Security information

Mirantis has begun an initiative to align MKE with CIS Benchmarks, where pertinent. The following table details the CIS Benchmark resolutions and improvements that are introduced in MKE 3.5.11:

| CIS Benchmark type/version | Recommendation | Ticket | Resolution/Improvement |
| --- | --- | --- | --- |
| Kubernetes 1.7 | 1.1.17 | MKE-9906 | The permission for /ucp-volume-mounts/ucp-node-certs/controller-manager.conf is now set to 600. |
| Kubernetes 1.7 | 1.3.7 | MKE-9904 | The --address argument is set to 127.0.0.1 in ucp-kube-controllermanager. |
| Kubernetes 1.7 | 5.1.6 | MKE-9921 | The use of service account tokens is restricted, allowing for mounting only where necessary in MKE system namespaces. |
| Kubernetes 1.7 | 5.2.8 | MKE-9924 | NET_RAW capability has been removed from all unprivileged system containers. |
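To confirm the four settings above on an upgraded node, the shell helpers below are an added example and not Mirantis code: each check takes the value collected from the node as an argument, and the collection commands named in the comments (stat, docker inspect, /proc/<pid>/status, kubectl) and the sample values in demo() are assumptions.

```shell
#!/bin/sh
# Added verification helpers (not part of MKE). Each function checks one
# hardening point from the table and returns 0 on pass, 1 on fail.

# 1.1.17: the controller-manager kubeconfig must be mode 600 (owner rw only).
check_mode_600() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  [ "$mode" = "600" ]
}

# 1.3.7: $1 is the controller-manager command line (e.g. from docker inspect);
# it must bind the insecure endpoint to loopback only.
check_cm_address() {
  case " $1 " in
    *" --address=127.0.0.1 "*|*" --address 127.0.0.1 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# 5.1.6: $1 is spec.automountServiceAccountToken of a pod as printed by
# kubectl custom-columns; only an explicit "false" passes, because an unset
# field (<none>) still mounts the token.
check_token_not_mounted() {
  [ "$1" = "false" ]
}

# 5.2.8: $1 is the CapEff hex mask from /proc/<pid>/status of a container's
# init process; CAP_NET_RAW is capability 13, i.e. bit 0x2000 (8192).
check_no_net_raw() {
  eff=$(printf '%d' "0x$1" 2>/dev/null) || return 1
  [ $(( eff & 8192 )) -eq 0 ]
}

# Constructed inputs (a temp file and sample values) so the script runs
# without touching a real node.
demo() {
  tmp=$(mktemp) && chmod 600 "$tmp"
  check_mode_600 "$tmp" && echo "1.1.17 pass: $tmp is mode 600"
  rm -f "$tmp"
  check_cm_address "kube-controller-manager --address=127.0.0.1 --port=0" \
    && echo "1.3.7 pass: controller-manager bound to loopback"
  check_token_not_mounted "<none>" || echo "5.1.6 fail: token still auto-mounted"
  # a80425fb is Docker's default capability set (NET_RAW included);
  # a80405fb is the same set with NET_RAW dropped.
  check_no_net_raw 00000000a80425fb || echo "5.2.8 fail: NET_RAW present"
  check_no_net_raw 00000000a80405fb && echo "5.2.8 pass: NET_RAW dropped"
}

demo
```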