https://rancher.com/ logo
Title
b

breezy-france-3792

05/26/2022, 7:38 AM
Hey #kubernetes Kubernetes CIS Benchmark requires anonymous auth set to false on api server but adding the new node or upgrade of existing node might fail because of this setting. We have a option to use the discovery file option but that requires the kubconfig to be places on the node which will again be flagged by security team as risk. Did anyone came across this issue in your setup if yes how did you resolve this. I see this setting set to false in other kubenetes engines like RKE(Rancher Kubernetes Engine) Thanks In advance
f

faint-policeman-5206

06/01/2022, 1:39 PM
How was the cluster deployed. In some cases (like kubeadm), the main option is to convince the Risk section that it is needed for correct functioning and add it to a risk register / whatever the process is. (kubeadm uses info from a kube-public namespace, other methods of joining nodes might be able to avoid that. (e.g. issuing client certs for the worker nodes to join with)