diff --git a/assets/js/0480b142.c9f63c69.js b/assets/js/0480b142.4cd19da1.js
similarity index 99%
rename from assets/js/0480b142.c9f63c69.js
rename to assets/js/0480b142.4cd19da1.js
index d7f0e0655..1b6354ee7 100644
--- a/assets/js/0480b142.c9f63c69.js
+++ b/assets/js/0480b142.4cd19da1.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[836],{9665:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>t,metadata:()=>a,toc:()=>d});var i=s(5893),r=s(1151);const t={title:"FAQ"},o=void 0,a={id:"faq",title:"FAQ",description:"The FAQ is updated periodically and designed to answer the questions our users most frequently ask about K3s.",source:"@site/docs/faq.md",sourceDirName:".",slug:"/faq",permalink:"/faq",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/faq.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"FAQ"},sidebar:"mySidebar",previous:{title:"Known Issues",permalink:"/known-issues"}},l={},d=[{value:"Is K3s a suitable replacement for Kubernetes?",id:"is-k3s-a-suitable-replacement-for-kubernetes",level:3},{value:"How can I use my own Ingress instead of Traefik?",id:"how-can-i-use-my-own-ingress-instead-of-traefik",level:3},{value:"Does K3s support Windows?",id:"does-k3s-support-windows",level:3},{value:"What exactly are Servers and Agents?",id:"what-exactly-are-servers-and-agents",level:3},{value:"How can I build from source?",id:"how-can-i-build-from-source",level:3},{value:"Where are the K3s logs?",id:"where-are-the-k3s-logs",level:3},{value:"Can I run K3s in Docker?",id:"can-i-run-k3s-in-docker",level:3},{value:"What is the difference between K3s Server and Agent Tokens?",id:"what-is-the-difference-between-k3s-server-and-agent-tokens",level:3},{value:"How compatible are different versions of K3s?",id:"how-compatible-are-different-versions-of-k3s",level:3},{value:"I'm having an issue, where can I get help?",id:"im-having-an-issue-where-can-i-get-help",level:3}];function c(e){const n={a:"a",code:"code",h3:"h3",li:"li",ol:"ol",p:"p",ul:"ul",...(0,r.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.p,{children:"The FAQ is updated periodically and designed to answer the questions our users most frequently ask about K3s."}),"\n",(0,i.jsx)(n.h3,{id:"is-k3s-a-suitable-replacement-for-kubernetes",children:"Is K3s a suitable replacement for Kubernetes?"}),"\n",(0,i.jsxs)(n.p,{children:["K3s is a CNCF-certified Kubernetes distribution, and can do everything required of a standard Kubernetes cluster. It is just a more lightweight version. See the ",(0,i.jsx)(n.a,{href:"/",children:"main"})," docs page for more details."]}),"\n",(0,i.jsx)(n.h3,{id:"how-can-i-use-my-own-ingress-instead-of-traefik",children:"How can I use my own Ingress instead of Traefik?"}),"\n",(0,i.jsxs)(n.p,{children:["Simply start K3s server with ",(0,i.jsx)(n.code,{children:"--disable=traefik"})," and deploy your ingress."]}),"\n",(0,i.jsx)(n.h3,{id:"does-k3s-support-windows",children:"Does K3s support Windows?"}),"\n",(0,i.jsx)(n.p,{children:"At this time K3s does not natively support Windows, however we are open to the idea in the future."}),"\n",(0,i.jsx)(n.h3,{id:"what-exactly-are-servers-and-agents",children:"What exactly are Servers and Agents?"}),"\n",(0,i.jsxs)(n.p,{children:["For a breakdown on the components that make up a server and agent, see the ",(0,i.jsx)(n.a,{href:"/architecture",children:"Architecture page"}),"."]}),"\n",(0,i.jsx)(n.h3,{id:"how-can-i-build-from-source",children:"How can I build from source?"}),"\n",(0,i.jsxs)(n.p,{children:["Please reference the K3s ",(0,i.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/blob/master/BUILDING.md",children:"BUILDING.md"})," with instructions."]}),"\n",(0,i.jsx)(n.h3,{id:"where-are-the-k3s-logs",children:"Where are the K3s logs?"}),"\n",(0,i.jsx)(n.p,{children:"The location of K3s logs will vary depending on how you run K3s and the node's OS."}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"When run from the command line, logs are sent to stdout and stderr."}),"\n",(0,i.jsxs)(n.li,{children:["When running under openrc, logs will be created at ",(0,i.jsx)(n.code,{children:"/var/log/k3s.log"}),"."]}),"\n",(0,i.jsxs)(n.li,{children:["When running under Systemd, logs will be sent to Journald and can be viewed using ",(0,i.jsx)(n.code,{children:"journalctl -u k3s"}),"."]}),"\n",(0,i.jsxs)(n.li,{children:["Pod logs can be found at ",(0,i.jsx)(n.code,{children:"/var/log/pods"}),"."]}),"\n",(0,i.jsxs)(n.li,{children:["Containerd logs can be found at ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/agent/containerd/containerd.log"}),"."]}),"\n"]}),"\n",(0,i.jsxs)(n.p,{children:["You can generate more detailed logs by using the ",(0,i.jsx)(n.code,{children:"--debug"})," flag when starting K3s (or ",(0,i.jsx)(n.code,{children:"debug: true"})," in the configuration file)."]}),"\n",(0,i.jsxs)(n.p,{children:["Kubernetes uses a logging framework known as ",(0,i.jsx)(n.code,{children:"klog"}),", which uses a single logging configuration for all components within a process.\nSince K3s runs all Kubernetes components within a single process, it is not possible to configure different log levels or destinations for individual Kubernetes components.\nUse of the ",(0,i.jsx)(n.code,{children:"-v="})," or ",(0,i.jsx)(n.code,{children:"--vmodule=="})," component args will likely not have the desired effect."]}),"\n",(0,i.jsxs)(n.p,{children:["See ",(0,i.jsx)(n.a,{href:"/advanced#additional-logging-sources",children:"Additional Logging Sources"})," for even more log options."]}),"\n",(0,i.jsx)(n.h3,{id:"can-i-run-k3s-in-docker",children:"Can I run K3s in Docker?"}),"\n",(0,i.jsxs)(n.p,{children:["Yes, there are multiple ways to run K3s in Docker. See ",(0,i.jsx)(n.a,{href:"/advanced#running-k3s-in-docker",children:"Advanced Options"})," for more details."]}),"\n",(0,i.jsx)(n.h3,{id:"what-is-the-difference-between-k3s-server-and-agent-tokens",children:"What is the difference between K3s Server and Agent Tokens?"}),"\n",(0,i.jsxs)(n.p,{children:["For more information on managing K3s join tokens, see the ",(0,i.jsxs)(n.a,{href:"/cli/token",children:[(0,i.jsx)(n.code,{children:"k3s token"})," command documentation"]}),"."]}),"\n",(0,i.jsx)(n.h3,{id:"how-compatible-are-different-versions-of-k3s",children:"How compatible are different versions of K3s?"}),"\n",(0,i.jsxs)(n.p,{children:["In general, the ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/setup/release/version-skew-policy/",children:"Kubernetes version skew policy"})," applies."]}),"\n",(0,i.jsx)(n.p,{children:"In short, servers can be newer than agents, but agents cannot be newer than servers."}),"\n",(0,i.jsx)(n.h3,{id:"im-having-an-issue-where-can-i-get-help",children:"I'm having an issue, where can I get help?"}),"\n",(0,i.jsx)(n.p,{children:"If you are having an issue with deploying K3s, you should:"}),"\n",(0,i.jsxs)(n.ol,{children:["\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Check the ",(0,i.jsx)(n.a,{href:"/known-issues",children:"Known Issues"})," page."]}),"\n"]}),"\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Check that you have resolved any ",(0,i.jsx)(n.a,{href:"/installation/requirements#operating-systems",children:"Additional OS Preparation"}),". Run ",(0,i.jsx)(n.code,{children:"k3s check-config"})," and ensure that it passes."]}),"\n"]}),"\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Search the K3s ",(0,i.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/issues",children:"Issues"})," and ",(0,i.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/discussions",children:"Discussions"})," for one that matches your problem."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(n.ol,{start:"4",children:["\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Join the ",(0,i.jsx)(n.a,{href:"https://slack.rancher.io/",children:"Rancher Slack"})," K3s channel to get help."]}),"\n"]}),"\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Submit a ",(0,i.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/issues/new/choose",children:"New Issue"})," on the K3s Github describing your setup and the issue you are experiencing."]}),"\n"]}),"\n"]})]})}function h(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(c,{...e})}):c(e)}},1151:(e,n,s)=>{s.d(n,{Z:()=>a,a:()=>o});var i=s(7294);const r={},t=i.createContext(r);function o(e){const n=i.useContext(t);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),i.createElement(t.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[836],{9665:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>t,metadata:()=>a,toc:()=>d});var i=s(5893),r=s(1151);const t={title:"FAQ"},o=void 0,a={id:"faq",title:"FAQ",description:"The FAQ is updated periodically and designed to answer the questions our users most frequently ask about K3s.",source:"@site/docs/faq.md",sourceDirName:".",slug:"/faq",permalink:"/faq",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/faq.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"FAQ"},sidebar:"mySidebar",previous:{title:"Known Issues",permalink:"/known-issues"}},l={},d=[{value:"Is K3s a suitable replacement for Kubernetes?",id:"is-k3s-a-suitable-replacement-for-kubernetes",level:3},{value:"How can I use my own Ingress instead of Traefik?",id:"how-can-i-use-my-own-ingress-instead-of-traefik",level:3},{value:"Does K3s support Windows?",id:"does-k3s-support-windows",level:3},{value:"What exactly are Servers and Agents?",id:"what-exactly-are-servers-and-agents",level:3},{value:"How can I build from source?",id:"how-can-i-build-from-source",level:3},{value:"Where are the K3s logs?",id:"where-are-the-k3s-logs",level:3},{value:"Can I run K3s in Docker?",id:"can-i-run-k3s-in-docker",level:3},{value:"What is the difference between K3s Server and Agent Tokens?",id:"what-is-the-difference-between-k3s-server-and-agent-tokens",level:3},{value:"How compatible are different versions of K3s?",id:"how-compatible-are-different-versions-of-k3s",level:3},{value:"I'm having an issue, where can I get help?",id:"im-having-an-issue-where-can-i-get-help",level:3}];function c(e){const n={a:"a",code:"code",h3:"h3",li:"li",ol:"ol",p:"p",ul:"ul",...(0,r.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.p,{children:"The FAQ is updated periodically and designed to answer the questions our users most frequently ask about K3s."}),"\n",(0,i.jsx)(n.h3,{id:"is-k3s-a-suitable-replacement-for-kubernetes",children:"Is K3s a suitable replacement for Kubernetes?"}),"\n",(0,i.jsxs)(n.p,{children:["K3s is a CNCF-certified Kubernetes distribution, and can do everything required of a standard Kubernetes cluster. It is just a more lightweight version. See the ",(0,i.jsx)(n.a,{href:"/",children:"main"})," docs page for more details."]}),"\n",(0,i.jsx)(n.h3,{id:"how-can-i-use-my-own-ingress-instead-of-traefik",children:"How can I use my own Ingress instead of Traefik?"}),"\n",(0,i.jsxs)(n.p,{children:["Simply start K3s server with ",(0,i.jsx)(n.code,{children:"--disable=traefik"})," and deploy your ingress."]}),"\n",(0,i.jsx)(n.h3,{id:"does-k3s-support-windows",children:"Does K3s support Windows?"}),"\n",(0,i.jsx)(n.p,{children:"At this time K3s does not natively support Windows, however we are open to the idea in the future."}),"\n",(0,i.jsx)(n.h3,{id:"what-exactly-are-servers-and-agents",children:"What exactly are Servers and Agents?"}),"\n",(0,i.jsxs)(n.p,{children:["For a breakdown on the components that make up a server and agent, see the ",(0,i.jsx)(n.a,{href:"/architecture",children:"Architecture page"}),"."]}),"\n",(0,i.jsx)(n.h3,{id:"how-can-i-build-from-source",children:"How can I build from source?"}),"\n",(0,i.jsxs)(n.p,{children:["Please reference the K3s ",(0,i.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/blob/master/BUILDING.md",children:"BUILDING.md"})," with instructions."]}),"\n",(0,i.jsx)(n.h3,{id:"where-are-the-k3s-logs",children:"Where are the K3s logs?"}),"\n",(0,i.jsx)(n.p,{children:"The location of K3s logs will vary depending on how you run K3s and the node's OS."}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"When run from the command line, logs are sent to stdout and stderr."}),"\n",(0,i.jsxs)(n.li,{children:["When running under openrc, logs will be created at ",(0,i.jsx)(n.code,{children:"/var/log/k3s.log"}),"."]}),"\n",(0,i.jsxs)(n.li,{children:["When running under Systemd, logs will be sent to Journald and can be viewed using ",(0,i.jsx)(n.code,{children:"journalctl -u k3s"}),"."]}),"\n",(0,i.jsxs)(n.li,{children:["Pod logs can be found at ",(0,i.jsx)(n.code,{children:"/var/log/pods"}),"."]}),"\n",(0,i.jsxs)(n.li,{children:["Containerd logs can be found at ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/agent/containerd/containerd.log"}),"."]}),"\n"]}),"\n",(0,i.jsxs)(n.p,{children:["You can generate more detailed logs by using the ",(0,i.jsx)(n.code,{children:"--debug"})," flag when starting K3s (or ",(0,i.jsx)(n.code,{children:"debug: true"})," in the configuration file)."]}),"\n",(0,i.jsxs)(n.p,{children:["Kubernetes uses a logging framework known as ",(0,i.jsx)(n.code,{children:"klog"}),", which uses a single logging configuration for all components within a process.\nSince K3s runs all Kubernetes components within a single process, it is not possible to configure different log levels or destinations for individual Kubernetes components.\nUse of the ",(0,i.jsx)(n.code,{children:"-v="})," or ",(0,i.jsx)(n.code,{children:"--vmodule=="})," component args will likely not have the desired effect."]}),"\n",(0,i.jsxs)(n.p,{children:["See ",(0,i.jsx)(n.a,{href:"/advanced#additional-logging-sources",children:"Additional Logging Sources"})," for even more log options."]}),"\n",(0,i.jsx)(n.h3,{id:"can-i-run-k3s-in-docker",children:"Can I run K3s in Docker?"}),"\n",(0,i.jsxs)(n.p,{children:["Yes, there are multiple ways to run K3s in Docker. See ",(0,i.jsx)(n.a,{href:"/advanced#running-k3s-in-docker",children:"Advanced Options"})," for more details."]}),"\n",(0,i.jsx)(n.h3,{id:"what-is-the-difference-between-k3s-server-and-agent-tokens",children:"What is the difference between K3s Server and Agent Tokens?"}),"\n",(0,i.jsxs)(n.p,{children:["For more information on managing K3s join tokens, see the ",(0,i.jsxs)(n.a,{href:"/cli/token",children:[(0,i.jsx)(n.code,{children:"k3s token"})," command documentation"]}),"."]}),"\n",(0,i.jsx)(n.h3,{id:"how-compatible-are-different-versions-of-k3s",children:"How compatible are different versions of K3s?"}),"\n",(0,i.jsxs)(n.p,{children:["In general, the ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/setup/release/version-skew-policy/",children:"Kubernetes version skew policy"})," applies."]}),"\n",(0,i.jsx)(n.p,{children:"In short, servers can be newer than agents, but agents cannot be newer than servers."}),"\n",(0,i.jsx)(n.h3,{id:"im-having-an-issue-where-can-i-get-help",children:"I'm having an issue, where can I get help?"}),"\n",(0,i.jsx)(n.p,{children:"If you are having an issue with deploying K3s, you should:"}),"\n",(0,i.jsxs)(n.ol,{children:["\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Check the ",(0,i.jsx)(n.a,{href:"/known-issues",children:"Known Issues"})," page."]}),"\n"]}),"\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Check that you have resolved any ",(0,i.jsx)(n.a,{href:"/installation/requirements#operating-systems",children:"Additional OS Preparation"}),". Run ",(0,i.jsx)(n.code,{children:"k3s check-config"})," and ensure that it passes."]}),"\n"]}),"\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Search the K3s ",(0,i.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/issues",children:"Issues"})," and ",(0,i.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/discussions",children:"Discussions"})," for one that matches your problem."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(n.ol,{start:"4",children:["\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Join the ",(0,i.jsx)(n.a,{href:"https://slack.rancher.io/",children:"Rancher Slack"})," K3s channel to get help."]}),"\n"]}),"\n",(0,i.jsxs)(n.li,{children:["\n",(0,i.jsxs)(n.p,{children:["Submit a ",(0,i.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/issues/new/choose",children:"New Issue"})," on the K3s Github describing your setup and the issue you are experiencing."]}),"\n"]}),"\n"]})]})}function h(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(c,{...e})}):c(e)}},1151:(e,n,s)=>{s.d(n,{Z:()=>a,a:()=>o});var i=s(7294);const r={},t=i.createContext(r);function o(e){const n=i.useContext(t);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),i.createElement(t.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/06dc01b4.c0303864.js b/assets/js/06dc01b4.c0f89b5c.js
similarity index 99%
rename from assets/js/06dc01b4.c0303864.js
rename to assets/js/06dc01b4.c0f89b5c.js
index a96b5d3b3..650a277e3 100644
--- a/assets/js/06dc01b4.c0303864.js
+++ b/assets/js/06dc01b4.c0f89b5c.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9233],{6516:(e,n,i)=>{i.r(n),i.d(n,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>r,metadata:()=>a,toc:()=>d});var s=i(5893),t=i(1151);const r={title:"Basic Network Options"},o=void 0,a={id:"networking/basic-network-options",title:"Basic Network Options",description:"This page describes K3s network configuration options, including configuration or replacement of Flannel, and configuring IPv6 or dualStack.",source:"@site/docs/networking/basic-network-options.md",sourceDirName:"networking",slug:"/networking/basic-network-options",permalink:"/networking/basic-network-options",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/basic-network-options.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Basic Network Options"},sidebar:"mySidebar",previous:{title:"Networking",permalink:"/networking/"},next:{title:"Distributed hybrid or multicloud cluster",permalink:"/networking/distributed-multicloud"}},l={},d=[{value:"Flannel Options",id:"flannel-options",level:2},{value:"Migrating from wireguard or ipsec to wireguard-native",id:"migrating-from-wireguard-or-ipsec-to-wireguard-native",level:3},{value:"Custom CNI",id:"custom-cni",level:2},{value:"Control-Plane Egress Selector configuration",id:"control-plane-egress-selector-configuration",level:2},{value:"Dual-stack (IPv4 + IPv6) Networking",id:"dual-stack-ipv4--ipv6-networking",level:2},{value:"Single-stack IPv6 Networking",id:"single-stack-ipv6-networking",level:2},{value:"Nodes Without a Hostname",id:"nodes-without-a-hostname",level:2}];function c(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",h2:"h2",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components},{TabItem:i,Tabs:r}=n;return i||u("TabItem",!0),r||u("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"This page describes K3s network configuration options, including configuration or replacement of Flannel, and configuring IPv6 or dualStack."}),"\n",(0,s.jsx)(n.h2,{id:"flannel-options",children:"Flannel Options"}),"\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/flannel-io/flannel/blob/master/README.md",children:"Flannel"})," is a lightweight provider of layer 3 network fabric that implements the Kubernetes Container Network Interface (CNI). It is what is commonly referred to as a CNI Plugin."]}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"Flannel options can only be set on server nodes, and must be identical on all servers in the cluster."}),"\n",(0,s.jsxs)(n.li,{children:["The default backend for Flannel is ",(0,s.jsx)(n.code,{children:"vxlan"}),". To enable encryption, use the ",(0,s.jsx)(n.code,{children:"wireguard-native"})," backend."]}),"\n",(0,s.jsxs)(n.li,{children:["Using ",(0,s.jsx)(n.code,{children:"vxlan"})," on Rasperry Pi with recent versions of Ubuntu requires ",(0,s.jsx)(n.a,{href:"/installation/requirements?os=pi#operating-systems",children:"additional preparation"}),"."]}),"\n",(0,s.jsxs)(n.li,{children:["Using ",(0,s.jsx)(n.code,{children:"wireguard-native"})," as the Flannel backend may require additional modules on some Linux distributions. Please see the ",(0,s.jsx)(n.a,{href:"https://www.wireguard.com/install/",children:"WireGuard Install Guide"})," for details.\nThe WireGuard install steps will ensure the appropriate kernel modules are installed for your operating system.\nYou must ensure that WireGuard kernel modules are available on every node, both servers and agents, before attempting to use the WireGuard Flannel backend."]}),"\n"]}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"CLI Flag and Value"}),(0,s.jsx)(n.th,{children:"Description"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-ipv6-masq"})}),(0,s.jsxs)(n.td,{children:["Apply masquerading rules to IPv6 traffic (default for IPv4). Only applies on dual-stack or IPv6-only clusters. Compatible with any Flannel backend other than ",(0,s.jsx)(n.code,{children:"none"}),"."]})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-external-ip"})}),(0,s.jsx)(n.td,{children:"Use node external IP addresses as the destination for Flannel traffic, instead of internal IPs. Only applies when --node-external-ip is set on a node."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=vxlan"})}),(0,s.jsx)(n.td,{children:"Use VXLAN to encapsulate the packets. May require additional kernel modules on Raspberry Pi."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=host-gw"})}),(0,s.jsx)(n.td,{children:"Use IP routes to pod subnets via node IPs. Requires direct layer 2 connectivity between all nodes in the cluster."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=wireguard-native"})}),(0,s.jsx)(n.td,{children:"Use WireGuard to encapsulate and encrypt network traffic. May require additional kernel modules."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=ipsec"})}),(0,s.jsxs)(n.td,{children:["Use strongSwan IPSec via the ",(0,s.jsx)(n.code,{children:"swanctl"})," binary to encrypt network traffic. (Deprecated; will be removed in v1.27.0)"]})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=none"})}),(0,s.jsx)(n.td,{children:"Disable Flannel entirely."})]})]})]}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["K3s no longer includes strongSwan ",(0,s.jsx)(n.code,{children:"swanctl"})," and ",(0,s.jsx)(n.code,{children:"charon"})," binaries starting with the 2022-12 releases (v1.26.0+k3s1, v1.25.5+k3s1, v1.24.9+k3s1, v1.23.15+k3s1). Please install the correct packages on your node before upgrading to or installing these releases if you want to use the ",(0,s.jsx)(n.code,{children:"ipsec"})," backend."]})}),"\n",(0,s.jsxs)(n.h3,{id:"migrating-from-wireguard-or-ipsec-to-wireguard-native",children:["Migrating from ",(0,s.jsx)(n.code,{children:"wireguard"})," or ",(0,s.jsx)(n.code,{children:"ipsec"})," to ",(0,s.jsx)(n.code,{children:"wireguard-native"})]}),"\n",(0,s.jsxs)(n.p,{children:["The legacy ",(0,s.jsx)(n.code,{children:"wireguard"})," backend requires installation of the ",(0,s.jsx)(n.code,{children:"wg"})," tool on the host. This backend is not available in K3s v1.26 and higher, in favor of ",(0,s.jsx)(n.code,{children:"wireguard-native"})," backend, which directly interfaces with the kernel."]}),"\n",(0,s.jsxs)(n.p,{children:["The legacy ",(0,s.jsx)(n.code,{children:"ipsec"})," backend requires installation of the ",(0,s.jsx)(n.code,{children:"swanctl"})," and ",(0,s.jsx)(n.code,{children:"charon"})," binaries on the host. This backend is not available in K3s v1.27 and higher, in favor of the ",(0,s.jsx)(n.code,{children:"wireguard-native"})," backend."]}),"\n",(0,s.jsx)(n.p,{children:"We recommend that users migrate to the new backend as soon as possible. The migration requires a short period of downtime while nodes come up with the new configuration. You should follow these two steps:"}),"\n",(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsxs)(n.li,{children:["Update the K3s config on all server nodes. If using config files, the ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"})," should include ",(0,s.jsx)(n.code,{children:"flannel-backend: wireguard-native"})," instead of ",(0,s.jsx)(n.code,{children:"flannel-backend: wireguard"})," or ",(0,s.jsx)(n.code,{children:"flannel-backend: ipsec"}),". If you are configuring K3s via CLI flags in the systemd unit, the equivalent flags should be changed."]}),"\n",(0,s.jsx)(n.li,{children:"Reboot all nodes, starting with the servers."}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"custom-cni",children:"Custom CNI"}),"\n",(0,s.jsxs)(n.p,{children:["Start K3s with ",(0,s.jsx)(n.code,{children:"--flannel-backend=none"})," and install your CNI of choice. Most CNI plugins come with their own network policy engine, so it is recommended to set ",(0,s.jsx)(n.code,{children:"--disable-network-policy"})," as well to avoid conflicts. Some important information to take into consideration:"]}),"\n",(0,s.jsxs)(r,{queryString:"cni",children:[(0,s.jsxs)(i,{value:"Canal",default:!0,children:[(0,s.jsxs)(n.p,{children:["Visit the ",(0,s.jsx)(n.a,{href:"https://docs.tigera.io/calico/latest/getting-started/kubernetes/flannel/install-for-flannel#installing-calico-for-policy-and-flannel-aka-canal-for-networking",children:"Canal Docs"})," website. Follow the steps to install Canal. Modify the Canal YAML so that IP forwarding is allowed in the ",(0,s.jsx)(n.code,{children:"container_settings"})," section, for example:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'"container_settings": {\n "allow_ip_forwarding": true\n}\n'})}),(0,s.jsx)(n.p,{children:"Apply the Canal YAML."}),(0,s.jsx)(n.p,{children:"Ensure the settings were applied by running the following command on the host:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"cat /etc/cni/net.d/10-canal.conflist\n"})}),(0,s.jsx)(n.p,{children:"You should see that IP forwarding is set to true."})]}),(0,s.jsxs)(i,{value:"Calico",default:!0,children:[(0,s.jsxs)(n.p,{children:["Follow the ",(0,s.jsx)(n.a,{href:"https://docs.tigera.io/calico/latest/reference/configure-cni-plugins",children:"Calico CNI Plugins Guide"}),". Modify the Calico YAML so that IP forwarding is allowed in the ",(0,s.jsx)(n.code,{children:"container_settings"})," section, for example:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'"container_settings": {\n "allow_ip_forwarding": true\n}\n'})}),(0,s.jsx)(n.p,{children:"Apply the Calico YAML."}),(0,s.jsx)(n.p,{children:"Ensure the settings were applied by running the following command on the host:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"cat /etc/cni/net.d/10-calico.conflist\n"})}),(0,s.jsx)(n.p,{children:"You should see that IP forwarding is set to true."})]}),(0,s.jsxs)(i,{value:"Cilium",default:!0,children:[(0,s.jsxs)(n.p,{children:["Before running ",(0,s.jsx)(n.code,{children:"k3s-killall.sh"})," or ",(0,s.jsx)(n.code,{children:"k3s-uninstall.sh"}),", you must manually remove ",(0,s.jsx)(n.code,{children:"cilium_host"}),", ",(0,s.jsx)(n.code,{children:"cilium_net"})," and ",(0,s.jsx)(n.code,{children:"cilium_vxlan"})," interfaces. If you fail to do this, you may lose network connectivity to the host when K3s is stopped"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"ip link delete cilium_host\nip link delete cilium_net\nip link delete cilium_vxlan\n"})}),(0,s.jsx)(n.p,{children:"Additionally, iptables rules for cilium should be removed:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"iptables-save | grep -iv cilium | iptables-restore\nip6tables-save | grep -iv cilium | ip6tables-restore\n"})})]})]}),"\n",(0,s.jsx)(n.h2,{id:"control-plane-egress-selector-configuration",children:"Control-Plane Egress Selector configuration"}),"\n",(0,s.jsxs)(n.p,{children:["K3s agents and servers maintain websocket tunnels between nodes that are used to encapsulate bidirectional communication between the control-plane (apiserver) and agent (kubelet and containerd) components.\nThis allows agents to operate without exposing the kubelet and container runtime streaming ports to incoming connections, and for the control-plane to connect to cluster services when operating with the agent disabled.\nThis functionality is equivalent to the ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/extend-kubernetes/setup-konnectivity/",children:"Konnectivity"})," service commonly used on other Kubernetes distributions, and is managed via the apiserver's egress selector configuration."]}),"\n",(0,s.jsxs)(n.p,{children:["The default mode is ",(0,s.jsx)(n.code,{children:"agent"}),". ",(0,s.jsx)(n.code,{children:"pod"})," or ",(0,s.jsx)(n.code,{children:"cluster"})," modes are recommended when running ",(0,s.jsx)(n.a,{href:"/advanced#running-agentless-servers-experimental",children:"agentless servers"}),", in order to provide the apiserver with access to cluster service endpoints in the absence of flannel and kube-proxy."]}),"\n",(0,s.jsxs)(n.p,{children:["The egress selector mode may be configured on servers via the ",(0,s.jsx)(n.code,{children:"--egress-selector-mode"})," flag, and offers four modes:"]}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"disabled"}),": The apiserver does not use agent tunnels to communicate with kubelets or cluster endpoints.\nThis mode requires that servers run the kubelet, CNI, and kube-proxy, and have direct connectivity to agents, or the apiserver will not be able to access service endpoints or perform ",(0,s.jsx)(n.code,{children:"kubectl exec"})," and ",(0,s.jsx)(n.code,{children:"kubectl logs"}),"."]}),"\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"agent"})," (default): The apiserver uses agent tunnels to communicate with kubelets.\nThis mode requires that the servers also run the kubelet, CNI, and kube-proxy, or the apiserver will not be able to access service endpoints."]}),"\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"pod"}),": The apiserver uses agent tunnels to communicate with kubelets and service endpoints, routing endpoint connections to the correct agent by watching Nodes and Endpoints.",(0,s.jsx)(n.br,{}),"\n",(0,s.jsx)(n.strong,{children:"NOTE"}),": This mode will not work when using a CNI that uses its own IPAM and does not respect the node's PodCIDR allocation. ",(0,s.jsx)(n.code,{children:"cluster"})," or ",(0,s.jsx)(n.code,{children:"agent"})," mode should be used with these CNIs instead."]}),"\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"cluster"}),": The apiserver uses agent tunnels to communicate with kubelets and service endpoints, routing endpoint connections to the correct agent by watching Pods and Endpoints. This mode has the highest portability across different cluster configurations, at the cost of increased overhead."]}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"dual-stack-ipv4--ipv6-networking",children:"Dual-stack (IPv4 + IPv6) Networking"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Experimental support is available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.21.0%2Bk3s1",children:"v1.21.0+k3s1"}),".",(0,s.jsx)(n.br,{}),"\n","Stable support is available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.23.7%2Bk3s1",children:"v1.23.7+k3s1"}),"."]})}),"\n",(0,s.jsxs)(n.admonition,{title:"Known Issue",type:"warning",children:[(0,s.jsxs)(n.p,{children:["Before 1.27, Kubernetes ",(0,s.jsx)(n.a,{href:"https://github.com/kubernetes/kubernetes/issues/111695",children:"Issue #111695"})," causes the Kubelet to ignore the node IPv6 addresses if you have a dual-stack environment and you are not using the primary network interface for cluster traffic. To avoid this bug, use 1.27 or newer or add the following flag to both K3s servers and agents:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:'--kubelet-arg="node-ip=0.0.0.0" # To proritize IPv4 traffic\n#OR\n--kubelet-arg="node-ip=::" # To proritize IPv6 traffic\n'})})]}),"\n",(0,s.jsx)(n.p,{children:"Dual-stack networking must be configured when the cluster is first created. It cannot be enabled on an existing cluster once it has been started as IPv4-only."}),"\n",(0,s.jsxs)(n.p,{children:["To enable dual-stack in K3s, you must provide valid dual-stack ",(0,s.jsx)(n.code,{children:"cluster-cidr"})," and ",(0,s.jsx)(n.code,{children:"service-cidr"})," on all server nodes. This is an example of a valid configuration:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"--cluster-cidr=10.42.0.0/16,2001:cafe:42::/56 --service-cidr=10.43.0.0/16,2001:cafe:43::/112\n"})}),"\n",(0,s.jsxs)(n.p,{children:["Note that you may configure any valid ",(0,s.jsx)(n.code,{children:"cluster-cidr"})," and ",(0,s.jsx)(n.code,{children:"service-cidr"})," values, but the above masks are recommended. If you change the ",(0,s.jsx)(n.code,{children:"cluster-cidr"})," mask, you should also change the ",(0,s.jsx)(n.code,{children:"node-cidr-mask-size-ipv4"})," and ",(0,s.jsx)(n.code,{children:"node-cidr-mask-size-ipv6"})," values to match the planned pods per node and total node count. The largest supported ",(0,s.jsx)(n.code,{children:"service-cidr"})," mask is /12 for IPv4, and /112 for IPv6. Remember to allow ipv6 traffic if you are deploying in a public cloud."]}),"\n",(0,s.jsx)(n.p,{children:"If you are using a custom CNI plugin, i.e. a CNI plugin other than Flannel, the additional configuration may be required. Please consult your plugin's dual-stack documentation and verify if network policies can be enabled."}),"\n",(0,s.jsx)(n.admonition,{title:"Known Issue",type:"warning",children:(0,s.jsx)(n.p,{children:"When defining cluster-cidr and service-cidr with IPv6 as the primary family, the node-ip of all cluster members should be explicitly set, placing node's desired IPv6 address as the first address. By default, the kubelet always uses IPv4 as the primary address family."})}),"\n",(0,s.jsx)(n.h2,{id:"single-stack-ipv6-networking",children:"Single-stack IPv6 Networking"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.22.9%2Bk3s1",children:"v1.22.9+k3s1"})]})}),"\n",(0,s.jsx)(n.admonition,{title:"Known Issue",type:"warning",children:(0,s.jsxs)(n.p,{children:["If your IPv6 default route is set by a router advertisement (RA), you will need to set the sysctl ",(0,s.jsx)(n.code,{children:"net.ipv6.conf.all.accept_ra=2"}),"; otherwise, the node will drop the default route once it expires. Be aware that accepting RAs could increase the risk of ",(0,s.jsx)(n.a,{href:"https://github.com/kubernetes/kubernetes/issues/91507",children:"man-in-the-middle attacks"}),"."]})}),"\n",(0,s.jsxs)(n.p,{children:["Single-stack IPv6 clusters (clusters without IPv4) are supported on K3s using the ",(0,s.jsx)(n.code,{children:"--cluster-cidr"})," and ",(0,s.jsx)(n.code,{children:"--service-cidr"})," flags. This is an example of a valid configuration:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"--cluster-cidr=2001:cafe:42::/56 --service-cidr=2001:cafe:43::/112\n"})}),"\n",(0,s.jsx)(n.h2,{id:"nodes-without-a-hostname",children:"Nodes Without a Hostname"}),"\n",(0,s.jsxs)(n.p,{children:['Some cloud providers, such as Linode, will create machines with "localhost" as the hostname and others may not have a hostname set at all. This can cause problems with domain name resolution. You can run K3s with the ',(0,s.jsx)(n.code,{children:"--node-name"})," flag or ",(0,s.jsx)(n.code,{children:"K3S_NODE_NAME"})," environment variable and this will pass the node name to resolve this issue."]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}function u(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,i)=>{i.d(n,{Z:()=>a,a:()=>o});var s=i(7294);const t={},r=s.createContext(t);function o(e){const n=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:o(e.components),s.createElement(r.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9233],{6516:(e,n,i)=>{i.r(n),i.d(n,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>r,metadata:()=>a,toc:()=>d});var s=i(5893),t=i(1151);const r={title:"Basic Network Options"},o=void 0,a={id:"networking/basic-network-options",title:"Basic Network Options",description:"This page describes K3s network configuration options, including configuration or replacement of Flannel, and configuring IPv6 or dualStack.",source:"@site/docs/networking/basic-network-options.md",sourceDirName:"networking",slug:"/networking/basic-network-options",permalink:"/networking/basic-network-options",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/basic-network-options.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Basic Network Options"},sidebar:"mySidebar",previous:{title:"Networking",permalink:"/networking/"},next:{title:"Distributed hybrid or multicloud cluster",permalink:"/networking/distributed-multicloud"}},l={},d=[{value:"Flannel Options",id:"flannel-options",level:2},{value:"Migrating from wireguard or ipsec to wireguard-native",id:"migrating-from-wireguard-or-ipsec-to-wireguard-native",level:3},{value:"Custom CNI",id:"custom-cni",level:2},{value:"Control-Plane Egress Selector configuration",id:"control-plane-egress-selector-configuration",level:2},{value:"Dual-stack (IPv4 + IPv6) Networking",id:"dual-stack-ipv4--ipv6-networking",level:2},{value:"Single-stack IPv6 Networking",id:"single-stack-ipv6-networking",level:2},{value:"Nodes Without a Hostname",id:"nodes-without-a-hostname",level:2}];function c(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",h2:"h2",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components},{TabItem:i,Tabs:r}=n;return i||u("TabItem",!0),r||u("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"This page describes K3s network configuration options, including configuration or replacement of Flannel, and configuring IPv6 or dualStack."}),"\n",(0,s.jsx)(n.h2,{id:"flannel-options",children:"Flannel Options"}),"\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/flannel-io/flannel/blob/master/README.md",children:"Flannel"})," is a lightweight provider of layer 3 network fabric that implements the Kubernetes Container Network Interface (CNI). It is what is commonly referred to as a CNI Plugin."]}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"Flannel options can only be set on server nodes, and must be identical on all servers in the cluster."}),"\n",(0,s.jsxs)(n.li,{children:["The default backend for Flannel is ",(0,s.jsx)(n.code,{children:"vxlan"}),". To enable encryption, use the ",(0,s.jsx)(n.code,{children:"wireguard-native"})," backend."]}),"\n",(0,s.jsxs)(n.li,{children:["Using ",(0,s.jsx)(n.code,{children:"vxlan"})," on Rasperry Pi with recent versions of Ubuntu requires ",(0,s.jsx)(n.a,{href:"/installation/requirements?os=pi#operating-systems",children:"additional preparation"}),"."]}),"\n",(0,s.jsxs)(n.li,{children:["Using ",(0,s.jsx)(n.code,{children:"wireguard-native"})," as the Flannel backend may require additional modules on some Linux distributions. Please see the ",(0,s.jsx)(n.a,{href:"https://www.wireguard.com/install/",children:"WireGuard Install Guide"})," for details.\nThe WireGuard install steps will ensure the appropriate kernel modules are installed for your operating system.\nYou must ensure that WireGuard kernel modules are available on every node, both servers and agents, before attempting to use the WireGuard Flannel backend."]}),"\n"]}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"CLI Flag and Value"}),(0,s.jsx)(n.th,{children:"Description"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-ipv6-masq"})}),(0,s.jsxs)(n.td,{children:["Apply masquerading rules to IPv6 traffic (default for IPv4). Only applies on dual-stack or IPv6-only clusters. Compatible with any Flannel backend other than ",(0,s.jsx)(n.code,{children:"none"}),"."]})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-external-ip"})}),(0,s.jsx)(n.td,{children:"Use node external IP addresses as the destination for Flannel traffic, instead of internal IPs. Only applies when --node-external-ip is set on a node."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=vxlan"})}),(0,s.jsx)(n.td,{children:"Use VXLAN to encapsulate the packets. May require additional kernel modules on Raspberry Pi."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=host-gw"})}),(0,s.jsx)(n.td,{children:"Use IP routes to pod subnets via node IPs. Requires direct layer 2 connectivity between all nodes in the cluster."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=wireguard-native"})}),(0,s.jsx)(n.td,{children:"Use WireGuard to encapsulate and encrypt network traffic. May require additional kernel modules."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=ipsec"})}),(0,s.jsxs)(n.td,{children:["Use strongSwan IPSec via the ",(0,s.jsx)(n.code,{children:"swanctl"})," binary to encrypt network traffic. (Deprecated; will be removed in v1.27.0)"]})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"--flannel-backend=none"})}),(0,s.jsx)(n.td,{children:"Disable Flannel entirely."})]})]})]}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["K3s no longer includes strongSwan ",(0,s.jsx)(n.code,{children:"swanctl"})," and ",(0,s.jsx)(n.code,{children:"charon"})," binaries starting with the 2022-12 releases (v1.26.0+k3s1, v1.25.5+k3s1, v1.24.9+k3s1, v1.23.15+k3s1). Please install the correct packages on your node before upgrading to or installing these releases if you want to use the ",(0,s.jsx)(n.code,{children:"ipsec"})," backend."]})}),"\n",(0,s.jsxs)(n.h3,{id:"migrating-from-wireguard-or-ipsec-to-wireguard-native",children:["Migrating from ",(0,s.jsx)(n.code,{children:"wireguard"})," or ",(0,s.jsx)(n.code,{children:"ipsec"})," to ",(0,s.jsx)(n.code,{children:"wireguard-native"})]}),"\n",(0,s.jsxs)(n.p,{children:["The legacy ",(0,s.jsx)(n.code,{children:"wireguard"})," backend requires installation of the ",(0,s.jsx)(n.code,{children:"wg"})," tool on the host. This backend is not available in K3s v1.26 and higher, in favor of ",(0,s.jsx)(n.code,{children:"wireguard-native"})," backend, which directly interfaces with the kernel."]}),"\n",(0,s.jsxs)(n.p,{children:["The legacy ",(0,s.jsx)(n.code,{children:"ipsec"})," backend requires installation of the ",(0,s.jsx)(n.code,{children:"swanctl"})," and ",(0,s.jsx)(n.code,{children:"charon"})," binaries on the host. This backend is not available in K3s v1.27 and higher, in favor of the ",(0,s.jsx)(n.code,{children:"wireguard-native"})," backend."]}),"\n",(0,s.jsx)(n.p,{children:"We recommend that users migrate to the new backend as soon as possible. The migration requires a short period of downtime while nodes come up with the new configuration. You should follow these two steps:"}),"\n",(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsxs)(n.li,{children:["Update the K3s config on all server nodes. If using config files, the ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"})," should include ",(0,s.jsx)(n.code,{children:"flannel-backend: wireguard-native"})," instead of ",(0,s.jsx)(n.code,{children:"flannel-backend: wireguard"})," or ",(0,s.jsx)(n.code,{children:"flannel-backend: ipsec"}),". If you are configuring K3s via CLI flags in the systemd unit, the equivalent flags should be changed."]}),"\n",(0,s.jsx)(n.li,{children:"Reboot all nodes, starting with the servers."}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"custom-cni",children:"Custom CNI"}),"\n",(0,s.jsxs)(n.p,{children:["Start K3s with ",(0,s.jsx)(n.code,{children:"--flannel-backend=none"})," and install your CNI of choice. Most CNI plugins come with their own network policy engine, so it is recommended to set ",(0,s.jsx)(n.code,{children:"--disable-network-policy"})," as well to avoid conflicts. Some important information to take into consideration:"]}),"\n",(0,s.jsxs)(r,{queryString:"cni",children:[(0,s.jsxs)(i,{value:"Canal",default:!0,children:[(0,s.jsxs)(n.p,{children:["Visit the ",(0,s.jsx)(n.a,{href:"https://docs.tigera.io/calico/latest/getting-started/kubernetes/flannel/install-for-flannel#installing-calico-for-policy-and-flannel-aka-canal-for-networking",children:"Canal Docs"})," website. Follow the steps to install Canal. Modify the Canal YAML so that IP forwarding is allowed in the ",(0,s.jsx)(n.code,{children:"container_settings"})," section, for example:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'"container_settings": {\n "allow_ip_forwarding": true\n}\n'})}),(0,s.jsx)(n.p,{children:"Apply the Canal YAML."}),(0,s.jsx)(n.p,{children:"Ensure the settings were applied by running the following command on the host:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"cat /etc/cni/net.d/10-canal.conflist\n"})}),(0,s.jsx)(n.p,{children:"You should see that IP forwarding is set to true."})]}),(0,s.jsxs)(i,{value:"Calico",default:!0,children:[(0,s.jsxs)(n.p,{children:["Follow the ",(0,s.jsx)(n.a,{href:"https://docs.tigera.io/calico/latest/reference/configure-cni-plugins",children:"Calico CNI Plugins Guide"}),". Modify the Calico YAML so that IP forwarding is allowed in the ",(0,s.jsx)(n.code,{children:"container_settings"})," section, for example:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'"container_settings": {\n "allow_ip_forwarding": true\n}\n'})}),(0,s.jsx)(n.p,{children:"Apply the Calico YAML."}),(0,s.jsx)(n.p,{children:"Ensure the settings were applied by running the following command on the host:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"cat /etc/cni/net.d/10-calico.conflist\n"})}),(0,s.jsx)(n.p,{children:"You should see that IP forwarding is set to true."})]}),(0,s.jsxs)(i,{value:"Cilium",default:!0,children:[(0,s.jsxs)(n.p,{children:["Before running ",(0,s.jsx)(n.code,{children:"k3s-killall.sh"})," or ",(0,s.jsx)(n.code,{children:"k3s-uninstall.sh"}),", you must manually remove ",(0,s.jsx)(n.code,{children:"cilium_host"}),", ",(0,s.jsx)(n.code,{children:"cilium_net"})," and ",(0,s.jsx)(n.code,{children:"cilium_vxlan"})," interfaces. If you fail to do this, you may lose network connectivity to the host when K3s is stopped"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"ip link delete cilium_host\nip link delete cilium_net\nip link delete cilium_vxlan\n"})}),(0,s.jsx)(n.p,{children:"Additionally, iptables rules for cilium should be removed:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"iptables-save | grep -iv cilium | iptables-restore\nip6tables-save | grep -iv cilium | ip6tables-restore\n"})})]})]}),"\n",(0,s.jsx)(n.h2,{id:"control-plane-egress-selector-configuration",children:"Control-Plane Egress Selector configuration"}),"\n",(0,s.jsxs)(n.p,{children:["K3s agents and servers maintain websocket tunnels between nodes that are used to encapsulate bidirectional communication between the control-plane (apiserver) and agent (kubelet and containerd) components.\nThis allows agents to operate without exposing the kubelet and container runtime streaming ports to incoming connections, and for the control-plane to connect to cluster services when operating with the agent disabled.\nThis functionality is equivalent to the ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/extend-kubernetes/setup-konnectivity/",children:"Konnectivity"})," service commonly used on other Kubernetes distributions, and is managed via the apiserver's egress selector configuration."]}),"\n",(0,s.jsxs)(n.p,{children:["The default mode is ",(0,s.jsx)(n.code,{children:"agent"}),". ",(0,s.jsx)(n.code,{children:"pod"})," or ",(0,s.jsx)(n.code,{children:"cluster"})," modes are recommended when running ",(0,s.jsx)(n.a,{href:"/advanced#running-agentless-servers-experimental",children:"agentless servers"}),", in order to provide the apiserver with access to cluster service endpoints in the absence of flannel and kube-proxy."]}),"\n",(0,s.jsxs)(n.p,{children:["The egress selector mode may be configured on servers via the ",(0,s.jsx)(n.code,{children:"--egress-selector-mode"})," flag, and offers four modes:"]}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"disabled"}),": The apiserver does not use agent tunnels to communicate with kubelets or cluster endpoints.\nThis mode requires that servers run the kubelet, CNI, and kube-proxy, and have direct connectivity to agents, or the apiserver will not be able to access service endpoints or perform ",(0,s.jsx)(n.code,{children:"kubectl exec"})," and ",(0,s.jsx)(n.code,{children:"kubectl logs"}),"."]}),"\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"agent"})," (default): The apiserver uses agent tunnels to communicate with kubelets.\nThis mode requires that the servers also run the kubelet, CNI, and kube-proxy, or the apiserver will not be able to access service endpoints."]}),"\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"pod"}),": The apiserver uses agent tunnels to communicate with kubelets and service endpoints, routing endpoint connections to the correct agent by watching Nodes and Endpoints.",(0,s.jsx)(n.br,{}),"\n",(0,s.jsx)(n.strong,{children:"NOTE"}),": This mode will not work when using a CNI that uses its own IPAM and does not respect the node's PodCIDR allocation. ",(0,s.jsx)(n.code,{children:"cluster"})," or ",(0,s.jsx)(n.code,{children:"agent"})," mode should be used with these CNIs instead."]}),"\n",(0,s.jsxs)(n.li,{children:[(0,s.jsx)(n.code,{children:"cluster"}),": The apiserver uses agent tunnels to communicate with kubelets and service endpoints, routing endpoint connections to the correct agent by watching Pods and Endpoints. This mode has the highest portability across different cluster configurations, at the cost of increased overhead."]}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"dual-stack-ipv4--ipv6-networking",children:"Dual-stack (IPv4 + IPv6) Networking"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Experimental support is available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.21.0%2Bk3s1",children:"v1.21.0+k3s1"}),".",(0,s.jsx)(n.br,{}),"\n","Stable support is available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.23.7%2Bk3s1",children:"v1.23.7+k3s1"}),"."]})}),"\n",(0,s.jsxs)(n.admonition,{title:"Known Issue",type:"warning",children:[(0,s.jsxs)(n.p,{children:["Before 1.27, Kubernetes ",(0,s.jsx)(n.a,{href:"https://github.com/kubernetes/kubernetes/issues/111695",children:"Issue #111695"})," causes the Kubelet to ignore the node IPv6 addresses if you have a dual-stack environment and you are not using the primary network interface for cluster traffic. To avoid this bug, use 1.27 or newer or add the following flag to both K3s servers and agents:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:'--kubelet-arg="node-ip=0.0.0.0" # To proritize IPv4 traffic\n#OR\n--kubelet-arg="node-ip=::" # To proritize IPv6 traffic\n'})})]}),"\n",(0,s.jsx)(n.p,{children:"Dual-stack networking must be configured when the cluster is first created. It cannot be enabled on an existing cluster once it has been started as IPv4-only."}),"\n",(0,s.jsxs)(n.p,{children:["To enable dual-stack in K3s, you must provide valid dual-stack ",(0,s.jsx)(n.code,{children:"cluster-cidr"})," and ",(0,s.jsx)(n.code,{children:"service-cidr"})," on all server nodes. This is an example of a valid configuration:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"--cluster-cidr=10.42.0.0/16,2001:cafe:42::/56 --service-cidr=10.43.0.0/16,2001:cafe:43::/112\n"})}),"\n",(0,s.jsxs)(n.p,{children:["Note that you may configure any valid ",(0,s.jsx)(n.code,{children:"cluster-cidr"})," and ",(0,s.jsx)(n.code,{children:"service-cidr"})," values, but the above masks are recommended. If you change the ",(0,s.jsx)(n.code,{children:"cluster-cidr"})," mask, you should also change the ",(0,s.jsx)(n.code,{children:"node-cidr-mask-size-ipv4"})," and ",(0,s.jsx)(n.code,{children:"node-cidr-mask-size-ipv6"})," values to match the planned pods per node and total node count. The largest supported ",(0,s.jsx)(n.code,{children:"service-cidr"})," mask is /12 for IPv4, and /112 for IPv6. Remember to allow ipv6 traffic if you are deploying in a public cloud."]}),"\n",(0,s.jsx)(n.p,{children:"If you are using a custom CNI plugin, i.e. a CNI plugin other than Flannel, the additional configuration may be required. Please consult your plugin's dual-stack documentation and verify if network policies can be enabled."}),"\n",(0,s.jsx)(n.admonition,{title:"Known Issue",type:"warning",children:(0,s.jsx)(n.p,{children:"When defining cluster-cidr and service-cidr with IPv6 as the primary family, the node-ip of all cluster members should be explicitly set, placing node's desired IPv6 address as the first address. By default, the kubelet always uses IPv4 as the primary address family."})}),"\n",(0,s.jsx)(n.h2,{id:"single-stack-ipv6-networking",children:"Single-stack IPv6 Networking"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.22.9%2Bk3s1",children:"v1.22.9+k3s1"})]})}),"\n",(0,s.jsx)(n.admonition,{title:"Known Issue",type:"warning",children:(0,s.jsxs)(n.p,{children:["If your IPv6 default route is set by a router advertisement (RA), you will need to set the sysctl ",(0,s.jsx)(n.code,{children:"net.ipv6.conf.all.accept_ra=2"}),"; otherwise, the node will drop the default route once it expires. Be aware that accepting RAs could increase the risk of ",(0,s.jsx)(n.a,{href:"https://github.com/kubernetes/kubernetes/issues/91507",children:"man-in-the-middle attacks"}),"."]})}),"\n",(0,s.jsxs)(n.p,{children:["Single-stack IPv6 clusters (clusters without IPv4) are supported on K3s using the ",(0,s.jsx)(n.code,{children:"--cluster-cidr"})," and ",(0,s.jsx)(n.code,{children:"--service-cidr"})," flags. This is an example of a valid configuration:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"--cluster-cidr=2001:cafe:42::/56 --service-cidr=2001:cafe:43::/112\n"})}),"\n",(0,s.jsx)(n.h2,{id:"nodes-without-a-hostname",children:"Nodes Without a Hostname"}),"\n",(0,s.jsxs)(n.p,{children:['Some cloud providers, such as Linode, will create machines with "localhost" as the hostname and others may not have a hostname set at all. This can cause problems with domain name resolution. You can run K3s with the ',(0,s.jsx)(n.code,{children:"--node-name"})," flag or ",(0,s.jsx)(n.code,{children:"K3S_NODE_NAME"})," environment variable and this will pass the node name to resolve this issue."]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}function u(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,i)=>{i.d(n,{Z:()=>a,a:()=>o});var s=i(7294);const t={},r=s.createContext(t);function o(e){const n=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:o(e.components),s.createElement(r.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/0759a3f5.61f27b73.js b/assets/js/0759a3f5.01299847.js
similarity index 99%
rename from assets/js/0759a3f5.61f27b73.js
rename to assets/js/0759a3f5.01299847.js
index 69ad66fa9..3b81a75e3 100644
--- a/assets/js/0759a3f5.61f27b73.js
+++ b/assets/js/0759a3f5.01299847.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2409],{2714:(e,s,i)=>{i.r(s),i.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>a,frontMatter:()=>n,metadata:()=>h,toc:()=>o});var r=i(5893),t=i(1151);const n={hide_table_of_contents:!0,sidebar_position:2},l="v1.29.X",h={id:"release-notes/v1.29.X",title:"v1.29.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.29.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.29.X",permalink:"/release-notes/v1.29.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.29.X.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,sidebarPosition:2,frontMatter:{hide_table_of_contents:!0,sidebar_position:2},sidebar:"mySidebar",previous:{title:"v1.30.X",permalink:"/release-notes/v1.30.X"},next:{title:"v1.28.X",permalink:"/release-notes/v1.28.X"}},c={},o=[{value:"Release v1.29.7+k3s1",id:"release-v1297k3s1",level:2},{value:"Changes since v1.29.6+k3s2:",id:"changes-since-v1296k3s2",level:3},{value:"Release v1.29.6+k3s2",id:"release-v1296k3s2",level:2},{value:"Changes since v1.29.6+k3s1:",id:"changes-since-v1296k3s1",level:3},{value:"Release v1.29.6+k3s1",id:"release-v1296k3s1",level:2},{value:"Changes since v1.29.5+k3s1:",id:"changes-since-v1295k3s1",level:3},{value:"Release v1.29.5+k3s1",id:"release-v1295k3s1",level:2},{value:"Changes since v1.29.4+k3s1:",id:"changes-since-v1294k3s1",level:3},{value:"Release v1.29.4+k3s1",id:"release-v1294k3s1",level:2},{value:"Changes since v1.29.3+k3s1:",id:"changes-since-v1293k3s1",level:3},{value:"Release v1.29.3+k3s1",id:"release-v1293k3s1",level:2},{value:"Changes since v1.29.2+k3s1:",id:"changes-since-v1292k3s1",level:3},{value:"Release v1.29.2+k3s1",id:"release-v1292k3s1",level:2},{value:"Changes since v1.29.1+k3s2:",id:"changes-since-v1291k3s2",level:3},{value:"Release v1.29.1+k3s2",id:"release-v1291k3s2",level:2},{value:"Changes since v1.29.0+k3s1:",id:"changes-since-v1290k3s1",level:3},{value:"Release v1.29.0+k3s1",id:"release-v1290k3s1",level:2},{value:"Changes since v1.28.4+k3s2:",id:"changes-since-v1284k3s2",level:3}];function d(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.header,{children:(0,r.jsx)(s.h1,{id:"v129x",children:"v1.29.X"})}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1297k3s1",children:"v1.29.7+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 31 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1297",children:"v1.29.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.11",children:"v0.11.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.28",children:"v0.0.28"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1296k3s2",children:"v1.29.6+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 03 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1296",children:"v1.29.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12-"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1296k3s1",children:"v1.29.6+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1296",children:"v1.29.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.2",children:"v0.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1295k3s1",children:"v1.29.5+k3s1"})}),(0,r.jsx)(s.td,{children:"May 22 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1295",children:"v1.29.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1294k3s1",children:"v1.29.4+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1294",children:"v1.29.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1293k3s1",children:"v1.29.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1293",children:"v1.29.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1292k3s1",children:"v1.29.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Feb 29 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1292",children:"v1.29.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1291k3s2",children:"v1.29.1+k3s2"})}),(0,r.jsx)(s.td,{children:"Feb 06 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1291",children:"v1.29.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.0",children:"v0.24.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1290k3s1",children:"v1.29.0+k3s1"})}),(0,r.jsx)(s.td,{children:"Dec 22 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1290",children:"v1.29.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.10",children:"v1.1.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.0",children:"v0.24.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1297k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.7+k3s1",children:"v1.29.7+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1296",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1296k3s2",children:"Changes since v1.29.6+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-07 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10498",children:"(#10498)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump k3s-root to v0.14.0"}),"\n",(0,r.jsx)(s.li,{children:"Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7"}),"\n",(0,r.jsx)(s.li,{children:"Bump Local Path Provisioner version"}),"\n",(0,r.jsx)(s.li,{children:"Ensure remotedialer kubelet connections use kubelet bind address"}),"\n",(0,r.jsx)(s.li,{children:"Chore: Bump Trivy version"}),"\n",(0,r.jsx)(s.li,{children:"Add etcd s3 config secret implementation"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["July Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10508",children:"(#10508)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.7-k3s1 and Go 1.22.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10539",children:"(#10539)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues loading data-dir value from env vars or dropping config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10597",children:"(#10597)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1296k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.6+k3s2",children:"v1.29.6+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1296",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1296k3s1",children:"Changes since v1.29.6+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.25.4 and fixed issue with IPv6 mask ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10427",children:"(#10427)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1296k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.6+k3s1",children:"v1.29.6+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1295",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1295k3s1",children:"Changes since v1.29.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using tailscale config by file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10142",children:"(#10142)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version to v0.25.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10220",children:"(#10220)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router version to v2.1.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10181",children:"(#10181)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale test & add extra log in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10212",children:"(#10212)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10249",children:"(#10249)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add WithSkipMissing to not fail import on missing blobs"}),"\n",(0,r.jsx)(s.li,{children:"Use fixed stream server bind address for cri-dockerd"}),"\n",(0,r.jsx)(s.li,{children:"Switch stargz over to cri registry config_path"}),"\n",(0,r.jsx)(s.li,{children:"Bump to containerd v1.7.17, etcd v3.5.13"}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel version"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with externalTrafficPolicy: Local for single-stack services on dual-stack nodes"}),"\n",(0,r.jsxs)(s.li,{children:["ServiceLB now sets the priorityClassName on svclb pods to ",(0,r.jsx)(s.code,{children:"system-node-critical"})," by default. This can be overridden on a per-service basis via the ",(0,r.jsx)(s.code,{children:"svccontroller.k3s.cattle.io/priorityclassname"})," annotation."]}),"\n",(0,r.jsx)(s.li,{children:"Bump minio-go to v7.0.70"}),"\n",(0,r.jsx)(s.li,{children:"Bump kine to v0.11.9 to fix pagination"}),"\n",(0,r.jsx)(s.li,{children:"Update valid resolv conf"}),"\n",(0,r.jsx)(s.li,{children:"Add missing kernel config check"}),"\n",(0,r.jsx)(s.li,{children:"Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)"}),"\n",(0,r.jsx)(s.li,{children:"Fix bug: allow helm controller set owner reference"}),"\n",(0,r.jsx)(s.li,{children:"Bump klipper-helm image for tls secret support"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with k3s-etcd informers not starting"}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Enable-pprof"})," can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Supervisor-metrics"})," can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port."]}),"\n",(0,r.jsx)(s.li,{children:"Fix netpol crash when node remains tainted uninitialized"}),"\n",(0,r.jsx)(s.li,{children:"The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["More backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10288",children:"(#10288)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot retention etcd-s3-folder fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10316",children:"(#10316)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for ",(0,r.jsx)(s.code,{children:"isValidResolvConf"})," (#10302) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10329",children:"(#10329)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix race condition panic in loadbalancer.nextServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10322",children:"(#10322)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo, use ",(0,r.jsx)(s.code,{children:"rancher/permissions"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10298",children:"(#10298)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Expand GHA go caching to include newest release branch ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10334",children:"(#10334)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.29.6 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10348",children:"(#10348)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix agent supervisor port using apiserver port instead ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10354",children:"(#10354)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue that allowed multiple simultaneous snapshots to be allowed ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10376",children:"(#10376)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1295k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.5+k3s1",children:"v1.29.5+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.5, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1294",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1294k3s1",children:"Changes since v1.29.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.29.4+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10031",children:"(#10031)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add E2E Split Server to Drone, support parallel testing in Drone ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9940",children:"(#9940)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump E2E opensuse leap to 15.6, fix btrfs test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10057",children:"(#10057)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ruby function ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10091",children:"(#10091)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Set correct release channel for e2e upgrade test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10106",children:"(#10106)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Windows changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10115",children:"(#10115)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.5-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10108",children:"(#10108)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1294k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.4+k3s1",children:"v1.29.4+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.4, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1293",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1293k3s1",children:"Changes since v1.29.3+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Send error response if member list cannot be retrieved ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9722",children:"(#9722)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Respect cloud-provider fields set by kubelet ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9721",children:"(#9721)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The k3s stub cloud provider now respects the kubelet's requested provider-id, instance type, and topology labels"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix error when image has already been pulled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9770",children:"(#9770)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add a new error when kine is with disable apiserver or disable etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9766",children:"(#9766)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump k3s-root to v0.13.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9718",children:"(#9718)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ubuntu latest for better golang caching keys ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9711",children:"(#9711)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9780",children:"(#9780)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move to ubuntu 23.10 for E2E tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9755",children:"(#9755)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel server ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9808",children:"(#9808)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add /etc/passwd and /etc/group to k3s docker image ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9784",children:"(#9784)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd snapshot reconcile for agentless servers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9809",children:"(#9809)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add health-check support to loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9757",children:"(#9757)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add tls for kine ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9572",children:"(#9572)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Kine is now able to use TLS"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Transition from deprecated pointer library to ptr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9801",children:"(#9801)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove old pinned dependencies ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9806",children:"(#9806)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Several E2E Matrix improvements ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9802",children:"(#9802)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add certificate expiry check, events, and metrics ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9772",children:"(#9772)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add updatecli policy to update k3s-root ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9844",children:"(#9844)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9840",children:"(#9840)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add workaround for containerd hosts.toml bug when passing config for default registry endpoint ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9853",children:"(#9853)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: agent volume in example docker compose ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9838",children:"(#9838)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel to v0.0.20-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9863",children:"(#9863)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add supervisor cert/key to rotate list ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9832",children:"(#9832)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add quotes to avoid useless updatecli updates ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9877",children:"(#9877)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd and cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9886",children:"(#9886)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded containerd has been bumped to v1.7.15"}),"\n",(0,r.jsx)(s.li,{children:"The embedded cri-dockerd has been bumped to v0.3.12"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Move etcd snapshot management CLI to request/response ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9816",children:"(#9816)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})," command has been reworked for improved consistency. All snapshots operations are now performed by the server process, with the CLI acting as a client to initiate and report results. As a side effect, the CLI is now less noisy when managing snapshots."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve etcd load-balancer startup behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9883",children:"(#9883)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Actually fix agent certificate rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9902",children:"(#9902)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump latest to v1.29.3+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9909",children:"(#9909)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update packaged manifests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9920",children:"(#9920)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Traefik has been bumped to v2.10.7."}),"\n",(0,r.jsx)(s.li,{children:"Traefik pod annotations are now set properly in the default chart values."}),"\n",(0,r.jsx)(s.li,{children:"The system-default-registry value now supports RFC2732 IPv6 literals."}),"\n",(0,r.jsxs)(s.li,{children:["The local-path provisioner now defaults to creating ",(0,r.jsx)(s.code,{children:"local"})," volumes, instead of ",(0,r.jsx)(s.code,{children:"hostPath"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Allow Local path provisioner to read helper logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9835",children:"(#9835)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router to v2.1.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9926",children:"(#9926)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Match setup-go caching key in GitHub Actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9890",children:"(#9890)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add startup testlet on preloaded images ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9941",children:"(#9941)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.4-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9960",children:"(#9960)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix on-demand snapshots timing out; not honoring folder ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9984",children:"(#9984)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Make ",(0,r.jsx)(s.code,{children:"/db/info"})," available anonymously from localhost ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10001",children:"(#10001)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1293k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.3+k3s1",children:"v1.29.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1292",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1292k3s1",children:"Changes since v1.29.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Testing ADR ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9562",children:"(#9562)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Unit Testing Matrix and Actions bump ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9479",children:"(#9479)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update install test OS matrix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9480",children:"(#9480)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update klipper-lb image version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9488",children:"(#9488)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add an integration test for flannel-backend=none ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9582",children:"(#9582)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Better GitHub CI caching strategy for golang ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9495",children:"(#9495)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Correct formatting of GH PR sha256sum artifact ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9472",children:"(#9472)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Rootless mode also bind service nodePort to host for LoadBalancer type ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9512",children:"(#9512)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix coredns NodeHosts on dual-stack clusters ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9584",children:"(#9584)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Tweak netpol node wait logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9581",children:"(#9581)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with etcd node name missing hostname ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9522",children:"(#9522)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller/klipper-helm versions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9595",children:"(#9595)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.28.7+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9615",children:"(#9615)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Reenable Install and Snapshotter Testing ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9601",children:"(#9601)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move docker tests into tests folder ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9555",children:"(#9555)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix setup-go typo ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9634",children:"(#9634)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix additional corner cases in registries handling ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9556",children:"(#9556)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix snapshot prune ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9502",children:"(#9502)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use and version flannel/cni-plugin properly ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9635",children:"(#9635)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9599",children:"(#9599)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump spegel to v0.0.18-k3s3"}),"\n",(0,r.jsx)(s.li,{children:"Adds wildcard registry support"}),"\n",(0,r.jsx)(s.li,{children:"Fixes issue with excessive CPU utilization while waiting for containerd to start"}),"\n",(0,r.jsx)(s.li,{children:"Add env var to allow spegel mirroring of latest tag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Chore(deps): Remediating CVEs found by trivy; CVE-2023-45142 on otelrestful and CVE-2023-48795 on golang.org/x/crypto ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9513",children:"(#9513)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: use correct wasm shims names ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9519",children:"(#9519)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wildcard with embedded registry test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9649",children:"(#9649)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Disable color outputs using ",(0,r.jsx)(s.code,{children:"NO_COLOR"})," env var ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9357",children:"(#9357)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["To enable raw output for the ",(0,r.jsx)(s.code,{children:"check-config"})," subcommand, you may now set NO_COLOR=1"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9586",children:"(#9586)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust first node-ip based on configured clusterCIDR ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9520",children:"(#9520)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9528",children:"(#9528)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Include flannel version in flannel cni plugin version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9648",children:"(#9648)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The flannel controller version is now reported as build metadata on the flannel cni plugin version."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Enable E2E tests on GitHub Actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9660",children:"(#9660)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump metrics-server to v0.7.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9673",children:"(#9673)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump upload and download actions to v4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9666",children:"(#9666)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Warn and suppress duplicate registry mirror endpoints ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9697",children:"(#9697)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove repetitive words ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9671",children:"(#9671)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Run Subset of Docker tests in GitHub Actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9698",children:"(#9698)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wildcard entry upstream fallback ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9729",children:"(#9729)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.3-k3s1 and Go 1.21.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9747",children:"(#9747)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1292k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.2+k3s1",children:"v1.29.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1291",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1291k3s2",children:"Changes since v1.29.1+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump Local Path Provisioner version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8953",children:"(#8953)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ability to install K3s PR Artifact from GitHub ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9185",children:"(#9185)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Adds ",(0,r.jsx)(s.code,{children:"INSTALL_K3S_PR"})," option to install a build of K3s from any open PR with CI approval"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9237",children:"(#9237)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump codecov/codecov-action from 3 to 4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9353",children:"(#9353)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9388",children:"(#9388)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix snapshot reconcile retry ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9318",children:"(#9318)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add check for etcd-snapshot-dir and fix panic in Walk ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9317",children:"(#9317)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump CNI plugins to v1.4.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9249",children:"(#9249)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with coredns node hosts controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9354",children:"(#9354)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed issue that could cause coredns pods to fail to start when the embedded helm controller is disabled, due to the configmap not being updated with node hosts entries."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix on-demand snapshots on ipv6-only nodes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9247",children:"(#9247)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9395",children:"(#9395)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped flannel to v0.24.2"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Build: Align drone base images ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8959",children:"(#8959)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Changed how lastHeartBeatTime works in the etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9263",children:"(#9263)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Runtimes refactor using exec.LookPath ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9311",children:"(#9311)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd to fix compat with Docker Engine 25 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9290",children:"(#9290)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add codcov secret for integration tests on Push ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9422",children:"(#9422)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow executors to define ",(0,r.jsx)(s.code,{children:"containerd"})," and ",(0,r.jsx)(s.code,{children:"cridockerd"})," behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9184",children:"(#9184)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kube-router to v2.0.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9396",children:"(#9396)"})]}),"\n",(0,r.jsxs)(s.li,{children:[": Test_UnitApplyContainerdQoSClassConfigFileIfPresent (Created) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8945",children:"(#8945)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Readd ",(0,r.jsx)(s.code,{children:"k3s secrets-encrypt rotate-keys"})," with correct support for KMSv2 GA ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9340",children:"(#9340)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix iptables check when sbin isn't in user PATH ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9344",children:"(#9344)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Don't create NodePasswordValidationFailed event if agent is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9312",children:"(#9312)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"NodePasswordValidationFailed"})," Events will no longer be emitted, if the agent is disabled."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Expose rootless state dir under ~/.rancher/k3s/rootless ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9308",children:"(#9308)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["When running k3s in rootless mode, expose rootlesskit's state directory as ",(0,r.jsx)(s.code,{children:"~/.rancher/k3s/rootless"})]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Expose rootless containerd socket directories for external access ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9309",children:"(#9309)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Mount k3s rootless containerd & cri-dockerd socket directories to ",(0,r.jsx)(s.code,{children:"$XDG_RUNTIME_DIR/k3s/containerd"})," and ",(0,r.jsx)(s.code,{children:"$XDG_RUNTIME_DIR/k3s/cri-dockerd"})," respectively."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine and set NotifyInterval to what the apiserver expects ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9349",children:"(#9349)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.29.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9493",children:"(#9493)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix drone publish for arm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9503",children:"(#9503)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove failing Drone step ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9517",children:"(#9517)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Restore original order of agent startup functions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9539",children:"(#9539)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix netpol startup when flannel is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9571",children:"(#9571)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1291k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.1+k3s2",children:"v1.29.1+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.1, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1290",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.p,{children:(0,r.jsx)(s.strong,{children:"Important Notes"})}),"\n",(0,r.jsxs)(s.p,{children:["Addresses the runc CVE: ",(0,r.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2024-21626",children:"CVE-2024-21626"})," by updating runc to v1.1.12."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1290k3s1",children:"Changes since v1.29.0+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump Sonobuoy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8910",children:"(#8910)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump actions/setup-go from 4 to 5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9036",children:"(#9036)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Chore: Update Code of Conduct to Redirect to CNCF CoC ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9104",children:"(#9104)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"NONE"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.28.5+k3s1 and add v1.29 channel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9110",children:"(#9110)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9070",children:"(#9070)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables are now taken into account by the agent loadbalancer if K3S_AGENT_HTTP_PROXY_ALLOWED env variable is set to true."}),"\n",(0,r.jsxs)(s.li,{children:["This however doesn't affect local requests as the function used prevents that: ",(0,r.jsx)(s.a,{href:"https://pkg.go.dev/net/http#ProxyFromEnvironment",children:"https://pkg.go.dev/net/http#ProxyFromEnvironment"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add a retry around updating a secrets-encrypt node annotations ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9039",children:"(#9039)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Silence SELinux warning on INSTALL_K3S_SKIP_SELINUX_RPM ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8703",children:"(#8703)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ServiceLB support for PodHostIPs FeatureGate ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8917",children:"(#8917)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9118",children:"(#9118)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Redirect error stream to null when checking nm-cloud systemd unit ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8815",children:"(#8815)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:'Remove confusing "nm-cloud-setup.service: No such file or directory" journalctl log'}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Dockerfile.dapper: set $HOME properly ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9090",children:"(#9090)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add system-agent-installer-k3s step to GA release instructions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9153",children:"(#9153)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix install script checksum ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9159",children:"(#9159)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix the OTHER etcd snapshot s3 log message that prints the wrong variable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8944",children:"(#8944)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Handle logging flags when parsing kube-proxy args ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8916",children:"(#8916)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix nil map in full snapshot configmap reconcile ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9049",children:"(#9049)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add support for containerd cri registry config_path ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8973",children:"(#8973)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add more paths to crun runtime detection ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9086",children:"(#9086)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add runtime checking of golang version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9054",children:"(#9054)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix OS PRETTY_NAME on tagged releases ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9062",children:"(#9062)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Print error when downloading file error inside install script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6874",children:"(#6874)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for cloud-provider taint to be gone before starting the netpol controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9076",children:"(#9076)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8812",children:"(#8812)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"ipFamilyPolicy: RequireDualStack"})," for dual-stack kube-dns ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8984",children:"(#8984)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Handle etcd status condition when node is not ready and disable etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9084",children:"(#9084)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update s3 e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9025",children:"(#9025)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add e2e startup test for rootless k3s ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8383",children:"(#8383)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add spegel distributed registry mirror ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8977",children:"(#8977)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump quic-go for CVE-2023-49295 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9208",children:"(#9208)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable network policy controller metrics ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9195",children:"(#9195)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Kube-router network policy controller metrics are now exposed via the default node metrics endpoint"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix nonexistent dependency repositories ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9213",children:"(#9213)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move proxy dialer out of init() and fix crash when using ",(0,r.jsx)(s.code,{children:"K3S_AGENT_HTTP_PROXY_ALLOWED=true"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9219",children:"(#9219)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Error getting node in setEtcdStatusCondition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9210",children:"(#9210)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.1 and Go 1.21.6 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9259",children:"(#9259)"})]}),"\n",(0,r.jsxs)(s.li,{children:["New stale action ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9278",children:"(#9278)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix handling of bare hostname or IP as endpoint address in registries.yaml ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9323",children:"(#9323)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump runc to v1.1.12 and helm-controller to v0.15.7 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9332",children:"(#9332)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller to fix issue with ChartContent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9345",children:"(#9345)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1290k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.0+k3s1",children:"v1.29.0+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.29 line. This release updates Kubernetes to v1.29.0."}),"\n",(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release removes the experimental ",(0,r.jsx)(s.code,{children:"rotate-keys"})," subcommand due to changes in Kubernetes upstream for ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/issues/117728",children:"KMSv2"}),", the subcommand should be added back in future releases."]})}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release also removes the ",(0,r.jsx)(s.code,{children:"multi-cluster-cidr"})," flag, since the support for this alpha feature has been removed completely from ",(0,r.jsx)(s.a,{href:"https://groups.google.com/g/kubernetes-sig-network/c/nts1xEZ--gQ/m/2aTOUNFFAAAJ",children:"Kubernetes upstream"}),", this flag should be removed from the configuration before upgrade."]})}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1284k3s2",children:"Changes since v1.28.4+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix overlapping address range ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8913",children:"(#8913)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Modify CONTRIBUTING.md guide ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8954",children:"(#8954)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Nov 2023 stable channel update ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9022",children:"(#9022)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Default runtime and runtime classes for wasm/nvidia/crun ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8936",children:"(#8936)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Added runtime classes for wasm/nvidia/crun"}),"\n",(0,r.jsx)(s.li,{children:"Added default runtime flag for containerd"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.10-k3s1/v1.1.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8962",children:"(#8962)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow setting default-runtime on servers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9027",children:"(#9027)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9040",children:"(#9040)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove GA feature-gates ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8970",children:"(#8970)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Only publish to code_cov on merged E2E builds ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9051",children:"(#9051)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.29.0+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9052",children:"(#9052)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.24.0 and remove multiclustercidr flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9075",children:"(#9075)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove rotate-keys subcommand ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9079",children:"(#9079)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function a(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(d,{...e})}):d(e)}},1151:(e,s,i)=>{i.d(s,{Z:()=>h,a:()=>l});var r=i(7294);const t={},n=r.createContext(t);function l(e){const s=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(n.Provider,{value:s},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2409],{2714:(e,s,i)=>{i.r(s),i.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>a,frontMatter:()=>n,metadata:()=>h,toc:()=>o});var r=i(5893),t=i(1151);const n={hide_table_of_contents:!0,sidebar_position:2},l="v1.29.X",h={id:"release-notes/v1.29.X",title:"v1.29.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.29.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.29.X",permalink:"/release-notes/v1.29.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.29.X.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,sidebarPosition:2,frontMatter:{hide_table_of_contents:!0,sidebar_position:2},sidebar:"mySidebar",previous:{title:"v1.30.X",permalink:"/release-notes/v1.30.X"},next:{title:"v1.28.X",permalink:"/release-notes/v1.28.X"}},c={},o=[{value:"Release v1.29.7+k3s1",id:"release-v1297k3s1",level:2},{value:"Changes since v1.29.6+k3s2:",id:"changes-since-v1296k3s2",level:3},{value:"Release v1.29.6+k3s2",id:"release-v1296k3s2",level:2},{value:"Changes since v1.29.6+k3s1:",id:"changes-since-v1296k3s1",level:3},{value:"Release v1.29.6+k3s1",id:"release-v1296k3s1",level:2},{value:"Changes since v1.29.5+k3s1:",id:"changes-since-v1295k3s1",level:3},{value:"Release v1.29.5+k3s1",id:"release-v1295k3s1",level:2},{value:"Changes since v1.29.4+k3s1:",id:"changes-since-v1294k3s1",level:3},{value:"Release v1.29.4+k3s1",id:"release-v1294k3s1",level:2},{value:"Changes since v1.29.3+k3s1:",id:"changes-since-v1293k3s1",level:3},{value:"Release v1.29.3+k3s1",id:"release-v1293k3s1",level:2},{value:"Changes since v1.29.2+k3s1:",id:"changes-since-v1292k3s1",level:3},{value:"Release v1.29.2+k3s1",id:"release-v1292k3s1",level:2},{value:"Changes since v1.29.1+k3s2:",id:"changes-since-v1291k3s2",level:3},{value:"Release v1.29.1+k3s2",id:"release-v1291k3s2",level:2},{value:"Changes since v1.29.0+k3s1:",id:"changes-since-v1290k3s1",level:3},{value:"Release v1.29.0+k3s1",id:"release-v1290k3s1",level:2},{value:"Changes since v1.28.4+k3s2:",id:"changes-since-v1284k3s2",level:3}];function d(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.header,{children:(0,r.jsx)(s.h1,{id:"v129x",children:"v1.29.X"})}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1297k3s1",children:"v1.29.7+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 31 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1297",children:"v1.29.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.11",children:"v0.11.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.28",children:"v0.0.28"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1296k3s2",children:"v1.29.6+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 03 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1296",children:"v1.29.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12-"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1296k3s1",children:"v1.29.6+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1296",children:"v1.29.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.2",children:"v0.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1295k3s1",children:"v1.29.5+k3s1"})}),(0,r.jsx)(s.td,{children:"May 22 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1295",children:"v1.29.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1294k3s1",children:"v1.29.4+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1294",children:"v1.29.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1293k3s1",children:"v1.29.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1293",children:"v1.29.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1292k3s1",children:"v1.29.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Feb 29 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1292",children:"v1.29.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1291k3s2",children:"v1.29.1+k3s2"})}),(0,r.jsx)(s.td,{children:"Feb 06 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1291",children:"v1.29.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.0",children:"v0.24.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.29.X#release-v1290k3s1",children:"v1.29.0+k3s1"})}),(0,r.jsx)(s.td,{children:"Dec 22 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1290",children:"v1.29.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.10",children:"v1.1.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.0",children:"v0.24.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1297k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.7+k3s1",children:"v1.29.7+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1296",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1296k3s2",children:"Changes since v1.29.6+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-07 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10498",children:"(#10498)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump k3s-root to v0.14.0"}),"\n",(0,r.jsx)(s.li,{children:"Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7"}),"\n",(0,r.jsx)(s.li,{children:"Bump Local Path Provisioner version"}),"\n",(0,r.jsx)(s.li,{children:"Ensure remotedialer kubelet connections use kubelet bind address"}),"\n",(0,r.jsx)(s.li,{children:"Chore: Bump Trivy version"}),"\n",(0,r.jsx)(s.li,{children:"Add etcd s3 config secret implementation"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["July Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10508",children:"(#10508)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.7-k3s1 and Go 1.22.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10539",children:"(#10539)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues loading data-dir value from env vars or dropping config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10597",children:"(#10597)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1296k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.6+k3s2",children:"v1.29.6+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1296",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1296k3s1",children:"Changes since v1.29.6+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.25.4 and fixed issue with IPv6 mask ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10427",children:"(#10427)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1296k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.6+k3s1",children:"v1.29.6+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1295",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1295k3s1",children:"Changes since v1.29.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using tailscale config by file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10142",children:"(#10142)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version to v0.25.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10220",children:"(#10220)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router version to v2.1.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10181",children:"(#10181)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale test & add extra log in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10212",children:"(#10212)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10249",children:"(#10249)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add WithSkipMissing to not fail import on missing blobs"}),"\n",(0,r.jsx)(s.li,{children:"Use fixed stream server bind address for cri-dockerd"}),"\n",(0,r.jsx)(s.li,{children:"Switch stargz over to cri registry config_path"}),"\n",(0,r.jsx)(s.li,{children:"Bump to containerd v1.7.17, etcd v3.5.13"}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel version"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with externalTrafficPolicy: Local for single-stack services on dual-stack nodes"}),"\n",(0,r.jsxs)(s.li,{children:["ServiceLB now sets the priorityClassName on svclb pods to ",(0,r.jsx)(s.code,{children:"system-node-critical"})," by default. This can be overridden on a per-service basis via the ",(0,r.jsx)(s.code,{children:"svccontroller.k3s.cattle.io/priorityclassname"})," annotation."]}),"\n",(0,r.jsx)(s.li,{children:"Bump minio-go to v7.0.70"}),"\n",(0,r.jsx)(s.li,{children:"Bump kine to v0.11.9 to fix pagination"}),"\n",(0,r.jsx)(s.li,{children:"Update valid resolv conf"}),"\n",(0,r.jsx)(s.li,{children:"Add missing kernel config check"}),"\n",(0,r.jsx)(s.li,{children:"Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)"}),"\n",(0,r.jsx)(s.li,{children:"Fix bug: allow helm controller set owner reference"}),"\n",(0,r.jsx)(s.li,{children:"Bump klipper-helm image for tls secret support"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with k3s-etcd informers not starting"}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Enable-pprof"})," can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Supervisor-metrics"})," can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port."]}),"\n",(0,r.jsx)(s.li,{children:"Fix netpol crash when node remains tainted uninitialized"}),"\n",(0,r.jsx)(s.li,{children:"The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["More backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10288",children:"(#10288)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot retention etcd-s3-folder fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10316",children:"(#10316)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for ",(0,r.jsx)(s.code,{children:"isValidResolvConf"})," (#10302) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10329",children:"(#10329)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix race condition panic in loadbalancer.nextServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10322",children:"(#10322)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo, use ",(0,r.jsx)(s.code,{children:"rancher/permissions"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10298",children:"(#10298)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Expand GHA go caching to include newest release branch ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10334",children:"(#10334)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.29.6 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10348",children:"(#10348)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix agent supervisor port using apiserver port instead ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10354",children:"(#10354)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue that allowed multiple simultaneous snapshots to be allowed ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10376",children:"(#10376)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1295k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.5+k3s1",children:"v1.29.5+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.5, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1294",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1294k3s1",children:"Changes since v1.29.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.29.4+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10031",children:"(#10031)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add E2E Split Server to Drone, support parallel testing in Drone ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9940",children:"(#9940)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump E2E opensuse leap to 15.6, fix btrfs test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10057",children:"(#10057)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ruby function ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10091",children:"(#10091)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Set correct release channel for e2e upgrade test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10106",children:"(#10106)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Windows changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10115",children:"(#10115)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.5-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10108",children:"(#10108)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1294k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.4+k3s1",children:"v1.29.4+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.4, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1293",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1293k3s1",children:"Changes since v1.29.3+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Send error response if member list cannot be retrieved ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9722",children:"(#9722)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Respect cloud-provider fields set by kubelet ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9721",children:"(#9721)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The k3s stub cloud provider now respects the kubelet's requested provider-id, instance type, and topology labels"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix error when image has already been pulled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9770",children:"(#9770)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add a new error when kine is with disable apiserver or disable etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9766",children:"(#9766)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump k3s-root to v0.13.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9718",children:"(#9718)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ubuntu latest for better golang caching keys ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9711",children:"(#9711)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9780",children:"(#9780)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move to ubuntu 23.10 for E2E tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9755",children:"(#9755)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel server ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9808",children:"(#9808)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add /etc/passwd and /etc/group to k3s docker image ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9784",children:"(#9784)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd snapshot reconcile for agentless servers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9809",children:"(#9809)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add health-check support to loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9757",children:"(#9757)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add tls for kine ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9572",children:"(#9572)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Kine is now able to use TLS"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Transition from deprecated pointer library to ptr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9801",children:"(#9801)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove old pinned dependencies ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9806",children:"(#9806)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Several E2E Matrix improvements ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9802",children:"(#9802)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add certificate expiry check, events, and metrics ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9772",children:"(#9772)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add updatecli policy to update k3s-root ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9844",children:"(#9844)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9840",children:"(#9840)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add workaround for containerd hosts.toml bug when passing config for default registry endpoint ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9853",children:"(#9853)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: agent volume in example docker compose ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9838",children:"(#9838)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel to v0.0.20-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9863",children:"(#9863)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add supervisor cert/key to rotate list ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9832",children:"(#9832)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add quotes to avoid useless updatecli updates ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9877",children:"(#9877)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd and cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9886",children:"(#9886)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded containerd has been bumped to v1.7.15"}),"\n",(0,r.jsx)(s.li,{children:"The embedded cri-dockerd has been bumped to v0.3.12"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Move etcd snapshot management CLI to request/response ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9816",children:"(#9816)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})," command has been reworked for improved consistency. All snapshots operations are now performed by the server process, with the CLI acting as a client to initiate and report results. As a side effect, the CLI is now less noisy when managing snapshots."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve etcd load-balancer startup behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9883",children:"(#9883)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Actually fix agent certificate rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9902",children:"(#9902)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump latest to v1.29.3+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9909",children:"(#9909)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update packaged manifests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9920",children:"(#9920)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Traefik has been bumped to v2.10.7."}),"\n",(0,r.jsx)(s.li,{children:"Traefik pod annotations are now set properly in the default chart values."}),"\n",(0,r.jsx)(s.li,{children:"The system-default-registry value now supports RFC2732 IPv6 literals."}),"\n",(0,r.jsxs)(s.li,{children:["The local-path provisioner now defaults to creating ",(0,r.jsx)(s.code,{children:"local"})," volumes, instead of ",(0,r.jsx)(s.code,{children:"hostPath"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Allow Local path provisioner to read helper logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9835",children:"(#9835)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router to v2.1.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9926",children:"(#9926)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Match setup-go caching key in GitHub Actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9890",children:"(#9890)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add startup testlet on preloaded images ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9941",children:"(#9941)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.4-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9960",children:"(#9960)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix on-demand snapshots timing out; not honoring folder ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9984",children:"(#9984)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Make ",(0,r.jsx)(s.code,{children:"/db/info"})," available anonymously from localhost ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10001",children:"(#10001)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1293k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.3+k3s1",children:"v1.29.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1292",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1292k3s1",children:"Changes since v1.29.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Testing ADR ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9562",children:"(#9562)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Unit Testing Matrix and Actions bump ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9479",children:"(#9479)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update install test OS matrix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9480",children:"(#9480)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update klipper-lb image version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9488",children:"(#9488)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add an integration test for flannel-backend=none ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9582",children:"(#9582)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Better GitHub CI caching strategy for golang ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9495",children:"(#9495)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Correct formatting of GH PR sha256sum artifact ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9472",children:"(#9472)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Rootless mode also bind service nodePort to host for LoadBalancer type ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9512",children:"(#9512)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix coredns NodeHosts on dual-stack clusters ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9584",children:"(#9584)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Tweak netpol node wait logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9581",children:"(#9581)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with etcd node name missing hostname ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9522",children:"(#9522)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller/klipper-helm versions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9595",children:"(#9595)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.28.7+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9615",children:"(#9615)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Reenable Install and Snapshotter Testing ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9601",children:"(#9601)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move docker tests into tests folder ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9555",children:"(#9555)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix setup-go typo ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9634",children:"(#9634)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix additional corner cases in registries handling ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9556",children:"(#9556)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix snapshot prune ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9502",children:"(#9502)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use and version flannel/cni-plugin properly ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9635",children:"(#9635)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9599",children:"(#9599)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump spegel to v0.0.18-k3s3"}),"\n",(0,r.jsx)(s.li,{children:"Adds wildcard registry support"}),"\n",(0,r.jsx)(s.li,{children:"Fixes issue with excessive CPU utilization while waiting for containerd to start"}),"\n",(0,r.jsx)(s.li,{children:"Add env var to allow spegel mirroring of latest tag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Chore(deps): Remediating CVEs found by trivy; CVE-2023-45142 on otelrestful and CVE-2023-48795 on golang.org/x/crypto ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9513",children:"(#9513)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: use correct wasm shims names ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9519",children:"(#9519)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wildcard with embedded registry test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9649",children:"(#9649)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Disable color outputs using ",(0,r.jsx)(s.code,{children:"NO_COLOR"})," env var ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9357",children:"(#9357)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["To enable raw output for the ",(0,r.jsx)(s.code,{children:"check-config"})," subcommand, you may now set NO_COLOR=1"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9586",children:"(#9586)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust first node-ip based on configured clusterCIDR ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9520",children:"(#9520)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9528",children:"(#9528)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Include flannel version in flannel cni plugin version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9648",children:"(#9648)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The flannel controller version is now reported as build metadata on the flannel cni plugin version."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Enable E2E tests on GitHub Actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9660",children:"(#9660)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump metrics-server to v0.7.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9673",children:"(#9673)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump upload and download actions to v4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9666",children:"(#9666)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Warn and suppress duplicate registry mirror endpoints ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9697",children:"(#9697)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove repetitive words ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9671",children:"(#9671)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Run Subset of Docker tests in GitHub Actions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9698",children:"(#9698)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wildcard entry upstream fallback ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9729",children:"(#9729)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.3-k3s1 and Go 1.21.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9747",children:"(#9747)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1292k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.2+k3s1",children:"v1.29.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1291",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1291k3s2",children:"Changes since v1.29.1+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump Local Path Provisioner version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8953",children:"(#8953)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ability to install K3s PR Artifact from GitHub ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9185",children:"(#9185)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Adds ",(0,r.jsx)(s.code,{children:"INSTALL_K3S_PR"})," option to install a build of K3s from any open PR with CI approval"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9237",children:"(#9237)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump codecov/codecov-action from 3 to 4 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9353",children:"(#9353)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9388",children:"(#9388)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix snapshot reconcile retry ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9318",children:"(#9318)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add check for etcd-snapshot-dir and fix panic in Walk ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9317",children:"(#9317)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump CNI plugins to v1.4.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9249",children:"(#9249)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with coredns node hosts controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9354",children:"(#9354)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed issue that could cause coredns pods to fail to start when the embedded helm controller is disabled, due to the configmap not being updated with node hosts entries."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix on-demand snapshots on ipv6-only nodes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9247",children:"(#9247)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9395",children:"(#9395)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped flannel to v0.24.2"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Build: Align drone base images ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8959",children:"(#8959)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Changed how lastHeartBeatTime works in the etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9263",children:"(#9263)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Runtimes refactor using exec.LookPath ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9311",children:"(#9311)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd to fix compat with Docker Engine 25 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9290",children:"(#9290)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add codcov secret for integration tests on Push ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9422",children:"(#9422)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow executors to define ",(0,r.jsx)(s.code,{children:"containerd"})," and ",(0,r.jsx)(s.code,{children:"cridockerd"})," behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9184",children:"(#9184)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kube-router to v2.0.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9396",children:"(#9396)"})]}),"\n",(0,r.jsxs)(s.li,{children:[": Test_UnitApplyContainerdQoSClassConfigFileIfPresent (Created) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8945",children:"(#8945)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Readd ",(0,r.jsx)(s.code,{children:"k3s secrets-encrypt rotate-keys"})," with correct support for KMSv2 GA ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9340",children:"(#9340)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix iptables check when sbin isn't in user PATH ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9344",children:"(#9344)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Don't create NodePasswordValidationFailed event if agent is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9312",children:"(#9312)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"NodePasswordValidationFailed"})," Events will no longer be emitted, if the agent is disabled."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Expose rootless state dir under ~/.rancher/k3s/rootless ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9308",children:"(#9308)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["When running k3s in rootless mode, expose rootlesskit's state directory as ",(0,r.jsx)(s.code,{children:"~/.rancher/k3s/rootless"})]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Expose rootless containerd socket directories for external access ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9309",children:"(#9309)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Mount k3s rootless containerd & cri-dockerd socket directories to ",(0,r.jsx)(s.code,{children:"$XDG_RUNTIME_DIR/k3s/containerd"})," and ",(0,r.jsx)(s.code,{children:"$XDG_RUNTIME_DIR/k3s/cri-dockerd"})," respectively."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine and set NotifyInterval to what the apiserver expects ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9349",children:"(#9349)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.29.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9493",children:"(#9493)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix drone publish for arm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9503",children:"(#9503)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove failing Drone step ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9517",children:"(#9517)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Restore original order of agent startup functions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9539",children:"(#9539)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix netpol startup when flannel is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9571",children:"(#9571)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1291k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.1+k3s2",children:"v1.29.1+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.29.1, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1290",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.p,{children:(0,r.jsx)(s.strong,{children:"Important Notes"})}),"\n",(0,r.jsxs)(s.p,{children:["Addresses the runc CVE: ",(0,r.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2024-21626",children:"CVE-2024-21626"})," by updating runc to v1.1.12."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1290k3s1",children:"Changes since v1.29.0+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump Sonobuoy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8910",children:"(#8910)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump actions/setup-go from 4 to 5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9036",children:"(#9036)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Chore: Update Code of Conduct to Redirect to CNCF CoC ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9104",children:"(#9104)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"NONE"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.28.5+k3s1 and add v1.29 channel ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9110",children:"(#9110)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9070",children:"(#9070)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables are now taken into account by the agent loadbalancer if K3S_AGENT_HTTP_PROXY_ALLOWED env variable is set to true."}),"\n",(0,r.jsxs)(s.li,{children:["This however doesn't affect local requests as the function used prevents that: ",(0,r.jsx)(s.a,{href:"https://pkg.go.dev/net/http#ProxyFromEnvironment",children:"https://pkg.go.dev/net/http#ProxyFromEnvironment"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add a retry around updating a secrets-encrypt node annotations ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9039",children:"(#9039)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Silence SELinux warning on INSTALL_K3S_SKIP_SELINUX_RPM ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8703",children:"(#8703)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ServiceLB support for PodHostIPs FeatureGate ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8917",children:"(#8917)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9118",children:"(#9118)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Redirect error stream to null when checking nm-cloud systemd unit ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8815",children:"(#8815)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:'Remove confusing "nm-cloud-setup.service: No such file or directory" journalctl log'}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Dockerfile.dapper: set $HOME properly ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9090",children:"(#9090)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add system-agent-installer-k3s step to GA release instructions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9153",children:"(#9153)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix install script checksum ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9159",children:"(#9159)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix the OTHER etcd snapshot s3 log message that prints the wrong variable ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8944",children:"(#8944)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Handle logging flags when parsing kube-proxy args ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8916",children:"(#8916)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix nil map in full snapshot configmap reconcile ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9049",children:"(#9049)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add support for containerd cri registry config_path ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8973",children:"(#8973)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add more paths to crun runtime detection ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9086",children:"(#9086)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add runtime checking of golang version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9054",children:"(#9054)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix OS PRETTY_NAME on tagged releases ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9062",children:"(#9062)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Print error when downloading file error inside install script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6874",children:"(#6874)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for cloud-provider taint to be gone before starting the netpol controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9076",children:"(#9076)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8812",children:"(#8812)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"ipFamilyPolicy: RequireDualStack"})," for dual-stack kube-dns ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8984",children:"(#8984)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Handle etcd status condition when node is not ready and disable etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9084",children:"(#9084)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update s3 e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9025",children:"(#9025)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add e2e startup test for rootless k3s ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8383",children:"(#8383)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add spegel distributed registry mirror ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8977",children:"(#8977)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump quic-go for CVE-2023-49295 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9208",children:"(#9208)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable network policy controller metrics ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9195",children:"(#9195)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Kube-router network policy controller metrics are now exposed via the default node metrics endpoint"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix nonexistent dependency repositories ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9213",children:"(#9213)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Move proxy dialer out of init() and fix crash when using ",(0,r.jsx)(s.code,{children:"K3S_AGENT_HTTP_PROXY_ALLOWED=true"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9219",children:"(#9219)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Error getting node in setEtcdStatusCondition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9210",children:"(#9210)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.29.1 and Go 1.21.6 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9259",children:"(#9259)"})]}),"\n",(0,r.jsxs)(s.li,{children:["New stale action ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9278",children:"(#9278)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix handling of bare hostname or IP as endpoint address in registries.yaml ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9323",children:"(#9323)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump runc to v1.1.12 and helm-controller to v0.15.7 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9332",children:"(#9332)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller to fix issue with ChartContent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9345",children:"(#9345)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1290k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.29.0+k3s1",children:"v1.29.0+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.29 line. This release updates Kubernetes to v1.29.0."}),"\n",(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release removes the experimental ",(0,r.jsx)(s.code,{children:"rotate-keys"})," subcommand due to changes in Kubernetes upstream for ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/issues/117728",children:"KMSv2"}),", the subcommand should be added back in future releases."]})}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release also removes the ",(0,r.jsx)(s.code,{children:"multi-cluster-cidr"})," flag, since the support for this alpha feature has been removed completely from ",(0,r.jsx)(s.a,{href:"https://groups.google.com/g/kubernetes-sig-network/c/nts1xEZ--gQ/m/2aTOUNFFAAAJ",children:"Kubernetes upstream"}),", this flag should be removed from the configuration before upgrade."]})}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1284k3s2",children:"Changes since v1.28.4+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix overlapping address range ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8913",children:"(#8913)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Modify CONTRIBUTING.md guide ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8954",children:"(#8954)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Nov 2023 stable channel update ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9022",children:"(#9022)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Default runtime and runtime classes for wasm/nvidia/crun ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8936",children:"(#8936)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Added runtime classes for wasm/nvidia/crun"}),"\n",(0,r.jsx)(s.li,{children:"Added default runtime flag for containerd"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.10-k3s1/v1.1.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8962",children:"(#8962)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow setting default-runtime on servers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9027",children:"(#9027)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9040",children:"(#9040)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove GA feature-gates ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8970",children:"(#8970)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Only publish to code_cov on merged E2E builds ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9051",children:"(#9051)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.29.0+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9052",children:"(#9052)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.24.0 and remove multiclustercidr flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9075",children:"(#9075)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove rotate-keys subcommand ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9079",children:"(#9079)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function a(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(d,{...e})}):d(e)}},1151:(e,s,i)=>{i.d(s,{Z:()=>h,a:()=>l});var r=i(7294);const t={},n=r.createContext(t);function l(e){const s=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(n.Provider,{value:s},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/0ce5aa86.c1c9bf25.js b/assets/js/0ce5aa86.46b1828e.js
similarity index 99%
rename from assets/js/0ce5aa86.c1c9bf25.js
rename to assets/js/0ce5aa86.46b1828e.js
index 74ea849e2..5738e1bb1 100644
--- a/assets/js/0ce5aa86.c1c9bf25.js
