info': 0}], 'Totals': {'total_pass': 19, 'total_fail': 1, 'total_warn': 3, 'total_info': 0}} 2024-04-22 06:16:30,277 - functest_kubernetes.security.security - ERROR - Ensure that the --protect-kernel-defaults argument is set to true (Automated) If using a Kubelet config file, edit the file to set `protectKernelDefaults` to `true`. 
If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
2024-04-22 06:16:30,279 - functest_kubernetes.security.security - WARNING - Targets:
+-------------------+------------------+-----------------------------------------+--------------+--------------+--------------+
| NODE_TYPE         | VERSION          | TEST_DESC                               | PASS         | FAIL         | WARN         |
+-------------------+------------------+-----------------------------------------+--------------+--------------+--------------+
| node              | cis-1.23         | Worker Node Configuration Files         | 10           | 0            | 0            |
| node              | cis-1.23         | Kubelet                                 | 9            | 1            | 3            |
+-------------------+------------------+-----------------------------------------+--------------+--------------+--------------+
2024-04-22 06:16:30,279 - xtesting.ci.run_tests - INFO - Test result:
+-------------------------+------------------+------------------+----------------+
| TEST CASE               | PROJECT          | DURATION         | RESULT         |
+-------------------------+------------------+------------------+----------------+
| kube_bench_node         | functest         | 00:13            | PASS           |
+-------------------------+------------------+------------------+----------------+
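The kubelet items in the report above (the protect-kernel-defaults FAIL, and 4.2.9 through 4.2.13) are all decided from /var/lib/kubelet/config.yaml. As an added example, not part of this functest log and not kube-bench or functest code, the Python below re-implements those decisions against a constructed config that carries the relevant keys of the kind worker's config.yaml as printed in the log, plus a hardened variant. Everything not in the log is an assumption: the check labels, the TLS file paths and the eventRecordQPS value in the hardened variant, `load_kubelet_config` needing PyYAML, the 4.2.12 rule (the printed expected_result, 'present OR not present', cannot fail, so this version flags only an explicit `false`), and the 4.2.13 rule, which also enforces the remediation's 'or to a subset of these values' clause where the printed expected_result only tests presence.

```python
"""Re-check the kubelet CIS items from the kube-bench report above against a
KubeletConfiguration. Added example, not kube-bench or functest code."""
import sys

# Cipher list quoted verbatim in the 4.2.13 remediation text.
STRONG_CIPHERS = frozenset({
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
})

# Constructed sample: the keys relevant here from the kind worker's config.yaml
# as printed in the log (no protectKernelDefaults, eventRecordQPS, TLS file
# paths or cipher list; rotateCertificates: true).
KIND_NODE_CONFIG = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {
        "anonymous": {"enabled": False},
        "webhook": {"enabled": True},
        "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},
    },
    "authorization": {"mode": "Webhook"},
    "healthzBindAddress": "127.0.0.1",
    "rotateCertificates": True,
    "staticPodPath": "/etc/kubernetes/manifests",
}

# Constructed hardened variant. The file paths and the QPS value are assumptions.
HARDENED_CONFIG = dict(
    KIND_NODE_CONFIG,
    protectKernelDefaults=True,
    eventRecordQPS=5,
    tlsCertFile="/var/lib/kubelet/pki/kubelet.crt",
    tlsPrivateKeyFile="/var/lib/kubelet/pki/kubelet.key",
    # A subset of the benchmark list: drop the two static-RSA key-exchange
    # suites, which give no forward secrecy.
    tlsCipherSuites=sorted(STRONG_CIPHERS - {
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
    }),
)


def check_kubelet_config(cfg):
    """Map each check to PASS/WARN/FAIL using the rules kube-bench printed.
    Items marked (Manual) in the report yield WARN rather than FAIL when unmet."""
    r = {}
    # protect-kernel-defaults (the ERROR above, Automated): must be literally true.
    r["protectKernelDefaults"] = "PASS" if cfg.get("protectKernelDefaults") is True else "FAIL"
    # 4.2.9 (Manual): kube-bench only tests that eventRecordQPS is present.
    r["4.2.9 eventRecordQPS"] = "PASS" if "eventRecordQPS" in cfg else "WARN"
    # 4.2.10 (Manual): both tlsCertFile and tlsPrivateKeyFile present.
    r["4.2.10 tlsCertFile/tlsPrivateKeyFile"] = (
        "PASS" if cfg.get("tlsCertFile") and cfg.get("tlsPrivateKeyFile") else "WARN")
    # 4.2.11 (Automated): rotateCertificates is true or absent (absent = default).
    r["4.2.11 rotateCertificates"] = (
        "PASS" if cfg.get("rotateCertificates", True) is True else "FAIL")
    # 4.2.12 (Manual): the printed expected_result ('present OR not present')
    # can never fail; this version flags only an explicit false (an assumption).
    gate = (cfg.get("featureGates") or {}).get("RotateKubeletServerCertificate", True)
    r["4.2.12 RotateKubeletServerCertificate"] = "PASS" if gate is not False else "WARN"
    # 4.2.13 (Manual): list present, and every entry from the strong list, as
    # the remediation's 'or to a subset of these values' clause requires.
    suites = cfg.get("tlsCipherSuites")
    if not suites:
        r["4.2.13 tlsCipherSuites"] = "WARN"
    elif set(suites) <= STRONG_CIPHERS:
        r["4.2.13 tlsCipherSuites"] = "PASS"
    else:
        r["4.2.13 tlsCipherSuites"] = "FAIL"
    return r


def summarize(results):
    """Counts in the same shape as the report's Totals block."""
    return {s: sum(1 for v in results.values() if v == s) for s in ("PASS", "FAIL", "WARN")}


def load_kubelet_config(path="/var/lib/kubelet/config.yaml"):
    """Read a real config file; needs PyYAML (assumed installed on the node)."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


if __name__ == "__main__":
    cfg = load_kubelet_config(sys.argv[1]) if len(sys.argv) > 1 else KIND_NODE_CONFIG
    results = check_kubelet_config(cfg)
    for check, status in results.items():
        print(f"{status:4} {check}")
    print(summarize(results))
```

Run with no argument to reproduce the log's outcome on the constructed kind config (two PASS, one FAIL, three WARN), or pass a node's config.yaml path to check a real file. Two caveats before copying the hardened values onto a node: `protectKernelDefaults: true` makes the kubelet refuse to start when the kernel sysctls it expects (for example vm.overcommit_memory and kernel.panic) differ from its defaults, so set them first; and the run's final RESULT of PASS is functest's verdict on the test case, not a clean benchmark, since the report still carries one scored FAIL and three unscored WARNs.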