- CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4: "...and --etcd-keyfile arguments are set as appropriate (Automated) 1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated) 1.2.31 Ensure that the --client-ca-file ... Ensure that the --client-cert-auth argument is set to true (Automated) 2.3 Ensure that the --auto-tls argument is not set to true (Automated) 2.4 Ensure that the --peer-cert-file and --peer-key-file arguments ... that the --peer-client-cert-auth argument is set to true (Automated) 2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated) 2.7 Ensure that a unique Certificate Authority is used for..." (0 码力 | 132 pages | 1.12 MB | 1 year ago | 3)
- Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment: "...match(\"--kubelet-client-certificate=.*\").string' Returned Value: --kubelet-client-certificate=/etc/kubernetes/ssl/kube-apiserver.pem Audit ( --kubelet-client-key ) docker inspect kube-apiserver | jq -e '.[0].Args[] | match(\"--kubelet-client-key=.*\").string' Returned Value: --kubelet-client-key=/etc/kubernetes/ssl/kube-apiserver-key.pem Result: Pass 1.1.23 Ensure that the --service-account-lookup argument is ... match(\"--service-account-key-file=.*\").string' Returned Value: --service-account-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem Result: Pass 1.1.26 - Ensure that the --etcd-certfile and..." (0 码力 | 47 pages | 302.56 KB | 1 year ago | 3)
- CIS Benchmark Rancher Self-Assessment Guide - v2.4: "...system) on the master node. For example, chown -R root:root /etc/kubernetes/ssl Audit: stat -c %U:%G /etc/kubernetes/ssl Expected result: 'root:root' is present 1.1.20 Ensure that the Kubernetes ... on the file location on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/ssl Audit Script: check_files_permissions.sh #!/usr/bin/env bash # This script is used to ensure the ... \"${FILES_PERMISSIONS}\" echo \"true\" exit Audit Execution: ./check_files_permissions.sh '/etc/kubernetes/ssl/*.pem' Expected result: 'true' is present 1.1.21 Ensure that the Kubernetes PKI key file permissions..." (0 码力 | 54 pages | 447.77 KB | 1 year ago | 3)
- CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5: "...system) on the master node. For example, chown -R root:root /etc/kubernetes/ssl Audit: stat -c %U:%G /etc/kubernetes/ssl Expected result: 'root:root' is present 1.1.20 Ensure that the Kubernetes ... on the file location on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/ssl Audit Script: check_files_permissions.sh #!/usr/bin/env bash # This script is used to ensure the ... \"${FILES_PERMISSIONS}\" echo \"true\" exit Audit Execution: ./check_files_permissions.sh '/etc/kubernetes/ssl/*.pem' Expected result: 'true' is present 1.1.21 Ensure that the Kubernetes PKI key file permissions..." (0 码力 | 54 pages | 447.97 KB | 1 year ago | 3)
- K8S installation and deployment: exposing services: "...token Step5: create the secret for the SSL certificate // generate a self-signed SSL certificate openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj \"/CN=k8s-dashboard.xxx.com\" // create the secret for the SSL certificate kubectl ... kubectl create secret tls k8s-dashboard-tls --cert=tls.crt --key=tls.key Step6: reconfigure the service vi service.yaml apiVersion: v1 kind: Service metadata: labels: k8s-app: kubernetes-dashboard ... yaml Step7: create the secret for the SSL certificate // generate a self-signed SSL certificate openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj \"/CN=k8s-dashboard.xxx.com\" // create the secret for the SSL certificate kubectl..." (0 码力 | 54 pages | 1.23 MB | 1 year ago | 3)
- BAETYL 1.0.0 Documentation: "...oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html], and supports four access methods: TCP, SSL, WS, and WSS; The official module baetyl-remote-mqtt is used to bridge two MQTT Servers for message ... MQTT and HTTPS channels. MQTT enforces two-way authentication for SSL/TLS certificates. HTTPS enforces one-way authentication for SSL/TLS certificates. Developers can refer to this module to implement their ... capabilities for all services. Currently supports 4 access methods: TCP, SSL (TCP + SSL), WS (Websocket) and WSS (Websocket + SSL). The MQTT protocol support is as follows: Support Connect, Disconnect..." (0 码力 | 135 pages | 15.44 MB | 1 year ago | 3)
- BAETYL 0.1.6 Documentation: "...oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html], and supports four access methods: TCP, SSL, WS, and WSS; The official module baetyl-remote-mqtt is used to bridge two MQTT Servers for message ... MQTT and HTTPS channels. MQTT enforces two-way authentication for SSL/TLS certificates. HTTPS enforces one-way authentication for SSL/TLS certificates. Developers can refer to this module to implement their ... capabilities for all services. Currently supports 4 access methods: TCP, SSL (TCP + SSL), WS (Websocket) and WSS (Websocket + SSL). The MQTT protocol support is as follows: Support Connect, Disconnect..." (0 码力 | 119 pages | 11.46 MB | 1 year ago | 3)
- BAETYL 1.0.0 Documentation: "...subscription and publishing functions based on the MQTT protocol, and supports four access methods: TCP, SSL, WS, and WSS; • The official module baetyl-remote-mqtt is used to bridge two MQTT Servers for message ... MQTT and HTTPS channels. MQTT enforces two-way authentication for SSL/TLS certificates. HTTPS enforces one-way authentication for SSL/TLS certificates. Developers can refer to this module to implement their ... Modules 17 BAETYL Documentation Currently supports 4 access methods: TCP, SSL (TCP + SSL), WS (Websocket) and WSS (Websocket + SSL). The MQTT protocol support is as follows: • Support Connect, Disconnect..." (0 码力 | 145 pages | 9.31 MB | 1 year ago | 3)
- BAETYL 0.1.6 Documentation: "...subscription and publishing functions based on the MQTT protocol, and supports four access methods: TCP, SSL, WS, and WSS; • The official module baetyl-remote-mqtt is used to bridge two MQTT Servers for message ... MQTT and HTTPS channels. MQTT enforces two-way authentication for SSL/TLS certificates. HTTPS enforces one-way authentication for SSL/TLS certificates. Developers can refer to this module to implement their ... Modules 17 BAETYL Documentation Currently supports 4 access methods: TCP, SSL (TCP + SSL), WS (Websocket) and WSS (Websocket + SSL). The MQTT protocol support is as follows: • Support Connect, Disconnect..." (0 码力 | 120 pages | 7.27 MB | 1 year ago | 3)
- k8s Operations Manual 2.3: "....sock interface # trust the private image registry's SSL certificate; add or modify the following configuration lines [plugins.\"io.containerd.grpc.v1.cri\".registry.configs] [plugins.\"io.containerd.grpc.v1.cri\".registry.configs.\"cof-lee.com:5443\".tls] insecure_skip_verify ... ★ If you do not want to configure trust for the private image registry, you can instead add the server certificate to the operating system's CA certificate store # cat ca.com.crt >> /etc/pki/tls/certs/ca-bundle.crt # add the CA certificate to the CentOS system certificate trust list, linked to: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem ② Install the k8s binary components # use the aliyun repository (if the system is from the RHEL8 family, the el7 repository is still used, because ... apply -f myweb-ingress.yml # apply ③ Create a TLS-type ingress resource. First create the TLS certificate, then turn the certificate into a secret resource; a TLS-type ingress cannot use the private key and certificate files directly, but it can use a secret resource # kubectl create secret tls web-inress-secret1 \ --cert=web.xxx.com.crt \ --key=web..." (0 码力 | 126 pages | 4.33 MB | 1 year ago | 3)
262 results in total