+++ b/assets/js/0ce5aa86.46b1828e.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1620],{3012:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var i=t(5893),r=t(1151);const n={hide_table_of_contents:!0,sidebar_position:5},l="v1.26.X",h={id:"release-notes/v1.26.X",title:"v1.26.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.26.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.26.X",permalink:"/release-notes/v1.26.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.26.X.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,sidebarPosition:5,frontMatter:{hide_table_of_contents:!0,sidebar_position:5},sidebar:"mySidebar",previous:{title:"v1.27.X",permalink:"/release-notes/v1.27.X"},next:{title:"v1.25.X",permalink:"/release-notes/v1.25.X"}},c={},d=[{value:"Release v1.26.15+k3s1",id:"release-v12615k3s1",level:2},{value:"Changes since v1.26.14+k3s1:",id:"changes-since-v12614k3s1",level:3},{value:"Release v1.26.14+k3s1",id:"release-v12614k3s1",level:2},{value:"Changes since v1.26.13+k3s2:",id:"changes-since-v12613k3s2",level:3},{value:"Release v1.26.13+k3s2",id:"release-v12613k3s2",level:2},{value:"Changes since v1.26.12+k3s1:",id:"changes-since-v12612k3s1",level:3},{value:"Release v1.26.12+k3s1",id:"release-v12612k3s1",level:2},{value:"Changes since v1.26.11+k3s2:",id:"changes-since-v12611k3s2",level:3},{value:"Release v1.26.11+k3s2",id:"release-v12611k3s2",level:2},{value:"Changes since v1.26.10+k3s2:",id:"changes-since-v12610k3s2",level:3},{value:"Release v1.26.10+k3s2",id:"release-v12610k3s2",level:2},{value:"Changes since v1.26.10+k3s1:",id:"changes-since-v12610k3s1",level:3},{value:"Release v1.26.10+k3s1",id:"release-v12610k3s1",level:2},{value:"Changes since v1.26.9+k3s1:",id:"changes-since-v1269k3s1",level:3},{value:"Release v1.26.9+k3s1",id:"release-v1269k3s1",level:2},{value:"Changes since v1.26.8+k3s1:",id:"changes-since-v1268k3s1",level:3},{value:"Release v1.26.8+k3s1",id:"release-v1268k3s1",level:2},{value:"Changes since v1.26.7+k3s1:",id:"changes-since-v1267k3s1",level:3},{value:"Release v1.26.7+k3s1",id:"release-v1267k3s1",level:2},{value:"Changes since v1.26.6+k3s1:",id:"changes-since-v1266k3s1",level:3},{value:"Release v1.26.6+k3s1",id:"release-v1266k3s1",level:2},{value:"Changes since v1.26.5+k3s1:",id:"changes-since-v1265k3s1",level:3},{value:"Release v1.26.5+k3s1",id:"release-v1265k3s1",level:2},{value:"Changes since v1.26.4+k3s1:",id:"changes-since-v1264k3s1",level:3},{value:"Release v1.26.4+k3s1",id:"release-v1264k3s1",level:2},{value:"Changes since v1.26.3+k3s1:",id:"changes-since-v1263k3s1",level:3},{value:"Release v1.26.3+k3s1",id:"release-v1263k3s1",level:2},{value:"Changes since v1.26.2+k3s1:",id:"changes-since-v1262k3s1",level:3},{value:"Release v1.26.2+k3s1",id:"release-v1262k3s1",level:2},{value:"Changes since v1.26.1+k3s1:",id:"changes-since-v1261k3s1",level:3},{value:"Release v1.26.1+k3s1",id:"release-v1261k3s1",level:2},{value:"Changes since v1.26.0+k3s2:",id:"changes-since-v1260k3s2",level:3},{value:"Release v1.26.0+k3s2",id:"release-v1260k3s2",level:2},{value:"Changes since v1.26.0+k3s1:",id:"changes-since-v1260k3s1",level:3},{value:"Release v1.26.0+k3s1",id:"release-v1260k3s1",level:2},{value:"\u26a0\ufe0f WARNING",id:"\ufe0f-warning",level:2},{value:"Changes since v1.25.5+k3s1:",id:"changes-since-v1255k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(s.header,{children:(0,i.jsx)(s.h1,{id:"v126x",children:"v1.26.X"})}),"\n",(0,i.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,i.jsxs)(s.table,{children:[(0,i.jsx)(s.thead,{children:(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.th,{children:"Version"}),(0,i.jsx)(s.th,{children:"Release date"}),(0,i.jsx)(s.th,{children:"Kubernetes"}),(0,i.jsx)(s.th,{children:"Kine"}),(0,i.jsx)(s.th,{children:"SQLite"}),(0,i.jsx)(s.th,{children:"Etcd"}),(0,i.jsx)(s.th,{children:"Containerd"}),(0,i.jsx)(s.th,{children:"Runc"}),(0,i.jsx)(s.th,{children:"Flannel"}),(0,i.jsx)(s.th,{children:"Metrics-server"}),(0,i.jsx)(s.th,{children:"Traefik"}),(0,i.jsx)(s.th,{children:"CoreDNS"}),(0,i.jsx)(s.th,{children:"Helm-controller"}),(0,i.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,i.jsxs)(s.tbody,{children:[(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12615k3s1",children:"v1.26.15+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 25 2024"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12615",children:"v1.26.15"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12614k3s1",children:"v1.26.14+k3s1"})}),(0,i.jsx)(s.td,{children:"Feb 29 2024"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12614",children:"v1.26.14"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12613k3s2",children:"v1.26.13+k3s2"})}),(0,i.jsx)(s.td,{children:"Feb 06 2024"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12613",children:"v1.26.13"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12612k3s1",children:"v1.26.12+k3s1"})}),(0,i.jsx)(s.td,{children:"Dec 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12612",children:"v1.26.12"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.10",children:"v1.1.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12611k3s2",children:"v1.26.11+k3s2"})}),(0,i.jsx)(s.td,{children:"Dec 07 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12611",children:"v1.26.11"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.26",children:"v1.7.7-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12610k3s2",children:"v1.26.10+k3s2"})}),(0,i.jsx)(s.td,{children:"Nov 08 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12610",children:"v1.26.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.26",children:"v1.7.7-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12610k3s1",children:"v1.26.10+k3s1"})}),(0,i.jsx)(s.td,{children:"Oct 30 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12610",children:"v1.26.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.26",children:"v1.7.7-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1269k3s1",children:"v1.26.9+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 20 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1269",children:"v1.26.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.6-k3s1.26",children:"v1.7.6-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1268k3s1",children:"v1.26.8+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 05 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1268",children:"v1.26.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.2",children:"v0.10.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s1",children:"v1.7.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1267k3s1",children:"v1.26.7+k3s1"})}),(0,i.jsx)(s.td,{children:"Jul 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1267",children:"v1.26.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.2",children:"v0.15.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1266k3s1",children:"v1.26.6+k3s1"})}),(0,i.jsx)(s.td,{children:"Jun 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1266",children:"v1.26.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.0",children:"v0.15.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1265k3s1",children:"v1.26.5+k3s1"})}),(0,i.jsx)(s.td,{children:"May 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1265",children:"v1.26.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.14.0",children:"v0.14.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1264k3s1",children:"v1.26.4+k3s1"})}),(0,i.jsx)(s.td,{children:"Apr 20 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1264",children:"v1.26.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.5",children:"v1.1.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.3",children:"v0.13.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1263k3s1",children:"v1.26.3+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1263",children:"v1.26.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1262k3s1",children:"v1.26.2+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 10 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1262",children:"v1.26.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.1",children:"v0.21.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1261k3s1",children:"v1.26.1+k3s1"})}),(0,i.jsx)(s.td,{children:"Jan 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1261",children:"v1.26.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.8",children:"v0.9.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1260k3s2",children:"v1.26.0+k3s2"})}),(0,i.jsx)(s.td,{children:"Jan 11 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1260",children:"v1.26.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.8",children:"v0.9.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.14-k3s1",children:"v1.6.14-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1260k3s1",children:"v1.26.0+k3s1"})}),(0,i.jsx)(s.td,{children:"Dec 21 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1260",children:"v1.26.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.8",children:"v0.9.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.12-k3s1",children:"v1.6.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]})]})]}),"\n",(0,i.jsx)("br",{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12615k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.15+k3s1",children:"v1.26.15+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.15, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12614",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12614k3s1",children:"Changes since v1.26.14+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update klipper-lb image version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9607",children:"(#9607)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Install and Unit test backports ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9645",children:"(#9645)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Adjust first node-ip based on configured clusterCIDR ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9633",children:"(#9633)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add an integration test for flannel-backend=none ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9610",children:"(#9610)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve tailscale e2e test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9655",children:"(#9655)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-03 release cycle ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9692",children:"(#9692)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fix: use correct wasm shims names"}),"\n",(0,i.jsx)(s.li,{children:"The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller."}),"\n",(0,i.jsx)(s.li,{children:"Bump spegel to v0.0.18-k3s3"}),"\n",(0,i.jsx)(s.li,{children:"Adds wildcard registry support"}),"\n",(0,i.jsx)(s.li,{children:"Fixes issue with excessive CPU utilization while waiting for containerd to start"}),"\n",(0,i.jsx)(s.li,{children:"Add env var to allow spegel mirroring of latest tag"}),"\n",(0,i.jsx)(s.li,{children:"Tweak netpol node wait logs"}),"\n",(0,i.jsx)(s.li,{children:"Fix coredns NodeHosts on dual-stack clusters"}),"\n",(0,i.jsx)(s.li,{children:"Bump helm-controller/klipper-helm versions"}),"\n",(0,i.jsx)(s.li,{children:"Fix snapshot prune"}),"\n",(0,i.jsx)(s.li,{children:"Fix issue with etcd node name missing hostname"}),"\n",(0,i.jsx)(s.li,{children:"Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode."}),"\n",(0,i.jsxs)(s.li,{children:["To enable raw output for the ",(0,i.jsx)(s.code,{children:"check-config"})," subcommand, you may now set NO_COLOR=1"]}),"\n",(0,i.jsx)(s.li,{children:"Fix additional corner cases in registries handling"}),"\n",(0,i.jsx)(s.li,{children:"Bump metrics-server to v0.7.0"}),"\n",(0,i.jsx)(s.li,{children:"K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix wildcard entry upstream fallback ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9735",children:"(#9735)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.15-k3s1 and Go 1.21.8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9740",children:"(#9740)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12614k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.14+k3s1",children:"v1.26.14+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.14, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12613",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12613k3s2",children:"Changes since v1.26.13+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Chore: bump Local Path Provisioner version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9428",children:"(#9428)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump cri-dockerd to fix compat with Docker Engine 25 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9292",children:"(#9292)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Auto Dependency Bump ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9421",children:"(#9421)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Runtimes refactor using exec.LookPath ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9429",children:"(#9429)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Changed how lastHeartBeatTime works in the etcd condition ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9423",children:"(#9423)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow executors to define containerd and docker behavior ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9252",children:"(#9252)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kube-router to v2.0.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9406",children:"(#9406)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-02 release cycle ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9464",children:"(#9464)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump flannel version + remove multiclustercidr ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9409",children:"(#9409)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Enable longer http timeout requests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9446",children:"(#9446)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Test_UnitApplyContainerdQoSClassConfigFileIfPresent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9442",children:"(#9442)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Support PR testing installs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9471",children:"(#9471)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.26.14 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9490",children:"(#9490)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix drone publish for arm ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9510",children:"(#9510)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove failing Drone step ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9514",children:"(#9514)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Restore original order of agent startup functions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9547",children:"(#9547)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix netpol startup when flannel is disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9580",children:"(#9580)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12613k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.13+k3s2",children:"v1.26.13+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.13, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12612",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.p,{children:(0,i.jsx)(s.strong,{children:"Important Notes"})}),"\n",(0,i.jsxs)(s.p,{children:["Addresses the runc CVE: ",(0,i.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2024-21626",children:"CVE-2024-21626"})," by updating runc to v1.1.12."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12612k3s1",children:"Changes since v1.26.12+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add a retry around updating a secrets-encrypt node annotations ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9123",children:"(#9123)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9116",children:"(#9116)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for taint to be gone in the node before starting the netpol controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9177",children:"(#9177)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Etcd condition ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9183",children:"(#9183)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-01 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9212",children:"(#9212)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Move proxy dialer out of init() and fix crash ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9221",children:"(#9221)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pin opa version for missing dependency chain ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9218",children:"(#9218)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Etcd node is nil ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9230",children:"(#9230)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.13 and Go 1.20.13 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9262",children:"(#9262)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use ",(0,i.jsx)(s.code,{children:"ipFamilyPolicy: RequireDualStack"})," for dual-stack kube-dns ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9271",children:"(#9271)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-01 k3s2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9338",children:"(#9338)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bump runc to v1.1.12 and helm-controller to v0.15.7"}),"\n",(0,i.jsx)(s.li,{children:"Fix handling of bare hostname or IP as endpoint address in registries.yaml"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump helm-controller to fix issue with ChartContent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9348",children:"(#9348)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12612k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.12+k3s1",children:"v1.26.12+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.12, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12611",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12611k3s2",children:"Changes since v1.26.11+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Runtimes backport ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9014",children:"(#9014)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Added runtime classes for wasm/nvidia/crun"}),"\n",(0,i.jsx)(s.li,{children:"Added default runtime flag for containerd"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.10-k3s1/v1.1.10 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8964",children:"(#8964)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix overlapping address range ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9019",children:"(#9019)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow setting default-runtime on servers ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9028",children:"(#9028)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.7.11 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9042",children:"(#9042)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.12-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9077",children:"(#9077)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12611k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.11+k3s2",children:"v1.26.11+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.11, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12610",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12610k3s2",children:"Changes since v1.26.10+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Etcd status condition ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8820",children:"(#8820)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-11 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8879",children:"(#8879)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["New timezone info in Docker image allows the use of ",(0,i.jsx)(s.code,{children:"spec.timeZone"})," in CronJobs"]}),"\n",(0,i.jsx)(s.li,{children:"Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation."}),"\n",(0,i.jsxs)(s.li,{children:["Containerd may now be configured to use rdt or blockio configuration by defining ",(0,i.jsx)(s.code,{children:"rdt_config.yaml"})," or ",(0,i.jsx)(s.code,{children:"blockio_config.yaml"})," files."]}),"\n",(0,i.jsx)(s.li,{children:"Add agent flag disable-apiserver-lb, agent will not start load balance proxy."}),"\n",(0,i.jsx)(s.li,{children:"Improved ingress IP ordering from ServiceLB"}),"\n",(0,i.jsx)(s.li,{children:"Disable helm CRD installation for disable-helm-controller"}),"\n",(0,i.jsx)(s.li,{children:"Omit snapshot list configmap entries for snapshots without extra metadata"}),"\n",(0,i.jsx)(s.li,{children:"Add jitter to client config retry to avoid hammering servers when they are starting up"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add warning for removal of multiclustercidr flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8760",children:"(#8760)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Handle nil pointer when runtime core is not ready in etcd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8888",children:"(#8888)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve dualStack log ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8829",children:"(#8829)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump dynamiclistener; reduce snapshot controller log spew ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8903",children:"(#8903)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret"}),"\n",(0,i.jsx)(s.li,{children:"Reduced etcd snapshot log spam during initial cluster startup"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix etcd snapshot S3 issues ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8938",children:"(#8938)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Don't apply S3 retention if S3 client failed to initialize"}),"\n",(0,i.jsx)(s.li,{children:"Don't request metadata when listing S3 snapshots"}),"\n",(0,i.jsx)(s.li,{children:"Print key instead of file path in snapshot metadata log message"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.11 and Go to 1.20.11 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8922",children:"(#8922)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove s390x ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9000",children:"(#9000)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12610k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.10+k3s2",children:"v1.26.10+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.10, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12610",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12610k3s1",children:"Changes since v1.26.10+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix SystemdCgroup in templates_linux.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8766",children:"(#8766)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue with identifying additional container runtimes"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update traefik chart to v25.0.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8776",children:"(#8776)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update traefik to fix registry value ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8790",children:"(#8790)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12610k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.10+k3s1",children:"v1.26.10+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.10, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1269",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1269k3s1",children:"Changes since v1.26.9+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix error reporting ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8412",children:"(#8412)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add context to flannel errors ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8420",children:"(#8420)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Testing Backports for September ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8300",children:"(#8300)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Include the interface name in the error message ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8436",children:"(#8436)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8444",children:"(#8444)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add extraArgs to tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8465",children:"(#8465)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added error when cluster reset while using server flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8456",children:"(#8456)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The user will receive a error when --cluster-reset with the --server flag"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Cluster reset from non bootstrap nodes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8453",children:"(#8453)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix spellcheck problem ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8510",children:"(#8510)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Take IPFamily precedence based on order ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8505",children:"(#8505)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Network defaults are duplicated, remove one ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8552",children:"(#8552)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Advertise address integration test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8517",children:"(#8517)"})]}),"\n",(0,i.jsxs)(s.li,{children:["System agent push tags fix ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8570",children:"(#8570)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed tailscale node IP dualstack mode in case of IPv4 only node ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8559",children:"(#8559)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Server Token Rotation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8577",children:"(#8577)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Users can now rotate the server token using ",(0,i.jsx)(s.code,{children:"k3s token rotate -t --new-token "}),". After command succeeds, all server nodes must be restarted with the new token."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Clear remove annotations on cluster reset ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8590",children:"(#8590)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Use IPv6 in case is the first configured IP with dualstack ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8598",children:"(#8598)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-10 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8616",children:"(#8616)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E Domain Drone Cleanup ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8583",children:"(#8583)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router package in build script ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8635",children:"(#8635)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add etcd-only/control-plane-only server test and fix control-plane-only server crash ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8643",children:"(#8643)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use ",(0,i.jsx)(s.code,{children:"version.Program"})," not K3s in token rotate logs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8655",children:"(#8655)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Windows agent support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8647",children:"(#8647)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add --image-service-endpoint flag (#8279) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8663",children:"(#8663)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add ",(0,i.jsx)(s.code,{children:"--image-service-endpoint"})," flag to specify an external image service socket."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Backport etcd fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8691",children:"(#8691)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Re-enable etcd endpoint auto-sync"}),"\n",(0,i.jsx)(s.li,{children:"Manually requeue configmap reconcile when no nodes have reconciled snapshots"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.10 and Go to v1.20.10 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8680",children:"(#8680)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix s3 snapshot restore ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8734",children:"(#8734)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1269k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.9+k3s1",children:"v1.26.9+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.9, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1268",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1268k3s1",children:"Changes since v1.26.8+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.10.3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8325",children:"(#8325)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.9 and go to v1.20.8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8357",children:"(#8357)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bump embedded containerd to v1.7.6"}),"\n",(0,i.jsx)(s.li,{children:"Bump embedded stargz-snapshotter plugin to latest"}),"\n",(0,i.jsx)(s.li,{children:"Fixed intermittent drone CI failures due to race conditions in test environment setup scripts"}),"\n",(0,i.jsx)(s.li,{children:"Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1268k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.8+k3s1",children:"v1.26.8+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.8, and fixes a number of issues."}),"\n",(0,i.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,i.jsxs)(s.p,{children:["This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including mandatory steps necessary to harden clusters against this vulnerability."]})}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1267",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1267k3s1",children:"Changes since v1.26.7+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel and plugins ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8075",children:"(#8075)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix tailscale bug with ip modes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8097",children:"(#8097)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Etcd snapshots retention when node name changes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8122",children:"(#8122)"})]}),"\n",(0,i.jsxs)(s.li,{children:["August Test Backports ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8126",children:"(#8126)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-08 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8129",children:"(#8129)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries."}),"\n",(0,i.jsxs)(s.li,{children:["K3s no longer enables the apiserver's ",(0,i.jsx)(s.code,{children:"enable-aggregator-routing"})," flag when the egress proxy is not being used to route connections to in-cluster endpoints."]}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded containerd to v1.7.3+k3s1"}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded runc to v1.1.8"}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded etcd to v3.5.9+k3s1"}),"\n",(0,i.jsxs)(s.li,{children:["User-provided containerd config templates may now use ",(0,i.jsx)(s.code,{children:'{{ template "base" . }}'})," to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file."]}),"\n",(0,i.jsx)(s.li,{children:"Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client."}),"\n",(0,i.jsx)(s.li,{children:"Updated kine to v0.10.2"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["K3s etcd-snapshot delete fail to delete local file when called with s3 flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8144",children:"(#8144)"})]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix for cluster-reset backup from s3 when etcd snapshots are disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8170",children:"(#8170)"})]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed the etcd retention to delete orphaned snapshots based on the date ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8189",children:"(#8189)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Additional backports for 2023-08 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8212",children:"(#8212)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The version of ",(0,i.jsx)(s.code,{children:"helm"})," used by the bundled helm controller's job image has been updated to v3.12.3"]}),"\n",(0,i.jsx)(s.li,{children:"Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes."}),"\n",(0,i.jsx)(s.li,{children:"The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Move flannel to 0.22.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8222",children:"(#8222)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8235",children:"(#8235)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add new CLI flag to enable TLS SAN CN filtering ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8258",children:"(#8258)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Added a new ",(0,i.jsx)(s.code,{children:"--tls-san-security"})," option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8274",children:"(#8274)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1267k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.7+k3s1",children:"v1.26.7+k3s1"})]}),"\n",(0,i.jsxs)(s.p,{children:["This release updates Kubernetes to v1.26.7, and fixes a number of issues.\r\n\u200b\r\nFor more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1266",children:"Kubernetes release notes"}),".\r\n\u200b"]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1266k3s1",children:"Changes since v1.26.6+k3s1:"}),"\n",(0,i.jsx)(s.p,{children:"\u200b"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Remove file_windows.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7855",children:"(#7855)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix code spell check ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7859",children:"(#7859)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow k3s to customize apiServerPort on helm-controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7874",children:"(#7874)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Check if we are on ipv4, ipv6 or dualStack when doing tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7882",children:"(#7882)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Support setting control server URL for Tailscale. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7893",children:"(#7893)"})]}),"\n",(0,i.jsxs)(s.li,{children:["S3 and Startup tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7885",children:"(#7885)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix rootless node password ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7901",children:"(#7901)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-07 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7908",children:"(#7908)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted."}),"\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"k3s certificate rotate-ca"})," command now supports the data-dir flag."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Adding cli to custom klipper helm image ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7914",children:"(#7914)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The default helm-controller job image can now be overridden with the --helm-job-image CLI flag"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Generation of certs and keys for etcd gated if etcd is disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7944",children:"(#7944)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Don't use zgrep in ",(0,i.jsx)(s.code,{children:"check-config"})," if apparmor profile is enforced ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7956",children:"(#7956)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix image_scan.sh script and download trivy version (#7950) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7968",children:"(#7968)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Adjust default kubeconfig file permissions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7983",children:"(#7983)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.7 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8022",children:"(#8022)"}),"\r\n\u200b"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1266k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.6+k3s1",children:"v1.26.6+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.6, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1265",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1265k3s1",children:"Changes since v1.26.5+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7648",children:"(#7648)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump vagrant libvirt with fix for plugin installs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7658",children:"(#7658)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E and Dep Backports - June ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7693",children:"(#7693)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bump docker go.mod #7681"}),"\n",(0,i.jsx)(s.li,{children:"Shortcircuit commands with version or help flags #7683"}),"\n",(0,i.jsx)(s.li,{children:"Add Rotation certification Check, remove func to restart agents #7097"}),"\n",(0,i.jsx)(s.li,{children:"E2E: Sudo for RunCmdOnNode #7686"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["VPN integration ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7727",children:"(#7727)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2e: Private registry test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7721",children:"(#7721)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix spelling check ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7751",children:"(#7751)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove unused libvirt config ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7757",children:"(#7757)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7717",children:"(#7717)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default."}),"\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"coredns-custom"})," ConfigMap now allows for ",(0,i.jsx)(s.code,{children:"*.override"})," sections to be included in the ",(0,i.jsx)(s.code,{children:".:53"})," default server block."]}),"\n",(0,i.jsx)(s.li,{children:"The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user."}),"\n",(0,i.jsx)(s.li,{children:"Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local."}),"\n",(0,i.jsx)(s.li,{children:"Make LB image configurable when compiling k3s"}),"\n",(0,i.jsx)(s.li,{children:"K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod."}),"\n",(0,i.jsx)(s.li,{children:"The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release."}),"\n",(0,i.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add format command on makefile ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7762",children:"(#7762)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix logging and cleanup in Tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7782",children:"(#7782)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.26.6 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7789",children:"(#7789)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1265k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.5+k3s1",children:"v1.26.5+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.5, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1264",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1264k3s1",children:"Changes since v1.26.4+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Ensure that klog verbosity is set to the same level as logrus ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7360",children:"(#7360)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Prepend release branch to dependabot ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7374",children:"(#7374)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add integration tests for etc-snapshot server flags ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7377",children:"(#7377)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Runc and Containerd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7399",children:"(#7399)"})]}),"\n",(0,i.jsxs)(s.li,{children:["CLI + Config Enhancement ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7403",children:"(#7403)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:[(0,i.jsx)(s.code,{children:"--Tls-sans"})," now accepts multiple arguments: ",(0,i.jsx)(s.code,{children:'--tls-sans="foo,bar"'})]}),"\n",(0,i.jsxs)(s.li,{children:[(0,i.jsx)(s.code,{children:"Prefer-bundled-bin: true"})," now works properly when set in ",(0,i.jsx)(s.code,{children:"config.yaml.d"})," files"]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Migrate netutil methods into /utils/net.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7432",children:"(#7432)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kube-router version to fix a bug when a port name is used ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7460",children:"(#7460)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Kube flags and longhorn storage tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7465",children:"(#7465)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Local-storage: Fix permission ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7474",children:"(#7474)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.7.0 and move back into multicall binary ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7444",children:"(#7444)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded containerd version has been bumped to ",(0,i.jsx)(s.code,{children:"v1.7.0-k3s1"}),", and has been reintegrated into the main k3s binary for a significant savings in release artifact size."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7514",children:"(#7514)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:'K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.'}),"\n",(0,i.jsx)(s.li,{children:"K3s once again supports aarch64 nodes with page size > 4k"}),"\n",(0,i.jsx)(s.li,{children:"The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0"}),"\n",(0,i.jsxs)(s.li,{children:["K3s now prints a more meaningful error when attempting to run from a filesystem mounted ",(0,i.jsx)(s.code,{children:"noexec"}),"."]}),"\n",(0,i.jsxs)(s.li,{children:["K3s now exits with a proper error message when the server token uses a bootstrap token ",(0,i.jsx)(s.code,{children:"id.secret"})," format."]}),"\n",(0,i.jsx)(s.li,{children:"Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content."}),"\n",(0,i.jsx)(s.li,{children:"Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component."}),"\n",(0,i.jsx)(s.li,{children:"Fixed an regression that prevented the pod and cluster egress-selector modes from working properly."}),"\n",(0,i.jsx)(s.li,{children:"K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes."}),"\n",(0,i.jsx)(s.li,{children:"K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster."}),"\n",(0,i.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.10.1. This replaces the legacy ",(0,i.jsx)(s.code,{children:"lib/pq"})," postgres driver with ",(0,i.jsx)(s.code,{children:"pgx"}),"."]}),"\n",(0,i.jsx)(s.li,{children:"The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle."}),"\n",(0,i.jsx)(s.li,{children:"The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.1-k3s1/v1.1.7 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7534",children:"(#7534)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Wrap error stating that it is coming from netpol ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7547",children:"(#7547)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add '-all' flag to apply to inactive units ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7573",children:"(#7573)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.5-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7576",children:"(#7576)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pin emicklei/go-restful to v3.9.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7598",children:"(#7598)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1264k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.4+k3s1",children:"v1.26.4+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.4, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1263",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1263k3s1",children:"Changes since v1.26.3+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Enhance ",(0,i.jsx)(s.code,{children:"k3s check-config"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7091",children:"(#7091)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update stable channel to v1.25.8+k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7161",children:"(#7161)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Drone Pipelines enhancement ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7169",children:"(#7169)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix_get_sha_url ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7187",children:"(#7187)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve Updatecli local-path-provisioner pipeline ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7181",children:"(#7181)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve workflow ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7142",children:"(#7142)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve Trivy configuration ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7154",children:"(#7154)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Local Path Provisioner version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7167",children:"(#7167)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled local-path-provisioner version has been bumped to v0.0.24"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump etcd to v3.5.7 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7170",children:"(#7170)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded etcd version has been bumped to v3.5.7"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump runc to v1.1.5 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7171",children:"(#7171)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled runc version has been bumped to v1.1.5"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix race condition caused by etcd advertising addresses that it does not listen on ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7147",children:"(#7147)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed a race condition during cluster reset that could cause the operation to hang and time out."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump coredns to v1.10.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7168",children:"(#7168)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled coredns version has been bumped to v1.10.1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Don't apply hardened args to agent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7089",children:"(#7089)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Upgrade helm-controller to v0.13.3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7209",children:"(#7209)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve Klipper Helm and Helm controller bumps ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7146",children:"(#7146)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix issue with stale connections to removed LB server ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7194",children:"(#7194)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The client load-balancer that maintains connections to active server nodes now closes connections to servers when they are removed from the cluster. This ensures that agent components immediately reconnect to a current cluster member."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump actions/setup-go from 3 to 4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7111",children:"(#7111)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Lock bootstrap data with empty key to prevent conflicts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7215",children:"(#7215)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"When using an external datastore, K3s now locks the bootstrap key while creating initial cluster bootstrap data, preventing a race condition when multiple servers attempted to initialize the cluster simultaneously."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Updated kube-router to move the default ACCEPT rule at the end of the chain ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7218",children:"(#7218)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add make commands to terraform automation and fix external dbs related issue ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7159",children:"(#7159)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update klipper lb to v0.4.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7210",children:"(#7210)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add coreos and sle micro to selinux support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6945",children:"(#6945)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix call for k3s-selinux versions in airgapped environments ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7264",children:"(#7264)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kube-router ACCEPT rule insertion and install script to clean rules before start ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7274",children:"(#7274)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.4-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7282",children:"(#7282)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump golang",":alpine"," image version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7292",children:"(#7292)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Sonobuoy version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7256",children:"(#7256)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Trivy version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7257",children:"(#7257)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1263k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.3+k3s1",children:"v1.26.3+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.3, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1262",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1262k3s1",children:"Changes since v1.26.2+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add E2E to Drone ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6890",children:"(#6890)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add flannel adr ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6973",children:"(#6973)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update flannel and kube-router ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7039",children:"(#7039)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump various dependencies for CVEs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7044",children:"(#7044)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Adds a warning about editing to the containerd config.toml file ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7057",children:"(#7057)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update stable version in channel server ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7066",children:"(#7066)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for kubelet port to be ready before setting ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7041",children:"(#7041)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The agent tunnel authorizer now waits for the kubelet to be ready before reading the kubelet port from the node object."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Improve support for rotating the default self-signed certs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7032",children:"(#7032)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"k3s certificate rotate-ca"})," checks now support rotating self-signed certificates without the ",(0,i.jsx)(s.code,{children:"--force"})," option."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Skip all pipelines based on what is in the PR ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6996",children:"(#6996)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add missing kernel config checks ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6946",children:"(#6946)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove deprecated nodeSelector label beta.kubernetes.io/os ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6970",children:"(#6970)"})]}),"\n",(0,i.jsxs)(s.li,{children:["MultiClusterCIDR for v1.26 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6885",children:"(#6885)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"MultiClusterCIDR feature"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Remove Nikolai from MAINTAINERS list ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7088",children:"(#7088)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add automation for Restart command for K3s ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7002",children:"(#7002)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix to Rotate CA e2e test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7101",children:"(#7101)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Drone: Cleanup E2E VMs on test panic ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7104",children:"(#7104)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.3-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7108",children:"(#7108)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pin golangci-lint version to v1.51.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7113",children:"(#7113)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Clean E2E VMs before testing ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7109",children:"(#7109)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update flannel to fix NAT issue with old iptables version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7136",children:"(#7136)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1262k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.2+k3s1",children:"v1.26.2+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.2, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1261",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1261k3s1",children:"Changes since v1.26.1+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add build tag to disable cri-dockerd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6760",children:"(#6760)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump cri-dockerd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6797",children:"(#6797)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded cri-dockerd has been updated to v0.3.1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update stable channel to v1.25.6+k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6828",children:"(#6828)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E Rancher and Hardened script improvements ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6778",children:"(#6778)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add Ayedo to Adopters ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6801",children:"(#6801)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Consolidate E2E tests and GH Actions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6772",children:"(#6772)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow ServiceLB to honor ",(0,i.jsx)(s.code,{children:"ExternalTrafficPolicy=Local"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6726",children:"(#6726)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"ServiceLB now honors the Service's ExternalTrafficPolicy. When set to Local, the LoadBalancer will only advertise addresses of Nodes with a Pod for the Service, and will not forward traffic to other cluster members."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix cronjob example ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6707",children:"(#6707)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump vagrant boxes to fedora37 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6832",children:"(#6832)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Ensure flag type consistency ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6852",children:"(#6852)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E: Consoldiate docker and prefer bundled tests into new startup test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6851",children:"(#6851)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix reference to documentation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6860",children:"(#6860)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump deps: trivy, sonobuoy, dapper, golangci-lint, gopls ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6807",children:"(#6807)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix check for (open)SUSE version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6791",children:"(#6791)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add support for user-provided CA certificates ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6615",children:"(#6615)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["K3s now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before K3s starts in the github repo at ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/certs.sh",children:"contrib/util/certs.sh"}),"."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Ignore value conflicts when reencrypting secrets ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6850",children:"(#6850)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add ",(0,i.jsx)(s.code,{children:"kubeadm"})," style bootstrap token secret support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6663",children:"(#6663)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["K3s now supports ",(0,i.jsx)(s.code,{children:"kubeadm"})," style join tokens. ",(0,i.jsx)(s.code,{children:"k3s token create"})," now creates join token secrets, optionally with a limited TTL."]}),"\n",(0,i.jsx)(s.li,{children:"K3s agents joined with an expired or deleted token stay in the cluster using existing client certificates via the NodeAuthorization admission plugin, unless their Node object is deleted from the cluster."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add NATS to the list of supported data stores ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6876",children:"(#6876)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use default address family when adding kubernetes service address to SAN list ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6857",children:"(#6857)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The apiserver advertised address and IP SAN entry are now set correctly on clusters that use IPv6 as the default IP family."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix issue with servicelb startup failure when validating webhooks block creation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6911",children:"(#6911)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded cloud controller manager will no longer attempt to unconditionally re-create its namespace and serviceaccount on startup. This resolves an issue that could cause a deadlocked cluster when fail-closed webhooks are in use."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6829",children:"(#6829)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue that would cause the apiserver egress proxy to attempt to use the agent tunnel to connect to service endpoints even in agent or disabled mode."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for server to become ready before creating token ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6932",children:"(#6932)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow for multiple sets of leader-elected controllers ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6922",children:"(#6922)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue where leader-elected controllers for managed etcd did not run on etcd-only nodes"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update Flannel to v0.21.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6944",children:"(#6944)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix Nightly E2E tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6950",children:"(#6950)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix etcd and ca-cert rotate issues ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6952",children:"(#6952)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix ServiceLB dual-stack ingress IP listing ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6979",children:"(#6979)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Resolved an issue with ServiceLB that would cause it to advertise node IPv6 addresses, even if the cluster or service was not enabled for dual-stack operation."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.9.9 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6974",children:"(#6974)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.9.9. Compaction log messages are now omitted at ",(0,i.jsx)(s.code,{children:"info"})," level for increased visibility."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.2-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7011",children:"(#7011)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1261k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.1+k3s1",children:"v1.26.1+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.1, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1260",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1260k3s2",children:"Changes since v1.26.0+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add jitter to scheduled snapshots and retry harder on conflicts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6715",children:"(#6715)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Scheduled etcd snapshots are now offset by a short random delay of up to several seconds. This should prevent multi-server clusters from executing pathological behavior when attempting to simultaneously update the snapshot list ConfigMap. The snapshot controller will also be more persistent in attempting to update the snapshot list."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Adjust e2e test run script and fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6718",children:"(#6718)"})]}),"\n",(0,i.jsxs)(s.li,{children:["RIP Codespell ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6701",children:"(#6701)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump alpine from 3.16 to 3.17 in /package ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6688",children:"(#6688)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump alpine from 3.16 to 3.17 in /conformance ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6687",children:"(#6687)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.15-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6722",children:"(#6722)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.15-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Containerd restart testlet ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6696",children:"(#6696)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump ubuntu from 20.04 to 22.04 in /tests/e2e/scripts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6686",children:"(#6686)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add explicit read permissions to workflows ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6700",children:"(#6700)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pass through default tls-cipher-suites ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6725",children:"(#6725)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The K3s default cipher suites are now explicitly passed in to kube-apiserver, ensuring that all listeners use these values."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump golang",":alpine"," image version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6683",children:"(#6683)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bugfix: do not break cert-manager when pprof is enabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6635",children:"(#6635)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix CI tests on Alpine 3.17 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6744",children:"(#6744)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Stable to 1.25.5+k3s2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6753",children:"(#6753)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump action/download-artifact to v3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6746",children:"(#6746)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Generate report and upload test results ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6737",children:"(#6737)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Slow dependency CI to weekly ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6764",children:"(#6764)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix Drone plugins/docker tag for 32 bit arm ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6769",children:"(#6769)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.1-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6774",children:"(#6774)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1260k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.0+k3s2",children:"v1.26.0+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates containerd to v1.6.14 to resolve an issue where pods would lose their CNI information when containerd was restarted, as well as a number of other stability and administrative changes."}),"\n",(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1260k3s1",children:"Changes since v1.26.0+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Current status badges ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6653",children:"(#6653)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add initial Updatecli ADR automation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6583",children:"(#6583)"})]}),"\n",(0,i.jsxs)(s.li,{children:["December 2022 channels update ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6618",children:"(#6618)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Change Updatecli GH action reference branch ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6682",children:"(#6682)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix OpenRC init script error 'openrc-run.sh: source: not found' ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6614",children:"(#6614)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add Dependabot config for security ADR ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6560",children:"(#6560)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.14-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6693",children:"(#6693)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.14-k3s1. This includes a backported fix for ",(0,i.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"containerd/7843"})," which caused pods to lose their CNI info when containerd was restarted, which in turn caused the kubelet to recreate the pod."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Exclude December r1 releases from channel server ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6706",children:"(#6706)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1260k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.0+k3s1",children:"v1.26.0+k3s1"})]}),"\n",(0,i.jsxs)(s.blockquote,{children:["\n",(0,i.jsx)(s.h2,{id:"\ufe0f-warning",children:"\u26a0\ufe0f WARNING"}),"\n",(0,i.jsxs)(s.p,{children:["This release is affected by ",(0,i.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"https://github.com/containerd/containerd/issues/7843"}),", which causes the kubelet to restart all pods whenever K3s is restarted. For this reason, we have removed this K3s release from the channel server. Please use ",(0,i.jsx)(s.code,{children:"v1.26.0+k3s2"})," instead."]}),"\n"]}),"\n",(0,i.jsx)(s.p,{children:"This release is K3S's first in the v1.26 line. This release updates Kubernetes to v1.26.0."}),"\n",(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1255k3s1",children:"Changes since v1.25.5+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Remove deprecated flags in v1.26 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6574",children:"(#6574)"})]}),"\n",(0,i.jsxs)(s.li,{children:['Using "etcd-snapshot" for saving snapshots is now deprecated, use "etcd-snapshot save" instead. ',(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6575",children:"(#6575)"})]}),"\n",(0,i.jsx)(s.li,{children:"Update to v1.26.0-k3s1"}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update kubernetes to v1.26.0-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update cri-tools to v1.26.0-rc.0-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update helm controller to v0.13.1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update etcd to v3.5.5-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update cri-dockerd to the latest 1.26.0"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update cadvisor"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update containerd to v1.6.12-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6370",children:"(#6370)"})]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Preload iptable_filter/ip6table_filter ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6645",children:"(#6645)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump k3s-root version to v0.12.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6651",children:"(#6651)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,i.jsx)(s,{...e,children:(0,i.jsx)(a,{...e})}):a(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>h,a:()=>l});var i=t(7294);const r={},n=i.createContext(r);function l(e){const s=i.useContext(n);return i.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:l(e.components),i.createElement(n.Provider,{value:s},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1620],{3012:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var i=t(5893),r=t(1151);const n={hide_table_of_contents:!0,sidebar_position:5},l="v1.26.X",h={id:"release-notes/v1.26.X",title:"v1.26.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.26.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.26.X",permalink:"/release-notes/v1.26.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.26.X.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,sidebarPosition:5,frontMatter:{hide_table_of_contents:!0,sidebar_position:5},sidebar:"mySidebar",previous:{title:"v1.27.X",permalink:"/release-notes/v1.27.X"},next:{title:"v1.25.X",permalink:"/release-notes/v1.25.X"}},c={},d=[{value:"Release v1.26.15+k3s1",id:"release-v12615k3s1",level:2},{value:"Changes since v1.26.14+k3s1:",id:"changes-since-v12614k3s1",level:3},{value:"Release v1.26.14+k3s1",id:"release-v12614k3s1",level:2},{value:"Changes since v1.26.13+k3s2:",id:"changes-since-v12613k3s2",level:3},{value:"Release v1.26.13+k3s2",id:"release-v12613k3s2",level:2},{value:"Changes since v1.26.12+k3s1:",id:"changes-since-v12612k3s1",level:3},{value:"Release v1.26.12+k3s1",id:"release-v12612k3s1",level:2},{value:"Changes since v1.26.11+k3s2:",id:"changes-since-v12611k3s2",level:3},{value:"Release v1.26.11+k3s2",id:"release-v12611k3s2",level:2},{value:"Changes since v1.26.10+k3s2:",id:"changes-since-v12610k3s2",level:3},{value:"Release v1.26.10+k3s2",id:"release-v12610k3s2",level:2},{value:"Changes since v1.26.10+k3s1:",id:"changes-since-v12610k3s1",level:3},{value:"Release v1.26.10+k3s1",id:"release-v12610k3s1",level:2},{value:"Changes since v1.26.9+k3s1:",id:"changes-since-v1269k3s1",level:3},{value:"Release v1.26.9+k3s1",id:"release-v1269k3s1",level:2},{value:"Changes since v1.26.8+k3s1:",id:"changes-since-v1268k3s1",level:3},{value:"Release v1.26.8+k3s1",id:"release-v1268k3s1",level:2},{value:"Changes since v1.26.7+k3s1:",id:"changes-since-v1267k3s1",level:3},{value:"Release v1.26.7+k3s1",id:"release-v1267k3s1",level:2},{value:"Changes since v1.26.6+k3s1:",id:"changes-since-v1266k3s1",level:3},{value:"Release v1.26.6+k3s1",id:"release-v1266k3s1",level:2},{value:"Changes since v1.26.5+k3s1:",id:"changes-since-v1265k3s1",level:3},{value:"Release v1.26.5+k3s1",id:"release-v1265k3s1",level:2},{value:"Changes since v1.26.4+k3s1:",id:"changes-since-v1264k3s1",level:3},{value:"Release v1.26.4+k3s1",id:"release-v1264k3s1",level:2},{value:"Changes since v1.26.3+k3s1:",id:"changes-since-v1263k3s1",level:3},{value:"Release v1.26.3+k3s1",id:"release-v1263k3s1",level:2},{value:"Changes since v1.26.2+k3s1:",id:"changes-since-v1262k3s1",level:3},{value:"Release v1.26.2+k3s1",id:"release-v1262k3s1",level:2},{value:"Changes since v1.26.1+k3s1:",id:"changes-since-v1261k3s1",level:3},{value:"Release v1.26.1+k3s1",id:"release-v1261k3s1",level:2},{value:"Changes since v1.26.0+k3s2:",id:"changes-since-v1260k3s2",level:3},{value:"Release v1.26.0+k3s2",id:"release-v1260k3s2",level:2},{value:"Changes since v1.26.0+k3s1:",id:"changes-since-v1260k3s1",level:3},{value:"Release v1.26.0+k3s1",id:"release-v1260k3s1",level:2},{value:"\u26a0\ufe0f WARNING",id:"\ufe0f-warning",level:2},{value:"Changes since v1.25.5+k3s1:",id:"changes-since-v1255k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(s.header,{children:(0,i.jsx)(s.h1,{id:"v126x",children:"v1.26.X"})}),"\n",(0,i.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,i.jsxs)(s.table,{children:[(0,i.jsx)(s.thead,{children:(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.th,{children:"Version"}),(0,i.jsx)(s.th,{children:"Release date"}),(0,i.jsx)(s.th,{children:"Kubernetes"}),(0,i.jsx)(s.th,{children:"Kine"}),(0,i.jsx)(s.th,{children:"SQLite"}),(0,i.jsx)(s.th,{children:"Etcd"}),(0,i.jsx)(s.th,{children:"Containerd"}),(0,i.jsx)(s.th,{children:"Runc"}),(0,i.jsx)(s.th,{children:"Flannel"}),(0,i.jsx)(s.th,{children:"Metrics-server"}),(0,i.jsx)(s.th,{children:"Traefik"}),(0,i.jsx)(s.th,{children:"CoreDNS"}),(0,i.jsx)(s.th,{children:"Helm-controller"}),(0,i.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,i.jsxs)(s.tbody,{children:[(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12615k3s1",children:"v1.26.15+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 25 2024"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12615",children:"v1.26.15"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12614k3s1",children:"v1.26.14+k3s1"})}),(0,i.jsx)(s.td,{children:"Feb 29 2024"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12614",children:"v1.26.14"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12613k3s2",children:"v1.26.13+k3s2"})}),(0,i.jsx)(s.td,{children:"Feb 06 2024"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12613",children:"v1.26.13"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12612k3s1",children:"v1.26.12+k3s1"})}),(0,i.jsx)(s.td,{children:"Dec 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12612",children:"v1.26.12"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2.26",children:"v1.7.11-k3s2.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.10",children:"v1.1.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12611k3s2",children:"v1.26.11+k3s2"})}),(0,i.jsx)(s.td,{children:"Dec 07 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12611",children:"v1.26.11"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.26",children:"v1.7.7-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12610k3s2",children:"v1.26.10+k3s2"})}),(0,i.jsx)(s.td,{children:"Nov 08 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12610",children:"v1.26.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.26",children:"v1.7.7-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v12610k3s1",children:"v1.26.10+k3s1"})}),(0,i.jsx)(s.td,{children:"Oct 30 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v12610",children:"v1.26.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1.26",children:"v1.7.7-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1269k3s1",children:"v1.26.9+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 20 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1269",children:"v1.26.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.6-k3s1.26",children:"v1.7.6-k3s1.26"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1268k3s1",children:"v1.26.8+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 05 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1268",children:"v1.26.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.2",children:"v0.10.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s1",children:"v1.7.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1267k3s1",children:"v1.26.7+k3s1"})}),(0,i.jsx)(s.td,{children:"Jul 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1267",children:"v1.26.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.2",children:"v0.15.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1266k3s1",children:"v1.26.6+k3s1"})}),(0,i.jsx)(s.td,{children:"Jun 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1266",children:"v1.26.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.0",children:"v0.15.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1265k3s1",children:"v1.26.5+k3s1"})}),(0,i.jsx)(s.td,{children:"May 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1265",children:"v1.26.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.14.0",children:"v0.14.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1264k3s1",children:"v1.26.4+k3s1"})}),(0,i.jsx)(s.td,{children:"Apr 20 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1264",children:"v1.26.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.7-k3s1",children:"v3.5.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.5",children:"v1.1.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.3",children:"v0.13.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1263k3s1",children:"v1.26.3+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1263",children:"v1.26.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1262k3s1",children:"v1.26.2+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 10 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1262",children:"v1.26.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.1",children:"v0.21.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1261k3s1",children:"v1.26.1+k3s1"})}),(0,i.jsx)(s.td,{children:"Jan 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1261",children:"v1.26.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.8",children:"v0.9.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1260k3s2",children:"v1.26.0+k3s2"})}),(0,i.jsx)(s.td,{children:"Jan 11 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1260",children:"v1.26.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.8",children:"v0.9.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.14-k3s1",children:"v1.6.14-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.26.X#release-v1260k3s1",children:"v1.26.0+k3s1"})}),(0,i.jsx)(s.td,{children:"Dec 21 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1260",children:"v1.26.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.8",children:"v0.9.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.5-k3s1",children:"v3.5.5-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.12-k3s1",children:"v1.6.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]})]})]}),"\n",(0,i.jsx)("br",{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12615k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.15+k3s1",children:"v1.26.15+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.15, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12614",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12614k3s1",children:"Changes since v1.26.14+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update klipper-lb image version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9607",children:"(#9607)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Install and Unit test backports ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9645",children:"(#9645)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Adjust first node-ip based on configured clusterCIDR ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9633",children:"(#9633)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add an integration test for flannel-backend=none ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9610",children:"(#9610)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve tailscale e2e test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9655",children:"(#9655)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-03 release cycle ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9692",children:"(#9692)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fix: use correct wasm shims names"}),"\n",(0,i.jsx)(s.li,{children:"The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller."}),"\n",(0,i.jsx)(s.li,{children:"Bump spegel to v0.0.18-k3s3"}),"\n",(0,i.jsx)(s.li,{children:"Adds wildcard registry support"}),"\n",(0,i.jsx)(s.li,{children:"Fixes issue with excessive CPU utilization while waiting for containerd to start"}),"\n",(0,i.jsx)(s.li,{children:"Add env var to allow spegel mirroring of latest tag"}),"\n",(0,i.jsx)(s.li,{children:"Tweak netpol node wait logs"}),"\n",(0,i.jsx)(s.li,{children:"Fix coredns NodeHosts on dual-stack clusters"}),"\n",(0,i.jsx)(s.li,{children:"Bump helm-controller/klipper-helm versions"}),"\n",(0,i.jsx)(s.li,{children:"Fix snapshot prune"}),"\n",(0,i.jsx)(s.li,{children:"Fix issue with etcd node name missing hostname"}),"\n",(0,i.jsx)(s.li,{children:"Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode."}),"\n",(0,i.jsxs)(s.li,{children:["To enable raw output for the ",(0,i.jsx)(s.code,{children:"check-config"})," subcommand, you may now set NO_COLOR=1"]}),"\n",(0,i.jsx)(s.li,{children:"Fix additional corner cases in registries handling"}),"\n",(0,i.jsx)(s.li,{children:"Bump metrics-server to v0.7.0"}),"\n",(0,i.jsx)(s.li,{children:"K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix wildcard entry upstream fallback ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9735",children:"(#9735)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.15-k3s1 and Go 1.21.8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9740",children:"(#9740)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12614k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.14+k3s1",children:"v1.26.14+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.14, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12613",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12613k3s2",children:"Changes since v1.26.13+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Chore: bump Local Path Provisioner version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9428",children:"(#9428)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump cri-dockerd to fix compat with Docker Engine 25 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9292",children:"(#9292)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Auto Dependency Bump ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9421",children:"(#9421)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Runtimes refactor using exec.LookPath ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9429",children:"(#9429)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Changed how lastHeartBeatTime works in the etcd condition ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9423",children:"(#9423)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow executors to define containerd and docker behavior ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9252",children:"(#9252)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kube-router to v2.0.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9406",children:"(#9406)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-02 release cycle ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9464",children:"(#9464)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump flannel version + remove multiclustercidr ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9409",children:"(#9409)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Enable longer http timeout requests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9446",children:"(#9446)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Test_UnitApplyContainerdQoSClassConfigFileIfPresent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9442",children:"(#9442)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Support PR testing installs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9471",children:"(#9471)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.26.14 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9490",children:"(#9490)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix drone publish for arm ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9510",children:"(#9510)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove failing Drone step ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9514",children:"(#9514)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Restore original order of agent startup functions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9547",children:"(#9547)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix netpol startup when flannel is disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9580",children:"(#9580)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12613k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.13+k3s2",children:"v1.26.13+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.13, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12612",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.p,{children:(0,i.jsx)(s.strong,{children:"Important Notes"})}),"\n",(0,i.jsxs)(s.p,{children:["Addresses the runc CVE: ",(0,i.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2024-21626",children:"CVE-2024-21626"})," by updating runc to v1.1.12."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12612k3s1",children:"Changes since v1.26.12+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add a retry around updating a secrets-encrypt node annotations ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9123",children:"(#9123)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9116",children:"(#9116)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for taint to be gone in the node before starting the netpol controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9177",children:"(#9177)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Etcd condition ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9183",children:"(#9183)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-01 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9212",children:"(#9212)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Move proxy dialer out of init() and fix crash ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9221",children:"(#9221)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pin opa version for missing dependency chain ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9218",children:"(#9218)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Etcd node is nil ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9230",children:"(#9230)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.13 and Go 1.20.13 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9262",children:"(#9262)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use ",(0,i.jsx)(s.code,{children:"ipFamilyPolicy: RequireDualStack"})," for dual-stack kube-dns ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9271",children:"(#9271)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2024-01 k3s2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9338",children:"(#9338)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bump runc to v1.1.12 and helm-controller to v0.15.7"}),"\n",(0,i.jsx)(s.li,{children:"Fix handling of bare hostname or IP as endpoint address in registries.yaml"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump helm-controller to fix issue with ChartContent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9348",children:"(#9348)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12612k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.12+k3s1",children:"v1.26.12+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.12, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12611",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12611k3s2",children:"Changes since v1.26.11+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Runtimes backport ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9014",children:"(#9014)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Added runtime classes for wasm/nvidia/crun"}),"\n",(0,i.jsx)(s.li,{children:"Added default runtime flag for containerd"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.10-k3s1/v1.1.10 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8964",children:"(#8964)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix overlapping address range ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9019",children:"(#9019)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow setting default-runtime on servers ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9028",children:"(#9028)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.7.11 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9042",children:"(#9042)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.12-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9077",children:"(#9077)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12611k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.11+k3s2",children:"v1.26.11+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.11, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12610",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12610k3s2",children:"Changes since v1.26.10+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Etcd status condition ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8820",children:"(#8820)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-11 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8879",children:"(#8879)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["New timezone info in Docker image allows the use of ",(0,i.jsx)(s.code,{children:"spec.timeZone"})," in CronJobs"]}),"\n",(0,i.jsx)(s.li,{children:"Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation."}),"\n",(0,i.jsxs)(s.li,{children:["Containerd may now be configured to use rdt or blockio configuration by defining ",(0,i.jsx)(s.code,{children:"rdt_config.yaml"})," or ",(0,i.jsx)(s.code,{children:"blockio_config.yaml"})," files."]}),"\n",(0,i.jsx)(s.li,{children:"Add agent flag disable-apiserver-lb, agent will not start load balance proxy."}),"\n",(0,i.jsx)(s.li,{children:"Improved ingress IP ordering from ServiceLB"}),"\n",(0,i.jsx)(s.li,{children:"Disable helm CRD installation for disable-helm-controller"}),"\n",(0,i.jsx)(s.li,{children:"Omit snapshot list configmap entries for snapshots without extra metadata"}),"\n",(0,i.jsx)(s.li,{children:"Add jitter to client config retry to avoid hammering servers when they are starting up"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add warning for removal of multiclustercidr flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8760",children:"(#8760)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Handle nil pointer when runtime core is not ready in etcd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8888",children:"(#8888)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve dualStack log ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8829",children:"(#8829)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump dynamiclistener; reduce snapshot controller log spew ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8903",children:"(#8903)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret"}),"\n",(0,i.jsx)(s.li,{children:"Reduced etcd snapshot log spam during initial cluster startup"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix etcd snapshot S3 issues ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8938",children:"(#8938)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Don't apply S3 retention if S3 client failed to initialize"}),"\n",(0,i.jsx)(s.li,{children:"Don't request metadata when listing S3 snapshots"}),"\n",(0,i.jsx)(s.li,{children:"Print key instead of file path in snapshot metadata log message"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.11 and Go to 1.20.11 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8922",children:"(#8922)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove s390x ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9000",children:"(#9000)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12610k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.10+k3s2",children:"v1.26.10+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.10, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v12610",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12610k3s1",children:"Changes since v1.26.10+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix SystemdCgroup in templates_linux.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8766",children:"(#8766)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue with identifying additional container runtimes"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update traefik chart to v25.0.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8776",children:"(#8776)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update traefik to fix registry value ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8790",children:"(#8790)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12610k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.10+k3s1",children:"v1.26.10+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.10, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1269",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1269k3s1",children:"Changes since v1.26.9+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix error reporting ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8412",children:"(#8412)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add context to flannel errors ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8420",children:"(#8420)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Testing Backports for September ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8300",children:"(#8300)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Include the interface name in the error message ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8436",children:"(#8436)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8444",children:"(#8444)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add extraArgs to tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8465",children:"(#8465)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added error when cluster reset while using server flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8456",children:"(#8456)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The user will receive a error when --cluster-reset with the --server flag"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Cluster reset from non bootstrap nodes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8453",children:"(#8453)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix spellcheck problem ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8510",children:"(#8510)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Take IPFamily precedence based on order ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8505",children:"(#8505)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Network defaults are duplicated, remove one ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8552",children:"(#8552)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Advertise address integration test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8517",children:"(#8517)"})]}),"\n",(0,i.jsxs)(s.li,{children:["System agent push tags fix ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8570",children:"(#8570)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed tailscale node IP dualstack mode in case of IPv4 only node ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8559",children:"(#8559)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Server Token Rotation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8577",children:"(#8577)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Users can now rotate the server token using ",(0,i.jsx)(s.code,{children:"k3s token rotate -t --new-token "}),". After command succeeds, all server nodes must be restarted with the new token."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Clear remove annotations on cluster reset ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8590",children:"(#8590)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Use IPv6 in case is the first configured IP with dualstack ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8598",children:"(#8598)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-10 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8616",children:"(#8616)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E Domain Drone Cleanup ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8583",children:"(#8583)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router package in build script ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8635",children:"(#8635)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add etcd-only/control-plane-only server test and fix control-plane-only server crash ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8643",children:"(#8643)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use ",(0,i.jsx)(s.code,{children:"version.Program"})," not K3s in token rotate logs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8655",children:"(#8655)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Windows agent support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8647",children:"(#8647)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add --image-service-endpoint flag (#8279) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8663",children:"(#8663)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add ",(0,i.jsx)(s.code,{children:"--image-service-endpoint"})," flag to specify an external image service socket."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Backport etcd fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8691",children:"(#8691)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Re-enable etcd endpoint auto-sync"}),"\n",(0,i.jsx)(s.li,{children:"Manually requeue configmap reconcile when no nodes have reconciled snapshots"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.10 and Go to v1.20.10 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8680",children:"(#8680)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix s3 snapshot restore ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8734",children:"(#8734)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1269k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.9+k3s1",children:"v1.26.9+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.9, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1268",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1268k3s1",children:"Changes since v1.26.8+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.10.3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8325",children:"(#8325)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.9 and go to v1.20.8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8357",children:"(#8357)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bump embedded containerd to v1.7.6"}),"\n",(0,i.jsx)(s.li,{children:"Bump embedded stargz-snapshotter plugin to latest"}),"\n",(0,i.jsx)(s.li,{children:"Fixed intermittent drone CI failures due to race conditions in test environment setup scripts"}),"\n",(0,i.jsx)(s.li,{children:"Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1268k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.8+k3s1",children:"v1.26.8+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.8, and fixes a number of issues."}),"\n",(0,i.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,i.jsxs)(s.p,{children:["This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including mandatory steps necessary to harden clusters against this vulnerability."]})}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1267",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1267k3s1",children:"Changes since v1.26.7+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel and plugins ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8075",children:"(#8075)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix tailscale bug with ip modes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8097",children:"(#8097)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Etcd snapshots retention when node name changes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8122",children:"(#8122)"})]}),"\n",(0,i.jsxs)(s.li,{children:["August Test Backports ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8126",children:"(#8126)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-08 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8129",children:"(#8129)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries."}),"\n",(0,i.jsxs)(s.li,{children:["K3s no longer enables the apiserver's ",(0,i.jsx)(s.code,{children:"enable-aggregator-routing"})," flag when the egress proxy is not being used to route connections to in-cluster endpoints."]}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded containerd to v1.7.3+k3s1"}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded runc to v1.1.8"}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded etcd to v3.5.9+k3s1"}),"\n",(0,i.jsxs)(s.li,{children:["User-provided containerd config templates may now use ",(0,i.jsx)(s.code,{children:'{{ template "base" . }}'})," to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file."]}),"\n",(0,i.jsx)(s.li,{children:"Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client."}),"\n",(0,i.jsx)(s.li,{children:"Updated kine to v0.10.2"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["K3s etcd-snapshot delete fail to delete local file when called with s3 flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8144",children:"(#8144)"})]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix for cluster-reset backup from s3 when etcd snapshots are disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8170",children:"(#8170)"})]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed the etcd retention to delete orphaned snapshots based on the date ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8189",children:"(#8189)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Additional backports for 2023-08 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8212",children:"(#8212)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The version of ",(0,i.jsx)(s.code,{children:"helm"})," used by the bundled helm controller's job image has been updated to v3.12.3"]}),"\n",(0,i.jsx)(s.li,{children:"Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes."}),"\n",(0,i.jsx)(s.li,{children:"The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Move flannel to 0.22.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8222",children:"(#8222)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8235",children:"(#8235)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add new CLI flag to enable TLS SAN CN filtering ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8258",children:"(#8258)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Added a new ",(0,i.jsx)(s.code,{children:"--tls-san-security"})," option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8274",children:"(#8274)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1267k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.7+k3s1",children:"v1.26.7+k3s1"})]}),"\n",(0,i.jsxs)(s.p,{children:["This release updates Kubernetes to v1.26.7, and fixes a number of issues.\r\n\u200b\r\nFor more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1266",children:"Kubernetes release notes"}),".\r\n\u200b"]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1266k3s1",children:"Changes since v1.26.6+k3s1:"}),"\n",(0,i.jsx)(s.p,{children:"\u200b"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Remove file_windows.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7855",children:"(#7855)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix code spell check ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7859",children:"(#7859)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow k3s to customize apiServerPort on helm-controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7874",children:"(#7874)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Check if we are on ipv4, ipv6 or dualStack when doing tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7882",children:"(#7882)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Support setting control server URL for Tailscale. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7893",children:"(#7893)"})]}),"\n",(0,i.jsxs)(s.li,{children:["S3 and Startup tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7885",children:"(#7885)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix rootless node password ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7901",children:"(#7901)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-07 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7908",children:"(#7908)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted."}),"\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"k3s certificate rotate-ca"})," command now supports the data-dir flag."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Adding cli to custom klipper helm image ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7914",children:"(#7914)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The default helm-controller job image can now be overridden with the --helm-job-image CLI flag"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Generation of certs and keys for etcd gated if etcd is disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7944",children:"(#7944)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Don't use zgrep in ",(0,i.jsx)(s.code,{children:"check-config"})," if apparmor profile is enforced ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7956",children:"(#7956)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix image_scan.sh script and download trivy version (#7950) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7968",children:"(#7968)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Adjust default kubeconfig file permissions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7983",children:"(#7983)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.7 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8022",children:"(#8022)"}),"\r\n\u200b"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1266k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.6+k3s1",children:"v1.26.6+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.6, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1265",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1265k3s1",children:"Changes since v1.26.5+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7648",children:"(#7648)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump vagrant libvirt with fix for plugin installs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7658",children:"(#7658)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E and Dep Backports - June ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7693",children:"(#7693)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bump docker go.mod #7681"}),"\n",(0,i.jsx)(s.li,{children:"Shortcircuit commands with version or help flags #7683"}),"\n",(0,i.jsx)(s.li,{children:"Add Rotation certification Check, remove func to restart agents #7097"}),"\n",(0,i.jsx)(s.li,{children:"E2E: Sudo for RunCmdOnNode #7686"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["VPN integration ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7727",children:"(#7727)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2e: Private registry test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7721",children:"(#7721)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix spelling check ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7751",children:"(#7751)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove unused libvirt config ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7757",children:"(#7757)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7717",children:"(#7717)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default."}),"\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"coredns-custom"})," ConfigMap now allows for ",(0,i.jsx)(s.code,{children:"*.override"})," sections to be included in the ",(0,i.jsx)(s.code,{children:".:53"})," default server block."]}),"\n",(0,i.jsx)(s.li,{children:"The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user."}),"\n",(0,i.jsx)(s.li,{children:"Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local."}),"\n",(0,i.jsx)(s.li,{children:"Make LB image configurable when compiling k3s"}),"\n",(0,i.jsx)(s.li,{children:"K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod."}),"\n",(0,i.jsx)(s.li,{children:"The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release."}),"\n",(0,i.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add format command on makefile ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7762",children:"(#7762)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix logging and cleanup in Tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7782",children:"(#7782)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.26.6 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7789",children:"(#7789)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1265k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.5+k3s1",children:"v1.26.5+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.5, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1264",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1264k3s1",children:"Changes since v1.26.4+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Ensure that klog verbosity is set to the same level as logrus ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7360",children:"(#7360)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Prepend release branch to dependabot ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7374",children:"(#7374)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add integration tests for etc-snapshot server flags ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7377",children:"(#7377)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Runc and Containerd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7399",children:"(#7399)"})]}),"\n",(0,i.jsxs)(s.li,{children:["CLI + Config Enhancement ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7403",children:"(#7403)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:[(0,i.jsx)(s.code,{children:"--Tls-sans"})," now accepts multiple arguments: ",(0,i.jsx)(s.code,{children:'--tls-sans="foo,bar"'})]}),"\n",(0,i.jsxs)(s.li,{children:[(0,i.jsx)(s.code,{children:"Prefer-bundled-bin: true"})," now works properly when set in ",(0,i.jsx)(s.code,{children:"config.yaml.d"})," files"]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Migrate netutil methods into /utils/net.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7432",children:"(#7432)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kube-router version to fix a bug when a port name is used ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7460",children:"(#7460)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Kube flags and longhorn storage tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7465",children:"(#7465)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Local-storage: Fix permission ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7474",children:"(#7474)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.7.0 and move back into multicall binary ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7444",children:"(#7444)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded containerd version has been bumped to ",(0,i.jsx)(s.code,{children:"v1.7.0-k3s1"}),", and has been reintegrated into the main k3s binary for a significant savings in release artifact size."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7514",children:"(#7514)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:'K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.'}),"\n",(0,i.jsx)(s.li,{children:"K3s once again supports aarch64 nodes with page size > 4k"}),"\n",(0,i.jsx)(s.li,{children:"The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0"}),"\n",(0,i.jsxs)(s.li,{children:["K3s now prints a more meaningful error when attempting to run from a filesystem mounted ",(0,i.jsx)(s.code,{children:"noexec"}),"."]}),"\n",(0,i.jsxs)(s.li,{children:["K3s now exits with a proper error message when the server token uses a bootstrap token ",(0,i.jsx)(s.code,{children:"id.secret"})," format."]}),"\n",(0,i.jsx)(s.li,{children:"Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content."}),"\n",(0,i.jsx)(s.li,{children:"Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component."}),"\n",(0,i.jsx)(s.li,{children:"Fixed an regression that prevented the pod and cluster egress-selector modes from working properly."}),"\n",(0,i.jsx)(s.li,{children:"K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes."}),"\n",(0,i.jsx)(s.li,{children:"K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster."}),"\n",(0,i.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.10.1. This replaces the legacy ",(0,i.jsx)(s.code,{children:"lib/pq"})," postgres driver with ",(0,i.jsx)(s.code,{children:"pgx"}),"."]}),"\n",(0,i.jsx)(s.li,{children:"The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle."}),"\n",(0,i.jsx)(s.li,{children:"The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.1-k3s1/v1.1.7 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7534",children:"(#7534)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Wrap error stating that it is coming from netpol ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7547",children:"(#7547)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add '-all' flag to apply to inactive units ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7573",children:"(#7573)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.5-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7576",children:"(#7576)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pin emicklei/go-restful to v3.9.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7598",children:"(#7598)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1264k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.4+k3s1",children:"v1.26.4+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.4, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1263",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1263k3s1",children:"Changes since v1.26.3+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Enhance ",(0,i.jsx)(s.code,{children:"k3s check-config"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7091",children:"(#7091)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update stable channel to v1.25.8+k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7161",children:"(#7161)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Drone Pipelines enhancement ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7169",children:"(#7169)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix_get_sha_url ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7187",children:"(#7187)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve Updatecli local-path-provisioner pipeline ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7181",children:"(#7181)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve workflow ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7142",children:"(#7142)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve Trivy configuration ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7154",children:"(#7154)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Local Path Provisioner version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7167",children:"(#7167)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled local-path-provisioner version has been bumped to v0.0.24"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump etcd to v3.5.7 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7170",children:"(#7170)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded etcd version has been bumped to v3.5.7"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump runc to v1.1.5 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7171",children:"(#7171)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled runc version has been bumped to v1.1.5"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix race condition caused by etcd advertising addresses that it does not listen on ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7147",children:"(#7147)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed a race condition during cluster reset that could cause the operation to hang and time out."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump coredns to v1.10.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7168",children:"(#7168)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled coredns version has been bumped to v1.10.1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Don't apply hardened args to agent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7089",children:"(#7089)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Upgrade helm-controller to v0.13.3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7209",children:"(#7209)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve Klipper Helm and Helm controller bumps ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7146",children:"(#7146)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix issue with stale connections to removed LB server ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7194",children:"(#7194)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The client load-balancer that maintains connections to active server nodes now closes connections to servers when they are removed from the cluster. This ensures that agent components immediately reconnect to a current cluster member."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump actions/setup-go from 3 to 4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7111",children:"(#7111)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Lock bootstrap data with empty key to prevent conflicts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7215",children:"(#7215)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"When using an external datastore, K3s now locks the bootstrap key while creating initial cluster bootstrap data, preventing a race condition when multiple servers attempted to initialize the cluster simultaneously."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Updated kube-router to move the default ACCEPT rule at the end of the chain ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7218",children:"(#7218)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add make commands to terraform automation and fix external dbs related issue ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7159",children:"(#7159)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update klipper lb to v0.4.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7210",children:"(#7210)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add coreos and sle micro to selinux support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6945",children:"(#6945)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix call for k3s-selinux versions in airgapped environments ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7264",children:"(#7264)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kube-router ACCEPT rule insertion and install script to clean rules before start ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7274",children:"(#7274)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.4-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7282",children:"(#7282)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump golang",":alpine"," image version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7292",children:"(#7292)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Sonobuoy version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7256",children:"(#7256)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Trivy version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7257",children:"(#7257)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1263k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.3+k3s1",children:"v1.26.3+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.3, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1262",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1262k3s1",children:"Changes since v1.26.2+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add E2E to Drone ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6890",children:"(#6890)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add flannel adr ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6973",children:"(#6973)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update flannel and kube-router ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7039",children:"(#7039)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump various dependencies for CVEs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7044",children:"(#7044)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Adds a warning about editing to the containerd config.toml file ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7057",children:"(#7057)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update stable version in channel server ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7066",children:"(#7066)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for kubelet port to be ready before setting ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7041",children:"(#7041)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The agent tunnel authorizer now waits for the kubelet to be ready before reading the kubelet port from the node object."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Improve support for rotating the default self-signed certs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7032",children:"(#7032)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"k3s certificate rotate-ca"})," checks now support rotating self-signed certificates without the ",(0,i.jsx)(s.code,{children:"--force"})," option."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Skip all pipelines based on what is in the PR ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6996",children:"(#6996)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add missing kernel config checks ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6946",children:"(#6946)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove deprecated nodeSelector label beta.kubernetes.io/os ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6970",children:"(#6970)"})]}),"\n",(0,i.jsxs)(s.li,{children:["MultiClusterCIDR for v1.26 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6885",children:"(#6885)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"MultiClusterCIDR feature"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Remove Nikolai from MAINTAINERS list ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7088",children:"(#7088)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add automation for Restart command for K3s ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7002",children:"(#7002)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix to Rotate CA e2e test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7101",children:"(#7101)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Drone: Cleanup E2E VMs on test panic ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7104",children:"(#7104)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.3-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7108",children:"(#7108)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pin golangci-lint version to v1.51.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7113",children:"(#7113)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Clean E2E VMs before testing ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7109",children:"(#7109)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update flannel to fix NAT issue with old iptables version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7136",children:"(#7136)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1262k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.2+k3s1",children:"v1.26.2+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.2, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1261",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1261k3s1",children:"Changes since v1.26.1+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add build tag to disable cri-dockerd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6760",children:"(#6760)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump cri-dockerd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6797",children:"(#6797)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded cri-dockerd has been updated to v0.3.1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update stable channel to v1.25.6+k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6828",children:"(#6828)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E Rancher and Hardened script improvements ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6778",children:"(#6778)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add Ayedo to Adopters ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6801",children:"(#6801)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Consolidate E2E tests and GH Actions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6772",children:"(#6772)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow ServiceLB to honor ",(0,i.jsx)(s.code,{children:"ExternalTrafficPolicy=Local"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6726",children:"(#6726)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"ServiceLB now honors the Service's ExternalTrafficPolicy. When set to Local, the LoadBalancer will only advertise addresses of Nodes with a Pod for the Service, and will not forward traffic to other cluster members."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix cronjob example ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6707",children:"(#6707)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump vagrant boxes to fedora37 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6832",children:"(#6832)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Ensure flag type consistency ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6852",children:"(#6852)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E: Consoldiate docker and prefer bundled tests into new startup test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6851",children:"(#6851)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix reference to documentation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6860",children:"(#6860)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump deps: trivy, sonobuoy, dapper, golangci-lint, gopls ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6807",children:"(#6807)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix check for (open)SUSE version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6791",children:"(#6791)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add support for user-provided CA certificates ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6615",children:"(#6615)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["K3s now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before K3s starts in the github repo at ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/certs.sh",children:"contrib/util/certs.sh"}),"."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Ignore value conflicts when reencrypting secrets ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6850",children:"(#6850)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add ",(0,i.jsx)(s.code,{children:"kubeadm"})," style bootstrap token secret support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6663",children:"(#6663)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["K3s now supports ",(0,i.jsx)(s.code,{children:"kubeadm"})," style join tokens. ",(0,i.jsx)(s.code,{children:"k3s token create"})," now creates join token secrets, optionally with a limited TTL."]}),"\n",(0,i.jsx)(s.li,{children:"K3s agents joined with an expired or deleted token stay in the cluster using existing client certificates via the NodeAuthorization admission plugin, unless their Node object is deleted from the cluster."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add NATS to the list of supported data stores ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6876",children:"(#6876)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use default address family when adding kubernetes service address to SAN list ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6857",children:"(#6857)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The apiserver advertised address and IP SAN entry are now set correctly on clusters that use IPv6 as the default IP family."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix issue with servicelb startup failure when validating webhooks block creation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6911",children:"(#6911)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded cloud controller manager will no longer attempt to unconditionally re-create its namespace and serviceaccount on startup. This resolves an issue that could cause a deadlocked cluster when fail-closed webhooks are in use."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6829",children:"(#6829)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue that would cause the apiserver egress proxy to attempt to use the agent tunnel to connect to service endpoints even in agent or disabled mode."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for server to become ready before creating token ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6932",children:"(#6932)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow for multiple sets of leader-elected controllers ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6922",children:"(#6922)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue where leader-elected controllers for managed etcd did not run on etcd-only nodes"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update Flannel to v0.21.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6944",children:"(#6944)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix Nightly E2E tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6950",children:"(#6950)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix etcd and ca-cert rotate issues ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6952",children:"(#6952)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix ServiceLB dual-stack ingress IP listing ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6979",children:"(#6979)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Resolved an issue with ServiceLB that would cause it to advertise node IPv6 addresses, even if the cluster or service was not enabled for dual-stack operation."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.9.9 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6974",children:"(#6974)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.9.9. Compaction log messages are now omitted at ",(0,i.jsx)(s.code,{children:"info"})," level for increased visibility."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.2-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7011",children:"(#7011)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1261k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.1+k3s1",children:"v1.26.1+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.26.1, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1260",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1260k3s2",children:"Changes since v1.26.0+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add jitter to scheduled snapshots and retry harder on conflicts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6715",children:"(#6715)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Scheduled etcd snapshots are now offset by a short random delay of up to several seconds. This should prevent multi-server clusters from executing pathological behavior when attempting to simultaneously update the snapshot list ConfigMap. The snapshot controller will also be more persistent in attempting to update the snapshot list."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Adjust e2e test run script and fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6718",children:"(#6718)"})]}),"\n",(0,i.jsxs)(s.li,{children:["RIP Codespell ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6701",children:"(#6701)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump alpine from 3.16 to 3.17 in /package ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6688",children:"(#6688)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump alpine from 3.16 to 3.17 in /conformance ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6687",children:"(#6687)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.15-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6722",children:"(#6722)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.15-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Containerd restart testlet ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6696",children:"(#6696)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump ubuntu from 20.04 to 22.04 in /tests/e2e/scripts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6686",children:"(#6686)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add explicit read permissions to workflows ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6700",children:"(#6700)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pass through default tls-cipher-suites ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6725",children:"(#6725)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The K3s default cipher suites are now explicitly passed in to kube-apiserver, ensuring that all listeners use these values."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump golang",":alpine"," image version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6683",children:"(#6683)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bugfix: do not break cert-manager when pprof is enabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6635",children:"(#6635)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix CI tests on Alpine 3.17 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6744",children:"(#6744)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Stable to 1.25.5+k3s2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6753",children:"(#6753)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump action/download-artifact to v3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6746",children:"(#6746)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Generate report and upload test results ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6737",children:"(#6737)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Slow dependency CI to weekly ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6764",children:"(#6764)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix Drone plugins/docker tag for 32 bit arm ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6769",children:"(#6769)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.26.1-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6774",children:"(#6774)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1260k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.0+k3s2",children:"v1.26.0+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates containerd to v1.6.14 to resolve an issue where pods would lose their CNI information when containerd was restarted, as well as a number of other stability and administrative changes."}),"\n",(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1260k3s1",children:"Changes since v1.26.0+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Current status badges ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6653",children:"(#6653)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add initial Updatecli ADR automation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6583",children:"(#6583)"})]}),"\n",(0,i.jsxs)(s.li,{children:["December 2022 channels update ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6618",children:"(#6618)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Change Updatecli GH action reference branch ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6682",children:"(#6682)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix OpenRC init script error 'openrc-run.sh: source: not found' ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6614",children:"(#6614)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add Dependabot config for security ADR ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6560",children:"(#6560)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.14-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6693",children:"(#6693)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.14-k3s1. This includes a backported fix for ",(0,i.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"containerd/7843"})," which caused pods to lose their CNI info when containerd was restarted, which in turn caused the kubelet to recreate the pod."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Exclude December r1 releases from channel server ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6706",children:"(#6706)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1260k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.26.0+k3s1",children:"v1.26.0+k3s1"})]}),"\n",(0,i.jsxs)(s.blockquote,{children:["\n",(0,i.jsx)(s.h2,{id:"\ufe0f-warning",children:"\u26a0\ufe0f WARNING"}),"\n",(0,i.jsxs)(s.p,{children:["This release is affected by ",(0,i.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"https://github.com/containerd/containerd/issues/7843"}),", which causes the kubelet to restart all pods whenever K3s is restarted. For this reason, we have removed this K3s release from the channel server. Please use ",(0,i.jsx)(s.code,{children:"v1.26.0+k3s2"})," instead."]}),"\n"]}),"\n",(0,i.jsx)(s.p,{children:"This release is K3S's first in the v1.26 line. This release updates Kubernetes to v1.26.0."}),"\n",(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1255k3s1",children:"Changes since v1.25.5+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Remove deprecated flags in v1.26 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6574",children:"(#6574)"})]}),"\n",(0,i.jsxs)(s.li,{children:['Using "etcd-snapshot" for saving snapshots is now deprecated, use "etcd-snapshot save" instead. ',(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6575",children:"(#6575)"})]}),"\n",(0,i.jsx)(s.li,{children:"Update to v1.26.0-k3s1"}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update kubernetes to v1.26.0-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update cri-tools to v1.26.0-rc.0-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update helm controller to v0.13.1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update etcd to v3.5.5-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update cri-dockerd to the latest 1.26.0"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Update cadvisor"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update containerd to v1.6.12-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6370",children:"(#6370)"})]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Preload iptable_filter/ip6table_filter ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6645",children:"(#6645)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump k3s-root version to v0.12.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6651",children:"(#6651)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,i.jsx)(s,{...e,children:(0,i.jsx)(a,{...e})}):a(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>h,a:()=>l});var i=t(7294);const r={},n=i.createContext(r);function l(e){const s=i.useContext(n);return i.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:l(e.components),i.createElement(n.Provider,{value:s},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/0e4359fd.c616c97c.js b/assets/js/0e4359fd.bd0b3018.js
similarity index 99%
rename from assets/js/0e4359fd.c616c97c.js
rename to assets/js/0e4359fd.bd0b3018.js
index 23237bad7..ef3dd6052 100644
--- a/assets/js/0e4359fd.c616c97c.js
+++ b/assets/js/0e4359fd.bd0b3018.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9751],{8495:(e,t,n)=>{n.r(t),n.d(t,{assets:()=>o,contentTitle:()=>a,default:()=>h,frontMatter:()=>i,metadata:()=>c,toc:()=>l});var s=n(5893),r=n(1151);const i={title:"Helm"},a=void 0,c={id:"helm",title:"Helm",description:"Helm is the package management tool of choice for Kubernetes. Helm charts provide templating syntax for Kubernetes YAML manifest documents. With Helm, developers or cluster administrators can create configurable templates known as Charts, instead of just using static manifests. For more information about creating your own Chart catalog, check out the docs at https://helm.sh/docs/intro/quickstart/.",source:"@site/docs/helm.md",sourceDirName:".",slug:"/helm",permalink:"/helm",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/helm.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Helm"},sidebar:"mySidebar",previous:{title:"Networking Services",permalink:"/networking/networking-services"},next:{title:"Advanced Options / Configuration",permalink:"/advanced"}},o={},l=[{value:"Using the Helm Controller",id:"using-the-helm-controller",level:3},{value:"HelmChart Field Definitions",id:"helmchart-field-definitions",level:4},{value:"Customizing Packaged Components with HelmChartConfig",id:"customizing-packaged-components-with-helmchartconfig",level:3},{value:"Migrating from Helm v2",id:"migrating-from-helm-v2",level:3}];function d(e){const t={a:"a",admonition:"admonition",code:"code",h3:"h3",h4:"h4",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(t.p,{children:["Helm is the package management tool of choice for Kubernetes. Helm charts provide templating syntax for Kubernetes YAML manifest documents. With Helm, developers or cluster administrators can create configurable templates known as Charts, instead of just using static manifests. For more information about creating your own Chart catalog, check out the docs at ",(0,s.jsx)(t.a,{href:"https://helm.sh/docs/intro/quickstart/",children:"https://helm.sh/docs/intro/quickstart/"}),"."]}),"\n",(0,s.jsxs)(t.p,{children:["K3s does not require any special configuration to support Helm. Just be sure you have properly set the kubeconfig path as per the ",(0,s.jsx)(t.a,{href:"/cluster-access",children:"cluster access"})," documentation."]}),"\n",(0,s.jsxs)(t.p,{children:["K3s includes a ",(0,s.jsx)(t.a,{href:"https://github.com/k3s-io/helm-controller/",children:"Helm Controller"})," that manages installing, upgrading/reconfiguring, and uninstalling Helm charts using a HelmChart Custom Resource Definition (CRD). Paired with ",(0,s.jsx)(t.a,{href:"/installation/packaged-components",children:"auto-deploying AddOn manifests"}),", installing a Helm chart on your cluster can be automated by creating a single file on disk."]}),"\n",(0,s.jsx)(t.h3,{id:"using-the-helm-controller",children:"Using the Helm Controller"}),"\n",(0,s.jsxs)(t.p,{children:["The ",(0,s.jsx)(t.a,{href:"https://github.com/k3s-io/helm-controller#helm-controller",children:"HelmChart Custom Resource"})," captures most of the options you would normally pass to the ",(0,s.jsx)(t.code,{children:"helm"})," command-line tool. Here's an example of how you might deploy Apache from the Bitnami chart repository, overriding some of the default chart values. Note that the HelmChart resource itself is in the ",(0,s.jsx)(t.code,{children:"kube-system"})," namespace, but the chart's resources will be deployed to the ",(0,s.jsx)(t.code,{children:"web"})," namespace, which is created in the same manifest. This can be useful if you want to keep your HelmChart resources separated from the the resources they deploy."]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Namespace\nmetadata:\n name: web\n---\napiVersion: helm.cattle.io/v1\nkind: HelmChart\nmetadata:\n name: apache\n namespace: kube-system\nspec:\n repo: https://charts.bitnami.com/bitnami\n chart: apache\n targetNamespace: web\n valuesContent: |-\n service:\n type: ClusterIP\n ingress:\n enabled: true\n hostname: www.example.com\n metrics:\n enabled: true\n"})}),"\n",(0,s.jsx)(t.p,{children:"An example of deploying a helm chart from a private repo with authentication:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-yaml",children:"apiVersion: helm.cattle.io/v1\nkind: HelmChart\nmetadata:\n namespace: kube-system\n name: example-app\nspec:\n targetNamespace: example-space\n createNamespace: true\n version: v1.2.3\n chart: example-app\n repo: https://secure-repo.example.com\n authSecret:\n name: example-repo-auth\n repoCAConfigMap:\n name: example-repo-ca\n valuesContent: |-\n image:\n tag: v1.2.2\n---\napiVersion: v1\nkind: Secret\nmetadata:\n namespace: kube-system\n name: example-repo-auth\ntype: kubernetes.io/basic-auth\nstringData:\n username: user\n password: pass\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n namespace: kube-system\n name: example-repo-ca\ndata:\n ca.crt: |-\n -----BEGIN CERTIFICATE-----\n \n -----END CERTIFICATE-----\n"})}),"\n",(0,s.jsx)(t.h4,{id:"helmchart-field-definitions",children:"HelmChart Field Definitions"}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Field"}),(0,s.jsx)(t.th,{children:"Default"}),(0,s.jsx)(t.th,{children:"Description"}),(0,s.jsx)(t.th,{children:"Helm Argument / Flag Equivalent"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"metadata.name"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Helm Chart name"}),(0,s.jsx)(t.td,{children:"NAME"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.chart"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Helm Chart name in repository, or complete HTTPS URL to chart archive (.tgz)"}),(0,s.jsx)(t.td,{children:"CHART"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.targetNamespace"}),(0,s.jsx)(t.td,{children:"default"}),(0,s.jsx)(t.td,{children:"Helm Chart target namespace"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--namespace"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.createNamespace"}),(0,s.jsx)(t.td,{children:"false"}),(0,s.jsx)(t.td,{children:"Create target namespace if not present"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--create-namespace"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.version"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Helm Chart version (when installing from repository)"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--version"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.repo"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Helm Chart repository URL"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--repo"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.repoCA"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Verify certificates of HTTPS-enabled servers using this CA bundle. Should be a string containing one or more PEM-encoded CA Certificates."}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--ca-file"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.repoCAConfigMap"}),(0,s.jsx)(t.td,{}),(0,s.jsxs)(t.td,{children:["Reference to a ConfigMap containing CA Certificates to be be trusted by Helm. Can be used along with or instead of ",(0,s.jsx)(t.code,{children:"repoCA"})]}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--ca-file"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.helmVersion"}),(0,s.jsx)(t.td,{children:"v3"}),(0,s.jsxs)(t.td,{children:["Helm version to use (",(0,s.jsx)(t.code,{children:"v2"})," or ",(0,s.jsx)(t.code,{children:"v3"}),")"]}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.bootstrap"}),(0,s.jsx)(t.td,{children:"False"}),(0,s.jsx)(t.td,{children:"Set to True if this chart is needed to bootstrap the cluster (Cloud Controller Manager, etc)"}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.set"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Override simple default Chart values. These take precedence over options set via valuesContent."}),(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--set"})," / ",(0,s.jsx)(t.code,{children:"--set-string"})]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.jobImage"}),(0,s.jsx)(t.td,{}),(0,s.jsxs)(t.td,{children:["Specify the image to use when installing the helm chart. E.g. rancher/klipper-helm",":v0",".3.0 ."]}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.backOffLimit"}),(0,s.jsx)(t.td,{children:"1000"}),(0,s.jsx)(t.td,{children:"Specify the number of retries before considering a job failed."}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.timeout"}),(0,s.jsx)(t.td,{children:"300s"}),(0,s.jsxs)(t.td,{children:["Timeout for Helm operations, as a ",(0,s.jsx)(t.a,{href:"https://pkg.go.dev/time#ParseDuration",children:"duration string"})," (",(0,s.jsx)(t.code,{children:"300s"}),", ",(0,s.jsx)(t.code,{children:"10m"}),", ",(0,s.jsx)(t.code,{children:"1h"}),", etc)"]}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--timeout"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.failurePolicy"}),(0,s.jsx)(t.td,{children:"reinstall"}),(0,s.jsxs)(t.td,{children:["Set to ",(0,s.jsx)(t.code,{children:"abort"})," which case the Helm operation is aborted, pending manual intervention by the operator."]}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.authSecret"}),(0,s.jsx)(t.td,{}),(0,s.jsxs)(t.td,{children:["Reference to Secret of type ",(0,s.jsx)(t.code,{children:"kubernetes.io/basic-auth"})," holding Basic auth credentials for the Chart repo."]}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.authPassCredentials"}),(0,s.jsx)(t.td,{children:"false"}),(0,s.jsx)(t.td,{children:"Pass Basic auth credentials to all domains."}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--pass-credentials"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.dockerRegistrySecret"}),(0,s.jsx)(t.td,{}),(0,s.jsxs)(t.td,{children:["Reference to Secret of type ",(0,s.jsx)(t.code,{children:"kubernetes.io/dockerconfigjson"})," holding Docker auth credentials for the OCI-based registry acting as the Chart repo."]}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.valuesContent"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Override complex default Chart values via YAML file content"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--values"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.chartContent"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Base64-encoded chart archive .tgz - overrides spec.chart"}),(0,s.jsx)(t.td,{children:"CHART"})]})]})]}),"\n",(0,s.jsxs)(t.p,{children:["Content placed in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/static/"})," can be accessed anonymously via the Kubernetes APIServer from within the cluster. This URL can be templated using the special variable ",(0,s.jsx)(t.code,{children:"%{KUBERNETES_API}%"})," in the ",(0,s.jsx)(t.code,{children:"spec.chart"})," field. For example, the packaged Traefik component loads its chart from ",(0,s.jsx)(t.code,{children:"https://%{KUBERNETES_API}%/static/charts/traefik-12.0.000.tgz"}),"."]}),"\n",(0,s.jsx)(t.admonition,{type:"note",children:(0,s.jsxs)(t.p,{children:["The ",(0,s.jsx)(t.code,{children:"name"})," field should follow the Helm chart naming conventions. Refer to the ",(0,s.jsx)(t.a,{href:"https://helm.sh/docs/chart_best_practices/conventions/#chart-names",children:"Helm Best Practices documentation"})," to learn more."]})}),"\n",(0,s.jsx)(t.h3,{id:"customizing-packaged-components-with-helmchartconfig",children:"Customizing Packaged Components with HelmChartConfig"}),"\n",(0,s.jsxs)(t.p,{children:["To allow overriding values for packaged components that are deployed as HelmCharts (such as Traefik), K3s supports customizing deployments via a HelmChartConfig resources. The HelmChartConfig resource must match the name and namespace of its corresponding HelmChart, and it supports providing additional ",(0,s.jsx)(t.code,{children:"valuesContent"}),", which is passed to the ",(0,s.jsx)(t.code,{children:"helm"})," command as an additional value file."]}),"\n",(0,s.jsx)(t.admonition,{type:"note",children:(0,s.jsxs)(t.p,{children:["HelmChart ",(0,s.jsx)(t.code,{children:"spec.set"})," values override HelmChart and HelmChartConfig ",(0,s.jsx)(t.code,{children:"spec.valuesContent"})," settings."]})}),"\n",(0,s.jsxs)(t.p,{children:["For example, to customize the packaged Traefik ingress configuration, you can create a file named ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/manifests/traefik-config.yaml"})," and populate it with the following content:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-yaml",children:"apiVersion: helm.cattle.io/v1\nkind: HelmChartConfig\nmetadata:\n name: traefik\n namespace: kube-system\nspec:\n valuesContent: |-\n image:\n name: traefik\n tag: 2.9.10\n ports:\n web:\n forwardedHeaders:\n trustedIPs:\n - 10.0.0.0/8\n"})}),"\n",(0,s.jsx)(t.h3,{id:"migrating-from-helm-v2",children:"Migrating from Helm v2"}),"\n",(0,s.jsxs)(t.p,{children:["K3s can handle either Helm v2 or Helm v3. If you wish to migrate to Helm v3, ",(0,s.jsx)(t.a,{href:"https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/",children:"this"})," blog post by Helm explains how to use a plugin to successfully migrate. Refer to the official Helm 3 documentation ",(0,s.jsx)(t.a,{href:"https://helm.sh/docs/",children:"here"})," for more information. Just be sure you have properly set your kubeconfig as per the section about ",(0,s.jsx)(t.a,{href:"/cluster-access",children:"cluster access."})]}),"\n",(0,s.jsx)(t.admonition,{type:"note",children:(0,s.jsxs)(t.p,{children:["Helm 3 no longer requires Tiller and the ",(0,s.jsx)(t.code,{children:"helm init"})," command. Refer to the official documentation for details."]})})]})}function h(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,t,n)=>{n.d(t,{Z:()=>c,a:()=>a});var s=n(7294);const r={},i=s.createContext(r);function a(e){const t=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function c(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:a(e.components),s.createElement(i.Provider,{value:t},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9751],{8495:(e,t,n)=>{n.r(t),n.d(t,{assets:()=>o,contentTitle:()=>a,default:()=>h,frontMatter:()=>i,metadata:()=>c,toc:()=>l});var s=n(5893),r=n(1151);const i={title:"Helm"},a=void 0,c={id:"helm",title:"Helm",description:"Helm is the package management tool of choice for Kubernetes. Helm charts provide templating syntax for Kubernetes YAML manifest documents. With Helm, developers or cluster administrators can create configurable templates known as Charts, instead of just using static manifests. For more information about creating your own Chart catalog, check out the docs at https://helm.sh/docs/intro/quickstart/.",source:"@site/docs/helm.md",sourceDirName:".",slug:"/helm",permalink:"/helm",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/helm.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Helm"},sidebar:"mySidebar",previous:{title:"Networking Services",permalink:"/networking/networking-services"},next:{title:"Advanced Options / Configuration",permalink:"/advanced"}},o={},l=[{value:"Using the Helm Controller",id:"using-the-helm-controller",level:3},{value:"HelmChart Field Definitions",id:"helmchart-field-definitions",level:4},{value:"Customizing Packaged Components with HelmChartConfig",id:"customizing-packaged-components-with-helmchartconfig",level:3},{value:"Migrating from Helm v2",id:"migrating-from-helm-v2",level:3}];function d(e){const t={a:"a",admonition:"admonition",code:"code",h3:"h3",h4:"h4",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(t.p,{children:["Helm is the package management tool of choice for Kubernetes. Helm charts provide templating syntax for Kubernetes YAML manifest documents. With Helm, developers or cluster administrators can create configurable templates known as Charts, instead of just using static manifests. For more information about creating your own Chart catalog, check out the docs at ",(0,s.jsx)(t.a,{href:"https://helm.sh/docs/intro/quickstart/",children:"https://helm.sh/docs/intro/quickstart/"}),"."]}),"\n",(0,s.jsxs)(t.p,{children:["K3s does not require any special configuration to support Helm. Just be sure you have properly set the kubeconfig path as per the ",(0,s.jsx)(t.a,{href:"/cluster-access",children:"cluster access"})," documentation."]}),"\n",(0,s.jsxs)(t.p,{children:["K3s includes a ",(0,s.jsx)(t.a,{href:"https://github.com/k3s-io/helm-controller/",children:"Helm Controller"})," that manages installing, upgrading/reconfiguring, and uninstalling Helm charts using a HelmChart Custom Resource Definition (CRD). Paired with ",(0,s.jsx)(t.a,{href:"/installation/packaged-components",children:"auto-deploying AddOn manifests"}),", installing a Helm chart on your cluster can be automated by creating a single file on disk."]}),"\n",(0,s.jsx)(t.h3,{id:"using-the-helm-controller",children:"Using the Helm Controller"}),"\n",(0,s.jsxs)(t.p,{children:["The ",(0,s.jsx)(t.a,{href:"https://github.com/k3s-io/helm-controller#helm-controller",children:"HelmChart Custom Resource"})," captures most of the options you would normally pass to the ",(0,s.jsx)(t.code,{children:"helm"})," command-line tool. Here's an example of how you might deploy Apache from the Bitnami chart repository, overriding some of the default chart values. Note that the HelmChart resource itself is in the ",(0,s.jsx)(t.code,{children:"kube-system"})," namespace, but the chart's resources will be deployed to the ",(0,s.jsx)(t.code,{children:"web"})," namespace, which is created in the same manifest. This can be useful if you want to keep your HelmChart resources separated from the the resources they deploy."]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Namespace\nmetadata:\n name: web\n---\napiVersion: helm.cattle.io/v1\nkind: HelmChart\nmetadata:\n name: apache\n namespace: kube-system\nspec:\n repo: https://charts.bitnami.com/bitnami\n chart: apache\n targetNamespace: web\n valuesContent: |-\n service:\n type: ClusterIP\n ingress:\n enabled: true\n hostname: www.example.com\n metrics:\n enabled: true\n"})}),"\n",(0,s.jsx)(t.p,{children:"An example of deploying a helm chart from a private repo with authentication:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-yaml",children:"apiVersion: helm.cattle.io/v1\nkind: HelmChart\nmetadata:\n namespace: kube-system\n name: example-app\nspec:\n targetNamespace: example-space\n createNamespace: true\n version: v1.2.3\n chart: example-app\n repo: https://secure-repo.example.com\n authSecret:\n name: example-repo-auth\n repoCAConfigMap:\n name: example-repo-ca\n valuesContent: |-\n image:\n tag: v1.2.2\n---\napiVersion: v1\nkind: Secret\nmetadata:\n namespace: kube-system\n name: example-repo-auth\ntype: kubernetes.io/basic-auth\nstringData:\n username: user\n password: pass\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n namespace: kube-system\n name: example-repo-ca\ndata:\n ca.crt: |-\n -----BEGIN CERTIFICATE-----\n \n -----END CERTIFICATE-----\n"})}),"\n",(0,s.jsx)(t.h4,{id:"helmchart-field-definitions",children:"HelmChart Field Definitions"}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Field"}),(0,s.jsx)(t.th,{children:"Default"}),(0,s.jsx)(t.th,{children:"Description"}),(0,s.jsx)(t.th,{children:"Helm Argument / Flag Equivalent"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"metadata.name"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Helm Chart name"}),(0,s.jsx)(t.td,{children:"NAME"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.chart"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Helm Chart name in repository, or complete HTTPS URL to chart archive (.tgz)"}),(0,s.jsx)(t.td,{children:"CHART"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.targetNamespace"}),(0,s.jsx)(t.td,{children:"default"}),(0,s.jsx)(t.td,{children:"Helm Chart target namespace"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--namespace"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.createNamespace"}),(0,s.jsx)(t.td,{children:"false"}),(0,s.jsx)(t.td,{children:"Create target namespace if not present"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--create-namespace"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.version"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Helm Chart version (when installing from repository)"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--version"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.repo"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Helm Chart repository URL"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--repo"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.repoCA"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Verify certificates of HTTPS-enabled servers using this CA bundle. Should be a string containing one or more PEM-encoded CA Certificates."}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--ca-file"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.repoCAConfigMap"}),(0,s.jsx)(t.td,{}),(0,s.jsxs)(t.td,{children:["Reference to a ConfigMap containing CA Certificates to be be trusted by Helm. Can be used along with or instead of ",(0,s.jsx)(t.code,{children:"repoCA"})]}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--ca-file"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.helmVersion"}),(0,s.jsx)(t.td,{children:"v3"}),(0,s.jsxs)(t.td,{children:["Helm version to use (",(0,s.jsx)(t.code,{children:"v2"})," or ",(0,s.jsx)(t.code,{children:"v3"}),")"]}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.bootstrap"}),(0,s.jsx)(t.td,{children:"False"}),(0,s.jsx)(t.td,{children:"Set to True if this chart is needed to bootstrap the cluster (Cloud Controller Manager, etc)"}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.set"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Override simple default Chart values. These take precedence over options set via valuesContent."}),(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--set"})," / ",(0,s.jsx)(t.code,{children:"--set-string"})]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.jobImage"}),(0,s.jsx)(t.td,{}),(0,s.jsxs)(t.td,{children:["Specify the image to use when installing the helm chart. E.g. rancher/klipper-helm",":v0",".3.0 ."]}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.backOffLimit"}),(0,s.jsx)(t.td,{children:"1000"}),(0,s.jsx)(t.td,{children:"Specify the number of retries before considering a job failed."}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.timeout"}),(0,s.jsx)(t.td,{children:"300s"}),(0,s.jsxs)(t.td,{children:["Timeout for Helm operations, as a ",(0,s.jsx)(t.a,{href:"https://pkg.go.dev/time#ParseDuration",children:"duration string"})," (",(0,s.jsx)(t.code,{children:"300s"}),", ",(0,s.jsx)(t.code,{children:"10m"}),", ",(0,s.jsx)(t.code,{children:"1h"}),", etc)"]}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--timeout"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.failurePolicy"}),(0,s.jsx)(t.td,{children:"reinstall"}),(0,s.jsxs)(t.td,{children:["Set to ",(0,s.jsx)(t.code,{children:"abort"})," which case the Helm operation is aborted, pending manual intervention by the operator."]}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.authSecret"}),(0,s.jsx)(t.td,{}),(0,s.jsxs)(t.td,{children:["Reference to Secret of type ",(0,s.jsx)(t.code,{children:"kubernetes.io/basic-auth"})," holding Basic auth credentials for the Chart repo."]}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.authPassCredentials"}),(0,s.jsx)(t.td,{children:"false"}),(0,s.jsx)(t.td,{children:"Pass Basic auth credentials to all domains."}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--pass-credentials"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.dockerRegistrySecret"}),(0,s.jsx)(t.td,{}),(0,s.jsxs)(t.td,{children:["Reference to Secret of type ",(0,s.jsx)(t.code,{children:"kubernetes.io/dockerconfigjson"})," holding Docker auth credentials for the OCI-based registry acting as the Chart repo."]}),(0,s.jsx)(t.td,{})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.valuesContent"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Override complex default Chart values via YAML file content"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--values"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"spec.chartContent"}),(0,s.jsx)(t.td,{}),(0,s.jsx)(t.td,{children:"Base64-encoded chart archive .tgz - overrides spec.chart"}),(0,s.jsx)(t.td,{children:"CHART"})]})]})]}),"\n",(0,s.jsxs)(t.p,{children:["Content placed in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/static/"})," can be accessed anonymously via the Kubernetes APIServer from within the cluster. This URL can be templated using the special variable ",(0,s.jsx)(t.code,{children:"%{KUBERNETES_API}%"})," in the ",(0,s.jsx)(t.code,{children:"spec.chart"})," field. For example, the packaged Traefik component loads its chart from ",(0,s.jsx)(t.code,{children:"https://%{KUBERNETES_API}%/static/charts/traefik-12.0.000.tgz"}),"."]}),"\n",(0,s.jsx)(t.admonition,{type:"note",children:(0,s.jsxs)(t.p,{children:["The ",(0,s.jsx)(t.code,{children:"name"})," field should follow the Helm chart naming conventions. Refer to the ",(0,s.jsx)(t.a,{href:"https://helm.sh/docs/chart_best_practices/conventions/#chart-names",children:"Helm Best Practices documentation"})," to learn more."]})}),"\n",(0,s.jsx)(t.h3,{id:"customizing-packaged-components-with-helmchartconfig",children:"Customizing Packaged Components with HelmChartConfig"}),"\n",(0,s.jsxs)(t.p,{children:["To allow overriding values for packaged components that are deployed as HelmCharts (such as Traefik), K3s supports customizing deployments via a HelmChartConfig resources. The HelmChartConfig resource must match the name and namespace of its corresponding HelmChart, and it supports providing additional ",(0,s.jsx)(t.code,{children:"valuesContent"}),", which is passed to the ",(0,s.jsx)(t.code,{children:"helm"})," command as an additional value file."]}),"\n",(0,s.jsx)(t.admonition,{type:"note",children:(0,s.jsxs)(t.p,{children:["HelmChart ",(0,s.jsx)(t.code,{children:"spec.set"})," values override HelmChart and HelmChartConfig ",(0,s.jsx)(t.code,{children:"spec.valuesContent"})," settings."]})}),"\n",(0,s.jsxs)(t.p,{children:["For example, to customize the packaged Traefik ingress configuration, you can create a file named ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/manifests/traefik-config.yaml"})," and populate it with the following content:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-yaml",children:"apiVersion: helm.cattle.io/v1\nkind: HelmChartConfig\nmetadata:\n name: traefik\n namespace: kube-system\nspec:\n valuesContent: |-\n image:\n name: traefik\n tag: 2.9.10\n ports:\n web:\n forwardedHeaders:\n trustedIPs:\n - 10.0.0.0/8\n"})}),"\n",(0,s.jsx)(t.h3,{id:"migrating-from-helm-v2",children:"Migrating from Helm v2"}),"\n",(0,s.jsxs)(t.p,{children:["K3s can handle either Helm v2 or Helm v3. If you wish to migrate to Helm v3, ",(0,s.jsx)(t.a,{href:"https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/",children:"this"})," blog post by Helm explains how to use a plugin to successfully migrate. Refer to the official Helm 3 documentation ",(0,s.jsx)(t.a,{href:"https://helm.sh/docs/",children:"here"})," for more information. Just be sure you have properly set your kubeconfig as per the section about ",(0,s.jsx)(t.a,{href:"/cluster-access",children:"cluster access."})]}),"\n",(0,s.jsx)(t.admonition,{type:"note",children:(0,s.jsxs)(t.p,{children:["Helm 3 no longer requires Tiller and the ",(0,s.jsx)(t.code,{children:"helm init"})," command. Refer to the official documentation for details."]})})]})}function h(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,t,n)=>{n.d(t,{Z:()=>c,a:()=>a});var s=n(7294);const r={},i=s.createContext(r);function a(e){const t=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function c(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:a(e.components),s.createElement(i.Provider,{value:t},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/10b61a3f.f8f724d1.js b/assets/js/10b61a3f.4b9b71cb.js
