Hello K3s community. Hopefully I am in the right place for my enquiries.
I have been charged with verifying a K3s deployment against the CIS benchmark controls. For this I am using the CIS benchmark v1.6 from the CIS community coupled with the Hardening guide from the K3s website (https://docs.k3s.io/security/hardening-guide) and the self-assessment guide on the same site (https://docs.k3s.io/security/self-assessment).
I understand that those guides on the K3s site are intended to match a slightly later revision of the CIS benchmark, however there is very little difference and I have successfully run through all the checks except for the following:
CIS Control 4.2.9 - Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture
CIS Control 4.2.13 - Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
For both these checks CIS recommends running "ps -ef | grep kubelet" on each worker node, which as I understand is not suitable for a k3s deployment. However, the recommended alternative from the K3s self-assessment guide, "/bin/ps -fC containerd", seems equally unsuitable.
So my question(s) is: am I missing something, or is the K3s approach to that control mis-documented?
Can we even pass those parameters to the K3s binary on the worker nodes? If so, is there another way I can satisfy these checks, be it pass or fail?
All and any help would be greatly appreciated. Even if it's just to point me to another channel/Slack I should be enquiring on.
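Added example (not part of the post above, and not K3s project code): since K3s runs the kubelet inside the k3s process rather than as a separate binary, the process list is the wrong place to look for its flags. Two sources on a node do show the kubelet's effective settings regardless of how it was launched: the kubelet's own `/configz` endpoint, reachable as `kubectl get --raw "/api/v1/nodes/${NODE}/proxy/configz"`, and the `Running kubelet --...` line that k3s writes to journald at startup (`journalctl -u k3s-agent`, or `-u k3s` on a server). The script below evaluates 4.2.9 (`eventRecordQPS`, the config field behind `--event-qps`) and 4.2.13 (`tlsCipherSuites`, behind `--tls-cipher-suites`) from either source. Assumptions: the cipher allowlist is reproduced from memory of the benchmark's 4.2.13 text and should be checked against your copy; the configz documents and the journal line are constructed samples, not captured from a cluster; the function names are my own.

```python
"""Evaluate CIS 4.2.9 and 4.2.13 from a kubelet's effective configuration.

Inputs (neither depends on finding a kubelet process with ps):
  1. JSON from: kubectl get --raw "/api/v1/nodes/${NODE}/proxy/configz"
  2. the "Running kubelet --..." line k3s logs to journald at startup
Sample inputs below are constructed for illustration, not captured from a cluster.
"""
import json
import re

# Allowlist as recalled from the benchmark's 4.2.13 text.
# Assumption: verify it against the benchmark revision you are assessing.
STRONG_CIPHERS = frozenset({
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
})


def check_event_qps(kubelet_cfg, minimum=None):
    """4.2.9: eventRecordQPS is 0 (no throttling) or, if a rate is acceptable
    to you, at least `minimum`. Returns (passed, reason)."""
    qps = kubelet_cfg.get("eventRecordQPS")
    if qps is None:
        return False, "eventRecordQPS not set; the kubelet default applies"
    if qps == 0 or (minimum is not None and qps >= minimum):
        return True, f"eventRecordQPS={qps}"
    return False, f"eventRecordQPS={qps} may drop events under load"


def check_tls_ciphers(kubelet_cfg):
    """4.2.13: tlsCipherSuites is set and every entry is on the allowlist."""
    suites = kubelet_cfg.get("tlsCipherSuites") or []
    if not suites:
        return False, "tlsCipherSuites not set; Go's default cipher list applies"
    weak = sorted(set(suites) - STRONG_CIPHERS)
    if weak:
        return False, "non-allowlisted suites: " + ", ".join(weak)
    return True, f"{len(suites)} allowlisted suites"


def kubelet_cfg_from_configz(configz_json):
    """configz wraps the running KubeletConfiguration in a 'kubeletconfig' key."""
    return json.loads(configz_json)["kubeletconfig"]


# Flag name on the kubelet command line -> (config field, value converter)
_FLAG_TO_FIELD = {
    "event-qps": ("eventRecordQPS", int),
    "tls-cipher-suites": ("tlsCipherSuites", lambda v: v.split(",")),
}


def kubelet_cfg_from_journal(line):
    """Rebuild just the two fields of interest from k3s's startup log line.
    Returns {} when the line is not a 'Running kubelet' line."""
    m = re.search(r'msg="Running kubelet (.*)"', line)
    if not m:
        return {}
    cfg = {}
    for flag, value in re.findall(r"--([a-z0-9-]+)=(\S+)", m.group(1)):
        if flag in _FLAG_TO_FIELD:
            field, convert = _FLAG_TO_FIELD[flag]
            cfg[field] = convert(value)
    return cfg


def assess(kubelet_cfg):
    return {"4.2.9": check_event_qps(kubelet_cfg),
            "4.2.13": check_tls_ciphers(kubelet_cfg)}


# --- constructed samples -----------------------------------------------------
HARDENED_CONFIGZ = json.dumps({"kubeletconfig": {
    "eventRecordQPS": 0,
    "tlsCipherSuites": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"],
}})
DEFAULT_CONFIGZ = json.dumps({"kubeletconfig": {"eventRecordQPS": 5}})
MIXED_JOURNAL = (
    'Nov 12 10:00:01 worker1 k3s[1234]: time="2023-11-12T10:00:01Z" level=info '
    'msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --event-qps=0 '
    '--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA"'
)

if __name__ == "__main__":
    samples = [("hardened", kubelet_cfg_from_configz(HARDENED_CONFIGZ)),
               ("default", kubelet_cfg_from_configz(DEFAULT_CONFIGZ)),
               ("journal", kubelet_cfg_from_journal(MIXED_JOURNAL))]
    for name, cfg in samples:
        for control, (ok, why) in assess(cfg).items():
            print(f"{name:>8} {control}: {'PASS' if ok else 'FAIL'} ({why})")
```

On a real node, pipe the configz output or the journal line into the respective parser; the configz route is the more trustworthy of the two because the kubelet reports what it is actually running with, including values supplied through K3s's `--kubelet-arg` passthrough, whereas the journal line only shows what k3s handed it at startup.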