CIS benchmark, ensure the appropriate flags are passed to the Kubelet. 2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) 2.1.7 - Ensure that the --protect-kernel-defaults Kubelet containers on all hosts and verify that they are running with the following options: --streaming-connection-idle-timeout= --protect-kernel-defaults=false --make-ipta RKE cluster.yml kubelet section under services: services: kubelet: extra_args: streaming-connection-idle-timeout: "" protect-kernel-defaults: "true" make-iptables-util-chains:

4.2.4 Ensure that the --read-only-port argument is set to 0 (Automated) 4.2.5 Ensure that the --streaming-connection-idle- timeout argument is not set to 0 (Automated) 4.2.6 Ensure that the --protect-kernel-defaults -fC kubelet Expected Result: '' is not present OR '' is not present 4.2.5 Ensure that the --streaming- connection-idle-timeout argument is not set to 0 (Automated) Result: pass CIS 1.6 Benchmark - d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. -- streaming-connection-idle-timeout=5m Based on your system, restart the kubelet service. For example: systemctl

2.1.5 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) Audit docker inspect kubelet | jq -e '.[0].Args[] | match("--streaming-connection-idle-timeout=.*") *").string' Returned Value: --streaming-connection-idle-timeout=1800s Result: Pass 2.1.6 - Ensure that the --protect-kernel-defaults argument is set to true (Scored) Audit docker inspect kubelet

/bin/cat /var/lib/kubelet/config.yaml Expected result: '0' is equal to '0' 4.2.5 Ensure that the --streaming-connection-idle- timeout argument is not set to 0 (Scored) Result: PASS Remediation: If using conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --streaming-connection-idle-timeout=5m Based on your system, restart the kubelet service. For example: systemctl Config: /bin/cat /var/lib/kubelet/config.yaml Expected result: '30m' is not equal to '0' OR '--streaming-connection-idle- timeout' is not present 4.2.6 Ensure that the --protect-kernel-defaults argument

gu m e n t i s n ot s e t t o AlwaysAllow ( S c or e d ) • 2. 1. 6 - E n s u r e t h at t h e --streaming-connection-idle-timeout ar gu - m e n t i s n ot s e t t o 0 ( S c or e d ) • 2. 1. 7 - E n s u v e r i f y t h at t h e y ar e r u n n i n g w i t h t h e f ol l ow i n g op t i on s : • --streaming-connection-idle-timeout= • --authorization-mode=Webhook • --protect- gu m e n t i s n ot s e t t o AlwaysAllow ( S c or e d ) • 2. 1. 6 - E n s u r e t h at t h e --streaming-connection-idle-timeout ar gu - m e n t i s n ot s e t t o 0 ( S c or e d ) • 2. 1. 7 - E n s u

/bin/cat /var/lib/kubelet/config.yaml Expected result: '0' is equal to '0' 4.2.5 Ensure that the --streaming-connection-idle- timeout argument is not set to 0 (Scored) Result: PASS Remediation: If using conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --streaming-connection-idle-timeout=5m Based on your system, restart the kubelet service. For example: systemctl Config: /bin/cat /var/lib/kubelet/config.yaml Expected result: '30m' is not equal to '0' OR '--streaming-connection-idle- timeout' is not present 4.2.6 Ensure that the --protect-kernel-defaults argument

e make-iptables-util-chains: 'true' protect-kernel-defaults: 'true' streaming-connection-idle-timeout: 1800s tls-cipher-suites: >- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

e make-iptables-util-chains: 'true' protect-kernel-defaults: 'true' streaming-connection-idle-timeout: 1800s tls-cipher-suites: >- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

Access to a storage solution providing dynamically physical volumes If it is planned to use Vora’s streaming tables checkpoint store, an S3 bucket like object store is needed If it is planned to enable backup