similarity index 99%
rename from assets/js/10b61a3f.f8f724d1.js
rename to assets/js/10b61a3f.4b9b71cb.js
index 3987e23bb..312e92c06 100644
--- a/assets/js/10b61a3f.f8f724d1.js
+++ b/assets/js/10b61a3f.4b9b71cb.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4902],{8040:(e,r,i)=>{i.r(r),i.d(r,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>s,metadata:()=>a,toc:()=>d});var t=i(5893),n=i(1151);const s={title:"Private Registry Configuration"},o=void 0,a={id:"installation/private-registry",title:"Private Registry Configuration",description:"Containerd can be configured to connect to private registries and use them to pull images as needed by the kubelet.",source:"@site/docs/installation/private-registry.md",sourceDirName:"installation",slug:"/installation/private-registry",permalink:"/installation/private-registry",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/private-registry.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Private Registry Configuration"},sidebar:"mySidebar",previous:{title:"Configuration Options",permalink:"/installation/configuration"},next:{title:"Embedded Registry Mirror",permalink:"/installation/registry-mirror"}},l={},d=[{value:"Default Endpoint Fallback",id:"default-endpoint-fallback",level:2},{value:"Registries Configuration File",id:"registries-configuration-file",level:2},{value:"Mirrors",id:"mirrors",level:3},{value:"Redirects",id:"redirects",level:4},{value:"Rewrites",id:"rewrites",level:4},{value:"Configs",id:"configs",level:3},{value:"Wildcard Support",id:"wildcard-support",level:3},{value:"With TLS",id:"with-tls",level:3},{value:"Without TLS",id:"without-tls",level:3},{value:"Troubleshooting Image Pulls",id:"troubleshooting-image-pulls",level:2},{value:"Adding Images to the Private Registry",id:"adding-images-to-the-private-registry",level:2}];function c(e){const r={a:"a",admonition:"admonition",blockquote:"blockquote",br:"br",code:"code",em:"em",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,n.a)(),...e.components},{TabItem:i,Tabs:s}=r;return i||p("TabItem",!0),s||p("Tabs",!0),(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.p,{children:"Containerd can be configured to connect to private registries and use them to pull images as needed by the kubelet."}),"\n",(0,t.jsxs)(r.p,{children:["Upon startup, K3s will check to see if ",(0,t.jsx)(r.code,{children:"/etc/rancher/k3s/registries.yaml"})," exists. If so, the registry configuration contained in this file is used when generating the containerd configuration."]}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:["If you want to use a private registry as a mirror for a public registry such as docker.io, then you will need to configure ",(0,t.jsx)(r.code,{children:"registries.yaml"})," on each node that you want to use the mirror."]}),"\n",(0,t.jsxs)(r.li,{children:["If your private registry requires authentication, uses custom TLS certificates, or does not use TLS, you will need to configure ",(0,t.jsx)(r.code,{children:"registries.yaml"})," on each node that will pull images from your registry."]}),"\n"]}),"\n",(0,t.jsxs)(r.p,{children:["Note that server nodes are schedulable by default. If you have not tainted the server nodes and will be running workloads on them,\nplease ensure you also create the ",(0,t.jsx)(r.code,{children:"registries.yaml"})," file on each server as well."]}),"\n",(0,t.jsx)(r.h2,{id:"default-endpoint-fallback",children:"Default Endpoint Fallback"}),"\n",(0,t.jsxs)(r.p,{children:['Containerd has an implicit "default endpoint" for all registries.\nThe default endpoint is always tried as a last resort, even if there are other endpoints listed for that registry in ',(0,t.jsx)(r.code,{children:"registries.yaml"}),".\nFor example, when pulling ",(0,t.jsx)(r.code,{children:"registry.example.com:5000/rancher/mirrored-pause:3.6"}),", containerd will use a default endpoint of ",(0,t.jsx)(r.code,{children:"https://registry.example.com:5000/v2"}),"."]}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:["The default endpoint for ",(0,t.jsx)(r.code,{children:"docker.io"})," is ",(0,t.jsx)(r.code,{children:"https://index.docker.io/v2"}),"."]}),"\n",(0,t.jsxs)(r.li,{children:["The default endpoint for all other registries is ",(0,t.jsx)(r.code,{children:"https:///v2"}),", where ",(0,t.jsx)(r.code,{children:""})," is the registry hostname and optional port."]}),"\n"]}),"\n",(0,t.jsxs)(r.p,{children:["In order to be recognized as a registry, the first component of the image name must contain at least one period or colon.\nFor historical reasons, images without a registry specified in their name are implicitly identified as being from ",(0,t.jsx)(r.code,{children:"docker.io"}),"."]}),"\n",(0,t.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"--disable-default-registry-endpoint"})," option is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1"]})}),"\n",(0,t.jsxs)(r.p,{children:["Nodes may be started with the ",(0,t.jsx)(r.code,{children:"--disable-default-registry-endpoint"})," option.\nWhen this is set, containerd will not fall back to the default registry endpoint, and will only pull from configured mirror endpoints,\nalong with the distributed registry if it is enabled."]}),"\n",(0,t.jsx)(r.p,{children:"This may be desired if your cluster is in a true air-gapped environment where the upstream registry is not available,\nor if you wish to have only some nodes pull from the upstream registry."}),"\n",(0,t.jsxs)(r.p,{children:["Disabling the default registry endpoint applies only to registries configured via ",(0,t.jsx)(r.code,{children:"registries.yaml"}),".\nIf the registry is not explicitly configured via mirror entry in ",(0,t.jsx)(r.code,{children:"registries.yaml"}),", the default fallback behavior will still be used."]}),"\n",(0,t.jsx)(r.h2,{id:"registries-configuration-file",children:"Registries Configuration File"}),"\n",(0,t.jsx)(r.p,{children:"The file consists of two top-level keys, with subkeys for each registry:"}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n :\n endpoint:\n - https:///v2\nconfigs:\n :\n auth:\n username: \n password: \n token: \n tls:\n ca_file: \n cert_file: \n key_file: \n insecure_skip_verify: \n"})}),"\n",(0,t.jsx)(r.h3,{id:"mirrors",children:"Mirrors"}),"\n",(0,t.jsx)(r.p,{children:"The mirrors section defines the names and endpoints of registries, for example:"}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'mirrors:\n registry.example.com:\n endpoint:\n - "https://registry.example.com:5000"\n'})}),"\n",(0,t.jsx)(r.p,{children:"Each mirror must have a name and set of endpoints. When pulling an image from a registry, containerd will try these endpoint URLs, plus the default endpoint, and use the first working one."}),"\n",(0,t.jsx)(r.h4,{id:"redirects",children:"Redirects"}),"\n",(0,t.jsxs)(r.p,{children:["If the private registry is used as a mirror for another registry, such as when configuring a ",(0,t.jsx)(r.a,{href:"https://docs.docker.com/registry/recipes/mirror/",children:"pull through cache"}),",\nimages pulls are transparently redirected to the listed endpoints. The original registry name is passed to the mirror endpoint via the ",(0,t.jsx)(r.code,{children:"ns"})," query parameter."]}),"\n",(0,t.jsxs)(r.p,{children:["For example, if you have a mirror configured for ",(0,t.jsx)(r.code,{children:"docker.io"}),":"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\n'})}),"\n",(0,t.jsxs)(r.p,{children:["Then pulling ",(0,t.jsx)(r.code,{children:"docker.io/rancher/mirrored-pause:3.6"})," will transparently pull the image as ",(0,t.jsx)(r.code,{children:"registry.example.com:5000/rancher/mirrored-pause:3.6"}),"."]}),"\n",(0,t.jsx)(r.h4,{id:"rewrites",children:"Rewrites"}),"\n",(0,t.jsx)(r.p,{children:"Each mirror can have a set of rewrites. Rewrites can change the name of an image based on regular expressions.\nThis is useful if the organization/project structure in the private registry is different than the registry it is mirroring."}),"\n",(0,t.jsxs)(r.p,{children:["For example, the following configuration would transparently pull the image ",(0,t.jsx)(r.code,{children:"docker.io/rancher/mirrored-pause:3.6"})," as ",(0,t.jsx)(r.code,{children:"registry.example.com:5000/mirrorproject/rancher-images/mirrored-pause:3.6"}),":"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\n rewrite:\n "^rancher/(.*)": "mirrorproject/rancher-images/$1"\n'})}),"\n",(0,t.jsxs)(r.p,{children:["When using redirects and rewrites, images will still be stored under the original name.\nFor example, ",(0,t.jsx)(r.code,{children:"crictl image ls"})," will show ",(0,t.jsx)(r.code,{children:"docker.io/rancher/mirrored-pause:3.6"})," as available on the node, even though the image was pulled from the mirrored registry with a different name."]}),"\n",(0,t.jsx)(r.h3,{id:"configs",children:"Configs"}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"configs"})," section defines the TLS and credential configuration for each mirror. For each mirror you can define ",(0,t.jsx)(r.code,{children:"auth"})," and/or ",(0,t.jsx)(r.code,{children:"tls"}),"."]}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"tls"})," part consists of:"]}),"\n",(0,t.jsxs)(r.table,{children:[(0,t.jsx)(r.thead,{children:(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.th,{children:"Directive"}),(0,t.jsx)(r.th,{children:"Description"})]})}),(0,t.jsxs)(r.tbody,{children:[(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"cert_file"})}),(0,t.jsx)(r.td,{children:"The client certificate path that will be used to authenticate with the registry"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"key_file"})}),(0,t.jsx)(r.td,{children:"The client key path that will be used to authenticate with the registry"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"ca_file"})}),(0,t.jsx)(r.td,{children:"Defines the CA certificate path to be used to verify the registry's server cert file"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"insecure_skip_verify"})}),(0,t.jsx)(r.td,{children:"Boolean that defines if TLS verification should be skipped for the registry"})]})]})]}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"auth"})," part consists of either username/password or authentication token:"]}),"\n",(0,t.jsxs)(r.table,{children:[(0,t.jsx)(r.thead,{children:(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.th,{children:"Directive"}),(0,t.jsx)(r.th,{children:"Description"})]})}),(0,t.jsxs)(r.tbody,{children:[(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"username"})}),(0,t.jsx)(r.td,{children:"user name of the private registry basic auth"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"password"})}),(0,t.jsx)(r.td,{children:"user password of the private registry basic auth"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"auth"})}),(0,t.jsx)(r.td,{children:"authentication token of the private registry basic auth"})]})]})]}),"\n",(0,t.jsx)(r.p,{children:"Below are basic examples of using private registries in different modes:"}),"\n",(0,t.jsx)(r.h3,{id:"wildcard-support",children:"Wildcard Support"}),"\n",(0,t.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,t.jsx)(r.p,{children:"Wildcard support is available as of the March 2024 releases: v1.26.15+k3s1, v1.27.12+k3s1, v1.28.8+k3s1, v1.29.3+k3s1"})}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:'"*"'})," wildcard entry can be used in the ",(0,t.jsx)(r.code,{children:"mirrors"})," and ",(0,t.jsx)(r.code,{children:"configs"})," sections to provide default configuration for all registries.\nThe default configuration will only be used if there is no specific entry for that registry. Note that the asterisk MUST be quoted."]}),"\n",(0,t.jsxs)(r.p,{children:["In the following example, a local registry mirror will be used for all registries. TLS verification will be disabled for all registries, except ",(0,t.jsx)(r.code,{children:"docker.io"}),"."]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n "*":\n endpoint:\n - "https://registry.example.com:5000"\nconfigs:\n "docker.io":\n "*":\n tls:\n insecure_skip_verify: true\n'})}),"\n",(0,t.jsx)(r.h3,{id:"with-tls",children:"With TLS"}),"\n",(0,t.jsxs)(r.p,{children:["Below are examples showing how you may configure ",(0,t.jsx)(r.code,{children:"/etc/rancher/k3s/registries.yaml"})," on each node when using TLS."]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)(i,{value:"With Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\nconfigs:\n "registry.example.com:5000":\n auth:\n username: xxxxxx # this is the registry username\n password: xxxxxx # this is the registry password\n tls:\n cert_file: # path to the cert file used in the registry\n key_file: # path to the key file used in the registry\n ca_file: # path to the ca file used in the registry\n'})})}),(0,t.jsx)(i,{value:"Without Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\nconfigs:\n "registry.example.com:5000":\n tls:\n cert_file: # path to the cert file used in the registry\n key_file: # path to the key file used in the registry\n ca_file: # path to the ca file used in the registry\n'})})})]}),"\n",(0,t.jsx)(r.h3,{id:"without-tls",children:"Without TLS"}),"\n",(0,t.jsxs)(r.p,{children:["Below are examples showing how you may configure ",(0,t.jsx)(r.code,{children:"/etc/rancher/k3s/registries.yaml"})," on each node when ",(0,t.jsx)(r.em,{children:"not"})," using TLS."]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)(i,{value:"With Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "http://registry.example.com:5000"\nconfigs:\n "registry.example.com:5000":\n auth:\n username: xxxxxx # this is the registry username\n password: xxxxxx # this is the registry password\n'})})}),(0,t.jsx)(i,{value:"Without Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "http://registry.example.com:5000"\n'})})})]}),"\n",(0,t.jsxs)(r.blockquote,{children:["\n",(0,t.jsxs)(r.p,{children:["In case of no TLS communication, you need to specify ",(0,t.jsx)(r.code,{children:"http://"})," for the endpoints, otherwise it will default to https."]}),"\n"]}),"\n",(0,t.jsx)(r.p,{children:"In order for the registry changes to take effect, you need to restart K3s on each node."}),"\n",(0,t.jsx)(r.h2,{id:"troubleshooting-image-pulls",children:"Troubleshooting Image Pulls"}),"\n",(0,t.jsx)(r.p,{children:"When Kubernetes experiences problems pulling an image, the error displayed by the kubelet may only reflect the terminal error returned\nby the pull attempt made against the default endpoint, making it appear that the configured endpoints are not being used."}),"\n",(0,t.jsxs)(r.p,{children:["Check the containerd log on the node at ",(0,t.jsx)(r.code,{children:"/var/lib/rancher/k3s/agent/containerd/containerd.log"})," for detailed information on the root cause of the failure."]}),"\n",(0,t.jsx)(r.h2,{id:"adding-images-to-the-private-registry",children:"Adding Images to the Private Registry"}),"\n",(0,t.jsxs)(r.p,{children:["Mirroring images to a private registry requires a host with Docker or other 3rd party tooling that is capable of pulling and pushing images.",(0,t.jsx)(r.br,{}),"\n","The steps below assume you have a host with dockerd and the docker CLI tools, and access to both docker.io and your private registry."]}),"\n",(0,t.jsxs)(r.ol,{children:["\n",(0,t.jsxs)(r.li,{children:["Obtain the ",(0,t.jsx)(r.code,{children:"k3s-images.txt"})," file from GitHub for the release you are working with."]}),"\n",(0,t.jsxs)(r.li,{children:["Pull each of the K3s images listed on the k3s-images.txt file from docker.io.",(0,t.jsx)(r.br,{}),"\n","Example: ",(0,t.jsx)(r.code,{children:"docker pull docker.io/rancher/mirrored-pause:3.6"})]}),"\n",(0,t.jsxs)(r.li,{children:["Retag the images to the private registry.",(0,t.jsx)(r.br,{}),"\n","Example: ",(0,t.jsx)(r.code,{children:"docker tag docker.io/rancher/mirrored-pause:3.6 registry.example.com:5000/rancher/mirrored-pause:3.6"})]}),"\n",(0,t.jsxs)(r.li,{children:["Push the images to the private registry.",(0,t.jsx)(r.br,{}),"\n","Example: ",(0,t.jsx)(r.code,{children:"docker push registry.example.com:5000/rancher/mirrored-pause:3.6"})]}),"\n"]})]})}function h(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,t.jsx)(r,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}function p(e,r){throw new Error("Expected "+(r?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,r,i)=>{i.d(r,{Z:()=>a,a:()=>o});var t=i(7294);const n={},s=t.createContext(n);function o(e){const r=t.useContext(s);return t.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function a(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:o(e.components),t.createElement(s.Provider,{value:r},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4902],{8040:(e,r,i)=>{i.r(r),i.d(r,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>s,metadata:()=>a,toc:()=>d});var t=i(5893),n=i(1151);const s={title:"Private Registry Configuration"},o=void 0,a={id:"installation/private-registry",title:"Private Registry Configuration",description:"Containerd can be configured to connect to private registries and use them to pull images as needed by the kubelet.",source:"@site/docs/installation/private-registry.md",sourceDirName:"installation",slug:"/installation/private-registry",permalink:"/installation/private-registry",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/private-registry.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Private Registry Configuration"},sidebar:"mySidebar",previous:{title:"Configuration Options",permalink:"/installation/configuration"},next:{title:"Embedded Registry Mirror",permalink:"/installation/registry-mirror"}},l={},d=[{value:"Default Endpoint Fallback",id:"default-endpoint-fallback",level:2},{value:"Registries Configuration File",id:"registries-configuration-file",level:2},{value:"Mirrors",id:"mirrors",level:3},{value:"Redirects",id:"redirects",level:4},{value:"Rewrites",id:"rewrites",level:4},{value:"Configs",id:"configs",level:3},{value:"Wildcard Support",id:"wildcard-support",level:3},{value:"With TLS",id:"with-tls",level:3},{value:"Without TLS",id:"without-tls",level:3},{value:"Troubleshooting Image Pulls",id:"troubleshooting-image-pulls",level:2},{value:"Adding Images to the Private Registry",id:"adding-images-to-the-private-registry",level:2}];function c(e){const r={a:"a",admonition:"admonition",blockquote:"blockquote",br:"br",code:"code",em:"em",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,n.a)(),...e.components},{TabItem:i,Tabs:s}=r;return i||p("TabItem",!0),s||p("Tabs",!0),(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.p,{children:"Containerd can be configured to connect to private registries and use them to pull images as needed by the kubelet."}),"\n",(0,t.jsxs)(r.p,{children:["Upon startup, K3s will check to see if ",(0,t.jsx)(r.code,{children:"/etc/rancher/k3s/registries.yaml"})," exists. If so, the registry configuration contained in this file is used when generating the containerd configuration."]}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:["If you want to use a private registry as a mirror for a public registry such as docker.io, then you will need to configure ",(0,t.jsx)(r.code,{children:"registries.yaml"})," on each node that you want to use the mirror."]}),"\n",(0,t.jsxs)(r.li,{children:["If your private registry requires authentication, uses custom TLS certificates, or does not use TLS, you will need to configure ",(0,t.jsx)(r.code,{children:"registries.yaml"})," on each node that will pull images from your registry."]}),"\n"]}),"\n",(0,t.jsxs)(r.p,{children:["Note that server nodes are schedulable by default. If you have not tainted the server nodes and will be running workloads on them,\nplease ensure you also create the ",(0,t.jsx)(r.code,{children:"registries.yaml"})," file on each server as well."]}),"\n",(0,t.jsx)(r.h2,{id:"default-endpoint-fallback",children:"Default Endpoint Fallback"}),"\n",(0,t.jsxs)(r.p,{children:['Containerd has an implicit "default endpoint" for all registries.\nThe default endpoint is always tried as a last resort, even if there are other endpoints listed for that registry in ',(0,t.jsx)(r.code,{children:"registries.yaml"}),".\nFor example, when pulling ",(0,t.jsx)(r.code,{children:"registry.example.com:5000/rancher/mirrored-pause:3.6"}),", containerd will use a default endpoint of ",(0,t.jsx)(r.code,{children:"https://registry.example.com:5000/v2"}),"."]}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:["The default endpoint for ",(0,t.jsx)(r.code,{children:"docker.io"})," is ",(0,t.jsx)(r.code,{children:"https://index.docker.io/v2"}),"."]}),"\n",(0,t.jsxs)(r.li,{children:["The default endpoint for all other registries is ",(0,t.jsx)(r.code,{children:"https:///v2"}),", where ",(0,t.jsx)(r.code,{children:""})," is the registry hostname and optional port."]}),"\n"]}),"\n",(0,t.jsxs)(r.p,{children:["In order to be recognized as a registry, the first component of the image name must contain at least one period or colon.\nFor historical reasons, images without a registry specified in their name are implicitly identified as being from ",(0,t.jsx)(r.code,{children:"docker.io"}),"."]}),"\n",(0,t.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"--disable-default-registry-endpoint"})," option is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1"]})}),"\n",(0,t.jsxs)(r.p,{children:["Nodes may be started with the ",(0,t.jsx)(r.code,{children:"--disable-default-registry-endpoint"})," option.\nWhen this is set, containerd will not fall back to the default registry endpoint, and will only pull from configured mirror endpoints,\nalong with the distributed registry if it is enabled."]}),"\n",(0,t.jsx)(r.p,{children:"This may be desired if your cluster is in a true air-gapped environment where the upstream registry is not available,\nor if you wish to have only some nodes pull from the upstream registry."}),"\n",(0,t.jsxs)(r.p,{children:["Disabling the default registry endpoint applies only to registries configured via ",(0,t.jsx)(r.code,{children:"registries.yaml"}),".\nIf the registry is not explicitly configured via mirror entry in ",(0,t.jsx)(r.code,{children:"registries.yaml"}),", the default fallback behavior will still be used."]}),"\n",(0,t.jsx)(r.h2,{id:"registries-configuration-file",children:"Registries Configuration File"}),"\n",(0,t.jsx)(r.p,{children:"The file consists of two top-level keys, with subkeys for each registry:"}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n :\n endpoint:\n - https:///v2\nconfigs:\n :\n auth:\n username: \n password: \n token: \n tls:\n ca_file: \n cert_file: \n key_file: \n insecure_skip_verify: \n"})}),"\n",(0,t.jsx)(r.h3,{id:"mirrors",children:"Mirrors"}),"\n",(0,t.jsx)(r.p,{children:"The mirrors section defines the names and endpoints of registries, for example:"}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'mirrors:\n registry.example.com:\n endpoint:\n - "https://registry.example.com:5000"\n'})}),"\n",(0,t.jsx)(r.p,{children:"Each mirror must have a name and set of endpoints. When pulling an image from a registry, containerd will try these endpoint URLs, plus the default endpoint, and use the first working one."}),"\n",(0,t.jsx)(r.h4,{id:"redirects",children:"Redirects"}),"\n",(0,t.jsxs)(r.p,{children:["If the private registry is used as a mirror for another registry, such as when configuring a ",(0,t.jsx)(r.a,{href:"https://docs.docker.com/registry/recipes/mirror/",children:"pull through cache"}),",\nimages pulls are transparently redirected to the listed endpoints. The original registry name is passed to the mirror endpoint via the ",(0,t.jsx)(r.code,{children:"ns"})," query parameter."]}),"\n",(0,t.jsxs)(r.p,{children:["For example, if you have a mirror configured for ",(0,t.jsx)(r.code,{children:"docker.io"}),":"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\n'})}),"\n",(0,t.jsxs)(r.p,{children:["Then pulling ",(0,t.jsx)(r.code,{children:"docker.io/rancher/mirrored-pause:3.6"})," will transparently pull the image as ",(0,t.jsx)(r.code,{children:"registry.example.com:5000/rancher/mirrored-pause:3.6"}),"."]}),"\n",(0,t.jsx)(r.h4,{id:"rewrites",children:"Rewrites"}),"\n",(0,t.jsx)(r.p,{children:"Each mirror can have a set of rewrites. Rewrites can change the name of an image based on regular expressions.\nThis is useful if the organization/project structure in the private registry is different than the registry it is mirroring."}),"\n",(0,t.jsxs)(r.p,{children:["For example, the following configuration would transparently pull the image ",(0,t.jsx)(r.code,{children:"docker.io/rancher/mirrored-pause:3.6"})," as ",(0,t.jsx)(r.code,{children:"registry.example.com:5000/mirrorproject/rancher-images/mirrored-pause:3.6"}),":"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\n rewrite:\n "^rancher/(.*)": "mirrorproject/rancher-images/$1"\n'})}),"\n",(0,t.jsxs)(r.p,{children:["When using redirects and rewrites, images will still be stored under the original name.\nFor example, ",(0,t.jsx)(r.code,{children:"crictl image ls"})," will show ",(0,t.jsx)(r.code,{children:"docker.io/rancher/mirrored-pause:3.6"})," as available on the node, even though the image was pulled from the mirrored registry with a different name."]}),"\n",(0,t.jsx)(r.h3,{id:"configs",children:"Configs"}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"configs"})," section defines the TLS and credential configuration for each mirror. For each mirror you can define ",(0,t.jsx)(r.code,{children:"auth"})," and/or ",(0,t.jsx)(r.code,{children:"tls"}),"."]}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"tls"})," part consists of:"]}),"\n",(0,t.jsxs)(r.table,{children:[(0,t.jsx)(r.thead,{children:(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.th,{children:"Directive"}),(0,t.jsx)(r.th,{children:"Description"})]})}),(0,t.jsxs)(r.tbody,{children:[(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"cert_file"})}),(0,t.jsx)(r.td,{children:"The client certificate path that will be used to authenticate with the registry"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"key_file"})}),(0,t.jsx)(r.td,{children:"The client key path that will be used to authenticate with the registry"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"ca_file"})}),(0,t.jsx)(r.td,{children:"Defines the CA certificate path to be used to verify the registry's server cert file"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"insecure_skip_verify"})}),(0,t.jsx)(r.td,{children:"Boolean that defines if TLS verification should be skipped for the registry"})]})]})]}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:"auth"})," part consists of either username/password or authentication token:"]}),"\n",(0,t.jsxs)(r.table,{children:[(0,t.jsx)(r.thead,{children:(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.th,{children:"Directive"}),(0,t.jsx)(r.th,{children:"Description"})]})}),(0,t.jsxs)(r.tbody,{children:[(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"username"})}),(0,t.jsx)(r.td,{children:"user name of the private registry basic auth"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"password"})}),(0,t.jsx)(r.td,{children:"user password of the private registry basic auth"})]}),(0,t.jsxs)(r.tr,{children:[(0,t.jsx)(r.td,{children:(0,t.jsx)(r.code,{children:"auth"})}),(0,t.jsx)(r.td,{children:"authentication token of the private registry basic auth"})]})]})]}),"\n",(0,t.jsx)(r.p,{children:"Below are basic examples of using private registries in different modes:"}),"\n",(0,t.jsx)(r.h3,{id:"wildcard-support",children:"Wildcard Support"}),"\n",(0,t.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,t.jsx)(r.p,{children:"Wildcard support is available as of the March 2024 releases: v1.26.15+k3s1, v1.27.12+k3s1, v1.28.8+k3s1, v1.29.3+k3s1"})}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:'"*"'})," wildcard entry can be used in the ",(0,t.jsx)(r.code,{children:"mirrors"})," and ",(0,t.jsx)(r.code,{children:"configs"})," sections to provide default configuration for all registries.\nThe default configuration will only be used if there is no specific entry for that registry. Note that the asterisk MUST be quoted."]}),"\n",(0,t.jsxs)(r.p,{children:["In the following example, a local registry mirror will be used for all registries. TLS verification will be disabled for all registries, except ",(0,t.jsx)(r.code,{children:"docker.io"}),"."]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n "*":\n endpoint:\n - "https://registry.example.com:5000"\nconfigs:\n "docker.io":\n "*":\n tls:\n insecure_skip_verify: true\n'})}),"\n",(0,t.jsx)(r.h3,{id:"with-tls",children:"With TLS"}),"\n",(0,t.jsxs)(r.p,{children:["Below are examples showing how you may configure ",(0,t.jsx)(r.code,{children:"/etc/rancher/k3s/registries.yaml"})," on each node when using TLS."]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)(i,{value:"With Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\nconfigs:\n "registry.example.com:5000":\n auth:\n username: xxxxxx # this is the registry username\n password: xxxxxx # this is the registry password\n tls:\n cert_file: # path to the cert file used in the registry\n key_file: # path to the key file used in the registry\n ca_file: # path to the ca file used in the registry\n'})})}),(0,t.jsx)(i,{value:"Without Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "https://registry.example.com:5000"\nconfigs:\n "registry.example.com:5000":\n tls:\n cert_file: # path to the cert file used in the registry\n key_file: # path to the key file used in the registry\n ca_file: # path to the ca file used in the registry\n'})})})]}),"\n",(0,t.jsx)(r.h3,{id:"without-tls",children:"Without TLS"}),"\n",(0,t.jsxs)(r.p,{children:["Below are examples showing how you may configure ",(0,t.jsx)(r.code,{children:"/etc/rancher/k3s/registries.yaml"})," on each node when ",(0,t.jsx)(r.em,{children:"not"})," using TLS."]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)(i,{value:"With Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "http://registry.example.com:5000"\nconfigs:\n "registry.example.com:5000":\n auth:\n username: xxxxxx # this is the registry username\n password: xxxxxx # this is the registry password\n'})})}),(0,t.jsx)(i,{value:"Without Authentication",children:(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n docker.io:\n endpoint:\n - "http://registry.example.com:5000"\n'})})})]}),"\n",(0,t.jsxs)(r.blockquote,{children:["\n",(0,t.jsxs)(r.p,{children:["In case of no TLS communication, you need to specify ",(0,t.jsx)(r.code,{children:"http://"})," for the endpoints, otherwise it will default to https."]}),"\n"]}),"\n",(0,t.jsx)(r.p,{children:"In order for the registry changes to take effect, you need to restart K3s on each node."}),"\n",(0,t.jsx)(r.h2,{id:"troubleshooting-image-pulls",children:"Troubleshooting Image Pulls"}),"\n",(0,t.jsx)(r.p,{children:"When Kubernetes experiences problems pulling an image, the error displayed by the kubelet may only reflect the terminal error returned\nby the pull attempt made against the default endpoint, making it appear that the configured endpoints are not being used."}),"\n",(0,t.jsxs)(r.p,{children:["Check the containerd log on the node at ",(0,t.jsx)(r.code,{children:"/var/lib/rancher/k3s/agent/containerd/containerd.log"})," for detailed information on the root cause of the failure."]}),"\n",(0,t.jsx)(r.h2,{id:"adding-images-to-the-private-registry",children:"Adding Images to the Private Registry"}),"\n",(0,t.jsxs)(r.p,{children:["Mirroring images to a private registry requires a host with Docker or other 3rd party tooling that is capable of pulling and pushing images.",(0,t.jsx)(r.br,{}),"\n","The steps below assume you have a host with dockerd and the docker CLI tools, and access to both docker.io and your private registry."]}),"\n",(0,t.jsxs)(r.ol,{children:["\n",(0,t.jsxs)(r.li,{children:["Obtain the ",(0,t.jsx)(r.code,{children:"k3s-images.txt"})," file from GitHub for the release you are working with."]}),"\n",(0,t.jsxs)(r.li,{children:["Pull each of the K3s images listed on the k3s-images.txt file from docker.io.",(0,t.jsx)(r.br,{}),"\n","Example: ",(0,t.jsx)(r.code,{children:"docker pull docker.io/rancher/mirrored-pause:3.6"})]}),"\n",(0,t.jsxs)(r.li,{children:["Retag the images to the private registry.",(0,t.jsx)(r.br,{}),"\n","Example: ",(0,t.jsx)(r.code,{children:"docker tag docker.io/rancher/mirrored-pause:3.6 registry.example.com:5000/rancher/mirrored-pause:3.6"})]}),"\n",(0,t.jsxs)(r.li,{children:["Push the images to the private registry.",(0,t.jsx)(r.br,{}),"\n","Example: ",(0,t.jsx)(r.code,{children:"docker push registry.example.com:5000/rancher/mirrored-pause:3.6"})]}),"\n"]})]})}function h(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,t.jsx)(r,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}function p(e,r){throw new Error("Expected "+(r?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,r,i)=>{i.d(r,{Z:()=>a,a:()=>o});var t=i(7294);const n={},s=t.createContext(n);function o(e){const r=t.useContext(s);return t.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function a(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:o(e.components),t.createElement(s.Provider,{value:r},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/17035653.1e012ca4.js b/assets/js/17035653.429e9619.js
similarity index 99%
rename from assets/js/17035653.1e012ca4.js
rename to assets/js/17035653.429e9619.js
index a06fa51c7..6c49ac191 100644
--- a/assets/js/17035653.1e012ca4.js
+++ b/assets/js/17035653.429e9619.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8380],{4877:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>o,contentTitle:()=>l,default:()=>d,frontMatter:()=>r,metadata:()=>a,toc:()=>u});var s=t(5893),i=t(1151);const r={title:"Multus and IPAM plugins"},l=void 0,a={id:"networking/multus-ipams",title:"Multus and IPAM plugins",description:"Multus CNI is a CNI plugin that enables attaching multiple network interfaces to pods. Multus does not replace CNI plugins, instead it acts as a CNI plugin multiplexer. Multus is useful in certain use cases, especially when pods are network intensive and require extra network interfaces that support dataplane acceleration techniques such as SR-IOV.",source:"@site/docs/networking/multus-ipams.md",sourceDirName:"networking",slug:"/networking/multus-ipams",permalink:"/networking/multus-ipams",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/multus-ipams.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Multus and IPAM plugins"},sidebar:"mySidebar",previous:{title:"Distributed hybrid or multicloud cluster",permalink:"/networking/distributed-multicloud"},next:{title:"Networking Services",permalink:"/networking/networking-services"}},o={},u=[{value:"Add the Helm Repository",id:"add-the-helm-repository",level:3},{value:"Configure the IPAM plugin",id:"configure-the-ipam-plugin",level:3},{value:"Deploy Multus",id:"deploy-multus",level:3}];function c(e){const n={a:"a",code:"code",h3:"h3",p:"p",pre:"pre",...(0,i.a)(),...e.components},{TabItem:t,Tabs:r}=n;return t||h("TabItem",!0),r||h("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/k8snetworkplumbingwg/multus-cni",children:"Multus CNI"})," is a CNI plugin that enables attaching multiple network interfaces to pods. Multus does not replace CNI plugins, instead it acts as a CNI plugin multiplexer. Multus is useful in certain use cases, especially when pods are network intensive and require extra network interfaces that support dataplane acceleration techniques such as SR-IOV."]}),"\n",(0,s.jsx)(n.p,{children:"Multus can not be deployed standalone. It always requires at least one conventional CNI plugin that fulfills the Kubernetes cluster network requirements. That CNI plugin becomes the default for Multus, and will be used to provide the primary interface for all pods. When deploying K3s with default options, that CNI plugin is Flannel."}),"\n",(0,s.jsx)(n.h3,{id:"add-the-helm-repository",children:"Add the Helm Repository"}),"\n",(0,s.jsx)(n.p,{children:"To deploy Multus, we recommend using the following helm repo:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"helm repo add rke2-charts https://rke2-charts.rancher.io\nhelm repo update\n"})}),"\n",(0,s.jsx)(n.h3,{id:"configure-the-ipam-plugin",children:"Configure the IPAM plugin"}),"\n",(0,s.jsx)(n.p,{children:"An IPAM plugin is required to assign IP addresses on the extra interfaces created by Multus."}),"\n",(0,s.jsxs)(r,{groupId:"MultusIPAMplugins",children:[(0,s.jsxs)(t,{value:"host-local",default:!0,children:[(0,s.jsxs)(n.p,{children:["The host-local IPAM plugin allocates ip addresses out of a set of address ranges. It stores the state locally on the host filesystem, hence ensuring uniqueness of IP addresses on a single host. Therefore, we don't recommend it for multi-node clusters. This IPAM plugin does not require any extra deployment. For more information: ",(0,s.jsx)(n.a,{href:"https://www.cni.dev/plugins/current/ipam/host-local/",children:"https://www.cni.dev/plugins/current/ipam/host-local/"}),"."]}),(0,s.jsxs)(n.p,{children:["To use the host-local plugin, please create a file called ",(0,s.jsx)(n.code,{children:"multus-values.yaml"})," with the following content:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"config:\n cni_conf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig\n"})})]}),(0,s.jsxs)(t,{value:"Whereabouts",default:!0,children:[(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/k8snetworkplumbingwg/whereabouts",children:"Whereabouts"})," is an IP Address Management (IPAM) CNI plugin that assigns IP addresses cluster-wide."]}),(0,s.jsxs)(n.p,{children:["To use the Whereabouts IPAM plugin, please create a file called ",(0,s.jsx)(n.code,{children:"multus-values.yaml"})," with the following content:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"config:\n cni_conf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig\nrke2-whereabouts:\n fullnameOverride: whereabouts\n enabled: true\n cniConf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n"})})]}),(0,s.jsxs)(t,{value:"Multus DHCP daemon",default:!0,children:[(0,s.jsxs)(n.p,{children:["The dhcp IPAM plugin can be deployed when there is already a DHCP server running on the network. This daemonset takes care of periodically renewing the DHCP lease. For more information please check the official docs of ",(0,s.jsx)(n.a,{href:"https://www.cni.dev/plugins/current/ipam/dhcp/",children:"DHCP IPAM plugin"}),"."]}),(0,s.jsxs)(n.p,{children:["To use the DHCP plugin, please create a file called ",(0,s.jsx)(n.code,{children:"multus-values.yaml"})," with the following content:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"config:\n cni_conf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig\nmanifests:\n dhcpDaemonSet: true\n"})})]})]}),"\n",(0,s.jsx)(n.h3,{id:"deploy-multus",children:"Deploy Multus"}),"\n",(0,s.jsxs)(n.p,{children:["After creating the ",(0,s.jsx)(n.code,{children:"multus-values.yaml"})," file, everything is ready to install Multus:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"helm install multus rke2-charts/rke2-multus -n kube-system --kubeconfig /etc/rancher/k3s/k3s.yaml --values multus-values.yaml\n"})}),"\n",(0,s.jsxs)(n.p,{children:["The helm chart install will deploy a DaemonSet to create Multus pods for installing the required CNI binaries in ",(0,s.jsx)(n.code,{children:"/var/lib/rancher/k3s/data/current/"})," and Multus CNI config in ",(0,s.jsx)(n.code,{children:"/var/lib/rancher/k3s/agent/etc/cni/net.d"}),"."]}),"\n",(0,s.jsxs)(n.p,{children:["For more information about Multus, refer to the ",(0,s.jsx)(n.a,{href:"https://github.com/k8snetworkplumbingwg/multus-cni/tree/master/docs",children:"multus-cni"})," documentation."]})]})}function d(e={}){const{wrapper:n}={...(0,i.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}function h(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,t)=>{t.d(n,{Z:()=>a,a:()=>l});var s=t(7294);const i={},r=s.createContext(i);function l(e){const n=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:l(e.components),s.createElement(r.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8380],{4877:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>o,contentTitle:()=>l,default:()=>d,frontMatter:()=>r,metadata:()=>a,toc:()=>u});var s=t(5893),i=t(1151);const r={title:"Multus and IPAM plugins"},l=void 0,a={id:"networking/multus-ipams",title:"Multus and IPAM plugins",description:"Multus CNI is a CNI plugin that enables attaching multiple network interfaces to pods. Multus does not replace CNI plugins, instead it acts as a CNI plugin multiplexer. Multus is useful in certain use cases, especially when pods are network intensive and require extra network interfaces that support dataplane acceleration techniques such as SR-IOV.",source:"@site/docs/networking/multus-ipams.md",sourceDirName:"networking",slug:"/networking/multus-ipams",permalink:"/networking/multus-ipams",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/multus-ipams.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Multus and IPAM plugins"},sidebar:"mySidebar",previous:{title:"Distributed hybrid or multicloud cluster",permalink:"/networking/distributed-multicloud"},next:{title:"Networking Services",permalink:"/networking/networking-services"}},o={},u=[{value:"Add the Helm Repository",id:"add-the-helm-repository",level:3},{value:"Configure the IPAM plugin",id:"configure-the-ipam-plugin",level:3},{value:"Deploy Multus",id:"deploy-multus",level:3}];function c(e){const n={a:"a",code:"code",h3:"h3",p:"p",pre:"pre",...(0,i.a)(),...e.components},{TabItem:t,Tabs:r}=n;return t||h("TabItem",!0),r||h("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/k8snetworkplumbingwg/multus-cni",children:"Multus CNI"})," is a CNI plugin that enables attaching multiple network interfaces to pods. Multus does not replace CNI plugins, instead it acts as a CNI plugin multiplexer. Multus is useful in certain use cases, especially when pods are network intensive and require extra network interfaces that support dataplane acceleration techniques such as SR-IOV."]}),"\n",(0,s.jsx)(n.p,{children:"Multus can not be deployed standalone. It always requires at least one conventional CNI plugin that fulfills the Kubernetes cluster network requirements. That CNI plugin becomes the default for Multus, and will be used to provide the primary interface for all pods. When deploying K3s with default options, that CNI plugin is Flannel."}),"\n",(0,s.jsx)(n.h3,{id:"add-the-helm-repository",children:"Add the Helm Repository"}),"\n",(0,s.jsx)(n.p,{children:"To deploy Multus, we recommend using the following helm repo:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"helm repo add rke2-charts https://rke2-charts.rancher.io\nhelm repo update\n"})}),"\n",(0,s.jsx)(n.h3,{id:"configure-the-ipam-plugin",children:"Configure the IPAM plugin"}),"\n",(0,s.jsx)(n.p,{children:"An IPAM plugin is required to assign IP addresses on the extra interfaces created by Multus."}),"\n",(0,s.jsxs)(r,{groupId:"MultusIPAMplugins",children:[(0,s.jsxs)(t,{value:"host-local",default:!0,children:[(0,s.jsxs)(n.p,{children:["The host-local IPAM plugin allocates ip addresses out of a set of address ranges. It stores the state locally on the host filesystem, hence ensuring uniqueness of IP addresses on a single host. Therefore, we don't recommend it for multi-node clusters. This IPAM plugin does not require any extra deployment. For more information: ",(0,s.jsx)(n.a,{href:"https://www.cni.dev/plugins/current/ipam/host-local/",children:"https://www.cni.dev/plugins/current/ipam/host-local/"}),"."]}),(0,s.jsxs)(n.p,{children:["To use the host-local plugin, please create a file called ",(0,s.jsx)(n.code,{children:"multus-values.yaml"})," with the following content:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"config:\n cni_conf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig\n"})})]}),(0,s.jsxs)(t,{value:"Whereabouts",default:!0,children:[(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/k8snetworkplumbingwg/whereabouts",children:"Whereabouts"})," is an IP Address Management (IPAM) CNI plugin that assigns IP addresses cluster-wide."]}),(0,s.jsxs)(n.p,{children:["To use the Whereabouts IPAM plugin, please create a file called ",(0,s.jsx)(n.code,{children:"multus-values.yaml"})," with the following content:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"config:\n cni_conf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig\nrke2-whereabouts:\n fullnameOverride: whereabouts\n enabled: true\n cniConf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n"})})]}),(0,s.jsxs)(t,{value:"Multus DHCP daemon",default:!0,children:[(0,s.jsxs)(n.p,{children:["The dhcp IPAM plugin can be deployed when there is already a DHCP server running on the network. This daemonset takes care of periodically renewing the DHCP lease. For more information please check the official docs of ",(0,s.jsx)(n.a,{href:"https://www.cni.dev/plugins/current/ipam/dhcp/",children:"DHCP IPAM plugin"}),"."]}),(0,s.jsxs)(n.p,{children:["To use the DHCP plugin, please create a file called ",(0,s.jsx)(n.code,{children:"multus-values.yaml"})," with the following content:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"config:\n cni_conf:\n confDir: /var/lib/rancher/k3s/agent/etc/cni/net.d\n binDir: /var/lib/rancher/k3s/data/current/bin/\n kubeconfig: /var/lib/rancher/k3s/agent/etc/cni/net.d/multus.d/multus.kubeconfig\nmanifests:\n dhcpDaemonSet: true\n"})})]})]}),"\n",(0,s.jsx)(n.h3,{id:"deploy-multus",children:"Deploy Multus"}),"\n",(0,s.jsxs)(n.p,{children:["After creating the ",(0,s.jsx)(n.code,{children:"multus-values.yaml"})," file, everything is ready to install Multus:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"helm install multus rke2-charts/rke2-multus -n kube-system --kubeconfig /etc/rancher/k3s/k3s.yaml --values multus-values.yaml\n"})}),"\n",(0,s.jsxs)(n.p,{children:["The helm chart install will deploy a DaemonSet to create Multus pods for installing the required CNI binaries in ",(0,s.jsx)(n.code,{children:"/var/lib/rancher/k3s/data/current/"})," and Multus CNI config in ",(0,s.jsx)(n.code,{children:"/var/lib/rancher/k3s/agent/etc/cni/net.d"}),"."]}),"\n",(0,s.jsxs)(n.p,{children:["For more information about Multus, refer to the ",(0,s.jsx)(n.a,{href:"https://github.com/k8snetworkplumbingwg/multus-cni/tree/master/docs",children:"multus-cni"})," documentation."]})]})}function d(e={}){const{wrapper:n}={...(0,i.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}function h(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,t)=>{t.d(n,{Z:()=>a,a:()=>l});var s=t(7294);const i={},r=s.createContext(i);function l(e){const n=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:l(e.components),s.createElement(r.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/179ec51e.d1de3cd3.js b/assets/js/179ec51e.9f620303.js
similarity index 99%
rename from assets/js/179ec51e.d1de3cd3.js
rename to assets/js/179ec51e.9f620303.js
index 475c87f9e..c9cc4df11 100644
--- a/assets/js/179ec51e.d1de3cd3.js
+++ b/assets/js/179ec51e.9f620303.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7176],{6790:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>a,contentTitle:()=>c,default:()=>h,frontMatter:()=>i,metadata:()=>l,toc:()=>o});var r=s(5893),t=s(1151);const i={title:"secrets-encrypt"},c="k3s secrets-encrypt",l={id:"cli/secrets-encrypt",title:"secrets-encrypt",description:"K3s supports enabling secrets encryption at rest. For more information, see Secrets Encryption.",source:"@site/docs/cli/secrets-encrypt.md",sourceDirName:"cli",slug:"/cli/secrets-encrypt",permalink:"/cli/secrets-encrypt",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/secrets-encrypt.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"secrets-encrypt"},sidebar:"mySidebar",previous:{title:"etcd-snapshot",permalink:"/cli/etcd-snapshot"},next:{title:"token",permalink:"/cli/token"}},a={},o=[{value:"Secrets Encryption Tool",id:"secrets-encryption-tool",level:2},{value:"New Encryption Key Rotation (Experimental)",id:"new-encryption-key-rotation-experimental",level:3},{value:"Encryption Key Rotation Classic",id:"encryption-key-rotation-classic",level:3},{value:"Secrets Encryption Disable/Re-enable",id:"secrets-encryption-disablere-enable",level:3},{value:"Secrets Encryption Status",id:"secrets-encryption-status",level:3}];function d(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",em:"em",h1:"h1",h2:"h2",h3:"h3",header:"header",li:"li",mdxAdmonitionTitle:"mdxAdmonitionTitle",ol:"ol",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,t.a)(),...e.components},{TabItem:s,Tabs:i}=n;return s||p("TabItem",!0),i||p("Tabs",!0),(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(n.header,{children:(0,r.jsx)(n.h1,{id:"k3s-secrets-encrypt",children:"k3s secrets-encrypt"})}),"\n",(0,r.jsxs)(n.p,{children:["K3s supports enabling secrets encryption at rest. For more information, see ",(0,r.jsx)(n.a,{href:"/security/secrets-encryption",children:"Secrets Encryption"}),"."]}),"\n",(0,r.jsx)(n.h2,{id:"secrets-encryption-tool",children:"Secrets Encryption Tool"}),"\n",(0,r.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,r.jsxs)(n.p,{children:["Available as of ",(0,r.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.21.8%2Bk3s1",children:"v1.21.8+k3s1"})]})}),"\n",(0,r.jsxs)(n.p,{children:["K3s contains a CLI tool ",(0,r.jsx)(n.code,{children:"secrets-encrypt"}),", which enables automatic control over the following:"]}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsx)(n.li,{children:"Disabling/Enabling secrets encryption"}),"\n",(0,r.jsx)(n.li,{children:"Adding new encryption keys"}),"\n",(0,r.jsx)(n.li,{children:"Rotating and deleting encryption keys"}),"\n",(0,r.jsx)(n.li,{children:"Reencrypting secrets"}),"\n"]}),"\n",(0,r.jsx)(n.admonition,{type:"warning",children:(0,r.jsx)(n.p,{children:"Failure to follow proper procedure for rotating encryption keys can leave your cluster permanently corrupted. Proceed with caution."})}),"\n",(0,r.jsx)(n.h3,{id:"new-encryption-key-rotation-experimental",children:"New Encryption Key Rotation (Experimental)"}),"\n",(0,r.jsxs)(n.admonition,{title:"Version Gate",type:"info",children:[(0,r.jsxs)(n.p,{children:["Available as of ",(0,r.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.1%2Bk3s1",children:"v1.28.1+k3s1"}),". This new version of the tool utilized K8s ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#configure-automatic-reloading",children:"automatic config reloading"})," which is currently in beta. GA is expected in v1.29.0"]}),(0,r.jsxs)(n.p,{children:["For older releases, see ",(0,r.jsx)(n.a,{href:"#encryption-key-rotation-classic",children:"Encryption Key Rotation Classic"})]})]}),"\n",(0,r.jsxs)(i,{groupId:"se",queryString:!0,children:[(0,r.jsxs)(s,{value:"Single-Server",default:!0,children:[(0,r.jsx)(n.p,{children:"To rotate secrets encryption keys on a single-server cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:["Start the K3s server with the flag ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})]}),"\n",(0,r.jsxs)(n.admonition,{type:"note",children:[(0,r.jsx)(n.mdxAdmonitionTitle,{}),(0,r.jsxs)(n.p,{children:["Starting K3s without encryption and enabling it at a later time is currently ",(0,r.jsx)(n.em,{children:"not"})," supported."]})]}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Rotate secrets encryption keys"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"k3s secrets-encrypt rotate-keys\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Wait for reencryption to finish. Watch the server logs, or wait for:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"$ k3s secrets-encrypt status\nEncryption Status: Enabled\nCurrent Rotation Stage: reencrypt_finished\n"})}),"\n"]}),"\n"]})]}),(0,r.jsxs)(s,{value:"High-Availability",children:[(0,r.jsx)(n.p,{children:"To rotate secrets encryption keys on HA setups:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:["Start up all three K3s servers with the ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})," flag. For brevity, the servers will be referred to as S1, S2, S3."]}),"\n",(0,r.jsx)(n.admonition,{type:"note",children:(0,r.jsxs)(n.p,{children:["Starting K3s without encryption and enabling it at a later time is currently ",(0,r.jsx)(n.em,{children:"not"})," supported."]})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Rotate secrets encryption keys on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt rotate-keys\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Wait for reencryption to finish. Watch the server logs, or wait for:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"$ k3s secrets-encrypt status\nEncryption Status: Enabled\nCurrent Rotation Stage: reencrypt_finished\n"})}),"\n",(0,r.jsx)(n.admonition,{type:"info",children:(0,r.jsx)(n.p,{children:"K3s will reencrypt ~5 secrets per second. Clusters with large # of secrets can take several minutes to reencrypt. You can track progress in the server logs."})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Restart K3s on S1 with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, restart K3s on S2 and S3"}),"\n"]}),"\n"]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"encryption-key-rotation-classic",children:"Encryption Key Rotation Classic"}),"\n",(0,r.jsxs)(i,{groupId:"se",queryString:!0,children:[(0,r.jsxs)(s,{value:"Single-Server",default:!0,children:[(0,r.jsx)(n.p,{children:"To rotate secrets encryption keys on a single-server cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:["Start the K3s server with the flag ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})]}),"\n",(0,r.jsxs)(n.admonition,{type:"note",children:[(0,r.jsx)(n.mdxAdmonitionTitle,{}),(0,r.jsxs)(n.p,{children:["Starting K3s without encryption and enabling it at a later time is currently ",(0,r.jsx)(n.em,{children:"not"})," supported."]})]}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Prepare"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt prepare\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Rotate"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt rotate\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt"}),"\n",(0,r.jsx)(n.admonition,{type:"info",children:(0,r.jsxs)(n.p,{children:["K3s will reencrypt ~5 secrets per second.",(0,r.jsx)(n.br,{}),"\n","Clusters with large # of secrets can take several minutes to reencrypt."]})}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt\n"})}),"\n"]}),"\n"]})]}),(0,r.jsxs)(s,{value:"High-Availability",children:[(0,r.jsx)(n.p,{children:"The steps are the same for both embedded DB and external DB clusters."}),(0,r.jsx)(n.p,{children:"To rotate secrets encryption keys on HA setups:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:["Start up all three K3s servers with the ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})," flag. For brevity, the servers will be referred to as S1, S2, S3."]}),"\n",(0,r.jsx)(n.admonition,{title:"Notes",type:"note",children:(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["Starting K3s without encryption and enabling it at a later time is currently ",(0,r.jsx)(n.em,{children:"not"})," supported."]}),"\n",(0,r.jsxs)(n.li,{children:["While not required, it is recommended that you pick one server node from which to run the ",(0,r.jsx)(n.code,{children:"secrets-encrypt"})," commands."]}),"\n"]})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Prepare on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt prepare\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Rotate on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt rotate\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt on S1"}),"\n",(0,r.jsx)(n.admonition,{type:"info",children:(0,r.jsxs)(n.p,{children:["K3s will reencrypt ~5 secrets per second.",(0,r.jsx)(n.br,{}),"\n","Clusters with large # of secrets can take several minutes to reencrypt."]})}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n"]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"secrets-encryption-disablere-enable",children:"Secrets Encryption Disable/Re-enable"}),"\n",(0,r.jsxs)(i,{groupId:"se",queryString:!0,children:[(0,r.jsxs)(s,{value:"Single-Server",default:!0,children:[(0,r.jsxs)(n.p,{children:["After launching a server with ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})," flag, secrets encryption can be disabled."]}),(0,r.jsx)(n.p,{children:"To disable secrets encryption on a single-node cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Disable"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt disable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]}),(0,r.jsx)(n.p,{children:"To re-enable secrets encryption on a single node cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Enable"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt enable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]})]}),(0,r.jsxs)(s,{value:"High-Availability",children:[(0,r.jsxs)(n.p,{children:["After launching a HA cluster with ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})," flags, secrets encryption can be disabled."]}),(0,r.jsx)(n.admonition,{type:"note",children:(0,r.jsxs)(n.p,{children:["While not required, it is recommended that you pick one server node from which to run the ",(0,r.jsx)(n.code,{children:"secrets-encrypt"})," commands."]})}),(0,r.jsx)(n.p,{children:"For brevity, the three servers used in this guide will be referred to as S1, S2, S3."}),(0,r.jsx)(n.p,{children:"To disable secrets encryption on a HA cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Disable on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt disable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]}),(0,r.jsx)(n.p,{children:"To re-enable secrets encryption on a HA cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Enable on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt enable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"secrets-encryption-status",children:"Secrets Encryption Status"}),"\n",(0,r.jsxs)(n.p,{children:["The secrets-encrypt tool includes a ",(0,r.jsx)(n.code,{children:"status"})," command that displays information about the current status of secrets encryption on the node."]}),"\n",(0,r.jsx)(n.p,{children:"An example of the command on a single-server node:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"$ k3s secrets-encrypt status\nEncryption Status: Enabled\nCurrent Rotation Stage: start\nServer Encryption Hashes: All hashes match\n\nActive Key Type Name\n------ -------- ----\n * AES-CBC aescbckey\n\n"})}),"\n",(0,r.jsx)(n.p,{children:"Another example on HA cluster, after rotating the keys, but before restarting the servers:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"$ k3s secrets-encrypt status\nEncryption Status: Enabled\nCurrent Rotation Stage: rotate\nServer Encryption Hashes: hash does not match between node-1 and node-2\n\nActive Key Type Name\n------ -------- ----\n * AES-CBC aescbckey-2021-12-10T22:54:38Z\n AES-CBC aescbckey\n\n"})}),"\n",(0,r.jsx)(n.p,{children:"Details on each section are as follows:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Encryption Status"}),": Displayed whether secrets encryption is disabled or enabled on the node"]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Current Rotation Stage"}),": Indicates the current rotation stage on the node.",(0,r.jsx)(n.br,{}),"\n","Stages are: ",(0,r.jsx)(n.code,{children:"start"}),", ",(0,r.jsx)(n.code,{children:"prepare"}),", ",(0,r.jsx)(n.code,{children:"rotate"}),", ",(0,r.jsx)(n.code,{children:"reencrypt_request"}),", ",(0,r.jsx)(n.code,{children:"reencrypt_active"}),", ",(0,r.jsx)(n.code,{children:"reencrypt_finished"})]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Server Encryption Hashes"}),": Useful for HA clusters, this indicates whether all servers are on the same stage with their local files. This can be used to identify whether a restart of servers is required before proceeding to the next stage. In the HA example above, node-1 and node-2 have different hashes, indicating that they currently do not have the same encryption configuration. Restarting the servers will sync up their configuration."]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Key Table"}),": Summarizes information about the secrets encryption keys found on the node.","\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Active"}),': The "*" indicates which, if any, of the keys are currently used for secrets encryption. An active key is used by Kubernetes to encrypt any new secrets.']}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Key Type"}),": All keys using this tool are ",(0,r.jsx)(n.code,{children:"AES-CBC"})," type. See more info ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#providers",children:"here."})]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Name"}),": Name of the encryption key."]}),"\n"]}),"\n"]}),"\n"]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(d,{...e})}):d(e)}function p(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,s)=>{s.d(n,{Z:()=>l,a:()=>c});var r=s(7294);const t={},i=r.createContext(t);function c(e){const n=r.useContext(i);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:c(e.components),r.createElement(i.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7176],{6790:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>a,contentTitle:()=>c,default:()=>h,frontMatter:()=>i,metadata:()=>l,toc:()=>o});var r=s(5893),t=s(1151);const i={title:"secrets-encrypt"},c="k3s secrets-encrypt",l={id:"cli/secrets-encrypt",title:"secrets-encrypt",description:"K3s supports enabling secrets encryption at rest. For more information, see Secrets Encryption.",source:"@site/docs/cli/secrets-encrypt.md",sourceDirName:"cli",slug:"/cli/secrets-encrypt",permalink:"/cli/secrets-encrypt",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/secrets-encrypt.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"secrets-encrypt"},sidebar:"mySidebar",previous:{title:"etcd-snapshot",permalink:"/cli/etcd-snapshot"},next:{title:"token",permalink:"/cli/token"}},a={},o=[{value:"Secrets Encryption Tool",id:"secrets-encryption-tool",level:2},{value:"New Encryption Key Rotation (Experimental)",id:"new-encryption-key-rotation-experimental",level:3},{value:"Encryption Key Rotation Classic",id:"encryption-key-rotation-classic",level:3},{value:"Secrets Encryption Disable/Re-enable",id:"secrets-encryption-disablere-enable",level:3},{value:"Secrets Encryption Status",id:"secrets-encryption-status",level:3}];function d(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",em:"em",h1:"h1",h2:"h2",h3:"h3",header:"header",li:"li",mdxAdmonitionTitle:"mdxAdmonitionTitle",ol:"ol",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,t.a)(),...e.components},{TabItem:s,Tabs:i}=n;return s||p("TabItem",!0),i||p("Tabs",!0),(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(n.header,{children:(0,r.jsx)(n.h1,{id:"k3s-secrets-encrypt",children:"k3s secrets-encrypt"})}),"\n",(0,r.jsxs)(n.p,{children:["K3s supports enabling secrets encryption at rest. For more information, see ",(0,r.jsx)(n.a,{href:"/security/secrets-encryption",children:"Secrets Encryption"}),"."]}),"\n",(0,r.jsx)(n.h2,{id:"secrets-encryption-tool",children:"Secrets Encryption Tool"}),"\n",(0,r.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,r.jsxs)(n.p,{children:["Available as of ",(0,r.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.21.8%2Bk3s1",children:"v1.21.8+k3s1"})]})}),"\n",(0,r.jsxs)(n.p,{children:["K3s contains a CLI tool ",(0,r.jsx)(n.code,{children:"secrets-encrypt"}),", which enables automatic control over the following:"]}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsx)(n.li,{children:"Disabling/Enabling secrets encryption"}),"\n",(0,r.jsx)(n.li,{children:"Adding new encryption keys"}),"\n",(0,r.jsx)(n.li,{children:"Rotating and deleting encryption keys"}),"\n",(0,r.jsx)(n.li,{children:"Reencrypting secrets"}),"\n"]}),"\n",(0,r.jsx)(n.admonition,{type:"warning",children:(0,r.jsx)(n.p,{children:"Failure to follow proper procedure for rotating encryption keys can leave your cluster permanently corrupted. Proceed with caution."})}),"\n",(0,r.jsx)(n.h3,{id:"new-encryption-key-rotation-experimental",children:"New Encryption Key Rotation (Experimental)"}),"\n",(0,r.jsxs)(n.admonition,{title:"Version Gate",type:"info",children:[(0,r.jsxs)(n.p,{children:["Available as of ",(0,r.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.1%2Bk3s1",children:"v1.28.1+k3s1"}),". This new version of the tool utilized K8s ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#configure-automatic-reloading",children:"automatic config reloading"})," which is currently in beta. GA is expected in v1.29.0"]}),(0,r.jsxs)(n.p,{children:["For older releases, see ",(0,r.jsx)(n.a,{href:"#encryption-key-rotation-classic",children:"Encryption Key Rotation Classic"})]})]}),"\n",(0,r.jsxs)(i,{groupId:"se",queryString:!0,children:[(0,r.jsxs)(s,{value:"Single-Server",default:!0,children:[(0,r.jsx)(n.p,{children:"To rotate secrets encryption keys on a single-server cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:["Start the K3s server with the flag ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})]}),"\n",(0,r.jsxs)(n.admonition,{type:"note",children:[(0,r.jsx)(n.mdxAdmonitionTitle,{}),(0,r.jsxs)(n.p,{children:["Starting K3s without encryption and enabling it at a later time is currently ",(0,r.jsx)(n.em,{children:"not"})," supported."]})]}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Rotate secrets encryption keys"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"k3s secrets-encrypt rotate-keys\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Wait for reencryption to finish. Watch the server logs, or wait for:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"$ k3s secrets-encrypt status\nEncryption Status: Enabled\nCurrent Rotation Stage: reencrypt_finished\n"})}),"\n"]}),"\n"]})]}),(0,r.jsxs)(s,{value:"High-Availability",children:[(0,r.jsx)(n.p,{children:"To rotate secrets encryption keys on HA setups:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:["Start up all three K3s servers with the ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})," flag. For brevity, the servers will be referred to as S1, S2, S3."]}),"\n",(0,r.jsx)(n.admonition,{type:"note",children:(0,r.jsxs)(n.p,{children:["Starting K3s without encryption and enabling it at a later time is currently ",(0,r.jsx)(n.em,{children:"not"})," supported."]})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Rotate secrets encryption keys on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt rotate-keys\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Wait for reencryption to finish. Watch the server logs, or wait for:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"$ k3s secrets-encrypt status\nEncryption Status: Enabled\nCurrent Rotation Stage: reencrypt_finished\n"})}),"\n",(0,r.jsx)(n.admonition,{type:"info",children:(0,r.jsx)(n.p,{children:"K3s will reencrypt ~5 secrets per second. Clusters with large # of secrets can take several minutes to reencrypt. You can track progress in the server logs."})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Restart K3s on S1 with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, restart K3s on S2 and S3"}),"\n"]}),"\n"]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"encryption-key-rotation-classic",children:"Encryption Key Rotation Classic"}),"\n",(0,r.jsxs)(i,{groupId:"se",queryString:!0,children:[(0,r.jsxs)(s,{value:"Single-Server",default:!0,children:[(0,r.jsx)(n.p,{children:"To rotate secrets encryption keys on a single-server cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:["Start the K3s server with the flag ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})]}),"\n",(0,r.jsxs)(n.admonition,{type:"note",children:[(0,r.jsx)(n.mdxAdmonitionTitle,{}),(0,r.jsxs)(n.p,{children:["Starting K3s without encryption and enabling it at a later time is currently ",(0,r.jsx)(n.em,{children:"not"})," supported."]})]}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Prepare"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt prepare\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Rotate"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt rotate\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt"}),"\n",(0,r.jsx)(n.admonition,{type:"info",children:(0,r.jsxs)(n.p,{children:["K3s will reencrypt ~5 secrets per second.",(0,r.jsx)(n.br,{}),"\n","Clusters with large # of secrets can take several minutes to reencrypt."]})}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt\n"})}),"\n"]}),"\n"]})]}),(0,r.jsxs)(s,{value:"High-Availability",children:[(0,r.jsx)(n.p,{children:"The steps are the same for both embedded DB and external DB clusters."}),(0,r.jsx)(n.p,{children:"To rotate secrets encryption keys on HA setups:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:["Start up all three K3s servers with the ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})," flag. For brevity, the servers will be referred to as S1, S2, S3."]}),"\n",(0,r.jsx)(n.admonition,{title:"Notes",type:"note",children:(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["Starting K3s without encryption and enabling it at a later time is currently ",(0,r.jsx)(n.em,{children:"not"})," supported."]}),"\n",(0,r.jsxs)(n.li,{children:["While not required, it is recommended that you pick one server node from which to run the ",(0,r.jsx)(n.code,{children:"secrets-encrypt"})," commands."]}),"\n"]})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Prepare on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt prepare\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Rotate on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt rotate\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt on S1"}),"\n",(0,r.jsx)(n.admonition,{type:"info",children:(0,r.jsxs)(n.p,{children:["K3s will reencrypt ~5 secrets per second.",(0,r.jsx)(n.br,{}),"\n","Clusters with large # of secrets can take several minutes to reencrypt."]})}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n"]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"secrets-encryption-disablere-enable",children:"Secrets Encryption Disable/Re-enable"}),"\n",(0,r.jsxs)(i,{groupId:"se",queryString:!0,children:[(0,r.jsxs)(s,{value:"Single-Server",default:!0,children:[(0,r.jsxs)(n.p,{children:["After launching a server with ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})," flag, secrets encryption can be disabled."]}),(0,r.jsx)(n.p,{children:"To disable secrets encryption on a single-node cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Disable"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt disable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]}),(0,r.jsx)(n.p,{children:"To re-enable secrets encryption on a single node cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Enable"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt enable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart the K3s server with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]})]}),(0,r.jsxs)(s,{value:"High-Availability",children:[(0,r.jsxs)(n.p,{children:["After launching a HA cluster with ",(0,r.jsx)(n.code,{children:"--secrets-encryption"})," flags, secrets encryption can be disabled."]}),(0,r.jsx)(n.admonition,{type:"note",children:(0,r.jsxs)(n.p,{children:["While not required, it is recommended that you pick one server node from which to run the ",(0,r.jsx)(n.code,{children:"secrets-encrypt"})," commands."]})}),(0,r.jsx)(n.p,{children:"For brevity, the three servers used in this guide will be referred to as S1, S2, S3."}),(0,r.jsx)(n.p,{children:"To disable secrets encryption on a HA cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Disable on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt disable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments. If running K3s as a service:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"# If using systemd\nsystemctl restart k3s\n# If using openrc\nrc-service k3s restart\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]}),(0,r.jsx)(n.p,{children:"To re-enable secrets encryption on a HA cluster:"}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Enable on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt enable\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Kill and restart S1 with same arguments"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Once S1 is up, kill and restart the S2 and S3"}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Reencrypt with flags on S1"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"k3s secrets-encrypt reencrypt --force --skip\n"})}),"\n"]}),"\n"]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"secrets-encryption-status",children:"Secrets Encryption Status"}),"\n",(0,r.jsxs)(n.p,{children:["The secrets-encrypt tool includes a ",(0,r.jsx)(n.code,{children:"status"})," command that displays information about the current status of secrets encryption on the node."]}),"\n",(0,r.jsx)(n.p,{children:"An example of the command on a single-server node:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"$ k3s secrets-encrypt status\nEncryption Status: Enabled\nCurrent Rotation Stage: start\nServer Encryption Hashes: All hashes match\n\nActive Key Type Name\n------ -------- ----\n * AES-CBC aescbckey\n\n"})}),"\n",(0,r.jsx)(n.p,{children:"Another example on HA cluster, after rotating the keys, but before restarting the servers:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"$ k3s secrets-encrypt status\nEncryption Status: Enabled\nCurrent Rotation Stage: rotate\nServer Encryption Hashes: hash does not match between node-1 and node-2\n\nActive Key Type Name\n------ -------- ----\n * AES-CBC aescbckey-2021-12-10T22:54:38Z\n AES-CBC aescbckey\n\n"})}),"\n",(0,r.jsx)(n.p,{children:"Details on each section are as follows:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Encryption Status"}),": Displayed whether secrets encryption is disabled or enabled on the node"]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Current Rotation Stage"}),": Indicates the current rotation stage on the node.",(0,r.jsx)(n.br,{}),"\n","Stages are: ",(0,r.jsx)(n.code,{children:"start"}),", ",(0,r.jsx)(n.code,{children:"prepare"}),", ",(0,r.jsx)(n.code,{children:"rotate"}),", ",(0,r.jsx)(n.code,{children:"reencrypt_request"}),", ",(0,r.jsx)(n.code,{children:"reencrypt_active"}),", ",(0,r.jsx)(n.code,{children:"reencrypt_finished"})]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Server Encryption Hashes"}),": Useful for HA clusters, this indicates whether all servers are on the same stage with their local files. This can be used to identify whether a restart of servers is required before proceeding to the next stage. In the HA example above, node-1 and node-2 have different hashes, indicating that they currently do not have the same encryption configuration. Restarting the servers will sync up their configuration."]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Key Table"}),": Summarizes information about the secrets encryption keys found on the node.","\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Active"}),': The "*" indicates which, if any, of the keys are currently used for secrets encryption. An active key is used by Kubernetes to encrypt any new secrets.']}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Key Type"}),": All keys using this tool are ",(0,r.jsx)(n.code,{children:"AES-CBC"})," type. See more info ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#providers",children:"here."})]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.strong,{children:"Name"}),": Name of the encryption key."]}),"\n"]}),"\n"]}),"\n"]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(d,{...e})}):d(e)}function p(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,s)=>{s.d(n,{Z:()=>l,a:()=>c});var r=s(7294);const t={},i=r.createContext(t);function c(e){const n=r.useContext(i);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:c(e.components),r.createElement(i.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/1be8dcfa.2f0d0788.js b/assets/js/1be8dcfa.e2983c45.js
similarity index 99%
rename from assets/js/1be8dcfa.2f0d0788.js
rename to assets/js/1be8dcfa.e2983c45.js
index 667bbdf06..e4d10d3c7 100644
--- a/assets/js/1be8dcfa.2f0d0788.js
+++ b/assets/js/1be8dcfa.e2983c45.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7628],{2023:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>a,contentTitle:()=>i,default:()=>h,frontMatter:()=>l,metadata:()=>s,toc:()=>o});var r=t(5893),d=t(1151);const l={title:"agent"},i="k3s agent",s={id:"cli/agent",title:"agent",description:"In this section, you'll learn how to configure the K3s agent.",source:"@site/docs/cli/agent.md",sourceDirName:"cli",slug:"/cli/agent",permalink:"/cli/agent",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/agent.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"agent"},sidebar:"mySidebar",previous:{title:"server",permalink:"/cli/server"},next:{title:"certificate",permalink:"/cli/certificate"}},a={},o=[{value:"Logging",id:"logging",level:3},{value:"Cluster Options",id:"cluster-options",level:3},{value:"Data",id:"data",level:3},{value:"Node",id:"node",level:3},{value:"Runtime",id:"runtime",level:3},{value:"Networking",id:"networking",level:3},{value:"Customized Flags",id:"customized-flags",level:3},{value:"Experimental",id:"experimental",level:3},{value:"Deprecated",id:"deprecated",level:3},{value:"Node Labels and Taints for Agents",id:"node-labels-and-taints-for-agents",level:3},{value:"K3s Agent CLI Help",id:"k3s-agent-cli-help",level:3}];function c(e){const n={a:"a",blockquote:"blockquote",code:"code",h1:"h1",h3:"h3",header:"header",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,d.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(n.header,{children:(0,r.jsx)(n.h1,{id:"k3s-agent",children:"k3s agent"})}),"\n",(0,r.jsx)(n.p,{children:"In this section, you'll learn how to configure the K3s agent."}),"\n",(0,r.jsx)(n.p,{children:"Note that servers also run an agent, so all flags listed on this page are also valid for use on servers."}),"\n",(0,r.jsxs)(n.p,{children:["Options are documented on this page as CLI flags, but can also be passed as configuration file options. See the ",(0,r.jsx)(n.a,{href:"/installation/configuration#configuration-file",children:"Configuration File"})," documentation for more information on using YAML configuration files."]}),"\n",(0,r.jsx)(n.h3,{id:"logging",children:"Logging"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Default"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"-v"})," value"]}),(0,r.jsx)(n.td,{children:"0"}),(0,r.jsx)(n.td,{children:"Number for the log level verbosity"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--vmodule"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--log value, -l"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Log to file"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--alsologtostderr"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Log to standard error as well as file (if set)"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"cluster-options",children:"Cluster Options"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--token value, -t"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_TOKEN"})}),(0,r.jsx)(n.td,{children:"Token to use for authentication"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--token-file"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_TOKEN_FILE"})}),(0,r.jsx)(n.td,{children:"Token file to use for authentication"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--server value, -s"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_URL"})}),(0,r.jsx)(n.td,{children:"Server to connect to"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"data",children:"Data"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Default"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsx)(n.tbody,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--data-dir value, -d"})," value"]}),(0,r.jsx)(n.td,{children:'"/var/lib/rancher/k3s"'}),(0,r.jsx)(n.td,{children:"Folder to hold state"})]})})]}),"\n",(0,r.jsx)(n.h3,{id:"node",children:"Node"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-name"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_NODE_NAME"})}),(0,r.jsx)(n.td,{children:"Node name"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--with-node-id"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Append id to node name"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-label"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Registering and starting kubelet with set of labels"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-taint"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Registering kubelet with set of taints"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--protect-kernel-defaults"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Kernel tuning behavior. If set, error if kernel tunables are different from kubelet defaults."})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--selinux"})}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_SELINUX"})}),(0,r.jsx)(n.td,{children:"Enable SELinux in containerd"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--lb-server-port"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_LB_SERVER_PORT"})}),(0,r.jsx)(n.td,{children:"Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444)"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"runtime",children:"Runtime"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Default"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--container-runtime-endpoint"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the cri-docker socket path"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--pause-image"})," value"]}),(0,r.jsx)(n.td,{children:'"docker.io/rancher/pause:3.1"'}),(0,r.jsx)(n.td,{children:"Customized pause image for containerd or docker sandbox"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--private-registry"})," value"]}),(0,r.jsx)(n.td,{children:'"/etc/rancher/k3s/registries.yaml"'}),(0,r.jsx)(n.td,{children:"Private registry configuration file"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"networking",children:"Networking"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-ip value, -i"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"IP address to advertise for node"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-external-ip"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"External IP address to advertise for node"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--resolv-conf"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_RESOLV_CONF"})}),(0,r.jsx)(n.td,{children:"Kubelet resolv.conf file"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--flannel-iface"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Override default flannel interface"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--flannel-conf"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Override default flannel config file"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--flannel-cni-conf"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Override default flannel cni config file"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"customized-flags",children:"Customized Flags"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--kubelet-arg"})," value"]}),(0,r.jsx)(n.td,{children:"Customized flag for kubelet process"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--kube-proxy-arg"})," value"]}),(0,r.jsx)(n.td,{children:"Customized flag for kube-proxy process"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"experimental",children:"Experimental"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--rootless"})}),(0,r.jsx)(n.td,{children:"Run rootless"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--docker"})}),(0,r.jsx)(n.td,{children:"Use cri-dockerd instead of containerd"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--prefer-bundled-bin"})}),(0,r.jsx)(n.td,{children:"Prefer bundled userspace binaries over host binaries"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--disable-default-registry-endpoint"})}),(0,r.jsxs)(n.td,{children:['See "',(0,r.jsx)(n.a,{href:"/installation/private-registry#default-endpoint-fallback",children:"Default Endpoint Fallback"}),'"']})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"deprecated",children:"Deprecated"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--no-flannel"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsxs)(n.td,{children:["Use ",(0,r.jsx)(n.code,{children:"--flannel-backend=none"})]})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--cluster-secret"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_CLUSTER_SECRET"})}),(0,r.jsxs)(n.td,{children:["Use ",(0,r.jsx)(n.code,{children:"--token"})]})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"node-labels-and-taints-for-agents",children:"Node Labels and Taints for Agents"}),"\n",(0,r.jsxs)(n.p,{children:["K3s agents can be configured with the options ",(0,r.jsx)(n.code,{children:"--node-label"})," and ",(0,r.jsx)(n.code,{children:"--node-taint"})," which adds a label and taint to the kubelet. The two options only add labels and/or taints at registration time, so they can only be added once and not changed after that again by running K3s commands."]}),"\n",(0,r.jsx)(n.p,{children:"Below is an example showing how to add labels and a taint:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:" --node-label foo=bar \\\n --node-label hello=world \\\n --node-taint key1=value1:NoExecute\n"})}),"\n",(0,r.jsxs)(n.p,{children:["If you want to change node labels and taints after node registration you should use ",(0,r.jsx)(n.code,{children:"kubectl"}),". Refer to the official Kubernetes documentation for details on how to add ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/",children:"taints"})," and ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/#add-a-label-to-a-node",children:"node labels."})]}),"\n",(0,r.jsx)(n.h3,{id:"k3s-agent-cli-help",children:"K3s Agent CLI Help"}),"\n",(0,r.jsxs)(n.blockquote,{children:["\n",(0,r.jsxs)(n.p,{children:["If an option appears in brackets below, for example ",(0,r.jsx)(n.code,{children:"[$K3S_URL]"}),", it means that the option can be passed in as an environment variable of that name."]}),"\n"]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:'NAME:\n k3s agent - Run node agent\n\nUSAGE:\n k3s agent [OPTIONS]\n\nOPTIONS:\n --config FILE, -c FILE (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]\n --debug (logging) Turn on debug logs [$K3S_DEBUG]\n -v value (logging) Number for the log level verbosity (default: 0)\n --vmodule value (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging\n --log value, -l value (logging) Log to file\n --alsologtostderr (logging) Log to standard error as well as file (if set)\n --token value, -t value (cluster) Token to use for authentication [$K3S_TOKEN]\n --token-file value (cluster) Token file to use for authentication [$K3S_TOKEN_FILE]\n --server value, -s value (cluster) Server to connect to [$K3S_URL]\n --data-dir value, -d value (agent/data) Folder to hold state (default: "/var/lib/rancher/k3s")\n --node-name value (agent/node) Node name [$K3S_NODE_NAME]\n --with-node-id (agent/node) Append id to node name\n --node-label value (agent/node) Registering and starting kubelet with set of labels\n --node-taint value (agent/node) Registering kubelet with set of taints\n --image-credential-provider-bin-dir value (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")\n --image-credential-provider-config value (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")\n --selinux (agent/node) Enable SELinux in containerd [$K3S_SELINUX]\n --lb-server-port value (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]\n --protect-kernel-defaults (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.\n --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path\n --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: "rancher/mirrored-pause:3.6")\n --snapshotter value (agent/runtime) Override default containerd snapshotter (default: "overlayfs")\n --private-registry value (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml")\n --node-ip value, -i value (agent/networking) IPv4/IPv6 addresses to advertise for node\n --node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node\n --resolv-conf value (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF]\n --flannel-iface value (agent/networking) Override default flannel interface\n --flannel-conf value (agent/networking) Override default flannel config file\n --flannel-cni-conf value (agent/networking) Override default flannel cni config file\n --kubelet-arg value (agent/flags) Customized flag for kubelet process\n --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process\n --rootless (experimental) Run rootless\n --prefer-bundled-bin (experimental) Prefer bundled userspace binaries over host binaries\n --docker (agent/runtime) (experimental) Use cri-dockerd instead of containerd\n'})})]})}function h(e={}){const{wrapper:n}={...(0,d.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(c,{...e})}):c(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>s,a:()=>i});var r=t(7294);const d={},l=r.createContext(d);function i(e){const n=r.useContext(l);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function s(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(d):e.components||d:i(e.components),r.createElement(l.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7628],{2023:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>a,contentTitle:()=>i,default:()=>h,frontMatter:()=>l,metadata:()=>s,toc:()=>o});var r=t(5893),d=t(1151);const l={title:"agent"},i="k3s agent",s={id:"cli/agent",title:"agent",description:"In this section, you'll learn how to configure the K3s agent.",source:"@site/docs/cli/agent.md",sourceDirName:"cli",slug:"/cli/agent",permalink:"/cli/agent",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/agent.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"agent"},sidebar:"mySidebar",previous:{title:"server",permalink:"/cli/server"},next:{title:"certificate",permalink:"/cli/certificate"}},a={},o=[{value:"Logging",id:"logging",level:3},{value:"Cluster Options",id:"cluster-options",level:3},{value:"Data",id:"data",level:3},{value:"Node",id:"node",level:3},{value:"Runtime",id:"runtime",level:3},{value:"Networking",id:"networking",level:3},{value:"Customized Flags",id:"customized-flags",level:3},{value:"Experimental",id:"experimental",level:3},{value:"Deprecated",id:"deprecated",level:3},{value:"Node Labels and Taints for Agents",id:"node-labels-and-taints-for-agents",level:3},{value:"K3s Agent CLI Help",id:"k3s-agent-cli-help",level:3}];function c(e){const n={a:"a",blockquote:"blockquote",code:"code",h1:"h1",h3:"h3",header:"header",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,d.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(n.header,{children:(0,r.jsx)(n.h1,{id:"k3s-agent",children:"k3s agent"})}),"\n",(0,r.jsx)(n.p,{children:"In this section, you'll learn how to configure the K3s agent."}),"\n",(0,r.jsx)(n.p,{children:"Note that servers also run an agent, so all flags listed on this page are also valid for use on servers."}),"\n",(0,r.jsxs)(n.p,{children:["Options are documented on this page as CLI flags, but can also be passed as configuration file options. See the ",(0,r.jsx)(n.a,{href:"/installation/configuration#configuration-file",children:"Configuration File"})," documentation for more information on using YAML configuration files."]}),"\n",(0,r.jsx)(n.h3,{id:"logging",children:"Logging"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Default"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"-v"})," value"]}),(0,r.jsx)(n.td,{children:"0"}),(0,r.jsx)(n.td,{children:"Number for the log level verbosity"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--vmodule"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--log value, -l"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Log to file"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--alsologtostderr"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Log to standard error as well as file (if set)"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"cluster-options",children:"Cluster Options"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--token value, -t"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_TOKEN"})}),(0,r.jsx)(n.td,{children:"Token to use for authentication"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--token-file"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_TOKEN_FILE"})}),(0,r.jsx)(n.td,{children:"Token file to use for authentication"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--server value, -s"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_URL"})}),(0,r.jsx)(n.td,{children:"Server to connect to"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"data",children:"Data"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Default"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsx)(n.tbody,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--data-dir value, -d"})," value"]}),(0,r.jsx)(n.td,{children:'"/var/lib/rancher/k3s"'}),(0,r.jsx)(n.td,{children:"Folder to hold state"})]})})]}),"\n",(0,r.jsx)(n.h3,{id:"node",children:"Node"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-name"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_NODE_NAME"})}),(0,r.jsx)(n.td,{children:"Node name"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--with-node-id"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Append id to node name"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-label"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Registering and starting kubelet with set of labels"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-taint"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Registering kubelet with set of taints"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--protect-kernel-defaults"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Kernel tuning behavior. If set, error if kernel tunables are different from kubelet defaults."})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--selinux"})}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_SELINUX"})}),(0,r.jsx)(n.td,{children:"Enable SELinux in containerd"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--lb-server-port"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_LB_SERVER_PORT"})}),(0,r.jsx)(n.td,{children:"Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444)"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"runtime",children:"Runtime"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Default"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--container-runtime-endpoint"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the cri-docker socket path"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--pause-image"})," value"]}),(0,r.jsx)(n.td,{children:'"docker.io/rancher/pause:3.1"'}),(0,r.jsx)(n.td,{children:"Customized pause image for containerd or docker sandbox"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--private-registry"})," value"]}),(0,r.jsx)(n.td,{children:'"/etc/rancher/k3s/registries.yaml"'}),(0,r.jsx)(n.td,{children:"Private registry configuration file"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"networking",children:"Networking"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-ip value, -i"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"IP address to advertise for node"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--node-external-ip"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"External IP address to advertise for node"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--resolv-conf"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_RESOLV_CONF"})}),(0,r.jsx)(n.td,{children:"Kubelet resolv.conf file"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--flannel-iface"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Override default flannel interface"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--flannel-conf"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Override default flannel config file"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--flannel-cni-conf"})," value"]}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsx)(n.td,{children:"Override default flannel cni config file"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"customized-flags",children:"Customized Flags"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--kubelet-arg"})," value"]}),(0,r.jsx)(n.td,{children:"Customized flag for kubelet process"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--kube-proxy-arg"})," value"]}),(0,r.jsx)(n.td,{children:"Customized flag for kube-proxy process"})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"experimental",children:"Experimental"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--rootless"})}),(0,r.jsx)(n.td,{children:"Run rootless"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--docker"})}),(0,r.jsx)(n.td,{children:"Use cri-dockerd instead of containerd"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--prefer-bundled-bin"})}),(0,r.jsx)(n.td,{children:"Prefer bundled userspace binaries over host binaries"})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--disable-default-registry-endpoint"})}),(0,r.jsxs)(n.td,{children:['See "',(0,r.jsx)(n.a,{href:"/installation/private-registry#default-endpoint-fallback",children:"Default Endpoint Fallback"}),'"']})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"deprecated",children:"Deprecated"}),"\n",(0,r.jsxs)(n.table,{children:[(0,r.jsx)(n.thead,{children:(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.th,{children:"Flag"}),(0,r.jsx)(n.th,{children:"Environment Variable"}),(0,r.jsx)(n.th,{children:"Description"})]})}),(0,r.jsxs)(n.tbody,{children:[(0,r.jsxs)(n.tr,{children:[(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"--no-flannel"})}),(0,r.jsx)(n.td,{children:"N/A"}),(0,r.jsxs)(n.td,{children:["Use ",(0,r.jsx)(n.code,{children:"--flannel-backend=none"})]})]}),(0,r.jsxs)(n.tr,{children:[(0,r.jsxs)(n.td,{children:[(0,r.jsx)(n.code,{children:"--cluster-secret"})," value"]}),(0,r.jsx)(n.td,{children:(0,r.jsx)(n.code,{children:"K3S_CLUSTER_SECRET"})}),(0,r.jsxs)(n.td,{children:["Use ",(0,r.jsx)(n.code,{children:"--token"})]})]})]})]}),"\n",(0,r.jsx)(n.h3,{id:"node-labels-and-taints-for-agents",children:"Node Labels and Taints for Agents"}),"\n",(0,r.jsxs)(n.p,{children:["K3s agents can be configured with the options ",(0,r.jsx)(n.code,{children:"--node-label"})," and ",(0,r.jsx)(n.code,{children:"--node-taint"})," which adds a label and taint to the kubelet. The two options only add labels and/or taints at registration time, so they can only be added once and not changed after that again by running K3s commands."]}),"\n",(0,r.jsx)(n.p,{children:"Below is an example showing how to add labels and a taint:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:" --node-label foo=bar \\\n --node-label hello=world \\\n --node-taint key1=value1:NoExecute\n"})}),"\n",(0,r.jsxs)(n.p,{children:["If you want to change node labels and taints after node registration you should use ",(0,r.jsx)(n.code,{children:"kubectl"}),". Refer to the official Kubernetes documentation for details on how to add ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/",children:"taints"})," and ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/#add-a-label-to-a-node",children:"node labels."})]}),"\n",(0,r.jsx)(n.h3,{id:"k3s-agent-cli-help",children:"K3s Agent CLI Help"}),"\n",(0,r.jsxs)(n.blockquote,{children:["\n",(0,r.jsxs)(n.p,{children:["If an option appears in brackets below, for example ",(0,r.jsx)(n.code,{children:"[$K3S_URL]"}),", it means that the option can be passed in as an environment variable of that name."]}),"\n"]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:'NAME:\n k3s agent - Run node agent\n\nUSAGE:\n k3s agent [OPTIONS]\n\nOPTIONS:\n --config FILE, -c FILE (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]\n --debug (logging) Turn on debug logs [$K3S_DEBUG]\n -v value (logging) Number for the log level verbosity (default: 0)\n --vmodule value (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging\n --log value, -l value (logging) Log to file\n --alsologtostderr (logging) Log to standard error as well as file (if set)\n --token value, -t value (cluster) Token to use for authentication [$K3S_TOKEN]\n --token-file value (cluster) Token file to use for authentication [$K3S_TOKEN_FILE]\n --server value, -s value (cluster) Server to connect to [$K3S_URL]\n --data-dir value, -d value (agent/data) Folder to hold state (default: "/var/lib/rancher/k3s")\n --node-name value (agent/node) Node name [$K3S_NODE_NAME]\n --with-node-id (agent/node) Append id to node name\n --node-label value (agent/node) Registering and starting kubelet with set of labels\n --node-taint value (agent/node) Registering kubelet with set of taints\n --image-credential-provider-bin-dir value (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")\n --image-credential-provider-config value (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")\n --selinux (agent/node) Enable SELinux in containerd [$K3S_SELINUX]\n --lb-server-port value (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]\n --protect-kernel-defaults (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.\n --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path\n --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: "rancher/mirrored-pause:3.6")\n --snapshotter value (agent/runtime) Override default containerd snapshotter (default: "overlayfs")\n --private-registry value (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml")\n --node-ip value, -i value (agent/networking) IPv4/IPv6 addresses to advertise for node\n --node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node\n --resolv-conf value (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF]\n --flannel-iface value (agent/networking) Override default flannel interface\n --flannel-conf value (agent/networking) Override default flannel config file\n --flannel-cni-conf value (agent/networking) Override default flannel cni config file\n --kubelet-arg value (agent/flags) Customized flag for kubelet process\n --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process\n --rootless (experimental) Run rootless\n --prefer-bundled-bin (experimental) Prefer bundled userspace binaries over host binaries\n --docker (agent/runtime) (experimental) Use cri-dockerd instead of containerd\n'})})]})}function h(e={}){const{wrapper:n}={...(0,d.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(c,{...e})}):c(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>s,a:()=>i});var r=t(7294);const d={},l=r.createContext(d);function i(e){const n=r.useContext(l);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function s(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(d):e.components||d:i(e.components),r.createElement(l.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/1e924268.ac2a25db.js b/assets/js/1e924268.f54cd95f.js
similarity index 98%
rename from assets/js/1e924268.ac2a25db.js
rename to assets/js/1e924268.f54cd95f.js
index dfc0e6ea1..3a4ac8c82 100644
--- a/assets/js/1e924268.ac2a25db.js
+++ b/assets/js/1e924268.f54cd95f.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8614],{770:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>l,contentTitle:()=>a,default:()=>u,frontMatter:()=>o,metadata:()=>r,toc:()=>c});var i=t(5893),s=t(1151);const o={title:"Installation"},a=void 0,r={id:"installation/installation",title:"Installation",description:"This section contains instructions for installing K3s in various environments. Please ensure you have met the Requirements before you begin installing K3s.",source:"@site/docs/installation/installation.md",sourceDirName:"installation",slug:"/installation/",permalink:"/installation/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/installation.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Installation"},sidebar:"mySidebar",previous:{title:"Quick-Start Guide",permalink:"/quick-start"},next:{title:"Requirements",permalink:"/installation/requirements"}},l={},c=[];function d(e){const n={a:"a",code:"code",p:"p",...(0,s.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsxs)(n.p,{children:["This section contains instructions for installing K3s in various environments. Please ensure you have met the ",(0,i.jsx)(n.a,{href:"/installation/requirements",children:"Requirements"})," before you begin installing K3s."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/configuration",children:"Configuration Options"})," provides guidance on the options available to you when installing K3s."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/private-registry",children:"Private Registry Configuration"})," covers use of ",(0,i.jsx)(n.code,{children:"registries.yaml"})," to configure container image registry mirrors."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/registry-mirror",children:"Embedded Mirror"})," shows how to enable the embedded distributed image registry mirror."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/airgap",children:"Air-Gap Install"})," details how to set up K3s in environments that do not have direct access to the Internet."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/server-roles",children:"Managing Server Roles"})," details how to set up K3s with dedicated ",(0,i.jsx)(n.code,{children:"control-plane"})," or ",(0,i.jsx)(n.code,{children:"etcd"})," servers."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/packaged-components",children:"Managing Packaged Components"})," details how to disable packaged components, or install your own using auto-deploying manifests."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/uninstall",children:"Uninstalling K3s"})," details how to remove K3s from a host."]})]})}function u(e={}){const{wrapper:n}={...(0,s.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(d,{...e})}):d(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>r,a:()=>a});var i=t(7294);const s={},o=i.createContext(s);function a(e){const n=i.useContext(o);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function r(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(s):e.components||s:a(e.components),i.createElement(o.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8614],{770:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>l,contentTitle:()=>a,default:()=>u,frontMatter:()=>o,metadata:()=>r,toc:()=>c});var i=t(5893),s=t(1151);const o={title:"Installation"},a=void 0,r={id:"installation/installation",title:"Installation",description:"This section contains instructions for installing K3s in various environments. Please ensure you have met the Requirements before you begin installing K3s.",source:"@site/docs/installation/installation.md",sourceDirName:"installation",slug:"/installation/",permalink:"/installation/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/installation.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Installation"},sidebar:"mySidebar",previous:{title:"Quick-Start Guide",permalink:"/quick-start"},next:{title:"Requirements",permalink:"/installation/requirements"}},l={},c=[];function d(e){const n={a:"a",code:"code",p:"p",...(0,s.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsxs)(n.p,{children:["This section contains instructions for installing K3s in various environments. Please ensure you have met the ",(0,i.jsx)(n.a,{href:"/installation/requirements",children:"Requirements"})," before you begin installing K3s."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/configuration",children:"Configuration Options"})," provides guidance on the options available to you when installing K3s."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/private-registry",children:"Private Registry Configuration"})," covers use of ",(0,i.jsx)(n.code,{children:"registries.yaml"})," to configure container image registry mirrors."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/registry-mirror",children:"Embedded Mirror"})," shows how to enable the embedded distributed image registry mirror."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/airgap",children:"Air-Gap Install"})," details how to set up K3s in environments that do not have direct access to the Internet."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/server-roles",children:"Managing Server Roles"})," details how to set up K3s with dedicated ",(0,i.jsx)(n.code,{children:"control-plane"})," or ",(0,i.jsx)(n.code,{children:"etcd"})," servers."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/packaged-components",children:"Managing Packaged Components"})," details how to disable packaged components, or install your own using auto-deploying manifests."]}),"\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.a,{href:"/installation/uninstall",children:"Uninstalling K3s"})," details how to remove K3s from a host."]})]})}function u(e={}){const{wrapper:n}={...(0,s.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(d,{...e})}):d(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>r,a:()=>a});var i=t(7294);const s={},o=i.createContext(s);function a(e){const n=i.useContext(o);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function r(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(s):e.components||s:a(e.components),i.createElement(o.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/2a65762c.bafbe9a1.js b/assets/js/2a65762c.69a0a67c.js
similarity index 99%
rename from assets/js/2a65762c.bafbe9a1.js
rename to assets/js/2a65762c.69a0a67c.js
index f7ed9b6ec..0969c9530 100644
--- a/assets/js/2a65762c.bafbe9a1.js
+++ b/assets/js/2a65762c.69a0a67c.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1430],{7084:(e,t,n)=>{n.r(t),n.d(t,{assets:()=>c,contentTitle:()=>o,default:()=>h,frontMatter:()=>i,metadata:()=>d,toc:()=>l});var s=n(5893),r=n(1151);const i={title:"token"},o="k3s token",d={id:"cli/token",title:"token",description:"K3s uses tokens to secure the node join process. Tokens authenticate the cluster to the joining node, and the node to the cluster.",source:"@site/docs/cli/token.md",sourceDirName:"cli",slug:"/cli/token",permalink:"/cli/token",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/token.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"token"},sidebar:"mySidebar",previous:{title:"secrets-encrypt",permalink:"/cli/secrets-encrypt"},next:{title:"Architecture",permalink:"/architecture"}},c={},l=[{value:"Token Format",id:"token-format",level:2},{value:"Secure",id:"secure",level:3},{value:"TLS Bootstrapping",id:"tls-bootstrapping",level:4},{value:"Short",id:"short",level:3},{value:"Token Types",id:"token-types",level:2},{value:"Server",id:"server",level:3},{value:"Agent",id:"agent",level:3},{value:"Bootstrap",id:"bootstrap",level:3},{value:"k3s token",id:"k3s-token-1",level:2},{value:"k3s token create [token]",id:"k3s-token-create-token",level:4},{value:"k3s token delete",id:"k3s-token-delete",level:4},{value:"k3s token generate",id:"k3s-token-generate",level:4},{value:"k3s token list",id:"k3s-token-list",level:4},{value:"k3s token rotate",id:"k3s-token-rotate",level:4}];function a(e){const t={a:"a",admonition:"admonition",br:"br",code:"code",h1:"h1",h2:"h2",h3:"h3",h4:"h4",header:"header",li:"li",ol:"ol",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(t.header,{children:(0,s.jsx)(t.h1,{id:"k3s-token",children:"k3s token"})}),"\n",(0,s.jsx)(t.p,{children:"K3s uses tokens to secure the node join process. Tokens authenticate the cluster to the joining node, and the node to the cluster."}),"\n",(0,s.jsx)(t.h2,{id:"token-format",children:"Token Format"}),"\n",(0,s.jsx)(t.p,{children:"K3s tokens can be specified in either secure or short format. The secure format is preferred, as it enables the client to authenticate the identity of the cluster it is joining, before sending credentials."}),"\n",(0,s.jsx)(t.h3,{id:"secure",children:"Secure"}),"\n",(0,s.jsx)(t.p,{children:'The secure token format (occasionally referred to as a "full" token) contains the following parts:'}),"\n",(0,s.jsx)(t.p,{children:(0,s.jsx)(t.code,{children:"::"})}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"prefix"}),": a fixed ",(0,s.jsx)(t.code,{children:"K10"})," prefix that identifies the token format"]}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"cluster CA hash"}),": The hash of the cluster's server CA certificate, used to authenticate the server to the joining node.","\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:"For self-signed CA certificates, this is the SHA256 sum of the PEM-formatted certificate, as stored on disk."}),"\n",(0,s.jsx)(t.li,{children:"For custom CA certificates, this is the SHA256 sum of the DER encoding of the root certificate; commonly known as the certificate fingerprint."}),"\n"]}),"\n"]}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"credentials"}),": The username and password, or bearer token, used to authenticate the joining node to the cluster."]}),"\n"]}),"\n",(0,s.jsx)(t.h4,{id:"tls-bootstrapping",children:"TLS Bootstrapping"}),"\n",(0,s.jsx)(t.p,{children:"When a secure token is specified, the joining node performs the following steps to validate the identity of the server it has connected to, before transmitting credentials:"}),"\n",(0,s.jsxs)(t.ol,{children:["\n",(0,s.jsxs)(t.li,{children:["With TLS verification disabled, download the CA bundle from ",(0,s.jsx)(t.code,{children:"/cacerts"})," on the server it is joining."]}),"\n",(0,s.jsx)(t.li,{children:"Calculate the SHA256 hash of the CA certificate, as described above."}),"\n",(0,s.jsx)(t.li,{children:"Compare the calculated SHA256 hash to the hash from the token."}),"\n",(0,s.jsx)(t.li,{children:"If the hash matches, validate that the certificate presented by the server can be validated by the server's CA bundle."}),"\n",(0,s.jsx)(t.li,{children:"If the server certificate is valid, present credentials to join the cluster using either basic or bearer token authentication, depending on the token type."}),"\n"]}),"\n",(0,s.jsx)(t.h3,{id:"short",children:"Short"}),"\n",(0,s.jsx)(t.p,{children:"The short token format includes only the password or bearer token used to authenticate the joining node to the cluster."}),"\n",(0,s.jsxs)(t.p,{children:["If a short token is used, the joining node implicitly trusts the CA bundle presented by the server; steps 2-4 in the TLS Bootstrapping process are skipped. The initial connection may be vulnerable to ",(0,s.jsx)(t.a,{href:"https://en.wikipedia.org/wiki/Man-in-the-middle_attack",children:"man-in-the-middle"})," attack."]}),"\n",(0,s.jsx)(t.h2,{id:"token-types",children:"Token Types"}),"\n",(0,s.jsx)(t.p,{children:"K3s supports three types of tokens. Only the server token is available by default; additional token types must be configured or created by the administrator."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Type"}),(0,s.jsx)(t.th,{children:"CLI Option"}),(0,s.jsx)(t.th,{children:"Environment Variable"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"Server"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--token"})}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"K3S_TOKEN"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"Agent"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--agent-token"})}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"K3S_AGENT_TOKEN"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"Bootstrap"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"n/a"})}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"n/a"})})]})]})]}),"\n",(0,s.jsx)(t.h3,{id:"server",children:"Server"}),"\n",(0,s.jsxs)(t.p,{children:["If no token is provided when starting the first server in the cluster, one is created with a random password. The server token is always written to ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/token"}),", in secure format."]}),"\n",(0,s.jsx)(t.p,{children:"The server token can be used to join both server and agent nodes to the cluster. It cannot be changed once the cluster has been created, and anyone with access to the server token essentially has full administrator access to the cluster. This token should be guarded carefully."}),"\n",(0,s.jsxs)(t.p,{children:["The server token is also used as the ",(0,s.jsx)(t.a,{href:"https://en.wikipedia.org/wiki/PBKDF2",children:"PBKDF2"})," passphrase for the key used to encrypt confidential information that is persisted to the datastore, such as the secrets-encryption configuration, wireguard keys, and private keys for cluster CA certificates and service-account tokens. For this reason, the token must be backed up alongside the cluster datastore itself."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsx)(t.p,{children:"Unless custom CA certificates are in use, only the short (password-only) token format can be used when starting the first server in the cluster. This is because the cluster CA hash cannot be known until after the server has generated the self-signed cluster CA certificates."})}),"\n",(0,s.jsxs)(t.p,{children:["For more information on using custom CA certificates, see the ",(0,s.jsxs)(t.a,{href:"/cli/certificate",children:[(0,s.jsx)(t.code,{children:"k3s certificate"})," documentation"]}),".",(0,s.jsx)(t.br,{}),"\n","For more information on backing up your cluster, see the ",(0,s.jsx)(t.a,{href:"/datastore/backup-restore",children:"Backup and Restore"})," documentation."]}),"\n",(0,s.jsx)(t.h3,{id:"agent",children:"Agent"}),"\n",(0,s.jsx)(t.p,{children:"By default, the agent token is the same as the server token. The agent token can be set before or after the cluster has been started, by changing the CLI option or environment variable on all servers in the cluster. The agent token is similar to the server token in that is it statically configured, and does not expire."}),"\n",(0,s.jsxs)(t.p,{children:["The agent token is written to ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/agent-token"}),", in secure format. If no agent token is specified, this file is a link to the server token."]}),"\n",(0,s.jsx)(t.h3,{id:"bootstrap",children:"Bootstrap"}),"\n",(0,s.jsx)(t.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(t.p,{children:["Support for the ",(0,s.jsx)(t.code,{children:"k3s token"})," command and the ability to join nodes with bootstrap tokens is available starting with the 2023-02 releases (v1.26.2+k3s1, v1.25.7+k3s1, v1.24.11+k3s1, v1.23.17+k3s1)."]})}),"\n",(0,s.jsx)(t.p,{children:"K3s supports dynamically generated, automatically expiring agent bootstrap tokens. Bootstrap tokens can only be used to join agents."}),"\n",(0,s.jsx)(t.h2,{id:"k3s-token-1",children:"k3s token"}),"\n",(0,s.jsxs)(t.p,{children:["K3s bootstrap tokens use the same generation and validation code as ",(0,s.jsx)(t.code,{children:"kubeadm token"})," bootstrap tokens, and the ",(0,s.jsx)(t.code,{children:"k3s token"})," CLI is similar."]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{children:"NAME:\n k3s token - Manage bootstrap tokens\n\nUSAGE:\n k3s token command [command options] [arguments...]\n\nCOMMANDS:\n create Create bootstrap tokens on the server\n delete Delete bootstrap tokens on the server\n generate Generate and print a bootstrap token, but do not create it on the server\n list List bootstrap tokens on the server\n rotate Rotate original server token with a new bootstrap token\n\nOPTIONS:\n --help, -h show help\n"})}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-create-token",children:(0,s.jsx)(t.code,{children:"k3s token create [token]"})}),"\n",(0,s.jsxs)(t.p,{children:["Create a new token. The ",(0,s.jsx)(t.code,{children:"[token]"})," is the actual token to write, as generated by ",(0,s.jsx)(t.code,{children:"k3s token generate"}),". If no token is given, a random one will be generated."]}),"\n",(0,s.jsx)(t.p,{children:"A token in secure format, including the cluster CA hash, will be written to stdout. The output of this command should be saved, as the secret portion of the token cannot be shown again."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"Server to connect to [$KUBECONFIG]"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--description"})," value"]}),(0,s.jsx)(t.td,{children:"A human friendly description of how this token is used"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--groups"})," value"]}),(0,s.jsxs)(t.td,{children:['Extra groups that this token will authenticate as when used for authentication. (default: Default: "system:bootstrappers:k3s',":default-node-token",'")']})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--ttl"})," value"]}),(0,s.jsx)(t.td,{children:"The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire (default: 24h0m0s)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--usages"})," value"]}),(0,s.jsx)(t.td,{children:'Describes the ways in which this token can be used. (default: "signing,authentication")'})]})]})]}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-delete",children:(0,s.jsx)(t.code,{children:"k3s token delete"})}),"\n",(0,s.jsx)(t.p,{children:"Delete one or more tokens. The full token can be provided, or just the token ID."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"Server to connect to [$KUBECONFIG]"})]})]})]}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-generate",children:(0,s.jsx)(t.code,{children:"k3s token generate"})}),"\n",(0,s.jsx)(t.p,{children:"Generate a randomly-generated bootstrap token."}),"\n",(0,s.jsxs)(t.p,{children:["You don't have to use this command in order to generate a token. You can do so yourself as long as it is in the format \"[a-z0-9]",6,".[a-z0-9]",16,'", where the first portion is the token ID, and the second portion is the secret.']}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"Server to connect to [$KUBECONFIG]"})]})]})]}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-list",children:(0,s.jsx)(t.code,{children:"k3s token list"})}),"\n",(0,s.jsx)(t.p,{children:"List bootstrap tokens, showing their ID, description, and remaining time-to-live."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"Server to connect to [$KUBECONFIG]"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--output"})," value"]}),(0,s.jsx)(t.td,{children:'Output format. Valid options: text, json (default: "text")'})]})]})]}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-rotate",children:(0,s.jsx)(t.code,{children:"k3s token rotate"})}),"\n",(0,s.jsx)(t.admonition,{title:"Version Gate",type:"info",children:(0,s.jsx)(t.p,{children:"Available as of 2023-10 releases (v1.28.2+k3s1, v1.27.7+k3s1, v1.26.10+k3s1, v1.25.15+k3s1)."})}),"\n",(0,s.jsx)(t.p,{children:"Rotate original server token with a new bootstrap token. After running this command, all servers and any agents that originally joined with the old token must be restarted with the new token."}),"\n",(0,s.jsx)(t.p,{children:"If you do not specify a new token, one will be generated for you."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"Server to connect to [$KUBECONFIG]"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--server"})," value"]}),(0,s.jsxs)(t.td,{children:['Server to connect to (default: "',(0,s.jsx)(t.a,{href:"https://127.0.0.1:6443",children:"https://127.0.0.1:6443"}),'") [$K3S_URL]']})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--token"})," value"]}),(0,s.jsx)(t.td,{children:"Existing token used to join a server or agent to a cluster [$K3S_TOKEN]"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--new-token"})," value"]}),(0,s.jsx)(t.td,{children:"New token that replaces existing token"})]})]})]})]})}function h(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(a,{...e})}):a(e)}},1151:(e,t,n)=>{n.d(t,{Z:()=>d,a:()=>o});var s=n(7294);const r={},i=s.createContext(r);function o(e){const t=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function d(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),s.createElement(i.Provider,{value:t},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1430],{7084:(e,t,n)=>{n.r(t),n.d(t,{assets:()=>c,contentTitle:()=>o,default:()=>h,frontMatter:()=>i,metadata:()=>d,toc:()=>l});var s=n(5893),r=n(1151);const i={title:"token"},o="k3s token",d={id:"cli/token",title:"token",description:"K3s uses tokens to secure the node join process. Tokens authenticate the cluster to the joining node, and the node to the cluster.",source:"@site/docs/cli/token.md",sourceDirName:"cli",slug:"/cli/token",permalink:"/cli/token",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/token.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"token"},sidebar:"mySidebar",previous:{title:"secrets-encrypt",permalink:"/cli/secrets-encrypt"},next:{title:"Architecture",permalink:"/architecture"}},c={},l=[{value:"Token Format",id:"token-format",level:2},{value:"Secure",id:"secure",level:3},{value:"TLS Bootstrapping",id:"tls-bootstrapping",level:4},{value:"Short",id:"short",level:3},{value:"Token Types",id:"token-types",level:2},{value:"Server",id:"server",level:3},{value:"Agent",id:"agent",level:3},{value:"Bootstrap",id:"bootstrap",level:3},{value:"k3s token",id:"k3s-token-1",level:2},{value:"k3s token create [token]",id:"k3s-token-create-token",level:4},{value:"k3s token delete",id:"k3s-token-delete",level:4},{value:"k3s token generate",id:"k3s-token-generate",level:4},{value:"k3s token list",id:"k3s-token-list",level:4},{value:"k3s token rotate",id:"k3s-token-rotate",level:4}];function a(e){const t={a:"a",admonition:"admonition",br:"br",code:"code",h1:"h1",h2:"h2",h3:"h3",h4:"h4",header:"header",li:"li",ol:"ol",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(t.header,{children:(0,s.jsx)(t.h1,{id:"k3s-token",children:"k3s token"})}),"\n",(0,s.jsx)(t.p,{children:"K3s uses tokens to secure the node join process. Tokens authenticate the cluster to the joining node, and the node to the cluster."}),"\n",(0,s.jsx)(t.h2,{id:"token-format",children:"Token Format"}),"\n",(0,s.jsx)(t.p,{children:"K3s tokens can be specified in either secure or short format. The secure format is preferred, as it enables the client to authenticate the identity of the cluster it is joining, before sending credentials."}),"\n",(0,s.jsx)(t.h3,{id:"secure",children:"Secure"}),"\n",(0,s.jsx)(t.p,{children:'The secure token format (occasionally referred to as a "full" token) contains the following parts:'}),"\n",(0,s.jsx)(t.p,{children:(0,s.jsx)(t.code,{children:"::"})}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"prefix"}),": a fixed ",(0,s.jsx)(t.code,{children:"K10"})," prefix that identifies the token format"]}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"cluster CA hash"}),": The hash of the cluster's server CA certificate, used to authenticate the server to the joining node.","\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:"For self-signed CA certificates, this is the SHA256 sum of the PEM-formatted certificate, as stored on disk."}),"\n",(0,s.jsx)(t.li,{children:"For custom CA certificates, this is the SHA256 sum of the DER encoding of the root certificate; commonly known as the certificate fingerprint."}),"\n"]}),"\n"]}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"credentials"}),": The username and password, or bearer token, used to authenticate the joining node to the cluster."]}),"\n"]}),"\n",(0,s.jsx)(t.h4,{id:"tls-bootstrapping",children:"TLS Bootstrapping"}),"\n",(0,s.jsx)(t.p,{children:"When a secure token is specified, the joining node performs the following steps to validate the identity of the server it has connected to, before transmitting credentials:"}),"\n",(0,s.jsxs)(t.ol,{children:["\n",(0,s.jsxs)(t.li,{children:["With TLS verification disabled, download the CA bundle from ",(0,s.jsx)(t.code,{children:"/cacerts"})," on the server it is joining."]}),"\n",(0,s.jsx)(t.li,{children:"Calculate the SHA256 hash of the CA certificate, as described above."}),"\n",(0,s.jsx)(t.li,{children:"Compare the calculated SHA256 hash to the hash from the token."}),"\n",(0,s.jsx)(t.li,{children:"If the hash matches, validate that the certificate presented by the server can be validated by the server's CA bundle."}),"\n",(0,s.jsx)(t.li,{children:"If the server certificate is valid, present credentials to join the cluster using either basic or bearer token authentication, depending on the token type."}),"\n"]}),"\n",(0,s.jsx)(t.h3,{id:"short",children:"Short"}),"\n",(0,s.jsx)(t.p,{children:"The short token format includes only the password or bearer token used to authenticate the joining node to the cluster."}),"\n",(0,s.jsxs)(t.p,{children:["If a short token is used, the joining node implicitly trusts the CA bundle presented by the server; steps 2-4 in the TLS Bootstrapping process are skipped. The initial connection may be vulnerable to ",(0,s.jsx)(t.a,{href:"https://en.wikipedia.org/wiki/Man-in-the-middle_attack",children:"man-in-the-middle"})," attack."]}),"\n",(0,s.jsx)(t.h2,{id:"token-types",children:"Token Types"}),"\n",(0,s.jsx)(t.p,{children:"K3s supports three types of tokens. Only the server token is available by default; additional token types must be configured or created by the administrator."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Type"}),(0,s.jsx)(t.th,{children:"CLI Option"}),(0,s.jsx)(t.th,{children:"Environment Variable"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"Server"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--token"})}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"K3S_TOKEN"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"Agent"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"--agent-token"})}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"K3S_AGENT_TOKEN"})})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:"Bootstrap"}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"n/a"})}),(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"n/a"})})]})]})]}),"\n",(0,s.jsx)(t.h3,{id:"server",children:"Server"}),"\n",(0,s.jsxs)(t.p,{children:["If no token is provided when starting the first server in the cluster, one is created with a random password. The server token is always written to ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/token"}),", in secure format."]}),"\n",(0,s.jsx)(t.p,{children:"The server token can be used to join both server and agent nodes to the cluster. It cannot be changed once the cluster has been created, and anyone with access to the server token essentially has full administrator access to the cluster. This token should be guarded carefully."}),"\n",(0,s.jsxs)(t.p,{children:["The server token is also used as the ",(0,s.jsx)(t.a,{href:"https://en.wikipedia.org/wiki/PBKDF2",children:"PBKDF2"})," passphrase for the key used to encrypt confidential information that is persisted to the datastore, such as the secrets-encryption configuration, wireguard keys, and private keys for cluster CA certificates and service-account tokens. For this reason, the token must be backed up alongside the cluster datastore itself."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsx)(t.p,{children:"Unless custom CA certificates are in use, only the short (password-only) token format can be used when starting the first server in the cluster. This is because the cluster CA hash cannot be known until after the server has generated the self-signed cluster CA certificates."})}),"\n",(0,s.jsxs)(t.p,{children:["For more information on using custom CA certificates, see the ",(0,s.jsxs)(t.a,{href:"/cli/certificate",children:[(0,s.jsx)(t.code,{children:"k3s certificate"})," documentation"]}),".",(0,s.jsx)(t.br,{}),"\n","For more information on backing up your cluster, see the ",(0,s.jsx)(t.a,{href:"/datastore/backup-restore",children:"Backup and Restore"})," documentation."]}),"\n",(0,s.jsx)(t.h3,{id:"agent",children:"Agent"}),"\n",(0,s.jsx)(t.p,{children:"By default, the agent token is the same as the server token. The agent token can be set before or after the cluster has been started, by changing the CLI option or environment variable on all servers in the cluster. The agent token is similar to the server token in that is it statically configured, and does not expire."}),"\n",(0,s.jsxs)(t.p,{children:["The agent token is written to ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/agent-token"}),", in secure format. If no agent token is specified, this file is a link to the server token."]}),"\n",(0,s.jsx)(t.h3,{id:"bootstrap",children:"Bootstrap"}),"\n",(0,s.jsx)(t.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(t.p,{children:["Support for the ",(0,s.jsx)(t.code,{children:"k3s token"})," command and the ability to join nodes with bootstrap tokens is available starting with the 2023-02 releases (v1.26.2+k3s1, v1.25.7+k3s1, v1.24.11+k3s1, v1.23.17+k3s1)."]})}),"\n",(0,s.jsx)(t.p,{children:"K3s supports dynamically generated, automatically expiring agent bootstrap tokens. Bootstrap tokens can only be used to join agents."}),"\n",(0,s.jsx)(t.h2,{id:"k3s-token-1",children:"k3s token"}),"\n",(0,s.jsxs)(t.p,{children:["K3s bootstrap tokens use the same generation and validation code as ",(0,s.jsx)(t.code,{children:"kubeadm token"})," bootstrap tokens, and the ",(0,s.jsx)(t.code,{children:"k3s token"})," CLI is similar."]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{children:"NAME:\n k3s token - Manage bootstrap tokens\n\nUSAGE:\n k3s token command [command options] [arguments...]\n\nCOMMANDS:\n create Create bootstrap tokens on the server\n delete Delete bootstrap tokens on the server\n generate Generate and print a bootstrap token, but do not create it on the server\n list List bootstrap tokens on the server\n rotate Rotate original server token with a new bootstrap token\n\nOPTIONS:\n --help, -h show help\n"})}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-create-token",children:(0,s.jsx)(t.code,{children:"k3s token create [token]"})}),"\n",(0,s.jsxs)(t.p,{children:["Create a new token. The ",(0,s.jsx)(t.code,{children:"[token]"})," is the actual token to write, as generated by ",(0,s.jsx)(t.code,{children:"k3s token generate"}),". If no token is given, a random one will be generated."]}),"\n",(0,s.jsx)(t.p,{children:"A token in secure format, including the cluster CA hash, will be written to stdout. The output of this command should be saved, as the secret portion of the token cannot be shown again."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"Server to connect to [$KUBECONFIG]"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--description"})," value"]}),(0,s.jsx)(t.td,{children:"A human friendly description of how this token is used"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--groups"})," value"]}),(0,s.jsxs)(t.td,{children:['Extra groups that this token will authenticate as when used for authentication. (default: Default: "system:bootstrappers:k3s',":default-node-token",'")']})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--ttl"})," value"]}),(0,s.jsx)(t.td,{children:"The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire (default: 24h0m0s)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--usages"})," value"]}),(0,s.jsx)(t.td,{children:'Describes the ways in which this token can be used. (default: "signing,authentication")'})]})]})]}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-delete",children:(0,s.jsx)(t.code,{children:"k3s token delete"})}),"\n",(0,s.jsx)(t.p,{children:"Delete one or more tokens. The full token can be provided, or just the token ID."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"Server to connect to [$KUBECONFIG]"})]})]})]}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-generate",children:(0,s.jsx)(t.code,{children:"k3s token generate"})}),"\n",(0,s.jsx)(t.p,{children:"Generate a randomly-generated bootstrap token."}),"\n",(0,s.jsxs)(t.p,{children:["You don't have to use this command in order to generate a token. You can do so yourself as long as it is in the format \"[a-z0-9]",6,".[a-z0-9]",16,'", where the first portion is the token ID, and the second portion is the secret.']}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"Server to connect to [$KUBECONFIG]"})]})]})]}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-list",children:(0,s.jsx)(t.code,{children:"k3s token list"})}),"\n",(0,s.jsx)(t.p,{children:"List bootstrap tokens, showing their ID, description, and remaining time-to-live."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"Server to connect to [$KUBECONFIG]"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--output"})," value"]}),(0,s.jsx)(t.td,{children:'Output format. Valid options: text, json (default: "text")'})]})]})]}),"\n",(0,s.jsx)(t.h4,{id:"k3s-token-rotate",children:(0,s.jsx)(t.code,{children:"k3s token rotate"})}),"\n",(0,s.jsx)(t.admonition,{title:"Version Gate",type:"info",children:(0,s.jsx)(t.p,{children:"Available as of 2023-10 releases (v1.28.2+k3s1, v1.27.7+k3s1, v1.26.10+k3s1, v1.25.15+k3s1)."})}),"\n",(0,s.jsx)(t.p,{children:"Rotate original server token with a new bootstrap token. After running this command, all servers and any agents that originally joined with the old token must be restarted with the new token."}),"\n",(0,s.jsx)(t.p,{children:"If you do not specify a new token, one will be generated for you."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Flag"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--data-dir"})," value"]}),(0,s.jsx)(t.td,{children:"Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--kubeconfig"})," value"]}),(0,s.jsx)(t.td,{children:"Server to connect to [$KUBECONFIG]"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--server"})," value"]}),(0,s.jsxs)(t.td,{children:['Server to connect to (default: "',(0,s.jsx)(t.a,{href:"https://127.0.0.1:6443",children:"https://127.0.0.1:6443"}),'") [$K3S_URL]']})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--token"})," value"]}),(0,s.jsx)(t.td,{children:"Existing token used to join a server or agent to a cluster [$K3S_TOKEN]"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsxs)(t.td,{children:[(0,s.jsx)(t.code,{children:"--new-token"})," value"]}),(0,s.jsx)(t.td,{children:"New token that replaces existing token"})]})]})]})]})}function h(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(a,{...e})}):a(e)}},1151:(e,t,n)=>{n.d(t,{Z:()=>d,a:()=>o});var s=n(7294);const r={},i=s.createContext(r);function o(e){const t=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function d(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),s.createElement(i.Provider,{value:t},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/2f797aa4.ab0bed68.js b/assets/js/2f797aa4.f9dafcf2.js
similarity index 99%
rename from assets/js/2f797aa4.ab0bed68.js
rename to assets/js/2f797aa4.f9dafcf2.js
index 04c263d5c..e01ec939a 100644
--- a/assets/js/2f797aa4.ab0bed68.js
