amazon-eks-ami
CIS Compliance check failed - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-cert-file
Environment:
- AWS Region: us-east-1
- Instance Type(s): m5.2xlarge
- EKS Platform version (use aws eks describe-cluster --name <name> --query cluster.platformVersion): eks.7
- Kubernetes version (use aws eks describe-cluster --name <name> --query cluster.version): 1.21
- AMI Version: 1.21.12-20220526
- Kernel (e.g. uname -a): Linux ip-10-XX.cfpb.local 5.4.190-107.353.amzn2.x86_64 #1 SMP Wed Apr 27 21:16:35 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
- Release information (run cat /etc/eks/release on a node):
BASE_AMI_ID="ami-095b768df7dd20eee"
BUILD_TIME="Thu May 26 19:21:27 UTC 2022"
BUILD_KERNEL="5.4.190-107.353.amzn2.x86_64"
ARCH="x86_64"
TLS cert and private key are not set in the kubelet configuration.
[root@ip-10/]# ps aux | grep kubelet
root 3874 4.3 0.3 2358100 100628 ? Ssl Jun09 426:28 /usr/bin/kubelet --cloud-provider aws --config /etc/kubernetes/kubelet/kubelet-config.json --kubeconfig /var/lib/kubelet/kubeconfig --container-runtime docker --network-plugin cni --node-ip=10.XX --pod-infra-container-image=XXX.dkr.ecr.us-east-1.amazonaws.com/eks/pause:3.1-eksbuild.1 --v=2 --node-labels=eks.amazonaws.com/nodegroup-image=ami-06a8057d9b6a06ee6,eks.amazonaws.com/capacityType=ON_DEMAND,eks.amazonaws.com/nodegroup=awsdevhmda3applarge --max-pods=58
Additional reference: https://www.tenable.com/audits/items/CIS_Kubernetes_v1.3.0_Level_1.audit:d98d6193634db51e0f270fbb9cb85ff3
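Added example, not part of the original issue or of the amazon-eks-ami project: a Python check that looks for the kubelet serving certificate and key in both the command-line flags and the file passed to --config, because a scan of the ps output alone misses settings made in the config file. tlsCertFile, tlsPrivateKeyFile and serverTLSBootstrap are KubeletConfiguration fields; the sample config content and the PASS/REVIEW/FAIL statuses are assumptions constructed for illustration.

```python
import json
import shlex

# Constructed samples: the command line is shortened from the report above,
# the config content is made up and not read from a real node.
SAMPLE_CMDLINE = ("/usr/bin/kubelet --cloud-provider aws "
                  "--config /etc/kubernetes/kubelet/kubelet-config.json "
                  "--kubeconfig /var/lib/kubelet/kubeconfig --v=2 --max-pods=58")
SAMPLE_CONFIG = json.dumps({
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "serverTLSBootstrap": True,
})

def parse_flags(cmdline):
    """Map kubelet flags to values, accepting '--flag value' and '--flag=value'."""
    tokens = shlex.split(cmdline)[1:]  # drop the binary path
    flags, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            name, sep, value = tok[2:].partition("=")
            # '--flag value' form: consume the next token as the value
            if not sep and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                i += 1
                value = tokens[i]
            flags[name] = value
        i += 1
    return flags

def audit_kubelet_tls(cmdline, config_text):
    """Return (status, detail) for the kubelet serving-certificate settings."""
    flags = parse_flags(cmdline)
    config = json.loads(config_text) if config_text else {}
    # Command-line flags take precedence over the config file.
    cert = flags.get("tls-cert-file") or config.get("tlsCertFile")
    key = flags.get("tls-private-key-file") or config.get("tlsPrivateKeyFile")
    if cert and key:
        return "PASS", f"cert={cert} key={key}"
    if cert or key:
        return "FAIL", "only one of certificate and private key is set"
    if config.get("serverTLSBootstrap") is True:
        # Assumption: treat CSR-issued serving certs as needing manual review.
        return "REVIEW", "no static cert/key; serverTLSBootstrap requests one via CSR"
    return "FAIL", "no cert/key set; kubelet falls back to a self-signed certificate"
```

On a node, pass the contents of /proc/<pid>/cmdline (NUL bytes replaced by spaces) and the text of the file named by the config flag.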
duplicate of #478