# k3s
a
This message was deleted.
l
In regards to configuring these args see > https://docs.k3s.io/reference/agent-config#customized-flags … for e.g. configuring >
/bin/ps -fC containerd
I hope that helps @bright-postman-91926
b
Hi there @late-needle-80860, I really appreciate you taking the time to respond. So thank you for that 🙂

I am well aware that the PSP is a deprecated feature. I do really wish the platform was on a later revision to be honest, as it was more than a little frustrating to even get the PSPs working as I wanted/needed. As for the K3 agent options, I will look over the link you sent in case I do need to set something there.

However, for now my question was more about verifying what is deployed/configured and how to check it. The provided command "/bin/ps -fC containerd" in the guide I feel is not providing any insight to this. Or am I just misunderstanding something here, and the returned result of that is telling me that the result for the CIS controls (4.2.9 & 4.2.13) is in fact a fail 'FAIL'?

FYI - the current result returned that I see is:

worker-01 [~]# /bin/ps -fC containerd
UID PID PPID C STIME TTY TIME CMD
root 3245 2595 1 Nov06 ? 084012 containerd

Again, I am really grateful for your help thus far. :)
l
The thing is that the containerd binary is not really running on the system … it’s embedded in the `k3s` binary. So you can’t confirm with the command you’re using.
b
Yes, correct. So I was hoping there was another command that would appropriately verify the control. Either pass or fail.

Checking if the following is set for workers/agents at runtime of the binary: "--image-credential-provider-config value". Then validating the contents within that config file passed in. In your opinion, do you think that would satisfy the CIS control: "CIS Control 4.2.13 - Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers"?

Then for the control: "CIS Control 4.2.9 - Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture". Would the equivalent be: "--alsologtostderr" & "--log"? If so, then a similar check against the runtime options passed in?