+++ b/assets/js/2f797aa4.f9dafcf2.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[101],{3989:(e,s,i)=>{i.r(s),i.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var r=i(5893),t=i(1151);const n={hide_table_of_contents:!0,sidebar_position:3},l="v1.28.X",h={id:"release-notes/v1.28.X",title:"v1.28.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.28.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.28.X",permalink:"/release-notes/v1.28.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.28.X.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,sidebarPosition:3,frontMatter:{hide_table_of_contents:!0,sidebar_position:3},sidebar:"mySidebar",previous:{title:"v1.29.X",permalink:"/release-notes/v1.29.X"},next:{title:"v1.27.X",permalink:"/release-notes/v1.27.X"}},c={},d=[{value:"Release v1.28.12+k3s1",id:"release-v12812k3s1",level:2},{value:"Changes since v1.28.11+k3s2:",id:"changes-since-v12811k3s2",level:3},{value:"Release v1.28.11+k3s2",id:"release-v12811k3s2",level:2},{value:"Changes since v1.28.11+k3s1:",id:"changes-since-v12811k3s1",level:3},{value:"Release v1.28.11+k3s1",id:"release-v12811k3s1",level:2},{value:"Changes since v1.28.10+k3s1:",id:"changes-since-v12810k3s1",level:3},{value:"Release v1.28.10+k3s1",id:"release-v12810k3s1",level:2},{value:"Changes since v1.28.9+k3s1:",id:"changes-since-v1289k3s1",level:3},{value:"Release v1.28.9+k3s1",id:"release-v1289k3s1",level:2},{value:"Changes since v1.28.8+k3s1:",id:"changes-since-v1288k3s1",level:3},{value:"Release v1.28.8+k3s1",id:"release-v1288k3s1",level:2},{value:"Changes since v1.28.7+k3s1:",id:"changes-since-v1287k3s1",level:3},{value:"Release v1.28.7+k3s1",id:"release-v1287k3s1",level:2},{value:"Changes since v1.28.6+k3s2:",id:"changes-since-v1286k3s2",level:3},{value:"Release v1.28.6+k3s2",id:"release-v1286k3s2",level:2},{value:"Changes since v1.28.5+k3s1:",id:"changes-since-v1285k3s1",level:3},{value:"Release v1.28.5+k3s1",id:"release-v1285k3s1",level:2},{value:"Changes since v1.28.4+k3s1:",id:"changes-since-v1284k3s1",level:3},{value:"Release v1.28.4+k3s2",id:"release-v1284k3s2",level:2},{value:"Changes since v1.28.3+k3s2:",id:"changes-since-v1283k3s2",level:3},{value:"Release v1.28.3+k3s2",id:"release-v1283k3s2",level:2},{value:"Changes since v1.28.3+k3s1:",id:"changes-since-v1283k3s1",level:3},{value:"Release v1.28.3+k3s1",id:"release-v1283k3s1",level:2},{value:"Changes since v1.28.2+k3s1:",id:"changes-since-v1282k3s1",level:3},{value:"Release v1.28.2+k3s1",id:"release-v1282k3s1",level:2},{value:"Changes since v1.28.1+k3s1:",id:"changes-since-v1281k3s1",level:3},{value:"Release v1.28.1+k3s1",id:"release-v1281k3s1",level:2},{value:"Changes since v1.27.5+k3s1:",id:"changes-since-v1275k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.header,{children:(0,r.jsx)(s.h1,{id:"v128x",children:"v1.28.X"})}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v12812k3s1",children:"v1.28.12+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 31 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12812",children:"v1.28.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.11",children:"v0.11.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1.28",children:"v1.7.17-k3s1.28"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.28",children:"v0.0.28"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v12811k3s2",children:"v1.28.11+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 03 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12811",children:"v1.28.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1.28",children:"v1.7.17-k3s1.28"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v12811k3s1",children:"v1.28.11+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12811",children:"v1.28.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1.28",children:"v1.7.17-k3s1.28"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.2",children:"v0.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v12810k3s1",children:"v1.28.10+k3s1"})}),(0,r.jsx)(s.td,{children:"May 22 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12810",children:"v1.28.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1289k3s1",children:"v1.28.9+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1289",children:"v1.28.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1288k3s1",children:"v1.28.8+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1288",children:"v1.28.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1287k3s1",children:"v1.28.7+k3s1"})}),(0,r.jsx)(s.td,{children:"Feb 29 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1287",children:"v1.28.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1286k3s2",children:"v1.28.6+k3s2"})}),(0,r.jsx)(s.td,{children:"Feb 06 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1286",children:"v1.28.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1285k3s1",children:"v1.28.5+k3s1"})}),(0,r.jsx)(s.td,{children:"Dec 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1285",children:"v1.28.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.10",children:"v1.1.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1284k3s2",children:"v1.28.4+k3s2"})}),(0,r.jsx)(s.td,{children:"Dec 06 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1284",children:"v1.28.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1283k3s2",children:"v1.28.3+k3s2"})}),(0,r.jsx)(s.td,{children:"Nov 08 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1283",children:"v1.28.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1283k3s1",children:"v1.28.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Oct 30 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1283",children:"v1.28.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1282k3s1",children:"v1.28.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 20 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1282",children:"v1.28.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.6-k3s1",children:"v1.7.6-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1281k3s1",children:"v1.28.1+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 08 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1281",children:"v1.28.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s2",children:"v1.7.3-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12812k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.12+k3s1",children:"v1.28.12+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.12, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v12811",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12811k3s2",children:"Changes since v1.28.11+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-07 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10499",children:"(#10499)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump k3s-root to v0.14.0"}),"\n",(0,r.jsx)(s.li,{children:"Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7"}),"\n",(0,r.jsx)(s.li,{children:"Bump Local Path Provisioner version"}),"\n",(0,r.jsx)(s.li,{children:"Ensure remotedialer kubelet connections use kubelet bind address"}),"\n",(0,r.jsx)(s.li,{children:"Chore: Bump Trivy version"}),"\n",(0,r.jsx)(s.li,{children:"Add etcd s3 config secret implementation"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["July Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10509",children:"(#10509)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.12-k3s1 and Go 1.22.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10541",children:"(#10541)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues loading data-dir value from env vars or dropping config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10598",children:"(#10598)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12811k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.11+k3s2",children:"v1.28.11+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.11, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v12811",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12811k3s1",children:"Changes since v1.28.11+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.25.4 and fixed issue with IPv6 mask ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10428",children:"(#10428)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12811k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.11+k3s1",children:"v1.28.11+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.11, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v12810",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12810k3s1",children:"Changes since v1.28.10+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ruby function ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10090",children:"(#10090)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix bug when using tailscale config by file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10144",children:"(#10144)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version to v0.25.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10221",children:"(#10221)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router version to v2.1.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10182",children:"(#10182)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale test & add extra log in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10213",children:"(#10213)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10258",children:"(#10258)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add WithSkipMissing to not fail import on missing blobs"}),"\n",(0,r.jsx)(s.li,{children:"Use fixed stream server bind address for cri-dockerd"}),"\n",(0,r.jsx)(s.li,{children:"Switch stargz over to cri registry config_path"}),"\n",(0,r.jsx)(s.li,{children:"Bump to containerd v1.7.17, etcd v3.5.13"}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel version"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with externalTrafficPolicy: Local for single-stack services on dual-stack nodes"}),"\n",(0,r.jsxs)(s.li,{children:["ServiceLB now sets the priorityClassName on svclb pods to ",(0,r.jsx)(s.code,{children:"system-node-critical"})," by default. This can be overridden on a per-service basis via the ",(0,r.jsx)(s.code,{children:"svccontroller.k3s.cattle.io/priorityclassname"})," annotation."]}),"\n",(0,r.jsx)(s.li,{children:"Bump minio-go to v7.0.70"}),"\n",(0,r.jsx)(s.li,{children:"Bump kine to v0.11.9 to fix pagination"}),"\n",(0,r.jsx)(s.li,{children:"Update valid resolv conf"}),"\n",(0,r.jsx)(s.li,{children:"Add missing kernel config check"}),"\n",(0,r.jsx)(s.li,{children:"Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)"}),"\n",(0,r.jsx)(s.li,{children:"Fix bug: allow helm controller set owner reference"}),"\n",(0,r.jsx)(s.li,{children:"Bump klipper-helm image for tls secret support"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with k3s-etcd informers not starting"}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Enable-pprof"})," can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Supervisor-metrics"})," can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port."]}),"\n",(0,r.jsx)(s.li,{children:"Fix netpol crash when node remains tainted uninitialized"}),"\n",(0,r.jsx)(s.li,{children:"The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["More backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10289",children:"(#10289)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot retention etcd-s3-folder fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10315",children:"(#10315)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for ",(0,r.jsx)(s.code,{children:"isValidResolvConf"})," (#10302) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10331",children:"(#10331)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix race condition panic in loadbalancer.nextServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10323",children:"(#10323)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo, use ",(0,r.jsx)(s.code,{children:"rancher/permissions"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10299",children:"(#10299)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.28.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10347",children:"(#10347)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix agent supervisor port using apiserver port instead ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10355",children:"(#10355)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue that allowed multiple simultaneous snapshots to be allowed ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10377",children:"(#10377)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12810k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.10+k3s1",children:"v1.28.10+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.10, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1289",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1289k3s1",children:"Changes since v1.28.9+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump E2E opensuse leap to 15.6, fix btrfs test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10095",children:"(#10095)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Windows changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10114",children:"(#10114)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.10-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10098",children:"(#10098)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1289k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.9+k3s1",children:"v1.28.9+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.9, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1288",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1288k3s1",children:"Changes since v1.28.8+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add a new error when kine is with disable apiserver or disable etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9804",children:"(#9804)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove old pinned dependencies ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9827",children:"(#9827)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Transition from deprecated pointer library to ptr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9824",children:"(#9824)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Golang caching and E2E ubuntu 23.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9821",children:"(#9821)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add tls for kine ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9849",children:"(#9849)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel to v0.0.20-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9880",children:"(#9880)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-04 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9911",children:"(#9911)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Send error response if member list cannot be retrieved"}),"\n",(0,r.jsx)(s.li,{children:"The k3s stub cloud provider now respects the kubelet's requested provider-id, instance type, and topology labels"}),"\n",(0,r.jsx)(s.li,{children:"Fix error when image has already been pulled"}),"\n",(0,r.jsx)(s.li,{children:"Add /etc/passwd and /etc/group to k3s docker image"}),"\n",(0,r.jsx)(s.li,{children:"Fix etcd snapshot reconcile for agentless servers"}),"\n",(0,r.jsx)(s.li,{children:"Add health-check support to loadbalancer"}),"\n",(0,r.jsx)(s.li,{children:"Add certificate expiry check, events, and metrics"}),"\n",(0,r.jsx)(s.li,{children:"Add workaround for containerd hosts.toml bug when passing config for default registry endpoint"}),"\n",(0,r.jsx)(s.li,{children:"Add supervisor cert/key to rotate list"}),"\n",(0,r.jsx)(s.li,{children:"The embedded containerd has been bumped to v1.7.15"}),"\n",(0,r.jsx)(s.li,{children:"The embedded cri-dockerd has been bumped to v0.3.12"}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})," command has been reworked for improved consistency. All snapshots operations are now performed by the server process, with the CLI acting as a client to initiate and report results. As a side effect, the CLI is now less noisy when managing snapshots."]}),"\n",(0,r.jsx)(s.li,{children:"Improve etcd load-balancer startup behavior"}),"\n",(0,r.jsx)(s.li,{children:"Actually fix agent certificate rotation"}),"\n",(0,r.jsx)(s.li,{children:"Traefik has been bumped to v2.10.7."}),"\n",(0,r.jsx)(s.li,{children:"Traefik pod annotations are now set properly in the default chart values."}),"\n",(0,r.jsx)(s.li,{children:"The system-default-registry value now supports RFC2732 IPv6 literals."}),"\n",(0,r.jsxs)(s.li,{children:["The local-path provisioner now defaults to creating ",(0,r.jsx)(s.code,{children:"local"})," volumes, instead of ",(0,r.jsx)(s.code,{children:"hostPath"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Allow LPP to read helper logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9938",children:"(#9938)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router to v2.1.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9942",children:"(#9942)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.9-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9959",children:"(#9959)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix on-demand snapshots timing out; not honoring folder ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9994",children:"(#9994)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Make /db/info available anonymously from localhost ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10002",children:"(#10002)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1288k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.8+k3s1",children:"v1.28.8+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.8, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1287",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1287k3s1",children:"Changes since v1.28.7+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add an integration test for flannel-backend=none ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9608",children:"(#9608)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Install and Unit test backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9641",children:"(#9641)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update klipper-lb image version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9605",children:"(#9605)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Chore(deps): Remediating CVE-2023-45142 CVE-2023-48795 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9647",children:"(#9647)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust first node-ip based on configured clusterCIDR ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9631",children:"(#9631)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9653",children:"(#9653)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-03 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9669",children:"(#9669)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fix: use correct wasm shims names"}),"\n",(0,r.jsx)(s.li,{children:"The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller."}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel to v0.0.18-k3s3"}),"\n",(0,r.jsx)(s.li,{children:"Adds wildcard registry support"}),"\n",(0,r.jsx)(s.li,{children:"Fixes issue with excessive CPU utilization while waiting for containerd to start"}),"\n",(0,r.jsx)(s.li,{children:"Add env var to allow spegel mirroring of latest tag"}),"\n",(0,r.jsx)(s.li,{children:"Tweak netpol node wait logs"}),"\n",(0,r.jsx)(s.li,{children:"Fix coredns NodeHosts on dual-stack clusters"}),"\n",(0,r.jsx)(s.li,{children:"Bump helm-controller/klipper-helm versions"}),"\n",(0,r.jsx)(s.li,{children:"Fix snapshot prune"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with etcd node name missing hostname"}),"\n",(0,r.jsx)(s.li,{children:"Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode."}),"\n",(0,r.jsxs)(s.li,{children:["To enable raw output for the ",(0,r.jsx)(s.code,{children:"check-config"})," subcommand, you may now set NO_COLOR=1"]}),"\n",(0,r.jsx)(s.li,{children:"Fix additional corner cases in registries handling"}),"\n",(0,r.jsx)(s.li,{children:"Bump metrics-server to v0.7.0"}),"\n",(0,r.jsx)(s.li,{children:"K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Docker and E2E Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9707",children:"(#9707)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wildcard entry upstream fallback ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9733",children:"(#9733)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.8-k3s1 and Go 1.21.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9746",children:"(#9746)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1287k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.7+k3s1",children:"v1.28.7+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1286",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1286k3s2",children:"Changes since v1.28.6+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Chore: bump Local Path Provisioner version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9426",children:"(#9426)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd to fix compat with Docker Engine 25 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9293",children:"(#9293)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Auto Dependency Bump ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9419",children:"(#9419)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Runtimes refactor using exec.LookPath ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9431",children:"(#9431)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Changed how lastHeartBeatTime works in the etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9424",children:"(#9424)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Flannel v0.24.2 + remove multiclustercidr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9401",children:"(#9401)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow executors to define containerd and docker behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9254",children:"(#9254)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kube-router to v2.0.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9404",children:"(#9404)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-02 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9462",children:"(#9462)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable longer http timeout requests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9444",children:"(#9444)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Test_UnitApplyContainerdQoSClassConfigFileIfPresent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9440",children:"(#9440)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Support PR testing installs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9469",children:"(#9469)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.28.7 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9492",children:"(#9492)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix drone publish for arm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9508",children:"(#9508)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove failing Drone step ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9516",children:"(#9516)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Restore original order of agent startup functions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9545",children:"(#9545)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix netpol startup when flannel is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9578",children:"(#9578)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1286k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.6+k3s2",children:"v1.28.6+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1285",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.p,{children:(0,r.jsx)(s.strong,{children:"Important Notes"})}),"\n",(0,r.jsxs)(s.p,{children:["Addresses the runc CVE: ",(0,r.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2024-21626",children:"CVE-2024-21626"})," by updating runc to v1.1.12."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1285k3s1",children:"Changes since v1.28.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add a retry around updating a secrets-encrypt node annotations ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9125",children:"(#9125)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for taint to be gone in the node before starting the netpol controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9175",children:"(#9175)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9181",children:"(#9181)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-01 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9203",children:"(#9203)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pin opa version for missing dependency chain ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9216",children:"(#9216)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9206",children:"(#9206)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd node is nil ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9228",children:"(#9228)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.6 and Go 1.20.13 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9260",children:"(#9260)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"ipFamilyPolicy: RequireDualStack"})," for dual-stack kube-dns ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9269",children:"(#9269)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-01 k3s2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9336",children:"(#9336)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump runc to v1.1.12 and helm-controller to v0.15.7"}),"\n",(0,r.jsx)(s.li,{children:"Fix handling of bare hostname or IP as endpoint address in registries.yaml"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller to fix issue with ChartContent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9346",children:"(#9346)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1285k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.5+k3s1",children:"v1.28.5+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.5, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1284",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1284k3s1",children:"Changes since v1.28.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Remove s390x steps temporarily since runners are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8983",children:"(#8983)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x from manifest ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8998",children:"(#8998)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix overlapping address range ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8913",children:"(#8913)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Modify CONTRIBUTING.md guide ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8954",children:"(#8954)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Nov 2023 stable channel update ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9022",children:"(#9022)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Default runtime and runtime classes for wasm/nvidia/crun ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8936",children:"(#8936)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Added runtime classes for wasm/nvidia/crun"}),"\n",(0,r.jsx)(s.li,{children:"Added default runtime flag for containerd"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.10-k3s1/v1.1.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8962",children:"(#8962)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow setting default-runtime on servers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9027",children:"(#9027)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9040",children:"(#9040)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.5-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9081",children:"(#9081)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1284k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.4+k3s2",children:"v1.28.4+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.4, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1283",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1283k3s2",children:"Changes since v1.28.3+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update channels latest to v1.27.7+k3s2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8799",children:"(#8799)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add etcd status condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8724",children:"(#8724)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Now the user can see the etcd status from each node in a simple way"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["ADR for etcd status ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8355",children:"(#8355)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wasm shims detection ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8751",children:"(#8751)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Automatic discovery of WebAssembly runtimes"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add warning for removal of multiclustercidr flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8758",children:"(#8758)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve dualStack log ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8798",children:"(#8798)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Optimize: Simplify and clean up Dockerfile ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8244",children:"(#8244)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add: timezone info in image ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8764",children:"(#8764)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["New timezone info in Docker image allows the use of ",(0,r.jsx)(s.code,{children:"spec.timeZone"})," in CronJobs"]}),"\n"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to fix nats, postgres, and watch issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8778",children:"(#8778)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["QoS-class resource configuration ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8726",children:"(#8726)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Containerd may now be configured to use rdt or blockio configuration by defining ",(0,r.jsx)(s.code,{children:"rdt_config.yaml"})," or ",(0,r.jsx)(s.code,{children:"blockio_config.yaml"})," files."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add agent flag disable-apiserver-lb ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8717",children:"(#8717)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add agent flag disable-apiserver-lb, agent will not start load balance proxy."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Force umount for NFS mount (like with longhorn) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8521",children:"(#8521)"})]}),"\n",(0,r.jsxs)(s.li,{children:["General updates to README ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8786",children:"(#8786)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wrong warning from restorecon in install script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8871",children:"(#8871)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with snapshot metadata configmap ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8835",children:"(#8835)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Omit snapshot list configmap entries for snapshots without extra metadata"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Skip initial datastore reconcile during cluster-reset ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8861",children:"(#8861)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Tweaked order of ingress IPs in ServiceLB ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8711",children:"(#8711)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Improved ingress IP ordering from ServiceLB"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Disable helm CRD installation for disable-helm-controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8702",children:"(#8702)"})]}),"\n",(0,r.jsxs)(s.li,{children:["More improves for K3s patch release docs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8800",children:"(#8800)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update install.sh sha256sum ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8885",children:"(#8885)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add jitter to client config retry to avoid hammering servers when they are starting up ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8863",children:"(#8863)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Handle nil pointer when runtime core is not ready in etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8886",children:"(#8886)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump dynamiclistener; reduce snapshot controller log spew ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8894",children:"(#8894)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret"}),"\n",(0,r.jsx)(s.li,{children:"Reduced etcd snapshot log spam during initial cluster startup"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove depends_on for e2e step; fix cert rotate e2e ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8906",children:"(#8906)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd snapshot S3 issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8926",children:"(#8926)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Don't apply S3 retention if S3 client failed to initialize"}),"\n",(0,r.jsx)(s.li,{children:"Don't request metadata when listing S3 snapshots"}),"\n",(0,r.jsx)(s.li,{children:"Print key instead of file path in snapshot metadata log message"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.4 and Go to v1.20.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8920",children:"(#8920)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x steps temporarily since runners are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8983",children:"(#8983)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x from manifest ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8998",children:"(#8998)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1283k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.3+k3s2",children:"v1.28.3+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1283",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1283k3s1",children:"Changes since v1.28.3+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Restore selinux context systemd unit file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8593",children:"(#8593)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel to v1.27.7+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8753",children:"(#8753)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Sonobuoy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8710",children:"(#8710)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8739",children:"(#8739)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: Access outer scope .SystemdCgroup ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8761",children:"(#8761)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed failing to start with nvidia-container-runtime"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Upgrade traefik chart to v25.0.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8771",children:"(#8771)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update traefik to fix registry value ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8792",children:"(#8792)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Don't use iptables-save/iptables-restore if it will corrupt rules ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8795",children:"(#8795)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1283k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.3+k3s1",children:"v1.28.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1282",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1282k3s1",children:"Changes since v1.28.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix error reporting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8250",children:"(#8250)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add context to flannel errors ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8284",children:"(#8284)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel, September patch release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8397",children:"(#8397)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add missing link to drone in documentation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8295",children:"(#8295)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Include the interface name in the error message ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8346",children:"(#8346)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add extraArgs to vpn provider ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8354",children:"(#8354)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Allow to pass extra args to the vpn provider"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Disable HTTP on main etcd client port ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8402",children:"(#8402)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Embedded etcd no longer serves http requests on the client port, only grpc. This addresses a performance issue that could cause watch stream starvation under load. For more information, see ",(0,r.jsx)(s.a,{href:"https://github.com/etcd-io/etcd/issues/15402",children:"https://github.com/etcd-io/etcd/issues/15402"})]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Server token rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8215",children:"(#8215)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues with etcd member removal after reset ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8392",children:"(#8392)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix gofmt error ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8439",children:"(#8439)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added advertise address integration test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8344",children:"(#8344)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added cluster reset from non bootstrap nodes on snapshot restore e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8292",children:"(#8292)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix .github regex to skip drone runs on gh action bumps ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8433",children:"(#8433)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added error when cluster reset while using server flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8385",children:"(#8385)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The user will receive a error when --cluster-reset with the --server flag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8423",children:"(#8423)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Update kube-router to v2.0.0-rc7 to fix performance issues"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add SHA256 signatures of the install script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8312",children:"(#8312)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add SHA256 signatures of the install script."}),"\n"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add --image-service-endpoint flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8279",children:"(#8279)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add ",(0,r.jsx)(s.code,{children:"--image-service-endpoint"})," flag to specify an external image service socket."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Don't ignore assets in home dir if system assets exist ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8458",children:"(#8458)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pass SystemdCgroup setting through to nvidia runtime options ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8470",children:"(#8470)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed issue that would cause pods using nvidia container runtime to be killed after a few seconds, when using newer versions of nvidia-container-toolkit."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve release docs - updated ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8414",children:"(#8414)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Take IPFamily precedence based on order ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8460",children:"(#8460)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix spellcheck problem ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8507",children:"(#8507)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Network defaults are duplicated, remove one ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8523",children:"(#8523)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix slemicro check for selinux ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8526",children:"(#8526)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update install.sh.sha256sum ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8566",children:"(#8566)"})]}),"\n",(0,r.jsxs)(s.li,{children:["System agent push tags fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8568",children:"(#8568)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed tailscale node IP dualstack mode in case of IPv4 only node ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8524",children:"(#8524)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Server Token Rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8265",children:"(#8265)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Users can now rotate the server token using ",(0,r.jsx)(s.code,{children:"k3s token rotate -t --new-token "}),". After command succeeds, all server nodes must be restarted with the new token."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["E2E Domain Drone Cleanup ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8579",children:"(#8579)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.7-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8604",children:"(#8604)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump busybox to v1.36.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8602",children:"(#8602)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Migrate to using custom resource to store etcd snapshot metadata ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8064",children:"(#8064)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Switch build target from main.go to a package. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8342",children:"(#8342)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use IPv6 in case is the first configured IP with dualstack ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8581",children:"(#8581)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump traefik, golang.org/x/net, google.golang.org/grpc ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8624",children:"(#8624)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router package in build script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8630",children:"(#8630)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add etcd-only/control-plane-only server test and fix control-plane-only server crash ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8638",children:"(#8638)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"version.Program"})," not K3s in token rotate logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8653",children:"(#8653)"})]}),"\n",(0,r.jsxs)(s.li,{children:["[Windows Port ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7259",children:"(#7259)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix CloudDualStackNodeIPs feature-gate inconsistency ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8667",children:"(#8667)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Re-enable etcd endpoint auto-sync ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8675",children:"(#8675)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Manually requeue configmap reconcile when no nodes have reconciled snapshots ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8683",children:"(#8683)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.3 and Go to v1.20.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8682",children:"(#8682)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix s3 snapshot restore ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8729",children:"(#8729)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1282k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.2+k3s1",children:"v1.28.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1281",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1281k3s1",children:"Changes since v1.28.1+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update channel for version v1.28 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8305",children:"(#8305)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.10.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8323",children:"(#8323)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.2 and go v1.20.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8364",children:"(#8364)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump embedded containerd to v1.7.6"}),"\n",(0,r.jsx)(s.li,{children:"Bump embedded stargz-snapshotter plugin to latest"}),"\n",(0,r.jsx)(s.li,{children:"Fixed intermittent drone CI failures due to race conditions in test environment setup scripts"}),"\n",(0,r.jsx)(s.li,{children:"Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1281k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.1+k3s1",children:"v1.28.1+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.28 line. This release updates Kubernetes to v1.28.1."}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release includes remediation for CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including documentation on changes in behavior that harden clusters against this vulnerability."]})}),"\n",(0,r.jsx)(s.admonition,{title:"Critical Regression",type:"danger",children:(0,r.jsxs)(s.p,{children:["Kubernetes v1.28 contains a critical regression (",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/issues/120247",children:"kubernetes/kubernetes#120247"}),") that causes init containers to run at the same time as app containers following a restart of the node. This issue will be fixed in v1.28.2. We do not recommend using K3s v1.28 at this time if your application depends on init containers."]})}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1270",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1275k3s1",children:"Changes since v1.27.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8239",children:"(#8239)"})]}),"\n",(0,r.jsxs)(s.li,{children:["CLI Removal for v1.28.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8203",children:"(#8203)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Secrets Encryption V3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8111",children:"(#8111)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add new CLI flag to disable TLS SAN CN filtering ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8252",children:"(#8252)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Added a new ",(0,r.jsx)(s.code,{children:"--tls-san-security"})," option."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8268",children:"(#8268)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,i)=>{i.d(s,{Z:()=>h,a:()=>l});var r=i(7294);const t={},n=r.createContext(t);function l(e){const s=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(n.Provider,{value:s},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[101],{3989:(e,s,i)=>{i.r(s),i.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var r=i(5893),t=i(1151);const n={hide_table_of_contents:!0,sidebar_position:3},l="v1.28.X",h={id:"release-notes/v1.28.X",title:"v1.28.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.28.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.28.X",permalink:"/release-notes/v1.28.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.28.X.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,sidebarPosition:3,frontMatter:{hide_table_of_contents:!0,sidebar_position:3},sidebar:"mySidebar",previous:{title:"v1.29.X",permalink:"/release-notes/v1.29.X"},next:{title:"v1.27.X",permalink:"/release-notes/v1.27.X"}},c={},d=[{value:"Release v1.28.12+k3s1",id:"release-v12812k3s1",level:2},{value:"Changes since v1.28.11+k3s2:",id:"changes-since-v12811k3s2",level:3},{value:"Release v1.28.11+k3s2",id:"release-v12811k3s2",level:2},{value:"Changes since v1.28.11+k3s1:",id:"changes-since-v12811k3s1",level:3},{value:"Release v1.28.11+k3s1",id:"release-v12811k3s1",level:2},{value:"Changes since v1.28.10+k3s1:",id:"changes-since-v12810k3s1",level:3},{value:"Release v1.28.10+k3s1",id:"release-v12810k3s1",level:2},{value:"Changes since v1.28.9+k3s1:",id:"changes-since-v1289k3s1",level:3},{value:"Release v1.28.9+k3s1",id:"release-v1289k3s1",level:2},{value:"Changes since v1.28.8+k3s1:",id:"changes-since-v1288k3s1",level:3},{value:"Release v1.28.8+k3s1",id:"release-v1288k3s1",level:2},{value:"Changes since v1.28.7+k3s1:",id:"changes-since-v1287k3s1",level:3},{value:"Release v1.28.7+k3s1",id:"release-v1287k3s1",level:2},{value:"Changes since v1.28.6+k3s2:",id:"changes-since-v1286k3s2",level:3},{value:"Release v1.28.6+k3s2",id:"release-v1286k3s2",level:2},{value:"Changes since v1.28.5+k3s1:",id:"changes-since-v1285k3s1",level:3},{value:"Release v1.28.5+k3s1",id:"release-v1285k3s1",level:2},{value:"Changes since v1.28.4+k3s1:",id:"changes-since-v1284k3s1",level:3},{value:"Release v1.28.4+k3s2",id:"release-v1284k3s2",level:2},{value:"Changes since v1.28.3+k3s2:",id:"changes-since-v1283k3s2",level:3},{value:"Release v1.28.3+k3s2",id:"release-v1283k3s2",level:2},{value:"Changes since v1.28.3+k3s1:",id:"changes-since-v1283k3s1",level:3},{value:"Release v1.28.3+k3s1",id:"release-v1283k3s1",level:2},{value:"Changes since v1.28.2+k3s1:",id:"changes-since-v1282k3s1",level:3},{value:"Release v1.28.2+k3s1",id:"release-v1282k3s1",level:2},{value:"Changes since v1.28.1+k3s1:",id:"changes-since-v1281k3s1",level:3},{value:"Release v1.28.1+k3s1",id:"release-v1281k3s1",level:2},{value:"Changes since v1.27.5+k3s1:",id:"changes-since-v1275k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.header,{children:(0,r.jsx)(s.h1,{id:"v128x",children:"v1.28.X"})}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v12812k3s1",children:"v1.28.12+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 31 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12812",children:"v1.28.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.11",children:"v0.11.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1.28",children:"v1.7.17-k3s1.28"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.28",children:"v0.0.28"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v12811k3s2",children:"v1.28.11+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 03 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12811",children:"v1.28.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1.28",children:"v1.7.17-k3s1.28"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v12811k3s1",children:"v1.28.11+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12811",children:"v1.28.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1.28",children:"v1.7.17-k3s1.28"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.2",children:"v0.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.10",children:"v0.15.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v12810k3s1",children:"v1.28.10+k3s1"})}),(0,r.jsx)(s.td,{children:"May 22 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v12810",children:"v1.28.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1289k3s1",children:"v1.28.9+k3s1"})}),(0,r.jsx)(s.td,{children:"Apr 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1289",children:"v1.28.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1288k3s1",children:"v1.28.8+k3s1"})}),(0,r.jsx)(s.td,{children:"Mar 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1288",children:"v1.28.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.15.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1287k3s1",children:"v1.28.7+k3s1"})}),(0,r.jsx)(s.td,{children:"Feb 29 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1287",children:"v1.28.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.4",children:"v0.11.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1286k3s2",children:"v1.28.6+k3s2"})}),(0,r.jsx)(s.td,{children:"Feb 06 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1286",children:"v1.28.6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.8",children:"v0.15.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1285k3s1",children:"v1.28.5+k3s1"})}),(0,r.jsx)(s.td,{children:"Dec 27 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1285",children:"v1.28.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.11-k3s2",children:"v1.7.11-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.10",children:"v1.1.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1284k3s2",children:"v1.28.4+k3s2"})}),(0,r.jsx)(s.td,{children:"Dec 06 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1284",children:"v1.28.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1283k3s2",children:"v1.28.3+k3s2"})}),(0,r.jsx)(s.td,{children:"Nov 08 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1283",children:"v1.28.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1283k3s1",children:"v1.28.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Oct 30 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1283",children:"v1.28.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1282k3s1",children:"v1.28.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 20 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1282",children:"v1.28.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.6-k3s1",children:"v1.7.6-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.28.X#release-v1281k3s1",children:"v1.28.1+k3s1"})}),(0,r.jsx)(s.td,{children:"Sep 08 2023"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1281",children:"v1.28.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s2",children:"v1.7.3-k3s2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12812k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.12+k3s1",children:"v1.28.12+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.12, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v12811",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12811k3s2",children:"Changes since v1.28.11+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-07 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10499",children:"(#10499)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump k3s-root to v0.14.0"}),"\n",(0,r.jsx)(s.li,{children:"Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7"}),"\n",(0,r.jsx)(s.li,{children:"Bump Local Path Provisioner version"}),"\n",(0,r.jsx)(s.li,{children:"Ensure remotedialer kubelet connections use kubelet bind address"}),"\n",(0,r.jsx)(s.li,{children:"Chore: Bump Trivy version"}),"\n",(0,r.jsx)(s.li,{children:"Add etcd s3 config secret implementation"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["July Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10509",children:"(#10509)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.12-k3s1 and Go 1.22.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10541",children:"(#10541)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues loading data-dir value from env vars or dropping config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10598",children:"(#10598)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12811k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.11+k3s2",children:"v1.28.11+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.11, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v12811",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12811k3s1",children:"Changes since v1.28.11+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.25.4 and fixed issue with IPv6 mask ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10428",children:"(#10428)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12811k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.11+k3s1",children:"v1.28.11+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.11, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v12810",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v12810k3s1",children:"Changes since v1.28.10+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ruby function ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10090",children:"(#10090)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix bug when using tailscale config by file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10144",children:"(#10144)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version to v0.25.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10221",children:"(#10221)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router version to v2.1.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10182",children:"(#10182)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale test & add extra log in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10213",children:"(#10213)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10258",children:"(#10258)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add WithSkipMissing to not fail import on missing blobs"}),"\n",(0,r.jsx)(s.li,{children:"Use fixed stream server bind address for cri-dockerd"}),"\n",(0,r.jsx)(s.li,{children:"Switch stargz over to cri registry config_path"}),"\n",(0,r.jsx)(s.li,{children:"Bump to containerd v1.7.17, etcd v3.5.13"}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel version"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with externalTrafficPolicy: Local for single-stack services on dual-stack nodes"}),"\n",(0,r.jsxs)(s.li,{children:["ServiceLB now sets the priorityClassName on svclb pods to ",(0,r.jsx)(s.code,{children:"system-node-critical"})," by default. This can be overridden on a per-service basis via the ",(0,r.jsx)(s.code,{children:"svccontroller.k3s.cattle.io/priorityclassname"})," annotation."]}),"\n",(0,r.jsx)(s.li,{children:"Bump minio-go to v7.0.70"}),"\n",(0,r.jsx)(s.li,{children:"Bump kine to v0.11.9 to fix pagination"}),"\n",(0,r.jsx)(s.li,{children:"Update valid resolv conf"}),"\n",(0,r.jsx)(s.li,{children:"Add missing kernel config check"}),"\n",(0,r.jsx)(s.li,{children:"Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)"}),"\n",(0,r.jsx)(s.li,{children:"Fix bug: allow helm controller set owner reference"}),"\n",(0,r.jsx)(s.li,{children:"Bump klipper-helm image for tls secret support"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with k3s-etcd informers not starting"}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Enable-pprof"})," can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Supervisor-metrics"})," can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port."]}),"\n",(0,r.jsx)(s.li,{children:"Fix netpol crash when node remains tainted uninitialized"}),"\n",(0,r.jsx)(s.li,{children:"The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["More backports for 2024-06 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10289",children:"(#10289)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot retention etcd-s3-folder fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10315",children:"(#10315)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for ",(0,r.jsx)(s.code,{children:"isValidResolvConf"})," (#10302) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10331",children:"(#10331)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix race condition panic in loadbalancer.nextServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10323",children:"(#10323)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo, use ",(0,r.jsx)(s.code,{children:"rancher/permissions"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10299",children:"(#10299)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.28.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10347",children:"(#10347)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix agent supervisor port using apiserver port instead ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10355",children:"(#10355)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue that allowed multiple simultaneous snapshots to be allowed ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10377",children:"(#10377)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v12810k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.10+k3s1",children:"v1.28.10+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.10, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1289",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1289k3s1",children:"Changes since v1.28.9+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Bump E2E opensuse leap to 15.6, fix btrfs test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10095",children:"(#10095)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Windows changes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10114",children:"(#10114)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.10-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10098",children:"(#10098)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1289k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.9+k3s1",children:"v1.28.9+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.9, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1288",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1288k3s1",children:"Changes since v1.28.8+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add a new error when kine is with disable apiserver or disable etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9804",children:"(#9804)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove old pinned dependencies ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9827",children:"(#9827)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Transition from deprecated pointer library to ptr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9824",children:"(#9824)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Golang caching and E2E ubuntu 23.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9821",children:"(#9821)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add tls for kine ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9849",children:"(#9849)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel to v0.0.20-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9880",children:"(#9880)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-04 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9911",children:"(#9911)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Send error response if member list cannot be retrieved"}),"\n",(0,r.jsx)(s.li,{children:"The k3s stub cloud provider now respects the kubelet's requested provider-id, instance type, and topology labels"}),"\n",(0,r.jsx)(s.li,{children:"Fix error when image has already been pulled"}),"\n",(0,r.jsx)(s.li,{children:"Add /etc/passwd and /etc/group to k3s docker image"}),"\n",(0,r.jsx)(s.li,{children:"Fix etcd snapshot reconcile for agentless servers"}),"\n",(0,r.jsx)(s.li,{children:"Add health-check support to loadbalancer"}),"\n",(0,r.jsx)(s.li,{children:"Add certificate expiry check, events, and metrics"}),"\n",(0,r.jsx)(s.li,{children:"Add workaround for containerd hosts.toml bug when passing config for default registry endpoint"}),"\n",(0,r.jsx)(s.li,{children:"Add supervisor cert/key to rotate list"}),"\n",(0,r.jsx)(s.li,{children:"The embedded containerd has been bumped to v1.7.15"}),"\n",(0,r.jsx)(s.li,{children:"The embedded cri-dockerd has been bumped to v0.3.12"}),"\n",(0,r.jsxs)(s.li,{children:["The ",(0,r.jsx)(s.code,{children:"k3s etcd-snapshot"})," command has been reworked for improved consistency. All snapshots operations are now performed by the server process, with the CLI acting as a client to initiate and report results. As a side effect, the CLI is now less noisy when managing snapshots."]}),"\n",(0,r.jsx)(s.li,{children:"Improve etcd load-balancer startup behavior"}),"\n",(0,r.jsx)(s.li,{children:"Actually fix agent certificate rotation"}),"\n",(0,r.jsx)(s.li,{children:"Traefik has been bumped to v2.10.7."}),"\n",(0,r.jsx)(s.li,{children:"Traefik pod annotations are now set properly in the default chart values."}),"\n",(0,r.jsx)(s.li,{children:"The system-default-registry value now supports RFC2732 IPv6 literals."}),"\n",(0,r.jsxs)(s.li,{children:["The local-path provisioner now defaults to creating ",(0,r.jsx)(s.code,{children:"local"})," volumes, instead of ",(0,r.jsx)(s.code,{children:"hostPath"}),"."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Allow LPP to read helper logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9938",children:"(#9938)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router to v2.1.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9942",children:"(#9942)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.9-k3s1 and Go 1.21.9 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9959",children:"(#9959)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix on-demand snapshots timing out; not honoring folder ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9994",children:"(#9994)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Make /db/info available anonymously from localhost ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10002",children:"(#10002)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1288k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.8+k3s1",children:"v1.28.8+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.8, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1287",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1287k3s1",children:"Changes since v1.28.7+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add an integration test for flannel-backend=none ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9608",children:"(#9608)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Install and Unit test backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9641",children:"(#9641)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update klipper-lb image version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9605",children:"(#9605)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Chore(deps): Remediating CVE-2023-45142 CVE-2023-48795 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9647",children:"(#9647)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Adjust first node-ip based on configured clusterCIDR ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9631",children:"(#9631)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve tailscale e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9653",children:"(#9653)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-03 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9669",children:"(#9669)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fix: use correct wasm shims names"}),"\n",(0,r.jsx)(s.li,{children:"The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller."}),"\n",(0,r.jsx)(s.li,{children:"Bump spegel to v0.0.18-k3s3"}),"\n",(0,r.jsx)(s.li,{children:"Adds wildcard registry support"}),"\n",(0,r.jsx)(s.li,{children:"Fixes issue with excessive CPU utilization while waiting for containerd to start"}),"\n",(0,r.jsx)(s.li,{children:"Add env var to allow spegel mirroring of latest tag"}),"\n",(0,r.jsx)(s.li,{children:"Tweak netpol node wait logs"}),"\n",(0,r.jsx)(s.li,{children:"Fix coredns NodeHosts on dual-stack clusters"}),"\n",(0,r.jsx)(s.li,{children:"Bump helm-controller/klipper-helm versions"}),"\n",(0,r.jsx)(s.li,{children:"Fix snapshot prune"}),"\n",(0,r.jsx)(s.li,{children:"Fix issue with etcd node name missing hostname"}),"\n",(0,r.jsx)(s.li,{children:"Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode."}),"\n",(0,r.jsxs)(s.li,{children:["To enable raw output for the ",(0,r.jsx)(s.code,{children:"check-config"})," subcommand, you may now set NO_COLOR=1"]}),"\n",(0,r.jsx)(s.li,{children:"Fix additional corner cases in registries handling"}),"\n",(0,r.jsx)(s.li,{children:"Bump metrics-server to v0.7.0"}),"\n",(0,r.jsx)(s.li,{children:"K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Docker and E2E Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9707",children:"(#9707)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wildcard entry upstream fallback ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9733",children:"(#9733)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.8-k3s1 and Go 1.21.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9746",children:"(#9746)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1287k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.7+k3s1",children:"v1.28.7+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.7, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1286",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1286k3s2",children:"Changes since v1.28.6+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Chore: bump Local Path Provisioner version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9426",children:"(#9426)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump cri-dockerd to fix compat with Docker Engine 25 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9293",children:"(#9293)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Auto Dependency Bump ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9419",children:"(#9419)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Runtimes refactor using exec.LookPath ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9431",children:"(#9431)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Changed how lastHeartBeatTime works in the etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9424",children:"(#9424)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Flannel v0.24.2 + remove multiclustercidr ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9401",children:"(#9401)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow executors to define containerd and docker behavior ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9254",children:"(#9254)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kube-router to v2.0.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9404",children:"(#9404)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-02 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9462",children:"(#9462)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable longer http timeout requests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9444",children:"(#9444)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Test_UnitApplyContainerdQoSClassConfigFileIfPresent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9440",children:"(#9440)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Support PR testing installs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9469",children:"(#9469)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.28.7 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9492",children:"(#9492)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix drone publish for arm ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9508",children:"(#9508)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove failing Drone step ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9516",children:"(#9516)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Restore original order of agent startup functions ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9545",children:"(#9545)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix netpol startup when flannel is disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9578",children:"(#9578)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1286k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.6+k3s2",children:"v1.28.6+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.6, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1285",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.p,{children:(0,r.jsx)(s.strong,{children:"Important Notes"})}),"\n",(0,r.jsxs)(s.p,{children:["Addresses the runc CVE: ",(0,r.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2024-21626",children:"CVE-2024-21626"})," by updating runc to v1.1.12."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1285k3s1",children:"Changes since v1.28.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add a retry around updating a secrets-encrypt node annotations ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9125",children:"(#9125)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wait for taint to be gone in the node before starting the netpol controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9175",children:"(#9175)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9181",children:"(#9181)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-01 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9203",children:"(#9203)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pin opa version for missing dependency chain ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9216",children:"(#9216)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added support for env *_PROXY variables for agent loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9206",children:"(#9206)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Etcd node is nil ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9228",children:"(#9228)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.6 and Go 1.20.13 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9260",children:"(#9260)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"ipFamilyPolicy: RequireDualStack"})," for dual-stack kube-dns ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9269",children:"(#9269)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-01 k3s2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9336",children:"(#9336)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump runc to v1.1.12 and helm-controller to v0.15.7"}),"\n",(0,r.jsx)(s.li,{children:"Fix handling of bare hostname or IP as endpoint address in registries.yaml"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump helm-controller to fix issue with ChartContent ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9346",children:"(#9346)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1285k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.5+k3s1",children:"v1.28.5+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.5, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1284",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1284k3s1",children:"Changes since v1.28.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Remove s390x steps temporarily since runners are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8983",children:"(#8983)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x from manifest ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8998",children:"(#8998)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix overlapping address range ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8913",children:"(#8913)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Modify CONTRIBUTING.md guide ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8954",children:"(#8954)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Nov 2023 stable channel update ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9022",children:"(#9022)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Default runtime and runtime classes for wasm/nvidia/crun ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8936",children:"(#8936)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Added runtime classes for wasm/nvidia/crun"}),"\n",(0,r.jsx)(s.li,{children:"Added default runtime flag for containerd"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.10-k3s1/v1.1.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8962",children:"(#8962)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Allow setting default-runtime on servers ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9027",children:"(#9027)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9040",children:"(#9040)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.5-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9081",children:"(#9081)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1284k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.4+k3s2",children:"v1.28.4+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.4, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1283",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1283k3s2",children:"Changes since v1.28.3+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update channels latest to v1.27.7+k3s2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8799",children:"(#8799)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add etcd status condition ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8724",children:"(#8724)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Now the user can see the etcd status from each node in a simple way"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["ADR for etcd status ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8355",children:"(#8355)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Wasm shims detection ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8751",children:"(#8751)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Automatic discovery of WebAssembly runtimes"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add warning for removal of multiclustercidr flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8758",children:"(#8758)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Improve dualStack log ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8798",children:"(#8798)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Optimize: Simplify and clean up Dockerfile ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8244",children:"(#8244)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add: timezone info in image ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8764",children:"(#8764)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["New timezone info in Docker image allows the use of ",(0,r.jsx)(s.code,{children:"spec.timeZone"})," in CronJobs"]}),"\n"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to fix nats, postgres, and watch issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8778",children:"(#8778)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["QoS-class resource configuration ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8726",children:"(#8726)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Containerd may now be configured to use rdt or blockio configuration by defining ",(0,r.jsx)(s.code,{children:"rdt_config.yaml"})," or ",(0,r.jsx)(s.code,{children:"blockio_config.yaml"})," files."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add agent flag disable-apiserver-lb ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8717",children:"(#8717)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add agent flag disable-apiserver-lb, agent will not start load balance proxy."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Force umount for NFS mount (like with longhorn) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8521",children:"(#8521)"})]}),"\n",(0,r.jsxs)(s.li,{children:["General updates to README ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8786",children:"(#8786)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix wrong warning from restorecon in install script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8871",children:"(#8871)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with snapshot metadata configmap ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8835",children:"(#8835)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Omit snapshot list configmap entries for snapshots without extra metadata"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Skip initial datastore reconcile during cluster-reset ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8861",children:"(#8861)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Tweaked order of ingress IPs in ServiceLB ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8711",children:"(#8711)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Improved ingress IP ordering from ServiceLB"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Disable helm CRD installation for disable-helm-controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8702",children:"(#8702)"})]}),"\n",(0,r.jsxs)(s.li,{children:["More improves for K3s patch release docs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8800",children:"(#8800)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update install.sh sha256sum ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8885",children:"(#8885)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add jitter to client config retry to avoid hammering servers when they are starting up ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8863",children:"(#8863)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Handle nil pointer when runtime core is not ready in etcd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8886",children:"(#8886)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump dynamiclistener; reduce snapshot controller log spew ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8894",children:"(#8894)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret"}),"\n",(0,r.jsx)(s.li,{children:"Reduced etcd snapshot log spam during initial cluster startup"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Remove depends_on for e2e step; fix cert rotate e2e ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8906",children:"(#8906)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix etcd snapshot S3 issues ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8926",children:"(#8926)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Don't apply S3 retention if S3 client failed to initialize"}),"\n",(0,r.jsx)(s.li,{children:"Don't request metadata when listing S3 snapshots"}),"\n",(0,r.jsx)(s.li,{children:"Print key instead of file path in snapshot metadata log message"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.4 and Go to v1.20.11 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8920",children:"(#8920)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x steps temporarily since runners are disabled ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8983",children:"(#8983)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove s390x from manifest ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8998",children:"(#8998)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1283k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.3+k3s2",children:"v1.28.3+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1283",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1283k3s1",children:"Changes since v1.28.3+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Restore selinux context systemd unit file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8593",children:"(#8593)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel to v1.27.7+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8753",children:"(#8753)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Sonobuoy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8710",children:"(#8710)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8739",children:"(#8739)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: Access outer scope .SystemdCgroup ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8761",children:"(#8761)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed failing to start with nvidia-container-runtime"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Upgrade traefik chart to v25.0.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8771",children:"(#8771)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update traefik to fix registry value ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8792",children:"(#8792)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Don't use iptables-save/iptables-restore if it will corrupt rules ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8795",children:"(#8795)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1283k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.3+k3s1",children:"v1.28.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1282",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1282k3s1",children:"Changes since v1.28.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix error reporting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8250",children:"(#8250)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add context to flannel errors ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8284",children:"(#8284)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel, September patch release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8397",children:"(#8397)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add missing link to drone in documentation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8295",children:"(#8295)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Include the interface name in the error message ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8346",children:"(#8346)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add extraArgs to vpn provider ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8354",children:"(#8354)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Allow to pass extra args to the vpn provider"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Disable HTTP on main etcd client port ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8402",children:"(#8402)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Embedded etcd no longer serves http requests on the client port, only grpc. This addresses a performance issue that could cause watch stream starvation under load. For more information, see ",(0,r.jsx)(s.a,{href:"https://github.com/etcd-io/etcd/issues/15402",children:"https://github.com/etcd-io/etcd/issues/15402"})]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Server token rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8215",children:"(#8215)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues with etcd member removal after reset ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8392",children:"(#8392)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix gofmt error ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8439",children:"(#8439)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added advertise address integration test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8344",children:"(#8344)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added cluster reset from non bootstrap nodes on snapshot restore e2e test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8292",children:"(#8292)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix .github regex to skip drone runs on gh action bumps ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8433",children:"(#8433)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Added error when cluster reset while using server flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8385",children:"(#8385)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The user will receive a error when --cluster-reset with the --server flag"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8423",children:"(#8423)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Update kube-router to v2.0.0-rc7 to fix performance issues"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add SHA256 signatures of the install script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8312",children:"(#8312)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Add SHA256 signatures of the install script."}),"\n"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add --image-service-endpoint flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8279",children:"(#8279)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Add ",(0,r.jsx)(s.code,{children:"--image-service-endpoint"})," flag to specify an external image service socket."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Don't ignore assets in home dir if system assets exist ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8458",children:"(#8458)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Pass SystemdCgroup setting through to nvidia runtime options ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8470",children:"(#8470)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Fixed issue that would cause pods using nvidia container runtime to be killed after a few seconds, when using newer versions of nvidia-container-toolkit."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Improve release docs - updated ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8414",children:"(#8414)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Take IPFamily precedence based on order ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8460",children:"(#8460)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix spellcheck problem ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8507",children:"(#8507)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Network defaults are duplicated, remove one ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8523",children:"(#8523)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix slemicro check for selinux ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8526",children:"(#8526)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update install.sh.sha256sum ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8566",children:"(#8566)"})]}),"\n",(0,r.jsxs)(s.li,{children:["System agent push tags fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8568",children:"(#8568)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fixed tailscale node IP dualstack mode in case of IPv4 only node ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8524",children:"(#8524)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Server Token Rotation ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8265",children:"(#8265)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Users can now rotate the server token using ",(0,r.jsx)(s.code,{children:"k3s token rotate -t --new-token "}),". After command succeeds, all server nodes must be restarted with the new token."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["E2E Domain Drone Cleanup ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8579",children:"(#8579)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump containerd to v1.7.7-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8604",children:"(#8604)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump busybox to v1.36.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8602",children:"(#8602)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Migrate to using custom resource to store etcd snapshot metadata ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8064",children:"(#8064)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Switch build target from main.go to a package. ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8342",children:"(#8342)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use IPv6 in case is the first configured IP with dualstack ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8581",children:"(#8581)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump traefik, golang.org/x/net, google.golang.org/grpc ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8624",children:"(#8624)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router package in build script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8630",children:"(#8630)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add etcd-only/control-plane-only server test and fix control-plane-only server crash ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8638",children:"(#8638)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use ",(0,r.jsx)(s.code,{children:"version.Program"})," not K3s in token rotate logs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8653",children:"(#8653)"})]}),"\n",(0,r.jsxs)(s.li,{children:["[Windows Port ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7259",children:"(#7259)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix CloudDualStackNodeIPs feature-gate inconsistency ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8667",children:"(#8667)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Re-enable etcd endpoint auto-sync ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8675",children:"(#8675)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Manually requeue configmap reconcile when no nodes have reconciled snapshots ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8683",children:"(#8683)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.3 and Go to v1.20.10 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8682",children:"(#8682)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix s3 snapshot restore ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8729",children:"(#8729)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1282k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.2+k3s1",children:"v1.28.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.28.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1281",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1281k3s1",children:"Changes since v1.28.1+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update channel for version v1.28 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8305",children:"(#8305)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.10.3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8323",children:"(#8323)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.2 and go v1.20.8 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8364",children:"(#8364)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump embedded containerd to v1.7.6"}),"\n",(0,r.jsx)(s.li,{children:"Bump embedded stargz-snapshotter plugin to latest"}),"\n",(0,r.jsx)(s.li,{children:"Fixed intermittent drone CI failures due to race conditions in test environment setup scripts"}),"\n",(0,r.jsx)(s.li,{children:"Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1281k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.28.1+k3s1",children:"v1.28.1+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.28 line. This release updates Kubernetes to v1.28.1."}),"\n",(0,r.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,r.jsxs)(s.p,{children:["This release includes remediation for CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including documentation on changes in behavior that harden clusters against this vulnerability."]})}),"\n",(0,r.jsx)(s.admonition,{title:"Critical Regression",type:"danger",children:(0,r.jsxs)(s.p,{children:["Kubernetes v1.28 contains a critical regression (",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/issues/120247",children:"kubernetes/kubernetes#120247"}),") that causes init containers to run at the same time as app containers following a restart of the node. This issue will be fixed in v1.28.2. We do not recommend using K3s v1.28 at this time if your application depends on init containers."]})}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1270",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1275k3s1",children:"Changes since v1.27.5+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update to v1.28.1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8239",children:"(#8239)"})]}),"\n",(0,r.jsxs)(s.li,{children:["CLI Removal for v1.28.0 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8203",children:"(#8203)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Secrets Encryption V3 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8111",children:"(#8111)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add new CLI flag to disable TLS SAN CN filtering ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8252",children:"(#8252)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Added a new ",(0,r.jsx)(s.code,{children:"--tls-san-security"})," option."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8268",children:"(#8268)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,i)=>{i.d(s,{Z:()=>h,a:()=>l});var r=i(7294);const t={},n=r.createContext(t);function l(e){const s=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(n.Provider,{value:s},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/36f34ab4.42c51523.js b/assets/js/36f34ab4.6a6dd1ec.js
similarity index 99%
rename from assets/js/36f34ab4.42c51523.js
rename to assets/js/36f34ab4.6a6dd1ec.js
index 0b4c7db75..7b3844812 100644
--- a/assets/js/36f34ab4.42c51523.js
+++ b/assets/js/36f34ab4.6a6dd1ec.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6155],{7406:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>o,contentTitle:()=>c,default:()=>h,frontMatter:()=>d,metadata:()=>i,toc:()=>a});var n=t(5893),r=t(1151);const d={title:"etcd-snapshot"},c="k3s etcd-snapshot",i={id:"cli/etcd-snapshot",title:"etcd-snapshot",description:"Available as of v1.19.1+k3s1",source:"@site/docs/cli/etcd-snapshot.md",sourceDirName:"cli",slug:"/cli/etcd-snapshot",permalink:"/cli/etcd-snapshot",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/etcd-snapshot.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"etcd-snapshot"},sidebar:"mySidebar",previous:{title:"certificate",permalink:"/cli/certificate"},next:{title:"secrets-encrypt",permalink:"/cli/secrets-encrypt"}},o={},a=[{value:"Creating Snapshots",id:"creating-snapshots",level:4},{value:"Restoring a Cluster from a Snapshot",id:"restoring-a-cluster-from-a-snapshot",level:4},{value:"Options",id:"options",level:4},{value:"S3 Compatible API Support",id:"s3-compatible-api-support",level:4},{value:"Etcd Snapshot and Restore Subcommands",id:"etcd-snapshot-and-restore-subcommands",level:4}];function l(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h4:"h4",header:"header",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,r.a)(),...e.components},{TabItem:t,Tabs:d}=s;return t||p("TabItem",!0),d||p("Tabs",!0),(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(s.header,{children:(0,n.jsx)(s.h1,{id:"k3s-etcd-snapshot",children:"k3s etcd-snapshot"})}),"\n",(0,n.jsx)(s.admonition,{title:"Version Gate",type:"info",children:(0,n.jsxs)(s.p,{children:["Available as of ",(0,n.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.19.1%2Bk3s1",children:"v1.19.1+k3s1"})]})}),"\n",(0,n.jsx)(s.p,{children:"In this section, you'll learn how to create backups of the K3s embedded etcd datastore, and to restore the cluster from backup."}),"\n",(0,n.jsx)(s.h4,{id:"creating-snapshots",children:"Creating Snapshots"}),"\n",(0,n.jsxs)(s.p,{children:["Snapshots are enabled by default, at 00:00 and 12:00 system time, with 5 snapshots retained. To configure the snapshot interval or the number of retained snapshots, refer to the ",(0,n.jsx)(s.a,{href:"#options",children:"options"}),"."]}),"\n",(0,n.jsxs)(s.p,{children:["The snapshot directory defaults to ",(0,n.jsx)(s.code,{children:"${data-dir}/server/db/snapshots"}),". The data-dir value defaults to ",(0,n.jsx)(s.code,{children:"/var/lib/rancher/k3s"})," and can be changed by setting the ",(0,n.jsx)(s.code,{children:"--data-dir"})," flag."]}),"\n",(0,n.jsx)(s.h4,{id:"restoring-a-cluster-from-a-snapshot",children:"Restoring a Cluster from a Snapshot"}),"\n",(0,n.jsxs)(s.p,{children:["When K3s is restored from backup, the old data directory will be moved to ",(0,n.jsx)(s.code,{children:"${data-dir}/server/db/etcd-old/"}),". Then K3s will attempt to restore the snapshot by creating a new data directory, then starting etcd with a new K3s cluster with one etcd member."]}),"\n",(0,n.jsx)(s.p,{children:"To restore the cluster from backup:"}),"\n",(0,n.jsxs)(d,{queryString:"etcdsnap",children:[(0,n.jsxs)(t,{value:"Single Server",children:[(0,n.jsxs)(s.p,{children:["Run K3s with the ",(0,n.jsx)(s.code,{children:"--cluster-reset"})," option, with the ",(0,n.jsx)(s.code,{children:"--cluster-reset-restore-path"})," also given:"]}),(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s server \\\n --cluster-reset \\\n --cluster-reset-restore-path=\n"})}),(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.strong,{children:"Result:"})," A message in the logs says that K3s can be restarted without the flags. Start k3s again and should run successfully and be restored from the specified snapshot."]})]}),(0,n.jsxs)(t,{value:"High Availability",children:[(0,n.jsxs)(s.p,{children:["In this example there are 3 servers, ",(0,n.jsx)(s.code,{children:"S1"}),", ",(0,n.jsx)(s.code,{children:"S2"}),", and ",(0,n.jsx)(s.code,{children:"S3"}),". The snapshot is located on ",(0,n.jsx)(s.code,{children:"S1"}),"."]}),(0,n.jsxs)(s.ol,{children:["\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:["On S1, start K3s with the ",(0,n.jsx)(s.code,{children:"--cluster-reset"})," option, with the ",(0,n.jsx)(s.code,{children:"--cluster-reset-restore-path"})," also given:"]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s server \\\n --cluster-reset \\\n --cluster-reset-restore-path=\n"})}),"\n",(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.strong,{children:"Result:"})," A message in the logs says that K3s can be restarted without the flags."]}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:["On S2 and S3, stop K3s. Then delete the data directory, ",(0,n.jsx)(s.code,{children:"/var/lib/rancher/k3s/server/db/"}),":"]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"systemctl stop k3s\nrm -rf /var/lib/rancher/k3s/server/db/\n"})}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsx)(s.p,{children:"On S1, start K3s again:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"systemctl start k3s\n"})}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsx)(s.p,{children:"On S2 and S3, start K3s again to join the restored cluster:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"systemctl start k3s\n"})}),"\n"]}),"\n"]})]})]}),"\n",(0,n.jsx)(s.h4,{id:"options",children:"Options"}),"\n",(0,n.jsxs)(s.p,{children:["These options can be passed in with the command line, or in the ",(0,n.jsx)(s.a,{href:"/installation/configuration#configuration-file",children:"configuration file,"})," which may be easier to use."]}),"\n",(0,n.jsxs)(s.table,{children:[(0,n.jsx)(s.thead,{children:(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.th,{children:"Options"}),(0,n.jsx)(s.th,{children:"Description"})]})}),(0,n.jsxs)(s.tbody,{children:[(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-disable-snapshots"})}),(0,n.jsx)(s.td,{children:"Disable automatic etcd snapshots"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--etcd-snapshot-schedule-cron"})," value"]}),(0,n.jsxs)(s.td,{children:["Snapshot interval time in cron spec. eg. every 5 hours ",(0,n.jsx)(s.code,{children:"0 */5 * * *"}),"(default: ",(0,n.jsx)(s.code,{children:"0 */12 * * *"}),")"]})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--etcd-snapshot-retention"})," value"]}),(0,n.jsx)(s.td,{children:"Number of snapshots to retain (default: 5)"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--etcd-snapshot-dir"})," value"]}),(0,n.jsxs)(s.td,{children:["Directory to save db snapshots. (Default location: ",(0,n.jsx)(s.code,{children:"${data-dir}/db/snapshots"}),")"]})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--cluster-reset"})}),(0,n.jsxs)(s.td,{children:["Forget all peers and become sole member of a new cluster. This can also be set with the environment variable ",(0,n.jsx)(s.code,{children:"[$K3S_CLUSTER_RESET]"}),"."]})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--cluster-reset-restore-path"})," value"]}),(0,n.jsx)(s.td,{children:"Path to snapshot file to be restored"})]})]})]}),"\n",(0,n.jsx)(s.h4,{id:"s3-compatible-api-support",children:"S3 Compatible API Support"}),"\n",(0,n.jsx)(s.p,{children:"K3s supports writing etcd snapshots to and restoring etcd snapshots from systems with S3-compatible APIs. S3 support is available for both on-demand and scheduled snapshots."}),"\n",(0,n.jsxs)(s.p,{children:["The arguments below have been added to the ",(0,n.jsx)(s.code,{children:"server"})," subcommand. These flags exist for the ",(0,n.jsx)(s.code,{children:"etcd-snapshot"})," subcommand as well however the ",(0,n.jsx)(s.code,{children:"--etcd-s3"})," portion is removed to avoid redundancy."]}),"\n",(0,n.jsxs)(s.table,{children:[(0,n.jsx)(s.thead,{children:(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.th,{children:"Options"}),(0,n.jsx)(s.th,{children:"Description"})]})}),(0,n.jsxs)(s.tbody,{children:[(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3"})}),(0,n.jsx)(s.td,{children:"Enable backup to S3"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-endpoint"})}),(0,n.jsx)(s.td,{children:"S3 endpoint url"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-endpoint-ca"})}),(0,n.jsx)(s.td,{children:"S3 custom CA cert to connect to S3 endpoint"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-skip-ssl-verify"})}),(0,n.jsx)(s.td,{children:"Disables S3 SSL certificate validation"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-access-key"})}),(0,n.jsx)(s.td,{children:"S3 access key"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-secret-key"})}),(0,n.jsx)(s.td,{children:"S3 secret key"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-bucket"})}),(0,n.jsx)(s.td,{children:"S3 bucket name"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-region"})}),(0,n.jsx)(s.td,{children:"S3 region / bucket location (optional). defaults to us-east-1"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-folder"})}),(0,n.jsx)(s.td,{children:"S3 folder"})]})]})]}),"\n",(0,n.jsx)(s.p,{children:"To perform an on-demand etcd snapshot and save it to S3:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot save \\\n --s3 \\\n --s3-bucket= \\\n --s3-access-key= \\\n --s3-secret-key=\n"})}),"\n",(0,n.jsx)(s.p,{children:"To perform an on-demand etcd snapshot restore from S3, first make sure that K3s isn't running. Then run the following commands:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s server \\\n --cluster-init \\\n --cluster-reset \\\n --etcd-s3 \\\n --cluster-reset-restore-path= \\\n --etcd-s3-bucket= \\\n --etcd-s3-access-key= \\\n --etcd-s3-secret-key=\n"})}),"\n",(0,n.jsx)(s.h4,{id:"etcd-snapshot-and-restore-subcommands",children:"Etcd Snapshot and Restore Subcommands"}),"\n",(0,n.jsx)(s.p,{children:"k3s supports a set of subcommands for working with your etcd snapshots."}),"\n",(0,n.jsxs)(s.table,{children:[(0,n.jsx)(s.thead,{children:(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.th,{children:"Subcommand"}),(0,n.jsx)(s.th,{children:"Description"})]})}),(0,n.jsxs)(s.tbody,{children:[(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"delete"}),(0,n.jsx)(s.td,{children:"Delete given snapshot(s)"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"ls, list, l"}),(0,n.jsx)(s.td,{children:"List snapshots"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"prune"}),(0,n.jsx)(s.td,{children:"Remove snapshots that exceed the configured retention count"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"save"}),(0,n.jsx)(s.td,{children:"Trigger an immediate etcd snapshot"})]})]})]}),"\n",(0,n.jsx)(s.admonition,{type:"note",children:(0,n.jsxs)(s.p,{children:["The ",(0,n.jsx)(s.code,{children:"save"})," subcommand is the same as ",(0,n.jsx)(s.code,{children:"k3s etcd-snapshot"}),". The latter will eventually be deprecated in favor of the former."]})}),"\n",(0,n.jsx)(s.p,{children:"These commands will perform as expected whether the etcd snapshots are stored locally or in an S3 compatible object store."}),"\n",(0,n.jsxs)(s.p,{children:["For additional information on the etcd snapshot subcommands, run ",(0,n.jsx)(s.code,{children:"k3s etcd-snapshot"}),"."]}),"\n",(0,n.jsx)(s.p,{children:"Delete a snapshot from S3."}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot delete \\\n --s3 \\\n --s3-bucket= \\\n --s3-access-key= \\\n --s3-secret-key= \\\n \n"})}),"\n",(0,n.jsxs)(s.p,{children:["Prune local snapshots with the default retention policy (5). The ",(0,n.jsx)(s.code,{children:"prune"})," subcommand takes an additional flag ",(0,n.jsx)(s.code,{children:"--snapshot-retention"})," that allows for overriding the default retention policy."]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot prune\n"})}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot prune --snapshot-retention 10\n"})})]})}function h(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,n.jsx)(s,{...e,children:(0,n.jsx)(l,{...e})}):l(e)}function p(e,s){throw new Error("Expected "+(s?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,s,t)=>{t.d(s,{Z:()=>i,a:()=>c});var n=t(7294);const r={},d=n.createContext(r);function c(e){const s=n.useContext(d);return n.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:c(e.components),n.createElement(d.Provider,{value:s},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6155],{7406:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>o,contentTitle:()=>c,default:()=>h,frontMatter:()=>d,metadata:()=>i,toc:()=>a});var n=t(5893),r=t(1151);const d={title:"etcd-snapshot"},c="k3s etcd-snapshot",i={id:"cli/etcd-snapshot",title:"etcd-snapshot",description:"Available as of v1.19.1+k3s1",source:"@site/docs/cli/etcd-snapshot.md",sourceDirName:"cli",slug:"/cli/etcd-snapshot",permalink:"/cli/etcd-snapshot",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/etcd-snapshot.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"etcd-snapshot"},sidebar:"mySidebar",previous:{title:"certificate",permalink:"/cli/certificate"},next:{title:"secrets-encrypt",permalink:"/cli/secrets-encrypt"}},o={},a=[{value:"Creating Snapshots",id:"creating-snapshots",level:4},{value:"Restoring a Cluster from a Snapshot",id:"restoring-a-cluster-from-a-snapshot",level:4},{value:"Options",id:"options",level:4},{value:"S3 Compatible API Support",id:"s3-compatible-api-support",level:4},{value:"Etcd Snapshot and Restore Subcommands",id:"etcd-snapshot-and-restore-subcommands",level:4}];function l(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h4:"h4",header:"header",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,r.a)(),...e.components},{TabItem:t,Tabs:d}=s;return t||p("TabItem",!0),d||p("Tabs",!0),(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(s.header,{children:(0,n.jsx)(s.h1,{id:"k3s-etcd-snapshot",children:"k3s etcd-snapshot"})}),"\n",(0,n.jsx)(s.admonition,{title:"Version Gate",type:"info",children:(0,n.jsxs)(s.p,{children:["Available as of ",(0,n.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.19.1%2Bk3s1",children:"v1.19.1+k3s1"})]})}),"\n",(0,n.jsx)(s.p,{children:"In this section, you'll learn how to create backups of the K3s embedded etcd datastore, and to restore the cluster from backup."}),"\n",(0,n.jsx)(s.h4,{id:"creating-snapshots",children:"Creating Snapshots"}),"\n",(0,n.jsxs)(s.p,{children:["Snapshots are enabled by default, at 00:00 and 12:00 system time, with 5 snapshots retained. To configure the snapshot interval or the number of retained snapshots, refer to the ",(0,n.jsx)(s.a,{href:"#options",children:"options"}),"."]}),"\n",(0,n.jsxs)(s.p,{children:["The snapshot directory defaults to ",(0,n.jsx)(s.code,{children:"${data-dir}/server/db/snapshots"}),". The data-dir value defaults to ",(0,n.jsx)(s.code,{children:"/var/lib/rancher/k3s"})," and can be changed by setting the ",(0,n.jsx)(s.code,{children:"--data-dir"})," flag."]}),"\n",(0,n.jsx)(s.h4,{id:"restoring-a-cluster-from-a-snapshot",children:"Restoring a Cluster from a Snapshot"}),"\n",(0,n.jsxs)(s.p,{children:["When K3s is restored from backup, the old data directory will be moved to ",(0,n.jsx)(s.code,{children:"${data-dir}/server/db/etcd-old/"}),". Then K3s will attempt to restore the snapshot by creating a new data directory, then starting etcd with a new K3s cluster with one etcd member."]}),"\n",(0,n.jsx)(s.p,{children:"To restore the cluster from backup:"}),"\n",(0,n.jsxs)(d,{queryString:"etcdsnap",children:[(0,n.jsxs)(t,{value:"Single Server",children:[(0,n.jsxs)(s.p,{children:["Run K3s with the ",(0,n.jsx)(s.code,{children:"--cluster-reset"})," option, with the ",(0,n.jsx)(s.code,{children:"--cluster-reset-restore-path"})," also given:"]}),(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s server \\\n --cluster-reset \\\n --cluster-reset-restore-path=\n"})}),(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.strong,{children:"Result:"})," A message in the logs says that K3s can be restarted without the flags. Start k3s again and should run successfully and be restored from the specified snapshot."]})]}),(0,n.jsxs)(t,{value:"High Availability",children:[(0,n.jsxs)(s.p,{children:["In this example there are 3 servers, ",(0,n.jsx)(s.code,{children:"S1"}),", ",(0,n.jsx)(s.code,{children:"S2"}),", and ",(0,n.jsx)(s.code,{children:"S3"}),". The snapshot is located on ",(0,n.jsx)(s.code,{children:"S1"}),"."]}),(0,n.jsxs)(s.ol,{children:["\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:["On S1, start K3s with the ",(0,n.jsx)(s.code,{children:"--cluster-reset"})," option, with the ",(0,n.jsx)(s.code,{children:"--cluster-reset-restore-path"})," also given:"]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s server \\\n --cluster-reset \\\n --cluster-reset-restore-path=\n"})}),"\n",(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.strong,{children:"Result:"})," A message in the logs says that K3s can be restarted without the flags."]}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:["On S2 and S3, stop K3s. Then delete the data directory, ",(0,n.jsx)(s.code,{children:"/var/lib/rancher/k3s/server/db/"}),":"]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"systemctl stop k3s\nrm -rf /var/lib/rancher/k3s/server/db/\n"})}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsx)(s.p,{children:"On S1, start K3s again:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"systemctl start k3s\n"})}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsx)(s.p,{children:"On S2 and S3, start K3s again to join the restored cluster:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"systemctl start k3s\n"})}),"\n"]}),"\n"]})]})]}),"\n",(0,n.jsx)(s.h4,{id:"options",children:"Options"}),"\n",(0,n.jsxs)(s.p,{children:["These options can be passed in with the command line, or in the ",(0,n.jsx)(s.a,{href:"/installation/configuration#configuration-file",children:"configuration file,"})," which may be easier to use."]}),"\n",(0,n.jsxs)(s.table,{children:[(0,n.jsx)(s.thead,{children:(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.th,{children:"Options"}),(0,n.jsx)(s.th,{children:"Description"})]})}),(0,n.jsxs)(s.tbody,{children:[(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-disable-snapshots"})}),(0,n.jsx)(s.td,{children:"Disable automatic etcd snapshots"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--etcd-snapshot-schedule-cron"})," value"]}),(0,n.jsxs)(s.td,{children:["Snapshot interval time in cron spec. eg. every 5 hours ",(0,n.jsx)(s.code,{children:"0 */5 * * *"}),"(default: ",(0,n.jsx)(s.code,{children:"0 */12 * * *"}),")"]})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--etcd-snapshot-retention"})," value"]}),(0,n.jsx)(s.td,{children:"Number of snapshots to retain (default: 5)"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--etcd-snapshot-dir"})," value"]}),(0,n.jsxs)(s.td,{children:["Directory to save db snapshots. (Default location: ",(0,n.jsx)(s.code,{children:"${data-dir}/db/snapshots"}),")"]})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--cluster-reset"})}),(0,n.jsxs)(s.td,{children:["Forget all peers and become sole member of a new cluster. This can also be set with the environment variable ",(0,n.jsx)(s.code,{children:"[$K3S_CLUSTER_RESET]"}),"."]})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsxs)(s.td,{children:[(0,n.jsx)(s.code,{children:"--cluster-reset-restore-path"})," value"]}),(0,n.jsx)(s.td,{children:"Path to snapshot file to be restored"})]})]})]}),"\n",(0,n.jsx)(s.h4,{id:"s3-compatible-api-support",children:"S3 Compatible API Support"}),"\n",(0,n.jsx)(s.p,{children:"K3s supports writing etcd snapshots to and restoring etcd snapshots from systems with S3-compatible APIs. S3 support is available for both on-demand and scheduled snapshots."}),"\n",(0,n.jsxs)(s.p,{children:["The arguments below have been added to the ",(0,n.jsx)(s.code,{children:"server"})," subcommand. These flags exist for the ",(0,n.jsx)(s.code,{children:"etcd-snapshot"})," subcommand as well however the ",(0,n.jsx)(s.code,{children:"--etcd-s3"})," portion is removed to avoid redundancy."]}),"\n",(0,n.jsxs)(s.table,{children:[(0,n.jsx)(s.thead,{children:(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.th,{children:"Options"}),(0,n.jsx)(s.th,{children:"Description"})]})}),(0,n.jsxs)(s.tbody,{children:[(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3"})}),(0,n.jsx)(s.td,{children:"Enable backup to S3"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-endpoint"})}),(0,n.jsx)(s.td,{children:"S3 endpoint url"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-endpoint-ca"})}),(0,n.jsx)(s.td,{children:"S3 custom CA cert to connect to S3 endpoint"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-skip-ssl-verify"})}),(0,n.jsx)(s.td,{children:"Disables S3 SSL certificate validation"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-access-key"})}),(0,n.jsx)(s.td,{children:"S3 access key"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-secret-key"})}),(0,n.jsx)(s.td,{children:"S3 secret key"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-bucket"})}),(0,n.jsx)(s.td,{children:"S3 bucket name"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-region"})}),(0,n.jsx)(s.td,{children:"S3 region / bucket location (optional). defaults to us-east-1"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:(0,n.jsx)(s.code,{children:"--etcd-s3-folder"})}),(0,n.jsx)(s.td,{children:"S3 folder"})]})]})]}),"\n",(0,n.jsx)(s.p,{children:"To perform an on-demand etcd snapshot and save it to S3:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot save \\\n --s3 \\\n --s3-bucket= \\\n --s3-access-key= \\\n --s3-secret-key=\n"})}),"\n",(0,n.jsx)(s.p,{children:"To perform an on-demand etcd snapshot restore from S3, first make sure that K3s isn't running. Then run the following commands:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s server \\\n --cluster-init \\\n --cluster-reset \\\n --etcd-s3 \\\n --cluster-reset-restore-path= \\\n --etcd-s3-bucket= \\\n --etcd-s3-access-key= \\\n --etcd-s3-secret-key=\n"})}),"\n",(0,n.jsx)(s.h4,{id:"etcd-snapshot-and-restore-subcommands",children:"Etcd Snapshot and Restore Subcommands"}),"\n",(0,n.jsx)(s.p,{children:"k3s supports a set of subcommands for working with your etcd snapshots."}),"\n",(0,n.jsxs)(s.table,{children:[(0,n.jsx)(s.thead,{children:(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.th,{children:"Subcommand"}),(0,n.jsx)(s.th,{children:"Description"})]})}),(0,n.jsxs)(s.tbody,{children:[(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"delete"}),(0,n.jsx)(s.td,{children:"Delete given snapshot(s)"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"ls, list, l"}),(0,n.jsx)(s.td,{children:"List snapshots"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"prune"}),(0,n.jsx)(s.td,{children:"Remove snapshots that exceed the configured retention count"})]}),(0,n.jsxs)(s.tr,{children:[(0,n.jsx)(s.td,{children:"save"}),(0,n.jsx)(s.td,{children:"Trigger an immediate etcd snapshot"})]})]})]}),"\n",(0,n.jsx)(s.admonition,{type:"note",children:(0,n.jsxs)(s.p,{children:["The ",(0,n.jsx)(s.code,{children:"save"})," subcommand is the same as ",(0,n.jsx)(s.code,{children:"k3s etcd-snapshot"}),". The latter will eventually be deprecated in favor of the former."]})}),"\n",(0,n.jsx)(s.p,{children:"These commands will perform as expected whether the etcd snapshots are stored locally or in an S3 compatible object store."}),"\n",(0,n.jsxs)(s.p,{children:["For additional information on the etcd snapshot subcommands, run ",(0,n.jsx)(s.code,{children:"k3s etcd-snapshot"}),"."]}),"\n",(0,n.jsx)(s.p,{children:"Delete a snapshot from S3."}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot delete \\\n --s3 \\\n --s3-bucket= \\\n --s3-access-key= \\\n --s3-secret-key= \\\n \n"})}),"\n",(0,n.jsxs)(s.p,{children:["Prune local snapshots with the default retention policy (5). The ",(0,n.jsx)(s.code,{children:"prune"})," subcommand takes an additional flag ",(0,n.jsx)(s.code,{children:"--snapshot-retention"})," that allows for overriding the default retention policy."]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot prune\n"})}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"k3s etcd-snapshot prune --snapshot-retention 10\n"})})]})}function h(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,n.jsx)(s,{...e,children:(0,n.jsx)(l,{...e})}):l(e)}function p(e,s){throw new Error("Expected "+(s?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,s,t)=>{t.d(s,{Z:()=>i,a:()=>c});var n=t(7294);const r={},d=n.createContext(r);function c(e){const s=n.useContext(d);return n.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:c(e.components),n.createElement(d.Provider,{value:s},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/395f47e2.a4943a3b.js b/assets/js/395f47e2.ee4b1037.js
similarity index 99%
rename from assets/js/395f47e2.a4943a3b.js
rename to assets/js/395f47e2.ee4b1037.js
index 7256065bb..c50e958f0 100644
--- a/assets/js/395f47e2.a4943a3b.js
+++ b/assets/js/395f47e2.ee4b1037.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6801],{793:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>r,metadata:()=>a,toc:()=>c});var s=t(5893),i=t(1151);const r={title:"Advanced Options / Configuration"},o=void 0,a={id:"advanced",title:"Advanced Options / Configuration",description:"This section contains advanced information describing the different ways you can run and manage K3s, as well as steps necessary to prepare the host OS for K3s use.",source:"@site/docs/advanced.md",sourceDirName:".",slug:"/advanced",permalink:"/advanced",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/advanced.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Advanced Options / Configuration"},sidebar:"mySidebar",previous:{title:"Helm",permalink:"/helm"},next:{title:"Environment Variables",permalink:"/reference/env-variables"}},l={},c=[{value:"Certificate Management",id:"certificate-management",level:2},{value:"Certificate Authority Certificates",id:"certificate-authority-certificates",level:3},{value:"Client and Server certificates",id:"client-and-server-certificates",level:3},{value:"Token Management",id:"token-management",level:2},{value:"Configuring an HTTP proxy",id:"configuring-an-http-proxy",level:2},{value:"Using Docker as the Container Runtime",id:"using-docker-as-the-container-runtime",level:2},{value:"Using etcdctl",id:"using-etcdctl",level:2},{value:"Configuring containerd",id:"configuring-containerd",level:2},{value:"Base template",id:"base-template",level:3},{value:"NVIDIA Container Runtime Support",id:"nvidia-container-runtime-support",level:2},{value:"Running Agentless Servers (Experimental)",id:"running-agentless-servers-experimental",level:2},{value:"Running Rootless Servers (Experimental)",id:"running-rootless-servers-experimental",level:2},{value:"Known Issues with Rootless mode",id:"known-issues-with-rootless-mode",level:3},{value:"Starting Rootless Servers",id:"starting-rootless-servers",level:3},{value:"Advanced Rootless Configuration",id:"advanced-rootless-configuration",level:3},{value:"Troubleshooting Rootless",id:"troubleshooting-rootless",level:3},{value:"Node Labels and Taints",id:"node-labels-and-taints",level:2},{value:"Starting the Service with the Installation Script",id:"starting-the-service-with-the-installation-script",level:2},{value:"Running K3s in Docker",id:"running-k3s-in-docker",level:2},{value:"SELinux Support",id:"selinux-support",level:2},{value:"Enabling SELinux Enforcement",id:"enabling-selinux-enforcement",level:3},{value:"Enabling Lazy Pulling of eStargz (Experimental)",id:"enabling-lazy-pulling-of-estargz-experimental",level:2},{value:"What's lazy pulling and eStargz?",id:"whats-lazy-pulling-and-estargz",level:3},{value:"Configure k3s for lazy pulling of eStargz",id:"configure-k3s-for-lazy-pulling-of-estargz",level:3},{value:"Additional Logging Sources",id:"additional-logging-sources",level:2},{value:"Additional Network Policy Logging",id:"additional-network-policy-logging",level:2}];function d(e){const n={a:"a",admonition:"admonition",blockquote:"blockquote",br:"br",code:"code",em:"em",h2:"h2",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,i.a)(),...e.components},{TabItem:t,Tabs:r}=n;return t||u("TabItem",!0),r||u("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"This section contains advanced information describing the different ways you can run and manage K3s, as well as steps necessary to prepare the host OS for K3s use."}),"\n",(0,s.jsx)(n.h2,{id:"certificate-management",children:"Certificate Management"}),"\n",(0,s.jsx)(n.h3,{id:"certificate-authority-certificates",children:"Certificate Authority Certificates"}),"\n",(0,s.jsx)(n.p,{children:"K3s generates self-signed Certificate Authority (CA) Certificates during startup of the first server node. These CA certificates are valid for 10 years, and are not automatically renewed."}),"\n",(0,s.jsxs)(n.p,{children:["For information on using custom CA certificates, or renewing the self-signed CA certificates, see the ",(0,s.jsxs)(n.a,{href:"/cli/certificate#certificate-authority-ca-certificates",children:[(0,s.jsx)(n.code,{children:"k3s certificate rotate-ca"})," command documentation"]}),"."]}),"\n",(0,s.jsx)(n.h3,{id:"client-and-server-certificates",children:"Client and Server certificates"}),"\n",(0,s.jsx)(n.p,{children:"K3s client and server certificates are valid for 365 days from their date of issuance. Any certificates that are expired, or within 90 days of expiring, are automatically renewed every time K3s starts."}),"\n",(0,s.jsxs)(n.p,{children:["For information on manually rotating client and server certificates, see the ",(0,s.jsxs)(n.a,{href:"/cli/certificate#client-and-server-certificates",children:[(0,s.jsx)(n.code,{children:"k3s certificate rotate"})," command documentation"]}),"."]}),"\n",(0,s.jsx)(n.h2,{id:"token-management",children:"Token Management"}),"\n",(0,s.jsxs)(n.p,{children:["By default, K3s uses a single static token for both servers and agents. This token cannot be changed once the cluster has been created.\nIt is possible to enable a second static token that can only be used to join agents, or to create temporary ",(0,s.jsx)(n.code,{children:"kubeadm"})," style join tokens that expire automatically.\nFor more information, see the ",(0,s.jsxs)(n.a,{href:"/cli/token",children:[(0,s.jsx)(n.code,{children:"k3s token"})," command documentation"]}),"."]}),"\n",(0,s.jsx)(n.h2,{id:"configuring-an-http-proxy",children:"Configuring an HTTP proxy"}),"\n",(0,s.jsx)(n.p,{children:"If you are running K3s in an environment, which only has external connectivity through an HTTP proxy, you can configure your proxy settings on the K3s systemd service. These proxy settings will then be used in K3s and passed down to the embedded containerd and kubelet."}),"\n",(0,s.jsxs)(n.p,{children:["The K3s installation script will automatically take the ",(0,s.jsx)(n.code,{children:"HTTP_PROXY"}),", ",(0,s.jsx)(n.code,{children:"HTTPS_PROXY"})," and ",(0,s.jsx)(n.code,{children:"NO_PROXY"}),", as well as the ",(0,s.jsx)(n.code,{children:"CONTAINERD_HTTP_PROXY"}),", ",(0,s.jsx)(n.code,{children:"CONTAINERD_HTTPS_PROXY"})," and ",(0,s.jsx)(n.code,{children:"CONTAINERD_NO_PROXY"})," variables from the current shell, if they are present, and write them to the environment file of your systemd service, usually:"]}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:(0,s.jsx)(n.code,{children:"/etc/systemd/system/k3s.service.env"})}),"\n",(0,s.jsx)(n.li,{children:(0,s.jsx)(n.code,{children:"/etc/systemd/system/k3s-agent.service.env"})}),"\n"]}),"\n",(0,s.jsx)(n.p,{children:"Of course, you can also configure the proxy by editing these files."}),"\n",(0,s.jsxs)(n.p,{children:["K3s will automatically add the cluster internal Pod and Service IP ranges and cluster DNS domain to the list of ",(0,s.jsx)(n.code,{children:"NO_PROXY"})," entries. You should ensure that the IP address ranges used by the Kubernetes nodes themselves (i.e. the public and private IPs of the nodes) are included in the ",(0,s.jsx)(n.code,{children:"NO_PROXY"})," list, or that the nodes can be reached through the proxy."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"HTTP_PROXY=http://your-proxy.example.com:8888\nHTTPS_PROXY=http://your-proxy.example.com:8888\nNO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\n"})}),"\n",(0,s.jsxs)(n.p,{children:["If you want to configure the proxy settings for containerd without affecting K3s and the Kubelet, you can prefix the variables with ",(0,s.jsx)(n.code,{children:"CONTAINERD_"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"CONTAINERD_HTTP_PROXY=http://your-proxy.example.com:8888\nCONTAINERD_HTTPS_PROXY=http://your-proxy.example.com:8888\nCONTAINERD_NO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\n"})}),"\n",(0,s.jsx)(n.h2,{id:"using-docker-as-the-container-runtime",children:"Using Docker as the Container Runtime"}),"\n",(0,s.jsxs)(n.p,{children:["K3s includes and defaults to ",(0,s.jsx)(n.a,{href:"https://containerd.io/",children:"containerd"}),", an industry-standard container runtime.\nAs of Kubernetes 1.24, the Kubelet no longer includes dockershim, the component that allows the kubelet to communicate with dockerd.\nK3s 1.24 and higher include ",(0,s.jsx)(n.a,{href:"https://github.com/Mirantis/cri-dockerd",children:"cri-dockerd"}),", which allows seamless upgrade from prior releases of K3s while continuing to use the Docker container runtime."]}),"\n",(0,s.jsx)(n.p,{children:"To use Docker instead of containerd:"}),"\n",(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Install Docker on the K3s node. One of Rancher's ",(0,s.jsx)(n.a,{href:"https://github.com/rancher/install-docker",children:"Docker installation scripts"})," can be used to install Docker:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl https://releases.rancher.com/install-docker/20.10.sh | sh\n"})}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Install K3s using the ",(0,s.jsx)(n.code,{children:"--docker"})," option:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | sh -s - --docker\n"})}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsx)(n.p,{children:"Confirm that the cluster is available:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"$ sudo k3s kubectl get pods --all-namespaces\nNAMESPACE NAME READY STATUS RESTARTS AGE\nkube-system local-path-provisioner-6d59f47c7-lncxn 1/1 Running 0 51s\nkube-system metrics-server-7566d596c8-9tnck 1/1 Running 0 51s\nkube-system helm-install-traefik-mbkn9 0/1 Completed 1 51s\nkube-system coredns-8655855d6-rtbnb 1/1 Running 0 51s\nkube-system svclb-traefik-jbmvl 2/2 Running 0 43s\nkube-system traefik-758cd5fc85-2wz97 1/1 Running 0 43s\n"})}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsx)(n.p,{children:"Confirm that the Docker containers are running:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'$ sudo docker ps\nCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES\n3e4d34729602 897ce3c5fc8f "entry" About a minute ago Up About a minute k8s_lb-port-443_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0\nbffdc9d7a65f rancher/klipper-lb "entry" About a minute ago Up About a minute k8s_lb-port-80_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0\n436b85c5e38d rancher/library-traefik "/traefik --configfi\u2026" About a minute ago Up About a minute k8s_traefik_traefik-758cd5fc85-2wz97_kube-system_07abe831-ffd6-4206-bfa1-7c9ca4fb39e7_0\nde8fded06188 rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0\n7c6a30aeeb2f rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_traefik-758cd5fc85-2wz97_kube-system_07abe831-ffd6-4206-bfa1-7c9ca4fb39e7_0\nae6c58cab4a7 9d12f9848b99 "local-path-provisio\u2026" About a minute ago Up About a minute k8s_local-path-provisioner_local-path-provisioner-6d59f47c7-lncxn_kube-system_2dbd22bf-6ad9-4bea-a73d-620c90a6c1c1_0\nbe1450e1a11e 9dd718864ce6 "/metrics-server" About a minute ago Up About a minute k8s_metrics-server_metrics-server-7566d596c8-9tnck_kube-system_031e74b5-e9ef-47ef-a88d-fbf3f726cbc6_0\n4454d14e4d3f c4d3d16fe508 "/coredns -conf /etc\u2026" About a minute ago Up About a minute k8s_coredns_coredns-8655855d6-rtbnb_kube-system_d05725df-4fb1-410a-8e82-2b1c8278a6a1_0\nc3675b87f96c rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_coredns-8655855d6-rtbnb_kube-system_d05725df-4fb1-410a-8e82-2b1c8278a6a1_0\n4b1fddbe6ca6 rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_local-path-provisioner-6d59f47c7-lncxn_kube-system_2dbd22bf-6ad9-4bea-a73d-620c90a6c1c1_0\n64d3517d4a95 rancher/pause:3.1 "/pause"\n'})}),"\n"]}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"using-etcdctl",children:"Using etcdctl"}),"\n",(0,s.jsx)(n.p,{children:"etcdctl provides a CLI for interacting with etcd servers. K3s does not bundle etcdctl."}),"\n",(0,s.jsxs)(n.p,{children:["If you would like to use etcdctl to interact with K3s's embedded etcd, install etcdctl using the ",(0,s.jsx)(n.a,{href:"https://etcd.io/docs/latest/install/",children:"official documentation"}),"."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'ETCD_VERSION="v3.5.5"\nETCD_URL="https://github.com/etcd-io/etcd/releases/download/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-amd64.tar.gz"\ncurl -sL ${ETCD_URL} | sudo tar -zxv --strip-components=1 -C /usr/local/bin\n'})}),"\n",(0,s.jsx)(n.p,{children:"You may then use etcdctl by configuring it to use the K3s-managed certificates and keys for authentication:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"sudo etcdctl version \\\n --cacert=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt \\\n --cert=/var/lib/rancher/k3s/server/tls/etcd/client.crt \\\n --key=/var/lib/rancher/k3s/server/tls/etcd/client.key\n"})}),"\n",(0,s.jsx)(n.h2,{id:"configuring-containerd",children:"Configuring containerd"}),"\n",(0,s.jsxs)(n.p,{children:["K3s will generate config.toml for containerd in ",(0,s.jsx)(n.code,{children:"/var/lib/rancher/k3s/agent/etc/containerd/config.toml"}),"."]}),"\n",(0,s.jsxs)(n.p,{children:["For advanced customization for this file you can create another file called ",(0,s.jsx)(n.code,{children:"config.toml.tmpl"})," in the same directory, and it will be used instead."]}),"\n",(0,s.jsxs)(n.p,{children:["The ",(0,s.jsx)(n.code,{children:"config.toml.tmpl"})," will be treated as a Go template file, and the ",(0,s.jsx)(n.code,{children:"config.Node"})," structure is being passed to the template. See ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/blob/master/pkg/agent/templates",children:"this folder"})," for Linux and Windows examples on how to use the structure to customize the configuration file.\nThe config.Node golang struct is defined ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/blob/master/pkg/daemons/config/types.go#L37",children:"here"})]}),"\n",(0,s.jsx)(n.h3,{id:"base-template",children:"Base template"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsx)(n.p,{children:"Available as of September 2023 releases: v1.24.17+k3s1, v1.25.13+k3s1, v1.26.8+k3s1, v1.27.5+k3s1, v1.28.1+k3s1"})}),"\n",(0,s.jsx)(n.p,{children:"You can extend the K3s base template instead of copy-pasting the complete stock template out of the K3s source code. This is useful if you need to build on the existing configuration, and add a few extra lines at the end."}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-toml",children:'#/var/lib/rancher/k3s/agent/etc/containerd/config.toml.tmpl\n\n{{ template "base" . }}\n\n[plugins."io.containerd.grpc.v1.cri".containerd.runtimes."custom"]\n runtime_type = "io.containerd.runc.v2"\n[plugins."io.containerd.grpc.v1.cri".containerd.runtimes."custom".options]\n BinaryName = "/usr/bin/custom-container-runtime"\n\n'})}),"\n",(0,s.jsx)(n.h2,{id:"nvidia-container-runtime-support",children:"NVIDIA Container Runtime Support"}),"\n",(0,s.jsx)(n.p,{children:"K3s will automatically detect and configure the NVIDIA container runtime if it is present when K3s starts."}),"\n",(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsxs)(n.li,{children:["Install the nvidia-container package repository on the node by following the instructions at:\n",(0,s.jsx)(n.a,{href:"https://nvidia.github.io/libnvidia-container/",children:"https://nvidia.github.io/libnvidia-container/"})]}),"\n",(0,s.jsxs)(n.li,{children:["Install the nvidia container runtime packages. For example:\n",(0,s.jsx)(n.code,{children:"apt install -y nvidia-container-runtime cuda-drivers-fabricmanager-515 nvidia-headless-515-server"})]}),"\n",(0,s.jsxs)(n.li,{children:["Install K3s, or restart it if already installed:\n",(0,s.jsx)(n.code,{children:"curl -ksL get.k3s.io | sh -"})]}),"\n",(0,s.jsxs)(n.li,{children:["Confirm that the nvidia container runtime has been found by k3s:\n",(0,s.jsx)(n.code,{children:"grep nvidia /var/lib/rancher/k3s/agent/etc/containerd/config.toml"})]}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["This will automatically add ",(0,s.jsx)(n.code,{children:"nvidia"})," and/or ",(0,s.jsx)(n.code,{children:"nvidia-experimental"})," runtimes to the containerd configuration, depending on what runtime executables are found.\nYou must still add a RuntimeClass definition to your cluster, and deploy Pods that explicitly request the appropriate runtime by setting ",(0,s.jsx)(n.code,{children:"runtimeClassName: nvidia"})," in the Pod spec:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'apiVersion: node.k8s.io/v1\nkind: RuntimeClass\nmetadata:\n name: nvidia\nhandler: nvidia\n---\napiVersion: v1\nkind: Pod\nmetadata:\n name: nbody-gpu-benchmark\n namespace: default\nspec:\n restartPolicy: OnFailure\n runtimeClassName: nvidia\n containers:\n - name: cuda-container\n image: nvcr.io/nvidia/k8s/cuda-sample:nbody\n args: ["nbody", "-gpu", "-benchmark"]\n resources:\n limits:\n nvidia.com/gpu: 1\n env:\n - name: NVIDIA_VISIBLE_DEVICES\n value: all\n - name: NVIDIA_DRIVER_CAPABILITIES\n value: all\n'})}),"\n",(0,s.jsxs)(n.p,{children:["Note that the NVIDIA Container Runtime is also frequently used with ",(0,s.jsx)(n.a,{href:"https://github.com/NVIDIA/k8s-device-plugin/",children:"NVIDIA Device Plugin"}),", with modifications to ensure that pod specs include ",(0,s.jsx)(n.code,{children:"runtimeClassName: nvidia"}),", as mentioned above."]}),"\n",(0,s.jsx)(n.h2,{id:"running-agentless-servers-experimental",children:"Running Agentless Servers (Experimental)"}),"\n",(0,s.jsxs)(n.blockquote,{children:["\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.strong,{children:"Warning:"})," This feature is experimental."]}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["When started with the ",(0,s.jsx)(n.code,{children:"--disable-agent"})," flag, servers do not run the kubelet, container runtime, or CNI. They do not register a Node resource in the cluster, and will not appear in ",(0,s.jsx)(n.code,{children:"kubectl get nodes"})," output.\nBecause they do not host a kubelet, they cannot run pods or be managed by operators that rely on enumerating cluster nodes, including the embedded etcd controller and the system upgrade controller."]}),"\n",(0,s.jsx)(n.p,{children:"Running agentless servers may be advantageous if you want to obscure your control-plane nodes from discovery by agents and workloads, at the cost of increased administrative overhead caused by lack of cluster operator support."}),"\n",(0,s.jsxs)(n.p,{children:["By default, the apiserver on agentless servers will not be able to make outgoing connections to admission webhooks or aggregated apiservices running within the cluster. To remedy this, set the ",(0,s.jsx)(n.code,{children:"--egress-selector-mode"})," server flag to either ",(0,s.jsx)(n.code,{children:"pod"})," or ",(0,s.jsx)(n.code,{children:"cluster"}),". If you are changing this flag on an existing cluster, you'll need to restart all nodes in the cluster for the option to take effect."]}),"\n",(0,s.jsx)(n.h2,{id:"running-rootless-servers-experimental",children:"Running Rootless Servers (Experimental)"}),"\n",(0,s.jsxs)(n.blockquote,{children:["\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.strong,{children:"Warning:"})," This feature is experimental."]}),"\n"]}),"\n",(0,s.jsx)(n.p,{children:"Rootless mode allows running K3s servers as an unprivileged user, so as to protect the real root on the host from potential container-breakout attacks."}),"\n",(0,s.jsxs)(n.p,{children:["See ",(0,s.jsx)(n.a,{href:"https://rootlesscontaine.rs/",children:"https://rootlesscontaine.rs/"})," to learn more about Rootless Kubernetes."]}),"\n",(0,s.jsx)(n.h3,{id:"known-issues-with-rootless-mode",children:"Known Issues with Rootless mode"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsx)(n.p,{children:(0,s.jsx)(n.strong,{children:"Ports"})}),"\n",(0,s.jsx)(n.p,{children:"When running rootless a new network namespace is created. This means that K3s instance is running with networking fairly detached from the host.\nThe only way to access Services run in K3s from the host is to set up port forwards to the K3s network namespace.\nRootless K3s includes controller that will automatically bind 6443 and service ports below 1024 to the host with an offset of 10000."}),"\n",(0,s.jsx)(n.p,{children:"For example, a Service on port 80 will become 10080 on the host, but 8080 will become 8080 without any offset. Currently, only LoadBalancer Services are automatically bound."}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsx)(n.p,{children:(0,s.jsx)(n.strong,{children:"Cgroups"})}),"\n",(0,s.jsx)(n.p,{children:'Cgroup v1 and Hybrid v1/v2 are not supported; only pure Cgroup v2 is supported. If K3s fails to start due to missing cgroups when running rootless, it is likely that your node is in Hybrid mode, and the "missing" cgroups are still bound to a v1 controller.'}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsx)(n.p,{children:(0,s.jsx)(n.strong,{children:"Multi-node/multi-process cluster"})}),"\n",(0,s.jsxs)(n.p,{children:["Multi-node rootless clusters, or multiple rootless k3s processes on the same node, are not currently supported. See ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/issues/6488#issuecomment-1314998091",children:"#6488"})," for more details."]}),"\n"]}),"\n"]}),"\n",(0,s.jsx)(n.h3,{id:"starting-rootless-servers",children:"Starting Rootless Servers"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Enable cgroup v2 delegation, see ",(0,s.jsx)(n.a,{href:"https://rootlesscontaine.rs/getting-started/common/cgroup2/",children:"https://rootlesscontaine.rs/getting-started/common/cgroup2/"})," .\nThis step is required; the rootless kubelet will fail to start without the proper cgroups delegated."]}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Download ",(0,s.jsx)(n.code,{children:"k3s-rootless.service"})," from ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/blob/master/k3s-rootless.service",children:(0,s.jsx)(n.code,{children:"https://github.com/k3s-io/k3s/blob//k3s-rootless.service"})}),".\nMake sure to use the same version of ",(0,s.jsx)(n.code,{children:"k3s-rootless.service"})," and ",(0,s.jsx)(n.code,{children:"k3s"}),"."]}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Install ",(0,s.jsx)(n.code,{children:"k3s-rootless.service"})," to ",(0,s.jsx)(n.code,{children:"~/.config/systemd/user/k3s-rootless.service"}),".\nInstalling this file as a system-wide service (",(0,s.jsx)(n.code,{children:"/etc/systemd/..."}),") is not supported.\nDepending on the path of ",(0,s.jsx)(n.code,{children:"k3s"})," binary, you might need to modify the ",(0,s.jsx)(n.code,{children:"ExecStart=/usr/local/bin/k3s ..."})," line of the file."]}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Run ",(0,s.jsx)(n.code,{children:"systemctl --user daemon-reload"})]}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Run ",(0,s.jsx)(n.code,{children:"systemctl --user enable --now k3s-rootless"})]}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Run ",(0,s.jsx)(n.code,{children:"KUBECONFIG=~/.kube/k3s.yaml kubectl get pods -A"}),", and make sure the pods are running."]}),"\n"]}),"\n"]}),"\n",(0,s.jsxs)(n.blockquote,{children:["\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.strong,{children:"Note:"})," Don't try to run ",(0,s.jsx)(n.code,{children:"k3s server --rootless"})," on a terminal, as terminal sessions do not allow cgroup v2 delegation.\nIf you really need to try it on a terminal, use ",(0,s.jsx)(n.code,{children:"systemd-run --user -p Delegate=yes --tty k3s server --rootless"})," to wrap it in a systemd scope."]}),"\n"]}),"\n",(0,s.jsx)(n.h3,{id:"advanced-rootless-configuration",children:"Advanced Rootless Configuration"}),"\n",(0,s.jsxs)(n.p,{children:["Rootless K3s uses ",(0,s.jsx)(n.a,{href:"https://github.com/rootless-containers/rootlesskit",children:"rootlesskit"})," and ",(0,s.jsx)(n.a,{href:"https://github.com/rootless-containers/slirp4netns",children:"slirp4netns"})," to communicate between host and user network namespaces.\nSome of the configuration used by rootlesskit and slirp4nets can be set by environment variables. The best way to set these is to add them to the ",(0,s.jsx)(n.code,{children:"Environment"})," field of the k3s-rootless systemd unit."]}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"Variable"}),(0,s.jsx)(n.th,{children:"Default"}),(0,s.jsx)(n.th,{children:"Description"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"K3S_ROOTLESS_MTU"})}),(0,s.jsx)(n.td,{children:"1500"}),(0,s.jsx)(n.td,{children:"Sets the MTU for the slirp4netns virtual interfaces."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"K3S_ROOTLESS_CIDR"})}),(0,s.jsx)(n.td,{children:"10.41.0.0/16"}),(0,s.jsx)(n.td,{children:"Sets the CIDR used by slirp4netns virtual interfaces."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"K3S_ROOTLESS_ENABLE_IPV6"})}),(0,s.jsx)(n.td,{children:"autotedected"}),(0,s.jsx)(n.td,{children:"Enables slirp4netns IPv6 support. If not specified, it is automatically enabled if K3s is configured for dual-stack operation."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"K3S_ROOTLESS_PORT_DRIVER"})}),(0,s.jsx)(n.td,{children:"builtin"}),(0,s.jsxs)(n.td,{children:["Selects the rootless port driver; either ",(0,s.jsx)(n.code,{children:"builtin"})," or ",(0,s.jsx)(n.code,{children:"slirp4netns"}),". Builtin is faster, but masquerades the original source address of inbound packets."]})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"K3S_ROOTLESS_DISABLE_HOST_LOOPBACK"})}),(0,s.jsx)(n.td,{children:"true"}),(0,s.jsx)(n.td,{children:"Controls whether or not access to the hosts's loopback address via the gateway interface is enabled. It is recommended that this not be changed, for security reasons."})]})]})]}),"\n",(0,s.jsx)(n.h3,{id:"troubleshooting-rootless",children:"Troubleshooting Rootless"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["Run ",(0,s.jsx)(n.code,{children:"systemctl --user status k3s-rootless"})," to check the daemon status"]}),"\n",(0,s.jsxs)(n.li,{children:["Run ",(0,s.jsx)(n.code,{children:"journalctl --user -f -u k3s-rootless"})," to see the daemon log"]}),"\n",(0,s.jsxs)(n.li,{children:["See also ",(0,s.jsx)(n.a,{href:"https://rootlesscontaine.rs/",children:"https://rootlesscontaine.rs/"})]}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"node-labels-and-taints",children:"Node Labels and Taints"}),"\n",(0,s.jsxs)(n.p,{children:["K3s agents can be configured with the options ",(0,s.jsx)(n.code,{children:"--node-label"})," and ",(0,s.jsx)(n.code,{children:"--node-taint"})," which adds a label and taint to the kubelet. The two options only add labels and/or taints ",(0,s.jsx)(n.a,{href:"/cli/agent#node-labels-and-taints-for-agents",children:"at registration time"}),", so they can only be set when the node is first joined to the cluster."]}),"\n",(0,s.jsxs)(n.p,{children:["All current versions of Kubernetes restrict nodes from registering with most labels with ",(0,s.jsx)(n.code,{children:"kubernetes.io"})," and ",(0,s.jsx)(n.code,{children:"k8s.io"})," prefixes, specifically including the ",(0,s.jsx)(n.code,{children:"kubernetes.io/role"})," label. If you attempt to start a node with a disallowed label, K3s will fail to start. As stated by the Kubernetes authors:"]}),"\n",(0,s.jsxs)(n.blockquote,{children:["\n",(0,s.jsx)(n.p,{children:"Nodes are not permitted to assert their own role labels. Node roles are typically used to identify privileged or control plane types of nodes, and allowing nodes to label themselves into that pool allows a compromised node to trivially attract workloads (like control plane daemonsets) that confer access to higher privilege credentials."}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["See ",(0,s.jsx)(n.a,{href:"https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/279-limit-node-access/README.md#proposal",children:"SIG-Auth KEP 279"})," for more information."]}),"\n",(0,s.jsxs)(n.p,{children:["If you want to change node labels and taints after node registration, or add reserved labels, you should use ",(0,s.jsx)(n.code,{children:"kubectl"}),". Refer to the official Kubernetes documentation for details on how to add ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/",children:"taints"})," and ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/#add-a-label-to-a-node",children:"node labels."})]}),"\n",(0,s.jsx)(n.h2,{id:"starting-the-service-with-the-installation-script",children:"Starting the Service with the Installation Script"}),"\n",(0,s.jsx)(n.p,{children:"The installation script will auto-detect if your OS is using systemd or openrc and enable and start the service as part of the installation process."}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["When running with openrc, logs will be created at ",(0,s.jsx)(n.code,{children:"/var/log/k3s.log"}),"."]}),"\n",(0,s.jsxs)(n.li,{children:["When running with systemd, logs will be created in ",(0,s.jsx)(n.code,{children:"/var/log/syslog"})," and viewed using ",(0,s.jsx)(n.code,{children:"journalctl -u k3s"})," (or ",(0,s.jsx)(n.code,{children:"journalctl -u k3s-agent"})," on agents)."]}),"\n"]}),"\n",(0,s.jsx)(n.p,{children:"An example of disabling auto-starting and service enablement with the install script:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_SKIP_ENABLE=true sh -\n"})}),"\n",(0,s.jsx)(n.h2,{id:"running-k3s-in-docker",children:"Running K3s in Docker"}),"\n",(0,s.jsx)(n.p,{children:"There are several ways to run K3s in Docker:"}),"\n",(0,s.jsxs)(r,{children:[(0,s.jsxs)(t,{value:"K3d",default:!0,children:[(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/k3d-io/k3d",children:"k3d"})," is a utility designed to easily run multi-node K3s clusters in Docker."]}),(0,s.jsx)(n.p,{children:"k3d makes it very easy to create single- and multi-node k3s clusters in docker, e.g. for local development on Kubernetes."}),(0,s.jsxs)(n.p,{children:["See the ",(0,s.jsx)(n.a,{href:"https://k3d.io/#installation",children:"Installation"})," documentation for more information on how to install and use k3d."]})]}),(0,s.jsxs)(t,{value:"Docker",children:[(0,s.jsxs)(n.p,{children:["To use Docker, ",(0,s.jsx)(n.code,{children:"rancher/k3s"})," images are also available to run the K3s server and agent.\nUsing the ",(0,s.jsx)(n.code,{children:"docker run"})," command:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"sudo docker run \\\n --privileged \\\n --name k3s-server-1 \\\n --hostname k3s-server-1 \\\n -p 6443:6443 \\\n -d rancher/k3s:v1.24.10-k3s1 \\\n server\n"})}),(0,s.jsx)(n.admonition,{type:"note",children:(0,s.jsxs)(n.p,{children:["You must specify a valid K3s version as the tag; the ",(0,s.jsx)(n.code,{children:"latest"})," tag is not maintained.",(0,s.jsx)(n.br,{}),"\n","Docker images do not allow a ",(0,s.jsx)(n.code,{children:"+"})," sign in tags, use a ",(0,s.jsx)(n.code,{children:"-"})," in the tag instead."]})}),(0,s.jsx)(n.p,{children:"Once K3s is up and running, you can copy the admin kubeconfig out of the Docker container for use:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"sudo docker cp k3s-server-1:/etc/rancher/k3s/k3s.yaml ~/.kube/config\n"})})]})]}),"\n",(0,s.jsx)(n.h2,{id:"selinux-support",children:"SELinux Support"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsx)(n.p,{children:"Available as of v1.19.4+k3s1"})}),"\n",(0,s.jsx)(n.p,{children:"If you are installing K3s on a system where SELinux is enabled by default (such as CentOS), you must ensure the proper SELinux policies have been installed."}),"\n",(0,s.jsxs)(r,{children:[(0,s.jsx)(t,{value:"Automatic Installation",default:!0,children:(0,s.jsxs)(n.p,{children:["The ",(0,s.jsx)(n.a,{href:"/installation/configuration#configuration-with-install-script",children:"install script"})," will automatically install the SELinux RPM from the Rancher RPM repository if on a compatible system if not performing an air-gapped install. Automatic installation can be skipped by setting ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_SKIP_SELINUX_RPM=true"}),"."]})}),(0,s.jsxs)(t,{value:"Manual Installation",default:!0,children:[(0,s.jsx)(n.p,{children:"The necessary policies can be installed with the following commands:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"yum install -y container-selinux selinux-policy-base\nyum install -y https://rpm.rancher.io/k3s/latest/common/centos/7/noarch/k3s-selinux-1.4-1.el7.noarch.rpm\n"})}),(0,s.jsxs)(n.p,{children:["To force the install script to log a warning rather than fail, you can set the following environment variable: ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_SELINUX_WARN=true"}),"."]})]})]}),"\n",(0,s.jsx)(n.h3,{id:"enabling-selinux-enforcement",children:"Enabling SELinux Enforcement"}),"\n",(0,s.jsxs)(n.p,{children:["To leverage SELinux, specify the ",(0,s.jsx)(n.code,{children:"--selinux"})," flag when starting K3s servers and agents."]}),"\n",(0,s.jsxs)(n.p,{children:["This option can also be specified in the K3s ",(0,s.jsx)(n.a,{href:"/installation/configuration#configuration-file",children:"configuration file"}),"."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"selinux: true\n"})}),"\n",(0,s.jsxs)(n.p,{children:["Using a custom ",(0,s.jsx)(n.code,{children:"--data-dir"})," under SELinux is not supported. To customize it, you would most likely need to write your own custom policy. For guidance, you could refer to the ",(0,s.jsx)(n.a,{href:"https://github.com/containers/container-selinux",children:"containers/container-selinux"})," repository, which contains the SELinux policy files for Container Runtimes, and the ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-selinux",children:"k3s-io/k3s-selinux"})," repository, which contains the SELinux policy for K3s."]}),"\n",(0,s.jsx)(n.h2,{id:"enabling-lazy-pulling-of-estargz-experimental",children:"Enabling Lazy Pulling of eStargz (Experimental)"}),"\n",(0,s.jsx)(n.h3,{id:"whats-lazy-pulling-and-estargz",children:"What's lazy pulling and eStargz?"}),"\n",(0,s.jsxs)(n.p,{children:["Pulling images is known as one of the time-consuming steps in the container lifecycle.\nAccording to ",(0,s.jsx)(n.a,{href:"https://www.usenix.org/conference/fast16/technical-sessions/presentation/harter",children:"Harter, et al."}),","]}),"\n",(0,s.jsxs)(n.blockquote,{children:["\n",(0,s.jsx)(n.p,{children:"pulling packages accounts for 76% of container start time, but only 6.4% of that data is read"}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["To address this issue, k3s experimentally supports ",(0,s.jsx)(n.em,{children:"lazy pulling"})," of image contents.\nThis allows k3s to start a container before the entire image has been pulled.\nInstead, the necessary chunks of contents (e.g. individual files) are fetched on-demand.\nEspecially for large images, this technique can shorten the container startup latency."]}),"\n",(0,s.jsxs)(n.p,{children:["To enable lazy pulling, the target image needs to be formatted as ",(0,s.jsx)(n.a,{href:"https://github.com/containerd/stargz-snapshotter/blob/main/docs/stargz-estargz.md",children:(0,s.jsx)(n.em,{children:"eStargz"})}),".\nThis is an OCI-alternative but 100% OCI-compatible image format for lazy pulling.\nBecause of the compatibility, eStargz can be pushed to standard container registries (e.g. ghcr.io) as well as this is ",(0,s.jsx)(n.em,{children:"still runnable"})," even on eStargz-agnostic runtimes."]}),"\n",(0,s.jsxs)(n.p,{children:["eStargz is developed based on the ",(0,s.jsx)(n.a,{href:"https://github.com/google/crfs",children:"stargz format proposed by Google CRFS project"})," but comes with practical features including content verification and performance optimization.\nFor more details about lazy pulling and eStargz, please refer to ",(0,s.jsx)(n.a,{href:"https://github.com/containerd/stargz-snapshotter",children:"Stargz Snapshotter project repository"}),"."]}),"\n",(0,s.jsx)(n.h3,{id:"configure-k3s-for-lazy-pulling-of-estargz",children:"Configure k3s for lazy pulling of eStargz"}),"\n",(0,s.jsxs)(n.p,{children:["As shown in the following, ",(0,s.jsx)(n.code,{children:"--snapshotter=stargz"})," option is needed for k3s server and agent."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"k3s server --snapshotter=stargz\n"})}),"\n",(0,s.jsxs)(n.p,{children:["With this configuration, you can perform lazy pulling for eStargz-formatted images.\nThe following example Pod manifest uses eStargz-formatted ",(0,s.jsx)(n.code,{children:"node:13.13.0"})," image (",(0,s.jsx)(n.code,{children:"ghcr.io/stargz-containers/node:13.13.0-esgz"}),").\nWhen the stargz snapshotter is enabled, K3s performs lazy pulling for this image."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Pod\nmetadata:\n name: nodejs\nspec:\n containers:\n - name: nodejs-estargz\n image: ghcr.io/stargz-containers/node:13.13.0-esgz\n command: [\"node\"]\n args:\n - -e\n - var http = require('http');\n http.createServer(function(req, res) {\n res.writeHead(200);\n res.end('Hello World!\\n');\n }).listen(80);\n ports:\n - containerPort: 80\n"})}),"\n",(0,s.jsx)(n.h2,{id:"additional-logging-sources",children:"Additional Logging Sources"}),"\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://rancher.com/docs/rancher/v2.6/en/logging/helm-chart-options/",children:"Rancher logging"})," for K3s can be installed without using Rancher. The following instructions should be executed to do so:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"helm repo add rancher-charts https://charts.rancher.io\nhelm repo update\nhelm install --create-namespace -n cattle-logging-system rancher-logging-crd rancher-charts/rancher-logging-crd\nhelm install --create-namespace -n cattle-logging-system rancher-logging --set additionalLoggingSources.k3s.enabled=true rancher-charts/rancher-logging\n"})}),"\n",(0,s.jsx)(n.h2,{id:"additional-network-policy-logging",children:"Additional Network Policy Logging"}),"\n",(0,s.jsx)(n.p,{children:"Packets dropped by network policies can be logged. The packet is sent to the iptables NFLOG action, which shows the packet details, including the network policy that blocked it."