An XCCDF Group - A logical subset of the XCCDF Benchmark
/etc/kubernetes/kubelet/kubelet-config.json
authentication:
  ...
  anonymous:
    enabled: false
  ...
authorization
Webhook
authorization:
  mode: Webhook
  ...
authentication:
  ...
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
  ...
... rotateCertificates: true ...
featureGates:
  ...
  RotateKubeletClientCertificate: true
  ...
makeIPTablesUtilChains: true
Protect tuned kernel parameters from being overwritten by the kubelet.
serverTLSBootstrap: true
streamingConnectionIdleTimeout
KubeletConfig
apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
  name: kubelet-config-$pool
spec:
  machineConfigPoolSelector:
    matchLabels:
      pools.operator.machineconfiguration.openshift.io/$pool_name: ""
  kubeletConfig:
    streamingConnectionIdleTimeout:
streamingConnectionIdleTimeout:
$ sudo chgrp root /etc/kubernetes/kubelet/kubelet-config.json
/var/lib/kubelet/kubeconfig
$ sudo chgrp root /var/lib/kubelet/kubeconfig
$ sudo chown root /etc/kubernetes/kubelet/kubelet-config.json
$ sudo chown root /var/lib/kubelet/kubeconfig
$ sudo chmod 0644 /etc/kubernetes/kubelet/kubelet-config.json
$ sudo chmod 0644 /var/lib/kubelet/kubeconfig