C-0179 - Ensure that the --hostname-override argument is not set
Prerequisites
Run Kubescape with host sensor (see here)
Framework
cis-v1.23-t1.0.1, cis-aks-t1.2.0, cis-eks-t1.2.0
Severity
Low
Description of the the issue
Overriding hostnames could potentially break TLS setup between the kubelet and the apiserver. Additionally, with overridden hostnames, it becomes increasingly difficult to associate logs with a particular node and process them for security analytics. Hence, you should setup your kubelet nodes with resolvable FQDNs and avoid overriding the hostnames with IPs.
Related resources
What does this control test
Do not override node hostnames.
How to check it manually
Run the following command on each node:
ps -ef | grep kubelet
Verify that --hostname-override
argument does not exist.
Note This setting is not configurable via the Kubelet config file.
Remediation
Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
on each worker node and remove the --hostname-override
argument from the KUBELET_SYSTEM_PODS_ARGS
variable.
Based on your system, restart the kubelet
service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
Impact Statement
Some cloud providers may require this flag to ensure that hostname matches names issued by the cloud provider. In these environments, this recommendation should not apply.
Default Value
By default, --hostname-override
argument is not set.
Example
No example
Updated 9 days ago