}),"\n",(0,s.jsxs)(n.p,{children:["If there is a lot of traffic, the number of log messages could be very high. To control the log rate on a per-policy basis, set the ",(0,s.jsx)(n.code,{children:"limit"})," and ",(0,s.jsx)(n.code,{children:"limit-burst"})," iptables parameters by adding the following annotations to the network policy in question:"]}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:(0,s.jsx)(n.code,{children:"kube-router.io/netpol-nflog-limit="})}),"\n",(0,s.jsx)(n.li,{children:(0,s.jsx)(n.code,{children:"kube-router.io/netpol-nflog-limit-burst="})}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["Default values are ",(0,s.jsx)(n.code,{children:"limit=10/minute"})," and ",(0,s.jsx)(n.code,{children:"limit-burst=10"}),". Check the ",(0,s.jsx)(n.a,{href:"https://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html#:~:text=restrict%20the%20rate%20of%20matches",children:"iptables manual"})," for more information on the format and possible values for these fields."]}),"\n",(0,s.jsxs)(n.p,{children:["To convert NFLOG packets to log entries, install ulogd2 and configure ",(0,s.jsx)(n.code,{children:"[log1]"})," to read on ",(0,s.jsx)(n.code,{children:"group=100"}),". Then, restart the ulogd2 service for the new config to be committed.\nWhen a packet is blocked by network policy rules, a log message will appear in ",(0,s.jsx)(n.code,{children:"/var/log/ulog/syslogemu.log"}),"."]}),"\n",(0,s.jsx)(n.p,{children:"Packets sent to the NFLOG netlink socket can also be read by using command-line tools like tcpdump or tshark:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"tcpdump -ni nflog:100\n"})}),"\n",(0,s.jsxs)(n.p,{children:["While more readily available, tcpdump will not show the name of the network policy that blocked the packet. Use wireshark's tshark command instead to display the full NFLOG packet header, including the ",(0,s.jsx)(n.code,{children:"nflog.prefix"})," field that contains the policy name."]})]})}function h(e={}){const{wrapper:n}={...(0,i.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}function u(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,t)=>{t.d(n,{Z:()=>a,a:()=>o});var s=t(7294);const i={},r=s.createContext(i);function o(e){const n=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:o(e.components),s.createElement(r.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6801],{793:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>r,metadata:()=>a,toc:()=>c});var s=t(5893),i=t(1151);const r={title:"Advanced Options / Configuration"},o=void 0,a={id:"advanced",title:"Advanced Options / Configuration",description:"This section contains advanced information describing the different ways you can run and manage K3s, as well as steps necessary to prepare the host OS for K3s use.",source:"@site/docs/advanced.md",sourceDirName:".",slug:"/advanced",permalink:"/advanced",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/advanced.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Advanced Options / Configuration"},sidebar:"mySidebar",previous:{title:"Helm",permalink:"/helm"},next:{title:"Environment Variables",permalink:"/reference/env-variables"}},l={},c=[{value:"Certificate Management",id:"certificate-management",level:2},{value:"Certificate Authority Certificates",id:"certificate-authority-certificates",level:3},{value:"Client and Server certificates",id:"client-and-server-certificates",level:3},{value:"Token Management",id:"token-management",level:2},{value:"Configuring an HTTP proxy",id:"configuring-an-http-proxy",level:2},{value:"Using Docker as the Container Runtime",id:"using-docker-as-the-container-runtime",level:2},{value:"Using etcdctl",id:"using-etcdctl",level:2},{value:"Configuring containerd",id:"configuring-containerd",level:2},{value:"Base template",id:"base-template",level:3},{value:"NVIDIA Container Runtime Support",id:"nvidia-container-runtime-support",level:2},{value:"Running Agentless Servers (Experimental)",id:"running-agentless-servers-experimental",level:2},{value:"Running Rootless Servers (Experimental)",id:"running-rootless-servers-experimental",level:2},{value:"Known Issues with Rootless mode",id:"known-issues-with-rootless-mode",level:3},{value:"Starting Rootless Servers",id:"starting-rootless-servers",level:3},{value:"Advanced Rootless Configuration",id:"advanced-rootless-configuration",level:3},{value:"Troubleshooting Rootless",id:"troubleshooting-rootless",level:3},{value:"Node Labels and Taints",id:"node-labels-and-taints",level:2},{value:"Starting the Service with the Installation Script",id:"starting-the-service-with-the-installation-script",level:2},{value:"Running K3s in Docker",id:"running-k3s-in-docker",level:2},{value:"SELinux Support",id:"selinux-support",level:2},{value:"Enabling SELinux Enforcement",id:"enabling-selinux-enforcement",level:3},{value:"Enabling Lazy Pulling of eStargz (Experimental)",id:"enabling-lazy-pulling-of-estargz-experimental",level:2},{value:"What's lazy pulling and eStargz?",id:"whats-lazy-pulling-and-estargz",level:3},{value:"Configure k3s for lazy pulling of eStargz",id:"configure-k3s-for-lazy-pulling-of-estargz",level:3},{value:"Additional Logging Sources",id:"additional-logging-sources",level:2},{value:"Additional Network Policy Logging",id:"additional-network-policy-logging",level:2}];function d(e){const n={a:"a",admonition:"admonition",blockquote:"blockquote",br:"br",code:"code",em:"em",h2:"h2",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,i.a)(),...e.components},{TabItem:t,Tabs:r}=n;return t||u("TabItem",!0),r||u("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"This section contains advanced information describing the different ways you can run and manage K3s, as well as steps necessary to prepare the host OS for K3s use."}),"\n",(0,s.jsx)(n.h2,{id:"certificate-management",children:"Certificate Management"}),"\n",(0,s.jsx)(n.h3,{id:"certificate-authority-certificates",children:"Certificate Authority Certificates"}),"\n",(0,s.jsx)(n.p,{children:"K3s generates self-signed Certificate Authority (CA) Certificates during startup of the first server node. These CA certificates are valid for 10 years, and are not automatically renewed."}),"\n",(0,s.jsxs)(n.p,{children:["For information on using custom CA certificates, or renewing the self-signed CA certificates, see the ",(0,s.jsxs)(n.a,{href:"/cli/certificate#certificate-authority-ca-certificates",children:[(0,s.jsx)(n.code,{children:"k3s certificate rotate-ca"})," command documentation"]}),"."]}),"\n",(0,s.jsx)(n.h3,{id:"client-and-server-certificates",children:"Client and Server certificates"}),"\n",(0,s.jsx)(n.p,{children:"K3s client and server certificates are valid for 365 days from their date of issuance. Any certificates that are expired, or within 90 days of expiring, are automatically renewed every time K3s starts."}),"\n",(0,s.jsxs)(n.p,{children:["For information on manually rotating client and server certificates, see the ",(0,s.jsxs)(n.a,{href:"/cli/certificate#client-and-server-certificates",children:[(0,s.jsx)(n.code,{children:"k3s certificate rotate"})," command documentation"]}),"."]}),"\n",(0,s.jsx)(n.h2,{id:"token-management",children:"Token Management"}),"\n",(0,s.jsxs)(n.p,{children:["By default, K3s uses a single static token for both servers and agents. This token cannot be changed once the cluster has been created.\nIt is possible to enable a second static token that can only be used to join agents, or to create temporary ",(0,s.jsx)(n.code,{children:"kubeadm"})," style join tokens that expire automatically.\nFor more information, see the ",(0,s.jsxs)(n.a,{href:"/cli/token",children:[(0,s.jsx)(n.code,{children:"k3s token"})," command documentation"]}),"."]}),"\n",(0,s.jsx)(n.h2,{id:"configuring-an-http-proxy",children:"Configuring an HTTP proxy"}),"\n",(0,s.jsx)(n.p,{children:"If you are running K3s in an environment, which only has external connectivity through an HTTP proxy, you can configure your proxy settings on the K3s systemd service. These proxy settings will then be used in K3s and passed down to the embedded containerd and kubelet."}),"\n",(0,s.jsxs)(n.p,{children:["The K3s installation script will automatically take the ",(0,s.jsx)(n.code,{children:"HTTP_PROXY"}),", ",(0,s.jsx)(n.code,{children:"HTTPS_PROXY"})," and ",(0,s.jsx)(n.code,{children:"NO_PROXY"}),", as well as the ",(0,s.jsx)(n.code,{children:"CONTAINERD_HTTP_PROXY"}),", ",(0,s.jsx)(n.code,{children:"CONTAINERD_HTTPS_PROXY"})," and ",(0,s.jsx)(n.code,{children:"CONTAINERD_NO_PROXY"})," variables from the current shell, if they are present, and write them to the environment file of your systemd service, usually:"]}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:(0,s.jsx)(n.code,{children:"/etc/systemd/system/k3s.service.env"})}),"\n",(0,s.jsx)(n.li,{children:(0,s.jsx)(n.code,{children:"/etc/systemd/system/k3s-agent.service.env"})}),"\n"]}),"\n",(0,s.jsx)(n.p,{children:"Of course, you can also configure the proxy by editing these files."}),"\n",(0,s.jsxs)(n.p,{children:["K3s will automatically add the cluster internal Pod and Service IP ranges and cluster DNS domain to the list of ",(0,s.jsx)(n.code,{children:"NO_PROXY"})," entries. You should ensure that the IP address ranges used by the Kubernetes nodes themselves (i.e. the public and private IPs of the nodes) are included in the ",(0,s.jsx)(n.code,{children:"NO_PROXY"})," list, or that the nodes can be reached through the proxy."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"HTTP_PROXY=http://your-proxy.example.com:8888\nHTTPS_PROXY=http://your-proxy.example.com:8888\nNO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\n"})}),"\n",(0,s.jsxs)(n.p,{children:["If you want to configure the proxy settings for containerd without affecting K3s and the Kubelet, you can prefix the variables with ",(0,s.jsx)(n.code,{children:"CONTAINERD_"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"CONTAINERD_HTTP_PROXY=http://your-proxy.example.com:8888\nCONTAINERD_HTTPS_PROXY=http://your-proxy.example.com:8888\nCONTAINERD_NO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16\n"})}),"\n",(0,s.jsx)(n.h2,{id:"using-docker-as-the-container-runtime",children:"Using Docker as the Container Runtime"}),"\n",(0,s.jsxs)(n.p,{children:["K3s includes and defaults to ",(0,s.jsx)(n.a,{href:"https://containerd.io/",children:"containerd"}),", an industry-standard container runtime.\nAs of Kubernetes 1.24, the Kubelet no longer includes dockershim, the component that allows the kubelet to communicate with dockerd.\nK3s 1.24 and higher include ",(0,s.jsx)(n.a,{href:"https://github.com/Mirantis/cri-dockerd",children:"cri-dockerd"}),", which allows seamless upgrade from prior releases of K3s while continuing to use the Docker container runtime."]}),"\n",(0,s.jsx)(n.p,{children:"To use Docker instead of containerd:"}),"\n",(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Install Docker on the K3s node. One of Rancher's ",(0,s.jsx)(n.a,{href:"https://github.com/rancher/install-docker",children:"Docker installation scripts"})," can be used to install Docker:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl https://releases.rancher.com/install-docker/20.10.sh | sh\n"})}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Install K3s using the ",(0,s.jsx)(n.code,{children:"--docker"})," option:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | sh -s - --docker\n"})}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsx)(n.p,{children:"Confirm that the cluster is available:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"$ sudo k3s kubectl get pods --all-namespaces\nNAMESPACE NAME READY STATUS RESTARTS AGE\nkube-system local-path-provisioner-6d59f47c7-lncxn 1/1 Running 0 51s\nkube-system metrics-server-7566d596c8-9tnck 1/1 Running 0 51s\nkube-system helm-install-traefik-mbkn9 0/1 Completed 1 51s\nkube-system coredns-8655855d6-rtbnb 1/1 Running 0 51s\nkube-system svclb-traefik-jbmvl 2/2 Running 0 43s\nkube-system traefik-758cd5fc85-2wz97 1/1 Running 0 43s\n"})}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsx)(n.p,{children:"Confirm that the Docker containers are running:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'$ sudo docker ps\nCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES\n3e4d34729602 897ce3c5fc8f "entry" About a minute ago Up About a minute k8s_lb-port-443_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0\nbffdc9d7a65f rancher/klipper-lb "entry" About a minute ago Up About a minute k8s_lb-port-80_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0\n436b85c5e38d rancher/library-traefik "/traefik --configfi\u2026" About a minute ago Up About a minute k8s_traefik_traefik-758cd5fc85-2wz97_kube-system_07abe831-ffd6-4206-bfa1-7c9ca4fb39e7_0\nde8fded06188 rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_svclb-traefik-jbmvl_kube-system_d46f10c6-073f-4c7e-8d7a-8e7ac18f9cb0_0\n7c6a30aeeb2f rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_traefik-758cd5fc85-2wz97_kube-system_07abe831-ffd6-4206-bfa1-7c9ca4fb39e7_0\nae6c58cab4a7 9d12f9848b99 "local-path-provisio\u2026" About a minute ago Up About a minute k8s_local-path-provisioner_local-path-provisioner-6d59f47c7-lncxn_kube-system_2dbd22bf-6ad9-4bea-a73d-620c90a6c1c1_0\nbe1450e1a11e 9dd718864ce6 "/metrics-server" About a minute ago Up About a minute k8s_metrics-server_metrics-server-7566d596c8-9tnck_kube-system_031e74b5-e9ef-47ef-a88d-fbf3f726cbc6_0\n4454d14e4d3f c4d3d16fe508 "/coredns -conf /etc\u2026" About a minute ago Up About a minute k8s_coredns_coredns-8655855d6-rtbnb_kube-system_d05725df-4fb1-410a-8e82-2b1c8278a6a1_0\nc3675b87f96c rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_coredns-8655855d6-rtbnb_kube-system_d05725df-4fb1-410a-8e82-2b1c8278a6a1_0\n4b1fddbe6ca6 rancher/pause:3.1 "/pause" About a minute ago Up About a minute k8s_POD_local-path-provisioner-6d59f47c7-lncxn_kube-system_2dbd22bf-6ad9-4bea-a73d-620c90a6c1c1_0\n64d3517d4a95 rancher/pause:3.1 "/pause"\n'})}),"\n"]}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"using-etcdctl",children:"Using etcdctl"}),"\n",(0,s.jsx)(n.p,{children:"etcdctl provides a CLI for interacting with etcd servers. K3s does not bundle etcdctl."}),"\n",(0,s.jsxs)(n.p,{children:["If you would like to use etcdctl to interact with K3s's embedded etcd, install etcdctl using the ",(0,s.jsx)(n.a,{href:"https://etcd.io/docs/latest/install/",children:"official documentation"}),"."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'ETCD_VERSION="v3.5.5"\nETCD_URL="https://github.com/etcd-io/etcd/releases/download/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-amd64.tar.gz"\ncurl -sL ${ETCD_URL} | sudo tar -zxv --strip-components=1 -C /usr/local/bin\n'})}),"\n",(0,s.jsx)(n.p,{children:"You may then use etcdctl by configuring it to use the K3s-managed certificates and keys for authentication:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"sudo etcdctl version \\\n --cacert=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt \\\n --cert=/var/lib/rancher/k3s/server/tls/etcd/client.crt \\\n --key=/var/lib/rancher/k3s/server/tls/etcd/client.key\n"})}),"\n",(0,s.jsx)(n.h2,{id:"configuring-containerd",children:"Configuring containerd"}),"\n",(0,s.jsxs)(n.p,{children:["K3s will generate config.toml for containerd in ",(0,s.jsx)(n.code,{children:"/var/lib/rancher/k3s/agent/etc/containerd/config.toml"}),"."]}),"\n",(0,s.jsxs)(n.p,{children:["For advanced customization for this file you can create another file called ",(0,s.jsx)(n.code,{children:"config.toml.tmpl"})," in the same directory, and it will be used instead."]}),"\n",(0,s.jsxs)(n.p,{children:["The ",(0,s.jsx)(n.code,{children:"config.toml.tmpl"})," will be treated as a Go template file, and the ",(0,s.jsx)(n.code,{children:"config.Node"})," structure is being passed to the template. See ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/blob/master/pkg/agent/templates",children:"this folder"})," for Linux and Windows examples on how to use the structure to customize the configuration file.\nThe config.Node golang struct is defined ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/blob/master/pkg/daemons/config/types.go#L37",children:"here"})]}),"\n",(0,s.jsx)(n.h3,{id:"base-template",children:"Base template"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsx)(n.p,{children:"Available as of September 2023 releases: v1.24.17+k3s1, v1.25.13+k3s1, v1.26.8+k3s1, v1.27.5+k3s1, v1.28.1+k3s1"})}),"\n",(0,s.jsx)(n.p,{children:"You can extend the K3s base template instead of copy-pasting the complete stock template out of the K3s source code. This is useful if you need to build on the existing configuration, and add a few extra lines at the end."}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-toml",children:'#/var/lib/rancher/k3s/agent/etc/containerd/config.toml.tmpl\n\n{{ template "base" . }}\n\n[plugins."io.containerd.grpc.v1.cri".containerd.runtimes."custom"]\n runtime_type = "io.containerd.runc.v2"\n[plugins."io.containerd.grpc.v1.cri".containerd.runtimes."custom".options]\n BinaryName = "/usr/bin/custom-container-runtime"\n\n'})}),"\n",(0,s.jsx)(n.h2,{id:"nvidia-container-runtime-support",children:"NVIDIA Container Runtime Support"}),"\n",(0,s.jsx)(n.p,{children:"K3s will automatically detect and configure the NVIDIA container runtime if it is present when K3s starts."}),"\n",(0,s.jsxs)(n.ol,{children:["\n",(0,s.jsxs)(n.li,{children:["Install the nvidia-container package repository on the node by following the instructions at:\n",(0,s.jsx)(n.a,{href:"https://nvidia.github.io/libnvidia-container/",children:"https://nvidia.github.io/libnvidia-container/"})]}),"\n",(0,s.jsxs)(n.li,{children:["Install the nvidia container runtime packages. For example:\n",(0,s.jsx)(n.code,{children:"apt install -y nvidia-container-runtime cuda-drivers-fabricmanager-515 nvidia-headless-515-server"})]}),"\n",(0,s.jsxs)(n.li,{children:["Install K3s, or restart it if already installed:\n",(0,s.jsx)(n.code,{children:"curl -ksL get.k3s.io | sh -"})]}),"\n",(0,s.jsxs)(n.li,{children:["Confirm that the nvidia container runtime has been found by k3s:\n",(0,s.jsx)(n.code,{children:"grep nvidia /var/lib/rancher/k3s/agent/etc/containerd/config.toml"})]}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["This will automatically add ",(0,s.jsx)(n.code,{children:"nvidia"})," and/or ",(0,s.jsx)(n.code,{children:"nvidia-experimental"})," runtimes to the containerd configuration, depending on what runtime executables are found.\nYou must still add a RuntimeClass definition to your cluster, and deploy Pods that explicitly request the appropriate runtime by setting ",(0,s.jsx)(n.code,{children:"runtimeClassName: nvidia"})," in the Pod spec:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'apiVersion: node.k8s.io/v1\nkind: RuntimeClass\nmetadata:\n name: nvidia\nhandler: nvidia\n---\napiVersion: v1\nkind: Pod\nmetadata:\n name: nbody-gpu-benchmark\n namespace: default\nspec:\n restartPolicy: OnFailure\n runtimeClassName: nvidia\n containers:\n - name: cuda-container\n image: nvcr.io/nvidia/k8s/cuda-sample:nbody\n args: ["nbody", "-gpu", "-benchmark"]\n resources:\n limits:\n nvidia.com/gpu: 1\n env:\n - name: NVIDIA_VISIBLE_DEVICES\n value: all\n - name: NVIDIA_DRIVER_CAPABILITIES\n value: all\n'})}),"\n",(0,s.jsxs)(n.p,{children:["Note that the NVIDIA Container Runtime is also frequently used with ",(0,s.jsx)(n.a,{href:"https://github.com/NVIDIA/k8s-device-plugin/",children:"NVIDIA Device Plugin"}),", with modifications to ensure that pod specs include ",(0,s.jsx)(n.code,{children:"runtimeClassName: nvidia"}),", as mentioned above."]}),"\n",(0,s.jsx)(n.h2,{id:"running-agentless-servers-experimental",children:"Running Agentless Servers (Experimental)"}),"\n",(0,s.jsxs)(n.blockquote,{children:["\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.strong,{children:"Warning:"})," This feature is experimental."]}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["When started with the ",(0,s.jsx)(n.code,{children:"--disable-agent"})," flag, servers do not run the kubelet, container runtime, or CNI. They do not register a Node resource in the cluster, and will not appear in ",(0,s.jsx)(n.code,{children:"kubectl get nodes"})," output.\nBecause they do not host a kubelet, they cannot run pods or be managed by operators that rely on enumerating cluster nodes, including the embedded etcd controller and the system upgrade controller."]}),"\n",(0,s.jsx)(n.p,{children:"Running agentless servers may be advantageous if you want to obscure your control-plane nodes from discovery by agents and workloads, at the cost of increased administrative overhead caused by lack of cluster operator support."}),"\n",(0,s.jsxs)(n.p,{children:["By default, the apiserver on agentless servers will not be able to make outgoing connections to admission webhooks or aggregated apiservices running within the cluster. To remedy this, set the ",(0,s.jsx)(n.code,{children:"--egress-selector-mode"})," server flag to either ",(0,s.jsx)(n.code,{children:"pod"})," or ",(0,s.jsx)(n.code,{children:"cluster"}),". If you are changing this flag on an existing cluster, you'll need to restart all nodes in the cluster for the option to take effect."]}),"\n",(0,s.jsx)(n.h2,{id:"running-rootless-servers-experimental",children:"Running Rootless Servers (Experimental)"}),"\n",(0,s.jsxs)(n.blockquote,{children:["\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.strong,{children:"Warning:"})," This feature is experimental."]}),"\n"]}),"\n",(0,s.jsx)(n.p,{children:"Rootless mode allows running K3s servers as an unprivileged user, so as to protect the real root on the host from potential container-breakout attacks."}),"\n",(0,s.jsxs)(n.p,{children:["See ",(0,s.jsx)(n.a,{href:"https://rootlesscontaine.rs/",children:"https://rootlesscontaine.rs/"})," to learn more about Rootless Kubernetes."]}),"\n",(0,s.jsx)(n.h3,{id:"known-issues-with-rootless-mode",children:"Known Issues with Rootless mode"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsx)(n.p,{children:(0,s.jsx)(n.strong,{children:"Ports"})}),"\n",(0,s.jsx)(n.p,{children:"When running rootless a new network namespace is created. This means that K3s instance is running with networking fairly detached from the host.\nThe only way to access Services run in K3s from the host is to set up port forwards to the K3s network namespace.\nRootless K3s includes controller that will automatically bind 6443 and service ports below 1024 to the host with an offset of 10000."}),"\n",(0,s.jsx)(n.p,{children:"For example, a Service on port 80 will become 10080 on the host, but 8080 will become 8080 without any offset. Currently, only LoadBalancer Services are automatically bound."}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsx)(n.p,{children:(0,s.jsx)(n.strong,{children:"Cgroups"})}),"\n",(0,s.jsx)(n.p,{children:'Cgroup v1 and Hybrid v1/v2 are not supported; only pure Cgroup v2 is supported. If K3s fails to start due to missing cgroups when running rootless, it is likely that your node is in Hybrid mode, and the "missing" cgroups are still bound to a v1 controller.'}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsx)(n.p,{children:(0,s.jsx)(n.strong,{children:"Multi-node/multi-process cluster"})}),"\n",(0,s.jsxs)(n.p,{children:["Multi-node rootless clusters, or multiple rootless k3s processes on the same node, are not currently supported. See ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/issues/6488#issuecomment-1314998091",children:"#6488"})," for more details."]}),"\n"]}),"\n"]}),"\n",(0,s.jsx)(n.h3,{id:"starting-rootless-servers",children:"Starting Rootless Servers"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Enable cgroup v2 delegation, see ",(0,s.jsx)(n.a,{href:"https://rootlesscontaine.rs/getting-started/common/cgroup2/",children:"https://rootlesscontaine.rs/getting-started/common/cgroup2/"})," .\nThis step is required; the rootless kubelet will fail to start without the proper cgroups delegated."]}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Download ",(0,s.jsx)(n.code,{children:"k3s-rootless.service"})," from ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/blob/master/k3s-rootless.service",children:(0,s.jsx)(n.code,{children:"https://github.com/k3s-io/k3s/blob//k3s-rootless.service"})}),".\nMake sure to use the same version of ",(0,s.jsx)(n.code,{children:"k3s-rootless.service"})," and ",(0,s.jsx)(n.code,{children:"k3s"}),"."]}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Install ",(0,s.jsx)(n.code,{children:"k3s-rootless.service"})," to ",(0,s.jsx)(n.code,{children:"~/.config/systemd/user/k3s-rootless.service"}),".\nInstalling this file as a system-wide service (",(0,s.jsx)(n.code,{children:"/etc/systemd/..."}),") is not supported.\nDepending on the path of ",(0,s.jsx)(n.code,{children:"k3s"})," binary, you might need to modify the ",(0,s.jsx)(n.code,{children:"ExecStart=/usr/local/bin/k3s ..."})," line of the file."]}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Run ",(0,s.jsx)(n.code,{children:"systemctl --user daemon-reload"})]}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Run ",(0,s.jsx)(n.code,{children:"systemctl --user enable --now k3s-rootless"})]}),"\n"]}),"\n",(0,s.jsxs)(n.li,{children:["\n",(0,s.jsxs)(n.p,{children:["Run ",(0,s.jsx)(n.code,{children:"KUBECONFIG=~/.kube/k3s.yaml kubectl get pods -A"}),", and make sure the pods are running."]}),"\n"]}),"\n"]}),"\n",(0,s.jsxs)(n.blockquote,{children:["\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.strong,{children:"Note:"})," Don't try to run ",(0,s.jsx)(n.code,{children:"k3s server --rootless"})," on a terminal, as terminal sessions do not allow cgroup v2 delegation.\nIf you really need to try it on a terminal, use ",(0,s.jsx)(n.code,{children:"systemd-run --user -p Delegate=yes --tty k3s server --rootless"})," to wrap it in a systemd scope."]}),"\n"]}),"\n",(0,s.jsx)(n.h3,{id:"advanced-rootless-configuration",children:"Advanced Rootless Configuration"}),"\n",(0,s.jsxs)(n.p,{children:["Rootless K3s uses ",(0,s.jsx)(n.a,{href:"https://github.com/rootless-containers/rootlesskit",children:"rootlesskit"})," and ",(0,s.jsx)(n.a,{href:"https://github.com/rootless-containers/slirp4netns",children:"slirp4netns"})," to communicate between host and user network namespaces.\nSome of the configuration used by rootlesskit and slirp4nets can be set by environment variables. The best way to set these is to add them to the ",(0,s.jsx)(n.code,{children:"Environment"})," field of the k3s-rootless systemd unit."]}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"Variable"}),(0,s.jsx)(n.th,{children:"Default"}),(0,s.jsx)(n.th,{children:"Description"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"K3S_ROOTLESS_MTU"})}),(0,s.jsx)(n.td,{children:"1500"}),(0,s.jsx)(n.td,{children:"Sets the MTU for the slirp4netns virtual interfaces."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"K3S_ROOTLESS_CIDR"})}),(0,s.jsx)(n.td,{children:"10.41.0.0/16"}),(0,s.jsx)(n.td,{children:"Sets the CIDR used by slirp4netns virtual interfaces."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"K3S_ROOTLESS_ENABLE_IPV6"})}),(0,s.jsx)(n.td,{children:"autotedected"}),(0,s.jsx)(n.td,{children:"Enables slirp4netns IPv6 support. If not specified, it is automatically enabled if K3s is configured for dual-stack operation."})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"K3S_ROOTLESS_PORT_DRIVER"})}),(0,s.jsx)(n.td,{children:"builtin"}),(0,s.jsxs)(n.td,{children:["Selects the rootless port driver; either ",(0,s.jsx)(n.code,{children:"builtin"})," or ",(0,s.jsx)(n.code,{children:"slirp4netns"}),". Builtin is faster, but masquerades the original source address of inbound packets."]})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:(0,s.jsx)(n.code,{children:"K3S_ROOTLESS_DISABLE_HOST_LOOPBACK"})}),(0,s.jsx)(n.td,{children:"true"}),(0,s.jsx)(n.td,{children:"Controls whether or not access to the hosts's loopback address via the gateway interface is enabled. It is recommended that this not be changed, for security reasons."})]})]})]}),"\n",(0,s.jsx)(n.h3,{id:"troubleshooting-rootless",children:"Troubleshooting Rootless"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["Run ",(0,s.jsx)(n.code,{children:"systemctl --user status k3s-rootless"})," to check the daemon status"]}),"\n",(0,s.jsxs)(n.li,{children:["Run ",(0,s.jsx)(n.code,{children:"journalctl --user -f -u k3s-rootless"})," to see the daemon log"]}),"\n",(0,s.jsxs)(n.li,{children:["See also ",(0,s.jsx)(n.a,{href:"https://rootlesscontaine.rs/",children:"https://rootlesscontaine.rs/"})]}),"\n"]}),"\n",(0,s.jsx)(n.h2,{id:"node-labels-and-taints",children:"Node Labels and Taints"}),"\n",(0,s.jsxs)(n.p,{children:["K3s agents can be configured with the options ",(0,s.jsx)(n.code,{children:"--node-label"})," and ",(0,s.jsx)(n.code,{children:"--node-taint"})," which adds a label and taint to the kubelet. The two options only add labels and/or taints ",(0,s.jsx)(n.a,{href:"/cli/agent#node-labels-and-taints-for-agents",children:"at registration time"}),", so they can only be set when the node is first joined to the cluster."]}),"\n",(0,s.jsxs)(n.p,{children:["All current versions of Kubernetes restrict nodes from registering with most labels with ",(0,s.jsx)(n.code,{children:"kubernetes.io"})," and ",(0,s.jsx)(n.code,{children:"k8s.io"})," prefixes, specifically including the ",(0,s.jsx)(n.code,{children:"kubernetes.io/role"})," label. If you attempt to start a node with a disallowed label, K3s will fail to start. As stated by the Kubernetes authors:"]}),"\n",(0,s.jsxs)(n.blockquote,{children:["\n",(0,s.jsx)(n.p,{children:"Nodes are not permitted to assert their own role labels. Node roles are typically used to identify privileged or control plane types of nodes, and allowing nodes to label themselves into that pool allows a compromised node to trivially attract workloads (like control plane daemonsets) that confer access to higher privilege credentials."}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["See ",(0,s.jsx)(n.a,{href:"https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/279-limit-node-access/README.md#proposal",children:"SIG-Auth KEP 279"})," for more information."]}),"\n",(0,s.jsxs)(n.p,{children:["If you want to change node labels and taints after node registration, or add reserved labels, you should use ",(0,s.jsx)(n.code,{children:"kubectl"}),". Refer to the official Kubernetes documentation for details on how to add ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/",children:"taints"})," and ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/#add-a-label-to-a-node",children:"node labels."})]}),"\n",(0,s.jsx)(n.h2,{id:"starting-the-service-with-the-installation-script",children:"Starting the Service with the Installation Script"}),"\n",(0,s.jsx)(n.p,{children:"The installation script will auto-detect if your OS is using systemd or openrc and enable and start the service as part of the installation process."}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["When running with openrc, logs will be created at ",(0,s.jsx)(n.code,{children:"/var/log/k3s.log"}),"."]}),"\n",(0,s.jsxs)(n.li,{children:["When running with systemd, logs will be created in ",(0,s.jsx)(n.code,{children:"/var/log/syslog"})," and viewed using ",(0,s.jsx)(n.code,{children:"journalctl -u k3s"})," (or ",(0,s.jsx)(n.code,{children:"journalctl -u k3s-agent"})," on agents)."]}),"\n"]}),"\n",(0,s.jsx)(n.p,{children:"An example of disabling auto-starting and service enablement with the install script:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_SKIP_ENABLE=true sh -\n"})}),"\n",(0,s.jsx)(n.h2,{id:"running-k3s-in-docker",children:"Running K3s in Docker"}),"\n",(0,s.jsx)(n.p,{children:"There are several ways to run K3s in Docker:"}),"\n",(0,s.jsxs)(r,{children:[(0,s.jsxs)(t,{value:"K3d",default:!0,children:[(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://github.com/k3d-io/k3d",children:"k3d"})," is a utility designed to easily run multi-node K3s clusters in Docker."]}),(0,s.jsx)(n.p,{children:"k3d makes it very easy to create single- and multi-node k3s clusters in docker, e.g. for local development on Kubernetes."}),(0,s.jsxs)(n.p,{children:["See the ",(0,s.jsx)(n.a,{href:"https://k3d.io/#installation",children:"Installation"})," documentation for more information on how to install and use k3d."]})]}),(0,s.jsxs)(t,{value:"Docker",children:[(0,s.jsxs)(n.p,{children:["To use Docker, ",(0,s.jsx)(n.code,{children:"rancher/k3s"})," images are also available to run the K3s server and agent.\nUsing the ",(0,s.jsx)(n.code,{children:"docker run"})," command:"]}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"sudo docker run \\\n --privileged \\\n --name k3s-server-1 \\\n --hostname k3s-server-1 \\\n -p 6443:6443 \\\n -d rancher/k3s:v1.24.10-k3s1 \\\n server\n"})}),(0,s.jsx)(n.admonition,{type:"note",children:(0,s.jsxs)(n.p,{children:["You must specify a valid K3s version as the tag; the ",(0,s.jsx)(n.code,{children:"latest"})," tag is not maintained.",(0,s.jsx)(n.br,{}),"\n","Docker images do not allow a ",(0,s.jsx)(n.code,{children:"+"})," sign in tags, use a ",(0,s.jsx)(n.code,{children:"-"})," in the tag instead."]})}),(0,s.jsx)(n.p,{children:"Once K3s is up and running, you can copy the admin kubeconfig out of the Docker container for use:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"sudo docker cp k3s-server-1:/etc/rancher/k3s/k3s.yaml ~/.kube/config\n"})})]})]}),"\n",(0,s.jsx)(n.h2,{id:"selinux-support",children:"SELinux Support"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsx)(n.p,{children:"Available as of v1.19.4+k3s1"})}),"\n",(0,s.jsx)(n.p,{children:"If you are installing K3s on a system where SELinux is enabled by default (such as CentOS), you must ensure the proper SELinux policies have been installed."}),"\n",(0,s.jsxs)(r,{children:[(0,s.jsx)(t,{value:"Automatic Installation",default:!0,children:(0,s.jsxs)(n.p,{children:["The ",(0,s.jsx)(n.a,{href:"/installation/configuration#configuration-with-install-script",children:"install script"})," will automatically install the SELinux RPM from the Rancher RPM repository if on a compatible system if not performing an air-gapped install. Automatic installation can be skipped by setting ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_SKIP_SELINUX_RPM=true"}),"."]})}),(0,s.jsxs)(t,{value:"Manual Installation",default:!0,children:[(0,s.jsx)(n.p,{children:"The necessary policies can be installed with the following commands:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"yum install -y container-selinux selinux-policy-base\nyum install -y https://rpm.rancher.io/k3s/latest/common/centos/7/noarch/k3s-selinux-1.4-1.el7.noarch.rpm\n"})}),(0,s.jsxs)(n.p,{children:["To force the install script to log a warning rather than fail, you can set the following environment variable: ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_SELINUX_WARN=true"}),"."]})]})]}),"\n",(0,s.jsx)(n.h3,{id:"enabling-selinux-enforcement",children:"Enabling SELinux Enforcement"}),"\n",(0,s.jsxs)(n.p,{children:["To leverage SELinux, specify the ",(0,s.jsx)(n.code,{children:"--selinux"})," flag when starting K3s servers and agents."]}),"\n",(0,s.jsxs)(n.p,{children:["This option can also be specified in the K3s ",(0,s.jsx)(n.a,{href:"/installation/configuration#configuration-file",children:"configuration file"}),"."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"selinux: true\n"})}),"\n",(0,s.jsxs)(n.p,{children:["Using a custom ",(0,s.jsx)(n.code,{children:"--data-dir"})," under SELinux is not supported. To customize it, you would most likely need to write your own custom policy. For guidance, you could refer to the ",(0,s.jsx)(n.a,{href:"https://github.com/containers/container-selinux",children:"containers/container-selinux"})," repository, which contains the SELinux policy files for Container Runtimes, and the ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-selinux",children:"k3s-io/k3s-selinux"})," repository, which contains the SELinux policy for K3s."]}),"\n",(0,s.jsx)(n.h2,{id:"enabling-lazy-pulling-of-estargz-experimental",children:"Enabling Lazy Pulling of eStargz (Experimental)"}),"\n",(0,s.jsx)(n.h3,{id:"whats-lazy-pulling-and-estargz",children:"What's lazy pulling and eStargz?"}),"\n",(0,s.jsxs)(n.p,{children:["Pulling images is known as one of the time-consuming steps in the container lifecycle.\nAccording to ",(0,s.jsx)(n.a,{href:"https://www.usenix.org/conference/fast16/technical-sessions/presentation/harter",children:"Harter, et al."}),","]}),"\n",(0,s.jsxs)(n.blockquote,{children:["\n",(0,s.jsx)(n.p,{children:"pulling packages accounts for 76% of container start time, but only 6.4% of that data is read"}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["To address this issue, k3s experimentally supports ",(0,s.jsx)(n.em,{children:"lazy pulling"})," of image contents.\nThis allows k3s to start a container before the entire image has been pulled.\nInstead, the necessary chunks of contents (e.g. individual files) are fetched on-demand.\nEspecially for large images, this technique can shorten the container startup latency."]}),"\n",(0,s.jsxs)(n.p,{children:["To enable lazy pulling, the target image needs to be formatted as ",(0,s.jsx)(n.a,{href:"https://github.com/containerd/stargz-snapshotter/blob/main/docs/stargz-estargz.md",children:(0,s.jsx)(n.em,{children:"eStargz"})}),".\nThis is an OCI-alternative but 100% OCI-compatible image format for lazy pulling.\nBecause of the compatibility, eStargz can be pushed to standard container registries (e.g. ghcr.io) as well as this is ",(0,s.jsx)(n.em,{children:"still runnable"})," even on eStargz-agnostic runtimes."]}),"\n",(0,s.jsxs)(n.p,{children:["eStargz is developed based on the ",(0,s.jsx)(n.a,{href:"https://github.com/google/crfs",children:"stargz format proposed by Google CRFS project"})," but comes with practical features including content verification and performance optimization.\nFor more details about lazy pulling and eStargz, please refer to ",(0,s.jsx)(n.a,{href:"https://github.com/containerd/stargz-snapshotter",children:"Stargz Snapshotter project repository"}),"."]}),"\n",(0,s.jsx)(n.h3,{id:"configure-k3s-for-lazy-pulling-of-estargz",children:"Configure k3s for lazy pulling of eStargz"}),"\n",(0,s.jsxs)(n.p,{children:["As shown in the following, ",(0,s.jsx)(n.code,{children:"--snapshotter=stargz"})," option is needed for k3s server and agent."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"k3s server --snapshotter=stargz\n"})}),"\n",(0,s.jsxs)(n.p,{children:["With this configuration, you can perform lazy pulling for eStargz-formatted images.\nThe following example Pod manifest uses eStargz-formatted ",(0,s.jsx)(n.code,{children:"node:13.13.0"})," image (",(0,s.jsx)(n.code,{children:"ghcr.io/stargz-containers/node:13.13.0-esgz"}),").\nWhen the stargz snapshotter is enabled, K3s performs lazy pulling for this image."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Pod\nmetadata:\n name: nodejs\nspec:\n containers:\n - name: nodejs-estargz\n image: ghcr.io/stargz-containers/node:13.13.0-esgz\n command: [\"node\"]\n args:\n - -e\n - var http = require('http');\n http.createServer(function(req, res) {\n res.writeHead(200);\n res.end('Hello World!\\n');\n }).listen(80);\n ports:\n - containerPort: 80\n"})}),"\n",(0,s.jsx)(n.h2,{id:"additional-logging-sources",children:"Additional Logging Sources"}),"\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"https://rancher.com/docs/rancher/v2.6/en/logging/helm-chart-options/",children:"Rancher logging"})," for K3s can be installed without using Rancher. The following instructions should be executed to do so:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"helm repo add rancher-charts https://charts.rancher.io\nhelm repo update\nhelm install --create-namespace -n cattle-logging-system rancher-logging-crd rancher-charts/rancher-logging-crd\nhelm install --create-namespace -n cattle-logging-system rancher-logging --set additionalLoggingSources.k3s.enabled=true rancher-charts/rancher-logging\n"})}),"\n",(0,s.jsx)(n.h2,{id:"additional-network-policy-logging",children:"Additional Network Policy Logging"}),"\n",(0,s.jsx)(n.p,{children:"Packets dropped by network policies can be logged. The packet is sent to the iptables NFLOG action, which shows the packet details, including the network policy that blocked it."}),"\n",(0,s.jsxs)(n.p,{children:["If there is a lot of traffic, the number of log messages could be very high. To control the log rate on a per-policy basis, set the ",(0,s.jsx)(n.code,{children:"limit"})," and ",(0,s.jsx)(n.code,{children:"limit-burst"})," iptables parameters by adding the following annotations to the network policy in question:"]}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:(0,s.jsx)(n.code,{children:"kube-router.io/netpol-nflog-limit="})}),"\n",(0,s.jsx)(n.li,{children:(0,s.jsx)(n.code,{children:"kube-router.io/netpol-nflog-limit-burst="})}),"\n"]}),"\n",(0,s.jsxs)(n.p,{children:["Default values are ",(0,s.jsx)(n.code,{children:"limit=10/minute"})," and ",(0,s.jsx)(n.code,{children:"limit-burst=10"}),". Check the ",(0,s.jsx)(n.a,{href:"https://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html#:~:text=restrict%20the%20rate%20of%20matches",children:"iptables manual"})," for more information on the format and possible values for these fields."]}),"\n",(0,s.jsxs)(n.p,{children:["To convert NFLOG packets to log entries, install ulogd2 and configure ",(0,s.jsx)(n.code,{children:"[log1]"})," to read on ",(0,s.jsx)(n.code,{children:"group=100"}),". Then, restart the ulogd2 service for the new config to be committed.\nWhen a packet is blocked by network policy rules, a log message will appear in ",(0,s.jsx)(n.code,{children:"/var/log/ulog/syslogemu.log"}),"."]}),"\n",(0,s.jsx)(n.p,{children:"Packets sent to the NFLOG netlink socket can also be read by using command-line tools like tcpdump or tshark:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"tcpdump -ni nflog:100\n"})}),"\n",(0,s.jsxs)(n.p,{children:["While more readily available, tcpdump will not show the name of the network policy that blocked the packet. Use wireshark's tshark command instead to display the full NFLOG packet header, including the ",(0,s.jsx)(n.code,{children:"nflog.prefix"})," field that contains the policy name."]})]})}function h(e={}){const{wrapper:n}={...(0,i.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}function u(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,t)=>{t.d(n,{Z:()=>a,a:()=>o});var s=t(7294);const i={},r=s.createContext(i);function o(e){const n=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:o(e.components),s.createElement(r.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/41765d36.ed40d505.js b/assets/js/41765d36.d40b96ba.js
similarity index 99%
rename from assets/js/41765d36.ed40d505.js
rename to assets/js/41765d36.d40b96ba.js
index 13a323a9a..a5a4f549e 100644
--- a/assets/js/41765d36.ed40d505.js
+++ b/assets/js/41765d36.d40b96ba.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1615],{99:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>i,contentTitle:()=>r,default:()=>h,frontMatter:()=>s,metadata:()=>l,toc:()=>c});var a=t(5893),o=t(1151);const s={title:"Volumes and Storage"},r=void 0,l={id:"storage",title:"Volumes and Storage",description:"When deploying an application that needs to retain data, you\u2019ll need to create persistent storage. Persistent storage allows you to store application data external from the pod running your application. This storage practice allows you to maintain application data, even if the application\u2019s pod fails.",source:"@site/docs/storage.md",sourceDirName:".",slug:"/storage",permalink:"/storage",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/storage.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Volumes and Storage"},sidebar:"mySidebar",previous:{title:"Cluster Access",permalink:"/cluster-access"},next:{title:"Networking",permalink:"/networking/"}},i={},c=[{value:"What's different about K3s storage?",id:"whats-different-about-k3s-storage",level:2},{value:"Setting up the Local Storage Provider",id:"setting-up-the-local-storage-provider",level:2},{value:"pvc.yaml",id:"pvcyaml",level:3},{value:"pod.yaml",id:"podyaml",level:3},{value:"Setting up Longhorn",id:"setting-up-longhorn",level:2},{value:"pvc.yaml",id:"pvcyaml-1",level:3},{value:"pod.yaml",id:"podyaml-1",level:3}];function d(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",ul:"ul",...(0,o.a)(),...e.components};return(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)(n.p,{children:"When deploying an application that needs to retain data, you\u2019ll need to create persistent storage. Persistent storage allows you to store application data external from the pod running your application. This storage practice allows you to maintain application data, even if the application\u2019s pod fails."}),"\n",(0,a.jsxs)(n.p,{children:["A persistent volume (PV) is a piece of storage in the Kubernetes cluster, while a persistent volume claim (PVC) is a request for storage. For details on how PVs and PVCs work, refer to the official Kubernetes documentation on ",(0,a.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/storage/volumes/",children:"storage."})]}),"\n",(0,a.jsxs)(n.p,{children:["This page describes how to set up persistent storage with a local storage provider, or with ",(0,a.jsx)(n.a,{href:"#setting-up-longhorn",children:"Longhorn."})]}),"\n",(0,a.jsx)(n.h2,{id:"whats-different-about-k3s-storage",children:"What's different about K3s storage?"}),"\n",(0,a.jsx)(n.p,{children:'K3s removes several optional volume plugins and all built-in (sometimes referred to as "in-tree") cloud providers. We do this in order to achieve a smaller binary size and to avoid dependence on third-party cloud or data center technologies and services, which may not be available in many K3s use cases. We are able to do this because their removal affects neither core Kubernetes functionality nor conformance.'}),"\n",(0,a.jsx)(n.p,{children:"The following volume plugins have been removed from K3s:"}),"\n",(0,a.jsxs)(n.ul,{children:["\n",(0,a.jsx)(n.li,{children:"cephfs"}),"\n",(0,a.jsx)(n.li,{children:"fc"}),"\n",(0,a.jsx)(n.li,{children:"flocker"}),"\n",(0,a.jsx)(n.li,{children:"git_repo"}),"\n",(0,a.jsx)(n.li,{children:"glusterfs"}),"\n",(0,a.jsx)(n.li,{children:"portworx"}),"\n",(0,a.jsx)(n.li,{children:"quobyte"}),"\n",(0,a.jsx)(n.li,{children:"rbd"}),"\n",(0,a.jsx)(n.li,{children:"storageos"}),"\n"]}),"\n",(0,a.jsxs)(n.p,{children:["Both components have out-of-tree alternatives that can be used with K3s: The Kubernetes ",(0,a.jsx)(n.a,{href:"https://github.com/container-storage-interface/spec/blob/master/spec.md",children:"Container Storage Interface (CSI)"})," and ",(0,a.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/",children:"Cloud Provider Interface (CPI)"}),"."]}),"\n",(0,a.jsxs)(n.p,{children:["Kubernetes maintainers are actively migrating in-tree volume plugins to CSI drivers. For more information on this migration, please refer ",(0,a.jsx)(n.a,{href:"https://kubernetes.io/blog/2021/12/10/storage-in-tree-to-csi-migration-status-update/",children:"here"}),"."]}),"\n",(0,a.jsx)(n.h2,{id:"setting-up-the-local-storage-provider",children:"Setting up the Local Storage Provider"}),"\n",(0,a.jsxs)(n.p,{children:["K3s comes with Rancher's Local Path Provisioner and this enables the ability to create persistent volume claims out of the box using local storage on the respective node. Below we cover a simple example. For more information please reference the official documentation ",(0,a.jsx)(n.a,{href:"https://github.com/rancher/local-path-provisioner/blob/master/README.md#usage",children:"here"}),"."]}),"\n",(0,a.jsx)(n.p,{children:"Create a hostPath backed persistent volume claim and a pod to utilize it:"}),"\n",(0,a.jsx)(n.h3,{id:"pvcyaml",children:"pvc.yaml"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n name: local-path-pvc\n namespace: default\nspec:\n accessModes:\n - ReadWriteOnce\n storageClassName: local-path\n resources:\n requests:\n storage: 2Gi\n"})}),"\n",(0,a.jsx)(n.h3,{id:"podyaml",children:"pod.yaml"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Pod\nmetadata:\n name: volume-test\n namespace: default\nspec:\n containers:\n - name: volume-test\n image: nginx:stable-alpine\n imagePullPolicy: IfNotPresent\n volumeMounts:\n - name: volv\n mountPath: /data\n ports:\n - containerPort: 80\n volumes:\n - name: volv\n persistentVolumeClaim:\n claimName: local-path-pvc\n"})}),"\n",(0,a.jsx)(n.p,{children:"Apply the yaml:"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-bash",children:"kubectl create -f pvc.yaml\nkubectl create -f pod.yaml\n"})}),"\n",(0,a.jsx)(n.p,{children:"Confirm the PV and PVC are created:"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-bash",children:"kubectl get pv\nkubectl get pvc\n"})}),"\n",(0,a.jsx)(n.p,{children:"The status should be Bound for each."}),"\n",(0,a.jsx)(n.h2,{id:"setting-up-longhorn",children:"Setting up Longhorn"}),"\n",(0,a.jsx)(n.admonition,{type:"warning",children:(0,a.jsx)(n.p,{children:"Longhorn does not support ARM32."})}),"\n",(0,a.jsxs)(n.p,{children:["K3s supports ",(0,a.jsx)(n.a,{href:"https://github.com/longhorn/longhorn",children:"Longhorn"}),", an open-source distributed block storage system for Kubernetes."]}),"\n",(0,a.jsxs)(n.p,{children:["Below we cover a simple example. For more information, refer to the ",(0,a.jsx)(n.a,{href:"https://longhorn.io/docs/latest/",children:"official documentation"}),"."]}),"\n",(0,a.jsx)(n.p,{children:"Apply the longhorn.yaml to install Longhorn:"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-bash",children:"kubectl apply -f https://raw.githubusercontent.com/longhorn/longhorn/v1.6.0/deploy/longhorn.yaml\n"})}),"\n",(0,a.jsxs)(n.p,{children:["Longhorn will be installed in the namespace ",(0,a.jsx)(n.code,{children:"longhorn-system"}),"."]}),"\n",(0,a.jsx)(n.p,{children:"Apply the yaml to create the PVC and pod:"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-bash",children:"kubectl create -f pvc.yaml\nkubectl create -f pod.yaml\n"})}),"\n",(0,a.jsx)(n.h3,{id:"pvcyaml-1",children:"pvc.yaml"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n name: longhorn-volv-pvc\nspec:\n accessModes:\n - ReadWriteOnce\n storageClassName: longhorn\n resources:\n requests:\n storage: 2Gi\n"})}),"\n",(0,a.jsx)(n.h3,{id:"podyaml-1",children:"pod.yaml"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Pod\nmetadata:\n name: volume-test\n namespace: default\nspec:\n containers:\n - name: volume-test\n image: nginx:stable-alpine\n imagePullPolicy: IfNotPresent\n volumeMounts:\n - name: volv\n mountPath: /data\n ports:\n - containerPort: 80\n volumes:\n - name: volv\n persistentVolumeClaim:\n claimName: longhorn-volv-pvc\n"})}),"\n",(0,a.jsx)(n.p,{children:"Confirm the PV and PVC are created:"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-bash",children:"kubectl get pv\nkubectl get pvc\n"})}),"\n",(0,a.jsx)(n.p,{children:"The status should be Bound for each."})]})}function h(e={}){const{wrapper:n}={...(0,o.a)(),...e.components};return n?(0,a.jsx)(n,{...e,children:(0,a.jsx)(d,{...e})}):d(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>l,a:()=>r});var a=t(7294);const o={},s=a.createContext(o);function r(e){const n=a.useContext(s);return a.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(o):e.components||o:r(e.components),a.createElement(s.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1615],{99:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>i,contentTitle:()=>r,default:()=>h,frontMatter:()=>s,metadata:()=>l,toc:()=>c});var a=t(5893),o=t(1151);const s={title:"Volumes and Storage"},r=void 0,l={id:"storage",title:"Volumes and Storage",description:"When deploying an application that needs to retain data, you\u2019ll need to create persistent storage. Persistent storage allows you to store application data external from the pod running your application. This storage practice allows you to maintain application data, even if the application\u2019s pod fails.",source:"@site/docs/storage.md",sourceDirName:".",slug:"/storage",permalink:"/storage",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/storage.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Volumes and Storage"},sidebar:"mySidebar",previous:{title:"Cluster Access",permalink:"/cluster-access"},next:{title:"Networking",permalink:"/networking/"}},i={},c=[{value:"What's different about K3s storage?",id:"whats-different-about-k3s-storage",level:2},{value:"Setting up the Local Storage Provider",id:"setting-up-the-local-storage-provider",level:2},{value:"pvc.yaml",id:"pvcyaml",level:3},{value:"pod.yaml",id:"podyaml",level:3},{value:"Setting up Longhorn",id:"setting-up-longhorn",level:2},{value:"pvc.yaml",id:"pvcyaml-1",level:3},{value:"pod.yaml",id:"podyaml-1",level:3}];function d(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",ul:"ul",...(0,o.a)(),...e.components};return(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)(n.p,{children:"When deploying an application that needs to retain data, you\u2019ll need to create persistent storage. Persistent storage allows you to store application data external from the pod running your application. This storage practice allows you to maintain application data, even if the application\u2019s pod fails."}),"\n",(0,a.jsxs)(n.p,{children:["A persistent volume (PV) is a piece of storage in the Kubernetes cluster, while a persistent volume claim (PVC) is a request for storage. For details on how PVs and PVCs work, refer to the official Kubernetes documentation on ",(0,a.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/storage/volumes/",children:"storage."})]}),"\n",(0,a.jsxs)(n.p,{children:["This page describes how to set up persistent storage with a local storage provider, or with ",(0,a.jsx)(n.a,{href:"#setting-up-longhorn",children:"Longhorn."})]}),"\n",(0,a.jsx)(n.h2,{id:"whats-different-about-k3s-storage",children:"What's different about K3s storage?"}),"\n",(0,a.jsx)(n.p,{children:'K3s removes several optional volume plugins and all built-in (sometimes referred to as "in-tree") cloud providers. We do this in order to achieve a smaller binary size and to avoid dependence on third-party cloud or data center technologies and services, which may not be available in many K3s use cases. We are able to do this because their removal affects neither core Kubernetes functionality nor conformance.'}),"\n",(0,a.jsx)(n.p,{children:"The following volume plugins have been removed from K3s:"}),"\n",(0,a.jsxs)(n.ul,{children:["\n",(0,a.jsx)(n.li,{children:"cephfs"}),"\n",(0,a.jsx)(n.li,{children:"fc"}),"\n",(0,a.jsx)(n.li,{children:"flocker"}),"\n",(0,a.jsx)(n.li,{children:"git_repo"}),"\n",(0,a.jsx)(n.li,{children:"glusterfs"}),"\n",(0,a.jsx)(n.li,{children:"portworx"}),"\n",(0,a.jsx)(n.li,{children:"quobyte"}),"\n",(0,a.jsx)(n.li,{children:"rbd"}),"\n",(0,a.jsx)(n.li,{children:"storageos"}),"\n"]}),"\n",(0,a.jsxs)(n.p,{children:["Both components have out-of-tree alternatives that can be used with K3s: The Kubernetes ",(0,a.jsx)(n.a,{href:"https://github.com/container-storage-interface/spec/blob/master/spec.md",children:"Container Storage Interface (CSI)"})," and ",(0,a.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/",children:"Cloud Provider Interface (CPI)"}),"."]}),"\n",(0,a.jsxs)(n.p,{children:["Kubernetes maintainers are actively migrating in-tree volume plugins to CSI drivers. For more information on this migration, please refer ",(0,a.jsx)(n.a,{href:"https://kubernetes.io/blog/2021/12/10/storage-in-tree-to-csi-migration-status-update/",children:"here"}),"."]}),"\n",(0,a.jsx)(n.h2,{id:"setting-up-the-local-storage-provider",children:"Setting up the Local Storage Provider"}),"\n",(0,a.jsxs)(n.p,{children:["K3s comes with Rancher's Local Path Provisioner and this enables the ability to create persistent volume claims out of the box using local storage on the respective node. Below we cover a simple example. For more information please reference the official documentation ",(0,a.jsx)(n.a,{href:"https://github.com/rancher/local-path-provisioner/blob/master/README.md#usage",children:"here"}),"."]}),"\n",(0,a.jsx)(n.p,{children:"Create a hostPath backed persistent volume claim and a pod to utilize it:"}),"\n",(0,a.jsx)(n.h3,{id:"pvcyaml",children:"pvc.yaml"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n name: local-path-pvc\n namespace: default\nspec:\n accessModes:\n - ReadWriteOnce\n storageClassName: local-path\n resources:\n requests:\n storage: 2Gi\n"})}),"\n",(0,a.jsx)(n.h3,{id:"podyaml",children:"pod.yaml"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Pod\nmetadata:\n name: volume-test\n namespace: default\nspec:\n containers:\n - name: volume-test\n image: nginx:stable-alpine\n imagePullPolicy: IfNotPresent\n volumeMounts:\n - name: volv\n mountPath: /data\n ports:\n - containerPort: 80\n volumes:\n - name: volv\n persistentVolumeClaim:\n claimName: local-path-pvc\n"})}),"\n",(0,a.jsx)(n.p,{children:"Apply the yaml:"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-bash",children:"kubectl create -f pvc.yaml\nkubectl create -f pod.yaml\n"})}),"\n",(0,a.jsx)(n.p,{children:"Confirm the PV and PVC are created:"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-bash",children:"kubectl get pv\nkubectl get pvc\n"})}),"\n",(0,a.jsx)(n.p,{children:"The status should be Bound for each."}),"\n",(0,a.jsx)(n.h2,{id:"setting-up-longhorn",children:"Setting up Longhorn"}),"\n",(0,a.jsx)(n.admonition,{type:"warning",children:(0,a.jsx)(n.p,{children:"Longhorn does not support ARM32."})}),"\n",(0,a.jsxs)(n.p,{children:["K3s supports ",(0,a.jsx)(n.a,{href:"https://github.com/longhorn/longhorn",children:"Longhorn"}),", an open-source distributed block storage system for Kubernetes."]}),"\n",(0,a.jsxs)(n.p,{children:["Below we cover a simple example. For more information, refer to the ",(0,a.jsx)(n.a,{href:"https://longhorn.io/docs/latest/",children:"official documentation"}),"."]}),"\n",(0,a.jsx)(n.p,{children:"Apply the longhorn.yaml to install Longhorn:"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-bash",children:"kubectl apply -f https://raw.githubusercontent.com/longhorn/longhorn/v1.6.0/deploy/longhorn.yaml\n"})}),"\n",(0,a.jsxs)(n.p,{children:["Longhorn will be installed in the namespace ",(0,a.jsx)(n.code,{children:"longhorn-system"}),"."]}),"\n",(0,a.jsx)(n.p,{children:"Apply the yaml to create the PVC and pod:"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-bash",children:"kubectl create -f pvc.yaml\nkubectl create -f pod.yaml\n"})}),"\n",(0,a.jsx)(n.h3,{id:"pvcyaml-1",children:"pvc.yaml"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n name: longhorn-volv-pvc\nspec:\n accessModes:\n - ReadWriteOnce\n storageClassName: longhorn\n resources:\n requests:\n storage: 2Gi\n"})}),"\n",(0,a.jsx)(n.h3,{id:"podyaml-1",children:"pod.yaml"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-yaml",children:"apiVersion: v1\nkind: Pod\nmetadata:\n name: volume-test\n namespace: default\nspec:\n containers:\n - name: volume-test\n image: nginx:stable-alpine\n imagePullPolicy: IfNotPresent\n volumeMounts:\n - name: volv\n mountPath: /data\n ports:\n - containerPort: 80\n volumes:\n - name: volv\n persistentVolumeClaim:\n claimName: longhorn-volv-pvc\n"})}),"\n",(0,a.jsx)(n.p,{children:"Confirm the PV and PVC are created:"}),"\n",(0,a.jsx)(n.pre,{children:(0,a.jsx)(n.code,{className:"language-bash",children:"kubectl get pv\nkubectl get pvc\n"})}),"\n",(0,a.jsx)(n.p,{children:"The status should be Bound for each."})]})}function h(e={}){const{wrapper:n}={...(0,o.a)(),...e.components};return n?(0,a.jsx)(n,{...e,children:(0,a.jsx)(d,{...e})}):d(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>l,a:()=>r});var a=t(7294);const o={},s=a.createContext(o);function r(e){const n=a.useContext(s);return a.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(o):e.components||o:r(e.components),a.createElement(s.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/43077f1d.87f5351e.js b/assets/js/43077f1d.c8371153.js
similarity index 98%
rename from assets/js/43077f1d.87f5351e.js
rename to assets/js/43077f1d.c8371153.js
index d72056c88..2486af5fa 100644
--- a/assets/js/43077f1d.87f5351e.js
+++ b/assets/js/43077f1d.c8371153.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8397],{8104:(e,t,s)=>{s.r(t),s.d(t,{assets:()=>i,contentTitle:()=>o,default:()=>h,frontMatter:()=>r,metadata:()=>l,toc:()=>a});var c=s(5893),n=s(1151);const r={title:"Cluster Access"},o=void 0,l={id:"cluster-access",title:"Cluster Access",description:"The kubeconfig file stored at /etc/rancher/k3s/k3s.yaml is used to configure access to the Kubernetes cluster. If you have installed upstream Kubernetes command line tools such as kubectl or helm you will need to configure them with the correct kubeconfig path. This can be done by either exporting the KUBECONFIG environment variable or by invoking the --kubeconfig command line flag. Refer to the examples below for details.",source:"@site/docs/cluster-access.md",sourceDirName:".",slug:"/cluster-access",permalink:"/cluster-access",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cluster-access.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Cluster Access"},sidebar:"mySidebar",previous:{title:"Architecture",permalink:"/architecture"},next:{title:"Volumes and Storage",permalink:"/storage"}},i={},a=[{value:"Accessing the Cluster from Outside with kubectl",id:"accessing-the-cluster-from-outside-with-kubectl",level:3}];function u(e){const t={code:"code",h3:"h3",p:"p",pre:"pre",...(0,n.a)(),...e.components};return(0,c.jsxs)(c.Fragment,{children:[(0,c.jsxs)(t.p,{children:["The kubeconfig file stored at ",(0,c.jsx)(t.code,{children:"/etc/rancher/k3s/k3s.yaml"})," is used to configure access to the Kubernetes cluster. If you have installed upstream Kubernetes command line tools such as kubectl or helm you will need to configure them with the correct kubeconfig path. This can be done by either exporting the ",(0,c.jsx)(t.code,{children:"KUBECONFIG"})," environment variable or by invoking the ",(0,c.jsx)(t.code,{children:"--kubeconfig"})," command line flag. Refer to the examples below for details."]}),"\n",(0,c.jsx)(t.p,{children:"Leverage the KUBECONFIG environment variable:"}),"\n",(0,c.jsx)(t.pre,{children:(0,c.jsx)(t.code,{className:"language-bash",children:"export KUBECONFIG=/etc/rancher/k3s/k3s.yaml\nkubectl get pods --all-namespaces\nhelm ls --all-namespaces\n"})}),"\n",(0,c.jsx)(t.p,{children:"Or specify the location of the kubeconfig file in the command:"}),"\n",(0,c.jsx)(t.pre,{children:(0,c.jsx)(t.code,{className:"language-bash",children:"kubectl --kubeconfig /etc/rancher/k3s/k3s.yaml get pods --all-namespaces\nhelm --kubeconfig /etc/rancher/k3s/k3s.yaml ls --all-namespaces\n"})}),"\n",(0,c.jsx)(t.h3,{id:"accessing-the-cluster-from-outside-with-kubectl",children:"Accessing the Cluster from Outside with kubectl"}),"\n",(0,c.jsxs)(t.p,{children:["Copy ",(0,c.jsx)(t.code,{children:"/etc/rancher/k3s/k3s.yaml"})," on your machine located outside the cluster as ",(0,c.jsx)(t.code,{children:"~/.kube/config"}),". Then replace the value of the ",(0,c.jsx)(t.code,{children:"server"})," field with the IP or name of your K3s server. ",(0,c.jsx)(t.code,{children:"kubectl"})," can now manage your K3s cluster."]})]})}function h(e={}){const{wrapper:t}={...(0,n.a)(),...e.components};return t?(0,c.jsx)(t,{...e,children:(0,c.jsx)(u,{...e})}):u(e)}},1151:(e,t,s)=>{s.d(t,{Z:()=>l,a:()=>o});var c=s(7294);const n={},r=c.createContext(n);function o(e){const t=c.useContext(r);return c.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function l(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:o(e.components),c.createElement(r.Provider,{value:t},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8397],{8104:(e,t,s)=>{s.r(t),s.d(t,{assets:()=>i,contentTitle:()=>o,default:()=>h,frontMatter:()=>r,metadata:()=>l,toc:()=>a});var c=s(5893),n=s(1151);const r={title:"Cluster Access"},o=void 0,l={id:"cluster-access",title:"Cluster Access",description:"The kubeconfig file stored at /etc/rancher/k3s/k3s.yaml is used to configure access to the Kubernetes cluster. If you have installed upstream Kubernetes command line tools such as kubectl or helm you will need to configure them with the correct kubeconfig path. This can be done by either exporting the KUBECONFIG environment variable or by invoking the --kubeconfig command line flag. Refer to the examples below for details.",source:"@site/docs/cluster-access.md",sourceDirName:".",slug:"/cluster-access",permalink:"/cluster-access",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cluster-access.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Cluster Access"},sidebar:"mySidebar",previous:{title:"Architecture",permalink:"/architecture"},next:{title:"Volumes and Storage",permalink:"/storage"}},i={},a=[{value:"Accessing the Cluster from Outside with kubectl",id:"accessing-the-cluster-from-outside-with-kubectl",level:3}];function u(e){const t={code:"code",h3:"h3",p:"p",pre:"pre",...(0,n.a)(),...e.components};return(0,c.jsxs)(c.Fragment,{children:[(0,c.jsxs)(t.p,{children:["The kubeconfig file stored at ",(0,c.jsx)(t.code,{children:"/etc/rancher/k3s/k3s.yaml"})," is used to configure access to the Kubernetes cluster. If you have installed upstream Kubernetes command line tools such as kubectl or helm you will need to configure them with the correct kubeconfig path. This can be done by either exporting the ",(0,c.jsx)(t.code,{children:"KUBECONFIG"})," environment variable or by invoking the ",(0,c.jsx)(t.code,{children:"--kubeconfig"})," command line flag. Refer to the examples below for details."]}),"\n",(0,c.jsx)(t.p,{children:"Leverage the KUBECONFIG environment variable:"}),"\n",(0,c.jsx)(t.pre,{children:(0,c.jsx)(t.code,{className:"language-bash",children:"export KUBECONFIG=/etc/rancher/k3s/k3s.yaml\nkubectl get pods --all-namespaces\nhelm ls --all-namespaces\n"})}),"\n",(0,c.jsx)(t.p,{children:"Or specify the location of the kubeconfig file in the command:"}),"\n",(0,c.jsx)(t.pre,{children:(0,c.jsx)(t.code,{className:"language-bash",children:"kubectl --kubeconfig /etc/rancher/k3s/k3s.yaml get pods --all-namespaces\nhelm --kubeconfig /etc/rancher/k3s/k3s.yaml ls --all-namespaces\n"})}),"\n",(0,c.jsx)(t.h3,{id:"accessing-the-cluster-from-outside-with-kubectl",children:"Accessing the Cluster from Outside with kubectl"}),"\n",(0,c.jsxs)(t.p,{children:["Copy ",(0,c.jsx)(t.code,{children:"/etc/rancher/k3s/k3s.yaml"})," on your machine located outside the cluster as ",(0,c.jsx)(t.code,{children:"~/.kube/config"}),". Then replace the value of the ",(0,c.jsx)(t.code,{children:"server"})," field with the IP or name of your K3s server. ",(0,c.jsx)(t.code,{children:"kubectl"})," can now manage your K3s cluster."]})]})}function h(e={}){const{wrapper:t}={...(0,n.a)(),...e.components};return t?(0,c.jsx)(t,{...e,children:(0,c.jsx)(u,{...e})}):u(e)}},1151:(e,t,s)=>{s.d(t,{Z:()=>l,a:()=>o});var c=s(7294);const n={},r=c.createContext(n);function o(e){const t=c.useContext(r);return c.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function l(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:o(e.components),c.createElement(r.Provider,{value:t},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/43e5cb58.d45b37d4.js b/assets/js/43e5cb58.6e3a902c.js
similarity index 99%
rename from assets/js/43e5cb58.d45b37d4.js
rename to assets/js/43e5cb58.6e3a902c.js
index 3f73da3e0..d016fe3c5 100644
--- a/assets/js/43e5cb58.d45b37d4.js
+++ b/assets/js/43e5cb58.6e3a902c.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4804],{8446:(e,n,r)=>{r.r(n),r.d(n,{assets:()=>a,contentTitle:()=>l,default:()=>h,frontMatter:()=>t,metadata:()=>s,toc:()=>d});var o=r(5893),i=r(1151);const t={title:"Networking Services"},l=void 0,s={id:"networking/networking-services",title:"Networking Services",description:"This page explains how CoreDNS, Traefik Ingress controller, Network Policy controller, and ServiceLB load balancer controller work within K3s.",source:"@site/docs/networking/networking-services.md",sourceDirName:"networking",slug:"/networking/networking-services",permalink:"/networking/networking-services",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/networking-services.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Networking Services"},sidebar:"mySidebar",previous:{title:"Multus and IPAM plugins",permalink:"/networking/multus-ipams"},next:{title:"Helm",permalink:"/helm"}},a={},d=[{value:"CoreDNS",id:"coredns",level:2},{value:"Traefik Ingress Controller",id:"traefik-ingress-controller",level:2},{value:"Network Policy Controller",id:"network-policy-controller",level:2},{value:"Service Load Balancer",id:"service-load-balancer",level:2},{value:"How ServiceLB Works",id:"how-servicelb-works",level:3},{value:"Usage",id:"usage",level:3},{value:"Controlling ServiceLB Node Selection",id:"controlling-servicelb-node-selection",level:3},{value:"Creating ServiceLB Node Pools",id:"creating-servicelb-node-pools",level:3},{value:"Disabling ServiceLB",id:"disabling-servicelb",level:3},{value:"Deploying an External Cloud Controller Manager",id:"deploying-an-external-cloud-controller-manager",level:2}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,i.a)(),...e.components};return(0,o.jsxs)(o.Fragment,{children:[(0,o.jsx)(n.p,{children:"This page explains how CoreDNS, Traefik Ingress controller, Network Policy controller, and ServiceLB load balancer controller work within K3s."}),"\n",(0,o.jsxs)(n.p,{children:["Refer to the ",(0,o.jsx)(n.a,{href:"/networking/basic-network-options",children:"Installation Network Options"})," page for details on Flannel configuration options and backend selection, or how to set up your own CNI."]}),"\n",(0,o.jsxs)(n.p,{children:["For information on which ports need to be opened for K3s, refer to the ",(0,o.jsx)(n.a,{href:"/installation/requirements#networking",children:"Networking Requirements"}),"."]}),"\n",(0,o.jsx)(n.h2,{id:"coredns",children:"CoreDNS"}),"\n",(0,o.jsxs)(n.p,{children:["CoreDNS is deployed automatically on server startup. To disable it, configure all servers in the cluster with the ",(0,o.jsx)(n.code,{children:"--disable=coredns"})," option."]}),"\n",(0,o.jsx)(n.p,{children:"If you don't install CoreDNS, you will need to install a cluster DNS provider yourself."}),"\n",(0,o.jsx)(n.h2,{id:"traefik-ingress-controller",children:"Traefik Ingress Controller"}),"\n",(0,o.jsxs)(n.p,{children:[(0,o.jsx)(n.a,{href:"https://traefik.io/",children:"Traefik"})," is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease. It simplifies networking complexity while designing, deploying, and running applications."]}),"\n",(0,o.jsx)(n.p,{children:"The Traefik ingress controller deploys a LoadBalancer Service that uses ports 80 and 443, advertises the LoadBalancer Service's External IPs in the Status of Ingress resources it manages."}),"\n",(0,o.jsx)(n.p,{children:"By default, ServiceLB will use all nodes in the cluster to host the Traefik LoadBalancer Service, meaning ports 80 and 443 will not be usable for other HostPort or NodePort pods, and Ingress resources' Status will show all cluster members' node IPs."}),"\n",(0,o.jsxs)(n.p,{children:["To restrict the nodes used by Traefik, and by extension the node IPs advertised in the Ingress Status, you can follow the instructions in the ",(0,o.jsx)(n.a,{href:"#controlling-servicelb-node-selection",children:"Controlling ServiceLB Node Selection"})," section below to limit what nodes ServiceLB runs on, or by adding some nodes to a LoadBalancer pool and restricting the Traefik Service to that pool by setting matching labels in the Traefik HelmChartConfig."]}),"\n",(0,o.jsxs)(n.p,{children:["Traefik is deployed by default when starting the server. For more information see ",(0,o.jsx)(n.a,{href:"/installation/packaged-components",children:"Managing Packaged Components"}),". The default config file is found in ",(0,o.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests/traefik.yaml"}),"."]}),"\n",(0,o.jsxs)(n.p,{children:["The ",(0,o.jsx)(n.code,{children:"traefik.yaml"})," file should not be edited manually, as K3s will replace the file with defaults at startup. Instead, you should customize Traefik by creating an additional ",(0,o.jsx)(n.code,{children:"HelmChartConfig"})," manifest in ",(0,o.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"}),". For more details and an example see ",(0,o.jsx)(n.a,{href:"/helm#customizing-packaged-components-with-helmchartconfig",children:"Customizing Packaged Components with HelmChartConfig"}),". For more information on the possible configuration values, refer to the official ",(0,o.jsx)(n.a,{href:"https://github.com/traefik/traefik-helm-chart/tree/master/traefik",children:"Traefik Helm Configuration Parameters."}),"."]}),"\n",(0,o.jsxs)(n.p,{children:["To remove Traefik from your cluster, start all servers with the ",(0,o.jsx)(n.code,{children:"--disable=traefik"})," flag."]}),"\n",(0,o.jsx)(n.p,{children:"K3s includes Traefik v2. K3s versions 1.21 through 1.30 install Traefik v2, unless an existing installation of Traefik v1 is found, in which case Traefik is not upgraded to v2. K3s versions 1.20 and earlier include Traefik v1. For more information on the specific version of Traefik included with K3s, consult the Release Notes for your version."}),"\n",(0,o.jsxs)(n.p,{children:["To migrate from an older Traefik v1 instance please refer to the ",(0,o.jsx)(n.a,{href:"https://doc.traefik.io/traefik/migration/v1-to-v2/",children:"Traefik documentation"})," and ",(0,o.jsx)(n.a,{href:"https://github.com/traefik/traefik-migration-tool",children:"migration tool"}),"."]}),"\n",(0,o.jsx)(n.h2,{id:"network-policy-controller",children:"Network Policy Controller"}),"\n",(0,o.jsxs)(n.p,{children:["K3s includes an embedded network policy controller. The underlying implementation is ",(0,o.jsx)(n.a,{href:"https://github.com/cloudnativelabs/kube-router",children:"kube-router's"})," netpol controller library (no other kube-router functionality is present) and can be found ",(0,o.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/tree/master/pkg/agent/netpol",children:"here"}),"."]}),"\n",(0,o.jsxs)(n.p,{children:["To disable it, start each server with the ",(0,o.jsx)(n.code,{children:"--disable-network-policy"})," flag."]}),"\n",(0,o.jsxs)(n.admonition,{type:"note",children:[(0,o.jsxs)(n.p,{children:["Network policy iptables rules are not removed if the K3s configuration is changed to disable the network policy controller. To clean up the configured kube-router network policy rules after disabling the network policy controller, use the ",(0,o.jsx)(n.code,{children:"k3s-killall.sh"})," script, or clean them using ",(0,o.jsx)(n.code,{children:"iptables-save"})," and ",(0,o.jsx)(n.code,{children:"iptables-restore"}),". These steps must be run manually on all nodes in the cluster."]}),(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{children:"iptables-save | grep -v KUBE-ROUTER | iptables-restore\nip6tables-save | grep -v KUBE-ROUTER | ip6tables-restore\n"})})]}),"\n",(0,o.jsx)(n.h2,{id:"service-load-balancer",children:"Service Load Balancer"}),"\n",(0,o.jsxs)(n.p,{children:["Any LoadBalancer controller can be deployed to your K3s cluster. By default, K3s provides a load balancer known as ",(0,o.jsx)(n.a,{href:"https://github.com/k3s-io/klipper-lb",children:"ServiceLB"})," (formerly Klipper LoadBalancer) that uses available host ports."]}),"\n",(0,o.jsxs)(n.p,{children:["Upstream Kubernetes allows Services of type LoadBalancer to be created, but doesn't include a default load balancer implementation, so these services will remain ",(0,o.jsx)(n.code,{children:"pending"})," until one is installed. Many hosted services require a cloud provider such as Amazon EC2 or Microsoft Azure to offer an external load balancer implementation. By contrast, the K3s ServiceLB makes it possible to use LoadBalancer Services without a cloud provider or any additional configuration."]}),"\n",(0,o.jsx)(n.h3,{id:"how-servicelb-works",children:"How ServiceLB Works"}),"\n",(0,o.jsxs)(n.p,{children:["The ServiceLB controller watches Kubernetes ",(0,o.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/services-networking/service/",children:"Services"})," with the ",(0,o.jsx)(n.code,{children:"spec.type"})," field set to ",(0,o.jsx)(n.code,{children:"LoadBalancer"}),"."]}),"\n",(0,o.jsxs)(n.p,{children:["For each LoadBalancer Service, a ",(0,o.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/",children:"DaemonSet"})," is created in the ",(0,o.jsx)(n.code,{children:"kube-system"})," namespace. This DaemonSet in turn creates Pods with a ",(0,o.jsx)(n.code,{children:"svc-"})," prefix, on each node. These Pods use iptables to forward traffic from the Pod's NodePort, to the Service's ClusterIP address and port."]}),"\n",(0,o.jsxs)(n.p,{children:["If the ServiceLB Pod runs on a node that has an external IP configured, the node's external IP is populated into the Service's ",(0,o.jsx)(n.code,{children:"status.loadBalancer.ingress"})," address list. Otherwise, the node's internal IP is used."]}),"\n",(0,o.jsx)(n.p,{children:"If multiple LoadBalancer Services are created, a separate DaemonSet is created for each Service."}),"\n",(0,o.jsx)(n.p,{children:"It is possible to expose multiple Services on the same node, as long as they use different ports."}),"\n",(0,o.jsx)(n.p,{children:"If you try to create a LoadBalancer Service that listens on port 80, the ServiceLB will try to find a free host in the cluster for port 80. If no host with that port is available, the LB will remain Pending."}),"\n",(0,o.jsx)(n.h3,{id:"usage",children:"Usage"}),"\n",(0,o.jsxs)(n.p,{children:["Create a ",(0,o.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer",children:"Service of type LoadBalancer"})," in K3s."]}),"\n",(0,o.jsx)(n.h3,{id:"controlling-servicelb-node-selection",children:"Controlling ServiceLB Node Selection"}),"\n",(0,o.jsxs)(n.p,{children:["Adding the ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/enablelb=true"})," label to one or more nodes switches the ServiceLB controller into allow-list mode, where only nodes with the label are eligible to host LoadBalancer pods. Nodes that remain unlabeled will be excluded from use by ServiceLB."]}),"\n",(0,o.jsx)(n.admonition,{type:"note",children:(0,o.jsx)(n.p,{children:"By default, nodes are not labeled. As long as all nodes remain unlabeled, all nodes with ports available will be used by ServiceLB."})}),"\n",(0,o.jsx)(n.h3,{id:"creating-servicelb-node-pools",children:"Creating ServiceLB Node Pools"}),"\n",(0,o.jsxs)(n.p,{children:["To select a particular subset of nodes to host pods for a LoadBalancer, add the ",(0,o.jsx)(n.code,{children:"enablelb"})," label to the desired nodes, and set matching ",(0,o.jsx)(n.code,{children:"lbpool"})," label values on the Nodes and Services. For example:"]}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["Label Node A and Node B with ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool1"})," and ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/enablelb=true"})]}),"\n",(0,o.jsxs)(n.li,{children:["Label Node C and Node D with ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool2"})," and ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/enablelb=true"})]}),"\n",(0,o.jsxs)(n.li,{children:["Create one LoadBalancer Service on port 443 with label ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool1"}),". The DaemonSet for this service only deploy Pods to Node A and Node B."]}),"\n",(0,o.jsxs)(n.li,{children:["Create another LoadBalancer Service on port 443 with label ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool2"}),". The DaemonSet will only deploy Pods to Node C and Node D."]}),"\n"]}),"\n",(0,o.jsx)(n.h3,{id:"disabling-servicelb",children:"Disabling ServiceLB"}),"\n",(0,o.jsxs)(n.p,{children:["To disable ServiceLB, configure all servers in the cluster with the ",(0,o.jsx)(n.code,{children:"--disable=servicelb"})," flag."]}),"\n",(0,o.jsx)(n.p,{children:"This is necessary if you wish to run a different LB, such as MetalLB."}),"\n",(0,o.jsx)(n.h2,{id:"deploying-an-external-cloud-controller-manager",children:"Deploying an External Cloud Controller Manager"}),"\n",(0,o.jsx)(n.p,{children:'In order to reduce binary size, K3s removes all "in-tree" (built-in) cloud providers. Instead, K3s provides an embedded Cloud Controller Manager (CCM) stub that does the following:'}),"\n",(0,o.jsxs)(n.ul,{children:["\n",(0,o.jsxs)(n.li,{children:["Sets node InternalIP and ExternalIP address fields based on the ",(0,o.jsx)(n.code,{children:"--node-ip"})," and ",(0,o.jsx)(n.code,{children:"--node-external-ip"})," flags."]}),"\n",(0,o.jsx)(n.li,{children:"Hosts the ServiceLB LoadBalancer controller."}),"\n",(0,o.jsxs)(n.li,{children:["Clears the ",(0,o.jsx)(n.code,{children:"node.cloudprovider.kubernetes.io/uninitialized"})," taint that is present when the cloud-provider is set to ",(0,o.jsx)(n.code,{children:"external"})]}),"\n"]}),"\n",(0,o.jsxs)(n.p,{children:["Before deploying an external CCM, you must start all K3s servers with the ",(0,o.jsx)(n.code,{children:"--disable-cloud-controller"})," flag to disable to embedded CCM."]}),"\n",(0,o.jsx)(n.admonition,{type:"note",children:(0,o.jsx)(n.p,{children:"If you disable the built-in CCM and do not deploy and properly configure an external substitute, nodes will remain tainted and unschedulable."})})]})}function h(e={}){const{wrapper:n}={...(0,i.a)(),...e.components};return n?(0,o.jsx)(n,{...e,children:(0,o.jsx)(c,{...e})}):c(e)}},1151:(e,n,r)=>{r.d(n,{Z:()=>s,a:()=>l});var o=r(7294);const i={},t=o.createContext(i);function l(e){const n=o.useContext(t);return o.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function s(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:l(e.components),o.createElement(t.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4804],{8446:(e,n,r)=>{r.r(n),r.d(n,{assets:()=>a,contentTitle:()=>l,default:()=>h,frontMatter:()=>t,metadata:()=>s,toc:()=>d});var o=r(5893),i=r(1151);const t={title:"Networking Services"},l=void 0,s={id:"networking/networking-services",title:"Networking Services",description:"This page explains how CoreDNS, Traefik Ingress controller, Network Policy controller, and ServiceLB load balancer controller work within K3s.",source:"@site/docs/networking/networking-services.md",sourceDirName:"networking",slug:"/networking/networking-services",permalink:"/networking/networking-services",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/networking/networking-services.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Networking Services"},sidebar:"mySidebar",previous:{title:"Multus and IPAM plugins",permalink:"/networking/multus-ipams"},next:{title:"Helm",permalink:"/helm"}},a={},d=[{value:"CoreDNS",id:"coredns",level:2},{value:"Traefik Ingress Controller",id:"traefik-ingress-controller",level:2},{value:"Network Policy Controller",id:"network-policy-controller",level:2},{value:"Service Load Balancer",id:"service-load-balancer",level:2},{value:"How ServiceLB Works",id:"how-servicelb-works",level:3},{value:"Usage",id:"usage",level:3},{value:"Controlling ServiceLB Node Selection",id:"controlling-servicelb-node-selection",level:3},{value:"Creating ServiceLB Node Pools",id:"creating-servicelb-node-pools",level:3},{value:"Disabling ServiceLB",id:"disabling-servicelb",level:3},{value:"Deploying an External Cloud Controller Manager",id:"deploying-an-external-cloud-controller-manager",level:2}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,i.a)(),...e.components};return(0,o.jsxs)(o.Fragment,{children:[(0,o.jsx)(n.p,{children:"This page explains how CoreDNS, Traefik Ingress controller, Network Policy controller, and ServiceLB load balancer controller work within K3s."}),"\n",(0,o.jsxs)(n.p,{children:["Refer to the ",(0,o.jsx)(n.a,{href:"/networking/basic-network-options",children:"Installation Network Options"})," page for details on Flannel configuration options and backend selection, or how to set up your own CNI."]}),"\n",(0,o.jsxs)(n.p,{children:["For information on which ports need to be opened for K3s, refer to the ",(0,o.jsx)(n.a,{href:"/installation/requirements#networking",children:"Networking Requirements"}),"."]}),"\n",(0,o.jsx)(n.h2,{id:"coredns",children:"CoreDNS"}),"\n",(0,o.jsxs)(n.p,{children:["CoreDNS is deployed automatically on server startup. To disable it, configure all servers in the cluster with the ",(0,o.jsx)(n.code,{children:"--disable=coredns"})," option."]}),"\n",(0,o.jsx)(n.p,{children:"If you don't install CoreDNS, you will need to install a cluster DNS provider yourself."}),"\n",(0,o.jsx)(n.h2,{id:"traefik-ingress-controller",children:"Traefik Ingress Controller"}),"\n",(0,o.jsxs)(n.p,{children:[(0,o.jsx)(n.a,{href:"https://traefik.io/",children:"Traefik"})," is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease. It simplifies networking complexity while designing, deploying, and running applications."]}),"\n",(0,o.jsx)(n.p,{children:"The Traefik ingress controller deploys a LoadBalancer Service that uses ports 80 and 443, advertises the LoadBalancer Service's External IPs in the Status of Ingress resources it manages."}),"\n",(0,o.jsx)(n.p,{children:"By default, ServiceLB will use all nodes in the cluster to host the Traefik LoadBalancer Service, meaning ports 80 and 443 will not be usable for other HostPort or NodePort pods, and Ingress resources' Status will show all cluster members' node IPs."}),"\n",(0,o.jsxs)(n.p,{children:["To restrict the nodes used by Traefik, and by extension the node IPs advertised in the Ingress Status, you can follow the instructions in the ",(0,o.jsx)(n.a,{href:"#controlling-servicelb-node-selection",children:"Controlling ServiceLB Node Selection"})," section below to limit what nodes ServiceLB runs on, or by adding some nodes to a LoadBalancer pool and restricting the Traefik Service to that pool by setting matching labels in the Traefik HelmChartConfig."]}),"\n",(0,o.jsxs)(n.p,{children:["Traefik is deployed by default when starting the server. For more information see ",(0,o.jsx)(n.a,{href:"/installation/packaged-components",children:"Managing Packaged Components"}),". The default config file is found in ",(0,o.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests/traefik.yaml"}),"."]}),"\n",(0,o.jsxs)(n.p,{children:["The ",(0,o.jsx)(n.code,{children:"traefik.yaml"})," file should not be edited manually, as K3s will replace the file with defaults at startup. Instead, you should customize Traefik by creating an additional ",(0,o.jsx)(n.code,{children:"HelmChartConfig"})," manifest in ",(0,o.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"}),". For more details and an example see ",(0,o.jsx)(n.a,{href:"/helm#customizing-packaged-components-with-helmchartconfig",children:"Customizing Packaged Components with HelmChartConfig"}),". For more information on the possible configuration values, refer to the official ",(0,o.jsx)(n.a,{href:"https://github.com/traefik/traefik-helm-chart/tree/master/traefik",children:"Traefik Helm Configuration Parameters."}),"."]}),"\n",(0,o.jsxs)(n.p,{children:["To remove Traefik from your cluster, start all servers with the ",(0,o.jsx)(n.code,{children:"--disable=traefik"})," flag."]}),"\n",(0,o.jsx)(n.p,{children:"K3s includes Traefik v2. K3s versions 1.21 through 1.30 install Traefik v2, unless an existing installation of Traefik v1 is found, in which case Traefik is not upgraded to v2. K3s versions 1.20 and earlier include Traefik v1. For more information on the specific version of Traefik included with K3s, consult the Release Notes for your version."}),"\n",(0,o.jsxs)(n.p,{children:["To migrate from an older Traefik v1 instance please refer to the ",(0,o.jsx)(n.a,{href:"https://doc.traefik.io/traefik/migration/v1-to-v2/",children:"Traefik documentation"})," and ",(0,o.jsx)(n.a,{href:"https://github.com/traefik/traefik-migration-tool",children:"migration tool"}),"."]}),"\n",(0,o.jsx)(n.h2,{id:"network-policy-controller",children:"Network Policy Controller"}),"\n",(0,o.jsxs)(n.p,{children:["K3s includes an embedded network policy controller. The underlying implementation is ",(0,o.jsx)(n.a,{href:"https://github.com/cloudnativelabs/kube-router",children:"kube-router's"})," netpol controller library (no other kube-router functionality is present) and can be found ",(0,o.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/tree/master/pkg/agent/netpol",children:"here"}),"."]}),"\n",(0,o.jsxs)(n.p,{children:["To disable it, start each server with the ",(0,o.jsx)(n.code,{children:"--disable-network-policy"})," flag."]}),"\n",(0,o.jsxs)(n.admonition,{type:"note",children:[(0,o.jsxs)(n.p,{children:["Network policy iptables rules are not removed if the K3s configuration is changed to disable the network policy controller. To clean up the configured kube-router network policy rules after disabling the network policy controller, use the ",(0,o.jsx)(n.code,{children:"k3s-killall.sh"})," script, or clean them using ",(0,o.jsx)(n.code,{children:"iptables-save"})," and ",(0,o.jsx)(n.code,{children:"iptables-restore"}),". These steps must be run manually on all nodes in the cluster."]}),(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{children:"iptables-save | grep -v KUBE-ROUTER | iptables-restore\nip6tables-save | grep -v KUBE-ROUTER | ip6tables-restore\n"})})]}),"\n",(0,o.jsx)(n.h2,{id:"service-load-balancer",children:"Service Load Balancer"}),"\n",(0,o.jsxs)(n.p,{children:["Any LoadBalancer controller can be deployed to your K3s cluster. By default, K3s provides a load balancer known as ",(0,o.jsx)(n.a,{href:"https://github.com/k3s-io/klipper-lb",children:"ServiceLB"})," (formerly Klipper LoadBalancer) that uses available host ports."]}),"\n",(0,o.jsxs)(n.p,{children:["Upstream Kubernetes allows Services of type LoadBalancer to be created, but doesn't include a default load balancer implementation, so these services will remain ",(0,o.jsx)(n.code,{children:"pending"})," until one is installed. Many hosted services require a cloud provider such as Amazon EC2 or Microsoft Azure to offer an external load balancer implementation. By contrast, the K3s ServiceLB makes it possible to use LoadBalancer Services without a cloud provider or any additional configuration."]}),"\n",(0,o.jsx)(n.h3,{id:"how-servicelb-works",children:"How ServiceLB Works"}),"\n",(0,o.jsxs)(n.p,{children:["The ServiceLB controller watches Kubernetes ",(0,o.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/services-networking/service/",children:"Services"})," with the ",(0,o.jsx)(n.code,{children:"spec.type"})," field set to ",(0,o.jsx)(n.code,{children:"LoadBalancer"}),"."]}),"\n",(0,o.jsxs)(n.p,{children:["For each LoadBalancer Service, a ",(0,o.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/",children:"DaemonSet"})," is created in the ",(0,o.jsx)(n.code,{children:"kube-system"})," namespace. This DaemonSet in turn creates Pods with a ",(0,o.jsx)(n.code,{children:"svc-"})," prefix, on each node. These Pods use iptables to forward traffic from the Pod's NodePort, to the Service's ClusterIP address and port."]}),"\n",(0,o.jsxs)(n.p,{children:["If the ServiceLB Pod runs on a node that has an external IP configured, the node's external IP is populated into the Service's ",(0,o.jsx)(n.code,{children:"status.loadBalancer.ingress"})," address list. Otherwise, the node's internal IP is used."]}),"\n",(0,o.jsx)(n.p,{children:"If multiple LoadBalancer Services are created, a separate DaemonSet is created for each Service."}),"\n",(0,o.jsx)(n.p,{children:"It is possible to expose multiple Services on the same node, as long as they use different ports."}),"\n",(0,o.jsx)(n.p,{children:"If you try to create a LoadBalancer Service that listens on port 80, the ServiceLB will try to find a free host in the cluster for port 80. If no host with that port is available, the LB will remain Pending."}),"\n",(0,o.jsx)(n.h3,{id:"usage",children:"Usage"}),"\n",(0,o.jsxs)(n.p,{children:["Create a ",(0,o.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer",children:"Service of type LoadBalancer"})," in K3s."]}),"\n",(0,o.jsx)(n.h3,{id:"controlling-servicelb-node-selection",children:"Controlling ServiceLB Node Selection"}),"\n",(0,o.jsxs)(n.p,{children:["Adding the ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/enablelb=true"})," label to one or more nodes switches the ServiceLB controller into allow-list mode, where only nodes with the label are eligible to host LoadBalancer pods. Nodes that remain unlabeled will be excluded from use by ServiceLB."]}),"\n",(0,o.jsx)(n.admonition,{type:"note",children:(0,o.jsx)(n.p,{children:"By default, nodes are not labeled. As long as all nodes remain unlabeled, all nodes with ports available will be used by ServiceLB."})}),"\n",(0,o.jsx)(n.h3,{id:"creating-servicelb-node-pools",children:"Creating ServiceLB Node Pools"}),"\n",(0,o.jsxs)(n.p,{children:["To select a particular subset of nodes to host pods for a LoadBalancer, add the ",(0,o.jsx)(n.code,{children:"enablelb"})," label to the desired nodes, and set matching ",(0,o.jsx)(n.code,{children:"lbpool"})," label values on the Nodes and Services. For example:"]}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["Label Node A and Node B with ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool1"})," and ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/enablelb=true"})]}),"\n",(0,o.jsxs)(n.li,{children:["Label Node C and Node D with ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool2"})," and ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/enablelb=true"})]}),"\n",(0,o.jsxs)(n.li,{children:["Create one LoadBalancer Service on port 443 with label ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool1"}),". The DaemonSet for this service only deploy Pods to Node A and Node B."]}),"\n",(0,o.jsxs)(n.li,{children:["Create another LoadBalancer Service on port 443 with label ",(0,o.jsx)(n.code,{children:"svccontroller.k3s.cattle.io/lbpool=pool2"}),". The DaemonSet will only deploy Pods to Node C and Node D."]}),"\n"]}),"\n",(0,o.jsx)(n.h3,{id:"disabling-servicelb",children:"Disabling ServiceLB"}),"\n",(0,o.jsxs)(n.p,{children:["To disable ServiceLB, configure all servers in the cluster with the ",(0,o.jsx)(n.code,{children:"--disable=servicelb"})," flag."]}),"\n",(0,o.jsx)(n.p,{children:"This is necessary if you wish to run a different LB, such as MetalLB."}),"\n",(0,o.jsx)(n.h2,{id:"deploying-an-external-cloud-controller-manager",children:"Deploying an External Cloud Controller Manager"}),"\n",(0,o.jsx)(n.p,{children:'In order to reduce binary size, K3s removes all "in-tree" (built-in) cloud providers. Instead, K3s provides an embedded Cloud Controller Manager (CCM) stub that does the following:'}),"\n",(0,o.jsxs)(n.ul,{children:["\n",(0,o.jsxs)(n.li,{children:["Sets node InternalIP and ExternalIP address fields based on the ",(0,o.jsx)(n.code,{children:"--node-ip"})," and ",(0,o.jsx)(n.code,{children:"--node-external-ip"})," flags."]}),"\n",(0,o.jsx)(n.li,{children:"Hosts the ServiceLB LoadBalancer controller."}),"\n",(0,o.jsxs)(n.li,{children:["Clears the ",(0,o.jsx)(n.code,{children:"node.cloudprovider.kubernetes.io/uninitialized"})," taint that is present when the cloud-provider is set to ",(0,o.jsx)(n.code,{children:"external"})]}),"\n"]}),"\n",(0,o.jsxs)(n.p,{children:["Before deploying an external CCM, you must start all K3s servers with the ",(0,o.jsx)(n.code,{children:"--disable-cloud-controller"})," flag to disable to embedded CCM."]}),"\n",(0,o.jsx)(n.admonition,{type:"note",children:(0,o.jsx)(n.p,{children:"If you disable the built-in CCM and do not deploy and properly configure an external substitute, nodes will remain tainted and unschedulable."})})]})}function h(e={}){const{wrapper:n}={...(0,i.a)(),...e.components};return n?(0,o.jsx)(n,{...e,children:(0,o.jsx)(c,{...e})}):c(e)}},1151:(e,n,r)=>{r.d(n,{Z:()=>s,a:()=>l});var o=r(7294);const i={},t=o.createContext(i);function l(e){const n=o.useContext(t);return o.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function s(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:l(e.components),o.createElement(t.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/4455f95b.44f701eb.js b/assets/js/4455f95b.f2e4ed70.js
similarity index 99%
rename from assets/js/4455f95b.44f701eb.js
rename to assets/js/4455f95b.f2e4ed70.js
index 1b83e9b8e..fded9fae1 100644
--- a/assets/js/4455f95b.44f701eb.js
+++ b/assets/js/4455f95b.f2e4ed70.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1340],{2644:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>h,frontMatter:()=>d,metadata:()=>i,toc:()=>o});var r=n(5893),t=n(1151);const d={title:"server"},l="k3s server",i={id:"cli/server",title:"server",description:"In this section, you'll learn how to configure the K3s server.",source:"@site/docs/cli/server.md",sourceDirName:"cli",slug:"/cli/server",permalink:"/cli/server",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/server.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"server"},sidebar:"mySidebar",previous:{title:"CLI Tools",permalink:"/cli/"},next:{title:"agent",permalink:"/cli/agent"}},c={},o=[{value:"Critical Configuration Values",id:"critical-configuration-values",level:2},{value:"Commonly Used Options",id:"commonly-used-options",level:2},{value:"Database",id:"database",level:3},{value:"Cluster Options",id:"cluster-options",level:3},{value:"Admin Kubeconfig Options",id:"admin-kubeconfig-options",level:3},{value:"Advanced Options",id:"advanced-options",level:2},{value:"Logging",id:"logging",level:3},{value:"Listeners",id:"listeners",level:3},{value:"Data",id:"data",level:3},{value:"Secrets Encryption",id:"secrets-encryption",level:3},{value:"Networking",id:"networking",level:3},{value:"Storage Class",id:"storage-class",level:3},{value:"Kubernetes Components",id:"kubernetes-components",level:3},{value:"Customized Flags for Kubernetes Processes",id:"customized-flags-for-kubernetes-processes",level:3},{value:"Experimental Options",id:"experimental-options",level:3},{value:"Deprecated Options",id:"deprecated-options",level:3},{value:"K3s Server CLI Help",id:"k3s-server-cli-help",level:2}];function a(e){const s={a:"a",blockquote:"blockquote",code:"code",em:"em",h1:"h1",h2:"h2",h3:"h3",header:"header",li:"li",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.header,{children:(0,r.jsx)(s.h1,{id:"k3s-server",children:"k3s server"})}),"\n",(0,r.jsx)(s.p,{children:"In this section, you'll learn how to configure the K3s server."}),"\n",(0,r.jsxs)(s.p,{children:["Note that servers also run an agent, so all of the configuration options listed in the ",(0,r.jsxs)(s.a,{href:"/cli/agent",children:[(0,r.jsx)(s.code,{children:"k3s agent"})," documentation"]})," are also supported on servers."]}),"\n",(0,r.jsxs)(s.p,{children:["Options are documented on this page as CLI flags, but can also be passed as configuration file options. See the ",(0,r.jsx)(s.a,{href:"/installation/configuration#configuration-file",children:"Configuration File"})," documentation for more information on using YAML configuration files."]}),"\n",(0,r.jsx)(s.h2,{id:"critical-configuration-values",children:"Critical Configuration Values"}),"\n",(0,r.jsx)(s.p,{children:"The following options must be set to the same value on all servers in the cluster. Failure to do so will cause new servers to fail to join the cluster when using embedded etcd, or incorrect operation of the cluster when using an external datastore."}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--agent-token"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--cluster-cidr"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--cluster-dns"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--cluster-domain"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--disable-cloud-controller"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--disable-helm-controller"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--disable-network-policy"})}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--disable=servicelb"})," ",(0,r.jsx)(s.em,{children:"note: other packaged components may be disabled on a per-server basis"})]}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--egress-selector-mode"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--embedded-registry"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--flannel-backend"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--flannel-external-ip"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--flannel-ipv6-masq"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--secrets-encryption"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--service-cidr"})}),"\n"]}),"\n",(0,r.jsx)(s.h2,{id:"commonly-used-options",children:"Commonly Used Options"}),"\n",(0,r.jsx)(s.h3,{id:"database",children:"Database"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-endpoint"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_ENDPOINT"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"Specify etcd, Mysql, Postgres, or Sqlite data source name"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-cafile"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_CAFILE"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"TLS Certificate Authority file used to secure datastore backend communication"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-certfile"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_CERTFILE"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"TLS certification file used to secure datastore backend communication"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-keyfile"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_KEYFILE"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"TLS key file used to secure datastore backend communication"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-expose-metrics"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"false"}),(0,r.jsx)(s.td,{children:"Expose etcd metrics to client interface"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-disable-snapshots"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"false"}),(0,r.jsx)(s.td,{children:"Disable automatic etcd snapshots"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-name"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:'"etcd-snapshot-"'}),(0,r.jsx)(s.td,{children:"Set the base name of etcd snapshots."})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-schedule-cron"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:'"0 */12 * * *"'}),(0,r.jsx)(s.td,{children:"Snapshot interval time in cron spec. eg. every 5 hours '0 */5 _ * _'"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-retention"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"5"}),(0,r.jsx)(s.td,{children:"Number of snapshots to retain"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-dir"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"${data-dir}/db/snapshots"}),(0,r.jsx)(s.td,{children:"Directory to save db snapshots"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-s3"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"Enable backup to S3"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-endpoint"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:'"s3.amazonaws.com"'}),(0,r.jsx)(s.td,{children:"S3 endpoint url"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-endpoint-ca"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"S3 custom CA cert to connect to S3 endpoint"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-s3-skip-ssl-verify"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"Disables S3 SSL certificate validation"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-access-key"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"AWS_ACCESS_KEY_ID"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"S3 access key"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-secret-key"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"AWS_SECRET_ACCESS_KEY"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"S3 secret key"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-bucket"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"S3 bucket name"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-region"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:'"us-east-1"'}),(0,r.jsx)(s.td,{children:"S3 region / bucket location (optional)"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-folder"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"S3 folder"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-s3-insecure"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"Disables S3 over HTTPS"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-timeout"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"5m0s"}),(0,r.jsx)(s.td,{children:"S3 timeout (default: 5m0s)"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"cluster-options",children:"Cluster Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--token"})," value, ",(0,r.jsx)(s.code,{children:"-t"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_TOKEN"})}),(0,r.jsx)(s.td,{children:"Shared secret used to join a server or agent to a cluster"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--token-file"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_TOKEN_FILE"})}),(0,r.jsx)(s.td,{children:"File containing the cluster-secret/token"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--agent-token"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_AGENT_TOKEN"})}),(0,r.jsx)(s.td,{children:"Shared secret used to join agents to the cluster, but not servers"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--agent-token-file"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_AGENT_TOKEN_FILE"})}),(0,r.jsx)(s.td,{children:"File containing the agent secret"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--server"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_URL"})}),(0,r.jsx)(s.td,{children:"Server to connect to, used to join a cluster"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--cluster-init"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_CLUSTER_INIT"})}),(0,r.jsx)(s.td,{children:"Initialize a new cluster using embedded Etcd"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--cluster-reset"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_CLUSTER_RESET"})}),(0,r.jsx)(s.td,{children:"Forget all peers and become sole member of a new cluster"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"admin-kubeconfig-options",children:"Admin Kubeconfig Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--write-kubeconfig value, -o"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_KUBECONFIG_OUTPUT"})}),(0,r.jsx)(s.td,{children:"Write kubeconfig for admin client to this file"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--write-kubeconfig-mode"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_KUBECONFIG_MODE"})}),(0,r.jsxs)(s.td,{children:["Write kubeconfig with this ",(0,r.jsx)(s.a,{href:"https://en.wikipedia.org/wiki/Chmod",children:"mode."})," The kubeconfig file is owned by root, and written with a default mode of 600. Changing the mode to 644 will allow it to be read by other unprivileged users on the host."]})]})]})]}),"\n",(0,r.jsx)(s.h2,{id:"advanced-options",children:"Advanced Options"}),"\n",(0,r.jsx)(s.h3,{id:"logging",children:"Logging"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--debug"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Turn on debug logs"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"-v"})," value"]}),(0,r.jsx)(s.td,{children:"0"}),(0,r.jsx)(s.td,{children:"Number for the log level verbosity"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--vmodule"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--log value, -l"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Log to file"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--alsologtostderr"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Log to standard error as well as file (if set)"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"listeners",children:"Listeners"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--bind-address"})," value"]}),(0,r.jsx)(s.td,{children:"0.0.0.0"}),(0,r.jsx)(s.td,{children:"k3s bind address"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--https-listen-port"})," value"]}),(0,r.jsx)(s.td,{children:"6443"}),(0,r.jsx)(s.td,{children:"HTTPS listen port"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--advertise-address"})," value"]}),(0,r.jsx)(s.td,{children:"node-external-ip/node-ip"}),(0,r.jsxs)(s.td,{children:["IPv4/IPv6 address that apiserver advertises for its service endpoint",(0,r.jsx)("br",{}),"Note that the primary ",(0,r.jsx)(s.code,{children:"service-cidr"})," IP range must be of the same address family as the advertised address"]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--advertise-port"})," value"]}),(0,r.jsx)(s.td,{children:"listen-port/0"}),(0,r.jsx)(s.td,{children:"Port that apiserver uses to advertise to members of the cluster"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--tls-san"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the TLS cert"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"data",children:"Data"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsx)(s.tbody,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--data-dir value, -d"})," value"]}),(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"/var/lib/rancher/k3s"})," or ",(0,r.jsx)(s.code,{children:"${HOME}/.rancher/k3s"})," if not root"]}),(0,r.jsx)(s.td,{children:"Folder to hold state"})]})})]}),"\n",(0,r.jsx)(s.h3,{id:"secrets-encryption",children:"Secrets Encryption"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsx)(s.tbody,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--secrets-encryption"})}),(0,r.jsx)(s.td,{children:"false"}),(0,r.jsx)(s.td,{children:"Enable Secret encryption at rest"})]})})]}),"\n",(0,r.jsx)(s.h3,{id:"networking",children:"Networking"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-cidr"})," value"]}),(0,r.jsx)(s.td,{children:'"10.42.0.0/16"'}),(0,r.jsx)(s.td,{children:"IPv4/IPv6 network CIDRs to use for pod IPs"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--service-cidr"})," value"]}),(0,r.jsx)(s.td,{children:'"10.43.0.0/16"'}),(0,r.jsx)(s.td,{children:"IPv4/IPv6 network CIDRs to use for service IPs"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--service-node-port-range"})," value"]}),(0,r.jsx)(s.td,{children:'"30000-32767"'}),(0,r.jsx)(s.td,{children:"Port range to reserve for services with NodePort visibility"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-dns"})," value"]}),(0,r.jsx)(s.td,{children:'"10.43.0.10"'}),(0,r.jsx)(s.td,{children:"IPv4 Cluster IP for coredns service. Should be in your service-cidr range"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-domain"})," value"]}),(0,r.jsx)(s.td,{children:'"cluster.local"'}),(0,r.jsx)(s.td,{children:"Cluster Domain"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--flannel-backend"})," value"]}),(0,r.jsx)(s.td,{children:'"vxlan"'}),(0,r.jsx)(s.td,{children:"One of 'none', 'vxlan', 'ipsec'(deprecated), 'host-gw', 'wireguard-native', or 'wireguard'(deprecated)"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--flannel-ipv6-masq"})}),(0,r.jsx)(s.td,{children:'"N/A"'}),(0,r.jsx)(s.td,{children:"Enable IPv6 masquerading for pod"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--flannel-external-ip"})}),(0,r.jsx)(s.td,{children:'"N/A"'}),(0,r.jsx)(s.td,{children:"Use node external IP addresses for Flannel traffic"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--servicelb-namespace"})," value"]}),(0,r.jsx)(s.td,{children:'"kube-system"'}),(0,r.jsx)(s.td,{children:"Namespace of the pods for the servicelb component"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--egress-selector-mode"})," value"]}),(0,r.jsx)(s.td,{children:'"agent"'}),(0,r.jsxs)(s.td,{children:["Must be one of the following: ",(0,r.jsxs)("ul",{children:[(0,r.jsx)("li",{children:"disabled: The apiserver does not use agent tunnels to communicate with nodes. Requires that servers run agents, and have direct connectivity to the kubelet on agents, or the apiserver will not be able to function access service endpoints or perform kubectl exec and kubectl logs."}),(0,r.jsx)("li",{children:"agent: The apiserver uses agent tunnels to communicate with nodes. Nodes allow the tunnel connection from loopback addresses. Requires that servers also run agents, or the apiserver will not be able to access service endpoints. The historical default for k3s."}),(0,r.jsx)("li",{children:" pod: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Nodes. Nodes allow the tunnel connection from loopback addresses, or a CIDR assigned to their node."}),(0,r.jsx)("li",{children:" cluster: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Endpoints. Nodes allow the tunnel connection from loopback addresses, or the configured cluster CIDR range."})]})]})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"storage-class",children:"Storage Class"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsx)(s.tbody,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--default-local-storage-path"})," value"]}),(0,r.jsx)(s.td,{children:"Default local storage path for local provisioner storage class"})]})})]}),"\n",(0,r.jsx)(s.h3,{id:"kubernetes-components",children:"Kubernetes Components"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--disable"})," value"]}),(0,r.jsxs)(s.td,{children:['See "',(0,r.jsxs)(s.a,{href:"/installation/packaged-components#using-the---disable-flag",children:["Using the ",(0,r.jsx)(s.code,{children:"--disable"})," flag"]}),'"']})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-scheduler"})}),(0,r.jsx)(s.td,{children:"Disable Kubernetes default scheduler"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-cloud-controller"})}),(0,r.jsx)(s.td,{children:"Disable k3s default cloud controller manager"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-kube-proxy"})}),(0,r.jsx)(s.td,{children:"Disable running kube-proxy"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-network-policy"})}),(0,r.jsx)(s.td,{children:"Disable k3s default network policy controller"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-helm-controller"})}),(0,r.jsx)(s.td,{children:"Disable Helm controller"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"customized-flags-for-kubernetes-processes",children:"Customized Flags for Kubernetes Processes"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for etcd process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-apiserver-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-apiserver process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-scheduler-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-scheduler process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-controller-manager-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-controller-manager process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-cloud-controller-manager-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-cloud-controller-manager process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kubelet-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kubelet process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-proxy-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-proxy process"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"experimental-options",children:"Experimental Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--rootless"})}),(0,r.jsx)(s.td,{children:"Run rootless"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--enable-pprof"})}),(0,r.jsx)(s.td,{children:"Enable pprof endpoint on supervisor port"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--docker"})}),(0,r.jsx)(s.td,{children:"Use cri-dockerd instead of containerd"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--prefer-bundled-bin"})}),(0,r.jsx)(s.td,{children:"Prefer bundled userspace binaries over host binaries"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-agent"})}),(0,r.jsxs)(s.td,{children:['See "',(0,r.jsx)(s.a,{href:"/advanced#running-agentless-servers-experimental",children:"Running Agentless Servers (Experimental)"}),'"']})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--embedded-registry"})}),(0,r.jsxs)(s.td,{children:['See "',(0,r.jsx)(s.a,{href:"/installation/registry-mirror",children:"Embedded Registry Mirror"}),'"']})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"deprecated-options",children:"Deprecated Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--no-flannel"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--flannel-backend=none"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--no-deploy"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--disable"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-secret"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_CLUSTER_SECRET"})}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--token"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--flannel-backend"})," wireguard"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--flannel-backend=wireguard-native"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--flannel-backend"})," value=option1=value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--flannel-conf"})," to specify the flannel config file with the backend config"]})]})]})]}),"\n",(0,r.jsx)(s.h2,{id:"k3s-server-cli-help",children:"K3s Server CLI Help"}),"\n",(0,r.jsxs)(s.blockquote,{children:["\n",(0,r.jsxs)(s.p,{children:["If an option appears in brackets below, for example ",(0,r.jsx)(s.code,{children:"[$K3S_TOKEN]"}),", it means that the option can be passed in as an environment variable of that name."]}),"\n"]}),"\n",(0,r.jsx)(s.pre,{children:(0,r.jsx)(s.code,{className:"language-bash",children:'NAME:\n k3s server - Run management server\n\nUSAGE:\n k3s server [OPTIONS]\n\nOPTIONS:\n --config FILE, -c FILE (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]\n --debug (logging) Turn on debug logs [$K3S_DEBUG]\n -v value (logging) Number for the log level verbosity (default: 0)\n --vmodule value (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging\n --log value, -l value (logging) Log to file\n --alsologtostderr (logging) Log to standard error as well as file (if set)\n --bind-address value (listener) k3s bind address (default: 0.0.0.0)\n --https-listen-port value (listener) HTTPS listen port (default: 6443)\n --advertise-address value (listener) IPv4 address that apiserver uses to advertise to members of the cluster (default: node-external-ip/node-ip)\n --advertise-port value (listener) Port that apiserver uses to advertise to members of the cluster (default: listen-port) (default: 0)\n --tls-san value (listener) Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert\n --data-dir value, -d value (data) Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)\n --cluster-cidr value (networking) IPv4/IPv6 network CIDRs to use for pod IPs (default: 10.42.0.0/16)\n --service-cidr value (networking) IPv4/IPv6 network CIDRs to use for service IPs (default: 10.43.0.0/16)\n --service-node-port-range value (networking) Port range to reserve for services with NodePort visibility (default: "30000-32767")\n --cluster-dns value (networking) IPv4 Cluster IP for coredns service. Should be in your service-cidr range (default: 10.43.0.10)\n --cluster-domain value (networking) Cluster Domain (default: "cluster.local")\n --flannel-backend value (networking) backend<=option1=val1,option2=val2> where backend is one of \'none\', \'vxlan\', \'ipsec\' (deprecated), \'host-gw\', \'wireguard-native\', \'wireguard\' (deprecated) (default: "vxlan")\n --flannel-ipv6-masq (networking) Enable IPv6 masquerading for pod\n --flannel-external-ip (networking) Use node external IP addresses for Flannel traffic\n --egress-selector-mode value (networking) One of \'agent\', \'cluster\', \'pod\', \'disabled\' (default: "agent")\n --servicelb-namespace value (networking) Namespace of the pods for the servicelb component (default: "kube-system")\n --write-kubeconfig value, -o value (client) Write kubeconfig for admin client to this file [$K3S_KUBECONFIG_OUTPUT]\n --write-kubeconfig-mode value (client) Write kubeconfig with this mode [$K3S_KUBECONFIG_MODE]\n --token value, -t value (cluster) Shared secret used to join a server or agent to a cluster [$K3S_TOKEN]\n --token-file value (cluster) File containing the token [$K3S_TOKEN_FILE]\n --agent-token value (cluster) Shared secret used to join agents to the cluster, but not servers [$K3S_AGENT_TOKEN]\n --agent-token-file value (cluster) File containing the agent secret [$K3S_AGENT_TOKEN_FILE]\n --server value, -s value (cluster) Server to connect to, used to join a cluster [$K3S_URL]\n --cluster-init (cluster) Initialize a new cluster using embedded Etcd [$K3S_CLUSTER_INIT]\n --cluster-reset (cluster) Forget all peers and become sole member of a new cluster [$K3S_CLUSTER_RESET]\n --cluster-reset-restore-path value (db) Path to snapshot file to be restored\n --kube-apiserver-arg value (flags) Customized flag for kube-apiserver process\n --etcd-arg value (flags) Customized flag for etcd process\n --kube-controller-manager-arg value (flags) Customized flag for kube-controller-manager process\n --kube-scheduler-arg value (flags) Customized flag for kube-scheduler process\n --kube-cloud-controller-manager-arg value (flags) Customized flag for kube-cloud-controller-manager process\n --datastore-endpoint value (db) Specify etcd, Mysql, Postgres, or Sqlite (default) data source name [$K3S_DATASTORE_ENDPOINT]\n --datastore-cafile value (db) TLS Certificate Authority file used to secure datastore backend communication [$K3S_DATASTORE_CAFILE]\n --datastore-certfile value (db) TLS certification file used to secure datastore backend communication [$K3S_DATASTORE_CERTFILE]\n --datastore-keyfile value (db) TLS key file used to secure datastore backend communication [$K3S_DATASTORE_KEYFILE]\n --etcd-expose-metrics (db) Expose etcd metrics to client interface. (default: false)\n --etcd-disable-snapshots (db) Disable automatic etcd snapshots\n --etcd-snapshot-name value (db) Set the base name of etcd snapshots (default: etcd-snapshot-) (default: "etcd-snapshot")\n --etcd-snapshot-schedule-cron value (db) Snapshot interval time in cron spec. eg. every 5 hours \'* */5 * * *\' (default: "0 */12 * * *")\n --etcd-snapshot-retention value (db) Number of snapshots to retain (default: 5)\n --etcd-snapshot-dir value (db) Directory to save db snapshots. (default: ${data-dir}/db/snapshots)\n --etcd-snapshot-compress (db) Compress etcd snapshot\n --etcd-s3 (db) Enable backup to S3\n --etcd-s3-endpoint value (db) S3 endpoint url (default: "s3.amazonaws.com")\n --etcd-s3-endpoint-ca value (db) S3 custom CA cert to connect to S3 endpoint\n --etcd-s3-skip-ssl-verify (db) Disables S3 SSL certificate validation\n --etcd-s3-access-key value (db) S3 access key [$AWS_ACCESS_KEY_ID]\n --etcd-s3-secret-key value (db) S3 secret key [$AWS_SECRET_ACCESS_KEY]\n --etcd-s3-bucket value (db) S3 bucket name\n --etcd-s3-region value (db) S3 region / bucket location (optional) (default: "us-east-1")\n --etcd-s3-folder value (db) S3 folder\n --etcd-s3-insecure (db) Disables S3 over HTTPS\n --etcd-s3-timeout value (db) S3 timeout (default: 5m0s)\n --default-local-storage-path value (storage) Default local storage path for local provisioner storage class\n --disable value (components) Do not deploy packaged components and delete any deployed components (valid items: coredns, servicelb, traefik, local-storage, metrics-server)\n --disable-scheduler (components) Disable Kubernetes default scheduler\n --disable-cloud-controller (components) Disable k3s default cloud controller manager\n --disable-kube-proxy (components) Disable running kube-proxy\n --disable-network-policy (components) Disable k3s default network policy controller\n --disable-helm-controller (components) Disable Helm controller\n --node-name value (agent/node) Node name [$K3S_NODE_NAME]\n --with-node-id (agent/node) Append id to node name\n --node-label value (agent/node) Registering and starting kubelet with set of labels\n --node-taint value (agent/node) Registering kubelet with set of taints\n --image-credential-provider-bin-dir value (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")\n --image-credential-provider-config value (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")\n --docker (agent/runtime) (experimental) Use cri-dockerd instead of containerd\n --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path\n --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: "rancher/mirrored-pause:3.6")\n --snapshotter value (agent/runtime) Override default containerd snapshotter (default: "overlayfs")\n --private-registry value (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml")\n --system-default-registry value (agent/runtime) Private registry to be used for all system images [$K3S_SYSTEM_DEFAULT_REGISTRY]\n --node-ip value, -i value (agent/networking) IPv4/IPv6 addresses to advertise for node\n --node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node\n --resolv-conf value (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF]\n --flannel-iface value (agent/networking) Override default flannel interface\n --flannel-conf value (agent/networking) Override default flannel config file\n --flannel-cni-conf value (agent/networking) Override default flannel cni config file\n --kubelet-arg value (agent/flags) Customized flag for kubelet process\n --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process\n --protect-kernel-defaults (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.\n --secrets-encryption Enable secret encryption at rest\n --enable-pprof (experimental) Enable pprof endpoint on supervisor port\n --rootless (experimental) Run rootless\n --prefer-bundled-bin (experimental) Prefer bundled userspace binaries over host binaries\n --selinux (agent/node) Enable SELinux in containerd [$K3S_SELINUX]\n --lb-server-port value (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]\n'})})]})}function h(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,n)=>{n.d(s,{Z:()=>i,a:()=>l});var r=n(7294);const t={},d=r.createContext(t);function l(e){const s=r.useContext(d);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(d.Provider,{value:s},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1340],{2644:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>h,frontMatter:()=>d,metadata:()=>i,toc:()=>o});var r=n(5893),t=n(1151);const d={title:"server"},l="k3s server",i={id:"cli/server",title:"server",description:"In this section, you'll learn how to configure the K3s server.",source:"@site/docs/cli/server.md",sourceDirName:"cli",slug:"/cli/server",permalink:"/cli/server",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/server.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"server"},sidebar:"mySidebar",previous:{title:"CLI Tools",permalink:"/cli/"},next:{title:"agent",permalink:"/cli/agent"}},c={},o=[{value:"Critical Configuration Values",id:"critical-configuration-values",level:2},{value:"Commonly Used Options",id:"commonly-used-options",level:2},{value:"Database",id:"database",level:3},{value:"Cluster Options",id:"cluster-options",level:3},{value:"Admin Kubeconfig Options",id:"admin-kubeconfig-options",level:3},{value:"Advanced Options",id:"advanced-options",level:2},{value:"Logging",id:"logging",level:3},{value:"Listeners",id:"listeners",level:3},{value:"Data",id:"data",level:3},{value:"Secrets Encryption",id:"secrets-encryption",level:3},{value:"Networking",id:"networking",level:3},{value:"Storage Class",id:"storage-class",level:3},{value:"Kubernetes Components",id:"kubernetes-components",level:3},{value:"Customized Flags for Kubernetes Processes",id:"customized-flags-for-kubernetes-processes",level:3},{value:"Experimental Options",id:"experimental-options",level:3},{value:"Deprecated Options",id:"deprecated-options",level:3},{value:"K3s Server CLI Help",id:"k3s-server-cli-help",level:2}];function a(e){const s={a:"a",blockquote:"blockquote",code:"code",em:"em",h1:"h1",h2:"h2",h3:"h3",header:"header",li:"li",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.header,{children:(0,r.jsx)(s.h1,{id:"k3s-server",children:"k3s server"})}),"\n",(0,r.jsx)(s.p,{children:"In this section, you'll learn how to configure the K3s server."}),"\n",(0,r.jsxs)(s.p,{children:["Note that servers also run an agent, so all of the configuration options listed in the ",(0,r.jsxs)(s.a,{href:"/cli/agent",children:[(0,r.jsx)(s.code,{children:"k3s agent"})," documentation"]})," are also supported on servers."]}),"\n",(0,r.jsxs)(s.p,{children:["Options are documented on this page as CLI flags, but can also be passed as configuration file options. See the ",(0,r.jsx)(s.a,{href:"/installation/configuration#configuration-file",children:"Configuration File"})," documentation for more information on using YAML configuration files."]}),"\n",(0,r.jsx)(s.h2,{id:"critical-configuration-values",children:"Critical Configuration Values"}),"\n",(0,r.jsx)(s.p,{children:"The following options must be set to the same value on all servers in the cluster. Failure to do so will cause new servers to fail to join the cluster when using embedded etcd, or incorrect operation of the cluster when using an external datastore."}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--agent-token"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--cluster-cidr"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--cluster-dns"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--cluster-domain"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--disable-cloud-controller"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--disable-helm-controller"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--disable-network-policy"})}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--disable=servicelb"})," ",(0,r.jsx)(s.em,{children:"note: other packaged components may be disabled on a per-server basis"})]}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--egress-selector-mode"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--embedded-registry"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--flannel-backend"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--flannel-external-ip"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--flannel-ipv6-masq"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--secrets-encryption"})}),"\n",(0,r.jsx)(s.li,{children:(0,r.jsx)(s.code,{children:"--service-cidr"})}),"\n"]}),"\n",(0,r.jsx)(s.h2,{id:"commonly-used-options",children:"Commonly Used Options"}),"\n",(0,r.jsx)(s.h3,{id:"database",children:"Database"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-endpoint"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_ENDPOINT"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"Specify etcd, Mysql, Postgres, or Sqlite data source name"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-cafile"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_CAFILE"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"TLS Certificate Authority file used to secure datastore backend communication"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-certfile"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_CERTFILE"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"TLS certification file used to secure datastore backend communication"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--datastore-keyfile"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_DATASTORE_KEYFILE"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"TLS key file used to secure datastore backend communication"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-expose-metrics"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"false"}),(0,r.jsx)(s.td,{children:"Expose etcd metrics to client interface"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-disable-snapshots"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"false"}),(0,r.jsx)(s.td,{children:"Disable automatic etcd snapshots"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-name"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:'"etcd-snapshot-"'}),(0,r.jsx)(s.td,{children:"Set the base name of etcd snapshots."})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-schedule-cron"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:'"0 */12 * * *"'}),(0,r.jsx)(s.td,{children:"Snapshot interval time in cron spec. eg. every 5 hours '0 */5 _ * _'"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-retention"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"5"}),(0,r.jsx)(s.td,{children:"Number of snapshots to retain"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-snapshot-dir"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"${data-dir}/db/snapshots"}),(0,r.jsx)(s.td,{children:"Directory to save db snapshots"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-s3"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"Enable backup to S3"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-endpoint"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:'"s3.amazonaws.com"'}),(0,r.jsx)(s.td,{children:"S3 endpoint url"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-endpoint-ca"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"S3 custom CA cert to connect to S3 endpoint"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-s3-skip-ssl-verify"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"Disables S3 SSL certificate validation"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-access-key"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"AWS_ACCESS_KEY_ID"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"S3 access key"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-secret-key"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"AWS_SECRET_ACCESS_KEY"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"S3 secret key"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-bucket"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"S3 bucket name"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-region"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:'"us-east-1"'}),(0,r.jsx)(s.td,{children:"S3 region / bucket location (optional)"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-folder"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"S3 folder"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--etcd-s3-insecure"})}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"Disables S3 over HTTPS"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-s3-timeout"})," value"]}),(0,r.jsx)(s.td,{}),(0,r.jsx)(s.td,{children:"5m0s"}),(0,r.jsx)(s.td,{children:"S3 timeout (default: 5m0s)"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"cluster-options",children:"Cluster Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--token"})," value, ",(0,r.jsx)(s.code,{children:"-t"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_TOKEN"})}),(0,r.jsx)(s.td,{children:"Shared secret used to join a server or agent to a cluster"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--token-file"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_TOKEN_FILE"})}),(0,r.jsx)(s.td,{children:"File containing the cluster-secret/token"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--agent-token"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_AGENT_TOKEN"})}),(0,r.jsx)(s.td,{children:"Shared secret used to join agents to the cluster, but not servers"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--agent-token-file"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_AGENT_TOKEN_FILE"})}),(0,r.jsx)(s.td,{children:"File containing the agent secret"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--server"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_URL"})}),(0,r.jsx)(s.td,{children:"Server to connect to, used to join a cluster"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--cluster-init"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_CLUSTER_INIT"})}),(0,r.jsx)(s.td,{children:"Initialize a new cluster using embedded Etcd"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--cluster-reset"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_CLUSTER_RESET"})}),(0,r.jsx)(s.td,{children:"Forget all peers and become sole member of a new cluster"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"admin-kubeconfig-options",children:"Admin Kubeconfig Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--write-kubeconfig value, -o"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_KUBECONFIG_OUTPUT"})}),(0,r.jsx)(s.td,{children:"Write kubeconfig for admin client to this file"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--write-kubeconfig-mode"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_KUBECONFIG_MODE"})}),(0,r.jsxs)(s.td,{children:["Write kubeconfig with this ",(0,r.jsx)(s.a,{href:"https://en.wikipedia.org/wiki/Chmod",children:"mode."})," The kubeconfig file is owned by root, and written with a default mode of 600. Changing the mode to 644 will allow it to be read by other unprivileged users on the host."]})]})]})]}),"\n",(0,r.jsx)(s.h2,{id:"advanced-options",children:"Advanced Options"}),"\n",(0,r.jsx)(s.h3,{id:"logging",children:"Logging"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--debug"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Turn on debug logs"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"-v"})," value"]}),(0,r.jsx)(s.td,{children:"0"}),(0,r.jsx)(s.td,{children:"Number for the log level verbosity"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--vmodule"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--log value, -l"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Log to file"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--alsologtostderr"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Log to standard error as well as file (if set)"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"listeners",children:"Listeners"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--bind-address"})," value"]}),(0,r.jsx)(s.td,{children:"0.0.0.0"}),(0,r.jsx)(s.td,{children:"k3s bind address"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--https-listen-port"})," value"]}),(0,r.jsx)(s.td,{children:"6443"}),(0,r.jsx)(s.td,{children:"HTTPS listen port"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--advertise-address"})," value"]}),(0,r.jsx)(s.td,{children:"node-external-ip/node-ip"}),(0,r.jsxs)(s.td,{children:["IPv4/IPv6 address that apiserver advertises for its service endpoint",(0,r.jsx)("br",{}),"Note that the primary ",(0,r.jsx)(s.code,{children:"service-cidr"})," IP range must be of the same address family as the advertised address"]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--advertise-port"})," value"]}),(0,r.jsx)(s.td,{children:"listen-port/0"}),(0,r.jsx)(s.td,{children:"Port that apiserver uses to advertise to members of the cluster"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--tls-san"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsx)(s.td,{children:"Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the TLS cert"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"data",children:"Data"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsx)(s.tbody,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--data-dir value, -d"})," value"]}),(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"/var/lib/rancher/k3s"})," or ",(0,r.jsx)(s.code,{children:"${HOME}/.rancher/k3s"})," if not root"]}),(0,r.jsx)(s.td,{children:"Folder to hold state"})]})})]}),"\n",(0,r.jsx)(s.h3,{id:"secrets-encryption",children:"Secrets Encryption"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsx)(s.tbody,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--secrets-encryption"})}),(0,r.jsx)(s.td,{children:"false"}),(0,r.jsx)(s.td,{children:"Enable Secret encryption at rest"})]})})]}),"\n",(0,r.jsx)(s.h3,{id:"networking",children:"Networking"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Default"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-cidr"})," value"]}),(0,r.jsx)(s.td,{children:'"10.42.0.0/16"'}),(0,r.jsx)(s.td,{children:"IPv4/IPv6 network CIDRs to use for pod IPs"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--service-cidr"})," value"]}),(0,r.jsx)(s.td,{children:'"10.43.0.0/16"'}),(0,r.jsx)(s.td,{children:"IPv4/IPv6 network CIDRs to use for service IPs"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--service-node-port-range"})," value"]}),(0,r.jsx)(s.td,{children:'"30000-32767"'}),(0,r.jsx)(s.td,{children:"Port range to reserve for services with NodePort visibility"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-dns"})," value"]}),(0,r.jsx)(s.td,{children:'"10.43.0.10"'}),(0,r.jsx)(s.td,{children:"IPv4 Cluster IP for coredns service. Should be in your service-cidr range"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-domain"})," value"]}),(0,r.jsx)(s.td,{children:'"cluster.local"'}),(0,r.jsx)(s.td,{children:"Cluster Domain"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--flannel-backend"})," value"]}),(0,r.jsx)(s.td,{children:'"vxlan"'}),(0,r.jsx)(s.td,{children:"One of 'none', 'vxlan', 'ipsec'(deprecated), 'host-gw', 'wireguard-native', or 'wireguard'(deprecated)"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--flannel-ipv6-masq"})}),(0,r.jsx)(s.td,{children:'"N/A"'}),(0,r.jsx)(s.td,{children:"Enable IPv6 masquerading for pod"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--flannel-external-ip"})}),(0,r.jsx)(s.td,{children:'"N/A"'}),(0,r.jsx)(s.td,{children:"Use node external IP addresses for Flannel traffic"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--servicelb-namespace"})," value"]}),(0,r.jsx)(s.td,{children:'"kube-system"'}),(0,r.jsx)(s.td,{children:"Namespace of the pods for the servicelb component"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--egress-selector-mode"})," value"]}),(0,r.jsx)(s.td,{children:'"agent"'}),(0,r.jsxs)(s.td,{children:["Must be one of the following: ",(0,r.jsxs)("ul",{children:[(0,r.jsx)("li",{children:"disabled: The apiserver does not use agent tunnels to communicate with nodes. Requires that servers run agents, and have direct connectivity to the kubelet on agents, or the apiserver will not be able to function access service endpoints or perform kubectl exec and kubectl logs."}),(0,r.jsx)("li",{children:"agent: The apiserver uses agent tunnels to communicate with nodes. Nodes allow the tunnel connection from loopback addresses. Requires that servers also run agents, or the apiserver will not be able to access service endpoints. The historical default for k3s."}),(0,r.jsx)("li",{children:" pod: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Nodes. Nodes allow the tunnel connection from loopback addresses, or a CIDR assigned to their node."}),(0,r.jsx)("li",{children:" cluster: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Endpoints. Nodes allow the tunnel connection from loopback addresses, or the configured cluster CIDR range."})]})]})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"storage-class",children:"Storage Class"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsx)(s.tbody,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--default-local-storage-path"})," value"]}),(0,r.jsx)(s.td,{children:"Default local storage path for local provisioner storage class"})]})})]}),"\n",(0,r.jsx)(s.h3,{id:"kubernetes-components",children:"Kubernetes Components"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--disable"})," value"]}),(0,r.jsxs)(s.td,{children:['See "',(0,r.jsxs)(s.a,{href:"/installation/packaged-components#using-the---disable-flag",children:["Using the ",(0,r.jsx)(s.code,{children:"--disable"})," flag"]}),'"']})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-scheduler"})}),(0,r.jsx)(s.td,{children:"Disable Kubernetes default scheduler"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-cloud-controller"})}),(0,r.jsx)(s.td,{children:"Disable k3s default cloud controller manager"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-kube-proxy"})}),(0,r.jsx)(s.td,{children:"Disable running kube-proxy"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-network-policy"})}),(0,r.jsx)(s.td,{children:"Disable k3s default network policy controller"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-helm-controller"})}),(0,r.jsx)(s.td,{children:"Disable Helm controller"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"customized-flags-for-kubernetes-processes",children:"Customized Flags for Kubernetes Processes"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--etcd-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for etcd process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-apiserver-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-apiserver process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-scheduler-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-scheduler process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-controller-manager-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-controller-manager process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-cloud-controller-manager-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-cloud-controller-manager process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kubelet-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kubelet process"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--kube-proxy-arg"})," value"]}),(0,r.jsx)(s.td,{children:"Customized flag for kube-proxy process"})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"experimental-options",children:"Experimental Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--rootless"})}),(0,r.jsx)(s.td,{children:"Run rootless"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--enable-pprof"})}),(0,r.jsx)(s.td,{children:"Enable pprof endpoint on supervisor port"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--docker"})}),(0,r.jsx)(s.td,{children:"Use cri-dockerd instead of containerd"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--prefer-bundled-bin"})}),(0,r.jsx)(s.td,{children:"Prefer bundled userspace binaries over host binaries"})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--disable-agent"})}),(0,r.jsxs)(s.td,{children:['See "',(0,r.jsx)(s.a,{href:"/advanced#running-agentless-servers-experimental",children:"Running Agentless Servers (Experimental)"}),'"']})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--embedded-registry"})}),(0,r.jsxs)(s.td,{children:['See "',(0,r.jsx)(s.a,{href:"/installation/registry-mirror",children:"Embedded Registry Mirror"}),'"']})]})]})]}),"\n",(0,r.jsx)(s.h3,{id:"deprecated-options",children:"Deprecated Options"}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Flag"}),(0,r.jsx)(s.th,{children:"Environment Variable"}),(0,r.jsx)(s.th,{children:"Description"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"--no-flannel"})}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--flannel-backend=none"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--no-deploy"})," value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--disable"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--cluster-secret"})," value"]}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.code,{children:"K3S_CLUSTER_SECRET"})}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--token"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--flannel-backend"})," wireguard"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--flannel-backend=wireguard-native"})]})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsxs)(s.td,{children:[(0,r.jsx)(s.code,{children:"--flannel-backend"})," value=option1=value"]}),(0,r.jsx)(s.td,{children:"N/A"}),(0,r.jsxs)(s.td,{children:["Use ",(0,r.jsx)(s.code,{children:"--flannel-conf"})," to specify the flannel config file with the backend config"]})]})]})]}),"\n",(0,r.jsx)(s.h2,{id:"k3s-server-cli-help",children:"K3s Server CLI Help"}),"\n",(0,r.jsxs)(s.blockquote,{children:["\n",(0,r.jsxs)(s.p,{children:["If an option appears in brackets below, for example ",(0,r.jsx)(s.code,{children:"[$K3S_TOKEN]"}),", it means that the option can be passed in as an environment variable of that name."]}),"\n"]}),"\n",(0,r.jsx)(s.pre,{children:(0,r.jsx)(s.code,{className:"language-bash",children:'NAME:\n k3s server - Run management server\n\nUSAGE:\n k3s server [OPTIONS]\n\nOPTIONS:\n --config FILE, -c FILE (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]\n --debug (logging) Turn on debug logs [$K3S_DEBUG]\n -v value (logging) Number for the log level verbosity (default: 0)\n --vmodule value (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging\n --log value, -l value (logging) Log to file\n --alsologtostderr (logging) Log to standard error as well as file (if set)\n --bind-address value (listener) k3s bind address (default: 0.0.0.0)\n --https-listen-port value (listener) HTTPS listen port (default: 6443)\n --advertise-address value (listener) IPv4 address that apiserver uses to advertise to members of the cluster (default: node-external-ip/node-ip)\n --advertise-port value (listener) Port that apiserver uses to advertise to members of the cluster (default: listen-port) (default: 0)\n --tls-san value (listener) Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert\n --data-dir value, -d value (data) Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)\n --cluster-cidr value (networking) IPv4/IPv6 network CIDRs to use for pod IPs (default: 10.42.0.0/16)\n --service-cidr value (networking) IPv4/IPv6 network CIDRs to use for service IPs (default: 10.43.0.0/16)\n --service-node-port-range value (networking) Port range to reserve for services with NodePort visibility (default: "30000-32767")\n --cluster-dns value (networking) IPv4 Cluster IP for coredns service. Should be in your service-cidr range (default: 10.43.0.10)\n --cluster-domain value (networking) Cluster Domain (default: "cluster.local")\n --flannel-backend value (networking) backend<=option1=val1,option2=val2> where backend is one of \'none\', \'vxlan\', \'ipsec\' (deprecated), \'host-gw\', \'wireguard-native\', \'wireguard\' (deprecated) (default: "vxlan")\n --flannel-ipv6-masq (networking) Enable IPv6 masquerading for pod\n --flannel-external-ip (networking) Use node external IP addresses for Flannel traffic\n --egress-selector-mode value (networking) One of \'agent\', \'cluster\', \'pod\', \'disabled\' (default: "agent")\n --servicelb-namespace value (networking) Namespace of the pods for the servicelb component (default: "kube-system")\n --write-kubeconfig value, -o value (client) Write kubeconfig for admin client to this file [$K3S_KUBECONFIG_OUTPUT]\n --write-kubeconfig-mode value (client) Write kubeconfig with this mode [$K3S_KUBECONFIG_MODE]\n --token value, -t value (cluster) Shared secret used to join a server or agent to a cluster [$K3S_TOKEN]\n --token-file value (cluster) File containing the token [$K3S_TOKEN_FILE]\n --agent-token value (cluster) Shared secret used to join agents to the cluster, but not servers [$K3S_AGENT_TOKEN]\n --agent-token-file value (cluster) File containing the agent secret [$K3S_AGENT_TOKEN_FILE]\n --server value, -s value (cluster) Server to connect to, used to join a cluster [$K3S_URL]\n --cluster-init (cluster) Initialize a new cluster using embedded Etcd [$K3S_CLUSTER_INIT]\n --cluster-reset (cluster) Forget all peers and become sole member of a new cluster [$K3S_CLUSTER_RESET]\n --cluster-reset-restore-path value (db) Path to snapshot file to be restored\n --kube-apiserver-arg value (flags) Customized flag for kube-apiserver process\n --etcd-arg value (flags) Customized flag for etcd process\n --kube-controller-manager-arg value (flags) Customized flag for kube-controller-manager process\n --kube-scheduler-arg value (flags) Customized flag for kube-scheduler process\n --kube-cloud-controller-manager-arg value (flags) Customized flag for kube-cloud-controller-manager process\n --datastore-endpoint value (db) Specify etcd, Mysql, Postgres, or Sqlite (default) data source name [$K3S_DATASTORE_ENDPOINT]\n --datastore-cafile value (db) TLS Certificate Authority file used to secure datastore backend communication [$K3S_DATASTORE_CAFILE]\n --datastore-certfile value (db) TLS certification file used to secure datastore backend communication [$K3S_DATASTORE_CERTFILE]\n --datastore-keyfile value (db) TLS key file used to secure datastore backend communication [$K3S_DATASTORE_KEYFILE]\n --etcd-expose-metrics (db) Expose etcd metrics to client interface. (default: false)\n --etcd-disable-snapshots (db) Disable automatic etcd snapshots\n --etcd-snapshot-name value (db) Set the base name of etcd snapshots (default: etcd-snapshot-) (default: "etcd-snapshot")\n --etcd-snapshot-schedule-cron value (db) Snapshot interval time in cron spec. eg. every 5 hours \'* */5 * * *\' (default: "0 */12 * * *")\n --etcd-snapshot-retention value (db) Number of snapshots to retain (default: 5)\n --etcd-snapshot-dir value (db) Directory to save db snapshots. (default: ${data-dir}/db/snapshots)\n --etcd-snapshot-compress (db) Compress etcd snapshot\n --etcd-s3 (db) Enable backup to S3\n --etcd-s3-endpoint value (db) S3 endpoint url (default: "s3.amazonaws.com")\n --etcd-s3-endpoint-ca value (db) S3 custom CA cert to connect to S3 endpoint\n --etcd-s3-skip-ssl-verify (db) Disables S3 SSL certificate validation\n --etcd-s3-access-key value (db) S3 access key [$AWS_ACCESS_KEY_ID]\n --etcd-s3-secret-key value (db) S3 secret key [$AWS_SECRET_ACCESS_KEY]\n --etcd-s3-bucket value (db) S3 bucket name\n --etcd-s3-region value (db) S3 region / bucket location (optional) (default: "us-east-1")\n --etcd-s3-folder value (db) S3 folder\n --etcd-s3-insecure (db) Disables S3 over HTTPS\n --etcd-s3-timeout value (db) S3 timeout (default: 5m0s)\n --default-local-storage-path value (storage) Default local storage path for local provisioner storage class\n --disable value (components) Do not deploy packaged components and delete any deployed components (valid items: coredns, servicelb, traefik, local-storage, metrics-server)\n --disable-scheduler (components) Disable Kubernetes default scheduler\n --disable-cloud-controller (components) Disable k3s default cloud controller manager\n --disable-kube-proxy (components) Disable running kube-proxy\n --disable-network-policy (components) Disable k3s default network policy controller\n --disable-helm-controller (components) Disable Helm controller\n --node-name value (agent/node) Node name [$K3S_NODE_NAME]\n --with-node-id (agent/node) Append id to node name\n --node-label value (agent/node) Registering and starting kubelet with set of labels\n --node-taint value (agent/node) Registering kubelet with set of taints\n --image-credential-provider-bin-dir value (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")\n --image-credential-provider-config value (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")\n --docker (agent/runtime) (experimental) Use cri-dockerd instead of containerd\n --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path\n --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: "rancher/mirrored-pause:3.6")\n --snapshotter value (agent/runtime) Override default containerd snapshotter (default: "overlayfs")\n --private-registry value (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml")\n --system-default-registry value (agent/runtime) Private registry to be used for all system images [$K3S_SYSTEM_DEFAULT_REGISTRY]\n --node-ip value, -i value (agent/networking) IPv4/IPv6 addresses to advertise for node\n --node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node\n --resolv-conf value (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF]\n --flannel-iface value (agent/networking) Override default flannel interface\n --flannel-conf value (agent/networking) Override default flannel config file\n --flannel-cni-conf value (agent/networking) Override default flannel cni config file\n --kubelet-arg value (agent/flags) Customized flag for kubelet process\n --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process\n --protect-kernel-defaults (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.\n --secrets-encryption Enable secret encryption at rest\n --enable-pprof (experimental) Enable pprof endpoint on supervisor port\n --rootless (experimental) Run rootless\n --prefer-bundled-bin (experimental) Prefer bundled userspace binaries over host binaries\n --selinux (agent/node) Enable SELinux in containerd [$K3S_SELINUX]\n --lb-server-port value (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]\n'})})]})}function h(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,n)=>{n.d(s,{Z:()=>i,a:()=>l});var r=n(7294);const t={},d=r.createContext(t);function l(e){const s=r.useContext(d);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(d.Provider,{value:s},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/4a667cf9.133a6c6e.js b/assets/js/4a667cf9.3b4b3fbd.js
