1) SSH to the right node
ssh cks000002
sudo -i
2) Fix kubelet CIS findings
2.1 Edit kubelet config (MAIN place in kubeadm clusters)
vi /var/lib/kubelet/config.yaml
A) Set anonymous-auth to false
Find (or add) this block exactly (2-space indentation, as kubeadm writes it):
authentication:
  anonymous:
    enabled: false
B) Use Webhook authentication (recommended by task)
Ensure this exists under authentication: (same indent level as anonymous:):
  webhook:
    enabled: true
C) Use Webhook authorization and NOT AlwaysAllow
Find (or add) this top-level block exactly:
authorization:
  mode: Webhook
When done, your file should contain something like this (exact structure to aim for):
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook
The x509: block is usually already present in a kubeadm cluster; if it is missing, don't panic, it is not one of the task-required parts. The task-required parts are only: anonymous false + webhook enabled + authorization mode Webhook.
Caveat: kubelet command-line flags take precedence over config.yaml. If /var/lib/kubelet/kubeadm-flags.env (or the systemd drop-in under /etc/systemd/system/kubelet.service.d/) passes --anonymous-auth=true or --authorization-mode=AlwaysAllow, the flag wins and your file edit changes nothing, so remove or fix such a flag too.
2.2 Restart kubelet (required for config.yaml changes; daemon-reload is only needed if you touched a systemd unit or drop-in, but it is harmless)
systemctl daemon-reload
systemctl restart kubelet
systemctl status kubelet --no-pager
Quick confirm (optional but fast):
grep -nE "anonymous|webhook|authorization|mode" /var/lib/kubelet/config.yaml
3) Fix etcd CIS finding: --client-cert-auth=true
3.1 Edit etcd static pod manifest (kubeadm path)
vi /etc/kubernetes/manifests/etcd.yaml
Find the container command: args, which look like this (note the list indentation):
  - command:
    - etcd
    - --something=...
Ensure this line exists exactly in the list:
    - --client-cert-auth=true
kubeadm sets this to true by default, so in the task it has most likely been flipped to false: change the existing --client-cert-auth=false line to true rather than adding a second --client-cert-auth line.
Also ensure this is present (usually already is, but add if missing), since it is the CA etcd verifies client certificates against:
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
Example snippet (what you want the args area to include):
  - command:
    - etcd
    - --client-cert-auth=true
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
3.2 Apply etcd change (auto-restart happens)
Just save the file. The kubelet watches /etc/kubernetes/manifests and recreates the etcd static pod on its own. A YAML indentation mistake here takes etcd (and with it the API server) down, so double-check the list indentation before saving.
Watch it restart (pick one depending on runtime):
If Docker runtime (your task mentions Docker):
docker ps | grep etcd
If it is briefly missing (old container removed, new one not yet started), wait 2–5 seconds and rerun:
docker ps | grep etcd
(Alternative if available)
crictl ps | grep etcd
4) Final quick validation (fast exam check)
Kubelet config check
grep -n "enabled: false" /var/lib/kubelet/config.yaml | head
grep -n "webhook" /var/lib/kubelet/config.yaml
grep -n "authorization" /var/lib/kubelet/config.yaml
etcd arg check
grep -n "client-cert-auth" /etc/kubernetes/manifests/etcd.yaml
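The greps above are quick but loose: "enabled: false" matches any enabled: line, not necessarily the one under anonymous:. The script below is an added example (not part of the original walkthrough) that checks the exact keys from sections 2 and 3 in one go: it reads a key inside the YAML block it belongs to with awk, checks the etcd manifest for the client-cert-auth flag, and warns if a kubelet flag in kubeadm-flags.env would override config.yaml. It assumes the 2-space indented YAML kubeadm writes; the sample files it creates are constructed to look like kubeadm's, not copied from a real node.

```shell
#!/bin/sh
# Added example (not part of the original walkthrough): an offline checker for
# the three kubelet settings and the etcd flag this page fixes. A bare
# grep "enabled: false" can match the wrong "enabled:" line, so yaml_get uses
# awk to read a key inside the block it belongs to. It assumes the 2-space
# indented YAML that kubeadm writes for config.yaml and etcd.yaml.

# yaml_get FILE BLOCK SUBBLOCK KEY: print the scalar value, or nothing if absent.
# Pass "" as SUBBLOCK for a key directly under BLOCK (e.g. authorization.mode).
yaml_get() {
  awk -v b="$2" -v s="$3" -v k="$4" '
    /^[[:space:]]*(#|$)/ { next }                          # comments, blank lines
    /^[^ ]/ { inb = ($0 == b ":"); ins = (s == ""); next }  # new top-level key
    inb && /^  [^ ]/ {                                      # direct child of BLOCK
      if (s == "") { if ($1 == k ":") { print $2; exit } }
      else         { ins = ($0 == "  " s ":") }
      next
    }
    inb && ins && s != "" && /^    [^ ]/ {                  # child of SUBBLOCK
      if ($1 == k ":") { print $2; exit }
    }
  ' "$1"
}

# CIS kubelet items from the task: anonymous off, webhook authn on, Webhook authz.
check_kubelet_config() {
  rc=0
  [ "$(yaml_get "$1" authentication anonymous enabled)" = "false" ] \
    || { echo "FAIL: authentication.anonymous.enabled must be false"; rc=1; }
  [ "$(yaml_get "$1" authentication webhook enabled)" = "true" ] \
    || { echo "FAIL: authentication.webhook.enabled must be true"; rc=1; }
  [ "$(yaml_get "$1" authorization "" mode)" = "Webhook" ] \
    || { echo "FAIL: authorization.mode must be Webhook (not AlwaysAllow)"; rc=1; }
  return $rc
}

# Kubelet command-line flags take precedence over config.yaml, so a flag in
# kubeadm-flags.env can silently undo the edit. Returns 1 if such a flag exists.
kubelet_flags_clean() {
  [ -f "$1" ] || return 0
  if grep -qE -e '--anonymous-auth|--authorization-mode' "$1"; then
    echo "WARN: $1 passes a flag that overrides config.yaml; remove it or fix its value"
    return 1
  fi
  return 0
}

# CIS etcd item: client cert auth on, with a trusted CA to verify clients against.
check_etcd_manifest() {
  rc=0
  grep -qE '^[[:space:]]*- --client-cert-auth=true[[:space:]]*$' "$1" \
    || { echo "FAIL: etcd needs - --client-cert-auth=true"; rc=1; }
  grep -qE '^[[:space:]]*- --trusted-ca-file=' "$1" \
    || { echo "FAIL: etcd needs - --trusted-ca-file=..."; rc=1; }
  return $rc
}

# Constructed samples shaped like kubeadm's files (not copied from a real node)
# so the checker can be exercised without cluster access.
write_samples() {
  cat > "$1/config.yaml" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 0s
    cacheUnauthorizedTTL: 0s
EOF
  cat > "$1/etcd.yaml" <<'EOF'
apiVersion: v1
kind: Pod
spec:
  containers:
  - command:
    - etcd
    - --client-cert-auth=true
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
EOF
  printf 'KUBELET_KUBEADM_ARGS="--container-runtime-endpoint=unix:///run/containerd/containerd.sock"\n' \
    > "$1/kubeadm-flags.env"
}

# On a real node point these at /var/lib/kubelet/config.yaml,
# /var/lib/kubelet/kubeadm-flags.env and /etc/kubernetes/manifests/etcd.yaml.
demo=$(mktemp -d)
write_samples "$demo"
check_kubelet_config "$demo/config.yaml" && echo "kubelet config OK"
kubelet_flags_clean "$demo/kubeadm-flags.env" && echo "no overriding kubelet flags"
check_etcd_manifest "$demo/etcd.yaml" && echo "etcd manifest OK"
```

After the kubelet restart, a live check that does not depend on parsing files at all: curl -sk -o /dev/null -w '%{http_code}\n' https://127.0.0.1:10250/pods should print 401, because with anonymous auth disabled the kubelet rejects unauthenticated requests outright (with anonymous still enabled and Webhook authorization you would see 403, and with AlwaysAllow you would get the pod list back).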
Submit