# k3s

bright-postman-91926

11/24/2022, 7:41 AM
Hello K3s community. Hopefully I am in the right place for my enquiries. I have been charged with verifying a K3s deployment against the CIS benchmark controls. For this I am using the CIS benchmark v1.6 from the CIS community coupled with the Hardening guide from the K3s website (https://docs.k3s.io/security/hardening-guide) and the self-assessment guide on the same site (https://docs.k3s.io/security/self-assessment). I understand that those guides on the K3s site are intended to match a slightly later revision of the CIS benchmark; however, there is very little difference and I have successfully run through all the checks except for the following:

- CIS Control 4.2.9 - Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture
- CIS Control 4.2.13 - Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers

For both these checks CIS recommends running "ps -ef | grep kubelet" on each worker node, which as I understand it is not suitable for a K3s deployment. However, the recommended alternative from the K3s self-assessment guide seems equally unsuitable: "/bin/ps -fC containerd"

So my question(s) is: am I missing something, or is the K3s approach to that control mis-documented? Can we even pass those parameters to the K3s binary on the worker nodes? If so, is there another way I can satisfy these checks, be it pass or fail? All and any help would be greatly appreciated, even if it's just to point me to another channel/Slack I should be enquiring on.

late-needle-80860

11/27/2022, 4:52 PM
In regards to configuring these args see https://docs.k3s.io/reference/agent-config#customized-flags … for e.g. configuring:
> /bin/ps -fC containerd
I hope that helps @bright-postman-91926

bright-postman-91926

11/27/2022, 11:46 PM
Hi there @late-needle-80860, I really appreciate you taking the time to respond, so thank you for that 🙂 I am well aware that the PSP is a deprecated feature. I do really wish the platform was on a later revision, to be honest, as it was more than a little frustrating to even get the PSPs working as I wanted/needed. As for the K3s agent options, I will look over the link you sent in case I do need to set something there.

However, for now my question was more about verifying what is deployed/configured and how to check it. The provided command "/bin/ps -fC containerd" in the guide I feel is not providing any insight into this. Or am I just misunderstanding something here, and the returned result of that is telling me that the result for the CIS controls (4.2.9 & 4.2.13) is in fact a 'FAIL'?

FYI - the output I currently see is:

worker-01 [~]# /bin/ps -fC containerd
UID        PID   PPID  C STIME TTY          TIME CMD
root      3245   2595  1 Nov06 ?        08:40:12 containerd

Again, I am really grateful for your help thus far. :)

late-needle-80860

11/29/2022, 2:50 PM
The thing is that the containerd binary is not really running on the system … it's embedded in the k3s binary. So you can't confirm with the command you're using.

bright-postman-91926

11/30/2022, 4:17 AM
Yes, correct. So I was hoping there was another command that would appropriately verify the control, either pass or fail.

Checking if the following is set for workers/agents at runtime of the binary: "--image-credential-provider-config value", then validating the contents within that config file passed in. In your opinion, do you think that would satisfy the CIS control "CIS Control 4.2.13 - Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers"?

Then for the control "CIS Control 4.2.9 - Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture", would the equivalent be "--alsologtostderr" & "--log"? If so, then a similar check against the runtime options passed in?