similarity index 99%
rename from assets/js/4a667cf9.133a6c6e.js
rename to assets/js/4a667cf9.3b4b3fbd.js
index 4dfeafa65..05f20452f 100644
--- a/assets/js/4a667cf9.133a6c6e.js
+++ b/assets/js/4a667cf9.3b4b3fbd.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9477],{8676:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>i,contentTitle:()=>t,default:()=>h,frontMatter:()=>l,metadata:()=>o,toc:()=>d});var r=s(5893),a=s(1151);const l={title:"Cluster Load Balancer"},t=void 0,o={id:"datastore/cluster-loadbalancer",title:"Cluster Load Balancer",description:"This section describes how to install an external load balancer in front of a High Availability (HA) K3s cluster's server nodes. Two examples are provided: Nginx and HAProxy.",source:"@site/docs/datastore/cluster-loadbalancer.md",sourceDirName:"datastore",slug:"/datastore/cluster-loadbalancer",permalink:"/datastore/cluster-loadbalancer",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/cluster-loadbalancer.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Cluster Load Balancer"},sidebar:"mySidebar",previous:{title:"High Availability External DB",permalink:"/datastore/ha"},next:{title:"Upgrades",permalink:"/upgrades/"}},i={},d=[{value:"Prerequisites",id:"prerequisites",level:2},{value:"Setup Load Balancer",id:"setup-load-balancer",level:2},{value:"Nginx Load Balancer",id:"nginx-load-balancer",level:2}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,a.a)(),...e.components},{TabItem:s,Tabs:l}=n;return s||x("TabItem",!0),l||x("Tabs",!0),(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(n.p,{children:"This section describes how to install an external load balancer in front of a High Availability (HA) K3s cluster's server nodes. Two examples are provided: Nginx and HAProxy."}),"\n",(0,r.jsxs)(n.admonition,{type:"tip",children:[(0,r.jsxs)(n.p,{children:["External load-balancers should not be confused with the embedded ServiceLB, which is an embedded controller that allows for use of Kubernetes LoadBalancer Services without deploying a third-party load-balancer controller. For more details, see ",(0,r.jsx)(n.a,{href:"/networking/networking-services#service-load-balancer",children:"Service Load Balancer"}),"."]}),(0,r.jsx)(n.p,{children:"External load-balancers can be used to provide a fixed registration address for registering nodes, or for external access to the Kubernetes API Server. For exposing LoadBalancer Services, external load-balancers can be used alongside or instead of ServiceLB, but in most cases, replacement load-balancer controllers such as MetalLB or Kube-VIP are a better choice."})]}),"\n",(0,r.jsx)(n.h2,{id:"prerequisites",children:"Prerequisites"}),"\n",(0,r.jsx)(n.p,{children:"All nodes in this example are running Ubuntu 20.04."}),"\n",(0,r.jsxs)(n.p,{children:["For both examples, assume that a ",(0,r.jsx)(n.a,{href:"/datastore/ha-embedded",children:"HA K3s cluster with embedded etcd"})," has been installed on 3 nodes."]}),"\n",(0,r.jsx)(n.p,{children:"Each k3s server is configured with:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"# /etc/rancher/k3s/config.yaml\ntoken: lb-cluster-gd\ntls-san: 10.10.10.100\n"})}),"\n",(0,r.jsx)(n.p,{children:"The nodes have hostnames and IPs of:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["server-1: ",(0,r.jsx)(n.code,{children:"10.10.10.50"})]}),"\n",(0,r.jsxs)(n.li,{children:["server-2: ",(0,r.jsx)(n.code,{children:"10.10.10.51"})]}),"\n",(0,r.jsxs)(n.li,{children:["server-3: ",(0,r.jsx)(n.code,{children:"10.10.10.52"})]}),"\n"]}),"\n",(0,r.jsx)(n.p,{children:"Two additional nodes for load balancing are configured with hostnames and IPs of:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["lb-1: ",(0,r.jsx)(n.code,{children:"10.10.10.98"})]}),"\n",(0,r.jsxs)(n.li,{children:["lb-2: ",(0,r.jsx)(n.code,{children:"10.10.10.99"})]}),"\n"]}),"\n",(0,r.jsx)(n.p,{children:"Three additional nodes exist with hostnames and IPs of:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["agent-1: ",(0,r.jsx)(n.code,{children:"10.10.10.101"})]}),"\n",(0,r.jsxs)(n.li,{children:["agent-2: ",(0,r.jsx)(n.code,{children:"10.10.10.102"})]}),"\n",(0,r.jsxs)(n.li,{children:["agent-3: ",(0,r.jsx)(n.code,{children:"10.10.10.103"})]}),"\n"]}),"\n",(0,r.jsx)(n.h2,{id:"setup-load-balancer",children:"Setup Load Balancer"}),"\n",(0,r.jsxs)(l,{queryString:"ext-load-balancer",children:[(0,r.jsxs)(s,{value:"HAProxy",default:!0,children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.a,{href:"http://www.haproxy.org/",children:"HAProxy"})," is an open source option that provides a TCP load balancer. It also supports HA for the load balancer itself, ensuring redundancy at all levels. See ",(0,r.jsx)(n.a,{href:"http://docs.haproxy.org/2.8/intro.html",children:"HAProxy Documentation"})," for more info."]}),(0,r.jsxs)(n.p,{children:["Additionally, we will use KeepAlived to generate a virtual IP (VIP) that will be used to access the cluster. See ",(0,r.jsx)(n.a,{href:"https://www.keepalived.org/manpage.html",children:"KeepAlived Documentation"})," for more info."]}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsx)(n.li,{children:"Install HAProxy and KeepAlived:"}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"sudo apt-get install haproxy keepalived\n"})}),(0,r.jsxs)(n.ol,{start:"2",children:["\n",(0,r.jsxs)(n.li,{children:["Add the following to ",(0,r.jsx)(n.code,{children:"/etc/haproxy/haproxy.cfg"})," on lb-1 and lb-2:"]}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"frontend k3s-frontend\n bind *:6443\n mode tcp\n option tcplog\n default_backend k3s-backend\n\nbackend k3s-backend\n mode tcp\n option tcp-check\n balance roundrobin\n default-server inter 10s downinter 5s\n server server-1 10.10.10.50:6443 check\n server server-2 10.10.10.51:6443 check\n server server-3 10.10.10.52:6443 check\n"})}),(0,r.jsxs)(n.ol,{start:"3",children:["\n",(0,r.jsxs)(n.li,{children:["Add the following to ",(0,r.jsx)(n.code,{children:"/etc/keepalived/keepalived.conf"})," on lb-1 and lb-2:"]}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"global_defs {\n enable_script_security\n script_user root\n}\n\nvrrp_script chk_haproxy {\n script 'killall -0 haproxy' # faster than pidof\n interval 2\n}\n\nvrrp_instance haproxy-vip {\n interface eth1\n state # MASTER on lb-1, BACKUP on lb-2\n priority # 200 on lb-1, 100 on lb-2\n\n virtual_router_id 51\n\n virtual_ipaddress {\n 10.10.10.100/24\n }\n\n track_script {\n chk_haproxy\n }\n}\n"})}),(0,r.jsxs)(n.ol,{start:"6",children:["\n",(0,r.jsx)(n.li,{children:"Restart HAProxy and KeepAlived on lb-1 and lb-2:"}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"systemctl restart haproxy\nsystemctl restart keepalived\n"})}),(0,r.jsxs)(n.ol,{start:"5",children:["\n",(0,r.jsx)(n.li,{children:"On agent-1, agent-2, and agent-3, run the following command to install k3s and join the cluster:"}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=lb-cluster-gd sh -s - agent --server https://10.10.10.100:6443\n"})}),(0,r.jsxs)(n.p,{children:["You can now use ",(0,r.jsx)(n.code,{children:"kubectl"})," from server node to interact with the cluster."]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"root@server-1 $ k3s kubectl get nodes -A\nNAME STATUS ROLES AGE VERSION\nagent-1 Ready 32s v1.27.3+k3s1\nagent-2 Ready 20s v1.27.3+k3s1\nagent-3 Ready 9s v1.27.3+k3s1\nserver-1 Ready control-plane,etcd,master 4m22s v1.27.3+k3s1\nserver-2 Ready control-plane,etcd,master 3m58s v1.27.3+k3s1\nserver-3 Ready control-plane,etcd,master 3m12s v1.27.3+k3s1\n"})})]}),(0,r.jsxs)(s,{value:"Nginx",children:[(0,r.jsx)(n.h2,{id:"nginx-load-balancer",children:"Nginx Load Balancer"}),(0,r.jsx)(n.admonition,{type:"danger",children:(0,r.jsx)(n.p,{children:"Nginx does not natively support a High Availability (HA) configuration. If setting up an HA cluster, having a single load balancer in front of K3s will reintroduce a single point of failure."})}),(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.a,{href:"http://nginx.org/",children:"Nginx Open Source"})," provides a TCP load balancer. See ",(0,r.jsx)(n.a,{href:"https://nginx.org/en/docs/http/load_balancing.html",children:"Using nginx as HTTP load balancer"})," for more info."]}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["Create a ",(0,r.jsx)(n.code,{children:"nginx.conf"})," file on lb-1 with the following contents:"]}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"events {}\n\nstream {\n upstream k3s_servers {\n server 10.10.10.50:6443;\n server 10.10.10.51:6443;\n server 10.10.10.52:6443;\n }\n\n server {\n listen 6443;\n proxy_pass k3s_servers;\n }\n}\n"})}),(0,r.jsxs)(n.ol,{start:"2",children:["\n",(0,r.jsx)(n.li,{children:"Run the Nginx load balancer on lb-1:"}),"\n"]}),(0,r.jsx)(n.p,{children:"Using docker:"}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"docker run -d --restart unless-stopped \\\n -v ${PWD}/nginx.conf:/etc/nginx/nginx.conf \\\n -p 6443:6443 \\\n nginx:stable\n"})}),(0,r.jsxs)(n.p,{children:["Or ",(0,r.jsx)(n.a,{href:"https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/",children:"install nginx"})," and then run:"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"cp nginx.conf /etc/nginx/nginx.conf\nsystemctl start nginx\n"})}),(0,r.jsxs)(n.ol,{start:"3",children:["\n",(0,r.jsx)(n.li,{children:"On agent-1, agent-2, and agent-3, run the following command to install k3s and join the cluster:"}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=lb-cluster-gd sh -s - agent --server https://10.10.10.98:6443\n"})}),(0,r.jsxs)(n.p,{children:["You can now use ",(0,r.jsx)(n.code,{children:"kubectl"})," from server node to interact with the cluster."]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"root@server1 $ k3s kubectl get nodes -A\nNAME STATUS ROLES AGE VERSION\nagent-1 Ready 30s v1.27.3+k3s1\nagent-2 Ready 22s v1.27.3+k3s1\nagent-3 Ready 13s v1.27.3+k3s1\nserver-1 Ready control-plane,etcd,master 4m49s v1.27.3+k3s1\nserver-2 Ready control-plane,etcd,master 3m58s v1.27.3+k3s1\nserver-3 Ready control-plane,etcd,master 3m16s v1.27.3+k3s1\n"})})]})]})]})}function h(e={}){const{wrapper:n}={...(0,a.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(c,{...e})}):c(e)}function x(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,s)=>{s.d(n,{Z:()=>o,a:()=>t});var r=s(7294);const a={},l=r.createContext(a);function t(e){const n=r.useContext(l);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(a):e.components||a:t(e.components),r.createElement(l.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9477],{8676:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>i,contentTitle:()=>t,default:()=>h,frontMatter:()=>l,metadata:()=>o,toc:()=>d});var r=s(5893),a=s(1151);const l={title:"Cluster Load Balancer"},t=void 0,o={id:"datastore/cluster-loadbalancer",title:"Cluster Load Balancer",description:"This section describes how to install an external load balancer in front of a High Availability (HA) K3s cluster's server nodes. Two examples are provided: Nginx and HAProxy.",source:"@site/docs/datastore/cluster-loadbalancer.md",sourceDirName:"datastore",slug:"/datastore/cluster-loadbalancer",permalink:"/datastore/cluster-loadbalancer",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/cluster-loadbalancer.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Cluster Load Balancer"},sidebar:"mySidebar",previous:{title:"High Availability External DB",permalink:"/datastore/ha"},next:{title:"Upgrades",permalink:"/upgrades/"}},i={},d=[{value:"Prerequisites",id:"prerequisites",level:2},{value:"Setup Load Balancer",id:"setup-load-balancer",level:2},{value:"Nginx Load Balancer",id:"nginx-load-balancer",level:2}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,a.a)(),...e.components},{TabItem:s,Tabs:l}=n;return s||x("TabItem",!0),l||x("Tabs",!0),(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(n.p,{children:"This section describes how to install an external load balancer in front of a High Availability (HA) K3s cluster's server nodes. Two examples are provided: Nginx and HAProxy."}),"\n",(0,r.jsxs)(n.admonition,{type:"tip",children:[(0,r.jsxs)(n.p,{children:["External load-balancers should not be confused with the embedded ServiceLB, which is an embedded controller that allows for use of Kubernetes LoadBalancer Services without deploying a third-party load-balancer controller. For more details, see ",(0,r.jsx)(n.a,{href:"/networking/networking-services#service-load-balancer",children:"Service Load Balancer"}),"."]}),(0,r.jsx)(n.p,{children:"External load-balancers can be used to provide a fixed registration address for registering nodes, or for external access to the Kubernetes API Server. For exposing LoadBalancer Services, external load-balancers can be used alongside or instead of ServiceLB, but in most cases, replacement load-balancer controllers such as MetalLB or Kube-VIP are a better choice."})]}),"\n",(0,r.jsx)(n.h2,{id:"prerequisites",children:"Prerequisites"}),"\n",(0,r.jsx)(n.p,{children:"All nodes in this example are running Ubuntu 20.04."}),"\n",(0,r.jsxs)(n.p,{children:["For both examples, assume that a ",(0,r.jsx)(n.a,{href:"/datastore/ha-embedded",children:"HA K3s cluster with embedded etcd"})," has been installed on 3 nodes."]}),"\n",(0,r.jsx)(n.p,{children:"Each k3s server is configured with:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-yaml",children:"# /etc/rancher/k3s/config.yaml\ntoken: lb-cluster-gd\ntls-san: 10.10.10.100\n"})}),"\n",(0,r.jsx)(n.p,{children:"The nodes have hostnames and IPs of:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["server-1: ",(0,r.jsx)(n.code,{children:"10.10.10.50"})]}),"\n",(0,r.jsxs)(n.li,{children:["server-2: ",(0,r.jsx)(n.code,{children:"10.10.10.51"})]}),"\n",(0,r.jsxs)(n.li,{children:["server-3: ",(0,r.jsx)(n.code,{children:"10.10.10.52"})]}),"\n"]}),"\n",(0,r.jsx)(n.p,{children:"Two additional nodes for load balancing are configured with hostnames and IPs of:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["lb-1: ",(0,r.jsx)(n.code,{children:"10.10.10.98"})]}),"\n",(0,r.jsxs)(n.li,{children:["lb-2: ",(0,r.jsx)(n.code,{children:"10.10.10.99"})]}),"\n"]}),"\n",(0,r.jsx)(n.p,{children:"Three additional nodes exist with hostnames and IPs of:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["agent-1: ",(0,r.jsx)(n.code,{children:"10.10.10.101"})]}),"\n",(0,r.jsxs)(n.li,{children:["agent-2: ",(0,r.jsx)(n.code,{children:"10.10.10.102"})]}),"\n",(0,r.jsxs)(n.li,{children:["agent-3: ",(0,r.jsx)(n.code,{children:"10.10.10.103"})]}),"\n"]}),"\n",(0,r.jsx)(n.h2,{id:"setup-load-balancer",children:"Setup Load Balancer"}),"\n",(0,r.jsxs)(l,{queryString:"ext-load-balancer",children:[(0,r.jsxs)(s,{value:"HAProxy",default:!0,children:[(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.a,{href:"http://www.haproxy.org/",children:"HAProxy"})," is an open source option that provides a TCP load balancer. It also supports HA for the load balancer itself, ensuring redundancy at all levels. See ",(0,r.jsx)(n.a,{href:"http://docs.haproxy.org/2.8/intro.html",children:"HAProxy Documentation"})," for more info."]}),(0,r.jsxs)(n.p,{children:["Additionally, we will use KeepAlived to generate a virtual IP (VIP) that will be used to access the cluster. See ",(0,r.jsx)(n.a,{href:"https://www.keepalived.org/manpage.html",children:"KeepAlived Documentation"})," for more info."]}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsx)(n.li,{children:"Install HAProxy and KeepAlived:"}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"sudo apt-get install haproxy keepalived\n"})}),(0,r.jsxs)(n.ol,{start:"2",children:["\n",(0,r.jsxs)(n.li,{children:["Add the following to ",(0,r.jsx)(n.code,{children:"/etc/haproxy/haproxy.cfg"})," on lb-1 and lb-2:"]}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"frontend k3s-frontend\n bind *:6443\n mode tcp\n option tcplog\n default_backend k3s-backend\n\nbackend k3s-backend\n mode tcp\n option tcp-check\n balance roundrobin\n default-server inter 10s downinter 5s\n server server-1 10.10.10.50:6443 check\n server server-2 10.10.10.51:6443 check\n server server-3 10.10.10.52:6443 check\n"})}),(0,r.jsxs)(n.ol,{start:"3",children:["\n",(0,r.jsxs)(n.li,{children:["Add the following to ",(0,r.jsx)(n.code,{children:"/etc/keepalived/keepalived.conf"})," on lb-1 and lb-2:"]}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"global_defs {\n enable_script_security\n script_user root\n}\n\nvrrp_script chk_haproxy {\n script 'killall -0 haproxy' # faster than pidof\n interval 2\n}\n\nvrrp_instance haproxy-vip {\n interface eth1\n state # MASTER on lb-1, BACKUP on lb-2\n priority # 200 on lb-1, 100 on lb-2\n\n virtual_router_id 51\n\n virtual_ipaddress {\n 10.10.10.100/24\n }\n\n track_script {\n chk_haproxy\n }\n}\n"})}),(0,r.jsxs)(n.ol,{start:"6",children:["\n",(0,r.jsx)(n.li,{children:"Restart HAProxy and KeepAlived on lb-1 and lb-2:"}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"systemctl restart haproxy\nsystemctl restart keepalived\n"})}),(0,r.jsxs)(n.ol,{start:"5",children:["\n",(0,r.jsx)(n.li,{children:"On agent-1, agent-2, and agent-3, run the following command to install k3s and join the cluster:"}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=lb-cluster-gd sh -s - agent --server https://10.10.10.100:6443\n"})}),(0,r.jsxs)(n.p,{children:["You can now use ",(0,r.jsx)(n.code,{children:"kubectl"})," from server node to interact with the cluster."]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"root@server-1 $ k3s kubectl get nodes -A\nNAME STATUS ROLES AGE VERSION\nagent-1 Ready 32s v1.27.3+k3s1\nagent-2 Ready 20s v1.27.3+k3s1\nagent-3 Ready 9s v1.27.3+k3s1\nserver-1 Ready control-plane,etcd,master 4m22s v1.27.3+k3s1\nserver-2 Ready control-plane,etcd,master 3m58s v1.27.3+k3s1\nserver-3 Ready control-plane,etcd,master 3m12s v1.27.3+k3s1\n"})})]}),(0,r.jsxs)(s,{value:"Nginx",children:[(0,r.jsx)(n.h2,{id:"nginx-load-balancer",children:"Nginx Load Balancer"}),(0,r.jsx)(n.admonition,{type:"danger",children:(0,r.jsx)(n.p,{children:"Nginx does not natively support a High Availability (HA) configuration. If setting up an HA cluster, having a single load balancer in front of K3s will reintroduce a single point of failure."})}),(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.a,{href:"http://nginx.org/",children:"Nginx Open Source"})," provides a TCP load balancer. See ",(0,r.jsx)(n.a,{href:"https://nginx.org/en/docs/http/load_balancing.html",children:"Using nginx as HTTP load balancer"})," for more info."]}),(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["Create a ",(0,r.jsx)(n.code,{children:"nginx.conf"})," file on lb-1 with the following contents:"]}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"events {}\n\nstream {\n upstream k3s_servers {\n server 10.10.10.50:6443;\n server 10.10.10.51:6443;\n server 10.10.10.52:6443;\n }\n\n server {\n listen 6443;\n proxy_pass k3s_servers;\n }\n}\n"})}),(0,r.jsxs)(n.ol,{start:"2",children:["\n",(0,r.jsx)(n.li,{children:"Run the Nginx load balancer on lb-1:"}),"\n"]}),(0,r.jsx)(n.p,{children:"Using docker:"}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"docker run -d --restart unless-stopped \\\n -v ${PWD}/nginx.conf:/etc/nginx/nginx.conf \\\n -p 6443:6443 \\\n nginx:stable\n"})}),(0,r.jsxs)(n.p,{children:["Or ",(0,r.jsx)(n.a,{href:"https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/",children:"install nginx"})," and then run:"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"cp nginx.conf /etc/nginx/nginx.conf\nsystemctl start nginx\n"})}),(0,r.jsxs)(n.ol,{start:"3",children:["\n",(0,r.jsx)(n.li,{children:"On agent-1, agent-2, and agent-3, run the following command to install k3s and join the cluster:"}),"\n"]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=lb-cluster-gd sh -s - agent --server https://10.10.10.98:6443\n"})}),(0,r.jsxs)(n.p,{children:["You can now use ",(0,r.jsx)(n.code,{children:"kubectl"})," from server node to interact with the cluster."]}),(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"root@server1 $ k3s kubectl get nodes -A\nNAME STATUS ROLES AGE VERSION\nagent-1 Ready 30s v1.27.3+k3s1\nagent-2 Ready 22s v1.27.3+k3s1\nagent-3 Ready 13s v1.27.3+k3s1\nserver-1 Ready control-plane,etcd,master 4m49s v1.27.3+k3s1\nserver-2 Ready control-plane,etcd,master 3m58s v1.27.3+k3s1\nserver-3 Ready control-plane,etcd,master 3m16s v1.27.3+k3s1\n"})})]})]})]})}function h(e={}){const{wrapper:n}={...(0,a.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(c,{...e})}):c(e)}function x(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,s)=>{s.d(n,{Z:()=>o,a:()=>t});var r=s(7294);const a={},l=r.createContext(a);function t(e){const n=r.useContext(l);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(a):e.components||a:t(e.components),r.createElement(l.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/4aae9e46.aa17d933.js b/assets/js/4aae9e46.88170da1.js
similarity index 98%
rename from assets/js/4aae9e46.aa17d933.js
rename to assets/js/4aae9e46.88170da1.js
index 6ab33e56c..0f628f08e 100644
--- a/assets/js/4aae9e46.aa17d933.js
+++ b/assets/js/4aae9e46.88170da1.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4443],{557:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>c,contentTitle:()=>a,default:()=>p,frontMatter:()=>l,metadata:()=>i,toc:()=>o});var t=n(5893),r=n(1151);const l={title:"Stopping K3s"},a=void 0,i={id:"upgrades/killall",title:"Stopping K3s",description:"To allow high availability during upgrades, the K3s containers continue running when the K3s service is stopped.",source:"@site/docs/upgrades/killall.md",sourceDirName:"upgrades",slug:"/upgrades/killall",permalink:"/upgrades/killall",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/upgrades/killall.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Stopping K3s"},sidebar:"mySidebar",previous:{title:"Upgrades",permalink:"/upgrades/"},next:{title:"Manual Upgrades",permalink:"/upgrades/manual"}},c={},o=[{value:"K3s Service",id:"k3s-service",level:2},{value:"Killall Script",id:"killall-script",level:2}];function d(e){const s={code:"code",h2:"h2",p:"p",pre:"pre",...(0,r.a)(),...e.components},{TabItem:n,Tabs:l}=s;return n||h("TabItem",!0),l||h("Tabs",!0),(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(s.p,{children:"To allow high availability during upgrades, the K3s containers continue running when the K3s service is stopped."}),"\n",(0,t.jsx)(s.h2,{id:"k3s-service",children:"K3s Service"}),"\n",(0,t.jsx)(s.p,{children:"Stopping and restarting K3s is supported by the installation script for systemd and OpenRC."}),"\n",(0,t.jsxs)(l,{children:[(0,t.jsxs)(n,{value:"systemd",children:[(0,t.jsx)(s.p,{children:"To stop servers:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo systemctl stop k3s\n"})}),(0,t.jsx)(s.p,{children:"To restart servers:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo systemctl start k3s\n"})}),(0,t.jsx)(s.p,{children:"To stop agents:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo systemctl stop k3s-agent\n"})}),(0,t.jsx)(s.p,{children:"To restart agents:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo systemctl start k3s-agent\n"})})]}),(0,t.jsxs)(n,{value:"OpenRC",children:[(0,t.jsx)(s.p,{children:"To stop servers:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo rc-service k3s stop\n"})}),(0,t.jsx)(s.p,{children:"To restart servers:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo rc-service k3s restart\n"})}),(0,t.jsx)(s.p,{children:"To stop agents:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo rc-service k3s-agent stop\n"})}),(0,t.jsx)(s.p,{children:"To restart agents:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo rc-service k3s-agent restart\n"})})]})]}),"\n",(0,t.jsx)(s.h2,{id:"killall-script",children:"Killall Script"}),"\n",(0,t.jsxs)(s.p,{children:["To stop all of the K3s containers and reset the containerd state, the ",(0,t.jsx)(s.code,{children:"k3s-killall.sh"})," script can be used."]}),"\n",(0,t.jsx)(s.p,{children:"The killall script cleans up containers, K3s directories, and networking components while also removing the iptables chain with all the associated rules. The cluster data will not be deleted."}),"\n",(0,t.jsx)(s.p,{children:"To run the killall script from a server node, run:"}),"\n",(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-bash",children:"/usr/local/bin/k3s-killall.sh\n"})})]})}function p(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,t.jsx)(s,{...e,children:(0,t.jsx)(d,{...e})}):d(e)}function h(e,s){throw new Error("Expected "+(s?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,s,n)=>{n.d(s,{Z:()=>i,a:()=>a});var t=n(7294);const r={},l=t.createContext(r);function a(e){const s=t.useContext(l);return t.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:a(e.components),t.createElement(l.Provider,{value:s},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4443],{557:(e,s,n)=>{n.r(s),n.d(s,{assets:()=>c,contentTitle:()=>a,default:()=>p,frontMatter:()=>l,metadata:()=>i,toc:()=>o});var t=n(5893),r=n(1151);const l={title:"Stopping K3s"},a=void 0,i={id:"upgrades/killall",title:"Stopping K3s",description:"To allow high availability during upgrades, the K3s containers continue running when the K3s service is stopped.",source:"@site/docs/upgrades/killall.md",sourceDirName:"upgrades",slug:"/upgrades/killall",permalink:"/upgrades/killall",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/upgrades/killall.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Stopping K3s"},sidebar:"mySidebar",previous:{title:"Upgrades",permalink:"/upgrades/"},next:{title:"Manual Upgrades",permalink:"/upgrades/manual"}},c={},o=[{value:"K3s Service",id:"k3s-service",level:2},{value:"Killall Script",id:"killall-script",level:2}];function d(e){const s={code:"code",h2:"h2",p:"p",pre:"pre",...(0,r.a)(),...e.components},{TabItem:n,Tabs:l}=s;return n||h("TabItem",!0),l||h("Tabs",!0),(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(s.p,{children:"To allow high availability during upgrades, the K3s containers continue running when the K3s service is stopped."}),"\n",(0,t.jsx)(s.h2,{id:"k3s-service",children:"K3s Service"}),"\n",(0,t.jsx)(s.p,{children:"Stopping and restarting K3s is supported by the installation script for systemd and OpenRC."}),"\n",(0,t.jsxs)(l,{children:[(0,t.jsxs)(n,{value:"systemd",children:[(0,t.jsx)(s.p,{children:"To stop servers:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo systemctl stop k3s\n"})}),(0,t.jsx)(s.p,{children:"To restart servers:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo systemctl start k3s\n"})}),(0,t.jsx)(s.p,{children:"To stop agents:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo systemctl stop k3s-agent\n"})}),(0,t.jsx)(s.p,{children:"To restart agents:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo systemctl start k3s-agent\n"})})]}),(0,t.jsxs)(n,{value:"OpenRC",children:[(0,t.jsx)(s.p,{children:"To stop servers:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo rc-service k3s stop\n"})}),(0,t.jsx)(s.p,{children:"To restart servers:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo rc-service k3s restart\n"})}),(0,t.jsx)(s.p,{children:"To stop agents:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo rc-service k3s-agent stop\n"})}),(0,t.jsx)(s.p,{children:"To restart agents:"}),(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-sh",children:"sudo rc-service k3s-agent restart\n"})})]})]}),"\n",(0,t.jsx)(s.h2,{id:"killall-script",children:"Killall Script"}),"\n",(0,t.jsxs)(s.p,{children:["To stop all of the K3s containers and reset the containerd state, the ",(0,t.jsx)(s.code,{children:"k3s-killall.sh"})," script can be used."]}),"\n",(0,t.jsx)(s.p,{children:"The killall script cleans up containers, K3s directories, and networking components while also removing the iptables chain with all the associated rules. The cluster data will not be deleted."}),"\n",(0,t.jsx)(s.p,{children:"To run the killall script from a server node, run:"}),"\n",(0,t.jsx)(s.pre,{children:(0,t.jsx)(s.code,{className:"language-bash",children:"/usr/local/bin/k3s-killall.sh\n"})})]})}function p(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,t.jsx)(s,{...e,children:(0,t.jsx)(d,{...e})}):d(e)}function h(e,s){throw new Error("Expected "+(s?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,s,n)=>{n.d(s,{Z:()=>i,a:()=>a});var t=n(7294);const r={},l=t.createContext(r);function a(e){const s=t.useContext(l);return t.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function i(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:a(e.components),t.createElement(l.Provider,{value:s},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/4e366d5e.7072c3bd.js b/assets/js/4e366d5e.4b1c1293.js
similarity index 98%
rename from assets/js/4e366d5e.7072c3bd.js
rename to assets/js/4e366d5e.4b1c1293.js
index 9412c89c2..9ae721864 100644
--- a/assets/js/4e366d5e.7072c3bd.js
+++ b/assets/js/4e366d5e.4b1c1293.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3595],{882:(e,r,s)=>{s.r(r),s.d(r,{assets:()=>l,contentTitle:()=>i,default:()=>u,frontMatter:()=>a,metadata:()=>o,toc:()=>d});var t=s(5893),n=s(1151);const a={title:"Upgrades"},i=void 0,o={id:"upgrades/upgrades",title:"Upgrades",description:"Upgrading your K3s cluster",source:"@site/docs/upgrades/upgrades.md",sourceDirName:"upgrades",slug:"/upgrades/",permalink:"/upgrades/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/upgrades/upgrades.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Upgrades"},sidebar:"mySidebar",previous:{title:"Cluster Load Balancer",permalink:"/datastore/cluster-loadbalancer"},next:{title:"Stopping K3s",permalink:"/upgrades/killall"}},l={},d=[{value:"Upgrading your K3s cluster",id:"upgrading-your-k3s-cluster",level:3},{value:"Version-specific caveats",id:"version-specific-caveats",level:3}];function c(e){const r={a:"a",code:"code",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.h3,{id:"upgrading-your-k3s-cluster",children:"Upgrading your K3s cluster"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.a,{href:"/upgrades/manual",children:"Manual Upgrades"})," describes several techniques for upgrading your cluster manually. It can also be used as a basis for upgrading through third-party Infrastructure-as-Code tools like ",(0,t.jsx)(r.a,{href:"https://www.terraform.io/",children:"Terraform"}),"."]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.a,{href:"/upgrades/automated",children:"Automated Upgrades"})," describes how to perform Kubernetes-native automated upgrades using Rancher's ",(0,t.jsx)(r.a,{href:"https://github.com/rancher/system-upgrade-controller",children:"system-upgrade-controller"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"version-specific-caveats",children:"Version-specific caveats"}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:["\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Traefik:"})," If Traefik is not disabled, K3s versions 1.20 and earlier will install Traefik v1, while K3s versions 1.21 and later will install Traefik v2, if v1 is not already present. To upgrade from the older Traefik v1 to Traefik v2, please refer to the ",(0,t.jsx)(r.a,{href:"https://doc.traefik.io/traefik/migration/v1-to-v2/",children:"Traefik documentation"})," and use the ",(0,t.jsx)(r.a,{href:"https://github.com/traefik/traefik-migration-tool",children:"migration tool"}),"."]}),"\n"]}),"\n",(0,t.jsxs)(r.li,{children:["\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"K3s bootstrap data:"})," If you are using K3s in an HA configuration with an external SQL datastore, and your server (control-plane) nodes were not started with the ",(0,t.jsx)(r.code,{children:"--token"})," CLI flag, you will no longer be able to add additional K3s servers to the cluster without specifying the token. Ensure that you retain a copy of this token, as it is required when restoring from backup. Previously, K3s did not enforce the use of a token when using external SQL datastores."]}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:["\n",(0,t.jsx)(r.p,{children:"The affected versions are <= v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1; the patched versions are v1.19.13+k3s1, v1.20.9+k3s1, v1.21.3+k3s1."}),"\n"]}),"\n",(0,t.jsxs)(r.li,{children:["\n",(0,t.jsx)(r.p,{children:"You may retrieve the token value from any server already joined to the cluster as follows:"}),"\n"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"cat /var/lib/rancher/k3s/server/token\n"})})]})}function u(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,t.jsx)(r,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}},1151:(e,r,s)=>{s.d(r,{Z:()=>o,a:()=>i});var t=s(7294);const n={},a=t.createContext(n);function i(e){const r=t.useContext(a);return t.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function o(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:i(e.components),t.createElement(a.Provider,{value:r},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3595],{882:(e,r,s)=>{s.r(r),s.d(r,{assets:()=>l,contentTitle:()=>i,default:()=>u,frontMatter:()=>a,metadata:()=>o,toc:()=>d});var t=s(5893),n=s(1151);const a={title:"Upgrades"},i=void 0,o={id:"upgrades/upgrades",title:"Upgrades",description:"Upgrading your K3s cluster",source:"@site/docs/upgrades/upgrades.md",sourceDirName:"upgrades",slug:"/upgrades/",permalink:"/upgrades/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/upgrades/upgrades.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Upgrades"},sidebar:"mySidebar",previous:{title:"Cluster Load Balancer",permalink:"/datastore/cluster-loadbalancer"},next:{title:"Stopping K3s",permalink:"/upgrades/killall"}},l={},d=[{value:"Upgrading your K3s cluster",id:"upgrading-your-k3s-cluster",level:3},{value:"Version-specific caveats",id:"version-specific-caveats",level:3}];function c(e){const r={a:"a",code:"code",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.h3,{id:"upgrading-your-k3s-cluster",children:"Upgrading your K3s cluster"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.a,{href:"/upgrades/manual",children:"Manual Upgrades"})," describes several techniques for upgrading your cluster manually. It can also be used as a basis for upgrading through third-party Infrastructure-as-Code tools like ",(0,t.jsx)(r.a,{href:"https://www.terraform.io/",children:"Terraform"}),"."]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.a,{href:"/upgrades/automated",children:"Automated Upgrades"})," describes how to perform Kubernetes-native automated upgrades using Rancher's ",(0,t.jsx)(r.a,{href:"https://github.com/rancher/system-upgrade-controller",children:"system-upgrade-controller"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"version-specific-caveats",children:"Version-specific caveats"}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:["\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Traefik:"})," If Traefik is not disabled, K3s versions 1.20 and earlier will install Traefik v1, while K3s versions 1.21 and later will install Traefik v2, if v1 is not already present. To upgrade from the older Traefik v1 to Traefik v2, please refer to the ",(0,t.jsx)(r.a,{href:"https://doc.traefik.io/traefik/migration/v1-to-v2/",children:"Traefik documentation"})," and use the ",(0,t.jsx)(r.a,{href:"https://github.com/traefik/traefik-migration-tool",children:"migration tool"}),"."]}),"\n"]}),"\n",(0,t.jsxs)(r.li,{children:["\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"K3s bootstrap data:"})," If you are using K3s in an HA configuration with an external SQL datastore, and your server (control-plane) nodes were not started with the ",(0,t.jsx)(r.code,{children:"--token"})," CLI flag, you will no longer be able to add additional K3s servers to the cluster without specifying the token. Ensure that you retain a copy of this token, as it is required when restoring from backup. Previously, K3s did not enforce the use of a token when using external SQL datastores."]}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:["\n",(0,t.jsx)(r.p,{children:"The affected versions are <= v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1; the patched versions are v1.19.13+k3s1, v1.20.9+k3s1, v1.21.3+k3s1."}),"\n"]}),"\n",(0,t.jsxs)(r.li,{children:["\n",(0,t.jsx)(r.p,{children:"You may retrieve the token value from any server already joined to the cluster as follows:"}),"\n"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"cat /var/lib/rancher/k3s/server/token\n"})})]})}function u(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,t.jsx)(r,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}},1151:(e,r,s)=>{s.d(r,{Z:()=>o,a:()=>i});var t=s(7294);const n={},a=t.createContext(n);function i(e){const r=t.useContext(a);return t.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function o(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:i(e.components),t.createElement(a.Provider,{value:r},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/4fea1ac4.97fc9d89.js b/assets/js/4fea1ac4.2c8d5f94.js
similarity index 98%
rename from assets/js/4fea1ac4.97fc9d89.js
rename to assets/js/4fea1ac4.2c8d5f94.js
index 0c6fc83d4..55c471612 100644
--- a/assets/js/4fea1ac4.97fc9d89.js
+++ b/assets/js/4fea1ac4.2c8d5f94.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1073],{8544:(n,e,t)=>{t.r(e),t.d(e,{assets:()=>r,contentTitle:()=>l,default:()=>u,frontMatter:()=>i,metadata:()=>o,toc:()=>d});var s=t(5893),a=t(1151);const i={title:"Uninstalling K3s"},l=void 0,o={id:"installation/uninstall",title:"Uninstalling K3s",description:"Uninstalling K3s deletes the local cluster data, configuration, and all of the scripts and CLI tools.",source:"@site/docs/installation/uninstall.md",sourceDirName:"installation",slug:"/installation/uninstall",permalink:"/installation/uninstall",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/uninstall.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Uninstalling K3s"},sidebar:"mySidebar",previous:{title:"Managing Packaged Components",permalink:"/installation/packaged-components"},next:{title:"Cluster Datastore",permalink:"/datastore/"}},r={},d=[{value:"Uninstalling Servers",id:"uninstalling-servers",level:3},{value:"Uninstalling Agents",id:"uninstalling-agents",level:3}];function c(n){const e={a:"a",admonition:"admonition",br:"br",code:"code",h3:"h3",p:"p",pre:"pre",...(0,a.a)(),...n.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(e.admonition,{type:"warning",children:(0,s.jsxs)(e.p,{children:["Uninstalling K3s deletes the local cluster data, configuration, and all of the scripts and CLI tools.",(0,s.jsx)(e.br,{}),"\n","It does not remove any data from external datastores, or created by pods using external Kubernetes storage volumes."]})}),"\n",(0,s.jsx)(e.p,{children:"If you installed K3s using the installation script, a script to uninstall K3s was generated during installation."}),"\n",(0,s.jsxs)(e.p,{children:["If you are planning on rejoining a node to an existing cluster after uninstalling and reinstalling, be sure to delete the node from the cluster to ensure that the node password secret is removed. See the ",(0,s.jsx)(e.a,{href:"/architecture#how-agent-node-registration-works",children:"Node Registration"})," documentation for more information."]}),"\n",(0,s.jsx)(e.h3,{id:"uninstalling-servers",children:"Uninstalling Servers"}),"\n",(0,s.jsx)(e.p,{children:"To uninstall K3s from a server node, run:"}),"\n",(0,s.jsx)(e.pre,{children:(0,s.jsx)(e.code,{className:"language-bash",children:"/usr/local/bin/k3s-uninstall.sh\n"})}),"\n",(0,s.jsx)(e.h3,{id:"uninstalling-agents",children:"Uninstalling Agents"}),"\n",(0,s.jsx)(e.p,{children:"To uninstall K3s from an agent node, run:"}),"\n",(0,s.jsx)(e.pre,{children:(0,s.jsx)(e.code,{className:"language-bash",children:"/usr/local/bin/k3s-agent-uninstall.sh\n"})})]})}function u(n={}){const{wrapper:e}={...(0,a.a)(),...n.components};return e?(0,s.jsx)(e,{...n,children:(0,s.jsx)(c,{...n})}):c(n)}},1151:(n,e,t)=>{t.d(e,{Z:()=>o,a:()=>l});var s=t(7294);const a={},i=s.createContext(a);function l(n){const e=s.useContext(i);return s.useMemo((function(){return"function"==typeof n?n(e):{...e,...n}}),[e,n])}function o(n){let e;return e=n.disableParentContext?"function"==typeof n.components?n.components(a):n.components||a:l(n.components),s.createElement(i.Provider,{value:e},n.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1073],{8544:(n,e,t)=>{t.r(e),t.d(e,{assets:()=>r,contentTitle:()=>l,default:()=>u,frontMatter:()=>i,metadata:()=>o,toc:()=>d});var s=t(5893),a=t(1151);const i={title:"Uninstalling K3s"},l=void 0,o={id:"installation/uninstall",title:"Uninstalling K3s",description:"Uninstalling K3s deletes the local cluster data, configuration, and all of the scripts and CLI tools.",source:"@site/docs/installation/uninstall.md",sourceDirName:"installation",slug:"/installation/uninstall",permalink:"/installation/uninstall",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/uninstall.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Uninstalling K3s"},sidebar:"mySidebar",previous:{title:"Managing Packaged Components",permalink:"/installation/packaged-components"},next:{title:"Cluster Datastore",permalink:"/datastore/"}},r={},d=[{value:"Uninstalling Servers",id:"uninstalling-servers",level:3},{value:"Uninstalling Agents",id:"uninstalling-agents",level:3}];function c(n){const e={a:"a",admonition:"admonition",br:"br",code:"code",h3:"h3",p:"p",pre:"pre",...(0,a.a)(),...n.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(e.admonition,{type:"warning",children:(0,s.jsxs)(e.p,{children:["Uninstalling K3s deletes the local cluster data, configuration, and all of the scripts and CLI tools.",(0,s.jsx)(e.br,{}),"\n","It does not remove any data from external datastores, or created by pods using external Kubernetes storage volumes."]})}),"\n",(0,s.jsx)(e.p,{children:"If you installed K3s using the installation script, a script to uninstall K3s was generated during installation."}),"\n",(0,s.jsxs)(e.p,{children:["If you are planning on rejoining a node to an existing cluster after uninstalling and reinstalling, be sure to delete the node from the cluster to ensure that the node password secret is removed. See the ",(0,s.jsx)(e.a,{href:"/architecture#how-agent-node-registration-works",children:"Node Registration"})," documentation for more information."]}),"\n",(0,s.jsx)(e.h3,{id:"uninstalling-servers",children:"Uninstalling Servers"}),"\n",(0,s.jsx)(e.p,{children:"To uninstall K3s from a server node, run:"}),"\n",(0,s.jsx)(e.pre,{children:(0,s.jsx)(e.code,{className:"language-bash",children:"/usr/local/bin/k3s-uninstall.sh\n"})}),"\n",(0,s.jsx)(e.h3,{id:"uninstalling-agents",children:"Uninstalling Agents"}),"\n",(0,s.jsx)(e.p,{children:"To uninstall K3s from an agent node, run:"}),"\n",(0,s.jsx)(e.pre,{children:(0,s.jsx)(e.code,{className:"language-bash",children:"/usr/local/bin/k3s-agent-uninstall.sh\n"})})]})}function u(n={}){const{wrapper:e}={...(0,a.a)(),...n.components};return e?(0,s.jsx)(e,{...n,children:(0,s.jsx)(c,{...n})}):c(n)}},1151:(n,e,t)=>{t.d(e,{Z:()=>o,a:()=>l});var s=t(7294);const a={},i=s.createContext(a);function l(n){const e=s.useContext(i);return s.useMemo((function(){return"function"==typeof n?n(e):{...e,...n}}),[e,n])}function o(n){let e;return e=n.disableParentContext?"function"==typeof n.components?n.components(a):n.components||a:l(n.components),s.createElement(i.Provider,{value:e},n.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/5159b4a0.867ebed5.js b/assets/js/5159b4a0.7ab186e2.js
similarity index 99%
rename from assets/js/5159b4a0.867ebed5.js
rename to assets/js/5159b4a0.7ab186e2.js
index de0a7b074..5c374cf1f 100644
--- a/assets/js/5159b4a0.867ebed5.js
+++ b/assets/js/5159b4a0.7ab186e2.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9478],{7477:(e,r,i)=>{i.r(r),i.d(r,{assets:()=>l,contentTitle:()=>a,default:()=>h,frontMatter:()=>s,metadata:()=>o,toc:()=>d});var t=i(5893),n=i(1151);const s={title:"Embedded Registry Mirror"},a=void 0,o={id:"installation/registry-mirror",title:"Embedded Registry Mirror",description:"The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1",source:"@site/docs/installation/registry-mirror.md",sourceDirName:"installation",slug:"/installation/registry-mirror",permalink:"/installation/registry-mirror",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/registry-mirror.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Embedded Registry Mirror"},sidebar:"mySidebar",previous:{title:"Private Registry Configuration",permalink:"/installation/private-registry"},next:{title:"Air-Gap Install",permalink:"/installation/airgap"}},l={},d=[{value:"Enabling The Distributed OCI Registry Mirror",id:"enabling-the-distributed-oci-registry-mirror",level:2},{value:"Requirements",id:"requirements",level:3},{value:"Enabling Registry Mirroring",id:"enabling-registry-mirroring",level:2},{value:"Default Endpoint Fallback",id:"default-endpoint-fallback",level:3},{value:"Latest Tag",id:"latest-tag",level:3},{value:"Security",id:"security",level:2},{value:"Authentication",id:"authentication",level:3},{value:"Potential Concerns",id:"potential-concerns",level:3},{value:"Sharing Air-gap or Manually Loaded Images",id:"sharing-air-gap-or-manually-loaded-images",level:2},{value:"Pushing Images",id:"pushing-images",level:2}];function c(e){const r={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",p:"p",pre:"pre",strong:"strong",...(0,n.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,t.jsx)(r.p,{children:"The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1"})}),"\n",(0,t.jsxs)(r.p,{children:["K3s embeds ",(0,t.jsx)(r.a,{href:"https://github.com/XenitAB/spegel",children:"Spegel"}),", a stateless distributed OCI registry mirror that allows peer-to-peer sharing of container images between nodes in a Kubernetes cluster.\nThe distributed registry mirror is disabled by default."]}),"\n",(0,t.jsx)(r.h2,{id:"enabling-the-distributed-oci-registry-mirror",children:"Enabling The Distributed OCI Registry Mirror"}),"\n",(0,t.jsxs)(r.p,{children:["In order to enable the embedded registry mirror, server nodes must be started with the ",(0,t.jsx)(r.code,{children:"--embedded-registry"})," flag, or with ",(0,t.jsx)(r.code,{children:"embedded-registry: true"})," in the configuration file.\nThis option enables the embedded mirror for use on all nodes in the cluster."]}),"\n",(0,t.jsxs)(r.p,{children:["When enabled at a cluster level, all nodes will host a local OCI registry on port 6443,\nand publish a list of available images via a peer to peer network on port 5001.\nAny image available in the containerd image store on any node, can be pulled by other cluster members without access to an external registry.\nImages imported via ",(0,t.jsx)(r.a,{href:"/installation/airgap#manually-deploy-images-method",children:"air-gap image tar files"})," are pinned in containerd to\nensure that they remain available and are not pruned by Kubelet garbage collection."]}),"\n",(0,t.jsxs)(r.p,{children:["The peer to peer port can changed from 5001 by setting the ",(0,t.jsx)(r.code,{children:"K3S_P2P_PORT"})," environment variable for the K3s service. The port must be set to the same value on all nodes.\nChanging the port is unsupported and not recommended."]}),"\n",(0,t.jsx)(r.h3,{id:"requirements",children:"Requirements"}),"\n",(0,t.jsx)(r.p,{children:"When the embedded registry mirror is enabled, all nodes must be able to reach each other via their internal IP addresses, on TCP ports 5001 and 6443.\nIf nodes cannot reach each other, it may take longer for images to be pulled, as the distributed registry will be tried first by containerd, before it falls back to other endpoints."}),"\n",(0,t.jsx)(r.h2,{id:"enabling-registry-mirroring",children:"Enabling Registry Mirroring"}),"\n",(0,t.jsx)(r.p,{children:"Enabling mirroring for a registry allows a node to both pull images from that registry from other nodes, and share the registry's images with other nodes.\nIf a registry is enabled for mirroring on some nodes, but not on others, only the nodes with the registry enabled will exchange images from that registry."}),"\n",(0,t.jsxs)(r.p,{children:["In order to enable mirroring of images from an upstream container registry, nodes must have an entry in the ",(0,t.jsx)(r.code,{children:"mirrors"})," section of ",(0,t.jsx)(r.code,{children:"registries.yaml"})," for that registry.\nThe registry does not need to have any endpoints listed, it just needs to be present.\nFor example, to enable distributed mirroring of images from ",(0,t.jsx)(r.code,{children:"docker.io"})," and ",(0,t.jsx)(r.code,{children:"registry.k8s.io"}),", configure ",(0,t.jsx)(r.code,{children:"registries.yaml"})," with the following content on all cluster nodes:"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n docker.io:\n registry.k8s.io:\n"})}),"\n",(0,t.jsxs)(r.p,{children:["Endpoints for registry mirrors may also be added as usual.\nIn the following configuration, images pull attempts will first try the embedded mirror, then ",(0,t.jsx)(r.code,{children:"mirror.example.com"}),", then finally ",(0,t.jsx)(r.code,{children:"docker.io"}),":"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n docker.io:\n endpoint:\n - https://mirror.example.com\n"})}),"\n",(0,t.jsx)(r.p,{children:"If you are using a private registry directly, instead of as a mirror for an upstream registry, you may enable distributed mirroring in the same way public\nregistries are enabled - by listing it in the mirrors section:"}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n mirror.example.com:\n"})}),"\n",(0,t.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,t.jsx)(r.p,{children:"Wildcard support is available as of the March 2024 releases: v1.26.15+k3s1, v1.27.12+k3s1, v1.28.8+k3s1, v1.29.3+k3s1"})}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:'"*"'})," wildcard mirror entry can be used to enable distributed mirroring of all registries. Note that the asterisk MUST be quoted:"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n "*":\n'})}),"\n",(0,t.jsx)(r.p,{children:"If no registries are enabled for mirroring on a node, that node does not participate in the distributed registry in any capacity."}),"\n",(0,t.jsxs)(r.p,{children:["For more information on the structure of the ",(0,t.jsx)(r.code,{children:"registries.yaml"})," file, see ",(0,t.jsx)(r.a,{href:"/installation/private-registry",children:"Private Registry Configuration"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"default-endpoint-fallback",children:"Default Endpoint Fallback"}),"\n",(0,t.jsxs)(r.p,{children:["By default, containerd will fall back to the default endpoint when pulling from registries with mirror endpoints configured. If you want to disable this,\nand only pull images from the configured mirrors and/or the embedded mirror, see the ",(0,t.jsx)(r.a,{href:"/installation/private-registry#default-endpoint-fallback",children:"Default Endpoint Fallback"}),"\nsection of the Private Registry Configuration documentation."]}),"\n",(0,t.jsxs)(r.p,{children:["Note that if you are using the ",(0,t.jsx)(r.code,{children:"--disable-default-endpoint"})," option and want to allow pulling directly from a particular registry, while disallowing the rest,\nyou can explicitly provide an endpoint in order to allow the image pull to fall back to the registry itself:"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n docker.io: # no default endpoint, pulls will fail if not available on a node\n registry.k8s.io: # no default endpoint, pulls will fail if not available on a node\n mirror.example.com: # explicit default endpoint, can pull from upstream if not available on a node\n endpoint:\n - https://mirror.example.com\n"})}),"\n",(0,t.jsx)(r.h3,{id:"latest-tag",children:"Latest Tag"}),"\n",(0,t.jsxs)(r.p,{children:["When no tag is specified for a container image, the implicit default tag is ",(0,t.jsx)(r.code,{children:"latest"}),". This tag is frequently\nupdated to point at the most recent version of the image. Because this tag will point at a different revisions\nof an image depending on when it is pulled, the distributed registry ",(0,t.jsx)(r.strong,{children:"will not"})," pull the ",(0,t.jsx)(r.code,{children:"latest"})," tag from\nother nodes. This forces containerd go out to an upstream registry or registry mirror to ensure a consistent\nview of what the ",(0,t.jsx)(r.code,{children:"latest"})," tag refers to."]}),"\n",(0,t.jsxs)(r.p,{children:["This aligns with the ",(0,t.jsxs)(r.a,{href:"https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting",children:["special ",(0,t.jsx)(r.code,{children:"imagePullPolicy"})," defaulting"]}),"\nobserved by Kubernetes when using the ",(0,t.jsx)(r.code,{children:"latest"})," tag for a container image."]}),"\n",(0,t.jsxs)(r.p,{children:["Mirroring the ",(0,t.jsx)(r.code,{children:"latest"})," tag can be enabled by setting the ",(0,t.jsx)(r.code,{children:"K3S_P2P_ENABLE_LATEST=true"})," environment variable for the K3s service.\nThis is unsupported and not recommended, for the reasons discussed above."]}),"\n",(0,t.jsx)(r.h2,{id:"security",children:"Security"}),"\n",(0,t.jsx)(r.h3,{id:"authentication",children:"Authentication"}),"\n",(0,t.jsx)(r.p,{children:"Access to the embedded mirror's registry API requires a valid client certificate, signed by the cluster's client certificate authority."}),"\n",(0,t.jsx)(r.p,{children:"Access to the distributed hash table's peer-to-peer network requires a preshared key that is controlled by server nodes.\nNodes authenticate each other using both the preshared key, and a certificate signed by the cluster certificate authority."}),"\n",(0,t.jsx)(r.h3,{id:"potential-concerns",children:"Potential Concerns"}),"\n",(0,t.jsx)(r.admonition,{type:"warning",children:(0,t.jsx)(r.p,{children:"The distributed registry is built on peer-to-peer principles, and assumes an equal level of privilege and trust between all cluster members.\nIf this does not match your cluster's security posture, you should not enable the embedded distributed registry."})}),"\n",(0,t.jsxs)(r.p,{children:["The embedded registry may make available images that a node may not otherwise have access to.\nFor example, if some of your images are pulled from a registry, project, or repository that requires authentication via Kubernetes Image Pull Secrets, or credentials in ",(0,t.jsx)(r.code,{children:"registries.yaml"}),",\nthe distributed registry will allow other nodes to share those images without providing any credentials to the upstream registry."]}),"\n",(0,t.jsx)(r.p,{children:"Users with access to push images into the containerd image store on one node may be able to use this to 'poison' the image for other cluster nodes,\nas other nodes will trust the tag advertised by the node, and use it without checking with the upstream registry.\nIf image integrity is important, you should use image digests instead of tags, as the digest cannot be poisoned in this manner."}),"\n",(0,t.jsx)(r.h2,{id:"sharing-air-gap-or-manually-loaded-images",children:"Sharing Air-gap or Manually Loaded Images"}),"\n",(0,t.jsxs)(r.p,{children:["Images sharing is controlled based on the source registry.\nImages loaded directly into containerd via air-gap tarballs, or loaded directly into containerd's image store using the ",(0,t.jsx)(r.code,{children:"ctr"})," command line tool,\nwill be shared between nodes if they are tagged as being from a registry that is enabled for mirroring."]}),"\n",(0,t.jsxs)(r.p,{children:["Note that the upstream registry that the images appear to come from does not actually have to exist or be reachable.\nFor example, you could tag images as being from a fictitious upstream registry, and import those images into containerd's image store.\nYou would then be able to pull those images from all cluster members, as long as that registry is listed in ",(0,t.jsx)(r.code,{children:"registries.yaml"})]}),"\n",(0,t.jsx)(r.h2,{id:"pushing-images",children:"Pushing Images"}),"\n",(0,t.jsxs)(r.p,{children:["The embedded registry is read-only, and cannot be pushed to directly using ",(0,t.jsx)(r.code,{children:"docker push"})," or other common tools that interact with OCI registries."]}),"\n",(0,t.jsxs)(r.p,{children:["Images can be manually made available via the embedded registry by running ",(0,t.jsx)(r.code,{children:"ctr -n k8s.io image pull"})," to pull an image,\nor by loading image archives created by ",(0,t.jsx)(r.code,{children:"docker save"})," via the ",(0,t.jsx)(r.code,{children:"ctr -n k8s.io image import"})," command.\nNote that the ",(0,t.jsx)(r.code,{children:"k8s.io"})," namespace must be specified when managing images via ",(0,t.jsx)(r.code,{children:"ctr"})," in order for them to be visible to the kubelet."]})]})}function h(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,t.jsx)(r,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}},1151:(e,r,i)=>{i.d(r,{Z:()=>o,a:()=>a});var t=i(7294);const n={},s=t.createContext(n);function a(e){const r=t.useContext(s);return t.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function o(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:a(e.components),t.createElement(s.Provider,{value:r},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9478],{7477:(e,r,i)=>{i.r(r),i.d(r,{assets:()=>l,contentTitle:()=>a,default:()=>h,frontMatter:()=>s,metadata:()=>o,toc:()=>d});var t=i(5893),n=i(1151);const s={title:"Embedded Registry Mirror"},a=void 0,o={id:"installation/registry-mirror",title:"Embedded Registry Mirror",description:"The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1",source:"@site/docs/installation/registry-mirror.md",sourceDirName:"installation",slug:"/installation/registry-mirror",permalink:"/installation/registry-mirror",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/registry-mirror.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Embedded Registry Mirror"},sidebar:"mySidebar",previous:{title:"Private Registry Configuration",permalink:"/installation/private-registry"},next:{title:"Air-Gap Install",permalink:"/installation/airgap"}},l={},d=[{value:"Enabling The Distributed OCI Registry Mirror",id:"enabling-the-distributed-oci-registry-mirror",level:2},{value:"Requirements",id:"requirements",level:3},{value:"Enabling Registry Mirroring",id:"enabling-registry-mirroring",level:2},{value:"Default Endpoint Fallback",id:"default-endpoint-fallback",level:3},{value:"Latest Tag",id:"latest-tag",level:3},{value:"Security",id:"security",level:2},{value:"Authentication",id:"authentication",level:3},{value:"Potential Concerns",id:"potential-concerns",level:3},{value:"Sharing Air-gap or Manually Loaded Images",id:"sharing-air-gap-or-manually-loaded-images",level:2},{value:"Pushing Images",id:"pushing-images",level:2}];function c(e){const r={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",p:"p",pre:"pre",strong:"strong",...(0,n.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,t.jsx)(r.p,{children:"The Embedded Registry Mirror is available as an experimental feature as of January 2024 releases: v1.26.13+k3s1, v1.27.10+k3s1, v1.28.6+k3s1, v1.29.1+k3s1"})}),"\n",(0,t.jsxs)(r.p,{children:["K3s embeds ",(0,t.jsx)(r.a,{href:"https://github.com/XenitAB/spegel",children:"Spegel"}),", a stateless distributed OCI registry mirror that allows peer-to-peer sharing of container images between nodes in a Kubernetes cluster.\nThe distributed registry mirror is disabled by default."]}),"\n",(0,t.jsx)(r.h2,{id:"enabling-the-distributed-oci-registry-mirror",children:"Enabling The Distributed OCI Registry Mirror"}),"\n",(0,t.jsxs)(r.p,{children:["In order to enable the embedded registry mirror, server nodes must be started with the ",(0,t.jsx)(r.code,{children:"--embedded-registry"})," flag, or with ",(0,t.jsx)(r.code,{children:"embedded-registry: true"})," in the configuration file.\nThis option enables the embedded mirror for use on all nodes in the cluster."]}),"\n",(0,t.jsxs)(r.p,{children:["When enabled at a cluster level, all nodes will host a local OCI registry on port 6443,\nand publish a list of available images via a peer to peer network on port 5001.\nAny image available in the containerd image store on any node, can be pulled by other cluster members without access to an external registry.\nImages imported via ",(0,t.jsx)(r.a,{href:"/installation/airgap#manually-deploy-images-method",children:"air-gap image tar files"})," are pinned in containerd to\nensure that they remain available and are not pruned by Kubelet garbage collection."]}),"\n",(0,t.jsxs)(r.p,{children:["The peer to peer port can changed from 5001 by setting the ",(0,t.jsx)(r.code,{children:"K3S_P2P_PORT"})," environment variable for the K3s service. The port must be set to the same value on all nodes.\nChanging the port is unsupported and not recommended."]}),"\n",(0,t.jsx)(r.h3,{id:"requirements",children:"Requirements"}),"\n",(0,t.jsx)(r.p,{children:"When the embedded registry mirror is enabled, all nodes must be able to reach each other via their internal IP addresses, on TCP ports 5001 and 6443.\nIf nodes cannot reach each other, it may take longer for images to be pulled, as the distributed registry will be tried first by containerd, before it falls back to other endpoints."}),"\n",(0,t.jsx)(r.h2,{id:"enabling-registry-mirroring",children:"Enabling Registry Mirroring"}),"\n",(0,t.jsx)(r.p,{children:"Enabling mirroring for a registry allows a node to both pull images from that registry from other nodes, and share the registry's images with other nodes.\nIf a registry is enabled for mirroring on some nodes, but not on others, only the nodes with the registry enabled will exchange images from that registry."}),"\n",(0,t.jsxs)(r.p,{children:["In order to enable mirroring of images from an upstream container registry, nodes must have an entry in the ",(0,t.jsx)(r.code,{children:"mirrors"})," section of ",(0,t.jsx)(r.code,{children:"registries.yaml"})," for that registry.\nThe registry does not need to have any endpoints listed, it just needs to be present.\nFor example, to enable distributed mirroring of images from ",(0,t.jsx)(r.code,{children:"docker.io"})," and ",(0,t.jsx)(r.code,{children:"registry.k8s.io"}),", configure ",(0,t.jsx)(r.code,{children:"registries.yaml"})," with the following content on all cluster nodes:"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n docker.io:\n registry.k8s.io:\n"})}),"\n",(0,t.jsxs)(r.p,{children:["Endpoints for registry mirrors may also be added as usual.\nIn the following configuration, images pull attempts will first try the embedded mirror, then ",(0,t.jsx)(r.code,{children:"mirror.example.com"}),", then finally ",(0,t.jsx)(r.code,{children:"docker.io"}),":"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n docker.io:\n endpoint:\n - https://mirror.example.com\n"})}),"\n",(0,t.jsx)(r.p,{children:"If you are using a private registry directly, instead of as a mirror for an upstream registry, you may enable distributed mirroring in the same way public\nregistries are enabled - by listing it in the mirrors section:"}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n mirror.example.com:\n"})}),"\n",(0,t.jsx)(r.admonition,{title:"Version Gate",type:"info",children:(0,t.jsx)(r.p,{children:"Wildcard support is available as of the March 2024 releases: v1.26.15+k3s1, v1.27.12+k3s1, v1.28.8+k3s1, v1.29.3+k3s1"})}),"\n",(0,t.jsxs)(r.p,{children:["The ",(0,t.jsx)(r.code,{children:'"*"'})," wildcard mirror entry can be used to enable distributed mirroring of all registries. Note that the asterisk MUST be quoted:"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:'mirrors:\n "*":\n'})}),"\n",(0,t.jsx)(r.p,{children:"If no registries are enabled for mirroring on a node, that node does not participate in the distributed registry in any capacity."}),"\n",(0,t.jsxs)(r.p,{children:["For more information on the structure of the ",(0,t.jsx)(r.code,{children:"registries.yaml"})," file, see ",(0,t.jsx)(r.a,{href:"/installation/private-registry",children:"Private Registry Configuration"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"default-endpoint-fallback",children:"Default Endpoint Fallback"}),"\n",(0,t.jsxs)(r.p,{children:["By default, containerd will fall back to the default endpoint when pulling from registries with mirror endpoints configured. If you want to disable this,\nand only pull images from the configured mirrors and/or the embedded mirror, see the ",(0,t.jsx)(r.a,{href:"/installation/private-registry#default-endpoint-fallback",children:"Default Endpoint Fallback"}),"\nsection of the Private Registry Configuration documentation."]}),"\n",(0,t.jsxs)(r.p,{children:["Note that if you are using the ",(0,t.jsx)(r.code,{children:"--disable-default-endpoint"})," option and want to allow pulling directly from a particular registry, while disallowing the rest,\nyou can explicitly provide an endpoint in order to allow the image pull to fall back to the registry itself:"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-yaml",children:"mirrors:\n docker.io: # no default endpoint, pulls will fail if not available on a node\n registry.k8s.io: # no default endpoint, pulls will fail if not available on a node\n mirror.example.com: # explicit default endpoint, can pull from upstream if not available on a node\n endpoint:\n - https://mirror.example.com\n"})}),"\n",(0,t.jsx)(r.h3,{id:"latest-tag",children:"Latest Tag"}),"\n",(0,t.jsxs)(r.p,{children:["When no tag is specified for a container image, the implicit default tag is ",(0,t.jsx)(r.code,{children:"latest"}),". This tag is frequently\nupdated to point at the most recent version of the image. Because this tag will point at a different revisions\nof an image depending on when it is pulled, the distributed registry ",(0,t.jsx)(r.strong,{children:"will not"})," pull the ",(0,t.jsx)(r.code,{children:"latest"})," tag from\nother nodes. This forces containerd go out to an upstream registry or registry mirror to ensure a consistent\nview of what the ",(0,t.jsx)(r.code,{children:"latest"})," tag refers to."]}),"\n",(0,t.jsxs)(r.p,{children:["This aligns with the ",(0,t.jsxs)(r.a,{href:"https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting",children:["special ",(0,t.jsx)(r.code,{children:"imagePullPolicy"})," defaulting"]}),"\nobserved by Kubernetes when using the ",(0,t.jsx)(r.code,{children:"latest"})," tag for a container image."]}),"\n",(0,t.jsxs)(r.p,{children:["Mirroring the ",(0,t.jsx)(r.code,{children:"latest"})," tag can be enabled by setting the ",(0,t.jsx)(r.code,{children:"K3S_P2P_ENABLE_LATEST=true"})," environment variable for the K3s service.\nThis is unsupported and not recommended, for the reasons discussed above."]}),"\n",(0,t.jsx)(r.h2,{id:"security",children:"Security"}),"\n",(0,t.jsx)(r.h3,{id:"authentication",children:"Authentication"}),"\n",(0,t.jsx)(r.p,{children:"Access to the embedded mirror's registry API requires a valid client certificate, signed by the cluster's client certificate authority."}),"\n",(0,t.jsx)(r.p,{children:"Access to the distributed hash table's peer-to-peer network requires a preshared key that is controlled by server nodes.\nNodes authenticate each other using both the preshared key, and a certificate signed by the cluster certificate authority."}),"\n",(0,t.jsx)(r.h3,{id:"potential-concerns",children:"Potential Concerns"}),"\n",(0,t.jsx)(r.admonition,{type:"warning",children:(0,t.jsx)(r.p,{children:"The distributed registry is built on peer-to-peer principles, and assumes an equal level of privilege and trust between all cluster members.\nIf this does not match your cluster's security posture, you should not enable the embedded distributed registry."})}),"\n",(0,t.jsxs)(r.p,{children:["The embedded registry may make available images that a node may not otherwise have access to.\nFor example, if some of your images are pulled from a registry, project, or repository that requires authentication via Kubernetes Image Pull Secrets, or credentials in ",(0,t.jsx)(r.code,{children:"registries.yaml"}),",\nthe distributed registry will allow other nodes to share those images without providing any credentials to the upstream registry."]}),"\n",(0,t.jsx)(r.p,{children:"Users with access to push images into the containerd image store on one node may be able to use this to 'poison' the image for other cluster nodes,\nas other nodes will trust the tag advertised by the node, and use it without checking with the upstream registry.\nIf image integrity is important, you should use image digests instead of tags, as the digest cannot be poisoned in this manner."}),"\n",(0,t.jsx)(r.h2,{id:"sharing-air-gap-or-manually-loaded-images",children:"Sharing Air-gap or Manually Loaded Images"}),"\n",(0,t.jsxs)(r.p,{children:["Images sharing is controlled based on the source registry.\nImages loaded directly into containerd via air-gap tarballs, or loaded directly into containerd's image store using the ",(0,t.jsx)(r.code,{children:"ctr"})," command line tool,\nwill be shared between nodes if they are tagged as being from a registry that is enabled for mirroring."]}),"\n",(0,t.jsxs)(r.p,{children:["Note that the upstream registry that the images appear to come from does not actually have to exist or be reachable.\nFor example, you could tag images as being from a fictitious upstream registry, and import those images into containerd's image store.\nYou would then be able to pull those images from all cluster members, as long as that registry is listed in ",(0,t.jsx)(r.code,{children:"registries.yaml"})]}),"\n",(0,t.jsx)(r.h2,{id:"pushing-images",children:"Pushing Images"}),"\n",(0,t.jsxs)(r.p,{children:["The embedded registry is read-only, and cannot be pushed to directly using ",(0,t.jsx)(r.code,{children:"docker push"})," or other common tools that interact with OCI registries."]}),"\n",(0,t.jsxs)(r.p,{children:["Images can be manually made available via the embedded registry by running ",(0,t.jsx)(r.code,{children:"ctr -n k8s.io image pull"})," to pull an image,\nor by loading image archives created by ",(0,t.jsx)(r.code,{children:"docker save"})," via the ",(0,t.jsx)(r.code,{children:"ctr -n k8s.io image import"})," command.\nNote that the ",(0,t.jsx)(r.code,{children:"k8s.io"})," namespace must be specified when managing images via ",(0,t.jsx)(r.code,{children:"ctr"})," in order for them to be visible to the kubelet."]})]})}function h(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,t.jsx)(r,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}},1151:(e,r,i)=>{i.d(r,{Z:()=>o,a:()=>a});var t=i(7294);const n={},s=t.createContext(n);function a(e){const r=t.useContext(s);return t.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function o(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:a(e.components),t.createElement(s.Provider,{value:r},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/5281b7a2.5f842cca.js b/assets/js/5281b7a2.81ae9cfc.js
similarity index 99%
rename from assets/js/5281b7a2.5f842cca.js
rename to assets/js/5281b7a2.81ae9cfc.js
index 8488c47b7..f702e2f12 100644
--- a/assets/js/5281b7a2.5f842cca.js
+++ b/assets/js/5281b7a2.81ae9cfc.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[5927],{6506:(e,t,s)=>{s.r(t),s.d(t,{assets:()=>l,contentTitle:()=>d,default:()=>g,frontMatter:()=>o,metadata:()=>c,toc:()=>h});var n=s(5893),r=s(1151),i=s(9965),a=s(4996);const o={title:"Architecture"},d=void 0,c={id:"architecture",title:"Architecture",description:"Servers and Agents",source:"@site/docs/architecture.md",sourceDirName:".",slug:"/architecture",permalink:"/architecture",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/architecture.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Architecture"},sidebar:"mySidebar",previous:{title:"token",permalink:"/cli/token"},next:{title:"Cluster Access",permalink:"/cluster-access"}},l={},h=[{value:"Servers and Agents",id:"servers-and-agents",level:3},{value:"Single-server Setup with an Embedded DB",id:"single-server-setup-with-an-embedded-db",level:3},{value:"High-Availability K3s",id:"high-availability-k3s",level:3},{value:"Fixed Registration Address for Agent Nodes",id:"fixed-registration-address-for-agent-nodes",level:3},{value:"How Agent Node Registration Works",id:"how-agent-node-registration-works",level:3}];function u(e){const t={a:"a",code:"code",h3:"h3",img:"img",li:"li",p:"p",strong:"strong",ul:"ul",...(0,r.a)(),...e.components},{TabItem:o,Tabs:d}=t;return o||v("TabItem",!0),d||v("Tabs",!0),(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(t.h3,{id:"servers-and-agents",children:"Servers and Agents"}),"\n",(0,n.jsxs)(t.ul,{children:["\n",(0,n.jsxs)(t.li,{children:["A server node is defined as a host running the ",(0,n.jsx)(t.code,{children:"k3s server"})," command, with control-plane and datastore components managed by K3s."]}),"\n",(0,n.jsxs)(t.li,{children:["An agent node is defined as a host running the ",(0,n.jsx)(t.code,{children:"k3s agent"})," command, without any datastore or control-plane components."]}),"\n",(0,n.jsxs)(t.li,{children:["Both servers and agents run the kubelet, container runtime, and CNI. See the ",(0,n.jsx)(t.a,{href:"/advanced#running-agentless-servers-experimental",children:"Advanced Options"})," documentation for more information on running agentless servers."]}),"\n"]}),"\n",(0,n.jsx)(t.p,{children:(0,n.jsx)(t.img,{src:s(4530).Z+"",width:"1562",height:"898"})}),"\n",(0,n.jsx)(t.h3,{id:"single-server-setup-with-an-embedded-db",children:"Single-server Setup with an Embedded DB"}),"\n",(0,n.jsx)(t.p,{children:"The following diagram shows an example of a cluster that has a single-node K3s server with an embedded SQLite database."}),"\n",(0,n.jsx)(t.p,{children:"In this configuration, each agent node is registered to the same server node. A K3s user can manipulate Kubernetes resources by calling the K3s API on the server node."}),"\n",(0,n.jsx)(i.Z,{alt:"K3s Architecture with a Single Server",sources:{light:(0,a.ZP)("/img/k3s-architecture-single-server.svg"),dark:(0,a.ZP)("/img/k3s-architecture-single-server-dark.svg")}}),"\n",(0,n.jsx)(t.h3,{id:"high-availability-k3s",children:"High-Availability K3s"}),"\n",(0,n.jsx)(t.p,{children:"Single server clusters can meet a variety of use cases, but for environments where uptime of the Kubernetes control plane is critical, you can run K3s in an HA configuration. An HA K3s cluster comprises:"}),"\n",(0,n.jsxs)(d,{children:[(0,n.jsxs)(o,{value:"Embedded DB",children:[(0,n.jsxs)(t.ul,{children:["\n",(0,n.jsxs)(t.li,{children:["Three or more ",(0,n.jsx)(t.strong,{children:"server nodes"})," that will serve the Kubernetes API and run other control plane services"]}),"\n",(0,n.jsxs)(t.li,{children:["An ",(0,n.jsx)(t.strong,{children:"embedded etcd datastore"})," (as opposed to the embedded SQLite datastore used in single-server setups)"]}),"\n"]}),(0,n.jsx)(i.Z,{alt:"K3s Architecture with High-availability Servers",sources:{light:(0,a.ZP)("/img/k3s-architecture-ha-embedded.svg"),dark:(0,a.ZP)("/img/k3s-architecture-ha-embedded-dark.svg")}})]}),(0,n.jsxs)(o,{value:"External DB",children:[(0,n.jsxs)(t.ul,{children:["\n",(0,n.jsxs)(t.li,{children:["Two or more ",(0,n.jsx)(t.strong,{children:"server nodes"})," that will serve the Kubernetes API and run other control plane services"]}),"\n",(0,n.jsxs)(t.li,{children:["An ",(0,n.jsx)(t.strong,{children:"external datastore"})," (such as MySQL, PostgreSQL, or etcd)"]}),"\n"]}),(0,n.jsx)(i.Z,{alt:"K3s Architecture with High-availability Servers and an External DB",sources:{light:(0,a.ZP)("/img/k3s-architecture-ha-external.svg"),dark:(0,a.ZP)("/img/k3s-architecture-ha-external-dark.svg")}})]})]}),"\n",(0,n.jsx)(t.h3,{id:"fixed-registration-address-for-agent-nodes",children:"Fixed Registration Address for Agent Nodes"}),"\n",(0,n.jsx)(t.p,{children:"In the high-availability server configuration, each node can also register with the Kubernetes API by using a fixed registration address, as shown in the diagram below."}),"\n",(0,n.jsx)(t.p,{children:"After registration, the agent nodes establish a connection directly to one of the server nodes."}),"\n",(0,n.jsx)(i.Z,{alt:"Agent Registration HA",sources:{light:(0,a.ZP)("/img/k3s-production-setup.svg"),dark:(0,a.ZP)("/img/k3s-production-setup-dark.svg")}}),"\n",(0,n.jsx)(t.h3,{id:"how-agent-node-registration-works",children:"How Agent Node Registration Works"}),"\n",(0,n.jsxs)(t.p,{children:["Agent nodes are registered with a websocket connection initiated by the ",(0,n.jsx)(t.code,{children:"k3s agent"})," process, and the connection is maintained by a client-side load balancer running as part of the agent process. Initially, the agent connects to the supervisor (and kube-apiserver) via the local load-balancer on port 6443. The load-balancer maintains a list of available endpoints to connect to. The default (and initially only) endpoint is seeded by the hostname from the ",(0,n.jsx)(t.code,{children:"--server"})," address. Once it connects to the cluster, the agent retrieves a list of kube-apiserver addresses from the Kubernetes service endpoint list in the default namespace. Those endpoints are added to the load balancer, which then maintains stable connections to all servers in the cluster, providing a connection to the kube-apiserver that tolerates outages of individual servers."]}),"\n",(0,n.jsxs)(t.p,{children:["Agents will register with the server using the node cluster secret along with a randomly generated password for the node, stored at ",(0,n.jsx)(t.code,{children:"/etc/rancher/node/password"}),". The server will store the passwords for individual nodes as Kubernetes secrets, and any subsequent attempts must use the same password. Node password secrets are stored in the ",(0,n.jsx)(t.code,{children:"kube-system"})," namespace with names using the template ",(0,n.jsx)(t.code,{children:".node-password.k3s"}),". This is done to protect the integrity of node IDs."]}),"\n",(0,n.jsxs)(t.p,{children:["If the ",(0,n.jsx)(t.code,{children:"/etc/rancher/node"})," directory of an agent is removed, or you wish to rejoin a node using an existing name, the node should be deleted from the cluster. This will clean up both the old node entry, and the node password secret, and allow the node to (re)join the cluster."]}),"\n",(0,n.jsxs)(t.p,{children:["If you frequently reuse hostnames, but are unable to remove the node password secrets, a unique node ID can be automatically appended to the hostname by launching K3s servers or agents using the ",(0,n.jsx)(t.code,{children:"--with-node-id"})," flag. When enabled, the node ID is also stored in ",(0,n.jsx)(t.code,{children:"/etc/rancher/node/"}),"."]})]})}function g(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,n.jsx)(t,{...e,children:(0,n.jsx)(u,{...e})}):u(e)}function v(e,t){throw new Error("Expected "+(t?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},4530:(e,t,s)=>{s.d(t,{Z:()=>n});const n=s.p+"assets/images/how-it-works-k3s-revised-9c025ef482404bca2e53a89a0ba7a3c5.svg"},1151:(e,t,s)=>{s.d(t,{Z:()=>o,a:()=>a});var n=s(7294);const r={},i=n.createContext(r);function a(e){const t=n.useContext(i);return n.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function o(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:a(e.components),n.createElement(i.Provider,{value:t},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[5927],{6506:(e,t,s)=>{s.r(t),s.d(t,{assets:()=>l,contentTitle:()=>d,default:()=>g,frontMatter:()=>o,metadata:()=>c,toc:()=>h});var n=s(5893),r=s(1151),i=s(9965),a=s(4996);const o={title:"Architecture"},d=void 0,c={id:"architecture",title:"Architecture",description:"Servers and Agents",source:"@site/docs/architecture.md",sourceDirName:".",slug:"/architecture",permalink:"/architecture",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/architecture.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Architecture"},sidebar:"mySidebar",previous:{title:"token",permalink:"/cli/token"},next:{title:"Cluster Access",permalink:"/cluster-access"}},l={},h=[{value:"Servers and Agents",id:"servers-and-agents",level:3},{value:"Single-server Setup with an Embedded DB",id:"single-server-setup-with-an-embedded-db",level:3},{value:"High-Availability K3s",id:"high-availability-k3s",level:3},{value:"Fixed Registration Address for Agent Nodes",id:"fixed-registration-address-for-agent-nodes",level:3},{value:"How Agent Node Registration Works",id:"how-agent-node-registration-works",level:3}];function u(e){const t={a:"a",code:"code",h3:"h3",img:"img",li:"li",p:"p",strong:"strong",ul:"ul",...(0,r.a)(),...e.components},{TabItem:o,Tabs:d}=t;return o||v("TabItem",!0),d||v("Tabs",!0),(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(t.h3,{id:"servers-and-agents",children:"Servers and Agents"}),"\n",(0,n.jsxs)(t.ul,{children:["\n",(0,n.jsxs)(t.li,{children:["A server node is defined as a host running the ",(0,n.jsx)(t.code,{children:"k3s server"})," command, with control-plane and datastore components managed by K3s."]}),"\n",(0,n.jsxs)(t.li,{children:["An agent node is defined as a host running the ",(0,n.jsx)(t.code,{children:"k3s agent"})," command, without any datastore or control-plane components."]}),"\n",(0,n.jsxs)(t.li,{children:["Both servers and agents run the kubelet, container runtime, and CNI. See the ",(0,n.jsx)(t.a,{href:"/advanced#running-agentless-servers-experimental",children:"Advanced Options"})," documentation for more information on running agentless servers."]}),"\n"]}),"\n",(0,n.jsx)(t.p,{children:(0,n.jsx)(t.img,{src:s(4530).Z+"",width:"1562",height:"898"})}),"\n",(0,n.jsx)(t.h3,{id:"single-server-setup-with-an-embedded-db",children:"Single-server Setup with an Embedded DB"}),"\n",(0,n.jsx)(t.p,{children:"The following diagram shows an example of a cluster that has a single-node K3s server with an embedded SQLite database."}),"\n",(0,n.jsx)(t.p,{children:"In this configuration, each agent node is registered to the same server node. A K3s user can manipulate Kubernetes resources by calling the K3s API on the server node."}),"\n",(0,n.jsx)(i.Z,{alt:"K3s Architecture with a Single Server",sources:{light:(0,a.ZP)("/img/k3s-architecture-single-server.svg"),dark:(0,a.ZP)("/img/k3s-architecture-single-server-dark.svg")}}),"\n",(0,n.jsx)(t.h3,{id:"high-availability-k3s",children:"High-Availability K3s"}),"\n",(0,n.jsx)(t.p,{children:"Single server clusters can meet a variety of use cases, but for environments where uptime of the Kubernetes control plane is critical, you can run K3s in an HA configuration. An HA K3s cluster comprises:"}),"\n",(0,n.jsxs)(d,{children:[(0,n.jsxs)(o,{value:"Embedded DB",children:[(0,n.jsxs)(t.ul,{children:["\n",(0,n.jsxs)(t.li,{children:["Three or more ",(0,n.jsx)(t.strong,{children:"server nodes"})," that will serve the Kubernetes API and run other control plane services"]}),"\n",(0,n.jsxs)(t.li,{children:["An ",(0,n.jsx)(t.strong,{children:"embedded etcd datastore"})," (as opposed to the embedded SQLite datastore used in single-server setups)"]}),"\n"]}),(0,n.jsx)(i.Z,{alt:"K3s Architecture with High-availability Servers",sources:{light:(0,a.ZP)("/img/k3s-architecture-ha-embedded.svg"),dark:(0,a.ZP)("/img/k3s-architecture-ha-embedded-dark.svg")}})]}),(0,n.jsxs)(o,{value:"External DB",children:[(0,n.jsxs)(t.ul,{children:["\n",(0,n.jsxs)(t.li,{children:["Two or more ",(0,n.jsx)(t.strong,{children:"server nodes"})," that will serve the Kubernetes API and run other control plane services"]}),"\n",(0,n.jsxs)(t.li,{children:["An ",(0,n.jsx)(t.strong,{children:"external datastore"})," (such as MySQL, PostgreSQL, or etcd)"]}),"\n"]}),(0,n.jsx)(i.Z,{alt:"K3s Architecture with High-availability Servers and an External DB",sources:{light:(0,a.ZP)("/img/k3s-architecture-ha-external.svg"),dark:(0,a.ZP)("/img/k3s-architecture-ha-external-dark.svg")}})]})]}),"\n",(0,n.jsx)(t.h3,{id:"fixed-registration-address-for-agent-nodes",children:"Fixed Registration Address for Agent Nodes"}),"\n",(0,n.jsx)(t.p,{children:"In the high-availability server configuration, each node can also register with the Kubernetes API by using a fixed registration address, as shown in the diagram below."}),"\n",(0,n.jsx)(t.p,{children:"After registration, the agent nodes establish a connection directly to one of the server nodes."}),"\n",(0,n.jsx)(i.Z,{alt:"Agent Registration HA",sources:{light:(0,a.ZP)("/img/k3s-production-setup.svg"),dark:(0,a.ZP)("/img/k3s-production-setup-dark.svg")}}),"\n",(0,n.jsx)(t.h3,{id:"how-agent-node-registration-works",children:"How Agent Node Registration Works"}),"\n",(0,n.jsxs)(t.p,{children:["Agent nodes are registered with a websocket connection initiated by the ",(0,n.jsx)(t.code,{children:"k3s agent"})," process, and the connection is maintained by a client-side load balancer running as part of the agent process. Initially, the agent connects to the supervisor (and kube-apiserver) via the local load-balancer on port 6443. The load-balancer maintains a list of available endpoints to connect to. The default (and initially only) endpoint is seeded by the hostname from the ",(0,n.jsx)(t.code,{children:"--server"})," address. Once it connects to the cluster, the agent retrieves a list of kube-apiserver addresses from the Kubernetes service endpoint list in the default namespace. Those endpoints are added to the load balancer, which then maintains stable connections to all servers in the cluster, providing a connection to the kube-apiserver that tolerates outages of individual servers."]}),"\n",(0,n.jsxs)(t.p,{children:["Agents will register with the server using the node cluster secret along with a randomly generated password for the node, stored at ",(0,n.jsx)(t.code,{children:"/etc/rancher/node/password"}),". The server will store the passwords for individual nodes as Kubernetes secrets, and any subsequent attempts must use the same password. Node password secrets are stored in the ",(0,n.jsx)(t.code,{children:"kube-system"})," namespace with names using the template ",(0,n.jsx)(t.code,{children:".node-password.k3s"}),". This is done to protect the integrity of node IDs."]}),"\n",(0,n.jsxs)(t.p,{children:["If the ",(0,n.jsx)(t.code,{children:"/etc/rancher/node"})," directory of an agent is removed, or you wish to rejoin a node using an existing name, the node should be deleted from the cluster. This will clean up both the old node entry, and the node password secret, and allow the node to (re)join the cluster."]}),"\n",(0,n.jsxs)(t.p,{children:["If you frequently reuse hostnames, but are unable to remove the node password secrets, a unique node ID can be automatically appended to the hostname by launching K3s servers or agents using the ",(0,n.jsx)(t.code,{children:"--with-node-id"})," flag. When enabled, the node ID is also stored in ",(0,n.jsx)(t.code,{children:"/etc/rancher/node/"}),"."]})]})}function g(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,n.jsx)(t,{...e,children:(0,n.jsx)(u,{...e})}):u(e)}function v(e,t){throw new Error("Expected "+(t?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},4530:(e,t,s)=>{s.d(t,{Z:()=>n});const n=s.p+"assets/images/how-it-works-k3s-revised-9c025ef482404bca2e53a89a0ba7a3c5.svg"},1151:(e,t,s)=>{s.d(t,{Z:()=>o,a:()=>a});var n=s(7294);const r={},i=n.createContext(r);function a(e){const t=n.useContext(i);return n.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function o(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:a(e.components),n.createElement(i.Provider,{value:t},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/57d35c99.870237be.js b/assets/js/57d35c99.2f1debc1.js
similarity index 98%
rename from assets/js/57d35c99.870237be.js
rename to assets/js/57d35c99.2f1debc1.js
index 64e1e1c15..2b42afeca 100644
--- a/assets/js/57d35c99.870237be.js
+++ b/assets/js/57d35c99.2f1debc1.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8005],{3548:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>l,contentTitle:()=>c,default:()=>p,frontMatter:()=>s,metadata:()=>o,toc:()=>a});var i=t(5893),r=t(1151);const s={title:"Secrets Encryption"},c="Secrets Encryption Config",o={id:"security/secrets-encryption",title:"Secrets Encryption",description:"K3s supports enabling secrets encryption at rest. When first starting the server, passing the flag --secrets-encryption will do the following automatically:",source:"@site/docs/security/secrets-encryption.md",sourceDirName:"security",slug:"/security/secrets-encryption",permalink:"/security/secrets-encryption",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/secrets-encryption.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Secrets Encryption"},sidebar:"mySidebar",previous:{title:"Security",permalink:"/security/"},next:{title:"CIS Hardening Guide",permalink:"/security/hardening-guide"}},l={},a=[{value:"Secrets Encryption Tool",id:"secrets-encryption-tool",level:2}];function d(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",h1:"h1",h2:"h2",header:"header",li:"li",mdxAdmonitionTitle:"mdxAdmonitionTitle",p:"p",pre:"pre",ul:"ul",...(0,r.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.header,{children:(0,i.jsx)(n.h1,{id:"secrets-encryption-config",children:"Secrets Encryption Config"})}),"\n",(0,i.jsxs)(n.p,{children:["K3s supports enabling secrets encryption at rest. When first starting the server, passing the flag ",(0,i.jsx)(n.code,{children:"--secrets-encryption"})," will do the following automatically:"]}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"Generate an AES-CBC key"}),"\n",(0,i.jsx)(n.li,{children:"Generate an encryption config file with the generated key"}),"\n",(0,i.jsx)(n.li,{children:"Pass the config to the KubeAPI as encryption-provider-config"}),"\n"]}),"\n",(0,i.jsxs)(n.admonition,{type:"tip",children:[(0,i.jsx)(n.mdxAdmonitionTitle,{}),(0,i.jsxs)(n.p,{children:["Secrets-encryption cannot be enabled on an existing server without restarting it.",(0,i.jsx)(n.br,{}),"\n","Use ",(0,i.jsx)(n.code,{children:"curl -sfL https://get.k3s.io | sh -s - server --secrets-encryption"})," if installing from script, or other methods described in ",(0,i.jsx)(n.a,{href:"/installation/configuration#configuration-with-install-script",children:"Configuration Options"}),"."]})]}),"\n",(0,i.jsx)(n.p,{children:"Example of the encryption config file:"}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-json",children:'{\n "kind": "EncryptionConfiguration",\n "apiVersion": "apiserver.config.k8s.io/v1",\n "resources": [\n {\n "resources": [\n "secrets"\n ],\n "providers": [\n {\n "aescbc": {\n "keys": [\n {\n "name": "aescbckey",\n "secret": "xxxxxxxxxxxxxxxxxxx"\n }\n ]\n }\n },\n {\n "identity": {}\n }\n ]\n }\n ]\n}\n'})}),"\n",(0,i.jsx)(n.h2,{id:"secrets-encryption-tool",children:"Secrets Encryption Tool"}),"\n",(0,i.jsxs)(n.p,{children:["K3s contains a utility tool ",(0,i.jsx)(n.code,{children:"secrets-encrypt"}),", which enables automatic control over the following:"]}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"Disabling/Enabling secrets encryption"}),"\n",(0,i.jsx)(n.li,{children:"Adding new encryption keys"}),"\n",(0,i.jsx)(n.li,{children:"Rotating and deleting encryption keys"}),"\n",(0,i.jsx)(n.li,{children:"Reencrypting secrets"}),"\n"]}),"\n",(0,i.jsxs)(n.p,{children:["For more information, see the ",(0,i.jsxs)(n.a,{href:"/cli/secrets-encrypt",children:[(0,i.jsx)(n.code,{children:"k3s secrets-encrypt"})," command documentation"]}),"."]})]})}function p(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(d,{...e})}):d(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>o,a:()=>c});var i=t(7294);const r={},s=i.createContext(r);function c(e){const n=i.useContext(s);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:c(e.components),i.createElement(s.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[8005],{3548:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>l,contentTitle:()=>c,default:()=>p,frontMatter:()=>s,metadata:()=>o,toc:()=>a});var i=t(5893),r=t(1151);const s={title:"Secrets Encryption"},c="Secrets Encryption Config",o={id:"security/secrets-encryption",title:"Secrets Encryption",description:"K3s supports enabling secrets encryption at rest. When first starting the server, passing the flag --secrets-encryption will do the following automatically:",source:"@site/docs/security/secrets-encryption.md",sourceDirName:"security",slug:"/security/secrets-encryption",permalink:"/security/secrets-encryption",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/secrets-encryption.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Secrets Encryption"},sidebar:"mySidebar",previous:{title:"Security",permalink:"/security/"},next:{title:"CIS Hardening Guide",permalink:"/security/hardening-guide"}},l={},a=[{value:"Secrets Encryption Tool",id:"secrets-encryption-tool",level:2}];function d(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",h1:"h1",h2:"h2",header:"header",li:"li",mdxAdmonitionTitle:"mdxAdmonitionTitle",p:"p",pre:"pre",ul:"ul",...(0,r.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.header,{children:(0,i.jsx)(n.h1,{id:"secrets-encryption-config",children:"Secrets Encryption Config"})}),"\n",(0,i.jsxs)(n.p,{children:["K3s supports enabling secrets encryption at rest. When first starting the server, passing the flag ",(0,i.jsx)(n.code,{children:"--secrets-encryption"})," will do the following automatically:"]}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"Generate an AES-CBC key"}),"\n",(0,i.jsx)(n.li,{children:"Generate an encryption config file with the generated key"}),"\n",(0,i.jsx)(n.li,{children:"Pass the config to the KubeAPI as encryption-provider-config"}),"\n"]}),"\n",(0,i.jsxs)(n.admonition,{type:"tip",children:[(0,i.jsx)(n.mdxAdmonitionTitle,{}),(0,i.jsxs)(n.p,{children:["Secrets-encryption cannot be enabled on an existing server without restarting it.",(0,i.jsx)(n.br,{}),"\n","Use ",(0,i.jsx)(n.code,{children:"curl -sfL https://get.k3s.io | sh -s - server --secrets-encryption"})," if installing from script, or other methods described in ",(0,i.jsx)(n.a,{href:"/installation/configuration#configuration-with-install-script",children:"Configuration Options"}),"."]})]}),"\n",(0,i.jsx)(n.p,{children:"Example of the encryption config file:"}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-json",children:'{\n "kind": "EncryptionConfiguration",\n "apiVersion": "apiserver.config.k8s.io/v1",\n "resources": [\n {\n "resources": [\n "secrets"\n ],\n "providers": [\n {\n "aescbc": {\n "keys": [\n {\n "name": "aescbckey",\n "secret": "xxxxxxxxxxxxxxxxxxx"\n }\n ]\n }\n },\n {\n "identity": {}\n }\n ]\n }\n ]\n}\n'})}),"\n",(0,i.jsx)(n.h2,{id:"secrets-encryption-tool",children:"Secrets Encryption Tool"}),"\n",(0,i.jsxs)(n.p,{children:["K3s contains a utility tool ",(0,i.jsx)(n.code,{children:"secrets-encrypt"}),", which enables automatic control over the following:"]}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"Disabling/Enabling secrets encryption"}),"\n",(0,i.jsx)(n.li,{children:"Adding new encryption keys"}),"\n",(0,i.jsx)(n.li,{children:"Rotating and deleting encryption keys"}),"\n",(0,i.jsx)(n.li,{children:"Reencrypting secrets"}),"\n"]}),"\n",(0,i.jsxs)(n.p,{children:["For more information, see the ",(0,i.jsxs)(n.a,{href:"/cli/secrets-encrypt",children:[(0,i.jsx)(n.code,{children:"k3s secrets-encrypt"})," command documentation"]}),"."]})]})}function p(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(d,{...e})}):d(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>o,a:()=>c});var i=t(7294);const r={},s=i.createContext(r);function c(e){const n=i.useContext(s);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:c(e.components),i.createElement(s.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/5ea4afd8.6ab4e106.js b/assets/js/5ea4afd8.8740e93a.js
similarity index 99%
rename from assets/js/5ea4afd8.6ab4e106.js
rename to assets/js/5ea4afd8.8740e93a.js
index b916b4514..5dd63d214 100644
--- a/assets/js/5ea4afd8.6ab4e106.js
+++ b/assets/js/5ea4afd8.8740e93a.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9075],{7902:(e,r,s)=>{s.r(r),s.d(r,{assets:()=>c,contentTitle:()=>a,default:()=>u,frontMatter:()=>i,metadata:()=>l,toc:()=>o});var t=s(5893),n=s(1151);const i={title:"CIS 1.7 Self Assessment Guide"},a=void 0,l={id:"security/self-assessment-1.7",title:"CIS 1.7 Self Assessment Guide",description:"Overview",source:"@site/docs/security/self-assessment-1.7.md",sourceDirName:"security",slug:"/security/self-assessment-1.7",permalink:"/security/self-assessment-1.7",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.7.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"CIS 1.7 Self Assessment Guide"},sidebar:"mySidebar",previous:{title:"CIS 1.8 Self Assessment Guide",permalink:"/security/self-assessment-1.8"},next:{title:"CIS 1.24 Self Assessment Guide",permalink:"/security/self-assessment-1.24"}},c={},o=[{value:"Overview",id:"overview",level:2},{value:"Testing controls methodology",id:"testing-controls-methodology",level:3},{value:"1.1 Control Plane Node Configuration Files",id:"11-control-plane-node-configuration-files",level:2},{value:"1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)",id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.2 Ensure that the API server pod specification file ownership is set to root (Automated)",id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)",id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.4 Ensure that the controller manager pod specification file ownership is set to root (Automated)",id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)",id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.6 Ensure that the scheduler pod specification file ownership is set to root (Automated)",id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)",id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.8 Ensure that the etcd pod specification file ownership is set to root (Automated)",id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)",id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-600-or-more-restrictive-manual",level:3},{value:"1.1.10 Ensure that the Container Network Interface file ownership is set to root (Automated)",id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)",id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",level:3},{value:"1.1.12 Ensure that the etcd data directory ownership is set to etcd (Automated)",id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",level:3},{value:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)",id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.14 Ensure that the admin.conf file ownership is set to root (Automated)",id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)",id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.16 Ensure that the scheduler.conf file ownership is set to root (Automated)",id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)",id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.18 Ensure that the controller-manager.conf file ownership is set to root (Automated)",id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root (Automated)",id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)",id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual",level:3},{value:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)",id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated",level:3},{value:"1.2 API Server",id:"12-api-server",level:2},{value:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)",id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",level:3},{value:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)",id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",level:3},{value:"1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)",id:"124-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)",id:"125-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"126-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)",id:"127-ensure-that-the---authorization-mode-argument-includes-node-automated",level:3},{value:"1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)",id:"128-ensure-that-the---authorization-mode-argument-includes-rbac-automated",level:3},{value:"1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual)",id:"129-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",level:3},{value:"1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)",id:"1210-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",level:3},{value:"1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)",id:"1211-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",level:3},{value:"1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)",id:"1212-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",level:3},{value:"1.2.13 Ensure that the admission control plugin ServiceAccount is set (Automated)",id:"1213-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",level:3},{value:"1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)",id:"1214-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",level:3},{value:"1.2.15 Ensure that the admission control plugin NodeRestriction is set (Automated)",id:"1215-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",level:3},{value:"1.2.16 Ensure that the --secure-port argument is not set to 0 - NoteThis recommendation is obsolete and will be deleted per the consensus process (Automated)",id:"1216-ensure-that-the---secure-port-argument-is-not-set-to-0---notethis-recommendation-is-obsolete-and-will-be-deleted-per-the-consensus-process-automated",level:3},{value:"1.2.17 Ensure that the --profiling argument is set to false (Automated)",id:"1217-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.2.18 Ensure that the --audit-log-path argument is set (Manual)",id:"1218-ensure-that-the---audit-log-path-argument-is-set-manual",level:3},{value:"1.2.19 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Manual)",id:"1219-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-manual",level:3},{value:"1.2.20 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Manual)",id:"1220-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-manual",level:3},{value:"1.2.21 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Manual)",id:"1221-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-manual",level:3},{value:"1.2.22 Ensure that the --request-timeout argument is set as appropriate (Manual)",id:"1222-ensure-that-the---request-timeout-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.23 Ensure that the --service-account-lookup argument is set to true (Automated)",id:"1223-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",level:3},{value:"1.2.24 Ensure that the --service-account-key-file argument is set as appropriate (Automated)",id:"1224-ensure-that-the---service-account-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.25 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)",id:"1225-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"1226-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.27 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"1227-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.28 Ensure that the --etcd-cafile argument is set as appropriate (Automated)",id:"1228-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.29 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)",id:"1229-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.30 Ensure that encryption providers are appropriately configured (Manual)",id:"1230-ensure-that-encryption-providers-are-appropriately-configured-manual",level:3},{value:"1.2.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)",id:"1231-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-automated",level:3},{value:"1.3 Controller Manager",id:"13-controller-manager",level:2},{value:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)",id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",level:3},{value:"1.3.2 Ensure that the --profiling argument is set to false (Automated)",id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)",id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",level:3},{value:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)",id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)",id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"1.4 Scheduler",id:"14-scheduler",level:2},{value:"1.4.1 Ensure that the --profiling argument is set to false (Automated)",id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"2 Etcd Node Configuration",id:"2-etcd-node-configuration",level:2},{value:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)",id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)",id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)",id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)",id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)",id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)",id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.7 Ensure that a unique Certificate Authority is used for etcd (Automated)",id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-automated",level:3},{value:"4.1 Worker Node Configuration Files",id:"41-worker-node-configuration-files",level:2},{value:"4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)",id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.2 Ensure that the kubelet service file ownership is set to root (Automated)",id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)",id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.4 If proxy kubeconfig file exists ensure ownership is set to root (Automated)",id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-automated",level:3},{value:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)",id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root (Automated)",id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)",id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.8 Ensure that the client certificate authorities file ownership is set to root (Automated)",id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)",id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.10 Ensure that the kubelet --config configuration file ownership is set to root (Automated)",id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",level:3},{value:"4.2 Kubelet",id:"42-kubelet",level:2},{value:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"4.2.4 Verify that the --read-only-port argument is set to 0 (Automated)",id:"424-verify-that-the---read-only-port-argument-is-set-to-0-automated",level:3},{value:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)",id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",level:3},{value:"4.2.6 Ensure that the --make-iptables-util-chains argument is set to true (Automated)",id:"426-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",level:3},{value:"4.2.7 Ensure that the --hostname-override argument is not set (Automated)",id:"427-ensure-that-the---hostname-override-argument-is-not-set-automated",level:3},{value:"4.2.8 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)",id:"428-ensure-that-the-eventrecordqps-argument-is-set-to-a-level-which-ensures-appropriate-event-capture-manual",level:3},{value:"4.2.9 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"429-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"4.2.10 Ensure that the --rotate-certificates argument is not set to false (Automated)",id:"4210-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",level:3},{value:"4.2.11 Verify that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"4211-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"4.2.12 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)",id:"4212-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"4.2.13 Ensure that a limit is set on pod PIDs (Manual)",id:"4213-ensure-that-a-limit-is-set-on-pod-pids-manual",level:3},{value:"5.1 RBAC and Service Accounts",id:"51-rbac-and-service-accounts",level:2},{value:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)",id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",level:3},{value:"5.1.2 Minimize access to secrets (Manual)",id:"512-minimize-access-to-secrets-manual",level:3},{value:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)",id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",level:3},{value:"5.1.4 Minimize access to create pods (Manual)",id:"514-minimize-access-to-create-pods-manual",level:3},{value:"5.1.5 Ensure that default service accounts are not actively used. (Manual)",id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",level:3},{value:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)",id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",level:3},{value:"5.1.7 Avoid use of system group (Manual)",id:"517-avoid-use-of-system-group-manual",level:3},{value:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)",id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",level:3},{value:"5.1.9 Minimize access to create persistent volumes (Manual)",id:"519-minimize-access-to-create-persistent-volumes-manual",level:3},{value:"5.1.10 Minimize access to the proxy sub-resource of nodes (Manual)",id:"5110-minimize-access-to-the-proxy-sub-resource-of-nodes-manual",level:3},{value:"5.1.11 Minimize access to the approval sub-resource of certificatesigningrequests objects (Manual)",id:"5111-minimize-access-to-the-approval-sub-resource-of-certificatesigningrequests-objects-manual",level:3},{value:"5.1.12 Minimize access to webhook configuration objects (Manual)",id:"5112-minimize-access-to-webhook-configuration-objects-manual",level:3},{value:"5.1.13 Minimize access to the service account token creation (Manual)",id:"5113-minimize-access-to-the-service-account-token-creation-manual",level:3},{value:"5.2 Pod Security Standards",id:"52-pod-security-standards",level:2},{value:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)",id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",level:3},{value:"5.2.2 Minimize the admission of privileged containers (Manual)",id:"522-minimize-the-admission-of-privileged-containers-manual",level:3},{value:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)",id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",level:3},{value:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)",id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",level:3},{value:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)",id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",level:3},{value:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)",id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",level:3},{value:"5.2.7 Minimize the admission of root containers (Automated)",id:"527-minimize-the-admission-of-root-containers-automated",level:3},{value:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)",id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",level:3},{value:"5.2.9 Minimize the admission of containers with added capabilities (Automated)",id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",level:3},{value:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)",id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",level:3},{value:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)",id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",level:3},{value:"5.2.12 Minimize the admission of HostPath volumes (Manual)",id:"5212-minimize-the-admission-of-hostpath-volumes-manual",level:3},{value:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)",id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",level:3},{value:"5.3 Network Policies and CNI",id:"53-network-policies-and-cni",level:2},{value:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)",id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",level:3},{value:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)",id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",level:3},{value:"5.4 Secrets Management",id:"54-secrets-management",level:2},{value:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)",id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",level:3},{value:"5.4.2 Consider external secret storage (Manual)",id:"542-consider-external-secret-storage-manual",level:3},{value:"5.5 Extensible Admission Control",id:"55-extensible-admission-control",level:2},{value:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)",id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",level:3},{value:"5.7 General Policies",id:"57-general-policies",level:2},{value:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)",id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",level:3},{value:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)",id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",level:3},{value:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)",id:"573-apply-securitycontext-to-your-pods-and-containers-manual",level:3},{value:"5.7.4 The default namespace should not be used (Manual)",id:"574-the-default-namespace-should-not-be-used-manual",level:3}];function d(e){const r={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components},{Details:s}=r;return s||function(e,r){throw new Error("Expected "+(r?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}("Details",!0),(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.h2,{id:"overview",children:"Overview"}),"\n",(0,t.jsxs)(r.p,{children:["This document is a companion to the ",(0,t.jsx)(r.a,{href:"/security/hardening-guide",children:"K3s security hardening guide"}),". The hardening guide provides prescriptive guidance for hardening a production installation of K3s, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes Benchmark. It is to be used by K3s operators, security teams, auditors, and decision-makers."]}),"\n",(0,t.jsxs)(r.p,{children:["This guide is specific to the ",(0,t.jsx)(r.strong,{children:"v1.25"})," release line of K3s and the ",(0,t.jsx)(r.strong,{children:"v1.7.1"})," release of the CIS Kubernetes Benchmark."]}),"\n",(0,t.jsxs)(r.p,{children:["For more information about each control, including detailed descriptions and remediations for failing tests, you can refer to the corresponding section of the CIS Kubernetes Benchmark v1.7.1. You can download the benchmark, after creating a free account, in ",(0,t.jsx)(r.a,{href:"https://www.cisecurity.org/benchmark/kubernetes/",children:"Center for Internet Security (CIS)"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"testing-controls-methodology",children:"Testing controls methodology"}),"\n",(0,t.jsx)(r.p,{children:"Each control in the CIS Kubernetes Benchmark was evaluated against a K3s cluster that was configured according to the accompanying hardening guide."}),"\n",(0,t.jsx)(r.p,{children:"Where control audits differ from the original CIS benchmark, the audit commands specific to K3s are provided for testing."}),"\n",(0,t.jsx)(r.p,{children:"These are the possible results for each control:"}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:[(0,t.jsx)(r.strong,{children:"Pass"})," - The K3s cluster under test passed the audit outlined in the benchmark."]}),"\n",(0,t.jsxs)(r.li,{children:[(0,t.jsx)(r.strong,{children:"Not Applicable"})," - The control is not applicable to K3s because of how it is designed to operate. The remediation section will explain why this is so."]}),"\n",(0,t.jsxs)(r.li,{children:[(0,t.jsx)(r.strong,{children:"Warn"})," - The control is manual in the CIS benchmark and it depends on the cluster's use case or some other factor that must be determined by the cluster operator. These controls have been evaluated to ensure K3s does not prevent their implementation, but no further configuration or auditing of the cluster under test has been performed."]}),"\n"]}),"\n",(0,t.jsx)(r.p,{children:'This guide makes the assumption that K3s is running as a Systemd unit. Your installation may vary and will require you to adjust the "audit" commands to fit your scenario.'}),"\n",(0,t.jsx)(r.admonition,{type:"note",children:(0,t.jsxs)(r.p,{children:["Only ",(0,t.jsx)(r.code,{children:"scored"})," test, also know as ",(0,t.jsx)(r.code,{children:"automated"})," tests are covered in this guide."]})}),"\n",(0,t.jsx)(r.h2,{id:"11-control-plane-node-configuration-files",children:"1.1 Control Plane Node Configuration Files"}),"\n",(0,t.jsx)(r.h3,{id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the api server within the k3s process. There is no API server pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.2 Ensure that the API server pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the api server within the k3s process. There is no API server pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the controller manager within the k3s process. There is no controller manager pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.4 Ensure that the controller manager pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the controller manager within the k3s process. There is no controller manager pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the scheduler within the k3s process. There is no scheduler pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.6 Ensure that the scheduler pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the scheduler within the k3s process. There is no scheduler pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds etcd within the k3s process. There is no etcd pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.8 Ensure that the etcd pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds etcd within the k3s process. There is no etcd pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-600-or-more-restrictive-manual",children:"1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nBy default, K3s sets the CNI file permissions to 644.\nNote that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.\nIf you modify your CNI configuration, ensure that the permissions are set to 600.\nFor example, ",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/cni/networks/"})]}),"\n",(0,t.jsxs)(r.h3,{id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-automated",children:["1.1.10 Ensure that the Container Network Interface file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"ps -ef | grep containerd | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\\([^ ]*\\).*%\\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G\nfind /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root "})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",children:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'if [ "$(journalctl -u k3s | grep -m1 \'Managed etcd cluster\' | wc -l)" -gt 0 ]; then\n stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd\nelse\n echo "permissions=700"\nfi\n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 700, expected 700 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=700\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["On the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above). For example,\n",(0,t.jsx)(r.code,{children:"chmod 700 /var/lib/rancher/k3s/server/db/etcd"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",children:["1.1.12 Ensure that the etcd data directory ownership is set to etcd",":etcd"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsxs)(r.p,{children:["For K3s, etcd is embedded within the k3s process. There is no separate etcd process.\nTherefore the etcd data directory ownership is managed by the k3s process and should be root",":root","."]}),"\n",(0,t.jsx)(r.h3,{id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",children:["1.1.14 Ensure that the admin.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/admin.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",children:["1.1.16 Ensure that the scheduler.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/controller.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",children:["1.1.18 Ensure that the controller-manager.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/cred/controller.kubeconfig\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/controller.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",children:["1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown -R root:root /var/lib/rancher/k3s/server/tls"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual",children:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the master node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.crt"})]}),"\n",(0,t.jsx)(r.h3,{id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated",children:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'stat -c permissions=%a /var/lib/rancher/k3s/server/tls/*.key'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the master node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.key"})]})]}),"\n",(0,t.jsx)(r.h2,{id:"12-api-server",children:"1.2 API Server"}),"\n",(0,t.jsx)(r.h3,{id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--anonymous-auth' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --anonymous-auth argument to false. If it is set to true,\nedit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "anonymous-auth=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",children:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--token-auth-file' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Follow the documentation and configure alternate mechanisms for authentication.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "token-auth-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",children:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' does not have 'DenyServiceExternalIPs' OR '--enable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set DenyServiceExternalIPs.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=DenyServiceExternalIPs"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"124-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",children:"1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--kubelet-client-certificate' is present AND '--kubelet-client-key' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the kubelet client certificate and key.\nThey are generated and located at /var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/client-kube-apiserver.key\nIf for some reason you need to provide your own certificate and key, you can set the\nbelow parameters in the K3s config file /etc/rancher/k3s/config.yaml."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "kubelet-client-certificate="\n - "kubelet-client-key="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"125-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",children:"1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--kubelet-certificate-authority' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the kubelet CA cert file, at /var/lib/rancher/k3s/server/tls/server-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "kubelet-certificate-authority="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"126-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' does not have 'AlwaysAllow'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --authorization-mode to AlwaysAllow.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "authorization-mode=AlwaysAllow"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"127-ensure-that-the---authorization-mode-argument-includes-node-automated",children:"1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' has 'Node'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --authorization-mode to Node and RBAC.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml,\nensure that you are not overriding authorization-mode."})]}),"\n",(0,t.jsx)(r.h3,{id:"128-ensure-that-the---authorization-mode-argument-includes-rbac-automated",children:"1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' has 'RBAC'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --authorization-mode to Node and RBAC.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml,\nensure that you are not overriding authorization-mode."})]}),"\n",(0,t.jsx)(r.h3,{id:"129-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",children:"1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set the desired limits in a configuration file.\nThen, edit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameters."]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,EventRateLimit,..."\n - "admission-control-config-file="\n'})}),"\n",(0,t.jsx)(r.h3,{id:"1210-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",children:"1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' does not have 'AlwaysAdmit' OR '--enable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --enable-admission-plugins to AlwaysAdmit.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=AlwaysAdmit"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1211-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",children:"1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),'\nPermissive, per CIS guidelines,\n"This setting could impact offline or isolated clusters, which have images pre-loaded and\ndo not have access to a registry to pull in-use images. This setting is not appropriate for\nclusters which use this configuration."\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameter.']}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,AlwaysPullImages,..."\n'})}),"\n",(0,t.jsx)(r.h3,{id:"1212-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",children:"1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"Enabling Pod Security Policy is no longer supported on K3s v1.25+ and will cause applications to unexpectedly fail."}),"\n",(0,t.jsx)(r.h3,{id:"1213-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",children:"1.2.13 Ensure that the admission control plugin ServiceAccount is set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --disable-admission-plugins to anything.\nFollow the documentation and create ServiceAccount objects as per your environment.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "disable-admission-plugins=ServiceAccount"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1214-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",children:"1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --disable-admission-plugins to anything.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "disable-admission-plugins=...,NamespaceLifecycle,..."\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1215-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",children:"1.2.15 Ensure that the admission control plugin NodeRestriction is set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' has 'NodeRestriction'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --enable-admission-plugins to NodeRestriction.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, check that you are not overriding the admission plugins.\nIf you are, include NodeRestriction in the list."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,NodeRestriction,..."\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1216-ensure-that-the---secure-port-argument-is-not-set-to-0---notethis-recommendation-is-obsolete-and-will-be-deleted-per-the-consensus-process-automated",children:"1.2.16 Ensure that the --secure-port argument is not set to 0 - NoteThis recommendation is obsolete and will be deleted per the consensus process (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'secure-port'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--secure-port' is greater than 0 OR '--secure-port' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the secure port to 6444.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "secure-port="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1217-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.2.17 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "profiling=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1218-ensure-that-the---audit-log-path-argument-is-set-manual",children:"1.2.18 Ensure that the --audit-log-path argument is set (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-path' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml and set the audit-log-path parameter to a suitable path and\nfile where you would like audit logs to be written, for example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1219-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-manual",children:"1.2.19 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxage' is greater or equal to 30"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxage parameter to 30 or as an appropriate number of days, for example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxage=30"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1220-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-manual",children:"1.2.20 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxbackup' is greater or equal to 10"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxbackup parameter to 10 or to an appropriate value. For example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxbackup=10"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1221-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-manual",children:"1.2.21 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxsize' is greater or equal to 100"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxsize parameter to an appropriate size in MB. For example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxsize=100"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1222-ensure-that-the---request-timeout-argument-is-set-as-appropriate-manual",children:"1.2.22 Ensure that the --request-timeout argument is set as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),'\nPermissive, per CIS guidelines,\n"it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed".\nEdit the K3s config file /etc/rancher/k3s/config.yaml\nand set the below parameter if needed. For example,']}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "request-timeout=300s"\n'})}),"\n",(0,t.jsx)(r.h3,{id:"1223-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",children:"1.2.23 Ensure that the --service-account-lookup argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-lookup' is not present OR '--service-account-lookup' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --service-account-lookup argument.\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the service-account-lookup. For example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "service-account-lookup=true"\n'})}),(0,t.jsx)(r.p,{children:"Alternatively, you can delete the service-account-lookup parameter from this file so\nthat the default takes effect."})]}),"\n",(0,t.jsx)(r.h3,{id:"1224-ensure-that-the---service-account-key-file-argument-is-set-as-appropriate-automated",children:"1.2.24 Ensure that the --service-account-key-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s automatically generates and sets the service account key file.\nIt is located at /var/lib/rancher/k3s/server/tls/service.key.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "service-account-key-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1225-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",children:"1.2.25 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"if [ \"$(journalctl -u k3s | grep -m1 'Managed etcd cluster' | wc -l)\" -gt 0 ]; then\n journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver' | tail -n1\nelse\n echo \"--etcd-certfile AND --etcd-keyfile\"\nfi\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--etcd-certfile' is present AND '--etcd-keyfile' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s automatically generates and sets the etcd certificate and key files.\nThey are located at /var/lib/rancher/k3s/server/tls/etcd/client.crt and /var/lib/rancher/k3s/server/tls/etcd/client.key.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "etcd-certfile="\n - "etcd-keyfile="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1226-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep -A1 'Running kube-apiserver' | tail -n2\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cert-file' is present AND '--tls-private-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\nAug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically generates and provides the TLS certificate and private key for the apiserver.\nThey are generated and located at /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "tls-cert-file="\n - "tls-private-key-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1227-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"1.2.27 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'client-ca-file'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--client-ca-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the client certificate authority file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/client-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "client-ca-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1228-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",children:"1.2.28 Ensure that the --etcd-cafile argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-cafile'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--etcd-cafile' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the etcd certificate authority file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/client-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "etcd-cafile="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1229-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",children:"1.2.29 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--encryption-provider-config' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s can be configured to use encryption providers to encrypt secrets at rest.\nEdit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and set the below parameter.\nsecrets-encryption: true\nSecrets encryption can then be managed with the k3s secrets-encrypt command line tool.\nIf needed, you can find the generated encryption config at /var/lib/rancher/k3s/server/cred/encryption-config.json."})]}),"\n",(0,t.jsx)(r.h3,{id:"1230-ensure-that-encryption-providers-are-appropriately-configured-manual",children:"1.2.30 Ensure that encryption providers are appropriately configured (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"ENCRYPTION_PROVIDER_CONFIG=$(journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\\([^ ]*\\).*%\\1%')\nif test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -o 'providers\\\"\\:\\[.*\\]' $ENCRYPTION_PROVIDER_CONFIG | grep -o \"[A-Za-z]*\" | head -2 | tail -1 | sed 's/^/provider=/'; fi\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'provider' contains valid elements from 'aescbc,kms,secretbox'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"provider=aescbc\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s can be configured to use encryption providers to encrypt secrets at rest. K3s will utilize the aescbc provider.\nEdit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and set the below parameter.\nsecrets-encryption: true\nSecrets encryption can then be managed with the k3s secrets-encrypt command line tool.\nIf needed, you can find the generated encryption config at /var/lib/rancher/k3s/server/cred/encryption-config.json"})]}),"\n",(0,t.jsx)(r.h3,{id:"1231-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-automated",children:"1.2.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cipher-suites' contains valid elements from 'TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["By default, the K3s kube-apiserver complies with this test. Changes to these values may cause regression, therefore ensure that all apiserver clients support the new TLS configuration before applying it in production deployments.\nIf a custom TLS configuration is required, consider also creating a custom version of this rule that aligns with your requirements.\nIf this check fails, remove any custom configuration around ",(0,t.jsx)(r.code,{children:"tls-cipher-suites"})," or update the /etc/rancher/k3s/config.yaml file to match the default by adding the following:"]}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"\n'})})]}),"\n",(0,t.jsx)(r.h2,{id:"13-controller-manager",children:"1.3 Controller Manager"}),"\n",(0,t.jsx)(r.h3,{id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",children:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'terminated-pod-gc-threshold'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--terminated-pod-gc-threshold' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node\nand set the --terminated-pod-gc-threshold to an appropriate threshold,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "terminated-pod-gc-threshold=10"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.3.2 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "profiling=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",children:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--use-service-account-credentials' is not equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --use-service-account-credentials argument to true.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "use-service-account-credentials=false"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",children:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'service-account-private-key-file'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-private-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the service account private key file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/service.current.key.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "service-account-private-key-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",children:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'root-ca-file'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--root-ca-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the root CA file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/server-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "root-ca-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--feature-gates' does not have 'RotateKubeletServerCertificate=false' OR '--feature-gates' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the RotateKubeletServerCertificate feature gate.\nIf you have enabled this feature gate, you should remove it.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "feature-gate=RotateKubeletServerCertificate"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--bind-address' is present OR '--bind-address' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root 2372 2354 4 19:01 ? 00:00:05 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd\nroot 3128 1 0 19:01 ? 00:00:00 /var/lib/rancher/k3s/data/0f1a87835be3817408b496b439fddb9ea54cab4298db472792bb1b1cbdc210bc/bin/containerd-shim-runc-v2 -namespace k8s.io -id 878d74b0d77d904ec40cd1db71956f2edeb68ab420227a5a42e6d25f249a140a -address /run/k3s/containerd/containerd.sock\nroot 3239 1 0 19:01 ? 00:00:00 /var/lib/rancher/k3s/data/0f1a87835be3817408b496b439fddb9ea54cab4298db472792bb1b1cbdc210bc/bin/containerd-shim-runc-v2 -namespace k8s.io -id d00cc363af40aee36210e396597e4c02712ae99535be21d204849dc33a22af88 -address /run/k3s/containerd/containerd.sock\nroot 3293 1 0 19:01 ? 00:00:00 /var/lib/rancher/k3s/data/0f1a87835be3817408b496b439fddb9ea54cab4298db472792bb1b1cbdc210bc/bin/containerd-shim-runc-v2 -namespace k8s.io -id 5df076fa9547c555a2231b9a9a7cbb44021eaa1ab68c9b59b13da960697143f6 -address /run/k3s/containerd/containerd.sock\nroot 4557 1 0 19:02 ? 00:00:00 /var/lib/rancher/k3s/data/0f1a87835be3817408b496b439fddb9ea54cab4298db472792bb1b1cbdc210bc/bin/containerd-shim-runc-v2 -namespace k8s.io -id f6483b71bcb7ea23356003921a7d90cf638b8f9e473728f3b28dc67163e0fa2d -address /run/k3s/containerd/containerd.sock\nroot 4644 1 0 19:02 ? 00:00:00 /var/lib/rancher/k3s/data/0f1a87835be3817408b496b439fddb9ea54cab4298db472792bb1b1cbdc210bc/bin/containerd-shim-runc-v2 -namespace k8s.io -id 4d8ceb2620c4e0501a49dc9192fc56d035e76bc79a2c6072fee8619730006233 -address /run/k3s/containerd/containerd.sock\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --bind-address argument to 127.0.0.1\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "bind-address="\n'})})]}),"\n",(0,t.jsx)(r.h2,{id:"14-scheduler",children:"1.4 Scheduler"}),"\n",(0,t.jsx)(r.h3,{id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.4.1 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-scheduler-arg:\n - "profiling=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'bind-address'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --bind-address argument to 127.0.0.1\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-scheduler-arg:\n - "bind-address="\n'})})]}),"\n",(0,t.jsx)(r.h2,{id:"2-etcd-node-configuration",children:"2 Etcd Node Configuration"}),"\n",(0,t.jsx)(r.h3,{id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",children:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.cert-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/server-client.crt' AND '.client-transport-security.key-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/server-client.key'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates cert and key files for etcd.\nThese are located in /var/lib/rancher/k3s/server/tls/etcd/.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use custom cert and key files."})]}),"\n",(0,t.jsx)(r.h3,{id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",children:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.client-cert-auth' is equal to 'true'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s sets the --client-cert-auth parameter to true.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to disable client certificate authentication."})]}),"\n",(0,t.jsx)(r.h3,{id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",children:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.auto-tls' is present OR '.client-transport-security.auto-tls' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s does not set the --auto-tls parameter.\nIf this check fails, edit the etcd pod specification file /var/lib/rancher/k3s/server/db/etcd/config on the master\nnode and either remove the --auto-tls parameter or set it to false.\nclient-transport-security:\nauto-tls: false"})]}),"\n",(0,t.jsx)(r.h3,{id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",children:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.cert-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt' AND '.peer-transport-security.key-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates peer cert and key files for etcd.\nThese are located in /var/lib/rancher/k3s/server/tls/etcd/.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use custom peer cert and key files."})]}),"\n",(0,t.jsx)(r.h3,{id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",children:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.client-cert-auth' is equal to 'true'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s sets the --peer-cert-auth parameter to true.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to disable peer client certificate authentication."})]}),"\n",(0,t.jsx)(r.h3,{id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",children:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.auto-tls' is present OR '.peer-transport-security.auto-tls' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s does not set the --peer-auto-tls parameter.\nIf this check fails, edit the etcd pod specification file /var/lib/rancher/k3s/server/db/etcd/config on the master\nnode and either remove the --peer-auto-tls parameter or set it to false.\npeer-transport-security:\nauto-tls: false"})]}),"\n",(0,t.jsx)(r.h3,{id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-automated",children:"2.7 Ensure that a unique Certificate Authority is used for etcd (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.trusted-ca-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates a unique certificate authority for etcd.\nThis is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use a shared certificate authority."})]}),"\n",(0,t.jsx)(r.h2,{id:"41-worker-node-configuration-files",children:"4.1 Worker Node Configuration Files"}),"\n",(0,t.jsx)(r.h3,{id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet service file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsxs)(r.h3,{id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",children:["4.1.2 Ensure that the kubelet service file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet service file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsx)(r.p,{children:"All configuration is passed in as arguments at container run time."}),"\n",(0,t.jsx)(r.h3,{id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi' \n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-automated",children:["4.1.4 If proxy kubeconfig file exists ensure ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi' \n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example, ",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubelet.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/agent/kubelet.kubeconfig; fi' \n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/kubelet.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",children:["4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/kubelet.kubeconfig\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/kubelet.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c permissions=%a /var/lib/rancher/k3s/agent/client-ca.crt\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the following command to modify the file permissions of the\n--client-ca-file ",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/client-ca.crt"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-automated",children:["4.1.8 Ensure that the client certificate authorities file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/client-ca.crt\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the following command to modify the ownership of the --client-ca-file.\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/client-ca.crt"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-600-or-more-restrictive-automated",children:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsxs)(r.h3,{id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",children:["4.1.10 Ensure that the kubelet --config configuration file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsx)(r.h2,{id:"42-kubelet",children:"4.2 Kubelet"}),"\n",(0,t.jsx)(r.h3,{id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi\' \n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--anonymous-auth' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --anonymous-auth to false. If you have set this to a different value, you\nshould set it back to false. If using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "anonymous-auth=true"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="anonymous-auth=true"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"; else echo "--authorization-mode=Webhook"; fi\' \n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' does not have 'AlwaysAllow'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --authorization-mode to AlwaysAllow.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "authorization-mode=AlwaysAllow"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="authorization-mode=AlwaysAllow"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file"; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi\' \n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--client-ca-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the client ca certificate for the Kubelet.\nIt is generated and located at /var/lib/rancher/k3s/agent/client-ca.crt"})]}),"\n",(0,t.jsx)(r.h3,{id:"424-verify-that-the---read-only-port-argument-is-set-to-0-automated",children:"4.2.4 Verify that the --read-only-port argument is set to 0 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--read-only-port' is equal to '0' OR '--read-only-port' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --read-only-port to 0. If you have set this to a different value, you\nshould set it back to 0. If using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "read-only-port=XXXX"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="read-only-port=XXXX"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",children:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--streaming-connection-idle-timeout' is not equal to '0' OR '--streaming-connection-idle-timeout' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter to an appropriate value."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "streaming-connection-idle-timeout=5m"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="streaming-connection-idle-timeout=5m".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"426-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",children:"4.2.6 Ensure that the --make-iptables-util-chains argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--make-iptables-util-chains' is equal to 'true' OR '--make-iptables-util-chains' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "make-iptables-util-chains=true"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="make-iptables-util-chains=true".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"427-ensure-that-the---hostname-override-argument-is-not-set-automated",children:"4.2.7 Ensure that the --hostname-override argument is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s does set the --hostname-override argument. Per CIS guidelines, this is to comply\nwith cloud providers that require this flag to ensure that hostname matches node names."