CIS-4.2.8 - Ensure that the --hostname-override argument is not set

Ensure that the --hostname-override argument is not set

Note: to enable this control run Kubescape with host sensor (see here)

Framework

CIS

Severity

Low

Description of the the issue

Overriding hostnames could potentially break TLS setup between the kubelet and the apiserver. Additionally, with overridden hostnames, it becomes increasingly difficult to associate logs with a particular node and process them for security analytics. Hence, you should setup your kubelet nodes with resolvable FQDNs and avoid overriding the hostnames with IPs.

Related resources

What does this control test

Do not override node hostnames.

How to check it manually

Run the following command on each node:

ps -ef | grep kubelet

Verify that --hostname-override argument does not exist.

Note This setting is not configurable via the Kubelet config file.

Remediation

Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and remove the --hostname-override argument from the KUBELET_SYSTEM_PODS_ARGS variable.

Based on your system, restart the kubelet service. For example:

systemctl daemon-reload
systemctl restart kubelet.service

Impact Statement

Some cloud providers may require this flag to ensure that hostname matches names issued by the cloud provider. In these environments, this recommendation should not apply.

Default Value

By default, --hostname-override argument is not set.

Example

No example