Hello K3s community. Hopefully I am in the right place for my enquiries.
I have been charged with verifying a K3s deployment against the CIS benchmark controls. For this I am using the CIS benchmark v1.6 from the CIS community coupled with the Hardening guide from the K3s website (https://docs.k3s.io/security/hardening-guide) and the self assessment guide on the same site (https://docs.k3s.io/security/self-assessment).
I understand that those guides on the K3s site are intended to match a slightly later revision of the CIS benchmark, however there is very little difference and I have successfully run through all the checks except for the following:
CIS Control 4.2.9 - Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture
CIS Control 4.2.13 - Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
For both these checks CIS recommends running "ps -ef | grep kubelet" on each worker node, which, as I understand it, is not suitable for a K3s deployment. However, the recommended alternative from the K3s self assessment guide seems equally unsuitable: "/bin/ps -fC containerd"
So my question(s) is: am I missing something, or is the K3s approach to that control mis-documented?
Can we even pass those parameters to the K3s binary on the worker nodes? If so, is there another way I can satisfy these checks, be it pass or fail?
All and any help would be greatly appreciated, even if it's just to point me to another channel/Slack I should be enquiring on.
Hi there @late-needle-80860, I really appreciate you taking the time to respond. So thank you for that 🙂
I am well aware that the PSP is a deprecated feature. I do really wish the platform was on a later revision to be honest as it was more than a little frustrating to even get the PSPs working as I wanted/needed.
As for the K3s agent options, I will look over the link you sent in case I do need to set something there. However, for now my question was more about verifying what is deployed/configured and how to check it.
The provided command "/bin/ps -fC containerd" in the guide, I feel, is not providing any insight into this.
Or am I just misunderstanding something here, and the returned result of that is telling me that the result for the CIS controls (4.2.9 & 4.2.13) is in fact a 'FAIL'?
FYI - the current return I see is:
worker-01 [~]# /bin/ps -fC containerd
UID PID PPID C STIME TTY TIME CMD
root 3245 2595 1 Nov06 ? 084012 containerd
Again, I am really grateful for your help thus far. :)
11/29/2022, 2:50 PM
The thing is that the containerd binary is not really running on the system … it’s embedded in the
So you can’t confirm it with the command you’re using.
11/30/2022, 4:17 AM
Yes correct. So I was hoping there was another command that would appropriately verify the control.
Either pass or fail.
Checking if the following is set for workers/agents at runtime of the binary:
Then validating the contents within that config file passed in.
In your opinion, do you think that would satisfy the CIS control:
"CIS Control 4.2.13 - Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers"
Then for the control:
"CIS Control 4.2.9 - Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture"
Would the equivalent be:
If so, then a similar check against the runtime options passed in?