}),"\n",(0,t.jsx)(r.h3,{id:"428-ensure-that-the-eventrecordqps-argument-is-set-to-a-level-which-ensures-appropriate-event-capture-manual",children:"4.2.8 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--event-qps' is greater or equal to 0 OR '--event-qps' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the event-qps to 0. Should you wish to change this,\nIf using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter to an appropriate value."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "event-qps="\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="event-qps=".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"429-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"4.2.9 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cert-file' is present AND '--tls-private-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the TLS certificate and private key for the Kubelet.\nThey are generated and located at /var/lib/rancher/k3s/agent/serving-kubelet.crt and /var/lib/rancher/k3s/agent/serving-kubelet.key\nIf for some reason you need to provide your own certificate and key, you can set the\nthe below parameters in the K3s config file /etc/rancher/k3s/config.yaml."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "tls-cert-file="\n - "tls-private-key-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"4210-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",children:"4.2.10 Ensure that the --rotate-certificates argument is not set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--rotate-certificates' is present OR '--rotate-certificates' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["By default, K3s does not set the --rotate-certificates argument. If you have set this flag with a value of ",(0,t.jsx)(r.code,{children:"false"}),", you should either set it to ",(0,t.jsx)(r.code,{children:"true"}),' or completely remove the flag.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any rotate-certificates parameter.\nIf using the command line, remove the K3s flag --kubelet-arg="rotate-certificates".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service']})]}),"\n",(0,t.jsx)(r.h3,{id:"4211-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"4.2.11 Verify that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'RotateKubeletServerCertificate' is present OR 'RotateKubeletServerCertificate' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:'By default, K3s does not set the RotateKubeletServerCertificate feature gate.\nIf you have enabled this feature gate, you should remove it.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any feature-gate=RotateKubeletServerCertificate parameter.\nIf using the command line, remove the K3s flag --kubelet-arg="feature-gate=RotateKubeletServerCertificate".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"4212-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",children:"4.2.12 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cipher-suites' contains valid elements from 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["If using a K3s config file /etc/rancher/k3s/config.yaml, edit the file to set ",(0,t.jsx)(r.code,{children:"TLSCipherSuites"})," to"]}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"\n'})}),(0,t.jsx)(r.p,{children:'or to a subset of these values.\nIf using the command line, add the K3s flag --kubelet-arg="tls-cipher-suites="\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"4213-ensure-that-a-limit-is-set-on-pod-pids-manual",children:"4.2.13 Ensure that a limit is set on pod PIDs (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nDecide on an appropriate level for this parameter and set it,\nIf using a K3s config file /etc/rancher/k3s/config.yaml, edit the file to set ",(0,t.jsx)(r.code,{children:"podPidsLimit"})," to"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "pod-max-pids="\n'})}),"\n",(0,t.jsx)(r.h2,{id:"51-rbac-and-service-accounts",children:"5.1 RBAC and Service Accounts"}),"\n",(0,t.jsx)(r.h3,{id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",children:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nIdentify all clusterrolebindings to the cluster-admin role. Check if they are used and\nif they need this role or if they could use a role with fewer privileges.\nWhere possible, first bind users to a lower privileged role and then remove the\nclusterrolebinding to the cluster-admin role :\nkubectl delete clusterrolebinding [name]"]}),"\n",(0,t.jsx)(r.h3,{id:"512-minimize-access-to-secrets-manual",children:"5.1.2 Minimize access to secrets (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove get, list and watch access to Secret objects in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",children:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible replace any use of wildcards in clusterroles and roles with specific\nobjects or actions."]}),"\n",(0,t.jsx)(r.h3,{id:"514-minimize-access-to-create-pods-manual",children:"5.1.4 Minimize access to create pods (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove create access to pod objects in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",children:"5.1.5 Ensure that default service accounts are not actively used. (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nCreate explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\nautomountServiceAccountToken: false"]}),"\n",(0,t.jsx)(r.h3,{id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",children:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nModify the definition of pods and service accounts which do not need to mount service\naccount tokens to disable it."]}),"\n",(0,t.jsxs)(r.h3,{id:"517-avoid-use-of-system-group-manual",children:["5.1.7 Avoid use of system",":masters"," group (Manual)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nRemove the system",":masters"," group from all users in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",children:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove the impersonate, bind and escalate rights from subjects."]}),"\n",(0,t.jsx)(r.h3,{id:"519-minimize-access-to-create-persistent-volumes-manual",children:"5.1.9 Minimize access to create persistent volumes (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove create access to PersistentVolume objects in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"5110-minimize-access-to-the-proxy-sub-resource-of-nodes-manual",children:"5.1.10 Minimize access to the proxy sub-resource of nodes (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the proxy sub-resource of node objects."]}),"\n",(0,t.jsx)(r.h3,{id:"5111-minimize-access-to-the-approval-sub-resource-of-certificatesigningrequests-objects-manual",children:"5.1.11 Minimize access to the approval sub-resource of certificatesigningrequests objects (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the approval sub-resource of certificatesigningrequest objects."]}),"\n",(0,t.jsx)(r.h3,{id:"5112-minimize-access-to-webhook-configuration-objects-manual",children:"5.1.12 Minimize access to webhook configuration objects (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the validatingwebhookconfigurations or mutatingwebhookconfigurations objects"]}),"\n",(0,t.jsx)(r.h3,{id:"5113-minimize-access-to-the-service-account-token-creation-manual",children:"5.1.13 Minimize access to the service account token creation (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the token sub-resource of serviceaccount objects."]}),"\n",(0,t.jsx)(r.h2,{id:"52-pod-security-standards",children:"5.2 Pod Security Standards"}),"\n",(0,t.jsx)(r.h3,{id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",children:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that either Pod Security Admission or an external policy control system is in place\nfor every namespace which contains user workloads."]}),"\n",(0,t.jsx)(r.h3,{id:"522-minimize-the-admission-of-privileged-containers-manual",children:"5.2.2 Minimize the admission of privileged containers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of privileged containers."]}),"\n",(0,t.jsx)(r.h3,{id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",children:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,t.jsx)(r.code,{children:"hostPID"})," containers."]}),"\n",(0,t.jsx)(r.h3,{id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",children:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,t.jsx)(r.code,{children:"hostIPC"})," containers."]}),"\n",(0,t.jsx)(r.h3,{id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",children:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,t.jsx)(r.code,{children:"hostNetwork"})," containers."]}),"\n",(0,t.jsx)(r.h3,{id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",children:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,t.jsx)(r.code,{children:".spec.allowPrivilegeEscalation"})," set to ",(0,t.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"527-minimize-the-admission-of-root-containers-automated",children:"5.2.7 Minimize the admission of root containers (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nCreate a policy for each namespace in the cluster, ensuring that either ",(0,t.jsx)(r.code,{children:"MustRunAsNonRoot"}),"\nor ",(0,t.jsx)(r.code,{children:"MustRunAs"})," with the range of UIDs not including 0, is set."]}),"\n",(0,t.jsx)(r.h3,{id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",children:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with the ",(0,t.jsx)(r.code,{children:"NET_RAW"})," capability."]}),"\n",(0,t.jsx)(r.h3,{id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",children:"5.2.9 Minimize the admission of containers with added capabilities (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that ",(0,t.jsx)(r.code,{children:"allowedCapabilities"})," is not present in policies for the cluster unless\nit is set to an empty array."]}),"\n",(0,t.jsx)(r.h3,{id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",children:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nReview the use of capabilities in applications running on your cluster. Where a namespace\ncontains applications which do not require any Linux capabities to operate consider adding\na PSP which forbids the admission of containers which do not drop all capabilities."]}),"\n",(0,t.jsx)(r.h3,{id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",children:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers that have ",(0,t.jsx)(r.code,{children:".securityContext.windowsOptions.hostProcess"})," set to ",(0,t.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"5212-minimize-the-admission-of-hostpath-volumes-manual",children:"5.2.12 Minimize the admission of HostPath volumes (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,t.jsx)(r.code,{children:"hostPath"})," volumes."]}),"\n",(0,t.jsx)(r.h3,{id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",children:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers which use ",(0,t.jsx)(r.code,{children:"hostPort"})," sections."]}),"\n",(0,t.jsx)(r.h2,{id:"53-network-policies-and-cni",children:"5.3 Network Policies and CNI"}),"\n",(0,t.jsx)(r.h3,{id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",children:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nIf the CNI plugin in use does not support network policies, consideration should be given to\nmaking use of a different plugin, or finding an alternate mechanism for restricting traffic\nin the Kubernetes cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",children:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create NetworkPolicy objects as you need them."]}),"\n",(0,t.jsx)(r.h2,{id:"54-secrets-management",children:"5.4 Secrets Management"}),"\n",(0,t.jsx)(r.h3,{id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",children:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nIf possible, rewrite application code to read Secrets from mounted secret files, rather than\nfrom environment variables."]}),"\n",(0,t.jsx)(r.h3,{id:"542-consider-external-secret-storage-manual",children:"5.4.2 Consider external secret storage (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nRefer to the Secrets management options offered by your cloud provider or a third-party\nsecrets management solution."]}),"\n",(0,t.jsx)(r.h2,{id:"55-extensible-admission-control",children:"5.5 Extensible Admission Control"}),"\n",(0,t.jsx)(r.h3,{id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",children:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and setup image provenance."]}),"\n",(0,t.jsx)(r.h2,{id:"57-general-policies",children:"5.7 General Policies"}),"\n",(0,t.jsx)(r.h3,{id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",children:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create namespaces for objects in your deployment as you need\nthem."]}),"\n",(0,t.jsx)(r.h3,{id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",children:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nUse ",(0,t.jsx)(r.code,{children:"securityContext"})," to enable the docker/default seccomp profile in your pod definitions.\nAn example is as below:\nsecurityContext:\nseccompProfile:\ntype: RuntimeDefault"]}),"\n",(0,t.jsx)(r.h3,{id:"573-apply-securitycontext-to-your-pods-and-containers-manual",children:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and apply SecurityContexts to your Pods. For a\nsuggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker\nContainers."]}),"\n",(0,t.jsx)(r.h3,{id:"574-the-default-namespace-should-not-be-used-manual",children:"5.7.4 The default namespace should not be used (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes\nresources and that all new resources are created in a specific namespace."]})]})}function u(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,t.jsx)(r,{...e,children:(0,t.jsx)(d,{...e})}):d(e)}},1151:(e,r,s)=>{s.d(r,{Z:()=>l,a:()=>a});var t=s(7294);const n={},i=t.createContext(n);function a(e){const r=t.useContext(i);return t.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function l(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:a(e.components),t.createElement(i.Provider,{value:r},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[9075],{7902:(e,r,s)=>{s.r(r),s.d(r,{assets:()=>c,contentTitle:()=>a,default:()=>u,frontMatter:()=>i,metadata:()=>l,toc:()=>o});var t=s(5893),n=s(1151);const i={title:"CIS 1.7 Self Assessment Guide"},a=void 0,l={id:"security/self-assessment-1.7",title:"CIS 1.7 Self Assessment Guide",description:"Overview",source:"@site/docs/security/self-assessment-1.7.md",sourceDirName:"security",slug:"/security/self-assessment-1.7",permalink:"/security/self-assessment-1.7",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.7.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"CIS 1.7 Self Assessment Guide"},sidebar:"mySidebar",previous:{title:"CIS 1.8 Self Assessment Guide",permalink:"/security/self-assessment-1.8"},next:{title:"CIS 1.24 Self Assessment Guide",permalink:"/security/self-assessment-1.24"}},c={},o=[{value:"Overview",id:"overview",level:2},{value:"Testing controls methodology",id:"testing-controls-methodology",level:3},{value:"1.1 Control Plane Node Configuration Files",id:"11-control-plane-node-configuration-files",level:2},{value:"1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)",id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.2 Ensure that the API server pod specification file ownership is set to root (Automated)",id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)",id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.4 Ensure that the controller manager pod specification file ownership is set to root (Automated)",id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)",id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.6 Ensure that the scheduler pod specification file ownership is set to root (Automated)",id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)",id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.8 Ensure that the etcd pod specification file ownership is set to root (Automated)",id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)",id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-600-or-more-restrictive-manual",level:3},{value:"1.1.10 Ensure that the Container Network Interface file ownership is set to root (Automated)",id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)",id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",level:3},{value:"1.1.12 Ensure that the etcd data directory ownership is set to etcd (Automated)",id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",level:3},{value:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)",id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.14 Ensure that the admin.conf file ownership is set to root (Automated)",id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)",id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.16 Ensure that the scheduler.conf file ownership is set to root (Automated)",id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)",id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.18 Ensure that the controller-manager.conf file ownership is set to root (Automated)",id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root (Automated)",id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)",id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual",level:3},{value:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)",id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated",level:3},{value:"1.2 API Server",id:"12-api-server",level:2},{value:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)",id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",level:3},{value:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)",id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",level:3},{value:"1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)",id:"124-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)",id:"125-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"126-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)",id:"127-ensure-that-the---authorization-mode-argument-includes-node-automated",level:3},{value:"1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)",id:"128-ensure-that-the---authorization-mode-argument-includes-rbac-automated",level:3},{value:"1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual)",id:"129-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",level:3},{value:"1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)",id:"1210-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",level:3},{value:"1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)",id:"1211-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",level:3},{value:"1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)",id:"1212-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",level:3},{value:"1.2.13 Ensure that the admission control plugin ServiceAccount is set (Automated)",id:"1213-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",level:3},{value:"1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)",id:"1214-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",level:3},{value:"1.2.15 Ensure that the admission control plugin NodeRestriction is set (Automated)",id:"1215-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",level:3},{value:"1.2.16 Ensure that the --secure-port argument is not set to 0 - NoteThis recommendation is obsolete and will be deleted per the consensus process (Automated)",id:"1216-ensure-that-the---secure-port-argument-is-not-set-to-0---notethis-recommendation-is-obsolete-and-will-be-deleted-per-the-consensus-process-automated",level:3},{value:"1.2.17 Ensure that the --profiling argument is set to false (Automated)",id:"1217-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.2.18 Ensure that the --audit-log-path argument is set (Manual)",id:"1218-ensure-that-the---audit-log-path-argument-is-set-manual",level:3},{value:"1.2.19 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Manual)",id:"1219-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-manual",level:3},{value:"1.2.20 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Manual)",id:"1220-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-manual",level:3},{value:"1.2.21 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Manual)",id:"1221-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-manual",level:3},{value:"1.2.22 Ensure that the --request-timeout argument is set as appropriate (Manual)",id:"1222-ensure-that-the---request-timeout-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.23 Ensure that the --service-account-lookup argument is set to true (Automated)",id:"1223-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",level:3},{value:"1.2.24 Ensure that the --service-account-key-file argument is set as appropriate (Automated)",id:"1224-ensure-that-the---service-account-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.25 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)",id:"1225-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"1226-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.27 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"1227-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.28 Ensure that the --etcd-cafile argument is set as appropriate (Automated)",id:"1228-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.29 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)",id:"1229-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.30 Ensure that encryption providers are appropriately configured (Manual)",id:"1230-ensure-that-encryption-providers-are-appropriately-configured-manual",level:3},{value:"1.2.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)",id:"1231-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-automated",level:3},{value:"1.3 Controller Manager",id:"13-controller-manager",level:2},{value:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)",id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",level:3},{value:"1.3.2 Ensure that the --profiling argument is set to false (Automated)",id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)",id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",level:3},{value:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)",id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)",id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"1.4 Scheduler",id:"14-scheduler",level:2},{value:"1.4.1 Ensure that the --profiling argument is set to false (Automated)",id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"2 Etcd Node Configuration",id:"2-etcd-node-configuration",level:2},{value:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)",id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)",id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)",id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)",id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)",id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)",id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.7 Ensure that a unique Certificate Authority is used for etcd (Automated)",id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-automated",level:3},{value:"4.1 Worker Node Configuration Files",id:"41-worker-node-configuration-files",level:2},{value:"4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)",id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.2 Ensure that the kubelet service file ownership is set to root (Automated)",id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)",id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.4 If proxy kubeconfig file exists ensure ownership is set to root (Automated)",id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-automated",level:3},{value:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)",id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root (Automated)",id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)",id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.8 Ensure that the client certificate authorities file ownership is set to root (Automated)",id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)",id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.10 Ensure that the kubelet --config configuration file ownership is set to root (Automated)",id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",level:3},{value:"4.2 Kubelet",id:"42-kubelet",level:2},{value:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"4.2.4 Verify that the --read-only-port argument is set to 0 (Automated)",id:"424-verify-that-the---read-only-port-argument-is-set-to-0-automated",level:3},{value:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)",id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",level:3},{value:"4.2.6 Ensure that the --make-iptables-util-chains argument is set to true (Automated)",id:"426-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",level:3},{value:"4.2.7 Ensure that the --hostname-override argument is not set (Automated)",id:"427-ensure-that-the---hostname-override-argument-is-not-set-automated",level:3},{value:"4.2.8 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)",id:"428-ensure-that-the-eventrecordqps-argument-is-set-to-a-level-which-ensures-appropriate-event-capture-manual",level:3},{value:"4.2.9 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"429-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"4.2.10 Ensure that the --rotate-certificates argument is not set to false (Automated)",id:"4210-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",level:3},{value:"4.2.11 Verify that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"4211-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"4.2.12 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)",id:"4212-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"4.2.13 Ensure that a limit is set on pod PIDs (Manual)",id:"4213-ensure-that-a-limit-is-set-on-pod-pids-manual",level:3},{value:"5.1 RBAC and Service Accounts",id:"51-rbac-and-service-accounts",level:2},{value:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)",id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",level:3},{value:"5.1.2 Minimize access to secrets (Manual)",id:"512-minimize-access-to-secrets-manual",level:3},{value:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)",id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",level:3},{value:"5.1.4 Minimize access to create pods (Manual)",id:"514-minimize-access-to-create-pods-manual",level:3},{value:"5.1.5 Ensure that default service accounts are not actively used. (Manual)",id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",level:3},{value:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)",id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",level:3},{value:"5.1.7 Avoid use of system group (Manual)",id:"517-avoid-use-of-system-group-manual",level:3},{value:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)",id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",level:3},{value:"5.1.9 Minimize access to create persistent volumes (Manual)",id:"519-minimize-access-to-create-persistent-volumes-manual",level:3},{value:"5.1.10 Minimize access to the proxy sub-resource of nodes (Manual)",id:"5110-minimize-access-to-the-proxy-sub-resource-of-nodes-manual",level:3},{value:"5.1.11 Minimize access to the approval sub-resource of certificatesigningrequests objects (Manual)",id:"5111-minimize-access-to-the-approval-sub-resource-of-certificatesigningrequests-objects-manual",level:3},{value:"5.1.12 Minimize access to webhook configuration objects (Manual)",id:"5112-minimize-access-to-webhook-configuration-objects-manual",level:3},{value:"5.1.13 Minimize access to the service account token creation (Manual)",id:"5113-minimize-access-to-the-service-account-token-creation-manual",level:3},{value:"5.2 Pod Security Standards",id:"52-pod-security-standards",level:2},{value:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)",id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",level:3},{value:"5.2.2 Minimize the admission of privileged containers (Manual)",id:"522-minimize-the-admission-of-privileged-containers-manual",level:3},{value:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)",id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",level:3},{value:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)",id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",level:3},{value:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)",id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",level:3},{value:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)",id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",level:3},{value:"5.2.7 Minimize the admission of root containers (Automated)",id:"527-minimize-the-admission-of-root-containers-automated",level:3},{value:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)",id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",level:3},{value:"5.2.9 Minimize the admission of containers with added capabilities (Automated)",id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",level:3},{value:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)",id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",level:3},{value:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)",id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",level:3},{value:"5.2.12 Minimize the admission of HostPath volumes (Manual)",id:"5212-minimize-the-admission-of-hostpath-volumes-manual",level:3},{value:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)",id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",level:3},{value:"5.3 Network Policies and CNI",id:"53-network-policies-and-cni",level:2},{value:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)",id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",level:3},{value:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)",id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",level:3},{value:"5.4 Secrets Management",id:"54-secrets-management",level:2},{value:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)",id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",level:3},{value:"5.4.2 Consider external secret storage (Manual)",id:"542-consider-external-secret-storage-manual",level:3},{value:"5.5 Extensible Admission Control",id:"55-extensible-admission-control",level:2},{value:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)",id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",level:3},{value:"5.7 General Policies",id:"57-general-policies",level:2},{value:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)",id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",level:3},{value:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)",id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",level:3},{value:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)",id:"573-apply-securitycontext-to-your-pods-and-containers-manual",level:3},{value:"5.7.4 The default namespace should not be used (Manual)",id:"574-the-default-namespace-should-not-be-used-manual",level:3}];function d(e){const r={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components},{Details:s}=r;return s||function(e,r){throw new Error("Expected "+(r?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}("Details",!0),(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.h2,{id:"overview",children:"Overview"}),"\n",(0,t.jsxs)(r.p,{children:["This document is a companion to the ",(0,t.jsx)(r.a,{href:"/security/hardening-guide",children:"K3s security hardening guide"}),". The hardening guide provides prescriptive guidance for hardening a production installation of K3s, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes Benchmark. It is to be used by K3s operators, security teams, auditors, and decision-makers."]}),"\n",(0,t.jsxs)(r.p,{children:["This guide is specific to the ",(0,t.jsx)(r.strong,{children:"v1.25"})," release line of K3s and the ",(0,t.jsx)(r.strong,{children:"v1.7.1"})," release of the CIS Kubernetes Benchmark."]}),"\n",(0,t.jsxs)(r.p,{children:["For more information about each control, including detailed descriptions and remediations for failing tests, you can refer to the corresponding section of the CIS Kubernetes Benchmark v1.7.1. You can download the benchmark, after creating a free account, in ",(0,t.jsx)(r.a,{href:"https://www.cisecurity.org/benchmark/kubernetes/",children:"Center for Internet Security (CIS)"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"testing-controls-methodology",children:"Testing controls methodology"}),"\n",(0,t.jsx)(r.p,{children:"Each control in the CIS Kubernetes Benchmark was evaluated against a K3s cluster that was configured according to the accompanying hardening guide."}),"\n",(0,t.jsx)(r.p,{children:"Where control audits differ from the original CIS benchmark, the audit commands specific to K3s are provided for testing."}),"\n",(0,t.jsx)(r.p,{children:"These are the possible results for each control:"}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:[(0,t.jsx)(r.strong,{children:"Pass"})," - The K3s cluster under test passed the audit outlined in the benchmark."]}),"\n",(0,t.jsxs)(r.li,{children:[(0,t.jsx)(r.strong,{children:"Not Applicable"})," - The control is not applicable to K3s because of how it is designed to operate. The remediation section will explain why this is so."]}),"\n",(0,t.jsxs)(r.li,{children:[(0,t.jsx)(r.strong,{children:"Warn"})," - The control is manual in the CIS benchmark and it depends on the cluster's use case or some other factor that must be determined by the cluster operator. These controls have been evaluated to ensure K3s does not prevent their implementation, but no further configuration or auditing of the cluster under test has been performed."]}),"\n"]}),"\n",(0,t.jsx)(r.p,{children:'This guide makes the assumption that K3s is running as a Systemd unit. Your installation may vary and will require you to adjust the "audit" commands to fit your scenario.'}),"\n",(0,t.jsx)(r.admonition,{type:"note",children:(0,t.jsxs)(r.p,{children:["Only ",(0,t.jsx)(r.code,{children:"scored"})," test, also know as ",(0,t.jsx)(r.code,{children:"automated"})," tests are covered in this guide."]})}),"\n",(0,t.jsx)(r.h2,{id:"11-control-plane-node-configuration-files",children:"1.1 Control Plane Node Configuration Files"}),"\n",(0,t.jsx)(r.h3,{id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the api server within the k3s process. There is no API server pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.2 Ensure that the API server pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the api server within the k3s process. There is no API server pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the controller manager within the k3s process. There is no controller manager pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.4 Ensure that the controller manager pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the controller manager within the k3s process. There is no controller manager pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the scheduler within the k3s process. There is no scheduler pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.6 Ensure that the scheduler pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the scheduler within the k3s process. There is no scheduler pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds etcd within the k3s process. There is no etcd pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.8 Ensure that the etcd pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds etcd within the k3s process. There is no etcd pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-600-or-more-restrictive-manual",children:"1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nBy default, K3s sets the CNI file permissions to 644.\nNote that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.\nIf you modify your CNI configuration, ensure that the permissions are set to 600.\nFor example, ",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/cni/networks/"})]}),"\n",(0,t.jsxs)(r.h3,{id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-automated",children:["1.1.10 Ensure that the Container Network Interface file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"ps -ef | grep containerd | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\\([^ ]*\\).*%\\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G\nfind /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root "})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",children:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'if [ "$(journalctl -u k3s | grep -m1 \'Managed etcd cluster\' | wc -l)" -gt 0 ]; then\n stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd\nelse\n echo "permissions=700"\nfi\n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 700, expected 700 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=700\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["On the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above). For example,\n",(0,t.jsx)(r.code,{children:"chmod 700 /var/lib/rancher/k3s/server/db/etcd"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",children:["1.1.12 Ensure that the etcd data directory ownership is set to etcd",":etcd"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsxs)(r.p,{children:["For K3s, etcd is embedded within the k3s process. There is no separate etcd process.\nTherefore the etcd data directory ownership is managed by the k3s process and should be root",":root","."]}),"\n",(0,t.jsx)(r.h3,{id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",children:["1.1.14 Ensure that the admin.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/admin.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",children:["1.1.16 Ensure that the scheduler.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/controller.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",children:["1.1.18 Ensure that the controller-manager.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/cred/controller.kubeconfig\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/controller.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",children:["1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown -R root:root /var/lib/rancher/k3s/server/tls"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual",children:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the master node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.crt"})]}),"\n",(0,t.jsx)(r.h3,{id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated",children:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'stat -c permissions=%a /var/lib/rancher/k3s/server/tls/*.key'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the master node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.key"})]})]}),"\n",(0,t.jsx)(r.h2,{id:"12-api-server",children:"1.2 API Server"}),"\n",(0,t.jsx)(r.h3,{id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--anonymous-auth' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --anonymous-auth argument to false. If it is set to true,\nedit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "anonymous-auth=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",children:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--token-auth-file' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Follow the documentation and configure alternate mechanisms for authentication.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "token-auth-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",children:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' does not have 'DenyServiceExternalIPs' OR '--enable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set DenyServiceExternalIPs.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=DenyServiceExternalIPs"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"124-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",children:"1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--kubelet-client-certificate' is present AND '--kubelet-client-key' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the kubelet client certificate and key.\nThey are generated and located at /var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/client-kube-apiserver.key\nIf for some reason you need to provide your own certificate and key, you can set the\nbelow parameters in the K3s config file /etc/rancher/k3s/config.yaml."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "kubelet-client-certificate="\n - "kubelet-client-key="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"125-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",children:"1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--kubelet-certificate-authority' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the kubelet CA cert file, at /var/lib/rancher/k3s/server/tls/server-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "kubelet-certificate-authority="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"126-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' does not have 'AlwaysAllow'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --authorization-mode to AlwaysAllow.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "authorization-mode=AlwaysAllow"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"127-ensure-that-the---authorization-mode-argument-includes-node-automated",children:"1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' has 'Node'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --authorization-mode to Node and RBAC.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml,\nensure that you are not overriding authorization-mode."})]}),"\n",(0,t.jsx)(r.h3,{id:"128-ensure-that-the---authorization-mode-argument-includes-rbac-automated",children:"1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' has 'RBAC'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --authorization-mode to Node and RBAC.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml,\nensure that you are not overriding authorization-mode."})]}),"\n",(0,t.jsx)(r.h3,{id:"129-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",children:"1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set the desired limits in a configuration file.\nThen, edit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameters."]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,EventRateLimit,..."\n - "admission-control-config-file="\n'})}),"\n",(0,t.jsx)(r.h3,{id:"1210-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",children:"1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' does not have 'AlwaysAdmit' OR '--enable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --enable-admission-plugins to AlwaysAdmit.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=AlwaysAdmit"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1211-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",children:"1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),'\nPermissive, per CIS guidelines,\n"This setting could impact offline or isolated clusters, which have images pre-loaded and\ndo not have access to a registry to pull in-use images. This setting is not appropriate for\nclusters which use this configuration."\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameter.']}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,AlwaysPullImages,..."\n'})}),"\n",(0,t.jsx)(r.h3,{id:"1212-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",children:"1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"Enabling Pod Security Policy is no longer supported on K3s v1.25+ and will cause applications to unexpectedly fail."}),"\n",(0,t.jsx)(r.h3,{id:"1213-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",children:"1.2.13 Ensure that the admission control plugin ServiceAccount is set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --disable-admission-plugins to anything.\nFollow the documentation and create ServiceAccount objects as per your environment.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "disable-admission-plugins=ServiceAccount"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1214-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",children:"1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --disable-admission-plugins to anything.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "disable-admission-plugins=...,NamespaceLifecycle,..."\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1215-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",children:"1.2.15 Ensure that the admission control plugin NodeRestriction is set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' has 'NodeRestriction'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --enable-admission-plugins to NodeRestriction.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, check that you are not overriding the admission plugins.\nIf you are, include NodeRestriction in the list."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,NodeRestriction,..."\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1216-ensure-that-the---secure-port-argument-is-not-set-to-0---notethis-recommendation-is-obsolete-and-will-be-deleted-per-the-consensus-process-automated",children:"1.2.16 Ensure that the --secure-port argument is not set to 0 - NoteThis recommendation is obsolete and will be deleted per the consensus process (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'secure-port'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--secure-port' is greater than 0 OR '--secure-port' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the secure port to 6444.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "secure-port="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1217-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.2.17 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "profiling=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1218-ensure-that-the---audit-log-path-argument-is-set-manual",children:"1.2.18 Ensure that the --audit-log-path argument is set (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-path' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml and set the audit-log-path parameter to a suitable path and\nfile where you would like audit logs to be written, for example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1219-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-manual",children:"1.2.19 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxage' is greater or equal to 30"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxage parameter to 30 or as an appropriate number of days, for example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxage=30"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1220-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-manual",children:"1.2.20 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxbackup' is greater or equal to 10"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxbackup parameter to 10 or to an appropriate value. For example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxbackup=10"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1221-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-manual",children:"1.2.21 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxsize' is greater or equal to 100"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxsize parameter to an appropriate size in MB. For example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxsize=100"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1222-ensure-that-the---request-timeout-argument-is-set-as-appropriate-manual",children:"1.2.22 Ensure that the --request-timeout argument is set as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),'\nPermissive, per CIS guidelines,\n"it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed".\nEdit the K3s config file /etc/rancher/k3s/config.yaml\nand set the below parameter if needed. For example,']}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "request-timeout=300s"\n'})}),"\n",(0,t.jsx)(r.h3,{id:"1223-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",children:"1.2.23 Ensure that the --service-account-lookup argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-lookup' is not present OR '--service-account-lookup' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --service-account-lookup argument.\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the service-account-lookup. For example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "service-account-lookup=true"\n'})}),(0,t.jsx)(r.p,{children:"Alternatively, you can delete the service-account-lookup parameter from this file so\nthat the default takes effect."})]}),"\n",(0,t.jsx)(r.h3,{id:"1224-ensure-that-the---service-account-key-file-argument-is-set-as-appropriate-automated",children:"1.2.24 Ensure that the --service-account-key-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s automatically generates and sets the service account key file.\nIt is located at /var/lib/rancher/k3s/server/tls/service.key.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "service-account-key-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1225-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",children:"1.2.25 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"if [ \"$(journalctl -u k3s | grep -m1 'Managed etcd cluster' | wc -l)\" -gt 0 ]; then\n journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver' | tail -n1\nelse\n echo \"--etcd-certfile AND --etcd-keyfile\"\nfi\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--etcd-certfile' is present AND '--etcd-keyfile' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s automatically generates and sets the etcd certificate and key files.\nThey are located at /var/lib/rancher/k3s/server/tls/etcd/client.crt and /var/lib/rancher/k3s/server/tls/etcd/client.key.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "etcd-certfile="\n - "etcd-keyfile="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1226-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep -A1 'Running kube-apiserver' | tail -n2\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cert-file' is present AND '--tls-private-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\nAug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically generates and provides the TLS certificate and private key for the apiserver.\nThey are generated and located at /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "tls-cert-file="\n - "tls-private-key-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1227-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"1.2.27 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'client-ca-file'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--client-ca-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the client certificate authority file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/client-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "client-ca-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1228-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",children:"1.2.28 Ensure that the --etcd-cafile argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-cafile'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--etcd-cafile' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the etcd certificate authority file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/client-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "etcd-cafile="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1229-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",children:"1.2.29 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--encryption-provider-config' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s can be configured to use encryption providers to encrypt secrets at rest.\nEdit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and set the below parameter.\nsecrets-encryption: true\nSecrets encryption can then be managed with the k3s secrets-encrypt command line tool.\nIf needed, you can find the generated encryption config at /var/lib/rancher/k3s/server/cred/encryption-config.json."})]}),"\n",(0,t.jsx)(r.h3,{id:"1230-ensure-that-encryption-providers-are-appropriately-configured-manual",children:"1.2.30 Ensure that encryption providers are appropriately configured (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"ENCRYPTION_PROVIDER_CONFIG=$(journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\\([^ ]*\\).*%\\1%')\nif test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -o 'providers\\\"\\:\\[.*\\]' $ENCRYPTION_PROVIDER_CONFIG | grep -o \"[A-Za-z]*\" | head -2 | tail -1 | sed 's/^/provider=/'; fi\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'provider' contains valid elements from 'aescbc,kms,secretbox'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"provider=aescbc\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s can be configured to use encryption providers to encrypt secrets at rest. K3s will utilize the aescbc provider.\nEdit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and set the below parameter.\nsecrets-encryption: true\nSecrets encryption can then be managed with the k3s secrets-encrypt command line tool.\nIf needed, you can find the generated encryption config at /var/lib/rancher/k3s/server/cred/encryption-config.json"})]}),"\n",(0,t.jsx)(r.h3,{id:"1231-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-automated",children:"1.2.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cipher-suites' contains valid elements from 'TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["By default, the K3s kube-apiserver complies with this test. Changes to these values may cause regression, therefore ensure that all apiserver clients support the new TLS configuration before applying it in production deployments.\nIf a custom TLS configuration is required, consider also creating a custom version of this rule that aligns with your requirements.\nIf this check fails, remove any custom configuration around ",(0,t.jsx)(r.code,{children:"tls-cipher-suites"})," or update the /etc/rancher/k3s/config.yaml file to match the default by adding the following:"]}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"\n'})})]}),"\n",(0,t.jsx)(r.h2,{id:"13-controller-manager",children:"1.3 Controller Manager"}),"\n",(0,t.jsx)(r.h3,{id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",children:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'terminated-pod-gc-threshold'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--terminated-pod-gc-threshold' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node\nand set the --terminated-pod-gc-threshold to an appropriate threshold,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "terminated-pod-gc-threshold=10"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.3.2 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "profiling=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",children:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--use-service-account-credentials' is not equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --use-service-account-credentials argument to true.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "use-service-account-credentials=false"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",children:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'service-account-private-key-file'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-private-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the service account private key file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/service.current.key.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "service-account-private-key-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",children:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'root-ca-file'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--root-ca-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the root CA file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/server-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "root-ca-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--feature-gates' does not have 'RotateKubeletServerCertificate=false' OR '--feature-gates' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the RotateKubeletServerCertificate feature gate.\nIf you have enabled this feature gate, you should remove it.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "feature-gate=RotateKubeletServerCertificate"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--bind-address' is present OR '--bind-address' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root 2372 2354 4 19:01 ? 00:00:05 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd\nroot 3128 1 0 19:01 ? 00:00:00 /var/lib/rancher/k3s/data/0f1a87835be3817408b496b439fddb9ea54cab4298db472792bb1b1cbdc210bc/bin/containerd-shim-runc-v2 -namespace k8s.io -id 878d74b0d77d904ec40cd1db71956f2edeb68ab420227a5a42e6d25f249a140a -address /run/k3s/containerd/containerd.sock\nroot 3239 1 0 19:01 ? 00:00:00 /var/lib/rancher/k3s/data/0f1a87835be3817408b496b439fddb9ea54cab4298db472792bb1b1cbdc210bc/bin/containerd-shim-runc-v2 -namespace k8s.io -id d00cc363af40aee36210e396597e4c02712ae99535be21d204849dc33a22af88 -address /run/k3s/containerd/containerd.sock\nroot 3293 1 0 19:01 ? 00:00:00 /var/lib/rancher/k3s/data/0f1a87835be3817408b496b439fddb9ea54cab4298db472792bb1b1cbdc210bc/bin/containerd-shim-runc-v2 -namespace k8s.io -id 5df076fa9547c555a2231b9a9a7cbb44021eaa1ab68c9b59b13da960697143f6 -address /run/k3s/containerd/containerd.sock\nroot 4557 1 0 19:02 ? 00:00:00 /var/lib/rancher/k3s/data/0f1a87835be3817408b496b439fddb9ea54cab4298db472792bb1b1cbdc210bc/bin/containerd-shim-runc-v2 -namespace k8s.io -id f6483b71bcb7ea23356003921a7d90cf638b8f9e473728f3b28dc67163e0fa2d -address /run/k3s/containerd/containerd.sock\nroot 4644 1 0 19:02 ? 00:00:00 /var/lib/rancher/k3s/data/0f1a87835be3817408b496b439fddb9ea54cab4298db472792bb1b1cbdc210bc/bin/containerd-shim-runc-v2 -namespace k8s.io -id 4d8ceb2620c4e0501a49dc9192fc56d035e76bc79a2c6072fee8619730006233 -address /run/k3s/containerd/containerd.sock\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --bind-address argument to 127.0.0.1\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "bind-address="\n'})})]}),"\n",(0,t.jsx)(r.h2,{id:"14-scheduler",children:"1.4 Scheduler"}),"\n",(0,t.jsx)(r.h3,{id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.4.1 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-scheduler-arg:\n - "profiling=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'bind-address'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --bind-address argument to 127.0.0.1\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-scheduler-arg:\n - "bind-address="\n'})})]}),"\n",(0,t.jsx)(r.h2,{id:"2-etcd-node-configuration",children:"2 Etcd Node Configuration"}),"\n",(0,t.jsx)(r.h3,{id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",children:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.cert-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/server-client.crt' AND '.client-transport-security.key-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/server-client.key'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates cert and key files for etcd.\nThese are located in /var/lib/rancher/k3s/server/tls/etcd/.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use custom cert and key files."})]}),"\n",(0,t.jsx)(r.h3,{id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",children:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.client-cert-auth' is equal to 'true'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s sets the --client-cert-auth parameter to true.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to disable client certificate authentication."})]}),"\n",(0,t.jsx)(r.h3,{id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",children:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.auto-tls' is present OR '.client-transport-security.auto-tls' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s does not set the --auto-tls parameter.\nIf this check fails, edit the etcd pod specification file /var/lib/rancher/k3s/server/db/etcd/config on the master\nnode and either remove the --auto-tls parameter or set it to false.\nclient-transport-security:\nauto-tls: false"})]}),"\n",(0,t.jsx)(r.h3,{id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",children:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.cert-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt' AND '.peer-transport-security.key-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates peer cert and key files for etcd.\nThese are located in /var/lib/rancher/k3s/server/tls/etcd/.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use custom peer cert and key files."})]}),"\n",(0,t.jsx)(r.h3,{id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",children:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.client-cert-auth' is equal to 'true'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s sets the --peer-cert-auth parameter to true.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to disable peer client certificate authentication."})]}),"\n",(0,t.jsx)(r.h3,{id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",children:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.auto-tls' is present OR '.peer-transport-security.auto-tls' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s does not set the --peer-auto-tls parameter.\nIf this check fails, edit the etcd pod specification file /var/lib/rancher/k3s/server/db/etcd/config on the master\nnode and either remove the --peer-auto-tls parameter or set it to false.\npeer-transport-security:\nauto-tls: false"})]}),"\n",(0,t.jsx)(r.h3,{id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-automated",children:"2.7 Ensure that a unique Certificate Authority is used for etcd (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.trusted-ca-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-4a89bd20=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-http-urls: https://127.0.0.1:2382\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-4a89bd20\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates a unique certificate authority for etcd.\nThis is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use a shared certificate authority."})]}),"\n",(0,t.jsx)(r.h2,{id:"41-worker-node-configuration-files",children:"4.1 Worker Node Configuration Files"}),"\n",(0,t.jsx)(r.h3,{id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet service file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsxs)(r.h3,{id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",children:["4.1.2 Ensure that the kubelet service file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet service file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsx)(r.p,{children:"All configuration is passed in as arguments at container run time."}),"\n",(0,t.jsx)(r.h3,{id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi' \n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-automated",children:["4.1.4 If proxy kubeconfig file exists ensure ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi' \n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example, ",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubelet.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/agent/kubelet.kubeconfig; fi' \n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/kubelet.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",children:["4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/kubelet.kubeconfig\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/kubelet.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c permissions=%a /var/lib/rancher/k3s/agent/client-ca.crt\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the following command to modify the file permissions of the\n--client-ca-file ",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/client-ca.crt"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-automated",children:["4.1.8 Ensure that the client certificate authorities file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/client-ca.crt\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the following command to modify the ownership of the --client-ca-file.\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/client-ca.crt"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-600-or-more-restrictive-automated",children:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsxs)(r.h3,{id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",children:["4.1.10 Ensure that the kubelet --config configuration file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime."}),"\n",(0,t.jsx)(r.h2,{id:"42-kubelet",children:"4.2 Kubelet"}),"\n",(0,t.jsx)(r.h3,{id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi\' \n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--anonymous-auth' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --anonymous-auth to false. If you have set this to a different value, you\nshould set it back to false. If using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "anonymous-auth=true"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="anonymous-auth=true"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"; else echo "--authorization-mode=Webhook"; fi\' \n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' does not have 'AlwaysAllow'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --authorization-mode to AlwaysAllow.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "authorization-mode=AlwaysAllow"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="authorization-mode=AlwaysAllow"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file"; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi\' \n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--client-ca-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:28 server-0 k3s[2354]: time="2024-08-09T19:01:28Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the client ca certificate for the Kubelet.\nIt is generated and located at /var/lib/rancher/k3s/agent/client-ca.crt"})]}),"\n",(0,t.jsx)(r.h3,{id:"424-verify-that-the---read-only-port-argument-is-set-to-0-automated",children:"4.2.4 Verify that the --read-only-port argument is set to 0 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--read-only-port' is equal to '0' OR '--read-only-port' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --read-only-port to 0. If you have set this to a different value, you\nshould set it back to 0. If using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "read-only-port=XXXX"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="read-only-port=XXXX"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",children:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--streaming-connection-idle-timeout' is not equal to '0' OR '--streaming-connection-idle-timeout' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter to an appropriate value."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "streaming-connection-idle-timeout=5m"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="streaming-connection-idle-timeout=5m".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"426-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",children:"4.2.6 Ensure that the --make-iptables-util-chains argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--make-iptables-util-chains' is equal to 'true' OR '--make-iptables-util-chains' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "make-iptables-util-chains=true"\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="make-iptables-util-chains=true".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"427-ensure-that-the---hostname-override-argument-is-not-set-automated",children:"4.2.7 Ensure that the --hostname-override argument is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s does set the --hostname-override argument. Per CIS guidelines, this is to comply\nwith cloud providers that require this flag to ensure that hostname matches node names."}),"\n",(0,t.jsx)(r.h3,{id:"428-ensure-that-the-eventrecordqps-argument-is-set-to-a-level-which-ensures-appropriate-event-capture-manual",children:"4.2.8 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--event-qps' is greater or equal to 0 OR '--event-qps' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the event-qps to 0. Should you wish to change this,\nIf using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter to an appropriate value."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "event-qps="\n'})}),(0,t.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="event-qps=".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"429-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"4.2.9 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cert-file' is present AND '--tls-private-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the TLS certificate and private key for the Kubelet.\nThey are generated and located at /var/lib/rancher/k3s/agent/serving-kubelet.crt and /var/lib/rancher/k3s/agent/serving-kubelet.key\nIf for some reason you need to provide your own certificate and key, you can set the\nthe below parameters in the K3s config file /etc/rancher/k3s/config.yaml."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "tls-cert-file="\n - "tls-private-key-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"4210-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",children:"4.2.10 Ensure that the --rotate-certificates argument is not set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--rotate-certificates' is present OR '--rotate-certificates' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["By default, K3s does not set the --rotate-certificates argument. If you have set this flag with a value of ",(0,t.jsx)(r.code,{children:"false"}),", you should either set it to ",(0,t.jsx)(r.code,{children:"true"}),' or completely remove the flag.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any rotate-certificates parameter.\nIf using the command line, remove the K3s flag --kubelet-arg="rotate-certificates".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service']})]}),"\n",(0,t.jsx)(r.h3,{id:"4211-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"4.2.11 Verify that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'RotateKubeletServerCertificate' is present OR 'RotateKubeletServerCertificate' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:'By default, K3s does not set the RotateKubeletServerCertificate feature gate.\nIf you have enabled this feature gate, you should remove it.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any feature-gate=RotateKubeletServerCertificate parameter.\nIf using the command line, remove the K3s flag --kubelet-arg="feature-gate=RotateKubeletServerCertificate".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"4212-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",children:"4.2.12 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cipher-suites' contains valid elements from 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:01:30 server-0 k3s[2354]: time="2024-08-09T19:01:30Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["If using a K3s config file /etc/rancher/k3s/config.yaml, edit the file to set ",(0,t.jsx)(r.code,{children:"TLSCipherSuites"})," to"]}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"\n'})}),(0,t.jsx)(r.p,{children:'or to a subset of these values.\nIf using the command line, add the K3s flag --kubelet-arg="tls-cipher-suites="\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,t.jsx)(r.h3,{id:"4213-ensure-that-a-limit-is-set-on-pod-pids-manual",children:"4.2.13 Ensure that a limit is set on pod PIDs (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nDecide on an appropriate level for this parameter and set it,\nIf using a K3s config file /etc/rancher/k3s/config.yaml, edit the file to set ",(0,t.jsx)(r.code,{children:"podPidsLimit"})," to"]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kubelet-arg:\n - "pod-max-pids="\n'})}),"\n",(0,t.jsx)(r.h2,{id:"51-rbac-and-service-accounts",children:"5.1 RBAC and Service Accounts"}),"\n",(0,t.jsx)(r.h3,{id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",children:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nIdentify all clusterrolebindings to the cluster-admin role. Check if they are used and\nif they need this role or if they could use a role with fewer privileges.\nWhere possible, first bind users to a lower privileged role and then remove the\nclusterrolebinding to the cluster-admin role :\nkubectl delete clusterrolebinding [name]"]}),"\n",(0,t.jsx)(r.h3,{id:"512-minimize-access-to-secrets-manual",children:"5.1.2 Minimize access to secrets (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove get, list and watch access to Secret objects in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",children:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible replace any use of wildcards in clusterroles and roles with specific\nobjects or actions."]}),"\n",(0,t.jsx)(r.h3,{id:"514-minimize-access-to-create-pods-manual",children:"5.1.4 Minimize access to create pods (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove create access to pod objects in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",children:"5.1.5 Ensure that default service accounts are not actively used. (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nCreate explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\nautomountServiceAccountToken: false"]}),"\n",(0,t.jsx)(r.h3,{id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",children:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nModify the definition of pods and service accounts which do not need to mount service\naccount tokens to disable it."]}),"\n",(0,t.jsxs)(r.h3,{id:"517-avoid-use-of-system-group-manual",children:["5.1.7 Avoid use of system",":masters"," group (Manual)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nRemove the system",":masters"," group from all users in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",children:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove the impersonate, bind and escalate rights from subjects."]}),"\n",(0,t.jsx)(r.h3,{id:"519-minimize-access-to-create-persistent-volumes-manual",children:"5.1.9 Minimize access to create persistent volumes (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove create access to PersistentVolume objects in the cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"5110-minimize-access-to-the-proxy-sub-resource-of-nodes-manual",children:"5.1.10 Minimize access to the proxy sub-resource of nodes (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the proxy sub-resource of node objects."]}),"\n",(0,t.jsx)(r.h3,{id:"5111-minimize-access-to-the-approval-sub-resource-of-certificatesigningrequests-objects-manual",children:"5.1.11 Minimize access to the approval sub-resource of certificatesigningrequests objects (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the approval sub-resource of certificatesigningrequest objects."]}),"\n",(0,t.jsx)(r.h3,{id:"5112-minimize-access-to-webhook-configuration-objects-manual",children:"5.1.12 Minimize access to webhook configuration objects (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the validatingwebhookconfigurations or mutatingwebhookconfigurations objects"]}),"\n",(0,t.jsx)(r.h3,{id:"5113-minimize-access-to-the-service-account-token-creation-manual",children:"5.1.13 Minimize access to the service account token creation (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove access to the token sub-resource of serviceaccount objects."]}),"\n",(0,t.jsx)(r.h2,{id:"52-pod-security-standards",children:"5.2 Pod Security Standards"}),"\n",(0,t.jsx)(r.h3,{id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",children:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that either Pod Security Admission or an external policy control system is in place\nfor every namespace which contains user workloads."]}),"\n",(0,t.jsx)(r.h3,{id:"522-minimize-the-admission-of-privileged-containers-manual",children:"5.2.2 Minimize the admission of privileged containers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of privileged containers."]}),"\n",(0,t.jsx)(r.h3,{id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",children:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,t.jsx)(r.code,{children:"hostPID"})," containers."]}),"\n",(0,t.jsx)(r.h3,{id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",children:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,t.jsx)(r.code,{children:"hostIPC"})," containers."]}),"\n",(0,t.jsx)(r.h3,{id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",children:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,t.jsx)(r.code,{children:"hostNetwork"})," containers."]}),"\n",(0,t.jsx)(r.h3,{id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",children:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,t.jsx)(r.code,{children:".spec.allowPrivilegeEscalation"})," set to ",(0,t.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"527-minimize-the-admission-of-root-containers-automated",children:"5.2.7 Minimize the admission of root containers (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nCreate a policy for each namespace in the cluster, ensuring that either ",(0,t.jsx)(r.code,{children:"MustRunAsNonRoot"}),"\nor ",(0,t.jsx)(r.code,{children:"MustRunAs"})," with the range of UIDs not including 0, is set."]}),"\n",(0,t.jsx)(r.h3,{id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",children:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with the ",(0,t.jsx)(r.code,{children:"NET_RAW"})," capability."]}),"\n",(0,t.jsx)(r.h3,{id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",children:"5.2.9 Minimize the admission of containers with added capabilities (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that ",(0,t.jsx)(r.code,{children:"allowedCapabilities"})," is not present in policies for the cluster unless\nit is set to an empty array."]}),"\n",(0,t.jsx)(r.h3,{id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",children:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nReview the use of capabilities in applications running on your cluster. Where a namespace\ncontains applications which do not require any Linux capabities to operate consider adding\na PSP which forbids the admission of containers which do not drop all capabilities."]}),"\n",(0,t.jsx)(r.h3,{id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",children:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers that have ",(0,t.jsx)(r.code,{children:".securityContext.windowsOptions.hostProcess"})," set to ",(0,t.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"5212-minimize-the-admission-of-hostpath-volumes-manual",children:"5.2.12 Minimize the admission of HostPath volumes (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,t.jsx)(r.code,{children:"hostPath"})," volumes."]}),"\n",(0,t.jsx)(r.h3,{id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",children:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers which use ",(0,t.jsx)(r.code,{children:"hostPort"})," sections."]}),"\n",(0,t.jsx)(r.h2,{id:"53-network-policies-and-cni",children:"5.3 Network Policies and CNI"}),"\n",(0,t.jsx)(r.h3,{id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",children:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nIf the CNI plugin in use does not support network policies, consideration should be given to\nmaking use of a different plugin, or finding an alternate mechanism for restricting traffic\nin the Kubernetes cluster."]}),"\n",(0,t.jsx)(r.h3,{id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",children:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create NetworkPolicy objects as you need them."]}),"\n",(0,t.jsx)(r.h2,{id:"54-secrets-management",children:"5.4 Secrets Management"}),"\n",(0,t.jsx)(r.h3,{id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",children:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nIf possible, rewrite application code to read Secrets from mounted secret files, rather than\nfrom environment variables."]}),"\n",(0,t.jsx)(r.h3,{id:"542-consider-external-secret-storage-manual",children:"5.4.2 Consider external secret storage (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nRefer to the Secrets management options offered by your cloud provider or a third-party\nsecrets management solution."]}),"\n",(0,t.jsx)(r.h2,{id:"55-extensible-admission-control",children:"5.5 Extensible Admission Control"}),"\n",(0,t.jsx)(r.h3,{id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",children:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and setup image provenance."]}),"\n",(0,t.jsx)(r.h2,{id:"57-general-policies",children:"5.7 General Policies"}),"\n",(0,t.jsx)(r.h3,{id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",children:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create namespaces for objects in your deployment as you need\nthem."]}),"\n",(0,t.jsx)(r.h3,{id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",children:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nUse ",(0,t.jsx)(r.code,{children:"securityContext"})," to enable the docker/default seccomp profile in your pod definitions.\nAn example is as below:\nsecurityContext:\nseccompProfile:\ntype: RuntimeDefault"]}),"\n",(0,t.jsx)(r.h3,{id:"573-apply-securitycontext-to-your-pods-and-containers-manual",children:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and apply SecurityContexts to your Pods. For a\nsuggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker\nContainers."]}),"\n",(0,t.jsx)(r.h3,{id:"574-the-default-namespace-should-not-be-used-manual",children:"5.7.4 The default namespace should not be used (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes\nresources and that all new resources are created in a specific namespace."]})]})}function u(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,t.jsx)(r,{...e,children:(0,t.jsx)(d,{...e})}):d(e)}},1151:(e,r,s)=>{s.d(r,{Z:()=>l,a:()=>a});var t=s(7294);const n={},i=t.createContext(n);function a(e){const r=t.useContext(i);return t.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function l(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:a(e.components),t.createElement(i.Provider,{value:r},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/65c5030c.fd25ad71.js b/assets/js/65c5030c.e1e06803.js
similarity index 99%
rename from assets/js/65c5030c.fd25ad71.js
rename to assets/js/65c5030c.e1e06803.js
index e7593c8bd..aa5d69026 100644
--- a/assets/js/65c5030c.fd25ad71.js
+++ b/assets/js/65c5030c.e1e06803.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7733],{215:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>d,contentTitle:()=>o,default:()=>h,frontMatter:()=>a,metadata:()=>r,toc:()=>l});var i=s(5893),t=s(1151);const a={title:"Managing Packaged Components"},o=void 0,r={id:"installation/packaged-components",title:"Managing Packaged Components",description:"Auto-Deploying Manifests (AddOns)",source:"@site/docs/installation/packaged-components.md",sourceDirName:"installation",slug:"/installation/packaged-components",permalink:"/installation/packaged-components",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/packaged-components.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Managing Packaged Components"},sidebar:"mySidebar",previous:{title:"Managing Server Roles",permalink:"/installation/server-roles"},next:{title:"Uninstalling K3s",permalink:"/installation/uninstall"}},d={},l=[{value:"Auto-Deploying Manifests (AddOns)",id:"auto-deploying-manifests-addons",level:2},{value:"Packaged Components",id:"packaged-components",level:3},{value:"User AddOns",id:"user-addons",level:3},{value:"File Naming Requirements",id:"file-naming-requirements",level:4},{value:"Disabling Manifests",id:"disabling-manifests",level:2},{value:"Using the --disable flag",id:"using-the---disable-flag",level:3},{value:"Using .skip files",id:"using-skip-files",level:3},{value:"Helm AddOns",id:"helm-addons",level:2}];function c(e){const n={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h2:"h2",h3:"h3",h4:"h4",p:"p",pre:"pre",...(0,t.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.h2,{id:"auto-deploying-manifests-addons",children:"Auto-Deploying Manifests (AddOns)"}),"\n",(0,i.jsxs)(n.p,{children:["On server nodes, any file found in ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"})," will automatically be deployed to Kubernetes in a manner similar to ",(0,i.jsx)(n.code,{children:"kubectl apply"}),", both on startup and when the file is changed on disk. Deleting files out of this directory will not delete the corresponding resources from the cluster."]}),"\n",(0,i.jsxs)(n.p,{children:["Manifests are tracked as ",(0,i.jsx)(n.code,{children:"AddOn"})," custom resources in the ",(0,i.jsx)(n.code,{children:"kube-system"})," namespace. Any errors or warnings encountered when applying the manifest file may seen by using ",(0,i.jsx)(n.code,{children:"kubectl describe"})," on the corresponding ",(0,i.jsx)(n.code,{children:"AddOn"}),", or by using ",(0,i.jsx)(n.code,{children:"kubectl get event -n kube-system"})," to view all events for that namespace, including those from the deploy controller."]}),"\n",(0,i.jsx)(n.h3,{id:"packaged-components",children:"Packaged Components"}),"\n",(0,i.jsxs)(n.p,{children:["K3s comes with a number of packaged components that are deployed as AddOns via the manifests directory: ",(0,i.jsx)(n.code,{children:"coredns"}),", ",(0,i.jsx)(n.code,{children:"traefik"}),", ",(0,i.jsx)(n.code,{children:"local-storage"}),", and ",(0,i.jsx)(n.code,{children:"metrics-server"}),". The embedded ",(0,i.jsx)(n.code,{children:"servicelb"})," LoadBalancer controller does not have a manifest file, but can be disabled as if it were an ",(0,i.jsx)(n.code,{children:"AddOn"})," for historical reasons."]}),"\n",(0,i.jsx)(n.p,{children:"Manifests for packaged components are managed by K3s, and should not be altered. The files are re-written to disk whenever K3s is started, in order to ensure their integrity."}),"\n",(0,i.jsx)(n.h3,{id:"user-addons",children:"User AddOns"}),"\n",(0,i.jsxs)(n.p,{children:["You may place additional files in the manifests directory for deployment as an ",(0,i.jsx)(n.code,{children:"AddOn"}),". Each file may contain multiple Kubernetes resources, delmited by the ",(0,i.jsx)(n.code,{children:"---"})," YAML document separator. For more information on organizing resources in manifests, see the ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/",children:"Managing Resources"})," section of the Kubernetes documentation."]}),"\n",(0,i.jsx)(n.h4,{id:"file-naming-requirements",children:"File Naming Requirements"}),"\n",(0,i.jsxs)(n.p,{children:["The ",(0,i.jsx)(n.code,{children:"AddOn"})," name for each file in the manifest directory is derived from the file basename.\nEnsure that all files within the manifests directory (or within any subdirectories) have names that are unique, and adhere to Kubernetes ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/overview/working-with-objects/names/",children:"object naming restrictions"}),".\nCare should also be taken not to conflict with names in use by the default K3s packaged components, even if those components are disabled."]}),"\n",(0,i.jsx)(n.p,{children:"Here is en example of an error that would be reported if the file name contains underscores:"}),"\n",(0,i.jsxs)(n.blockquote,{children:["\n",(0,i.jsx)(n.p,{children:(0,i.jsx)(n.code,{children:"Failed to process config: failed to process /var/lib/rancher/k3s/server/manifests/example_manifest.yaml: Addon.k3s.cattle.io \"example_manifest\" is invalid: metadata.name: Invalid value: \"example_manifest\": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')"})}),"\n"]}),"\n",(0,i.jsx)(n.admonition,{type:"danger",children:(0,i.jsx)(n.p,{children:"If you have multiple server nodes, and place additional AddOn manifests on more than one server, it is your responsibility to ensure that files stay in sync across those nodes. K3s does not sync AddOn content between nodes, and cannot guarantee correct behavior if different servers attempt to deploy conflicting manifests."})}),"\n",(0,i.jsx)(n.h2,{id:"disabling-manifests",children:"Disabling Manifests"}),"\n",(0,i.jsx)(n.p,{children:"There are two ways to disable deployment of specific content from the manifests directory."}),"\n",(0,i.jsxs)(n.h3,{id:"using-the---disable-flag",children:["Using the ",(0,i.jsx)(n.code,{children:"--disable"})," flag"]}),"\n",(0,i.jsxs)(n.p,{children:["The AddOns for packaged components listed above, in addition to AddOns for any additional manifests placed in the ",(0,i.jsx)(n.code,{children:"manifests"})," directory, can be disabled with the ",(0,i.jsx)(n.code,{children:"--disable"})," flag. Disabled AddOns are actively uninstalled from the cluster, and the source files deleted from the ",(0,i.jsx)(n.code,{children:"manifests"})," directory."]}),"\n",(0,i.jsxs)(n.p,{children:["For example, to disable traefik from being installed on a new cluster, or to uninstall it and remove the manifest from an existing cluster, you can start K3s with ",(0,i.jsx)(n.code,{children:"--disable=traefik"}),". Multiple items can be disabled by separating their names with commas, or by repeating the flag."]}),"\n",(0,i.jsx)(n.h3,{id:"using-skip-files",children:"Using .skip files"}),"\n",(0,i.jsxs)(n.p,{children:["For any file under ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"}),", you can create a ",(0,i.jsx)(n.code,{children:".skip"})," file which will cause K3s to ignore the corresponding manifest. The contents of the ",(0,i.jsx)(n.code,{children:".skip"})," file do not matter, only its existence is checked. Note that creating a ",(0,i.jsx)(n.code,{children:".skip"})," file after an AddOn has already been created will not remove or otherwise modify it or the resources it created; the file is simply treated as if it did not exist."]}),"\n",(0,i.jsxs)(n.p,{children:["For example, creating an empty ",(0,i.jsx)(n.code,{children:"traefik.yaml.skip"})," file in the manifests directory before K3s is started the first time, will cause K3s to skip deploying ",(0,i.jsx)(n.code,{children:"traefik.yaml"}),":"]}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"$ ls /var/lib/rancher/k3s/server/manifests\nccm.yaml local-storage.yaml rolebindings.yaml traefik.yaml.skip\ncoredns.yaml traefik.yaml\n\n$ kubectl get pods -A\nNAMESPACE NAME READY STATUS RESTARTS AGE\nkube-system local-path-provisioner-64ffb68fd-xx98j 1/1 Running 0 74s\nkube-system metrics-server-5489f84d5d-7zwkt 1/1 Running 0 74s\nkube-system coredns-85cb69466-vcq7j 1/1 Running 0 74s\n"})}),"\n",(0,i.jsxs)(n.p,{children:["If Traefik had already been deployed prior to creating the ",(0,i.jsx)(n.code,{children:"traefik.skip"})," file, Traefik would stay as-is, and would not be affected by future updates when K3s is upgraded."]}),"\n",(0,i.jsx)(n.h2,{id:"helm-addons",children:"Helm AddOns"}),"\n",(0,i.jsxs)(n.p,{children:["For information about managing Helm charts via auto-deploying manifests, refer to the section about ",(0,i.jsx)(n.a,{href:"/helm",children:"Helm."})]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(c,{...e})}):c(e)}},1151:(e,n,s)=>{s.d(n,{Z:()=>r,a:()=>o});var i=s(7294);const t={},a=i.createContext(t);function o(e){const n=i.useContext(a);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function r(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:o(e.components),i.createElement(a.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7733],{215:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>d,contentTitle:()=>o,default:()=>h,frontMatter:()=>a,metadata:()=>r,toc:()=>l});var i=s(5893),t=s(1151);const a={title:"Managing Packaged Components"},o=void 0,r={id:"installation/packaged-components",title:"Managing Packaged Components",description:"Auto-Deploying Manifests (AddOns)",source:"@site/docs/installation/packaged-components.md",sourceDirName:"installation",slug:"/installation/packaged-components",permalink:"/installation/packaged-components",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/packaged-components.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Managing Packaged Components"},sidebar:"mySidebar",previous:{title:"Managing Server Roles",permalink:"/installation/server-roles"},next:{title:"Uninstalling K3s",permalink:"/installation/uninstall"}},d={},l=[{value:"Auto-Deploying Manifests (AddOns)",id:"auto-deploying-manifests-addons",level:2},{value:"Packaged Components",id:"packaged-components",level:3},{value:"User AddOns",id:"user-addons",level:3},{value:"File Naming Requirements",id:"file-naming-requirements",level:4},{value:"Disabling Manifests",id:"disabling-manifests",level:2},{value:"Using the --disable flag",id:"using-the---disable-flag",level:3},{value:"Using .skip files",id:"using-skip-files",level:3},{value:"Helm AddOns",id:"helm-addons",level:2}];function c(e){const n={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h2:"h2",h3:"h3",h4:"h4",p:"p",pre:"pre",...(0,t.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.h2,{id:"auto-deploying-manifests-addons",children:"Auto-Deploying Manifests (AddOns)"}),"\n",(0,i.jsxs)(n.p,{children:["On server nodes, any file found in ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"})," will automatically be deployed to Kubernetes in a manner similar to ",(0,i.jsx)(n.code,{children:"kubectl apply"}),", both on startup and when the file is changed on disk. Deleting files out of this directory will not delete the corresponding resources from the cluster."]}),"\n",(0,i.jsxs)(n.p,{children:["Manifests are tracked as ",(0,i.jsx)(n.code,{children:"AddOn"})," custom resources in the ",(0,i.jsx)(n.code,{children:"kube-system"})," namespace. Any errors or warnings encountered when applying the manifest file may seen by using ",(0,i.jsx)(n.code,{children:"kubectl describe"})," on the corresponding ",(0,i.jsx)(n.code,{children:"AddOn"}),", or by using ",(0,i.jsx)(n.code,{children:"kubectl get event -n kube-system"})," to view all events for that namespace, including those from the deploy controller."]}),"\n",(0,i.jsx)(n.h3,{id:"packaged-components",children:"Packaged Components"}),"\n",(0,i.jsxs)(n.p,{children:["K3s comes with a number of packaged components that are deployed as AddOns via the manifests directory: ",(0,i.jsx)(n.code,{children:"coredns"}),", ",(0,i.jsx)(n.code,{children:"traefik"}),", ",(0,i.jsx)(n.code,{children:"local-storage"}),", and ",(0,i.jsx)(n.code,{children:"metrics-server"}),". The embedded ",(0,i.jsx)(n.code,{children:"servicelb"})," LoadBalancer controller does not have a manifest file, but can be disabled as if it were an ",(0,i.jsx)(n.code,{children:"AddOn"})," for historical reasons."]}),"\n",(0,i.jsx)(n.p,{children:"Manifests for packaged components are managed by K3s, and should not be altered. The files are re-written to disk whenever K3s is started, in order to ensure their integrity."}),"\n",(0,i.jsx)(n.h3,{id:"user-addons",children:"User AddOns"}),"\n",(0,i.jsxs)(n.p,{children:["You may place additional files in the manifests directory for deployment as an ",(0,i.jsx)(n.code,{children:"AddOn"}),". Each file may contain multiple Kubernetes resources, delmited by the ",(0,i.jsx)(n.code,{children:"---"})," YAML document separator. For more information on organizing resources in manifests, see the ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/",children:"Managing Resources"})," section of the Kubernetes documentation."]}),"\n",(0,i.jsx)(n.h4,{id:"file-naming-requirements",children:"File Naming Requirements"}),"\n",(0,i.jsxs)(n.p,{children:["The ",(0,i.jsx)(n.code,{children:"AddOn"})," name for each file in the manifest directory is derived from the file basename.\nEnsure that all files within the manifests directory (or within any subdirectories) have names that are unique, and adhere to Kubernetes ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/overview/working-with-objects/names/",children:"object naming restrictions"}),".\nCare should also be taken not to conflict with names in use by the default K3s packaged components, even if those components are disabled."]}),"\n",(0,i.jsx)(n.p,{children:"Here is en example of an error that would be reported if the file name contains underscores:"}),"\n",(0,i.jsxs)(n.blockquote,{children:["\n",(0,i.jsx)(n.p,{children:(0,i.jsx)(n.code,{children:"Failed to process config: failed to process /var/lib/rancher/k3s/server/manifests/example_manifest.yaml: Addon.k3s.cattle.io \"example_manifest\" is invalid: metadata.name: Invalid value: \"example_manifest\": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')"})}),"\n"]}),"\n",(0,i.jsx)(n.admonition,{type:"danger",children:(0,i.jsx)(n.p,{children:"If you have multiple server nodes, and place additional AddOn manifests on more than one server, it is your responsibility to ensure that files stay in sync across those nodes. K3s does not sync AddOn content between nodes, and cannot guarantee correct behavior if different servers attempt to deploy conflicting manifests."})}),"\n",(0,i.jsx)(n.h2,{id:"disabling-manifests",children:"Disabling Manifests"}),"\n",(0,i.jsx)(n.p,{children:"There are two ways to disable deployment of specific content from the manifests directory."}),"\n",(0,i.jsxs)(n.h3,{id:"using-the---disable-flag",children:["Using the ",(0,i.jsx)(n.code,{children:"--disable"})," flag"]}),"\n",(0,i.jsxs)(n.p,{children:["The AddOns for packaged components listed above, in addition to AddOns for any additional manifests placed in the ",(0,i.jsx)(n.code,{children:"manifests"})," directory, can be disabled with the ",(0,i.jsx)(n.code,{children:"--disable"})," flag. Disabled AddOns are actively uninstalled from the cluster, and the source files deleted from the ",(0,i.jsx)(n.code,{children:"manifests"})," directory."]}),"\n",(0,i.jsxs)(n.p,{children:["For example, to disable traefik from being installed on a new cluster, or to uninstall it and remove the manifest from an existing cluster, you can start K3s with ",(0,i.jsx)(n.code,{children:"--disable=traefik"}),". Multiple items can be disabled by separating their names with commas, or by repeating the flag."]}),"\n",(0,i.jsx)(n.h3,{id:"using-skip-files",children:"Using .skip files"}),"\n",(0,i.jsxs)(n.p,{children:["For any file under ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"}),", you can create a ",(0,i.jsx)(n.code,{children:".skip"})," file which will cause K3s to ignore the corresponding manifest. The contents of the ",(0,i.jsx)(n.code,{children:".skip"})," file do not matter, only its existence is checked. Note that creating a ",(0,i.jsx)(n.code,{children:".skip"})," file after an AddOn has already been created will not remove or otherwise modify it or the resources it created; the file is simply treated as if it did not exist."]}),"\n",(0,i.jsxs)(n.p,{children:["For example, creating an empty ",(0,i.jsx)(n.code,{children:"traefik.yaml.skip"})," file in the manifests directory before K3s is started the first time, will cause K3s to skip deploying ",(0,i.jsx)(n.code,{children:"traefik.yaml"}),":"]}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"$ ls /var/lib/rancher/k3s/server/manifests\nccm.yaml local-storage.yaml rolebindings.yaml traefik.yaml.skip\ncoredns.yaml traefik.yaml\n\n$ kubectl get pods -A\nNAMESPACE NAME READY STATUS RESTARTS AGE\nkube-system local-path-provisioner-64ffb68fd-xx98j 1/1 Running 0 74s\nkube-system metrics-server-5489f84d5d-7zwkt 1/1 Running 0 74s\nkube-system coredns-85cb69466-vcq7j 1/1 Running 0 74s\n"})}),"\n",(0,i.jsxs)(n.p,{children:["If Traefik had already been deployed prior to creating the ",(0,i.jsx)(n.code,{children:"traefik.skip"})," file, Traefik would stay as-is, and would not be affected by future updates when K3s is upgraded."]}),"\n",(0,i.jsx)(n.h2,{id:"helm-addons",children:"Helm AddOns"}),"\n",(0,i.jsxs)(n.p,{children:["For information about managing Helm charts via auto-deploying manifests, refer to the section about ",(0,i.jsx)(n.a,{href:"/helm",children:"Helm."})]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(c,{...e})}):c(e)}},1151:(e,n,s)=>{s.d(n,{Z:()=>r,a:()=>o});var i=s(7294);const t={},a=i.createContext(t);function o(e){const n=i.useContext(a);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function r(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:o(e.components),i.createElement(a.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/6ab2c2e0.06c8b0e2.js b/assets/js/6ab2c2e0.31c46199.js
similarity index 99%
rename from assets/js/6ab2c2e0.06c8b0e2.js
rename to assets/js/6ab2c2e0.31c46199.js
index ca986b9e4..3e7894bb6 100644
--- a/assets/js/6ab2c2e0.06c8b0e2.js
+++ b/assets/js/6ab2c2e0.31c46199.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[981],{9414:(e,t,s)=>{s.r(t),s.d(t,{assets:()=>c,contentTitle:()=>d,default:()=>h,frontMatter:()=>r,metadata:()=>l,toc:()=>o});var n=s(5893),i=s(1151);const r={title:"Environment Variables"},d=void 0,l={id:"reference/env-variables",title:"Environment Variables",description:"As mentioned in the Quick-Start Guide, you can use the installation script available at https://get.k3s.io to install K3s as a service on systemd and openrc based systems.",source:"@site/docs/reference/env-variables.md",sourceDirName:"reference",slug:"/reference/env-variables",permalink:"/reference/env-variables",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/reference/env-variables.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Environment Variables"},sidebar:"mySidebar",previous:{title:"Advanced Options / Configuration",permalink:"/advanced"},next:{title:"Flag Deprecation",permalink:"/reference/flag-deprecation"}},c={},o=[];function a(e){const t={a:"a",code:"code",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,i.a)(),...e.components};return(0,n.jsxs)(n.Fragment,{children:[(0,n.jsxs)(t.p,{children:["As mentioned in the ",(0,n.jsx)(t.a,{href:"/quick-start",children:"Quick-Start Guide"}),", you can use the installation script available at ",(0,n.jsx)(t.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"})," to install K3s as a service on systemd and openrc based systems."]}),"\n",(0,n.jsx)(t.p,{children:"The simplest form of this command is as follows:"}),"\n",(0,n.jsx)(t.pre,{children:(0,n.jsx)(t.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | sh -\n"})}),"\n",(0,n.jsx)(t.p,{children:"When using this method to install K3s, the following environment variables can be used to configure the installation:"}),"\n",(0,n.jsxs)(t.table,{children:[(0,n.jsx)(t.thead,{children:(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.th,{children:"Environment Variable"}),(0,n.jsx)(t.th,{children:"Description"})]})}),(0,n.jsxs)(t.tbody,{children:[(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_DOWNLOAD"})}),(0,n.jsx)(t.td,{children:"If set to true will not download K3s hash or binary."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SYMLINK"})}),(0,n.jsx)(t.td,{children:"By default will create symlinks for the kubectl, crictl, and ctr binaries if the commands do not already exist in path. If set to 'skip' will not create symlinks and 'force' will overwrite."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_ENABLE"})}),(0,n.jsx)(t.td,{children:"If set to true will not enable or start K3s service."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_START"})}),(0,n.jsx)(t.td,{children:"If set to true will not start K3s service."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_VERSION"})}),(0,n.jsx)(t.td,{children:"Version of K3s to download from Github. Will attempt to download from the stable channel if not specified."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_BIN_DIR"})}),(0,n.jsxs)(t.td,{children:["Directory to install K3s binary, links, and uninstall script to, or use ",(0,n.jsx)(t.code,{children:"/usr/local/bin"})," as the default."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_BIN_DIR_READ_ONLY"})}),(0,n.jsxs)(t.td,{children:["If set to true will not write files to ",(0,n.jsx)(t.code,{children:"INSTALL_K3S_BIN_DIR"}),", forces setting ",(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_DOWNLOAD=true"}),"."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SYSTEMD_DIR"})}),(0,n.jsxs)(t.td,{children:["Directory to install systemd service and environment files to, or use ",(0,n.jsx)(t.code,{children:"/etc/systemd/system"})," as the default."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_EXEC"})}),(0,n.jsxs)(t.td,{children:["Command with flags to use for launching K3s in the service. If the command is not specified, and the ",(0,n.jsx)(t.code,{children:"K3S_URL"}),' is set, it will default to "agent." If ',(0,n.jsx)(t.code,{children:"K3S_URL"}),' not set, it will default to "server." For help, refer to ',(0,n.jsx)(t.a,{href:"/installation/configuration#configuration-with-install-script",children:"this example."})]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_NAME"})}),(0,n.jsx)(t.td,{children:"Name of systemd service to create, will default to 'k3s' if running k3s as a server and 'k3s-agent' if running k3s as an agent. If specified the name will be prefixed with 'k3s-'."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_TYPE"})}),(0,n.jsx)(t.td,{children:"Type of systemd service to create, will default from the K3s exec command if not specified."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SELINUX_WARN"})}),(0,n.jsx)(t.td,{children:"If set to true will continue if k3s-selinux policy is not found."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_SELINUX_RPM"})}),(0,n.jsx)(t.td,{children:"If set to true will skip automatic installation of the k3s RPM."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_CHANNEL_URL"})}),(0,n.jsxs)(t.td,{children:["Channel URL for fetching K3s download URL. Defaults to ",(0,n.jsx)(t.a,{href:"https://update.k3s.io/v1-release/channels",children:"https://update.k3s.io/v1-release/channels"}),"."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_CHANNEL"})}),(0,n.jsxs)(t.td,{children:['Channel to use for fetching K3s download URL. Defaults to "stable". Options include: ',(0,n.jsx)(t.code,{children:"stable"}),", ",(0,n.jsx)(t.code,{children:"latest"}),", ",(0,n.jsx)(t.code,{children:"testing"}),"."]})]})]})]}),"\n",(0,n.jsx)(t.p,{children:"This example shows where to place aforementioned environment variables as options (after the pipe):"}),"\n",(0,n.jsx)(t.pre,{children:(0,n.jsx)(t.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=latest sh -\n"})}),"\n",(0,n.jsxs)(t.p,{children:["Environment variables which begin with ",(0,n.jsx)(t.code,{children:"K3S_"})," will be preserved for the systemd and openrc services to use."]}),"\n",(0,n.jsxs)(t.p,{children:["Setting ",(0,n.jsx)(t.code,{children:"K3S_URL"}),' without explicitly setting an exec command will default the command to "agent".']}),"\n",(0,n.jsxs)(t.p,{children:["When running the agent, ",(0,n.jsx)(t.code,{children:"K3S_TOKEN"})," must also be set."]})]})}function h(e={}){const{wrapper:t}={...(0,i.a)(),...e.components};return t?(0,n.jsx)(t,{...e,children:(0,n.jsx)(a,{...e})}):a(e)}},1151:(e,t,s)=>{s.d(t,{Z:()=>l,a:()=>d});var n=s(7294);const i={},r=n.createContext(i);function d(e){const t=n.useContext(r);return n.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function l(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:d(e.components),n.createElement(r.Provider,{value:t},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[981],{9414:(e,t,s)=>{s.r(t),s.d(t,{assets:()=>c,contentTitle:()=>d,default:()=>h,frontMatter:()=>r,metadata:()=>l,toc:()=>o});var n=s(5893),i=s(1151);const r={title:"Environment Variables"},d=void 0,l={id:"reference/env-variables",title:"Environment Variables",description:"As mentioned in the Quick-Start Guide, you can use the installation script available at https://get.k3s.io to install K3s as a service on systemd and openrc based systems.",source:"@site/docs/reference/env-variables.md",sourceDirName:"reference",slug:"/reference/env-variables",permalink:"/reference/env-variables",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/reference/env-variables.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Environment Variables"},sidebar:"mySidebar",previous:{title:"Advanced Options / Configuration",permalink:"/advanced"},next:{title:"Flag Deprecation",permalink:"/reference/flag-deprecation"}},c={},o=[];function a(e){const t={a:"a",code:"code",p:"p",pre:"pre",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,i.a)(),...e.components};return(0,n.jsxs)(n.Fragment,{children:[(0,n.jsxs)(t.p,{children:["As mentioned in the ",(0,n.jsx)(t.a,{href:"/quick-start",children:"Quick-Start Guide"}),", you can use the installation script available at ",(0,n.jsx)(t.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"})," to install K3s as a service on systemd and openrc based systems."]}),"\n",(0,n.jsx)(t.p,{children:"The simplest form of this command is as follows:"}),"\n",(0,n.jsx)(t.pre,{children:(0,n.jsx)(t.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | sh -\n"})}),"\n",(0,n.jsx)(t.p,{children:"When using this method to install K3s, the following environment variables can be used to configure the installation:"}),"\n",(0,n.jsxs)(t.table,{children:[(0,n.jsx)(t.thead,{children:(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.th,{children:"Environment Variable"}),(0,n.jsx)(t.th,{children:"Description"})]})}),(0,n.jsxs)(t.tbody,{children:[(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_DOWNLOAD"})}),(0,n.jsx)(t.td,{children:"If set to true will not download K3s hash or binary."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SYMLINK"})}),(0,n.jsx)(t.td,{children:"By default will create symlinks for the kubectl, crictl, and ctr binaries if the commands do not already exist in path. If set to 'skip' will not create symlinks and 'force' will overwrite."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_ENABLE"})}),(0,n.jsx)(t.td,{children:"If set to true will not enable or start K3s service."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_START"})}),(0,n.jsx)(t.td,{children:"If set to true will not start K3s service."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_VERSION"})}),(0,n.jsx)(t.td,{children:"Version of K3s to download from Github. Will attempt to download from the stable channel if not specified."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_BIN_DIR"})}),(0,n.jsxs)(t.td,{children:["Directory to install K3s binary, links, and uninstall script to, or use ",(0,n.jsx)(t.code,{children:"/usr/local/bin"})," as the default."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_BIN_DIR_READ_ONLY"})}),(0,n.jsxs)(t.td,{children:["If set to true will not write files to ",(0,n.jsx)(t.code,{children:"INSTALL_K3S_BIN_DIR"}),", forces setting ",(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_DOWNLOAD=true"}),"."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SYSTEMD_DIR"})}),(0,n.jsxs)(t.td,{children:["Directory to install systemd service and environment files to, or use ",(0,n.jsx)(t.code,{children:"/etc/systemd/system"})," as the default."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_EXEC"})}),(0,n.jsxs)(t.td,{children:["Command with flags to use for launching K3s in the service. If the command is not specified, and the ",(0,n.jsx)(t.code,{children:"K3S_URL"}),' is set, it will default to "agent." If ',(0,n.jsx)(t.code,{children:"K3S_URL"}),' not set, it will default to "server." For help, refer to ',(0,n.jsx)(t.a,{href:"/installation/configuration#configuration-with-install-script",children:"this example."})]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_NAME"})}),(0,n.jsx)(t.td,{children:"Name of systemd service to create, will default to 'k3s' if running k3s as a server and 'k3s-agent' if running k3s as an agent. If specified the name will be prefixed with 'k3s-'."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_TYPE"})}),(0,n.jsx)(t.td,{children:"Type of systemd service to create, will default from the K3s exec command if not specified."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SELINUX_WARN"})}),(0,n.jsx)(t.td,{children:"If set to true will continue if k3s-selinux policy is not found."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_SKIP_SELINUX_RPM"})}),(0,n.jsx)(t.td,{children:"If set to true will skip automatic installation of the k3s RPM."})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_CHANNEL_URL"})}),(0,n.jsxs)(t.td,{children:["Channel URL for fetching K3s download URL. Defaults to ",(0,n.jsx)(t.a,{href:"https://update.k3s.io/v1-release/channels",children:"https://update.k3s.io/v1-release/channels"}),"."]})]}),(0,n.jsxs)(t.tr,{children:[(0,n.jsx)(t.td,{children:(0,n.jsx)(t.code,{children:"INSTALL_K3S_CHANNEL"})}),(0,n.jsxs)(t.td,{children:['Channel to use for fetching K3s download URL. Defaults to "stable". Options include: ',(0,n.jsx)(t.code,{children:"stable"}),", ",(0,n.jsx)(t.code,{children:"latest"}),", ",(0,n.jsx)(t.code,{children:"testing"}),"."]})]})]})]}),"\n",(0,n.jsx)(t.p,{children:"This example shows where to place aforementioned environment variables as options (after the pipe):"}),"\n",(0,n.jsx)(t.pre,{children:(0,n.jsx)(t.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=latest sh -\n"})}),"\n",(0,n.jsxs)(t.p,{children:["Environment variables which begin with ",(0,n.jsx)(t.code,{children:"K3S_"})," will be preserved for the systemd and openrc services to use."]}),"\n",(0,n.jsxs)(t.p,{children:["Setting ",(0,n.jsx)(t.code,{children:"K3S_URL"}),' without explicitly setting an exec command will default the command to "agent".']}),"\n",(0,n.jsxs)(t.p,{children:["When running the agent, ",(0,n.jsx)(t.code,{children:"K3S_TOKEN"})," must also be set."]})]})}function h(e={}){const{wrapper:t}={...(0,i.a)(),...e.components};return t?(0,n.jsx)(t,{...e,children:(0,n.jsx)(a,{...e})}):a(e)}},1151:(e,t,s)=>{s.d(t,{Z:()=>l,a:()=>d});var n=s(7294);const i={},r=n.createContext(i);function d(e){const t=n.useContext(r);return n.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function l(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:d(e.components),n.createElement(r.Provider,{value:t},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/6e9804bc.3146c892.js b/assets/js/6e9804bc.0dc8e83c.js
similarity index 99%
rename from assets/js/6e9804bc.3146c892.js
rename to assets/js/6e9804bc.0dc8e83c.js
index 7bb09f711..848a582cc 100644
--- a/assets/js/6e9804bc.3146c892.js
+++ b/assets/js/6e9804bc.0dc8e83c.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[393],{1218:(e,t,r)=>{r.r(t),r.d(t,{assets:()=>o,contentTitle:()=>c,default:()=>h,frontMatter:()=>i,metadata:()=>a,toc:()=>d});var s=r(5893),n=r(1151);const i={title:"certificate"},c="k3s certificate",a={id:"cli/certificate",title:"certificate",description:"Client and Server Certificates",source:"@site/docs/cli/certificate.md",sourceDirName:"cli",slug:"/cli/certificate",permalink:"/cli/certificate",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/certificate.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"certificate"},sidebar:"mySidebar",previous:{title:"agent",permalink:"/cli/agent"},next:{title:"etcd-snapshot",permalink:"/cli/etcd-snapshot"}},o={},d=[{value:"Client and Server Certificates",id:"client-and-server-certificates",level:2},{value:"Rotating Client and Server Certificates",id:"rotating-client-and-server-certificates",level:3},{value:"Certificate Authority (CA) Certificates",id:"certificate-authority-ca-certificates",level:2},{value:"Using Custom CA Certificates",id:"using-custom-ca-certificates",level:3},{value:"Custom CA Topology",id:"custom-ca-topology",level:4},{value:"Using the Example Script",id:"using-the-example-script",level:4},{value:"Rotating Custom CA Certificates",id:"rotating-custom-ca-certificates",level:3},{value:"Using the Example Script",id:"using-the-example-script-1",level:4},{value:"Rotating Self-Signed CA Certificates",id:"rotating-self-signed-ca-certificates",level:3},{value:"Default CA Topology",id:"default-ca-topology",level:4},{value:"Using The Example Script",id:"using-the-example-script-2",level:4},{value:"Service-Account Issuer Key Rotation",id:"service-account-issuer-key-rotation",level:2}];function l(e){const t={a:"a",admonition:"admonition",br:"br",code:"code",em:"em",h1:"h1",h2:"h2",h3:"h3",h4:"h4",header:"header",li:"li",mermaid:"mermaid",p:"p",pre:"pre",ul:"ul",...(0,n.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(t.header,{children:(0,s.jsx)(t.h1,{id:"k3s-certificate",children:"k3s certificate"})}),"\n",(0,s.jsx)(t.h2,{id:"client-and-server-certificates",children:"Client and Server Certificates"}),"\n",(0,s.jsx)(t.p,{children:"K3s client and server certificates are valid for 365 days from their date of issuance. Any certificates that are expired, or within 90 days of expiring, are automatically renewed every time K3s starts."}),"\n",(0,s.jsx)(t.h3,{id:"rotating-client-and-server-certificates",children:"Rotating Client and Server Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["To rotate client and server certificates manually, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate"})," subcommand:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Stop K3s\nsystemctl stop k3s\n\n# Rotate certificates\nk3s certificate rotate\n\n# Start K3s\nsystemctl start k3s\n"})}),"\n",(0,s.jsx)(t.p,{children:"Individual or lists of certificates can be rotated by specifying the certificate name:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"k3s certificate rotate --service ,\n"})}),"\n",(0,s.jsxs)(t.p,{children:["The following certificates can be rotated: ",(0,s.jsx)(t.code,{children:"admin"}),", ",(0,s.jsx)(t.code,{children:"api-server"}),", ",(0,s.jsx)(t.code,{children:"controller-manager"}),", ",(0,s.jsx)(t.code,{children:"scheduler"}),", ",(0,s.jsx)(t.code,{children:"k3s-controller"}),", ",(0,s.jsx)(t.code,{children:"k3s-server"}),", ",(0,s.jsx)(t.code,{children:"cloud-controller"}),", ",(0,s.jsx)(t.code,{children:"etcd"}),", ",(0,s.jsx)(t.code,{children:"auth-proxy"}),", ",(0,s.jsx)(t.code,{children:"kubelet"}),", ",(0,s.jsx)(t.code,{children:"kube-proxy"}),"."]}),"\n",(0,s.jsx)(t.h2,{id:"certificate-authority-ca-certificates",children:"Certificate Authority (CA) Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["Kubernetes requires a number of CA certificates for proper operation. For more information on how Kubernetes uses CA certificates, see the Kubernetes ",(0,s.jsx)(t.a,{href:"https://kubernetes.io/docs/setup/best-practices/certificates/#all-certificates",children:"PKI Certificates and Requirements"})," documentation."]}),"\n",(0,s.jsx)(t.p,{children:"By default, K3s generates self-signed CA certificates during startup of the first server node. These CA certificates are valid for 10 years from date of issuance, and are not automatically renewed."}),"\n",(0,s.jsxs)(t.p,{children:["The authoritative CA certificates and keys are stored within the datastore's bootstrap key, encrypted using the ",(0,s.jsx)(t.a,{href:"/cli/token#server",children:"server token"})," as the PBKDF2 passphrase with AES256-GCM and HMAC-SHA1.\nCopies of the CA certificates and keys are extracted to disk during K3s server startup.\nAny server may generate leaf certificates for nodes as they join the cluster, and the Kubernetes ",(0,s.jsx)(t.a,{href:"https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/",children:"Certificates API"})," controllers may issue additional certificates at runtime."]}),"\n",(0,s.jsxs)(t.p,{children:["To rotate CA certificates and keys, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," command.\nThe command performs integrity checks to confirm that the updated certificates and keys are usable.\nIf the updated data is acceptable, the datastore's encrypted bootstrap key is updated, and the new certificates and keys will be used the next time K3s starts.\nIf problems are encountered while validating the certificates and keys, an error is reported to the system log and the operation is cancelled without changes."]}),"\n",(0,s.jsx)(t.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(t.p,{children:["Support for the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," command and the ability to use CA certificates signed by an external CA is available starting with the 2023-02 releases (v1.26.2+k3s1, v1.25.7+k3s1, v1.24.11+k3s1, v1.23.17+k3s1)."]})}),"\n",(0,s.jsx)(t.h3,{id:"using-custom-ca-certificates",children:"Using Custom CA Certificates"}),"\n",(0,s.jsx)(t.p,{children:"If CA certificates and keys are found the correct location during initial startup of the first server in the cluster, automatic generation of CA certificates will be bypassed."}),"\n",(0,s.jsxs)(t.p,{children:["An example script to pre-create the appropriate certificates and keys is available ",(0,s.jsxs)(t.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/generate-custom-ca-certs.sh",children:["in the K3s repo at ",(0,s.jsx)(t.code,{children:"contrib/util/generate-custom-ca-certs.sh"})]}),".\nThis script should be run prior to starting K3s for the first time, and will create a full set of leaf CA certificates signed by common Root and Intermediate CA certificates.\nIf you have an existing Root or Intermediate CA, this script can be used (or used as a starting point) to create the correct CA certificates to provision a K3s cluster with PKI rooted in an existing authority."]}),"\n",(0,s.jsxs)(t.p,{children:["Custom Certificate Authority files must be placed in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),". The following files are required:"]}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"server-ca.crt"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"server-ca.key"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"client-ca.crt"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"client-ca.key"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"request-header-ca.crt"})}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"request-header-ca.key"}),(0,s.jsx)(t.br,{}),"\n",(0,s.jsx)(t.em,{children:"// note: etcd files are required even if embedded etcd is not in use."})]}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"etcd/peer-ca.crt"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"etcd/peer-ca.key"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"etcd/server-ca.crt"})}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"etcd/server-ca.key"}),(0,s.jsx)(t.br,{}),"\n",(0,s.jsx)(t.em,{children:"// note: This is the private key used to sign service-account tokens. It does not have a corresponding certificate."})]}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"service.key"})}),"\n"]}),"\n",(0,s.jsx)(t.h4,{id:"custom-ca-topology",children:"Custom CA Topology"}),"\n",(0,s.jsx)(t.p,{children:"Custom CA Certificates should observe the following topology:"}),"\n",(0,s.jsx)(t.mermaid,{value:'graph TD\n root("Root CA")\n intermediate("Intermediate CA")\n server-ca("Server CA")\n client-ca("Client CA")\n request-header-ca("API Aggregation CA")\n etcd-peer-ca("etcd Peer CA")\n etcd-server-ca("etcd Server CA")\n\n root-hash>"Join token CA hash"]\n\n kube-server-certs[["Kubernetes servers (control-plane and kubelet listeners)"]]\n kube-client-certs[["Kubernetes clients (apiserver and kubelet clients)"]]\n request-header-certs[["Kubernetes API aggregation (apiserver proxy client)"]]\n etcd-peer-certs[["etcd peer client/server (etcd replication)"]]\n etcd-server-certs[["etcd client/server certificates (Kubernetes <-> etcd)"]]\n\n root -.-|SHA256| root-hash\n root ---\x3e intermediate\n intermediate --\x3e server-ca ==> kube-server-certs\n intermediate --\x3e client-ca ==> kube-client-certs\n intermediate --\x3e request-header-ca ==> request-header-certs\n intermediate --\x3e etcd-peer-ca ==> etcd-peer-certs\n intermediate --\x3e etcd-server-ca ==> etcd-server-certs'}),"\n",(0,s.jsx)(t.h4,{id:"using-the-example-script",children:"Using the Example Script"}),"\n",(0,s.jsx)(t.admonition,{title:"Important",type:"info",children:(0,s.jsx)(t.p,{children:"If you want to sign the cluster CA certificates with an existing root CA using the example script, you must place the root and intermediate files in the target directory prior to running the script.\nIf the files do not exist, the script will create new root and intermediate CA certificates."})}),"\n",(0,s.jsx)(t.p,{children:"If you want to use only an existing root CA certificate, provide the following files:"}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"root-ca.pem"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"root-ca.key"})}),"\n"]}),"\n",(0,s.jsx)(t.p,{children:"If you want to use existing root and intermediate CA certificates, provide the following files:"}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"root-ca.pem"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"intermediate-ca.pem"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"intermediate-ca.key"})}),"\n"]}),"\n",(0,s.jsx)(t.p,{children:"To use the example script to generate custom certs and keys before starting K3s, run the following commands:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create the target directory for cert generation.\nmkdir -p /var/lib/rancher/k3s/server/tls\n\n# Copy your root CA cert and intermediate CA cert+key into the correct location for the script.\n# For the purposes of this example, we assume you have existing root and intermediate CA files in /etc/ssl.\n# If you do not have an existing root and/or intermediate CA, the script will generate them for you.\ncp /etc/ssl/certs/root-ca.pem /etc/ssl/certs/intermediate-ca.pem /etc/ssl/private/intermediate-ca.key /var/lib/rancher/k3s/server/tls\n\n# Generate custom CA certs and keys.\ncurl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | bash -\n"})}),"\n",(0,s.jsx)(t.p,{children:"If the command completes successfully, you may install and/or start K3s for the first time.\nIf the script generated root and/or intermediate CA files, you should back up these files so that they can be reused if it is necessary to rotate the CA certificates at a later date."}),"\n",(0,s.jsx)(t.h3,{id:"rotating-custom-ca-certificates",children:"Rotating Custom CA Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["To rotate custom CA certificates, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," subcommand.\nUpdated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsxs)(t.p,{children:["You must not overwrite the currently in-use data in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),".",(0,s.jsx)(t.br,{}),"\n","Stage the updated certificates and keys into a separate directory."]})}),"\n",(0,s.jsx)(t.p,{children:"A cluster that has been started with custom CA certificates can renew or rotate the CA certificates and keys non-disruptively, as long as the same root CA is used."}),"\n",(0,s.jsxs)(t.p,{children:["If a new root CA is required, the rotation will be disruptive. The ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca --force"})," option must be used, all nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/cli/token#secure",children:"secure token"})," (including servers) will need to be reconfigured to use the new token value, and pods will need to be restarted to trust the new root CA."]}),"\n",(0,s.jsx)(t.h4,{id:"using-the-example-script-1",children:"Using the Example Script"}),"\n",(0,s.jsxs)(t.p,{children:["The example ",(0,s.jsx)(t.code,{children:"generate-custom-ca-certs.sh"})," script linked above can also be used to generate updated certs in a new temporary directory, by copying files into the correct location and setting the ",(0,s.jsx)(t.code,{children:"DATA_DIR"})," environment variable.\nTo use the example script to generate updated certs and keys, run the following commands:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create a temporary directory for cert generation.\nmkdir -p /opt/k3s/server/tls\n\n# Copy your root CA cert and intermediate CA cert+key into the correct location for the script.\n# Non-disruptive rotation requires the same root CA that was used to generate the original certificates.\n# If the original files are still in the data directory, you can just run:\ncp /var/lib/rancher/k3s/server/tls/root-ca.* /var/lib/rancher/k3s/server/tls/intermediate-ca.* /opt/k3s/server/tls\n\n# Copy the current service-account signing key, so that existing service-account tokens are not invalidated.\ncp /var/lib/rancher/k3s/server/tls/service.key /opt/k3s/server/tls\n\n# Generate updated custom CA certs and keys.\ncurl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | DATA_DIR=/opt/k3s bash -\n\n# Load the updated CA certs and keys into the datastore.\nk3s certificate rotate-ca --path=/opt/k3s/server\n"})}),"\n",(0,s.jsxs)(t.p,{children:["If the ",(0,s.jsx)(t.code,{children:"rotate-ca"})," command returns an error, check the service log for errors.\nIf the command completes successfully, restart K3s on all nodes in the cluster - servers first, then agents."]}),"\n",(0,s.jsxs)(t.p,{children:["If you used the ",(0,s.jsx)(t.code,{children:"--force"})," option or changed the root CA, ensure that any nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/cli/token#secure",children:"secure token"})," are reconfigured to use the new token value, prior to being restarted.\nThe token may be stored in a ",(0,s.jsx)(t.code,{children:".env"})," file, systemd unit, or config.yaml, depending on how the node was configured during initial installation."]}),"\n",(0,s.jsx)(t.h3,{id:"rotating-self-signed-ca-certificates",children:"Rotating Self-Signed CA Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["To rotate the K3s-generated self-signed CA certificates, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," subcommand.\nUpdated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsxs)(t.p,{children:["You must not overwrite the currently in-use data in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),".",(0,s.jsx)(t.br,{}),"\n","Stage the updated certificates and keys into a separate directory."]})}),"\n",(0,s.jsxs)(t.p,{children:["If the cluster has been started with default self-signed CA certificates, rotation will be disruptive. All nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/cli/token#secure",children:"secure token"})," will need to be reconfigured to trust the new CA hash.\nIf the new CA certificates are not cross-signed by the old CA certificates, you will need to use the ",(0,s.jsx)(t.code,{children:"--force"})," option to bypass integrity checks, and pods will need to be restarted to trust the new root CA."]}),"\n",(0,s.jsx)(t.h4,{id:"default-ca-topology",children:"Default CA Topology"}),"\n",(0,s.jsx)(t.p,{children:"The default self-signed CA certificates have the following topology:"}),"\n",(0,s.jsx)(t.mermaid,{value:'graph TD\n server-ca("Server CA")\n client-ca("Client CA")\n request-header-ca("API Aggregation CA")\n etcd-peer-ca("etcd Peer CA")\n etcd-server-ca("etcd Server CA")\n\n root-hash>"Join token CA hash"]\n\n kube-server-certs[["Kubernetes servers (control-plane and kubelet listeners)"]]\n kube-client-certs[["Kubernetes clients (apiserver and kubelet clients)"]]\n request-header-certs[["Kubernetes API aggregation (apiserver proxy client)"]]\n etcd-peer-certs[["etcd peer client/server (etcd replication)"]]\n etcd-server-certs[["etcd client/server certificates (Kubernetes <-> etcd)"]]\n\n server-ca -.-|SHA256| root-hash\n server-ca ===> kube-server-certs\n client-ca ===> kube-client-certs\n request-header-ca ===> request-header-certs\n etcd-peer-ca ===> etcd-peer-certs\n etcd-server-ca ===> etcd-server-certs'}),"\n",(0,s.jsx)(t.p,{children:"When rotating the default self-signed CAs, a modified certificate topology with intermediate CAs and a new root CA cross-signed by the old CA can be used so that there is a continuous chain of trust between the old and new CAs:"}),"\n",(0,s.jsx)(t.mermaid,{value:'graph TD\n server-ca-old("Server CA (old)")\n client-ca-old("Client CA (old)")\n request-header-ca-old("API Aggregation CA (old)")\n etcd-peer-ca-old("etcd Peer CA (old)")\n etcd-server-ca-old("etcd Server CA (old)")\n\n root-hash>"Join token CA hash"]\n\n server-ca-xsigned("Server CA (cross-signed)")\n client-ca-xsigned("Client CA (cross-signed)")\n request-header-ca-xsigned("API Aggregation CA (cross-signed)")\n etcd-peer-ca-xsigned("etcd Peer CA (cross-signed)")\n etcd-server-ca-xsigned("etcd Server CA (cross-signed)")\n\n server-ca-ssigned("Server CA (self-signed)")\n client-ca-ssigned("Client CA (self-signed)")\n request-header-ca-ssigned("API Aggregation CA (self-signed)")\n etcd-peer-ca-ssigned("etcd Peer CA (self-signed)")\n etcd-server-ca-ssigned("etcd Server CA (self-signed)")\n\n server-ca("Intermediate Server CA")\n client-ca("Intermediate Client CA")\n request-header-ca("Intermediate API Aggregation CA")\n etcd-peer-ca("Intermediate etcd Peer CA")\n etcd-server-ca("Intermediate etcd Server CA")\n\n kube-server-certs[["Kubernetes servers (control-plane and kubelet listeners)"]]\n kube-client-certs[["Kubernetes clients (apiserver and kubelet clients)"]]\n request-header-certs[["Kubernetes API aggregation (apiserver proxy client)"]]\n etcd-peer-certs[["etcd peer client/server (etcd replication)"]]\n etcd-server-certs[["etcd client/server certificates (Kubernetes <-> etcd)"]]\n\n server-ca-ssigned -.-|SHA256| root-hash\n server-ca-ssigned --\x3e server-ca ==> kube-server-certs\n server-ca-old --\x3e server-ca-xsigned --\x3e server-ca\n client-ca-ssigned --\x3e client-ca ==> kube-client-certs\n client-ca-old --\x3e client-ca-xsigned --\x3e client-ca\n request-header-ca-ssigned --\x3e request-header-ca ==> request-header-certs\n request-header-ca-old --\x3e request-header-ca-xsigned --\x3e request-header-ca\n etcd-peer-ca-ssigned --\x3e etcd-peer-ca ==> etcd-peer-certs\n etcd-peer-ca-old --\x3e etcd-peer-ca-xsigned --\x3e etcd-peer-ca\n etcd-server-ca-ssigned --\x3e etcd-server-ca ==> etcd-server-certs\n etcd-server-ca-old --\x3e etcd-server-ca-xsigned --\x3e etcd-server-ca'}),"\n",(0,s.jsx)(t.h4,{id:"using-the-example-script-2",children:"Using The Example Script"}),"\n",(0,s.jsxs)(t.p,{children:["An example script to create updated CA certificates and keys cross-signed by the existing CAs is available ",(0,s.jsxs)(t.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/rotate-default-ca-certs.sh",children:["in the K3s repo at ",(0,s.jsx)(t.code,{children:"contrib/util/rotate-default-ca-certs.sh"})]}),"."]}),"\n",(0,s.jsx)(t.p,{children:"To use the example script to generate updated self-signed certificates that are cross-signed by the existing CAs, run the following commands:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create updated CA certs and keys, cross-signed by the current CAs.\n# This script will create a new temporary directory containing the updated certs, and output the new token values.\ncurl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/rotate-default-ca-certs.sh | bash -\n\n# Load the updated certs into the datastore; see the script output for the updated token values.\nk3s certificate rotate-ca --path=/var/lib/rancher/k3s/server/rotate-ca\n"})}),"\n",(0,s.jsxs)(t.p,{children:["If the ",(0,s.jsx)(t.code,{children:"rotate-ca"})," command returns an error, check the service log for errors.\nIf the command completes successfully, restart K3s on all nodes in the cluster - servers first, then agents."]}),"\n",(0,s.jsxs)(t.p,{children:["Ensure that any nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/cli/token#secure",children:"secure token"}),", including other server nodes, are reconfigured to use the new token value prior to being restarted.\nThe token may be stored in a ",(0,s.jsx)(t.code,{children:".env"})," file, systemd unit, or config.yaml, depending on how the node was configured during initial installation."]}),"\n",(0,s.jsx)(t.h2,{id:"service-account-issuer-key-rotation",children:"Service-Account Issuer Key Rotation"}),"\n",(0,s.jsxs)(t.p,{children:["The service-account issuer key is an RSA private key used to sign service-account tokens.\nWhen rotating the service-account issuer key, at least one old key should be retained in the file so that existing service-account tokens are not invalidated.\nIt can be rotated independent of the cluster CAs by using the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," to install only an updated ",(0,s.jsx)(t.code,{children:"service.key"})," file that includes both the new and old keys."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsxs)(t.p,{children:["You must not overwrite the currently in-use data in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),".",(0,s.jsx)(t.br,{}),"\n","Stage the updated key into a separate directory."]})}),"\n",(0,s.jsx)(t.p,{children:"For example, to rotate only the service-account issuer key, run the following commands:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create a temporary directory for cert generation\nmkdir -p /opt/k3s/server/tls\n\n# Check OpenSSL version\nopenssl version | grep -qF 'OpenSSL 3' && OPENSSL_GENRSA_FLAGS=-traditional\n\n# Generate a new key\nopenssl genrsa ${OPENSSL_GENRSA_FLAGS:-} -out /opt/k3s/server/tls/service.key 2048\n\n# Append the existing key to avoid invalidating current tokens\ncat /var/lib/rancher/k3s/server/tls/service.key >> /opt/k3s/server/tls/service.key\n\n# Load the updated key into the datastore\nk3s certificate rotate-ca --path=/opt/k3s/server\n"})}),"\n",(0,s.jsxs)(t.p,{children:["It is normal to see warnings for files that are not being updated. If the ",(0,s.jsx)(t.code,{children:"rotate-ca"})," command returns an error, check the service log for errors.\nIf the command completes successfully, restart K3s on all servers in the cluster. It is not necessary to restart agents or restart any pods."]})]})}function h(e={}){const{wrapper:t}={...(0,n.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(l,{...e})}):l(e)}},1151:(e,t,r)=>{r.d(t,{Z:()=>a,a:()=>c});var s=r(7294);const n={},i=s.createContext(n);function c(e){const t=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function a(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:c(e.components),s.createElement(i.Provider,{value:t},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[393],{1218:(e,t,r)=>{r.r(t),r.d(t,{assets:()=>o,contentTitle:()=>c,default:()=>h,frontMatter:()=>i,metadata:()=>a,toc:()=>d});var s=r(5893),n=r(1151);const i={title:"certificate"},c="k3s certificate",a={id:"cli/certificate",title:"certificate",description:"Client and Server Certificates",source:"@site/docs/cli/certificate.md",sourceDirName:"cli",slug:"/cli/certificate",permalink:"/cli/certificate",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/certificate.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"certificate"},sidebar:"mySidebar",previous:{title:"agent",permalink:"/cli/agent"},next:{title:"etcd-snapshot",permalink:"/cli/etcd-snapshot"}},o={},d=[{value:"Client and Server Certificates",id:"client-and-server-certificates",level:2},{value:"Rotating Client and Server Certificates",id:"rotating-client-and-server-certificates",level:3},{value:"Certificate Authority (CA) Certificates",id:"certificate-authority-ca-certificates",level:2},{value:"Using Custom CA Certificates",id:"using-custom-ca-certificates",level:3},{value:"Custom CA Topology",id:"custom-ca-topology",level:4},{value:"Using the Example Script",id:"using-the-example-script",level:4},{value:"Rotating Custom CA Certificates",id:"rotating-custom-ca-certificates",level:3},{value:"Using the Example Script",id:"using-the-example-script-1",level:4},{value:"Rotating Self-Signed CA Certificates",id:"rotating-self-signed-ca-certificates",level:3},{value:"Default CA Topology",id:"default-ca-topology",level:4},{value:"Using The Example Script",id:"using-the-example-script-2",level:4},{value:"Service-Account Issuer Key Rotation",id:"service-account-issuer-key-rotation",level:2}];function l(e){const t={a:"a",admonition:"admonition",br:"br",code:"code",em:"em",h1:"h1",h2:"h2",h3:"h3",h4:"h4",header:"header",li:"li",mermaid:"mermaid",p:"p",pre:"pre",ul:"ul",...(0,n.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(t.header,{children:(0,s.jsx)(t.h1,{id:"k3s-certificate",children:"k3s certificate"})}),"\n",(0,s.jsx)(t.h2,{id:"client-and-server-certificates",children:"Client and Server Certificates"}),"\n",(0,s.jsx)(t.p,{children:"K3s client and server certificates are valid for 365 days from their date of issuance. Any certificates that are expired, or within 90 days of expiring, are automatically renewed every time K3s starts."}),"\n",(0,s.jsx)(t.h3,{id:"rotating-client-and-server-certificates",children:"Rotating Client and Server Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["To rotate client and server certificates manually, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate"})," subcommand:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Stop K3s\nsystemctl stop k3s\n\n# Rotate certificates\nk3s certificate rotate\n\n# Start K3s\nsystemctl start k3s\n"})}),"\n",(0,s.jsx)(t.p,{children:"Individual or lists of certificates can be rotated by specifying the certificate name:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"k3s certificate rotate --service ,\n"})}),"\n",(0,s.jsxs)(t.p,{children:["The following certificates can be rotated: ",(0,s.jsx)(t.code,{children:"admin"}),", ",(0,s.jsx)(t.code,{children:"api-server"}),", ",(0,s.jsx)(t.code,{children:"controller-manager"}),", ",(0,s.jsx)(t.code,{children:"scheduler"}),", ",(0,s.jsx)(t.code,{children:"k3s-controller"}),", ",(0,s.jsx)(t.code,{children:"k3s-server"}),", ",(0,s.jsx)(t.code,{children:"cloud-controller"}),", ",(0,s.jsx)(t.code,{children:"etcd"}),", ",(0,s.jsx)(t.code,{children:"auth-proxy"}),", ",(0,s.jsx)(t.code,{children:"kubelet"}),", ",(0,s.jsx)(t.code,{children:"kube-proxy"}),"."]}),"\n",(0,s.jsx)(t.h2,{id:"certificate-authority-ca-certificates",children:"Certificate Authority (CA) Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["Kubernetes requires a number of CA certificates for proper operation. For more information on how Kubernetes uses CA certificates, see the Kubernetes ",(0,s.jsx)(t.a,{href:"https://kubernetes.io/docs/setup/best-practices/certificates/#all-certificates",children:"PKI Certificates and Requirements"})," documentation."]}),"\n",(0,s.jsx)(t.p,{children:"By default, K3s generates self-signed CA certificates during startup of the first server node. These CA certificates are valid for 10 years from date of issuance, and are not automatically renewed."}),"\n",(0,s.jsxs)(t.p,{children:["The authoritative CA certificates and keys are stored within the datastore's bootstrap key, encrypted using the ",(0,s.jsx)(t.a,{href:"/cli/token#server",children:"server token"})," as the PBKDF2 passphrase with AES256-GCM and HMAC-SHA1.\nCopies of the CA certificates and keys are extracted to disk during K3s server startup.\nAny server may generate leaf certificates for nodes as they join the cluster, and the Kubernetes ",(0,s.jsx)(t.a,{href:"https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/",children:"Certificates API"})," controllers may issue additional certificates at runtime."]}),"\n",(0,s.jsxs)(t.p,{children:["To rotate CA certificates and keys, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," command.\nThe command performs integrity checks to confirm that the updated certificates and keys are usable.\nIf the updated data is acceptable, the datastore's encrypted bootstrap key is updated, and the new certificates and keys will be used the next time K3s starts.\nIf problems are encountered while validating the certificates and keys, an error is reported to the system log and the operation is cancelled without changes."]}),"\n",(0,s.jsx)(t.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(t.p,{children:["Support for the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," command and the ability to use CA certificates signed by an external CA is available starting with the 2023-02 releases (v1.26.2+k3s1, v1.25.7+k3s1, v1.24.11+k3s1, v1.23.17+k3s1)."]})}),"\n",(0,s.jsx)(t.h3,{id:"using-custom-ca-certificates",children:"Using Custom CA Certificates"}),"\n",(0,s.jsx)(t.p,{children:"If CA certificates and keys are found the correct location during initial startup of the first server in the cluster, automatic generation of CA certificates will be bypassed."}),"\n",(0,s.jsxs)(t.p,{children:["An example script to pre-create the appropriate certificates and keys is available ",(0,s.jsxs)(t.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/generate-custom-ca-certs.sh",children:["in the K3s repo at ",(0,s.jsx)(t.code,{children:"contrib/util/generate-custom-ca-certs.sh"})]}),".\nThis script should be run prior to starting K3s for the first time, and will create a full set of leaf CA certificates signed by common Root and Intermediate CA certificates.\nIf you have an existing Root or Intermediate CA, this script can be used (or used as a starting point) to create the correct CA certificates to provision a K3s cluster with PKI rooted in an existing authority."]}),"\n",(0,s.jsxs)(t.p,{children:["Custom Certificate Authority files must be placed in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),". The following files are required:"]}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"server-ca.crt"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"server-ca.key"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"client-ca.crt"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"client-ca.key"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"request-header-ca.crt"})}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"request-header-ca.key"}),(0,s.jsx)(t.br,{}),"\n",(0,s.jsx)(t.em,{children:"// note: etcd files are required even if embedded etcd is not in use."})]}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"etcd/peer-ca.crt"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"etcd/peer-ca.key"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"etcd/server-ca.crt"})}),"\n",(0,s.jsxs)(t.li,{children:[(0,s.jsx)(t.code,{children:"etcd/server-ca.key"}),(0,s.jsx)(t.br,{}),"\n",(0,s.jsx)(t.em,{children:"// note: This is the private key used to sign service-account tokens. It does not have a corresponding certificate."})]}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"service.key"})}),"\n"]}),"\n",(0,s.jsx)(t.h4,{id:"custom-ca-topology",children:"Custom CA Topology"}),"\n",(0,s.jsx)(t.p,{children:"Custom CA Certificates should observe the following topology:"}),"\n",(0,s.jsx)(t.mermaid,{value:'graph TD\n root("Root CA")\n intermediate("Intermediate CA")\n server-ca("Server CA")\n client-ca("Client CA")\n request-header-ca("API Aggregation CA")\n etcd-peer-ca("etcd Peer CA")\n etcd-server-ca("etcd Server CA")\n\n root-hash>"Join token CA hash"]\n\n kube-server-certs[["Kubernetes servers (control-plane and kubelet listeners)"]]\n kube-client-certs[["Kubernetes clients (apiserver and kubelet clients)"]]\n request-header-certs[["Kubernetes API aggregation (apiserver proxy client)"]]\n etcd-peer-certs[["etcd peer client/server (etcd replication)"]]\n etcd-server-certs[["etcd client/server certificates (Kubernetes <-> etcd)"]]\n\n root -.-|SHA256| root-hash\n root ---\x3e intermediate\n intermediate --\x3e server-ca ==> kube-server-certs\n intermediate --\x3e client-ca ==> kube-client-certs\n intermediate --\x3e request-header-ca ==> request-header-certs\n intermediate --\x3e etcd-peer-ca ==> etcd-peer-certs\n intermediate --\x3e etcd-server-ca ==> etcd-server-certs'}),"\n",(0,s.jsx)(t.h4,{id:"using-the-example-script",children:"Using the Example Script"}),"\n",(0,s.jsx)(t.admonition,{title:"Important",type:"info",children:(0,s.jsx)(t.p,{children:"If you want to sign the cluster CA certificates with an existing root CA using the example script, you must place the root and intermediate files in the target directory prior to running the script.\nIf the files do not exist, the script will create new root and intermediate CA certificates."})}),"\n",(0,s.jsx)(t.p,{children:"If you want to use only an existing root CA certificate, provide the following files:"}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"root-ca.pem"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"root-ca.key"})}),"\n"]}),"\n",(0,s.jsx)(t.p,{children:"If you want to use existing root and intermediate CA certificates, provide the following files:"}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"root-ca.pem"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"intermediate-ca.pem"})}),"\n",(0,s.jsx)(t.li,{children:(0,s.jsx)(t.code,{children:"intermediate-ca.key"})}),"\n"]}),"\n",(0,s.jsx)(t.p,{children:"To use the example script to generate custom certs and keys before starting K3s, run the following commands:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create the target directory for cert generation.\nmkdir -p /var/lib/rancher/k3s/server/tls\n\n# Copy your root CA cert and intermediate CA cert+key into the correct location for the script.\n# For the purposes of this example, we assume you have existing root and intermediate CA files in /etc/ssl.\n# If you do not have an existing root and/or intermediate CA, the script will generate them for you.\ncp /etc/ssl/certs/root-ca.pem /etc/ssl/certs/intermediate-ca.pem /etc/ssl/private/intermediate-ca.key /var/lib/rancher/k3s/server/tls\n\n# Generate custom CA certs and keys.\ncurl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | bash -\n"})}),"\n",(0,s.jsx)(t.p,{children:"If the command completes successfully, you may install and/or start K3s for the first time.\nIf the script generated root and/or intermediate CA files, you should back up these files so that they can be reused if it is necessary to rotate the CA certificates at a later date."}),"\n",(0,s.jsx)(t.h3,{id:"rotating-custom-ca-certificates",children:"Rotating Custom CA Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["To rotate custom CA certificates, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," subcommand.\nUpdated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsxs)(t.p,{children:["You must not overwrite the currently in-use data in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),".",(0,s.jsx)(t.br,{}),"\n","Stage the updated certificates and keys into a separate directory."]})}),"\n",(0,s.jsx)(t.p,{children:"A cluster that has been started with custom CA certificates can renew or rotate the CA certificates and keys non-disruptively, as long as the same root CA is used."}),"\n",(0,s.jsxs)(t.p,{children:["If a new root CA is required, the rotation will be disruptive. The ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca --force"})," option must be used, all nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/cli/token#secure",children:"secure token"})," (including servers) will need to be reconfigured to use the new token value, and pods will need to be restarted to trust the new root CA."]}),"\n",(0,s.jsx)(t.h4,{id:"using-the-example-script-1",children:"Using the Example Script"}),"\n",(0,s.jsxs)(t.p,{children:["The example ",(0,s.jsx)(t.code,{children:"generate-custom-ca-certs.sh"})," script linked above can also be used to generate updated certs in a new temporary directory, by copying files into the correct location and setting the ",(0,s.jsx)(t.code,{children:"DATA_DIR"})," environment variable.\nTo use the example script to generate updated certs and keys, run the following commands:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create a temporary directory for cert generation.\nmkdir -p /opt/k3s/server/tls\n\n# Copy your root CA cert and intermediate CA cert+key into the correct location for the script.\n# Non-disruptive rotation requires the same root CA that was used to generate the original certificates.\n# If the original files are still in the data directory, you can just run:\ncp /var/lib/rancher/k3s/server/tls/root-ca.* /var/lib/rancher/k3s/server/tls/intermediate-ca.* /opt/k3s/server/tls\n\n# Copy the current service-account signing key, so that existing service-account tokens are not invalidated.\ncp /var/lib/rancher/k3s/server/tls/service.key /opt/k3s/server/tls\n\n# Generate updated custom CA certs and keys.\ncurl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | DATA_DIR=/opt/k3s bash -\n\n# Load the updated CA certs and keys into the datastore.\nk3s certificate rotate-ca --path=/opt/k3s/server\n"})}),"\n",(0,s.jsxs)(t.p,{children:["If the ",(0,s.jsx)(t.code,{children:"rotate-ca"})," command returns an error, check the service log for errors.\nIf the command completes successfully, restart K3s on all nodes in the cluster - servers first, then agents."]}),"\n",(0,s.jsxs)(t.p,{children:["If you used the ",(0,s.jsx)(t.code,{children:"--force"})," option or changed the root CA, ensure that any nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/cli/token#secure",children:"secure token"})," are reconfigured to use the new token value, prior to being restarted.\nThe token may be stored in a ",(0,s.jsx)(t.code,{children:".env"})," file, systemd unit, or config.yaml, depending on how the node was configured during initial installation."]}),"\n",(0,s.jsx)(t.h3,{id:"rotating-self-signed-ca-certificates",children:"Rotating Self-Signed CA Certificates"}),"\n",(0,s.jsxs)(t.p,{children:["To rotate the K3s-generated self-signed CA certificates, use the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," subcommand.\nUpdated files must be staged into a temporary directory, loaded into the datastore, and k3s must be restarted on all nodes to use the updated certificates."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsxs)(t.p,{children:["You must not overwrite the currently in-use data in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),".",(0,s.jsx)(t.br,{}),"\n","Stage the updated certificates and keys into a separate directory."]})}),"\n",(0,s.jsxs)(t.p,{children:["If the cluster has been started with default self-signed CA certificates, rotation will be disruptive. All nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/cli/token#secure",children:"secure token"})," will need to be reconfigured to trust the new CA hash.\nIf the new CA certificates are not cross-signed by the old CA certificates, you will need to use the ",(0,s.jsx)(t.code,{children:"--force"})," option to bypass integrity checks, and pods will need to be restarted to trust the new root CA."]}),"\n",(0,s.jsx)(t.h4,{id:"default-ca-topology",children:"Default CA Topology"}),"\n",(0,s.jsx)(t.p,{children:"The default self-signed CA certificates have the following topology:"}),"\n",(0,s.jsx)(t.mermaid,{value:'graph TD\n server-ca("Server CA")\n client-ca("Client CA")\n request-header-ca("API Aggregation CA")\n etcd-peer-ca("etcd Peer CA")\n etcd-server-ca("etcd Server CA")\n\n root-hash>"Join token CA hash"]\n\n kube-server-certs[["Kubernetes servers (control-plane and kubelet listeners)"]]\n kube-client-certs[["Kubernetes clients (apiserver and kubelet clients)"]]\n request-header-certs[["Kubernetes API aggregation (apiserver proxy client)"]]\n etcd-peer-certs[["etcd peer client/server (etcd replication)"]]\n etcd-server-certs[["etcd client/server certificates (Kubernetes <-> etcd)"]]\n\n server-ca -.-|SHA256| root-hash\n server-ca ===> kube-server-certs\n client-ca ===> kube-client-certs\n request-header-ca ===> request-header-certs\n etcd-peer-ca ===> etcd-peer-certs\n etcd-server-ca ===> etcd-server-certs'}),"\n",(0,s.jsx)(t.p,{children:"When rotating the default self-signed CAs, a modified certificate topology with intermediate CAs and a new root CA cross-signed by the old CA can be used so that there is a continuous chain of trust between the old and new CAs:"}),"\n",(0,s.jsx)(t.mermaid,{value:'graph TD\n server-ca-old("Server CA (old)")\n client-ca-old("Client CA (old)")\n request-header-ca-old("API Aggregation CA (old)")\n etcd-peer-ca-old("etcd Peer CA (old)")\n etcd-server-ca-old("etcd Server CA (old)")\n\n root-hash>"Join token CA hash"]\n\n server-ca-xsigned("Server CA (cross-signed)")\n client-ca-xsigned("Client CA (cross-signed)")\n request-header-ca-xsigned("API Aggregation CA (cross-signed)")\n etcd-peer-ca-xsigned("etcd Peer CA (cross-signed)")\n etcd-server-ca-xsigned("etcd Server CA (cross-signed)")\n\n server-ca-ssigned("Server CA (self-signed)")\n client-ca-ssigned("Client CA (self-signed)")\n request-header-ca-ssigned("API Aggregation CA (self-signed)")\n etcd-peer-ca-ssigned("etcd Peer CA (self-signed)")\n etcd-server-ca-ssigned("etcd Server CA (self-signed)")\n\n server-ca("Intermediate Server CA")\n client-ca("Intermediate Client CA")\n request-header-ca("Intermediate API Aggregation CA")\n etcd-peer-ca("Intermediate etcd Peer CA")\n etcd-server-ca("Intermediate etcd Server CA")\n\n kube-server-certs[["Kubernetes servers (control-plane and kubelet listeners)"]]\n kube-client-certs[["Kubernetes clients (apiserver and kubelet clients)"]]\n request-header-certs[["Kubernetes API aggregation (apiserver proxy client)"]]\n etcd-peer-certs[["etcd peer client/server (etcd replication)"]]\n etcd-server-certs[["etcd client/server certificates (Kubernetes <-> etcd)"]]\n\n server-ca-ssigned -.-|SHA256| root-hash\n server-ca-ssigned --\x3e server-ca ==> kube-server-certs\n server-ca-old --\x3e server-ca-xsigned --\x3e server-ca\n client-ca-ssigned --\x3e client-ca ==> kube-client-certs\n client-ca-old --\x3e client-ca-xsigned --\x3e client-ca\n request-header-ca-ssigned --\x3e request-header-ca ==> request-header-certs\n request-header-ca-old --\x3e request-header-ca-xsigned --\x3e request-header-ca\n etcd-peer-ca-ssigned --\x3e etcd-peer-ca ==> etcd-peer-certs\n etcd-peer-ca-old --\x3e etcd-peer-ca-xsigned --\x3e etcd-peer-ca\n etcd-server-ca-ssigned --\x3e etcd-server-ca ==> etcd-server-certs\n etcd-server-ca-old --\x3e etcd-server-ca-xsigned --\x3e etcd-server-ca'}),"\n",(0,s.jsx)(t.h4,{id:"using-the-example-script-2",children:"Using The Example Script"}),"\n",(0,s.jsxs)(t.p,{children:["An example script to create updated CA certificates and keys cross-signed by the existing CAs is available ",(0,s.jsxs)(t.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/rotate-default-ca-certs.sh",children:["in the K3s repo at ",(0,s.jsx)(t.code,{children:"contrib/util/rotate-default-ca-certs.sh"})]}),"."]}),"\n",(0,s.jsx)(t.p,{children:"To use the example script to generate updated self-signed certificates that are cross-signed by the existing CAs, run the following commands:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create updated CA certs and keys, cross-signed by the current CAs.\n# This script will create a new temporary directory containing the updated certs, and output the new token values.\ncurl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/rotate-default-ca-certs.sh | bash -\n\n# Load the updated certs into the datastore; see the script output for the updated token values.\nk3s certificate rotate-ca --path=/var/lib/rancher/k3s/server/rotate-ca\n"})}),"\n",(0,s.jsxs)(t.p,{children:["If the ",(0,s.jsx)(t.code,{children:"rotate-ca"})," command returns an error, check the service log for errors.\nIf the command completes successfully, restart K3s on all nodes in the cluster - servers first, then agents."]}),"\n",(0,s.jsxs)(t.p,{children:["Ensure that any nodes that were joined with a ",(0,s.jsx)(t.a,{href:"/cli/token#secure",children:"secure token"}),", including other server nodes, are reconfigured to use the new token value prior to being restarted.\nThe token may be stored in a ",(0,s.jsx)(t.code,{children:".env"})," file, systemd unit, or config.yaml, depending on how the node was configured during initial installation."]}),"\n",(0,s.jsx)(t.h2,{id:"service-account-issuer-key-rotation",children:"Service-Account Issuer Key Rotation"}),"\n",(0,s.jsxs)(t.p,{children:["The service-account issuer key is an RSA private key used to sign service-account tokens.\nWhen rotating the service-account issuer key, at least one old key should be retained in the file so that existing service-account tokens are not invalidated.\nIt can be rotated independent of the cluster CAs by using the ",(0,s.jsx)(t.code,{children:"k3s certificate rotate-ca"})," to install only an updated ",(0,s.jsx)(t.code,{children:"service.key"})," file that includes both the new and old keys."]}),"\n",(0,s.jsx)(t.admonition,{type:"warning",children:(0,s.jsxs)(t.p,{children:["You must not overwrite the currently in-use data in ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/tls"}),".",(0,s.jsx)(t.br,{}),"\n","Stage the updated key into a separate directory."]})}),"\n",(0,s.jsx)(t.p,{children:"For example, to rotate only the service-account issuer key, run the following commands:"}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"# Create a temporary directory for cert generation\nmkdir -p /opt/k3s/server/tls\n\n# Check OpenSSL version\nopenssl version | grep -qF 'OpenSSL 3' && OPENSSL_GENRSA_FLAGS=-traditional\n\n# Generate a new key\nopenssl genrsa ${OPENSSL_GENRSA_FLAGS:-} -out /opt/k3s/server/tls/service.key 2048\n\n# Append the existing key to avoid invalidating current tokens\ncat /var/lib/rancher/k3s/server/tls/service.key >> /opt/k3s/server/tls/service.key\n\n# Load the updated key into the datastore\nk3s certificate rotate-ca --path=/opt/k3s/server\n"})}),"\n",(0,s.jsxs)(t.p,{children:["It is normal to see warnings for files that are not being updated. If the ",(0,s.jsx)(t.code,{children:"rotate-ca"})," command returns an error, check the service log for errors.\nIf the command completes successfully, restart K3s on all servers in the cluster. It is not necessary to restart agents or restart any pods."]})]})}function h(e={}){const{wrapper:t}={...(0,n.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(l,{...e})}):l(e)}},1151:(e,t,r)=>{r.d(t,{Z:()=>a,a:()=>c});var s=r(7294);const n={},i=s.createContext(n);function c(e){const t=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function a(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:c(e.components),s.createElement(i.Provider,{value:t},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/72e14192.552d72fe.js b/assets/js/72e14192.b0908381.js
