4. Worker node security configuration

4.1 Worker node configuration files

CIS ID	Recommendation	Resolution	Comments
4.1.1	Ensure that the kubelet service file permissions are set to 600 or more restrictive .	False Positive	Not applicable, as k0s does not use the kubelet service file.
4.1.2	Ensure that the kubelet service file ownership is set to root:root.	Pass	NA
4.1.3	If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive.	Warn	NA
4.1.4	If proxy kubeconfig file exists ensure ownership is set to root:root.	Warn	NA
4.1.5	Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive.	False Positive	In k0s, the kubelet.conf file exists under --kubeconfig=/var/lib/k0s/kubelet.conf, which is different from the usual k8s path. File permissions are set to 600.
4.1.6	Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root.	False Positive	Failure is only shown because kube-bench checks the wrong default path (/etc/kubernetes/kubelet.conf). The ownership is set as root:root for /var/lib/k0s/kubelet.conf.
4.1.7	Ensure that the certificate authorities file permissions are set to 644 or more restrictive.	Warn	NA
4.1.8	Ensure that the client certificate authorities file ownership is set to root:root.	Warn	NA
4.1.9	If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive.	Pass	NA
4.1.10	If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root	False Positive	In k0s, the kubelet is using the /run/k0s/kubelet/config.yaml config file, the ownership for which is correctly set to root:root. It is false positive because kube-bench default checks expect the file to be present under /etc/kubernetes/kubelet/config.yaml.

4.2 Kubelet

CIS ID	Recommendation	Resolution	Comments
4.2.1	Ensure that the --anonymous-auth argument is set to false.	False Positive	K0s uses the kubelet config file, /run/k0s/kubelet/config.yaml. The value --anonymous-auth=false is not explictly enabled and is instead an empty struct. An equiry made using the controller node kubelet configz endpoint revealed that the flag is set to false.
4.2.2	Ensure that the --authorization-mode argument is not set to AlwaysAllow.	False Positive	A check of the kubelet process args for --authorization-mode(not present) and the kubelet config file parameter authorization.mode showed that they were not explicitly set. To get specific results and verify the defaults for k0s, an enquiry was made using the kubelet configz endpoint, which revealed that the mode is set to webhook.
4.2.3	Ensure that the --client-ca-file argument is set as appropriate.	False Positive	A check of the kubelet process args for client-ca-file (not present) and the kubelet config file parameter authentication.x509.clientCAFile showed it to be set.
4.2.4	Verify that if defined, the --read-only-port argument is set to 0.	Pass	NA
4.2.5	Ensure that the --streaming-connection-idle-timeout argument is not set to 0.	Pass	NA
4.2.6	Ensure that the --make-iptables-util-chains argument is set to true.	Pass	NA
4.2.7	Ensure that the --hostname-override argument is not set.	Pass	NA
4.2.8	Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture.	Pass	NA
4.2.9	Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate.	Warn	NA
4.2.10	Ensure that the --rotate-certificates argument is not set to false.	Pass	NA
4.2.11	Verify that the RotateKubeletServerCertificate argument is set to true.	Pass	NA
4.2.12	Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers.	Warn	NA
4.2.13	nsure that a limit is set on pod PIDs.	Warn	NA
4.2.14	Ensure that the --seccomp-default parameter is set to true.	Warn	NA
4.2.15	Ensure that the --IPAddressDeny is set to any.	Warn	NA

4.3 kube-proxy

CIS ID	Recommendation	Resolution	Comments
4.3.1	Ensure that the kube-proxy metrics service is bound to localhost.	Pass	NA