
happy-elephant-46487

01/24/2023, 7:57 AM
@fast-piano-59234 Hi
• I am trying to run Rancher provided CIS Benchmark Scan on RKE1 cluster
• Downloaded report, showing few tests have failed
• Scan ID is "1.2.6". Below is the Description:
  ◦ Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)
• Remediation is:
  ◦ Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority. --kubelet-certificate-authority=<ca-string>
• Manifest files "/etc/kubernetes/manifests/kube-apiserver.yaml", "/etc/kubernetes/manifests/kube-controller-manager.yaml" are not present on my MASTER nodes of RKE cluster.

HOW SHOULD I SOLVE/PASS SUCH TEST IN CIS SCAN?

fast-piano-59234

01/24/2023, 8:55 AM
Please specify Rancher and cluster version used, it will probably explain why. Latest 2.6 shows this as passed; https://ranchermanager.docs.rancher.com/v2.6/reference-guides/rancher-security/rancher-v2.6-[…]es/rke1-self-assessment-guide-with-cis-v1.6-benchmark

happy-elephant-46487

01/24/2023, 9:38 AM
Rancher Version: 2.5.8 RKE Version: 1.2.13

fast-piano-59234

01/24/2023, 6:17 PM
Cluster version is missing

happy-elephant-46487

01/25/2023, 5:43 AM
Oh Sorry, cluster version is 1.20.11
@fast-piano-59234 How and where can I add this argument "--kubelet-certificate-authority=<ca-string>" to make this as passed? It is still failing.

happy-elephant-46487

02/20/2023, 7:21 AM
I have downloaded CIS scan report in excel sheet format and id "1.2.6" shows as below.