similarity index 98%
rename from assets/js/72e14192.552d72fe.js
rename to assets/js/72e14192.b0908381.js
index 4ef578e42..9ab3ff8ca 100644
--- a/assets/js/72e14192.552d72fe.js
+++ b/assets/js/72e14192.b0908381.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7239],{1658:(e,t,n)=>{n.r(t),n.d(t,{assets:()=>l,contentTitle:()=>a,default:()=>h,frontMatter:()=>r,metadata:()=>o,toc:()=>c});var s=n(5893),i=n(1151);const r={title:"Quick-Start Guide"},a=void 0,o={id:"quick-start",title:"Quick-Start Guide",description:"This guide will help you quickly launch a cluster with default options. The installation section covers in greater detail how K3s can be set up.",source:"@site/docs/quick-start.md",sourceDirName:".",slug:"/quick-start",permalink:"/quick-start",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/quick-start.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Quick-Start Guide"},sidebar:"mySidebar",previous:{title:"K3s - Lightweight Kubernetes",permalink:"/"},next:{title:"Installation",permalink:"/installation/"}},l={},c=[{value:"Install Script",id:"install-script",level:2}];function d(e){const t={a:"a",admonition:"admonition",code:"code",h2:"h2",li:"li",p:"p",pre:"pre",ul:"ul",...(0,i.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(t.p,{children:["This guide will help you quickly launch a cluster with default options. The ",(0,s.jsx)(t.a,{href:"/installation/",children:"installation section"})," covers in greater detail how K3s can be set up."]}),"\n",(0,s.jsxs)(t.p,{children:["Make sure your nodes meet the ",(0,s.jsx)(t.a,{href:"/installation/requirements",children:"requirements"})," before proceeding."]}),"\n",(0,s.jsxs)(t.p,{children:["For information on how K3s components work together, refer to the ",(0,s.jsx)(t.a,{href:"/architecture",children:"architecture section."})]}),"\n",(0,s.jsx)(t.admonition,{type:"info",children:(0,s.jsxs)(t.p,{children:["New to Kubernetes? The official Kubernetes docs already have some great tutorials outlining the basics ",(0,s.jsx)(t.a,{href:"https://kubernetes.io/docs/tutorials/kubernetes-basics/",children:"here"}),"."]})}),"\n",(0,s.jsx)(t.h2,{id:"install-script",children:"Install Script"}),"\n",(0,s.jsxs)(t.p,{children:["K3s provides an installation script that is a convenient way to install it as a service on systemd or openrc based systems. This script is available at ",(0,s.jsx)(t.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"}),". To install K3s using this method, just run:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | sh -\n"})}),"\n",(0,s.jsx)(t.p,{children:"After running this installation:"}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:"The K3s service will be configured to automatically restart after node reboots or if the process crashes or is killed"}),"\n",(0,s.jsxs)(t.li,{children:["Additional utilities will be installed, including ",(0,s.jsx)(t.code,{children:"kubectl"}),", ",(0,s.jsx)(t.code,{children:"crictl"}),", ",(0,s.jsx)(t.code,{children:"ctr"}),", ",(0,s.jsx)(t.code,{children:"k3s-killall.sh"}),", and ",(0,s.jsx)(t.code,{children:"k3s-uninstall.sh"})]}),"\n",(0,s.jsxs)(t.li,{children:["A ",(0,s.jsx)(t.a,{href:"https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/",children:"kubeconfig"})," file will be written to ",(0,s.jsx)(t.code,{children:"/etc/rancher/k3s/k3s.yaml"})," and the kubectl installed by K3s will automatically use it"]}),"\n"]}),"\n",(0,s.jsx)(t.p,{children:"A single-node server installation is a fully-functional Kubernetes cluster, including all the datastore, control-plane, kubelet, and container runtime components necessary to host workload pods. It is not necessary to add additional server or agents nodes, but you may want to do so to add additional capacity or redundancy to your cluster."}),"\n",(0,s.jsxs)(t.p,{children:["To install additional agent nodes and add them to the cluster, run the installation script with the ",(0,s.jsx)(t.code,{children:"K3S_URL"})," and ",(0,s.jsx)(t.code,{children:"K3S_TOKEN"})," environment variables. Here is an example showing how to join an agent:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_URL=https://myserver:6443 K3S_TOKEN=mynodetoken sh -\n"})}),"\n",(0,s.jsxs)(t.p,{children:["Setting the ",(0,s.jsx)(t.code,{children:"K3S_URL"})," parameter causes the installer to configure K3s as an agent, instead of a server. The K3s agent will register with the K3s server listening at the supplied URL. The value to use for ",(0,s.jsx)(t.code,{children:"K3S_TOKEN"})," is stored at ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/node-token"})," on your server node."]}),"\n",(0,s.jsx)(t.admonition,{type:"note",children:(0,s.jsxs)(t.p,{children:["Each machine must have a unique hostname. If your machines do not have unique hostnames, pass the ",(0,s.jsx)(t.code,{children:"K3S_NODE_NAME"})," environment variable and provide a value with a valid and unique hostname for each node."]})}),"\n",(0,s.jsxs)(t.p,{children:["If interested in having more server nodes, see ",(0,s.jsx)(t.a,{href:"/datastore/ha-embedded",children:"High Availability Embedded etcd"})," and ",(0,s.jsx)(t.a,{href:"/datastore/ha",children:"High Availability External DB"})," pages for more information."]})]})}function h(e={}){const{wrapper:t}={...(0,i.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,t,n)=>{n.d(t,{Z:()=>o,a:()=>a});var s=n(7294);const i={},r=s.createContext(i);function a(e){const t=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function o(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:a(e.components),s.createElement(r.Provider,{value:t},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7239],{1658:(e,t,n)=>{n.r(t),n.d(t,{assets:()=>l,contentTitle:()=>a,default:()=>h,frontMatter:()=>r,metadata:()=>o,toc:()=>c});var s=n(5893),i=n(1151);const r={title:"Quick-Start Guide"},a=void 0,o={id:"quick-start",title:"Quick-Start Guide",description:"This guide will help you quickly launch a cluster with default options. The installation section covers in greater detail how K3s can be set up.",source:"@site/docs/quick-start.md",sourceDirName:".",slug:"/quick-start",permalink:"/quick-start",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/quick-start.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Quick-Start Guide"},sidebar:"mySidebar",previous:{title:"K3s - Lightweight Kubernetes",permalink:"/"},next:{title:"Installation",permalink:"/installation/"}},l={},c=[{value:"Install Script",id:"install-script",level:2}];function d(e){const t={a:"a",admonition:"admonition",code:"code",h2:"h2",li:"li",p:"p",pre:"pre",ul:"ul",...(0,i.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(t.p,{children:["This guide will help you quickly launch a cluster with default options. The ",(0,s.jsx)(t.a,{href:"/installation/",children:"installation section"})," covers in greater detail how K3s can be set up."]}),"\n",(0,s.jsxs)(t.p,{children:["Make sure your nodes meet the ",(0,s.jsx)(t.a,{href:"/installation/requirements",children:"requirements"})," before proceeding."]}),"\n",(0,s.jsxs)(t.p,{children:["For information on how K3s components work together, refer to the ",(0,s.jsx)(t.a,{href:"/architecture",children:"architecture section."})]}),"\n",(0,s.jsx)(t.admonition,{type:"info",children:(0,s.jsxs)(t.p,{children:["New to Kubernetes? The official Kubernetes docs already have some great tutorials outlining the basics ",(0,s.jsx)(t.a,{href:"https://kubernetes.io/docs/tutorials/kubernetes-basics/",children:"here"}),"."]})}),"\n",(0,s.jsx)(t.h2,{id:"install-script",children:"Install Script"}),"\n",(0,s.jsxs)(t.p,{children:["K3s provides an installation script that is a convenient way to install it as a service on systemd or openrc based systems. This script is available at ",(0,s.jsx)(t.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"}),". To install K3s using this method, just run:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | sh -\n"})}),"\n",(0,s.jsx)(t.p,{children:"After running this installation:"}),"\n",(0,s.jsxs)(t.ul,{children:["\n",(0,s.jsx)(t.li,{children:"The K3s service will be configured to automatically restart after node reboots or if the process crashes or is killed"}),"\n",(0,s.jsxs)(t.li,{children:["Additional utilities will be installed, including ",(0,s.jsx)(t.code,{children:"kubectl"}),", ",(0,s.jsx)(t.code,{children:"crictl"}),", ",(0,s.jsx)(t.code,{children:"ctr"}),", ",(0,s.jsx)(t.code,{children:"k3s-killall.sh"}),", and ",(0,s.jsx)(t.code,{children:"k3s-uninstall.sh"})]}),"\n",(0,s.jsxs)(t.li,{children:["A ",(0,s.jsx)(t.a,{href:"https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/",children:"kubeconfig"})," file will be written to ",(0,s.jsx)(t.code,{children:"/etc/rancher/k3s/k3s.yaml"})," and the kubectl installed by K3s will automatically use it"]}),"\n"]}),"\n",(0,s.jsx)(t.p,{children:"A single-node server installation is a fully-functional Kubernetes cluster, including all the datastore, control-plane, kubelet, and container runtime components necessary to host workload pods. It is not necessary to add additional server or agents nodes, but you may want to do so to add additional capacity or redundancy to your cluster."}),"\n",(0,s.jsxs)(t.p,{children:["To install additional agent nodes and add them to the cluster, run the installation script with the ",(0,s.jsx)(t.code,{children:"K3S_URL"})," and ",(0,s.jsx)(t.code,{children:"K3S_TOKEN"})," environment variables. Here is an example showing how to join an agent:"]}),"\n",(0,s.jsx)(t.pre,{children:(0,s.jsx)(t.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_URL=https://myserver:6443 K3S_TOKEN=mynodetoken sh -\n"})}),"\n",(0,s.jsxs)(t.p,{children:["Setting the ",(0,s.jsx)(t.code,{children:"K3S_URL"})," parameter causes the installer to configure K3s as an agent, instead of a server. The K3s agent will register with the K3s server listening at the supplied URL. The value to use for ",(0,s.jsx)(t.code,{children:"K3S_TOKEN"})," is stored at ",(0,s.jsx)(t.code,{children:"/var/lib/rancher/k3s/server/node-token"})," on your server node."]}),"\n",(0,s.jsx)(t.admonition,{type:"note",children:(0,s.jsxs)(t.p,{children:["Each machine must have a unique hostname. If your machines do not have unique hostnames, pass the ",(0,s.jsx)(t.code,{children:"K3S_NODE_NAME"})," environment variable and provide a value with a valid and unique hostname for each node."]})}),"\n",(0,s.jsxs)(t.p,{children:["If interested in having more server nodes, see ",(0,s.jsx)(t.a,{href:"/datastore/ha-embedded",children:"High Availability Embedded etcd"})," and ",(0,s.jsx)(t.a,{href:"/datastore/ha",children:"High Availability External DB"})," pages for more information."]})]})}function h(e={}){const{wrapper:t}={...(0,i.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,t,n)=>{n.d(t,{Z:()=>o,a:()=>a});var s=n(7294);const i={},r=s.createContext(i);function a(e){const t=s.useContext(r);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function o(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:a(e.components),s.createElement(r.Provider,{value:t},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/7b8e2475.3fac7c8a.js b/assets/js/7b8e2475.4a4bd37f.js
similarity index 97%
rename from assets/js/7b8e2475.3fac7c8a.js
rename to assets/js/7b8e2475.4a4bd37f.js
index 06ee98a2b..07269abb0 100644
--- a/assets/js/7b8e2475.3fac7c8a.js
+++ b/assets/js/7b8e2475.4a4bd37f.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[79],{6498:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>d,contentTitle:()=>c,default:()=>l,frontMatter:()=>r,metadata:()=>o,toc:()=>a});var n=t(5893),i=t(1151);const r={title:"Security"},c=void 0,o={id:"security/security",title:"Security",description:"This section describes the methodology and means of securing a K3s cluster. It's broken into 2 sections. These guides assume k3s is running with embedded etcd.",source:"@site/docs/security/security.md",sourceDirName:"security",slug:"/security/",permalink:"/security/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/security.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Security"},sidebar:"mySidebar",previous:{title:"Automated Upgrades",permalink:"/upgrades/automated"},next:{title:"Secrets Encryption",permalink:"/security/secrets-encryption"}},d={},a=[];function u(e){const s={a:"a",li:"li",p:"p",ul:"ul",...(0,i.a)(),...e.components};return(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(s.p,{children:"This section describes the methodology and means of securing a K3s cluster. It's broken into 2 sections. These guides assume k3s is running with embedded etcd."}),"\n",(0,n.jsx)(s.p,{children:"First the hardening guide provides a list of security best practices to secure a K3s cluster."}),"\n",(0,n.jsxs)(s.ul,{children:["\n",(0,n.jsx)(s.li,{children:(0,n.jsx)(s.a,{href:"/security/hardening-guide",children:"Hardening Guide"})}),"\n"]}),"\n",(0,n.jsx)(s.p,{children:"Second, is the self assessment to validate a hardened cluster. We currently have two different assessments available:"}),"\n",(0,n.jsxs)(s.ul,{children:["\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.a,{href:"/security/self-assessment-1.24",children:"CIS 1.24 Benchmark Self-Assessment Guide"}),", for K3s version v1.24"]}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.a,{href:"/security/self-assessment-1.7",children:"CIS 1.7 Benchmark Self-Assessment Guide"}),", for K3s version v1.25"]}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.a,{href:"/security/self-assessment-1.8",children:"CIS 1.8 Benchmark Self-Assessment Guide"}),", for K3s version v1.26-v1.29"]}),"\n"]}),"\n"]})]})}function l(e={}){const{wrapper:s}={...(0,i.a)(),...e.components};return s?(0,n.jsx)(s,{...e,children:(0,n.jsx)(u,{...e})}):u(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>o,a:()=>c});var n=t(7294);const i={},r=n.createContext(i);function c(e){const s=n.useContext(r);return n.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function o(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:c(e.components),n.createElement(r.Provider,{value:s},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[79],{6498:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>d,contentTitle:()=>c,default:()=>l,frontMatter:()=>r,metadata:()=>o,toc:()=>a});var n=t(5893),i=t(1151);const r={title:"Security"},c=void 0,o={id:"security/security",title:"Security",description:"This section describes the methodology and means of securing a K3s cluster. It's broken into 2 sections. These guides assume k3s is running with embedded etcd.",source:"@site/docs/security/security.md",sourceDirName:"security",slug:"/security/",permalink:"/security/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/security.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Security"},sidebar:"mySidebar",previous:{title:"Automated Upgrades",permalink:"/upgrades/automated"},next:{title:"Secrets Encryption",permalink:"/security/secrets-encryption"}},d={},a=[];function u(e){const s={a:"a",li:"li",p:"p",ul:"ul",...(0,i.a)(),...e.components};return(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(s.p,{children:"This section describes the methodology and means of securing a K3s cluster. It's broken into 2 sections. These guides assume k3s is running with embedded etcd."}),"\n",(0,n.jsx)(s.p,{children:"First the hardening guide provides a list of security best practices to secure a K3s cluster."}),"\n",(0,n.jsxs)(s.ul,{children:["\n",(0,n.jsx)(s.li,{children:(0,n.jsx)(s.a,{href:"/security/hardening-guide",children:"Hardening Guide"})}),"\n"]}),"\n",(0,n.jsx)(s.p,{children:"Second, is the self assessment to validate a hardened cluster. We currently have two different assessments available:"}),"\n",(0,n.jsxs)(s.ul,{children:["\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.a,{href:"/security/self-assessment-1.24",children:"CIS 1.24 Benchmark Self-Assessment Guide"}),", for K3s version v1.24"]}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.a,{href:"/security/self-assessment-1.7",children:"CIS 1.7 Benchmark Self-Assessment Guide"}),", for K3s version v1.25"]}),"\n"]}),"\n",(0,n.jsxs)(s.li,{children:["\n",(0,n.jsxs)(s.p,{children:[(0,n.jsx)(s.a,{href:"/security/self-assessment-1.8",children:"CIS 1.8 Benchmark Self-Assessment Guide"}),", for K3s version v1.26-v1.29"]}),"\n"]}),"\n"]})]})}function l(e={}){const{wrapper:s}={...(0,i.a)(),...e.components};return s?(0,n.jsx)(s,{...e,children:(0,n.jsx)(u,{...e})}):u(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>o,a:()=>c});var n=t(7294);const i={},r=n.createContext(i);function c(e){const s=n.useContext(r);return n.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function o(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:c(e.components),n.createElement(r.Provider,{value:s},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/82406859.cc46603b.js b/assets/js/82406859.038c619c.js
similarity index 99%
rename from assets/js/82406859.cc46603b.js
rename to assets/js/82406859.038c619c.js
index c789878e3..b81890f42 100644
--- a/assets/js/82406859.cc46603b.js
+++ b/assets/js/82406859.038c619c.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3319],{6758:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>i,contentTitle:()=>o,default:()=>h,frontMatter:()=>a,metadata:()=>l,toc:()=>d});var t=s(5893),r=s(1151);const a={title:"Automated Upgrades"},o=void 0,l={id:"upgrades/automated",title:"Automated Upgrades",description:"Overview",source:"@site/docs/upgrades/automated.md",sourceDirName:"upgrades",slug:"/upgrades/automated",permalink:"/upgrades/automated",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/upgrades/automated.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Automated Upgrades"},sidebar:"mySidebar",previous:{title:"Manual Upgrades",permalink:"/upgrades/manual"},next:{title:"Security",permalink:"/security/"}},i={},d=[{value:"Overview",id:"overview",level:3},{value:"Install the system-upgrade-controller",id:"install-the-system-upgrade-controller",level:3},{value:"Configure plans",id:"configure-plans",level:3},{value:"Downgrade Prevention",id:"downgrade-prevention",level:2}];function c(e){const n={a:"a",admonition:"admonition",code:"code",em:"em",h2:"h2",h3:"h3",li:"li",mdxAdmonitionTitle:"mdxAdmonitionTitle",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,r.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(n.h3,{id:"overview",children:"Overview"}),"\n",(0,t.jsxs)(n.p,{children:["You can manage K3s cluster upgrades using Rancher's system-upgrade-controller. This is a Kubernetes-native approach to cluster upgrades. It leverages a ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#custom-resources",children:"custom resource definition (CRD)"}),", a ",(0,t.jsx)(n.code,{children:"plan"}),", and a ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/architecture/controller/",children:"controller"}),"."]}),"\n",(0,t.jsxs)(n.p,{children:["The plan defines upgrade policies and requirements. It also defines which nodes should be upgraded through a ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/",children:"label selector"}),". See below for plans with defaults appropriate for upgrading a K3s cluster. For more advanced plan configuration options, please review the ",(0,t.jsx)(n.a,{href:"https://github.com/rancher/system-upgrade-controller/blob/master/pkg/apis/upgrade.cattle.io/v1/types.go",children:"CRD"}),"."]}),"\n",(0,t.jsxs)(n.p,{children:["The controller schedules upgrades by monitoring plans and selecting nodes to run upgrade ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/",children:"jobs"})," on. When a job has run to completion successfully, the controller will label the node on which it ran accordingly."]}),"\n",(0,t.jsxs)(n.admonition,{type:"note",children:[(0,t.jsx)(n.mdxAdmonitionTitle,{}),(0,t.jsx)(n.p,{children:"The upgrade job that is launched must be highly privileged. It is configured with the following:"}),(0,t.jsxs)(n.ul,{children:["\n",(0,t.jsxs)(n.li,{children:["Host ",(0,t.jsx)(n.code,{children:"IPC"}),", ",(0,t.jsx)(n.code,{children:"NET"}),", and ",(0,t.jsx)(n.code,{children:"PID"})," namespaces"]}),"\n",(0,t.jsxs)(n.li,{children:["The ",(0,t.jsx)(n.code,{children:"CAP_SYS_BOOT"})," capability"]}),"\n",(0,t.jsxs)(n.li,{children:["Host root mounted at ",(0,t.jsx)(n.code,{children:"/host"})," with read and write permissions"]}),"\n"]})]}),"\n",(0,t.jsx)(n.p,{children:"To automate upgrades in this manner, you must do the following:"}),"\n",(0,t.jsxs)(n.ol,{children:["\n",(0,t.jsx)(n.li,{children:"Install the system-upgrade-controller into your cluster"}),"\n",(0,t.jsx)(n.li,{children:"Configure plans"}),"\n"]}),"\n",(0,t.jsxs)(n.admonition,{type:"warning",children:[(0,t.jsx)(n.p,{children:"If the K3s cluster is managed by Rancher, you should use the Rancher UI to manage upgrades."}),(0,t.jsxs)(n.ul,{children:["\n",(0,t.jsx)(n.li,{children:"If the K3s cluster was imported into Rancher, Rancher will manage the system-upgrade-controller deployment and plans. Do not follow the steps on this page."}),"\n",(0,t.jsx)(n.li,{children:"If the K3s cluster was provisioned by Rancher, Rancher will use system agent to manage version upgrades. Do not follow the steps on this page."}),"\n",(0,t.jsxs)(n.li,{children:["If the K3s cluster is ",(0,t.jsx)(n.em,{children:"not"})," managed Rancher, you may follow the steps below."]}),"\n"]})]}),"\n",(0,t.jsx)(n.p,{children:"For more details on the design and architecture of the system-upgrade-controller or its integration with K3s, see the following Git repositories:"}),"\n",(0,t.jsxs)(n.ul,{children:["\n",(0,t.jsx)(n.li,{children:(0,t.jsx)(n.a,{href:"https://github.com/rancher/system-upgrade-controller",children:"system-upgrade-controller"})}),"\n",(0,t.jsx)(n.li,{children:(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-upgrade",children:"k3s-upgrade"})}),"\n"]}),"\n",(0,t.jsx)(n.admonition,{type:"tip",children:(0,t.jsxs)(n.p,{children:["When attempting to upgrade to a new version of K3s, the ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/setup/release/version-skew-policy/",children:"Kubernetes version skew policy"})," applies. Ensure that your plan does not skip intermediate minor versions when upgrading. The system-upgrade-controller itself will not protect against unsupported changes to the Kubernetes version."]})}),"\n",(0,t.jsx)(n.h3,{id:"install-the-system-upgrade-controller",children:"Install the system-upgrade-controller"}),"\n",(0,t.jsx)(n.p,{children:"The system-upgrade-controller can be installed as a deployment into your cluster. The deployment requires a service-account, clusterRoleBinding, and a configmap. To install these components, run the following command:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-bash",children:"kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/latest/download/system-upgrade-controller.yaml\n"})}),"\n",(0,t.jsx)(n.p,{children:"The controller can be configured and customized via the previously mentioned configmap, but the controller must be redeployed for the changes to be applied."}),"\n",(0,t.jsx)(n.p,{children:"To be able to apply plans, the system-upgrade-controller CRD has to be deployed:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-bash",children:"kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/latest/download/crd.yaml\n"})}),"\n",(0,t.jsx)(n.h3,{id:"configure-plans",children:"Configure plans"}),"\n",(0,t.jsx)(n.p,{children:"It is recommended you create at least two plans: a plan for upgrading server (control-plane) nodes and a plan for upgrading agent nodes. You can create additional plans as needed to control the rollout of the upgrade across nodes. Once the plans are created, the controller will pick them up and begin to upgrade your cluster."}),"\n",(0,t.jsx)(n.p,{children:"The following two example plans will upgrade your cluster to K3s v1.24.6+k3s1:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-yaml",children:'# Server plan\napiVersion: upgrade.cattle.io/v1\nkind: Plan\nmetadata:\n name: server-plan\n namespace: system-upgrade\nspec:\n concurrency: 1\n cordon: true\n nodeSelector:\n matchExpressions:\n - key: node-role.kubernetes.io/control-plane\n operator: In\n values:\n - "true"\n serviceAccountName: system-upgrade\n upgrade:\n image: rancher/k3s-upgrade\n version: v1.24.6+k3s1\n---\n# Agent plan\napiVersion: upgrade.cattle.io/v1\nkind: Plan\nmetadata:\n name: agent-plan\n namespace: system-upgrade\nspec:\n concurrency: 1\n cordon: true\n nodeSelector:\n matchExpressions:\n - key: node-role.kubernetes.io/control-plane\n operator: DoesNotExist\n prepare:\n args:\n - prepare\n - server-plan\n image: rancher/k3s-upgrade\n serviceAccountName: system-upgrade\n upgrade:\n image: rancher/k3s-upgrade\n version: v1.24.6+k3s1\n'})}),"\n",(0,t.jsx)(n.p,{children:"There are a few important things to call out regarding these plans:"}),"\n",(0,t.jsxs)(n.ol,{children:["\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsx)(n.p,{children:"The plans must be created in the same namespace where the controller was deployed."}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["The ",(0,t.jsx)(n.code,{children:"concurrency"})," field indicates how many nodes can be upgraded at the same time."]}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["The server-plan targets server nodes by specifying a label selector that selects nodes with the ",(0,t.jsx)(n.code,{children:"node-role.kubernetes.io/control-plane"})," label. The agent-plan targets agent nodes by specifying a label selector that select nodes without that label."]}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["The ",(0,t.jsx)(n.code,{children:"prepare"})," step in the agent-plan will cause upgrade jobs for that plan to wait for the server-plan to complete before they execute."]}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["Both plans have the ",(0,t.jsx)(n.code,{children:"version"})," field set to v1.24.6+k3s1. Alternatively, you can omit the ",(0,t.jsx)(n.code,{children:"version"})," field and set the ",(0,t.jsx)(n.code,{children:"channel"})," field to a URL that resolves to a release of K3s. This will cause the controller to monitor that URL and upgrade the cluster any time it resolves to a new release. This works well with the ",(0,t.jsx)(n.a,{href:"/upgrades/manual#release-channels",children:"release channels"}),". Thus, you can configure your plans with the following channel to ensure your cluster is always automatically upgraded to the newest stable release of K3s:"]}),"\n"]}),"\n"]}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-yaml",children:"apiVersion: upgrade.cattle.io/v1\nkind: Plan\n...\nspec:\n ...\n channel: https://update.k3s.io/v1-release/channels/stable\n\n"})}),"\n",(0,t.jsx)(n.p,{children:"As stated, the upgrade will begin as soon as the controller detects that a plan was created. Updating a plan will cause the controller to re-evaluate the plan and determine if another upgrade is needed."}),"\n",(0,t.jsx)(n.p,{children:"You can monitor the progress of an upgrade by viewing the plan and jobs via kubectl:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-bash",children:"kubectl -n system-upgrade get plans -o yaml\nkubectl -n system-upgrade get jobs -o yaml\n"})}),"\n",(0,t.jsx)(n.h2,{id:"downgrade-prevention",children:"Downgrade Prevention"}),"\n",(0,t.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,t.jsxs)(n.p,{children:["Starting with the 2023-07 releases (",(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-upgrade/releases/tag/v1.27.4%2Bk3s1",children:"v1.27.4+k3s1"}),", ",(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-upgrade/releases/tag/v1.26.7%2Bk3s1",children:"v1.26.7+k3s1"}),", ",(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-upgrade/releases/tag/v1.25.12%2Bk3s1",children:"v1.25.12+k3s1"}),", ",(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-upgrade/releases/tag/v1.24.16%2Bk3s1",children:"v1.24.16+k3s1"}),")"]})}),"\n",(0,t.jsx)(n.p,{children:"Kubernetes does not support downgrades of control-plane components. The k3s-upgrade image used by upgrade plans will refuse to downgrade K3s, failing the plan and leaving your nodes cordoned."}),"\n",(0,t.jsx)(n.p,{children:"Here is an example cluster, showing failed upgrade pods and cordoned nodes:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-console",children:"ubuntu@user:~$ kubectl get pods -n system-upgrade\nNAME READY STATUS RESTARTS AGE\napply-k3s-server-on-ip-172-31-0-16-with-7af95590a5af8e8c3-2cdc6 0/1 Error 0 9m25s\napply-k3s-server-on-ip-172-31-10-23-with-7af95590a5af8e8c-9xvwg 0/1 Error 0 14m\napply-k3s-server-on-ip-172-31-13-213-with-7af95590a5af8e8-8j72v 0/1 Error 0 18m\nsystem-upgrade-controller-7c4b84d5d9-kkzr6 1/1 Running 0 20m\nubuntu@user:~$ kubectl get nodes\nNAME STATUS ROLES AGE VERSION\nip-172-31-0-16 Ready,SchedulingDisabled control-plane,etcd,master 19h v1.27.4+k3s1\nip-172-31-10-23 Ready,SchedulingDisabled control-plane,etcd,master 19h v1.27.4+k3s1\nip-172-31-13-213 Ready,SchedulingDisabled control-plane,etcd,master 19h v1.27.4+k3s1\nip-172-31-2-13 Ready 19h v1.27.4+k3s1\n"})}),"\n",(0,t.jsx)(n.p,{children:"You can return your cordoned nodes to service by either of the following methods:"}),"\n",(0,t.jsxs)(n.ul,{children:["\n",(0,t.jsx)(n.li,{children:"Change the version or channel on your plan to target a release that is the same or newer than what is currently running on the cluster, so that the plan succeeds."}),"\n",(0,t.jsxs)(n.li,{children:["Delete the plan and manually uncordon the nodes.\nUse ",(0,t.jsx)(n.code,{children:"kubectl get plan -n system-upgrade"})," to find the plan name, then ",(0,t.jsx)(n.code,{children:"kubectl delete plan -n system-upgrade PLAN_NAME"})," to delete it. Once the plan has been deleted, use ",(0,t.jsx)(n.code,{children:"kubectl uncordon NODE_NAME"})," to uncordon each of the nodes."]}),"\n"]})]})}function h(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,t.jsx)(n,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}},1151:(e,n,s)=>{s.d(n,{Z:()=>l,a:()=>o});var t=s(7294);const r={},a=t.createContext(r);function o(e){const n=t.useContext(a);return t.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),t.createElement(a.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3319],{6758:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>i,contentTitle:()=>o,default:()=>h,frontMatter:()=>a,metadata:()=>l,toc:()=>d});var t=s(5893),r=s(1151);const a={title:"Automated Upgrades"},o=void 0,l={id:"upgrades/automated",title:"Automated Upgrades",description:"Overview",source:"@site/docs/upgrades/automated.md",sourceDirName:"upgrades",slug:"/upgrades/automated",permalink:"/upgrades/automated",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/upgrades/automated.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Automated Upgrades"},sidebar:"mySidebar",previous:{title:"Manual Upgrades",permalink:"/upgrades/manual"},next:{title:"Security",permalink:"/security/"}},i={},d=[{value:"Overview",id:"overview",level:3},{value:"Install the system-upgrade-controller",id:"install-the-system-upgrade-controller",level:3},{value:"Configure plans",id:"configure-plans",level:3},{value:"Downgrade Prevention",id:"downgrade-prevention",level:2}];function c(e){const n={a:"a",admonition:"admonition",code:"code",em:"em",h2:"h2",h3:"h3",li:"li",mdxAdmonitionTitle:"mdxAdmonitionTitle",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,r.a)(),...e.components};return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(n.h3,{id:"overview",children:"Overview"}),"\n",(0,t.jsxs)(n.p,{children:["You can manage K3s cluster upgrades using Rancher's system-upgrade-controller. This is a Kubernetes-native approach to cluster upgrades. It leverages a ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#custom-resources",children:"custom resource definition (CRD)"}),", a ",(0,t.jsx)(n.code,{children:"plan"}),", and a ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/architecture/controller/",children:"controller"}),"."]}),"\n",(0,t.jsxs)(n.p,{children:["The plan defines upgrade policies and requirements. It also defines which nodes should be upgraded through a ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/",children:"label selector"}),". See below for plans with defaults appropriate for upgrading a K3s cluster. For more advanced plan configuration options, please review the ",(0,t.jsx)(n.a,{href:"https://github.com/rancher/system-upgrade-controller/blob/master/pkg/apis/upgrade.cattle.io/v1/types.go",children:"CRD"}),"."]}),"\n",(0,t.jsxs)(n.p,{children:["The controller schedules upgrades by monitoring plans and selecting nodes to run upgrade ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/",children:"jobs"})," on. When a job has run to completion successfully, the controller will label the node on which it ran accordingly."]}),"\n",(0,t.jsxs)(n.admonition,{type:"note",children:[(0,t.jsx)(n.mdxAdmonitionTitle,{}),(0,t.jsx)(n.p,{children:"The upgrade job that is launched must be highly privileged. It is configured with the following:"}),(0,t.jsxs)(n.ul,{children:["\n",(0,t.jsxs)(n.li,{children:["Host ",(0,t.jsx)(n.code,{children:"IPC"}),", ",(0,t.jsx)(n.code,{children:"NET"}),", and ",(0,t.jsx)(n.code,{children:"PID"})," namespaces"]}),"\n",(0,t.jsxs)(n.li,{children:["The ",(0,t.jsx)(n.code,{children:"CAP_SYS_BOOT"})," capability"]}),"\n",(0,t.jsxs)(n.li,{children:["Host root mounted at ",(0,t.jsx)(n.code,{children:"/host"})," with read and write permissions"]}),"\n"]})]}),"\n",(0,t.jsx)(n.p,{children:"To automate upgrades in this manner, you must do the following:"}),"\n",(0,t.jsxs)(n.ol,{children:["\n",(0,t.jsx)(n.li,{children:"Install the system-upgrade-controller into your cluster"}),"\n",(0,t.jsx)(n.li,{children:"Configure plans"}),"\n"]}),"\n",(0,t.jsxs)(n.admonition,{type:"warning",children:[(0,t.jsx)(n.p,{children:"If the K3s cluster is managed by Rancher, you should use the Rancher UI to manage upgrades."}),(0,t.jsxs)(n.ul,{children:["\n",(0,t.jsx)(n.li,{children:"If the K3s cluster was imported into Rancher, Rancher will manage the system-upgrade-controller deployment and plans. Do not follow the steps on this page."}),"\n",(0,t.jsx)(n.li,{children:"If the K3s cluster was provisioned by Rancher, Rancher will use system agent to manage version upgrades. Do not follow the steps on this page."}),"\n",(0,t.jsxs)(n.li,{children:["If the K3s cluster is ",(0,t.jsx)(n.em,{children:"not"})," managed Rancher, you may follow the steps below."]}),"\n"]})]}),"\n",(0,t.jsx)(n.p,{children:"For more details on the design and architecture of the system-upgrade-controller or its integration with K3s, see the following Git repositories:"}),"\n",(0,t.jsxs)(n.ul,{children:["\n",(0,t.jsx)(n.li,{children:(0,t.jsx)(n.a,{href:"https://github.com/rancher/system-upgrade-controller",children:"system-upgrade-controller"})}),"\n",(0,t.jsx)(n.li,{children:(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-upgrade",children:"k3s-upgrade"})}),"\n"]}),"\n",(0,t.jsx)(n.admonition,{type:"tip",children:(0,t.jsxs)(n.p,{children:["When attempting to upgrade to a new version of K3s, the ",(0,t.jsx)(n.a,{href:"https://kubernetes.io/docs/setup/release/version-skew-policy/",children:"Kubernetes version skew policy"})," applies. Ensure that your plan does not skip intermediate minor versions when upgrading. The system-upgrade-controller itself will not protect against unsupported changes to the Kubernetes version."]})}),"\n",(0,t.jsx)(n.h3,{id:"install-the-system-upgrade-controller",children:"Install the system-upgrade-controller"}),"\n",(0,t.jsx)(n.p,{children:"The system-upgrade-controller can be installed as a deployment into your cluster. The deployment requires a service-account, clusterRoleBinding, and a configmap. To install these components, run the following command:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-bash",children:"kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/latest/download/system-upgrade-controller.yaml\n"})}),"\n",(0,t.jsx)(n.p,{children:"The controller can be configured and customized via the previously mentioned configmap, but the controller must be redeployed for the changes to be applied."}),"\n",(0,t.jsx)(n.p,{children:"To be able to apply plans, the system-upgrade-controller CRD has to be deployed:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-bash",children:"kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/latest/download/crd.yaml\n"})}),"\n",(0,t.jsx)(n.h3,{id:"configure-plans",children:"Configure plans"}),"\n",(0,t.jsx)(n.p,{children:"It is recommended you create at least two plans: a plan for upgrading server (control-plane) nodes and a plan for upgrading agent nodes. You can create additional plans as needed to control the rollout of the upgrade across nodes. Once the plans are created, the controller will pick them up and begin to upgrade your cluster."}),"\n",(0,t.jsx)(n.p,{children:"The following two example plans will upgrade your cluster to K3s v1.24.6+k3s1:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-yaml",children:'# Server plan\napiVersion: upgrade.cattle.io/v1\nkind: Plan\nmetadata:\n name: server-plan\n namespace: system-upgrade\nspec:\n concurrency: 1\n cordon: true\n nodeSelector:\n matchExpressions:\n - key: node-role.kubernetes.io/control-plane\n operator: In\n values:\n - "true"\n serviceAccountName: system-upgrade\n upgrade:\n image: rancher/k3s-upgrade\n version: v1.24.6+k3s1\n---\n# Agent plan\napiVersion: upgrade.cattle.io/v1\nkind: Plan\nmetadata:\n name: agent-plan\n namespace: system-upgrade\nspec:\n concurrency: 1\n cordon: true\n nodeSelector:\n matchExpressions:\n - key: node-role.kubernetes.io/control-plane\n operator: DoesNotExist\n prepare:\n args:\n - prepare\n - server-plan\n image: rancher/k3s-upgrade\n serviceAccountName: system-upgrade\n upgrade:\n image: rancher/k3s-upgrade\n version: v1.24.6+k3s1\n'})}),"\n",(0,t.jsx)(n.p,{children:"There are a few important things to call out regarding these plans:"}),"\n",(0,t.jsxs)(n.ol,{children:["\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsx)(n.p,{children:"The plans must be created in the same namespace where the controller was deployed."}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["The ",(0,t.jsx)(n.code,{children:"concurrency"})," field indicates how many nodes can be upgraded at the same time."]}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["The server-plan targets server nodes by specifying a label selector that selects nodes with the ",(0,t.jsx)(n.code,{children:"node-role.kubernetes.io/control-plane"})," label. The agent-plan targets agent nodes by specifying a label selector that select nodes without that label."]}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["The ",(0,t.jsx)(n.code,{children:"prepare"})," step in the agent-plan will cause upgrade jobs for that plan to wait for the server-plan to complete before they execute."]}),"\n"]}),"\n",(0,t.jsxs)(n.li,{children:["\n",(0,t.jsxs)(n.p,{children:["Both plans have the ",(0,t.jsx)(n.code,{children:"version"})," field set to v1.24.6+k3s1. Alternatively, you can omit the ",(0,t.jsx)(n.code,{children:"version"})," field and set the ",(0,t.jsx)(n.code,{children:"channel"})," field to a URL that resolves to a release of K3s. This will cause the controller to monitor that URL and upgrade the cluster any time it resolves to a new release. This works well with the ",(0,t.jsx)(n.a,{href:"/upgrades/manual#release-channels",children:"release channels"}),". Thus, you can configure your plans with the following channel to ensure your cluster is always automatically upgraded to the newest stable release of K3s:"]}),"\n"]}),"\n"]}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-yaml",children:"apiVersion: upgrade.cattle.io/v1\nkind: Plan\n...\nspec:\n ...\n channel: https://update.k3s.io/v1-release/channels/stable\n\n"})}),"\n",(0,t.jsx)(n.p,{children:"As stated, the upgrade will begin as soon as the controller detects that a plan was created. Updating a plan will cause the controller to re-evaluate the plan and determine if another upgrade is needed."}),"\n",(0,t.jsx)(n.p,{children:"You can monitor the progress of an upgrade by viewing the plan and jobs via kubectl:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-bash",children:"kubectl -n system-upgrade get plans -o yaml\nkubectl -n system-upgrade get jobs -o yaml\n"})}),"\n",(0,t.jsx)(n.h2,{id:"downgrade-prevention",children:"Downgrade Prevention"}),"\n",(0,t.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,t.jsxs)(n.p,{children:["Starting with the 2023-07 releases (",(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-upgrade/releases/tag/v1.27.4%2Bk3s1",children:"v1.27.4+k3s1"}),", ",(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-upgrade/releases/tag/v1.26.7%2Bk3s1",children:"v1.26.7+k3s1"}),", ",(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-upgrade/releases/tag/v1.25.12%2Bk3s1",children:"v1.25.12+k3s1"}),", ",(0,t.jsx)(n.a,{href:"https://github.com/k3s-io/k3s-upgrade/releases/tag/v1.24.16%2Bk3s1",children:"v1.24.16+k3s1"}),")"]})}),"\n",(0,t.jsx)(n.p,{children:"Kubernetes does not support downgrades of control-plane components. The k3s-upgrade image used by upgrade plans will refuse to downgrade K3s, failing the plan and leaving your nodes cordoned."}),"\n",(0,t.jsx)(n.p,{children:"Here is an example cluster, showing failed upgrade pods and cordoned nodes:"}),"\n",(0,t.jsx)(n.pre,{children:(0,t.jsx)(n.code,{className:"language-console",children:"ubuntu@user:~$ kubectl get pods -n system-upgrade\nNAME READY STATUS RESTARTS AGE\napply-k3s-server-on-ip-172-31-0-16-with-7af95590a5af8e8c3-2cdc6 0/1 Error 0 9m25s\napply-k3s-server-on-ip-172-31-10-23-with-7af95590a5af8e8c-9xvwg 0/1 Error 0 14m\napply-k3s-server-on-ip-172-31-13-213-with-7af95590a5af8e8-8j72v 0/1 Error 0 18m\nsystem-upgrade-controller-7c4b84d5d9-kkzr6 1/1 Running 0 20m\nubuntu@user:~$ kubectl get nodes\nNAME STATUS ROLES AGE VERSION\nip-172-31-0-16 Ready,SchedulingDisabled control-plane,etcd,master 19h v1.27.4+k3s1\nip-172-31-10-23 Ready,SchedulingDisabled control-plane,etcd,master 19h v1.27.4+k3s1\nip-172-31-13-213 Ready,SchedulingDisabled control-plane,etcd,master 19h v1.27.4+k3s1\nip-172-31-2-13 Ready 19h v1.27.4+k3s1\n"})}),"\n",(0,t.jsx)(n.p,{children:"You can return your cordoned nodes to service by either of the following methods:"}),"\n",(0,t.jsxs)(n.ul,{children:["\n",(0,t.jsx)(n.li,{children:"Change the version or channel on your plan to target a release that is the same or newer than what is currently running on the cluster, so that the plan succeeds."}),"\n",(0,t.jsxs)(n.li,{children:["Delete the plan and manually uncordon the nodes.\nUse ",(0,t.jsx)(n.code,{children:"kubectl get plan -n system-upgrade"})," to find the plan name, then ",(0,t.jsx)(n.code,{children:"kubectl delete plan -n system-upgrade PLAN_NAME"})," to delete it. Once the plan has been deleted, use ",(0,t.jsx)(n.code,{children:"kubectl uncordon NODE_NAME"})," to uncordon each of the nodes."]}),"\n"]})]})}function h(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,t.jsx)(n,{...e,children:(0,t.jsx)(c,{...e})}):c(e)}},1151:(e,n,s)=>{s.d(n,{Z:()=>l,a:()=>o});var t=s(7294);const r={},a=t.createContext(r);function o(e){const n=t.useContext(a);return t.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),t.createElement(a.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/82f1aa93.c65b3b6e.js b/assets/js/82f1aa93.20fca2c7.js
similarity index 99%
rename from assets/js/82f1aa93.c65b3b6e.js
rename to assets/js/82f1aa93.20fca2c7.js
index d2d9089b9..88bdcdb82 100644
--- a/assets/js/82f1aa93.c65b3b6e.js
+++ b/assets/js/82f1aa93.20fca2c7.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7709],{1587:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>l,contentTitle:()=>a,default:()=>u,frontMatter:()=>t,metadata:()=>o,toc:()=>c});var i=s(5893),r=s(1151);const t={title:"CIS Hardening Guide"},a=void 0,o={id:"security/hardening-guide",title:"CIS Hardening Guide",description:"This document provides prescriptive guidance for hardening a production installation of K3s. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Internet Security (CIS).",source:"@site/docs/security/hardening-guide.md",sourceDirName:"security",slug:"/security/hardening-guide",permalink:"/security/hardening-guide",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/hardening-guide.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"CIS Hardening Guide"},sidebar:"mySidebar",previous:{title:"Secrets Encryption",permalink:"/security/secrets-encryption"},next:{title:"CIS 1.8 Self Assessment Guide",permalink:"/security/self-assessment-1.8"}},l={},c=[{value:"Host-level Requirements",id:"host-level-requirements",level:2},{value:"Ensure protect-kernel-defaults is set",id:"ensure-protect-kernel-defaults-is-set",level:3},{value:"Set kernel parameters",id:"set-kernel-parameters",level:4},{value:"Kubernetes Runtime Requirements",id:"kubernetes-runtime-requirements",level:2},{value:"Pod Security",id:"pod-security",level:3},{value:"NetworkPolicies",id:"networkpolicies",level:3},{value:"API Server audit configuration",id:"api-server-audit-configuration",level:3},{value:"Configuration for Kubernetes Components",id:"configuration-for-kubernetes-components",level:2},{value:"Manual Operations",id:"manual-operations",level:2},{value:"Control 1.1.20",id:"control-1120",level:3},{value:"Control 1.2.9",id:"control-129",level:3},{value:"Control 1.2.11",id:"control-1211",level:3},{value:"Control 1.2.21",id:"control-1221",level:3},{value:"Control 4.2.13",id:"control-4213",level:3},{value:"Control 5.X",id:"control-5x",level:3},{value:"Conclusion",id:"conclusion",level:2}];function d(e){const n={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",...(0,r.a)(),...e.components},{Details:s,TabItem:t,Tabs:a}=n;return s||p("Details",!0),t||p("TabItem",!0),a||p("Tabs",!0),(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.p,{children:"This document provides prescriptive guidance for hardening a production installation of K3s. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Internet Security (CIS)."}),"\n",(0,i.jsx)(n.p,{children:"K3s has a number of security mitigations applied and turned on by default and will pass a number of the Kubernetes CIS controls without modification. There are some notable exceptions to this that require manual intervention to fully comply with the CIS Benchmark:"}),"\n",(0,i.jsxs)(n.ol,{children:["\n",(0,i.jsx)(n.li,{children:"K3s will not modify the host operating system. Any host-level modifications will need to be done manually."}),"\n",(0,i.jsxs)(n.li,{children:["Certain CIS policy controls for ",(0,i.jsx)(n.code,{children:"NetworkPolicies"})," and ",(0,i.jsx)(n.code,{children:"PodSecurityStandards"})," (",(0,i.jsx)(n.code,{children:"PodSecurityPolicies"})," on v1.24 and older) will restrict the functionality of the cluster. You must opt into having K3s configure these by adding the appropriate options (enabling of admission plugins) to your command-line flags or configuration file as well as manually applying appropriate policies. Further details are presented in the sections below."]}),"\n"]}),"\n",(0,i.jsx)(n.p,{children:"The first section (1.1) of the CIS Benchmark concerns itself primarily with pod manifest permissions and ownership. K3s doesn't utilize these for the core components since everything is packaged into a single binary."}),"\n",(0,i.jsx)(n.h2,{id:"host-level-requirements",children:"Host-level Requirements"}),"\n",(0,i.jsx)(n.p,{children:"There are two areas of host-level requirements: kernel parameters and etcd process/directory configuration. These are outlined in this section."}),"\n",(0,i.jsxs)(n.h3,{id:"ensure-protect-kernel-defaults-is-set",children:["Ensure ",(0,i.jsx)(n.code,{children:"protect-kernel-defaults"})," is set"]}),"\n",(0,i.jsx)(n.p,{children:"This is a kubelet flag that will cause the kubelet to exit if the required kernel parameters are unset or are set to values that are different from the kubelet's defaults."}),"\n",(0,i.jsxs)(n.blockquote,{children:["\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.strong,{children:"Note:"})," ",(0,i.jsx)(n.code,{children:"protect-kernel-defaults"})," is exposed as a top-level flag for K3s."]}),"\n"]}),"\n",(0,i.jsx)(n.h4,{id:"set-kernel-parameters",children:"Set kernel parameters"}),"\n",(0,i.jsxs)(n.p,{children:["Create a file called ",(0,i.jsx)(n.code,{children:"/etc/sysctl.d/90-kubelet.conf"})," and add the snippet below. Then run ",(0,i.jsx)(n.code,{children:"sysctl -p /etc/sysctl.d/90-kubelet.conf"}),"."]}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"vm.panic_on_oom=0\nvm.overcommit_memory=1\nkernel.panic=10\nkernel.panic_on_oops=1\n"})}),"\n",(0,i.jsx)(n.h2,{id:"kubernetes-runtime-requirements",children:"Kubernetes Runtime Requirements"}),"\n",(0,i.jsx)(n.p,{children:"The runtime requirements to comply with the CIS Benchmark are centered around pod security (via PSP or PSA), network policies and API Server auditing logs. These are outlined in this section."}),"\n",(0,i.jsxs)(n.p,{children:["By default, K3s does not include any pod security or network policies. However, K3s ships with a controller that will enforce network policies, if any are created. K3s doesn't enable auditing by default, so audit log configuration and audit policy must be created manually. By default, K3s runs with the both the ",(0,i.jsx)(n.code,{children:"PodSecurity"})," and ",(0,i.jsx)(n.code,{children:"NodeRestriction"})," admission controllers enabled, among others."]}),"\n",(0,i.jsx)(n.h3,{id:"pod-security",children:"Pod Security"}),"\n",(0,i.jsxs)(a,{groupId:"pod-sec",queryString:!0,children:[(0,i.jsxs)(t,{value:"v1.25 and Newer",default:!0,children:[(0,i.jsxs)(n.p,{children:["K3s v1.25 and newer support ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/security/pod-security-admission/",children:"Pod Security Admissions (PSAs)"})," for controlling pod security. PSAs are enabled by passing the following flag to the K3s server:"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{children:'--kube-apiserver-arg="admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml"\n'})}),(0,i.jsxs)(n.p,{children:["The policy should be written to a file named ",(0,i.jsx)(n.code,{children:"psa.yaml"})," in ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server"})," directory."]}),(0,i.jsx)(n.p,{children:"Here is an example of a compliant PSA:"}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'apiVersion: apiserver.config.k8s.io/v1\nkind: AdmissionConfiguration\nplugins:\n- name: PodSecurity\n configuration:\n apiVersion: pod-security.admission.config.k8s.io/v1beta1\n kind: PodSecurityConfiguration\n defaults:\n enforce: "restricted"\n enforce-version: "latest"\n audit: "restricted"\n audit-version: "latest"\n warn: "restricted"\n warn-version: "latest"\n exemptions:\n usernames: []\n runtimeClasses: []\n namespaces: [kube-system, cis-operator-system]\n'})})]}),(0,i.jsxs)(t,{value:"v1.24 and Older",default:!0,children:[(0,i.jsxs)(n.p,{children:["K3s v1.24 and older support ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/security/pod-security-policy/",children:"Pod Security Policies (PSPs)"})," for controlling pod security. PSPs are enabled by passing the following flag to the K3s server:"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{children:'--kube-apiserver-arg="enable-admission-plugins=NodeRestriction,PodSecurityPolicy"\n'})}),(0,i.jsxs)(n.p,{children:["This will have the effect of maintaining the ",(0,i.jsx)(n.code,{children:"NodeRestriction"})," plugin as well as enabling the ",(0,i.jsx)(n.code,{children:"PodSecurityPolicy"}),"."]}),(0,i.jsx)(n.p,{children:"When PSPs are enabled, a policy can be applied to satisfy the necessary controls described in section 5.2 of the CIS Benchmark."}),(0,i.jsx)(n.p,{children:"Here is an example of a compliant PSP:"}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: restricted-psp\nspec:\n privileged: false # CIS - 5.2.1\n allowPrivilegeEscalation: false # CIS - 5.2.5\n requiredDropCapabilities: # CIS - 5.2.7/8/9\n - ALL\n volumes:\n - 'configMap'\n - 'emptyDir'\n - 'projected'\n - 'secret'\n - 'downwardAPI'\n - 'csi'\n - 'persistentVolumeClaim'\n - 'ephemeral'\n hostNetwork: false # CIS - 5.2.4\n hostIPC: false # CIS - 5.2.3\n hostPID: false # CIS - 5.2.2\n runAsUser:\n rule: 'MustRunAsNonRoot' # CIS - 5.2.6\n seLinux:\n rule: 'RunAsAny'\n supplementalGroups:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n fsGroup:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n readOnlyRootFilesystem: false\n"})}),(0,i.jsx)(n.p,{children:'For the above PSP to be effective, we need to create a ClusterRole and a ClusterRoleBinding. We also need to include a "system unrestricted policy" which is needed for system-level pods that require additional privileges, and an additional policy that allows sysctls necessary for servicelb to function properly.'}),(0,i.jsxs)(n.p,{children:["Combining the configuration above with the ",(0,i.jsx)(n.a,{href:"#networkpolicies",children:"Network Policy"})," described in the next section, a single file can be placed in the ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"})," directory. Here is an example of a ",(0,i.jsx)(n.code,{children:"policy.yaml"})," file:"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: restricted-psp\nspec:\n privileged: false\n allowPrivilegeEscalation: false\n requiredDropCapabilities:\n - ALL\n volumes:\n - 'configMap'\n - 'emptyDir'\n - 'projected'\n - 'secret'\n - 'downwardAPI'\n - 'csi'\n - 'persistentVolumeClaim'\n - 'ephemeral'\n hostNetwork: false\n hostIPC: false\n hostPID: false\n runAsUser:\n rule: 'MustRunAsNonRoot'\n seLinux:\n rule: 'RunAsAny'\n supplementalGroups:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n fsGroup:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n readOnlyRootFilesystem: false\n---\napiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: system-unrestricted-psp\n annotations:\n seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'\nspec:\n allowPrivilegeEscalation: true\n allowedCapabilities:\n - '*'\n fsGroup:\n rule: RunAsAny\n hostIPC: true\n hostNetwork: true\n hostPID: true\n hostPorts:\n - max: 65535\n min: 0\n privileged: true\n runAsUser:\n rule: RunAsAny\n seLinux:\n rule: RunAsAny\n supplementalGroups:\n rule: RunAsAny\n volumes:\n - '*'\n---\napiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: svclb-psp\n annotations:\n seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'\nspec:\n allowPrivilegeEscalation: false\n allowedCapabilities:\n - NET_ADMIN\n allowedUnsafeSysctls:\n - net.ipv4.ip_forward\n - net.ipv6.conf.all.forwarding\n fsGroup:\n rule: RunAsAny\n hostPorts:\n - max: 65535\n min: 0\n runAsUser:\n rule: RunAsAny\n seLinux:\n rule: RunAsAny\n supplementalGroups:\n rule: RunAsAny\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: psp:restricted-psp\nrules:\n- apiGroups:\n - policy\n resources:\n - podsecuritypolicies\n verbs:\n - use\n resourceNames:\n - restricted-psp\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: psp:system-unrestricted-psp\nrules:\n- apiGroups:\n - policy\n resources:\n - podsecuritypolicies\n resourceNames:\n - system-unrestricted-psp\n verbs:\n - use\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: psp:svclb-psp\nrules:\n- apiGroups:\n - policy\n resources:\n - podsecuritypolicies\n resourceNames:\n - svclb-psp\n verbs:\n - use\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: default:restricted-psp\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:restricted-psp\nsubjects:\n- kind: Group\n name: system:authenticated\n apiGroup: rbac.authorization.k8s.io\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: system-unrestricted-node-psp-rolebinding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:system-unrestricted-psp\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:nodes\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n name: system-unrestricted-svc-acct-psp-rolebinding\n namespace: kube-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:system-unrestricted-psp\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:serviceaccounts\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n name: svclb-psp-rolebinding\n namespace: kube-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:svclb-psp\nsubjects:\n- kind: ServiceAccount\n name: svclb\n---\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: kube-system\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: kube-system\n---\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: default\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: default\n---\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: kube-public\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: kube-public\n"})})]})]}),"\n",(0,i.jsxs)(n.blockquote,{children:["\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.strong,{children:"Note:"})," The Kubernetes critical additions such as CNI, DNS, and Ingress are run as pods in the ",(0,i.jsx)(n.code,{children:"kube-system"})," namespace. Therefore, this namespace will have a policy that is less restrictive so that these components can run properly."]}),"\n"]}),"\n",(0,i.jsx)(n.h3,{id:"networkpolicies",children:"NetworkPolicies"}),"\n",(0,i.jsx)(n.p,{children:"CIS requires that all namespaces have a network policy applied that reasonably limits traffic into namespaces and pods."}),"\n",(0,i.jsxs)(n.p,{children:["Network policies should be placed the ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"})," directory, where they will automatically be deployed on startup."]}),"\n",(0,i.jsx)(n.p,{children:"Here is an example of a compliant network policy."}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"kind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: kube-system\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: kube-system\n"})}),"\n",(0,i.jsx)(n.p,{children:"With the applied restrictions, DNS will be blocked unless purposely allowed. Below is a network policy that will allow for traffic to exist for DNS."}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: default-network-dns-policy\n namespace: \nspec:\n ingress:\n - ports:\n - port: 53\n protocol: TCP\n - port: 53\n protocol: UDP\n podSelector:\n matchLabels:\n k8s-app: kube-dns\n policyTypes:\n - Ingress\n"})}),"\n",(0,i.jsx)(n.p,{children:"The metrics-server and Traefik ingress controller will be blocked by default if network policies are not created to allow access. Traefik v1 as packaged in K3s version 1.20 and below uses different labels than Traefik v2. Ensure that you only use the sample yaml below that is associated with the version of Traefik present on your cluster."}),"\n",(0,i.jsxs)(a,{children:[(0,i.jsx)(t,{value:"v1.21 and Newer",default:!0,children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-metrics-server\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n k8s-app: metrics-server\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-svclbtraefik-ingress\n namespace: kube-system\nspec:\n podSelector: \n matchLabels:\n svccontroller.k3s.cattle.io/svcname: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-traefik-v121-ingress\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n app.kubernetes.io/name: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\n\n"})})}),(0,i.jsx)(t,{value:"v1.20 and Older",default:!0,children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-metrics-server\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n k8s-app: metrics-server\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-svclbtraefik-ingress\n namespace: kube-system\nspec:\n podSelector: \n matchLabels:\n svccontroller.k3s.cattle.io/svcname: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-traefik-v120-ingress\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n app: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\n\n"})})})]}),"\n",(0,i.jsx)(n.admonition,{type:"info",children:(0,i.jsx)(n.p,{children:"Operators must manage network policies as normal for additional namespaces that are created."})}),"\n",(0,i.jsx)(n.h3,{id:"api-server-audit-configuration",children:"API Server audit configuration"}),"\n",(0,i.jsx)(n.p,{children:"CIS requirements 1.2.22 to 1.2.25 are related to configuring audit logs for the API Server. K3s doesn't create by default the log directory and audit policy, as auditing requirements are specific to each user's policies and environment."}),"\n",(0,i.jsx)(n.p,{children:"The log directory, ideally, must be created before starting K3s. A restrictive access permission is recommended to avoid leaking potential sensitive information."}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"sudo mkdir -p -m 700 /var/lib/rancher/k3s/server/logs\n"})}),"\n",(0,i.jsxs)(n.p,{children:["A starter audit policy to log request metadata is provided below. The policy should be written to a file named ",(0,i.jsx)(n.code,{children:"audit.yaml"})," in ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server"})," directory. Detailed information about policy configuration for the API server can be found in the Kubernetes ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/debug-application-cluster/audit/",children:"documentation"}),"."]}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: audit.k8s.io/v1\nkind: Policy\nrules:\n- level: Metadata\n"})}),"\n",(0,i.jsx)(n.p,{children:"Both configurations must be passed as arguments to the API Server as:"}),"\n",(0,i.jsxs)(a,{children:[(0,i.jsx)(t,{value:"config",children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"kube-apiserver-arg:\n - 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'\n - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n - 'audit-log-maxage=30'\n - 'audit-log-maxbackup=10'\n - 'audit-log-maxsize=100'\n"})})}),(0,i.jsx)(t,{value:"cmdline",children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"--kube-apiserver-arg='audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n--kube-apiserver-arg='audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n"})})})]}),"\n",(0,i.jsx)(n.p,{children:"K3s must be restarted to load the new configuration."}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"sudo systemctl daemon-reload\nsudo systemctl restart k3s.service\n"})}),"\n",(0,i.jsx)(n.h2,{id:"configuration-for-kubernetes-components",children:"Configuration for Kubernetes Components"}),"\n",(0,i.jsxs)(n.p,{children:["The configuration below should be placed in the ",(0,i.jsx)(n.a,{href:"/installation/configuration#configuration-file",children:"configuration file"}),", and contains all the necessary remediations to harden the Kubernetes components."]}),"\n",(0,i.jsxs)(a,{groupId:"pod-sec",queryString:!0,children:[(0,i.jsx)(t,{value:"v1.25 and Newer",default:!0,children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"protect-kernel-defaults: true\nsecrets-encryption: true\nkube-apiserver-arg:\n - \"enable-admission-plugins=NodeRestriction,EventRateLimit\"\n - 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'\n - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n - 'audit-log-maxage=30'\n - 'audit-log-maxbackup=10'\n - 'audit-log-maxsize=100'\nkube-controller-manager-arg:\n - 'terminated-pod-gc-threshold=10'\nkubelet-arg:\n - 'streaming-connection-idle-timeout=5m'\n - \"tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305\"\n"})})}),(0,i.jsx)(t,{value:"v1.24 and Older",default:!0,children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"protect-kernel-defaults: true\nsecrets-encryption: true\nkube-apiserver-arg:\n - 'enable-admission-plugins=NodeRestriction,PodSecurityPolicy,NamespaceLifecycle,ServiceAccount'\n - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n - 'audit-log-maxage=30'\n - 'audit-log-maxbackup=10'\n - 'audit-log-maxsize=100'\nkube-controller-manager-arg:\n - 'terminated-pod-gc-threshold=10'\nkubelet-arg:\n - 'streaming-connection-idle-timeout=5m'\n - 'make-iptables-util-chains=true'\n - \"tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305\"\n"})})})]}),"\n",(0,i.jsx)(n.h2,{id:"manual-operations",children:"Manual Operations"}),"\n",(0,i.jsx)(n.p,{children:"The following are controls that K3s currently does not pass by with the above configuration applied. These controls require manual intervention to fully comply with the CIS Benchmark."}),"\n",(0,i.jsx)(n.h3,{id:"control-1120",children:"Control 1.1.20"}),"\n",(0,i.jsx)(n.p,{children:"Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)"}),"\n",(0,i.jsxs)(s,{children:[(0,i.jsxs)(n.p,{children:[(0,i.jsx)("summary",{children:"Remediation"}),"\nK3s PKI certificate files are stored in ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/tls/"})," with permission 644.\nTo remediate, run the following command:"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.crt\n"})})]}),"\n",(0,i.jsx)(n.h3,{id:"control-129",children:"Control 1.2.9"}),"\n",(0,i.jsx)(n.p,{children:"Ensure that the admission control plugin EventRateLimit is set"}),"\n",(0,i.jsxs)(s,{children:[(0,i.jsxs)(n.p,{children:[(0,i.jsx)("summary",{children:"Remediation"}),"\nFollow the ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#eventratelimit",children:"Kubernetes documentation"})," and set the desired limits in a configuration file.\nFor this and other psa configuration, this documentation uses /var/lib/rancher/k3s/server/psa.yaml.\nThen, edit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameters."]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'kube-apiserver-arg:\n - "enable-admission-plugins=NodeRestriction,EventRateLimit"\n - "admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml"\n'})})]}),"\n",(0,i.jsx)(n.h3,{id:"control-1211",children:"Control 1.2.11"}),"\n",(0,i.jsx)(n.p,{children:"Ensure that the admission control plugin AlwaysPullImages is set"}),"\n",(0,i.jsxs)(s,{children:[(0,i.jsxs)(n.p,{children:[(0,i.jsx)("summary",{children:"Remediation"}),'\nPermissive, per CIS guidelines,\n"This setting could impact offline or isolated clusters, which have images pre-loaded and\ndo not have access to a registry to pull in-use images. This setting is not appropriate for\nclusters which use this configuration."\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameter.']}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,AlwaysPullImages,..."\n'})})]}),"\n",(0,i.jsx)(n.h3,{id:"control-1221",children:"Control 1.2.21"}),"\n",(0,i.jsx)(n.p,{children:"Ensure that the --request-timeout argument is set as appropriate"}),"\n",(0,i.jsxs)(s,{children:[(0,i.jsxs)(n.p,{children:[(0,i.jsx)("summary",{children:"Remediation"}),'\nPermissive, per CIS guidelines,\n"it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed".\nEdit the K3s config file /etc/rancher/k3s/config.yaml\nand set the below parameter if needed. For example,']}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'kube-apiserver-arg:\n - "request-timeout=300s"\n'})})]}),"\n",(0,i.jsx)(n.h3,{id:"control-4213",children:"Control 4.2.13"}),"\n",(0,i.jsx)(n.p,{children:"Ensure that a limit is set on pod PIDs"}),"\n",(0,i.jsxs)(s,{children:[(0,i.jsxs)(n.p,{children:[(0,i.jsx)("summary",{children:"Remediation"}),"\nDecide on an appropriate level for this parameter and set it,\nIf using a K3s config file /etc/rancher/k3s/config.yaml, edit the file to set ",(0,i.jsx)(n.code,{children:"podPidsLimit"})," to"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'kubelet-arg:\n - "pod-max-pids="\n'})})]}),"\n",(0,i.jsx)(n.h3,{id:"control-5x",children:"Control 5.X"}),"\n",(0,i.jsx)(n.p,{children:"All the 5.X Controls are related to Kubernetes policy configuration. These controls are not enforced by K3s by default."}),"\n",(0,i.jsxs)(n.p,{children:["Refer to ",(0,i.jsx)(n.a,{href:"/security/self-assessment-1.8#51-rbac-and-service-accounts",children:"CIS 1.8 Section 5"})," for more information on how to create and apply these policies."]}),"\n",(0,i.jsx)(n.h2,{id:"conclusion",children:"Conclusion"}),"\n",(0,i.jsxs)(n.p,{children:["If you have followed this guide, your K3s cluster will be configured to comply with the CIS Kubernetes Benchmark. You can review the ",(0,i.jsx)(n.a,{href:"/security/self-assessment-1.8",children:"CIS 1.8 Self-Assessment Guide"})," to understand the expectations of each of the benchmark's checks and how you can do the same on your cluster."]})]})}function u(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(d,{...e})}):d(e)}function p(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,s)=>{s.d(n,{Z:()=>o,a:()=>a});var i=s(7294);const r={},t=i.createContext(r);function a(e){const n=i.useContext(t);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:a(e.components),i.createElement(t.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7709],{1587:(e,n,s)=>{s.r(n),s.d(n,{assets:()=>l,contentTitle:()=>a,default:()=>u,frontMatter:()=>t,metadata:()=>o,toc:()=>c});var i=s(5893),r=s(1151);const t={title:"CIS Hardening Guide"},a=void 0,o={id:"security/hardening-guide",title:"CIS Hardening Guide",description:"This document provides prescriptive guidance for hardening a production installation of K3s. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Internet Security (CIS).",source:"@site/docs/security/hardening-guide.md",sourceDirName:"security",slug:"/security/hardening-guide",permalink:"/security/hardening-guide",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/hardening-guide.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"CIS Hardening Guide"},sidebar:"mySidebar",previous:{title:"Secrets Encryption",permalink:"/security/secrets-encryption"},next:{title:"CIS 1.8 Self Assessment Guide",permalink:"/security/self-assessment-1.8"}},l={},c=[{value:"Host-level Requirements",id:"host-level-requirements",level:2},{value:"Ensure protect-kernel-defaults is set",id:"ensure-protect-kernel-defaults-is-set",level:3},{value:"Set kernel parameters",id:"set-kernel-parameters",level:4},{value:"Kubernetes Runtime Requirements",id:"kubernetes-runtime-requirements",level:2},{value:"Pod Security",id:"pod-security",level:3},{value:"NetworkPolicies",id:"networkpolicies",level:3},{value:"API Server audit configuration",id:"api-server-audit-configuration",level:3},{value:"Configuration for Kubernetes Components",id:"configuration-for-kubernetes-components",level:2},{value:"Manual Operations",id:"manual-operations",level:2},{value:"Control 1.1.20",id:"control-1120",level:3},{value:"Control 1.2.9",id:"control-129",level:3},{value:"Control 1.2.11",id:"control-1211",level:3},{value:"Control 1.2.21",id:"control-1221",level:3},{value:"Control 4.2.13",id:"control-4213",level:3},{value:"Control 5.X",id:"control-5x",level:3},{value:"Conclusion",id:"conclusion",level:2}];function d(e){const n={a:"a",admonition:"admonition",blockquote:"blockquote",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",strong:"strong",...(0,r.a)(),...e.components},{Details:s,TabItem:t,Tabs:a}=n;return s||p("Details",!0),t||p("TabItem",!0),a||p("Tabs",!0),(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.p,{children:"This document provides prescriptive guidance for hardening a production installation of K3s. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Internet Security (CIS)."}),"\n",(0,i.jsx)(n.p,{children:"K3s has a number of security mitigations applied and turned on by default and will pass a number of the Kubernetes CIS controls without modification. There are some notable exceptions to this that require manual intervention to fully comply with the CIS Benchmark:"}),"\n",(0,i.jsxs)(n.ol,{children:["\n",(0,i.jsx)(n.li,{children:"K3s will not modify the host operating system. Any host-level modifications will need to be done manually."}),"\n",(0,i.jsxs)(n.li,{children:["Certain CIS policy controls for ",(0,i.jsx)(n.code,{children:"NetworkPolicies"})," and ",(0,i.jsx)(n.code,{children:"PodSecurityStandards"})," (",(0,i.jsx)(n.code,{children:"PodSecurityPolicies"})," on v1.24 and older) will restrict the functionality of the cluster. You must opt into having K3s configure these by adding the appropriate options (enabling of admission plugins) to your command-line flags or configuration file as well as manually applying appropriate policies. Further details are presented in the sections below."]}),"\n"]}),"\n",(0,i.jsx)(n.p,{children:"The first section (1.1) of the CIS Benchmark concerns itself primarily with pod manifest permissions and ownership. K3s doesn't utilize these for the core components since everything is packaged into a single binary."}),"\n",(0,i.jsx)(n.h2,{id:"host-level-requirements",children:"Host-level Requirements"}),"\n",(0,i.jsx)(n.p,{children:"There are two areas of host-level requirements: kernel parameters and etcd process/directory configuration. These are outlined in this section."}),"\n",(0,i.jsxs)(n.h3,{id:"ensure-protect-kernel-defaults-is-set",children:["Ensure ",(0,i.jsx)(n.code,{children:"protect-kernel-defaults"})," is set"]}),"\n",(0,i.jsx)(n.p,{children:"This is a kubelet flag that will cause the kubelet to exit if the required kernel parameters are unset or are set to values that are different from the kubelet's defaults."}),"\n",(0,i.jsxs)(n.blockquote,{children:["\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.strong,{children:"Note:"})," ",(0,i.jsx)(n.code,{children:"protect-kernel-defaults"})," is exposed as a top-level flag for K3s."]}),"\n"]}),"\n",(0,i.jsx)(n.h4,{id:"set-kernel-parameters",children:"Set kernel parameters"}),"\n",(0,i.jsxs)(n.p,{children:["Create a file called ",(0,i.jsx)(n.code,{children:"/etc/sysctl.d/90-kubelet.conf"})," and add the snippet below. Then run ",(0,i.jsx)(n.code,{children:"sysctl -p /etc/sysctl.d/90-kubelet.conf"}),"."]}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"vm.panic_on_oom=0\nvm.overcommit_memory=1\nkernel.panic=10\nkernel.panic_on_oops=1\n"})}),"\n",(0,i.jsx)(n.h2,{id:"kubernetes-runtime-requirements",children:"Kubernetes Runtime Requirements"}),"\n",(0,i.jsx)(n.p,{children:"The runtime requirements to comply with the CIS Benchmark are centered around pod security (via PSP or PSA), network policies and API Server auditing logs. These are outlined in this section."}),"\n",(0,i.jsxs)(n.p,{children:["By default, K3s does not include any pod security or network policies. However, K3s ships with a controller that will enforce network policies, if any are created. K3s doesn't enable auditing by default, so audit log configuration and audit policy must be created manually. By default, K3s runs with the both the ",(0,i.jsx)(n.code,{children:"PodSecurity"})," and ",(0,i.jsx)(n.code,{children:"NodeRestriction"})," admission controllers enabled, among others."]}),"\n",(0,i.jsx)(n.h3,{id:"pod-security",children:"Pod Security"}),"\n",(0,i.jsxs)(a,{groupId:"pod-sec",queryString:!0,children:[(0,i.jsxs)(t,{value:"v1.25 and Newer",default:!0,children:[(0,i.jsxs)(n.p,{children:["K3s v1.25 and newer support ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/security/pod-security-admission/",children:"Pod Security Admissions (PSAs)"})," for controlling pod security. PSAs are enabled by passing the following flag to the K3s server:"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{children:'--kube-apiserver-arg="admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml"\n'})}),(0,i.jsxs)(n.p,{children:["The policy should be written to a file named ",(0,i.jsx)(n.code,{children:"psa.yaml"})," in ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server"})," directory."]}),(0,i.jsx)(n.p,{children:"Here is an example of a compliant PSA:"}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'apiVersion: apiserver.config.k8s.io/v1\nkind: AdmissionConfiguration\nplugins:\n- name: PodSecurity\n configuration:\n apiVersion: pod-security.admission.config.k8s.io/v1beta1\n kind: PodSecurityConfiguration\n defaults:\n enforce: "restricted"\n enforce-version: "latest"\n audit: "restricted"\n audit-version: "latest"\n warn: "restricted"\n warn-version: "latest"\n exemptions:\n usernames: []\n runtimeClasses: []\n namespaces: [kube-system, cis-operator-system]\n'})})]}),(0,i.jsxs)(t,{value:"v1.24 and Older",default:!0,children:[(0,i.jsxs)(n.p,{children:["K3s v1.24 and older support ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/security/pod-security-policy/",children:"Pod Security Policies (PSPs)"})," for controlling pod security. PSPs are enabled by passing the following flag to the K3s server:"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{children:'--kube-apiserver-arg="enable-admission-plugins=NodeRestriction,PodSecurityPolicy"\n'})}),(0,i.jsxs)(n.p,{children:["This will have the effect of maintaining the ",(0,i.jsx)(n.code,{children:"NodeRestriction"})," plugin as well as enabling the ",(0,i.jsx)(n.code,{children:"PodSecurityPolicy"}),"."]}),(0,i.jsx)(n.p,{children:"When PSPs are enabled, a policy can be applied to satisfy the necessary controls described in section 5.2 of the CIS Benchmark."}),(0,i.jsx)(n.p,{children:"Here is an example of a compliant PSP:"}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: restricted-psp\nspec:\n privileged: false # CIS - 5.2.1\n allowPrivilegeEscalation: false # CIS - 5.2.5\n requiredDropCapabilities: # CIS - 5.2.7/8/9\n - ALL\n volumes:\n - 'configMap'\n - 'emptyDir'\n - 'projected'\n - 'secret'\n - 'downwardAPI'\n - 'csi'\n - 'persistentVolumeClaim'\n - 'ephemeral'\n hostNetwork: false # CIS - 5.2.4\n hostIPC: false # CIS - 5.2.3\n hostPID: false # CIS - 5.2.2\n runAsUser:\n rule: 'MustRunAsNonRoot' # CIS - 5.2.6\n seLinux:\n rule: 'RunAsAny'\n supplementalGroups:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n fsGroup:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n readOnlyRootFilesystem: false\n"})}),(0,i.jsx)(n.p,{children:'For the above PSP to be effective, we need to create a ClusterRole and a ClusterRoleBinding. We also need to include a "system unrestricted policy" which is needed for system-level pods that require additional privileges, and an additional policy that allows sysctls necessary for servicelb to function properly.'}),(0,i.jsxs)(n.p,{children:["Combining the configuration above with the ",(0,i.jsx)(n.a,{href:"#networkpolicies",children:"Network Policy"})," described in the next section, a single file can be placed in the ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"})," directory. Here is an example of a ",(0,i.jsx)(n.code,{children:"policy.yaml"})," file:"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: restricted-psp\nspec:\n privileged: false\n allowPrivilegeEscalation: false\n requiredDropCapabilities:\n - ALL\n volumes:\n - 'configMap'\n - 'emptyDir'\n - 'projected'\n - 'secret'\n - 'downwardAPI'\n - 'csi'\n - 'persistentVolumeClaim'\n - 'ephemeral'\n hostNetwork: false\n hostIPC: false\n hostPID: false\n runAsUser:\n rule: 'MustRunAsNonRoot'\n seLinux:\n rule: 'RunAsAny'\n supplementalGroups:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n fsGroup:\n rule: 'MustRunAs'\n ranges:\n - min: 1\n max: 65535\n readOnlyRootFilesystem: false\n---\napiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: system-unrestricted-psp\n annotations:\n seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'\nspec:\n allowPrivilegeEscalation: true\n allowedCapabilities:\n - '*'\n fsGroup:\n rule: RunAsAny\n hostIPC: true\n hostNetwork: true\n hostPID: true\n hostPorts:\n - max: 65535\n min: 0\n privileged: true\n runAsUser:\n rule: RunAsAny\n seLinux:\n rule: RunAsAny\n supplementalGroups:\n rule: RunAsAny\n volumes:\n - '*'\n---\napiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n name: svclb-psp\n annotations:\n seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'\nspec:\n allowPrivilegeEscalation: false\n allowedCapabilities:\n - NET_ADMIN\n allowedUnsafeSysctls:\n - net.ipv4.ip_forward\n - net.ipv6.conf.all.forwarding\n fsGroup:\n rule: RunAsAny\n hostPorts:\n - max: 65535\n min: 0\n runAsUser:\n rule: RunAsAny\n seLinux:\n rule: RunAsAny\n supplementalGroups:\n rule: RunAsAny\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: psp:restricted-psp\nrules:\n- apiGroups:\n - policy\n resources:\n - podsecuritypolicies\n verbs:\n - use\n resourceNames:\n - restricted-psp\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: psp:system-unrestricted-psp\nrules:\n- apiGroups:\n - policy\n resources:\n - podsecuritypolicies\n resourceNames:\n - system-unrestricted-psp\n verbs:\n - use\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: psp:svclb-psp\nrules:\n- apiGroups:\n - policy\n resources:\n - podsecuritypolicies\n resourceNames:\n - svclb-psp\n verbs:\n - use\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: default:restricted-psp\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:restricted-psp\nsubjects:\n- kind: Group\n name: system:authenticated\n apiGroup: rbac.authorization.k8s.io\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: system-unrestricted-node-psp-rolebinding\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:system-unrestricted-psp\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:nodes\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n name: system-unrestricted-svc-acct-psp-rolebinding\n namespace: kube-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:system-unrestricted-psp\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:serviceaccounts\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n name: svclb-psp-rolebinding\n namespace: kube-system\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: psp:svclb-psp\nsubjects:\n- kind: ServiceAccount\n name: svclb\n---\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: kube-system\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: kube-system\n---\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: default\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: default\n---\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: kube-public\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: kube-public\n"})})]})]}),"\n",(0,i.jsxs)(n.blockquote,{children:["\n",(0,i.jsxs)(n.p,{children:[(0,i.jsx)(n.strong,{children:"Note:"})," The Kubernetes critical additions such as CNI, DNS, and Ingress are run as pods in the ",(0,i.jsx)(n.code,{children:"kube-system"})," namespace. Therefore, this namespace will have a policy that is less restrictive so that these components can run properly."]}),"\n"]}),"\n",(0,i.jsx)(n.h3,{id:"networkpolicies",children:"NetworkPolicies"}),"\n",(0,i.jsx)(n.p,{children:"CIS requires that all namespaces have a network policy applied that reasonably limits traffic into namespaces and pods."}),"\n",(0,i.jsxs)(n.p,{children:["Network policies should be placed the ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/manifests"})," directory, where they will automatically be deployed on startup."]}),"\n",(0,i.jsx)(n.p,{children:"Here is an example of a compliant network policy."}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"kind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n name: intra-namespace\n namespace: kube-system\nspec:\n podSelector: {}\n ingress:\n - from:\n - namespaceSelector:\n matchLabels:\n name: kube-system\n"})}),"\n",(0,i.jsx)(n.p,{children:"With the applied restrictions, DNS will be blocked unless purposely allowed. Below is a network policy that will allow for traffic to exist for DNS."}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: default-network-dns-policy\n namespace: \nspec:\n ingress:\n - ports:\n - port: 53\n protocol: TCP\n - port: 53\n protocol: UDP\n podSelector:\n matchLabels:\n k8s-app: kube-dns\n policyTypes:\n - Ingress\n"})}),"\n",(0,i.jsx)(n.p,{children:"The metrics-server and Traefik ingress controller will be blocked by default if network policies are not created to allow access. Traefik v1 as packaged in K3s version 1.20 and below uses different labels than Traefik v2. Ensure that you only use the sample yaml below that is associated with the version of Traefik present on your cluster."}),"\n",(0,i.jsxs)(a,{children:[(0,i.jsx)(t,{value:"v1.21 and Newer",default:!0,children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-metrics-server\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n k8s-app: metrics-server\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-svclbtraefik-ingress\n namespace: kube-system\nspec:\n podSelector: \n matchLabels:\n svccontroller.k3s.cattle.io/svcname: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-traefik-v121-ingress\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n app.kubernetes.io/name: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\n\n"})})}),(0,i.jsx)(t,{value:"v1.20 and Older",default:!0,children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-metrics-server\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n k8s-app: metrics-server\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-svclbtraefik-ingress\n namespace: kube-system\nspec:\n podSelector: \n matchLabels:\n svccontroller.k3s.cattle.io/svcname: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: allow-all-traefik-v120-ingress\n namespace: kube-system\nspec:\n podSelector:\n matchLabels:\n app: traefik\n ingress:\n - {}\n policyTypes:\n - Ingress\n---\n\n"})})})]}),"\n",(0,i.jsx)(n.admonition,{type:"info",children:(0,i.jsx)(n.p,{children:"Operators must manage network policies as normal for additional namespaces that are created."})}),"\n",(0,i.jsx)(n.h3,{id:"api-server-audit-configuration",children:"API Server audit configuration"}),"\n",(0,i.jsx)(n.p,{children:"CIS requirements 1.2.22 to 1.2.25 are related to configuring audit logs for the API Server. K3s doesn't create by default the log directory and audit policy, as auditing requirements are specific to each user's policies and environment."}),"\n",(0,i.jsx)(n.p,{children:"The log directory, ideally, must be created before starting K3s. A restrictive access permission is recommended to avoid leaking potential sensitive information."}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"sudo mkdir -p -m 700 /var/lib/rancher/k3s/server/logs\n"})}),"\n",(0,i.jsxs)(n.p,{children:["A starter audit policy to log request metadata is provided below. The policy should be written to a file named ",(0,i.jsx)(n.code,{children:"audit.yaml"})," in ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server"})," directory. Detailed information about policy configuration for the API server can be found in the Kubernetes ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/tasks/debug-application-cluster/audit/",children:"documentation"}),"."]}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"apiVersion: audit.k8s.io/v1\nkind: Policy\nrules:\n- level: Metadata\n"})}),"\n",(0,i.jsx)(n.p,{children:"Both configurations must be passed as arguments to the API Server as:"}),"\n",(0,i.jsxs)(a,{children:[(0,i.jsx)(t,{value:"config",children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"kube-apiserver-arg:\n - 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'\n - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n - 'audit-log-maxage=30'\n - 'audit-log-maxbackup=10'\n - 'audit-log-maxsize=100'\n"})})}),(0,i.jsx)(t,{value:"cmdline",children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"--kube-apiserver-arg='audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n--kube-apiserver-arg='audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n"})})})]}),"\n",(0,i.jsx)(n.p,{children:"K3s must be restarted to load the new configuration."}),"\n",(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"sudo systemctl daemon-reload\nsudo systemctl restart k3s.service\n"})}),"\n",(0,i.jsx)(n.h2,{id:"configuration-for-kubernetes-components",children:"Configuration for Kubernetes Components"}),"\n",(0,i.jsxs)(n.p,{children:["The configuration below should be placed in the ",(0,i.jsx)(n.a,{href:"/installation/configuration#configuration-file",children:"configuration file"}),", and contains all the necessary remediations to harden the Kubernetes components."]}),"\n",(0,i.jsxs)(a,{groupId:"pod-sec",queryString:!0,children:[(0,i.jsx)(t,{value:"v1.25 and Newer",default:!0,children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"protect-kernel-defaults: true\nsecrets-encryption: true\nkube-apiserver-arg:\n - \"enable-admission-plugins=NodeRestriction,EventRateLimit\"\n - 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'\n - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n - 'audit-log-maxage=30'\n - 'audit-log-maxbackup=10'\n - 'audit-log-maxsize=100'\nkube-controller-manager-arg:\n - 'terminated-pod-gc-threshold=10'\nkubelet-arg:\n - 'streaming-connection-idle-timeout=5m'\n - \"tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305\"\n"})})}),(0,i.jsx)(t,{value:"v1.24 and Older",default:!0,children:(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:"protect-kernel-defaults: true\nsecrets-encryption: true\nkube-apiserver-arg:\n - 'enable-admission-plugins=NodeRestriction,PodSecurityPolicy,NamespaceLifecycle,ServiceAccount'\n - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'\n - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'\n - 'audit-log-maxage=30'\n - 'audit-log-maxbackup=10'\n - 'audit-log-maxsize=100'\nkube-controller-manager-arg:\n - 'terminated-pod-gc-threshold=10'\nkubelet-arg:\n - 'streaming-connection-idle-timeout=5m'\n - 'make-iptables-util-chains=true'\n - \"tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305\"\n"})})})]}),"\n",(0,i.jsx)(n.h2,{id:"manual-operations",children:"Manual Operations"}),"\n",(0,i.jsx)(n.p,{children:"The following are controls that K3s currently does not pass by with the above configuration applied. These controls require manual intervention to fully comply with the CIS Benchmark."}),"\n",(0,i.jsx)(n.h3,{id:"control-1120",children:"Control 1.1.20"}),"\n",(0,i.jsx)(n.p,{children:"Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)"}),"\n",(0,i.jsxs)(s,{children:[(0,i.jsxs)(n.p,{children:[(0,i.jsx)("summary",{children:"Remediation"}),"\nK3s PKI certificate files are stored in ",(0,i.jsx)(n.code,{children:"/var/lib/rancher/k3s/server/tls/"})," with permission 644.\nTo remediate, run the following command:"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-bash",children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.crt\n"})})]}),"\n",(0,i.jsx)(n.h3,{id:"control-129",children:"Control 1.2.9"}),"\n",(0,i.jsx)(n.p,{children:"Ensure that the admission control plugin EventRateLimit is set"}),"\n",(0,i.jsxs)(s,{children:[(0,i.jsxs)(n.p,{children:[(0,i.jsx)("summary",{children:"Remediation"}),"\nFollow the ",(0,i.jsx)(n.a,{href:"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#eventratelimit",children:"Kubernetes documentation"})," and set the desired limits in a configuration file.\nFor this and other psa configuration, this documentation uses /var/lib/rancher/k3s/server/psa.yaml.\nThen, edit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameters."]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'kube-apiserver-arg:\n - "enable-admission-plugins=NodeRestriction,EventRateLimit"\n - "admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml"\n'})})]}),"\n",(0,i.jsx)(n.h3,{id:"control-1211",children:"Control 1.2.11"}),"\n",(0,i.jsx)(n.p,{children:"Ensure that the admission control plugin AlwaysPullImages is set"}),"\n",(0,i.jsxs)(s,{children:[(0,i.jsxs)(n.p,{children:[(0,i.jsx)("summary",{children:"Remediation"}),'\nPermissive, per CIS guidelines,\n"This setting could impact offline or isolated clusters, which have images pre-loaded and\ndo not have access to a registry to pull in-use images. This setting is not appropriate for\nclusters which use this configuration."\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameter.']}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,AlwaysPullImages,..."\n'})})]}),"\n",(0,i.jsx)(n.h3,{id:"control-1221",children:"Control 1.2.21"}),"\n",(0,i.jsx)(n.p,{children:"Ensure that the --request-timeout argument is set as appropriate"}),"\n",(0,i.jsxs)(s,{children:[(0,i.jsxs)(n.p,{children:[(0,i.jsx)("summary",{children:"Remediation"}),'\nPermissive, per CIS guidelines,\n"it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed".\nEdit the K3s config file /etc/rancher/k3s/config.yaml\nand set the below parameter if needed. For example,']}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'kube-apiserver-arg:\n - "request-timeout=300s"\n'})})]}),"\n",(0,i.jsx)(n.h3,{id:"control-4213",children:"Control 4.2.13"}),"\n",(0,i.jsx)(n.p,{children:"Ensure that a limit is set on pod PIDs"}),"\n",(0,i.jsxs)(s,{children:[(0,i.jsxs)(n.p,{children:[(0,i.jsx)("summary",{children:"Remediation"}),"\nDecide on an appropriate level for this parameter and set it,\nIf using a K3s config file /etc/rancher/k3s/config.yaml, edit the file to set ",(0,i.jsx)(n.code,{children:"podPidsLimit"})," to"]}),(0,i.jsx)(n.pre,{children:(0,i.jsx)(n.code,{className:"language-yaml",children:'kubelet-arg:\n - "pod-max-pids="\n'})})]}),"\n",(0,i.jsx)(n.h3,{id:"control-5x",children:"Control 5.X"}),"\n",(0,i.jsx)(n.p,{children:"All the 5.X Controls are related to Kubernetes policy configuration. These controls are not enforced by K3s by default."}),"\n",(0,i.jsxs)(n.p,{children:["Refer to ",(0,i.jsx)(n.a,{href:"/security/self-assessment-1.8#51-rbac-and-service-accounts",children:"CIS 1.8 Section 5"})," for more information on how to create and apply these policies."]}),"\n",(0,i.jsx)(n.h2,{id:"conclusion",children:"Conclusion"}),"\n",(0,i.jsxs)(n.p,{children:["If you have followed this guide, your K3s cluster will be configured to comply with the CIS Kubernetes Benchmark. You can review the ",(0,i.jsx)(n.a,{href:"/security/self-assessment-1.8",children:"CIS 1.8 Self-Assessment Guide"})," to understand the expectations of each of the benchmark's checks and how you can do the same on your cluster."]})]})}function u(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(d,{...e})}):d(e)}function p(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,s)=>{s.d(n,{Z:()=>o,a:()=>a});var i=s(7294);const r={},t=i.createContext(r);function a(e){const n=i.useContext(t);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:a(e.components),i.createElement(t.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/914a16f4.c42ed805.js b/assets/js/914a16f4.5cd97920.js
similarity index 98%
rename from assets/js/914a16f4.c42ed805.js
rename to assets/js/914a16f4.5cd97920.js
index 3b9150886..259354162 100644
--- a/assets/js/914a16f4.c42ed805.js
+++ b/assets/js/914a16f4.5cd97920.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7626],{6050:(e,n,o)=>{o.r(n),o.d(n,{assets:()=>l,contentTitle:()=>s,default:()=>p,frontMatter:()=>i,metadata:()=>a,toc:()=>c});var r=o(5893),t=o(1151);const i={title:"Flag Deprecation"},s=void 0,a={id:"reference/flag-deprecation",title:"Flag Deprecation",description:"K3s is a fast-moving project, and as such, we need a way to deprecate flags and configuration options. This page outlines the process for deprecating flags and configuration options. In order to ensure that users are not surprised by the removal of flags, the process is similar to the Kubernetes Deprecation Policy.",source:"@site/docs/reference/flag-deprecation.md",sourceDirName:"reference",slug:"/reference/flag-deprecation",permalink:"/reference/flag-deprecation",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/reference/flag-deprecation.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Flag Deprecation"},sidebar:"mySidebar",previous:{title:"Environment Variables",permalink:"/reference/env-variables"},next:{title:"Resource Profiling",permalink:"/reference/resource-profiling"}},l={},c=[{value:"Process",id:"process",level:2},{value:"Example",id:"example",level:2}];function d(e){const n={a:"a",code:"code",h2:"h2",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsxs)(n.p,{children:["K3s is a fast-moving project, and as such, we need a way to deprecate flags and configuration options. This page outlines the process for deprecating flags and configuration options. In order to ensure that users are not surprised by the removal of flags, the process is similar to the ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/reference/using-api/deprecation-policy/",children:"Kubernetes Deprecation Policy"}),"."]}),"\n",(0,r.jsx)(n.h2,{id:"process",children:"Process"}),"\n",(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsx)(n.li,{children:'Flags can be declared as "To Be Deprecated" at any time.'}),"\n",(0,r.jsx)(n.li,{children:'Flags that are "To Be Deprecated" must be labeled as such on the next patch of all currently supported releases. Additionally, the flag will begin to warn users that it is going to be deprecated in the next minor release.'}),"\n",(0,r.jsx)(n.li,{children:"On the next minor release, a flag will be marked as deprecated in the documentation and converted to a hidden flag in code. The flag will continue to operate and give warnings to users."}),"\n",(0,r.jsx)(n.li,{children:'In the following minor release branch, deprecated flags will become "nonoperational", causing a fatal error if used. This error must explain to the user any new flags or configuration that replace this flag.'}),"\n",(0,r.jsx)(n.li,{children:"In the next minor release, the nonoperational flags will be removed from documentation and code."}),"\n"]}),"\n",(0,r.jsx)(n.h2,{id:"example",children:"Example"}),"\n",(0,r.jsx)(n.p,{children:"An example of the process:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.code,{children:"--foo"})," exists in v1.22.14, v1.23.10, and v1.24.2."]}),"\n",(0,r.jsxs)(n.li,{children:["After the v1.24.2 release, it is decided to deprecate ",(0,r.jsx)(n.code,{children:"--foo"})," in favor of ",(0,r.jsx)(n.code,{children:"--new-foo"}),"."]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.22.15, v1.23.11, and v1.24.3, ",(0,r.jsx)(n.code,{children:"--foo"})," continues to exist, but will warn users:","\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"[Warning] --foo will be deprecated in v1.25.0, use `--new-foo` instead\n"})}),"\n",(0,r.jsx)(n.code,{children:"--foo"})," will continue to exist as an operational flag for the life of v1.22, v1.23 and v1.24."]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.25.0, ",(0,r.jsx)(n.code,{children:"--foo"})," is marked as deprecated in documentation and will be hidden in code. It will continue to work and warn users to move to ",(0,r.jsx)(n.code,{children:"--new-foo"}),"."]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.26.0, ",(0,r.jsx)(n.code,{children:"--foo"})," will cause a fatal error if used. The error message will say:","\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"[Fatal] exit 1: --foo is no longer supported, use --new-foo instead\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.27.0, ",(0,r.jsx)(n.code,{children:"--foo"})," will be removed completely from all code and documentation."]}),"\n"]})]})}function p(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(d,{...e})}):d(e)}},1151:(e,n,o)=>{o.d(n,{Z:()=>a,a:()=>s});var r=o(7294);const t={},i=r.createContext(t);function s(e){const n=r.useContext(i);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:s(e.components),r.createElement(i.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7626],{6050:(e,n,o)=>{o.r(n),o.d(n,{assets:()=>l,contentTitle:()=>s,default:()=>p,frontMatter:()=>i,metadata:()=>a,toc:()=>c});var r=o(5893),t=o(1151);const i={title:"Flag Deprecation"},s=void 0,a={id:"reference/flag-deprecation",title:"Flag Deprecation",description:"K3s is a fast-moving project, and as such, we need a way to deprecate flags and configuration options. This page outlines the process for deprecating flags and configuration options. In order to ensure that users are not surprised by the removal of flags, the process is similar to the Kubernetes Deprecation Policy.",source:"@site/docs/reference/flag-deprecation.md",sourceDirName:"reference",slug:"/reference/flag-deprecation",permalink:"/reference/flag-deprecation",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/reference/flag-deprecation.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Flag Deprecation"},sidebar:"mySidebar",previous:{title:"Environment Variables",permalink:"/reference/env-variables"},next:{title:"Resource Profiling",permalink:"/reference/resource-profiling"}},l={},c=[{value:"Process",id:"process",level:2},{value:"Example",id:"example",level:2}];function d(e){const n={a:"a",code:"code",h2:"h2",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsxs)(n.p,{children:["K3s is a fast-moving project, and as such, we need a way to deprecate flags and configuration options. This page outlines the process for deprecating flags and configuration options. In order to ensure that users are not surprised by the removal of flags, the process is similar to the ",(0,r.jsx)(n.a,{href:"https://kubernetes.io/docs/reference/using-api/deprecation-policy/",children:"Kubernetes Deprecation Policy"}),"."]}),"\n",(0,r.jsx)(n.h2,{id:"process",children:"Process"}),"\n",(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsx)(n.li,{children:'Flags can be declared as "To Be Deprecated" at any time.'}),"\n",(0,r.jsx)(n.li,{children:'Flags that are "To Be Deprecated" must be labeled as such on the next patch of all currently supported releases. Additionally, the flag will begin to warn users that it is going to be deprecated in the next minor release.'}),"\n",(0,r.jsx)(n.li,{children:"On the next minor release, a flag will be marked as deprecated in the documentation and converted to a hidden flag in code. The flag will continue to operate and give warnings to users."}),"\n",(0,r.jsx)(n.li,{children:'In the following minor release branch, deprecated flags will become "nonoperational", causing a fatal error if used. This error must explain to the user any new flags or configuration that replace this flag.'}),"\n",(0,r.jsx)(n.li,{children:"In the next minor release, the nonoperational flags will be removed from documentation and code."}),"\n"]}),"\n",(0,r.jsx)(n.h2,{id:"example",children:"Example"}),"\n",(0,r.jsx)(n.p,{children:"An example of the process:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.code,{children:"--foo"})," exists in v1.22.14, v1.23.10, and v1.24.2."]}),"\n",(0,r.jsxs)(n.li,{children:["After the v1.24.2 release, it is decided to deprecate ",(0,r.jsx)(n.code,{children:"--foo"})," in favor of ",(0,r.jsx)(n.code,{children:"--new-foo"}),"."]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.22.15, v1.23.11, and v1.24.3, ",(0,r.jsx)(n.code,{children:"--foo"})," continues to exist, but will warn users:","\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"[Warning] --foo will be deprecated in v1.25.0, use `--new-foo` instead\n"})}),"\n",(0,r.jsx)(n.code,{children:"--foo"})," will continue to exist as an operational flag for the life of v1.22, v1.23 and v1.24."]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.25.0, ",(0,r.jsx)(n.code,{children:"--foo"})," is marked as deprecated in documentation and will be hidden in code. It will continue to work and warn users to move to ",(0,r.jsx)(n.code,{children:"--new-foo"}),"."]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.26.0, ",(0,r.jsx)(n.code,{children:"--foo"})," will cause a fatal error if used. The error message will say:","\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"[Fatal] exit 1: --foo is no longer supported, use --new-foo instead\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["In v1.27.0, ",(0,r.jsx)(n.code,{children:"--foo"})," will be removed completely from all code and documentation."]}),"\n"]})]})}function p(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(d,{...e})}):d(e)}},1151:(e,n,o)=>{o.d(n,{Z:()=>a,a:()=>s});var r=o(7294);const t={},i=r.createContext(t);function s(e){const n=r.useContext(i);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function a(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:s(e.components),r.createElement(i.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/97c4f258.0be8a102.js b/assets/js/97c4f258.8622c9bc.js
similarity index 99%
rename from assets/js/97c4f258.0be8a102.js
rename to assets/js/97c4f258.8622c9bc.js
index 67b92f9e7..702f1bbeb 100644
--- a/assets/js/97c4f258.0be8a102.js
+++ b/assets/js/97c4f258.8622c9bc.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[305],{8486:(e,n,i)=>{i.r(n),i.d(n,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>a,metadata:()=>r,toc:()=>c});var s=i(5893),t=i(1151);const a={title:"Configuration Options"},o=void 0,r={id:"installation/configuration",title:"Configuration Options",description:"This page focuses on the options that are commonly used when setting up K3s for the first time. Refer to the documentation on Advanced Options and Configuration and the server and agent command documentation for more in-depth coverage.",source:"@site/docs/installation/configuration.md",sourceDirName:"installation",slug:"/installation/configuration",permalink:"/installation/configuration",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/configuration.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Configuration Options"},sidebar:"mySidebar",previous:{title:"Requirements",permalink:"/installation/requirements"},next:{title:"Private Registry Configuration",permalink:"/installation/private-registry"}},l={},c=[{value:"Configuration with install script",id:"configuration-with-install-script",level:2},{value:"Configuration with binary",id:"configuration-with-binary",level:2},{value:"Configuration File",id:"configuration-file",level:2},{value:"Multiple Config Files",id:"multiple-config-files",level:3},{value:"Putting it all together",id:"putting-it-all-together",level:2}];function d(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",ul:"ul",...(0,t.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(n.p,{children:["This page focuses on the options that are commonly used when setting up K3s for the first time. Refer to the documentation on ",(0,s.jsx)(n.a,{href:"/advanced",children:"Advanced Options and Configuration"})," and the ",(0,s.jsx)(n.a,{href:"/cli/server",children:"server"})," and ",(0,s.jsx)(n.a,{href:"/cli/agent",children:"agent"})," command documentation for more in-depth coverage."]}),"\n",(0,s.jsx)(n.h2,{id:"configuration-with-install-script",children:"Configuration with install script"}),"\n",(0,s.jsxs)(n.p,{children:["As mentioned in the ",(0,s.jsx)(n.a,{href:"/quick-start",children:"Quick-Start Guide"}),", you can use the installation script available at ",(0,s.jsx)(n.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"})," to install K3s as a service on systemd and openrc based systems."]}),"\n",(0,s.jsxs)(n.p,{children:["You can use a combination of ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_EXEC"}),", ",(0,s.jsx)(n.code,{children:"K3S_"})," environment variables, and command flags to pass configuration to the service configuration.\nThe prefixed environment variables, ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_EXEC"})," value, and trailing shell arguments are all persisted into the service configuration.\nAfter installation, configuration may be altered by editing the environment file, editing the service configuration, or simply re-running the installer with new options."]}),"\n",(0,s.jsx)(n.p,{children:"To illustrate this, the following commands all result in the same behavior of registering a server without flannel and with a token:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server" sh -s - --flannel-backend none --token 12345\ncurl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --flannel-backend none" K3S_TOKEN=12345 sh -s -\ncurl -sfL https://get.k3s.io | K3S_TOKEN=12345 sh -s - server --flannel-backend none\n# server is assumed below because there is no K3S_URL\ncurl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="--flannel-backend none --token 12345" sh -s - \ncurl -sfL https://get.k3s.io | sh -s - --flannel-backend none --token 12345\n'})}),"\n",(0,s.jsx)(n.p,{children:"When registering an agent, the following commands all result in the same behavior:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="agent --server https://k3s.example.com --token mypassword" sh -s -\ncurl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="agent" K3S_TOKEN="mypassword" sh -s - --server https://k3s.example.com\ncurl -sfL https://get.k3s.io | K3S_URL=https://k3s.example.com sh -s - agent --token mypassword\ncurl -sfL https://get.k3s.io | K3S_URL=https://k3s.example.com K3S_TOKEN=mypassword sh -s - # agent is assumed because of K3S_URL\n'})}),"\n",(0,s.jsxs)(n.p,{children:["For details on all environment variables, see ",(0,s.jsx)(n.a,{href:"/reference/env-variables",children:"Environment Variables."})]}),"\n",(0,s.jsxs)(n.admonition,{title:"Note",type:"info",children:[(0,s.jsx)(n.p,{children:"If you set configuration when running the install script, but do not set it again when re-running the install script, the original values will be lost."}),(0,s.jsxs)(n.p,{children:["The contents of the ",(0,s.jsx)(n.a,{href:"#configuration-file",children:"configuration file"})," are not managed by the install script.\nIf you want your configuration to be independent from the install script, you should use a configuration file instead of passing environment variables or arguments to the install script."]})]}),"\n",(0,s.jsx)(n.h2,{id:"configuration-with-binary",children:"Configuration with binary"}),"\n",(0,s.jsxs)(n.p,{children:["As stated, the installation script is primarily concerned with configuring K3s to run as a service.",(0,s.jsx)(n.br,{}),"\n","If you choose to not use the script, you can run K3s simply by downloading the binary from our ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/latest",children:"release page"}),", placing it on your path, and executing it. This is not particularly useful for permanent installations, but may be useful when performing quick tests that do not merit managing K3s as a system service."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -Lo /usr/local/bin/k3s https://github.com/k3s-io/k3s/releases/download/v1.26.5+k3s1/k3s; chmod a+x /usr/local/bin/k3s\n"})}),"\n",(0,s.jsxs)(n.p,{children:["You can pass configuration by setting ",(0,s.jsx)(n.code,{children:"K3S_"})," environment variables:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'K3S_KUBECONFIG_MODE="644" k3s server\n'})}),"\n",(0,s.jsx)(n.p,{children:"Or command flags:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"k3s server --write-kubeconfig-mode=644\n"})}),"\n",(0,s.jsx)(n.p,{children:"The k3s agent can also be configured this way:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"k3s agent --server https://k3s.example.com --token mypassword\n"})}),"\n",(0,s.jsxs)(n.p,{children:["For details on configuring the K3s server, see the ",(0,s.jsxs)(n.a,{href:"/cli/server",children:[(0,s.jsx)(n.code,{children:"k3s server"})," documentation"]}),".",(0,s.jsx)(n.br,{}),"\n","For details on configuring the K3s agent, see the ",(0,s.jsxs)(n.a,{href:"/cli/agent",children:[(0,s.jsx)(n.code,{children:"k3s agent"})," documentation"]}),".",(0,s.jsx)(n.br,{}),"\n","You can also use the ",(0,s.jsx)(n.code,{children:"--help"})," flag to see a list of all available options, and their corresponding environment variables."]}),"\n",(0,s.jsx)(n.admonition,{title:"Matching Flags",type:"info",children:(0,s.jsxs)(n.p,{children:["It is important to match critical flags on your server nodes. For example, if you use the flag\n",(0,s.jsx)(n.code,{children:"--disable servicelb"})," or ",(0,s.jsx)(n.code,{children:"--cluster-cidr=10.200.0.0/16"})," on your master node, but don't set it on other server nodes, the nodes will fail to join. They will print errors such as:\n",(0,s.jsx)(n.code,{children:"failed to validate server configuration: critical configuration value mismatch."}),"\nSee the Server Configuration documentation (linked above) for more information on which flags must be set identically on server nodes."]})}),"\n",(0,s.jsx)(n.h2,{id:"configuration-file",children:"Configuration File"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.19.1%2Bk3s1",children:"v1.19.1+k3s1"})]})}),"\n",(0,s.jsx)(n.p,{children:"In addition to configuring K3s with environment variables and CLI arguments, K3s can also use a config file."}),"\n",(0,s.jsxs)(n.p,{children:["By default, values present in a YAML file located at ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"})," will be used on install."]}),"\n",(0,s.jsxs)(n.p,{children:["An example of a basic ",(0,s.jsx)(n.code,{children:"server"})," config file is below:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'write-kubeconfig-mode: "0644"\ntls-san:\n - "foo.local"\nnode-label:\n - "foo=bar"\n - "something=amazing"\ncluster-init: true\n'})}),"\n",(0,s.jsx)(n.p,{children:"This is equivalent to the following CLI arguments:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'k3s server \\\n --write-kubeconfig-mode "0644" \\\n --tls-san "foo.local" \\\n --node-label "foo=bar" \\\n --node-label "something=amazing" \\\n --cluster-init\n'})}),"\n",(0,s.jsxs)(n.p,{children:["In general, CLI arguments map to their respective YAML key, with repeatable CLI arguments being represented as YAML lists. Boolean flags are represented as ",(0,s.jsx)(n.code,{children:"true"})," or ",(0,s.jsx)(n.code,{children:"false"})," in the YAML file."]}),"\n",(0,s.jsxs)(n.p,{children:["It is also possible to use both a configuration file and CLI arguments. In these situations, values will be loaded from both sources, but CLI arguments will take precedence. For repeatable arguments such as ",(0,s.jsx)(n.code,{children:"--node-label"}),", the CLI arguments will overwrite all values in the list."]}),"\n",(0,s.jsxs)(n.p,{children:["Finally, the location of the config file can be changed either through the CLI argument ",(0,s.jsx)(n.code,{children:"--config FILE, -c FILE"}),", or the environment variable ",(0,s.jsx)(n.code,{children:"$K3S_CONFIG_FILE"}),"."]}),"\n",(0,s.jsx)(n.h3,{id:"multiple-config-files",children:"Multiple Config Files"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.21.0%2Bk3s1",children:"v1.21.0+k3s1"})]})}),"\n",(0,s.jsxs)(n.p,{children:["Multiple configuration files are supported. By default, configuration files are read from ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"})," and ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml.d/*.yaml"})," in alphabetical order."]}),"\n",(0,s.jsxs)(n.p,{children:["By default, the last value found for a given key will be used. A ",(0,s.jsx)(n.code,{children:"+"})," can be appended to the key to append the value to the existing string or slice, instead of replacing it. All occurrences of this key in subsequent files will also require a ",(0,s.jsx)(n.code,{children:"+"})," to prevent overwriting the accumulated value."]}),"\n",(0,s.jsx)(n.p,{children:"An example of multiple config files is below:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"# config.yaml\ntoken: boop\nnode-label:\n - foo=bar\n - bar=baz\n\n\n# config.yaml.d/test1.yaml\nwrite-kubeconfig-mode: 600\nnode-taint:\n - alice=bob:NoExecute\n\n# config.yaml.d/test2.yaml\nwrite-kubeconfig-mode: 777\nnode-label:\n - other=what\n - foo=three\nnode-taint+:\n - charlie=delta:NoSchedule\n\n"})}),"\n",(0,s.jsx)(n.p,{children:"This results in a final configuration of:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"write-kubeconfig-mode: 777\ntoken: boop\nnode-label:\n - other=what\n - foo=three\nnode-taint:\n - alice=bob:NoExecute\n - charlie=delta:NoSchedule\n"})}),"\n",(0,s.jsx)(n.h2,{id:"putting-it-all-together",children:"Putting it all together"}),"\n",(0,s.jsx)(n.p,{children:"All of the above options can be combined into a single example."}),"\n",(0,s.jsxs)(n.p,{children:["A ",(0,s.jsx)(n.code,{children:"config.yaml"})," file is created at ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'token: "secret"\ndebug: true\n'})}),"\n",(0,s.jsx)(n.p,{children:"Then the installation script is run with a combination of environment variables and flags:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" INSTALL_K3S_EXEC="server" sh -s - --flannel-backend none\n'})}),"\n",(0,s.jsx)(n.p,{children:"Or if you have already installed the K3s Binary:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'K3S_KUBECONFIG_MODE="644" k3s server --flannel-backend none\n'})}),"\n",(0,s.jsx)(n.p,{children:"This results in a server with:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["A kubeconfig file with permissions ",(0,s.jsx)(n.code,{children:"644"})]}),"\n",(0,s.jsxs)(n.li,{children:["Flannel backend set to ",(0,s.jsx)(n.code,{children:"none"})]}),"\n",(0,s.jsxs)(n.li,{children:["The token set to ",(0,s.jsx)(n.code,{children:"secret"})]}),"\n",(0,s.jsx)(n.li,{children:"Debug logging enabled"}),"\n"]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,n,i)=>{i.d(n,{Z:()=>r,a:()=>o});var s=i(7294);const t={},a=s.createContext(t);function o(e){const n=s.useContext(a);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function r(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:o(e.components),s.createElement(a.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[305],{8486:(e,n,i)=>{i.r(n),i.d(n,{assets:()=>l,contentTitle:()=>o,default:()=>h,frontMatter:()=>a,metadata:()=>r,toc:()=>c});var s=i(5893),t=i(1151);const a={title:"Configuration Options"},o=void 0,r={id:"installation/configuration",title:"Configuration Options",description:"This page focuses on the options that are commonly used when setting up K3s for the first time. Refer to the documentation on Advanced Options and Configuration and the server and agent command documentation for more in-depth coverage.",source:"@site/docs/installation/configuration.md",sourceDirName:"installation",slug:"/installation/configuration",permalink:"/installation/configuration",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/configuration.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Configuration Options"},sidebar:"mySidebar",previous:{title:"Requirements",permalink:"/installation/requirements"},next:{title:"Private Registry Configuration",permalink:"/installation/private-registry"}},l={},c=[{value:"Configuration with install script",id:"configuration-with-install-script",level:2},{value:"Configuration with binary",id:"configuration-with-binary",level:2},{value:"Configuration File",id:"configuration-file",level:2},{value:"Multiple Config Files",id:"multiple-config-files",level:3},{value:"Putting it all together",id:"putting-it-all-together",level:2}];function d(e){const n={a:"a",admonition:"admonition",br:"br",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",ul:"ul",...(0,t.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsxs)(n.p,{children:["This page focuses on the options that are commonly used when setting up K3s for the first time. Refer to the documentation on ",(0,s.jsx)(n.a,{href:"/advanced",children:"Advanced Options and Configuration"})," and the ",(0,s.jsx)(n.a,{href:"/cli/server",children:"server"})," and ",(0,s.jsx)(n.a,{href:"/cli/agent",children:"agent"})," command documentation for more in-depth coverage."]}),"\n",(0,s.jsx)(n.h2,{id:"configuration-with-install-script",children:"Configuration with install script"}),"\n",(0,s.jsxs)(n.p,{children:["As mentioned in the ",(0,s.jsx)(n.a,{href:"/quick-start",children:"Quick-Start Guide"}),", you can use the installation script available at ",(0,s.jsx)(n.a,{href:"https://get.k3s.io",children:"https://get.k3s.io"})," to install K3s as a service on systemd and openrc based systems."]}),"\n",(0,s.jsxs)(n.p,{children:["You can use a combination of ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_EXEC"}),", ",(0,s.jsx)(n.code,{children:"K3S_"})," environment variables, and command flags to pass configuration to the service configuration.\nThe prefixed environment variables, ",(0,s.jsx)(n.code,{children:"INSTALL_K3S_EXEC"})," value, and trailing shell arguments are all persisted into the service configuration.\nAfter installation, configuration may be altered by editing the environment file, editing the service configuration, or simply re-running the installer with new options."]}),"\n",(0,s.jsx)(n.p,{children:"To illustrate this, the following commands all result in the same behavior of registering a server without flannel and with a token:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server" sh -s - --flannel-backend none --token 12345\ncurl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --flannel-backend none" K3S_TOKEN=12345 sh -s -\ncurl -sfL https://get.k3s.io | K3S_TOKEN=12345 sh -s - server --flannel-backend none\n# server is assumed below because there is no K3S_URL\ncurl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="--flannel-backend none --token 12345" sh -s - \ncurl -sfL https://get.k3s.io | sh -s - --flannel-backend none --token 12345\n'})}),"\n",(0,s.jsx)(n.p,{children:"When registering an agent, the following commands all result in the same behavior:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="agent --server https://k3s.example.com --token mypassword" sh -s -\ncurl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="agent" K3S_TOKEN="mypassword" sh -s - --server https://k3s.example.com\ncurl -sfL https://get.k3s.io | K3S_URL=https://k3s.example.com sh -s - agent --token mypassword\ncurl -sfL https://get.k3s.io | K3S_URL=https://k3s.example.com K3S_TOKEN=mypassword sh -s - # agent is assumed because of K3S_URL\n'})}),"\n",(0,s.jsxs)(n.p,{children:["For details on all environment variables, see ",(0,s.jsx)(n.a,{href:"/reference/env-variables",children:"Environment Variables."})]}),"\n",(0,s.jsxs)(n.admonition,{title:"Note",type:"info",children:[(0,s.jsx)(n.p,{children:"If you set configuration when running the install script, but do not set it again when re-running the install script, the original values will be lost."}),(0,s.jsxs)(n.p,{children:["The contents of the ",(0,s.jsx)(n.a,{href:"#configuration-file",children:"configuration file"})," are not managed by the install script.\nIf you want your configuration to be independent from the install script, you should use a configuration file instead of passing environment variables or arguments to the install script."]})]}),"\n",(0,s.jsx)(n.h2,{id:"configuration-with-binary",children:"Configuration with binary"}),"\n",(0,s.jsxs)(n.p,{children:["As stated, the installation script is primarily concerned with configuring K3s to run as a service.",(0,s.jsx)(n.br,{}),"\n","If you choose to not use the script, you can run K3s simply by downloading the binary from our ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/latest",children:"release page"}),", placing it on your path, and executing it. This is not particularly useful for permanent installations, but may be useful when performing quick tests that do not merit managing K3s as a system service."]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"curl -Lo /usr/local/bin/k3s https://github.com/k3s-io/k3s/releases/download/v1.26.5+k3s1/k3s; chmod a+x /usr/local/bin/k3s\n"})}),"\n",(0,s.jsxs)(n.p,{children:["You can pass configuration by setting ",(0,s.jsx)(n.code,{children:"K3S_"})," environment variables:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'K3S_KUBECONFIG_MODE="644" k3s server\n'})}),"\n",(0,s.jsx)(n.p,{children:"Or command flags:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"k3s server --write-kubeconfig-mode=644\n"})}),"\n",(0,s.jsx)(n.p,{children:"The k3s agent can also be configured this way:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"k3s agent --server https://k3s.example.com --token mypassword\n"})}),"\n",(0,s.jsxs)(n.p,{children:["For details on configuring the K3s server, see the ",(0,s.jsxs)(n.a,{href:"/cli/server",children:[(0,s.jsx)(n.code,{children:"k3s server"})," documentation"]}),".",(0,s.jsx)(n.br,{}),"\n","For details on configuring the K3s agent, see the ",(0,s.jsxs)(n.a,{href:"/cli/agent",children:[(0,s.jsx)(n.code,{children:"k3s agent"})," documentation"]}),".",(0,s.jsx)(n.br,{}),"\n","You can also use the ",(0,s.jsx)(n.code,{children:"--help"})," flag to see a list of all available options, and their corresponding environment variables."]}),"\n",(0,s.jsx)(n.admonition,{title:"Matching Flags",type:"info",children:(0,s.jsxs)(n.p,{children:["It is important to match critical flags on your server nodes. For example, if you use the flag\n",(0,s.jsx)(n.code,{children:"--disable servicelb"})," or ",(0,s.jsx)(n.code,{children:"--cluster-cidr=10.200.0.0/16"})," on your master node, but don't set it on other server nodes, the nodes will fail to join. They will print errors such as:\n",(0,s.jsx)(n.code,{children:"failed to validate server configuration: critical configuration value mismatch."}),"\nSee the Server Configuration documentation (linked above) for more information on which flags must be set identically on server nodes."]})}),"\n",(0,s.jsx)(n.h2,{id:"configuration-file",children:"Configuration File"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.19.1%2Bk3s1",children:"v1.19.1+k3s1"})]})}),"\n",(0,s.jsx)(n.p,{children:"In addition to configuring K3s with environment variables and CLI arguments, K3s can also use a config file."}),"\n",(0,s.jsxs)(n.p,{children:["By default, values present in a YAML file located at ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"})," will be used on install."]}),"\n",(0,s.jsxs)(n.p,{children:["An example of a basic ",(0,s.jsx)(n.code,{children:"server"})," config file is below:"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'write-kubeconfig-mode: "0644"\ntls-san:\n - "foo.local"\nnode-label:\n - "foo=bar"\n - "something=amazing"\ncluster-init: true\n'})}),"\n",(0,s.jsx)(n.p,{children:"This is equivalent to the following CLI arguments:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'k3s server \\\n --write-kubeconfig-mode "0644" \\\n --tls-san "foo.local" \\\n --node-label "foo=bar" \\\n --node-label "something=amazing" \\\n --cluster-init\n'})}),"\n",(0,s.jsxs)(n.p,{children:["In general, CLI arguments map to their respective YAML key, with repeatable CLI arguments being represented as YAML lists. Boolean flags are represented as ",(0,s.jsx)(n.code,{children:"true"})," or ",(0,s.jsx)(n.code,{children:"false"})," in the YAML file."]}),"\n",(0,s.jsxs)(n.p,{children:["It is also possible to use both a configuration file and CLI arguments. In these situations, values will be loaded from both sources, but CLI arguments will take precedence. For repeatable arguments such as ",(0,s.jsx)(n.code,{children:"--node-label"}),", the CLI arguments will overwrite all values in the list."]}),"\n",(0,s.jsxs)(n.p,{children:["Finally, the location of the config file can be changed either through the CLI argument ",(0,s.jsx)(n.code,{children:"--config FILE, -c FILE"}),", or the environment variable ",(0,s.jsx)(n.code,{children:"$K3S_CONFIG_FILE"}),"."]}),"\n",(0,s.jsx)(n.h3,{id:"multiple-config-files",children:"Multiple Config Files"}),"\n",(0,s.jsx)(n.admonition,{title:"Version Gate",type:"info",children:(0,s.jsxs)(n.p,{children:["Available as of ",(0,s.jsx)(n.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.21.0%2Bk3s1",children:"v1.21.0+k3s1"})]})}),"\n",(0,s.jsxs)(n.p,{children:["Multiple configuration files are supported. By default, configuration files are read from ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"})," and ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml.d/*.yaml"})," in alphabetical order."]}),"\n",(0,s.jsxs)(n.p,{children:["By default, the last value found for a given key will be used. A ",(0,s.jsx)(n.code,{children:"+"})," can be appended to the key to append the value to the existing string or slice, instead of replacing it. All occurrences of this key in subsequent files will also require a ",(0,s.jsx)(n.code,{children:"+"})," to prevent overwriting the accumulated value."]}),"\n",(0,s.jsx)(n.p,{children:"An example of multiple config files is below:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"# config.yaml\ntoken: boop\nnode-label:\n - foo=bar\n - bar=baz\n\n\n# config.yaml.d/test1.yaml\nwrite-kubeconfig-mode: 600\nnode-taint:\n - alice=bob:NoExecute\n\n# config.yaml.d/test2.yaml\nwrite-kubeconfig-mode: 777\nnode-label:\n - other=what\n - foo=three\nnode-taint+:\n - charlie=delta:NoSchedule\n\n"})}),"\n",(0,s.jsx)(n.p,{children:"This results in a final configuration of:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:"write-kubeconfig-mode: 777\ntoken: boop\nnode-label:\n - other=what\n - foo=three\nnode-taint:\n - alice=bob:NoExecute\n - charlie=delta:NoSchedule\n"})}),"\n",(0,s.jsx)(n.h2,{id:"putting-it-all-together",children:"Putting it all together"}),"\n",(0,s.jsx)(n.p,{children:"All of the above options can be combined into a single example."}),"\n",(0,s.jsxs)(n.p,{children:["A ",(0,s.jsx)(n.code,{children:"config.yaml"})," file is created at ",(0,s.jsx)(n.code,{children:"/etc/rancher/k3s/config.yaml"}),":"]}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-yaml",children:'token: "secret"\ndebug: true\n'})}),"\n",(0,s.jsx)(n.p,{children:"Then the installation script is run with a combination of environment variables and flags:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" INSTALL_K3S_EXEC="server" sh -s - --flannel-backend none\n'})}),"\n",(0,s.jsx)(n.p,{children:"Or if you have already installed the K3s Binary:"}),"\n",(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:'K3S_KUBECONFIG_MODE="644" k3s server --flannel-backend none\n'})}),"\n",(0,s.jsx)(n.p,{children:"This results in a server with:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsxs)(n.li,{children:["A kubeconfig file with permissions ",(0,s.jsx)(n.code,{children:"644"})]}),"\n",(0,s.jsxs)(n.li,{children:["Flannel backend set to ",(0,s.jsx)(n.code,{children:"none"})]}),"\n",(0,s.jsxs)(n.li,{children:["The token set to ",(0,s.jsx)(n.code,{children:"secret"})]}),"\n",(0,s.jsx)(n.li,{children:"Debug logging enabled"}),"\n"]})]})}function h(e={}){const{wrapper:n}={...(0,t.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,n,i)=>{i.d(n,{Z:()=>r,a:()=>o});var s=i(7294);const t={},a=s.createContext(t);function o(e){const n=s.useContext(a);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function r(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:o(e.components),s.createElement(a.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/9e39b1cd.e1d0f21d.js b/assets/js/9e39b1cd.b5cf9394.js
similarity index 98%
rename from assets/js/9e39b1cd.e1d0f21d.js
rename to assets/js/9e39b1cd.b5cf9394.js
index 2108f3357..7d1993456 100644
--- a/assets/js/9e39b1cd.e1d0f21d.js
+++ b/assets/js/9e39b1cd.b5cf9394.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7813],{4016:(e,t,n)=>{n.r(t),n.d(t,{assets:()=>i,contentTitle:()=>d,default:()=>a,frontMatter:()=>c,metadata:()=>o,toc:()=>l});var s=n(5893),r=n(1151);const c={title:"CLI Tools"},d=void 0,o={id:"cli/cli",title:"CLI Tools",description:"The K3s binary contains a number of additional tools the help you manage your cluster.",source:"@site/docs/cli/cli.md",sourceDirName:"cli",slug:"/cli/",permalink:"/cli/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/cli.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"CLI Tools"},sidebar:"mySidebar",previous:{title:"CIS 1.24 Self Assessment Guide",permalink:"/security/self-assessment-1.24"},next:{title:"server",permalink:"/cli/server"}},i={},l=[];function h(e){const t={a:"a",code:"code",p:"p",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(t.p,{children:"The K3s binary contains a number of additional tools the help you manage your cluster."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Command"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s server"})}),(0,s.jsxs)(t.td,{children:["Run a K3s server node, which launches the Kubernetes ",(0,s.jsx)(t.code,{children:"apiserver"}),", ",(0,s.jsx)(t.code,{children:"scheduler"}),", ",(0,s.jsx)(t.code,{children:"controller-manager"}),", and ",(0,s.jsx)(t.code,{children:"cloud-controller-manager"})," components, in addition a datastore and the agent components. See the ",(0,s.jsxs)(t.a,{href:"/cli/server",children:[(0,s.jsx)(t.code,{children:"k3s server"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s agent"})}),(0,s.jsxs)(t.td,{children:["Run the K3s agent node, which launches ",(0,s.jsx)(t.code,{children:"containerd"}),", ",(0,s.jsx)(t.code,{children:"flannel"}),", ",(0,s.jsx)(t.code,{children:"kube-router"})," network policy controller, and the Kubernetes ",(0,s.jsx)(t.code,{children:"kubelet"})," and ",(0,s.jsx)(t.code,{children:"kube-proxy"})," components. See the ",(0,s.jsxs)(t.a,{href:"/cli/agent",children:[(0,s.jsx)(t.code,{children:"k3s agent"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s kubectl"})}),(0,s.jsxs)(t.td,{children:["Run the embedded ",(0,s.jsxs)(t.a,{href:"https://kubernetes.io/docs/reference/kubectl",children:[(0,s.jsx)(t.code,{children:"kubectl"})," command"]}),". This is a CLI for interacting with the Kubernetes apiserver. If the ",(0,s.jsx)(t.code,{children:"KUBECONFIG"})," environment variable is not set, this will automatically attempt to use the kubeconfig at ",(0,s.jsx)(t.code,{children:"/etc/rancher/k3s/k3s.yaml"}),"."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s crictl"})}),(0,s.jsxs)(t.td,{children:["Run the embedded ",(0,s.jsxs)(t.a,{href:"https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md",children:[(0,s.jsx)(t.code,{children:"crictl"})," command"]}),". This is a CLI for interacting with Kubernetes's container runtime interface (CRI). Useful for debugging."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s ctr"})}),(0,s.jsxs)(t.td,{children:["Run the embedded ",(0,s.jsxs)(t.a,{href:"https://github.com/projectatomic/containerd/blob/master/docs/cli.md",children:[(0,s.jsx)(t.code,{children:"ctr"})," command"]}),". This is a CLI for containerd, the container daemon used by K3s. Useful for debugging."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s token"})}),(0,s.jsxs)(t.td,{children:["Manage bootstrap tokens. See the ",(0,s.jsxs)(t.a,{href:"/cli/token",children:[(0,s.jsx)(t.code,{children:"k3s token"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s etcd-snapshot"})}),(0,s.jsxs)(t.td,{children:["Perform on demand backups of the K3s cluster data and upload to S3. See the ",(0,s.jsxs)(t.a,{href:"/cli/etcd-snapshot",children:[(0,s.jsx)(t.code,{children:"k3s etcd-snapshot"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s secrets-encrypt"})}),(0,s.jsxs)(t.td,{children:["Configure K3s to encrypt secrets when storing them in the cluster. See the ",(0,s.jsxs)(t.a,{href:"/cli/secrets-encrypt",children:[(0,s.jsx)(t.code,{children:"k3s secrets-encrypt"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s certificate"})}),(0,s.jsxs)(t.td,{children:["Manage K3s certificates. See the ",(0,s.jsxs)(t.a,{href:"/cli/certificate",children:[(0,s.jsx)(t.code,{children:"k3s certificate"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s completion"})}),(0,s.jsx)(t.td,{children:"Generate shell completion scripts for k3s"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s help"})}),(0,s.jsx)(t.td,{children:"Shows a list of commands or help for one command"})]})]})]})]})}function a(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(h,{...e})}):h(e)}},1151:(e,t,n)=>{n.d(t,{Z:()=>o,a:()=>d});var s=n(7294);const r={},c=s.createContext(r);function d(e){const t=s.useContext(c);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function o(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:d(e.components),s.createElement(c.Provider,{value:t},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7813],{4016:(e,t,n)=>{n.r(t),n.d(t,{assets:()=>i,contentTitle:()=>d,default:()=>a,frontMatter:()=>c,metadata:()=>o,toc:()=>l});var s=n(5893),r=n(1151);const c={title:"CLI Tools"},d=void 0,o={id:"cli/cli",title:"CLI Tools",description:"The K3s binary contains a number of additional tools the help you manage your cluster.",source:"@site/docs/cli/cli.md",sourceDirName:"cli",slug:"/cli/",permalink:"/cli/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/cli/cli.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"CLI Tools"},sidebar:"mySidebar",previous:{title:"CIS 1.24 Self Assessment Guide",permalink:"/security/self-assessment-1.24"},next:{title:"server",permalink:"/cli/server"}},i={},l=[];function h(e){const t={a:"a",code:"code",p:"p",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",...(0,r.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(t.p,{children:"The K3s binary contains a number of additional tools the help you manage your cluster."}),"\n",(0,s.jsxs)(t.table,{children:[(0,s.jsx)(t.thead,{children:(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.th,{children:"Command"}),(0,s.jsx)(t.th,{children:"Description"})]})}),(0,s.jsxs)(t.tbody,{children:[(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s server"})}),(0,s.jsxs)(t.td,{children:["Run a K3s server node, which launches the Kubernetes ",(0,s.jsx)(t.code,{children:"apiserver"}),", ",(0,s.jsx)(t.code,{children:"scheduler"}),", ",(0,s.jsx)(t.code,{children:"controller-manager"}),", and ",(0,s.jsx)(t.code,{children:"cloud-controller-manager"})," components, in addition a datastore and the agent components. See the ",(0,s.jsxs)(t.a,{href:"/cli/server",children:[(0,s.jsx)(t.code,{children:"k3s server"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s agent"})}),(0,s.jsxs)(t.td,{children:["Run the K3s agent node, which launches ",(0,s.jsx)(t.code,{children:"containerd"}),", ",(0,s.jsx)(t.code,{children:"flannel"}),", ",(0,s.jsx)(t.code,{children:"kube-router"})," network policy controller, and the Kubernetes ",(0,s.jsx)(t.code,{children:"kubelet"})," and ",(0,s.jsx)(t.code,{children:"kube-proxy"})," components. See the ",(0,s.jsxs)(t.a,{href:"/cli/agent",children:[(0,s.jsx)(t.code,{children:"k3s agent"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s kubectl"})}),(0,s.jsxs)(t.td,{children:["Run the embedded ",(0,s.jsxs)(t.a,{href:"https://kubernetes.io/docs/reference/kubectl",children:[(0,s.jsx)(t.code,{children:"kubectl"})," command"]}),". This is a CLI for interacting with the Kubernetes apiserver. If the ",(0,s.jsx)(t.code,{children:"KUBECONFIG"})," environment variable is not set, this will automatically attempt to use the kubeconfig at ",(0,s.jsx)(t.code,{children:"/etc/rancher/k3s/k3s.yaml"}),"."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s crictl"})}),(0,s.jsxs)(t.td,{children:["Run the embedded ",(0,s.jsxs)(t.a,{href:"https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md",children:[(0,s.jsx)(t.code,{children:"crictl"})," command"]}),". This is a CLI for interacting with Kubernetes's container runtime interface (CRI). Useful for debugging."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s ctr"})}),(0,s.jsxs)(t.td,{children:["Run the embedded ",(0,s.jsxs)(t.a,{href:"https://github.com/projectatomic/containerd/blob/master/docs/cli.md",children:[(0,s.jsx)(t.code,{children:"ctr"})," command"]}),". This is a CLI for containerd, the container daemon used by K3s. Useful for debugging."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s token"})}),(0,s.jsxs)(t.td,{children:["Manage bootstrap tokens. See the ",(0,s.jsxs)(t.a,{href:"/cli/token",children:[(0,s.jsx)(t.code,{children:"k3s token"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s etcd-snapshot"})}),(0,s.jsxs)(t.td,{children:["Perform on demand backups of the K3s cluster data and upload to S3. See the ",(0,s.jsxs)(t.a,{href:"/cli/etcd-snapshot",children:[(0,s.jsx)(t.code,{children:"k3s etcd-snapshot"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s secrets-encrypt"})}),(0,s.jsxs)(t.td,{children:["Configure K3s to encrypt secrets when storing them in the cluster. See the ",(0,s.jsxs)(t.a,{href:"/cli/secrets-encrypt",children:[(0,s.jsx)(t.code,{children:"k3s secrets-encrypt"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s certificate"})}),(0,s.jsxs)(t.td,{children:["Manage K3s certificates. See the ",(0,s.jsxs)(t.a,{href:"/cli/certificate",children:[(0,s.jsx)(t.code,{children:"k3s certificate"})," command documentation"]})," for more information."]})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s completion"})}),(0,s.jsx)(t.td,{children:"Generate shell completion scripts for k3s"})]}),(0,s.jsxs)(t.tr,{children:[(0,s.jsx)(t.td,{children:(0,s.jsx)(t.code,{children:"k3s help"})}),(0,s.jsx)(t.td,{children:"Shows a list of commands or help for one command"})]})]})]})]})}function a(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,s.jsx)(t,{...e,children:(0,s.jsx)(h,{...e})}):h(e)}},1151:(e,t,n)=>{n.d(t,{Z:()=>o,a:()=>d});var s=n(7294);const r={},c=s.createContext(r);function d(e){const t=s.useContext(c);return s.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function o(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:d(e.components),s.createElement(c.Provider,{value:t},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/9e7a009d.c32e204e.js b/assets/js/9e7a009d.32e63337.js
similarity index 99%
rename from assets/js/9e7a009d.c32e204e.js
rename to assets/js/9e7a009d.32e63337.js
index 71ec1eef0..2b8413d01 100644
--- a/assets/js/9e7a009d.c32e204e.js
+++ b/assets/js/9e7a009d.32e63337.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7251],{6253:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var i=t(5893),r=t(1151);const n={hide_table_of_contents:!0,sidebar_position:6},l="v1.25.X",h={id:"release-notes/v1.25.X",title:"v1.25.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.25.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.25.X",permalink:"/release-notes/v1.25.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.25.X.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,sidebarPosition:6,frontMatter:{hide_table_of_contents:!0,sidebar_position:6},sidebar:"mySidebar",previous:{title:"v1.26.X",permalink:"/release-notes/v1.26.X"},next:{title:"v1.24.X",permalink:"/release-notes/v1.24.X"}},c={},d=[{value:"Release v1.25.16+k3s4",id:"release-v12516k3s4",level:2},{value:"Changes since v1.25.15+k3s2:",id:"changes-since-v12515k3s2",level:3},{value:"Release v1.25.15+k3s2",id:"release-v12515k3s2",level:2},{value:"Changes since v1.25.15+k3s1:",id:"changes-since-v12515k3s1",level:3},{value:"Release v1.25.15+k3s1",id:"release-v12515k3s1",level:2},{value:"Changes since v1.25.14+k3s1:",id:"changes-since-v12514k3s1",level:3},{value:"Release v1.25.14+k3s1",id:"release-v12514k3s1",level:2},{value:"Changes since v1.25.13+k3s1:",id:"changes-since-v12513k3s1",level:3},{value:"Release v1.25.13+k3s1",id:"release-v12513k3s1",level:2},{value:"Changes since v1.25.12+k3s1:",id:"changes-since-v12512k3s1",level:3},{value:"Release v1.25.12+k3s1",id:"release-v12512k3s1",level:2},{value:"Changes since v1.25.11+k3s1:",id:"changes-since-v12511k3s1",level:3},{value:"Release v1.25.11+k3s1",id:"release-v12511k3s1",level:2},{value:"Changes since v1.25.10+k3s1:",id:"changes-since-v12510k3s1",level:3},{value:"Release v1.25.10+k3s1",id:"release-v12510k3s1",level:2},{value:"Changes since v1.25.9+k3s1:",id:"changes-since-v1259k3s1",level:3},{value:"Release v1.25.9+k3s1",id:"release-v1259k3s1",level:2},{value:"Changes since v1.25.8+k3s1:",id:"changes-since-v1258k3s1",level:3},{value:"Release v1.25.8+k3s1",id:"release-v1258k3s1",level:2},{value:"Changes since v1.25.7+k3s1:",id:"changes-since-v1257k3s1",level:3},{value:"Release v1.25.7+k3s1",id:"release-v1257k3s1",level:2},{value:"Changes since v1.25.6+k3s1:",id:"changes-since-v1256k3s1",level:3},{value:"Release v1.25.6+k3s1",id:"release-v1256k3s1",level:2},{value:"Changes since v1.25.5+k3s2:",id:"changes-since-v1255k3s2",level:3},{value:"Release v1.25.5+k3s2",id:"release-v1255k3s2",level:2},{value:"Changes since v1.25.5+k3s1:",id:"changes-since-v1255k3s1",level:3},{value:"Release v1.25.5+k3s1",id:"release-v1255k3s1",level:2},{value:"\u26a0\ufe0f WARNING",id:"\ufe0f-warning",level:2},{value:"Changes since v1.25.4+k3s1:",id:"changes-since-v1254k3s1",level:3},{value:"Release v1.25.4+k3s1",id:"release-v1254k3s1",level:2},{value:"Changes since v1.25.3+k3s1:",id:"changes-since-v1253k3s1",level:3},{value:"Release v1.25.3+k3s1",id:"release-v1253k3s1",level:2},{value:"Changes since v1.25.2+k3s1:",id:"changes-since-v1252k3s1",level:3},{value:"Release v1.25.2+k3s1",id:"release-v1252k3s1",level:2},{value:"Changes since v1.25.0+k3s1:",id:"changes-since-v1250k3s1",level:3},{value:"Release v1.25.0+k3s1",id:"release-v1250k3s1",level:2},{value:"Changes since v1.24.4+k3s1:",id:"changes-since-v1244k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",blockquote:"blockquote",br:"br",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(s.header,{children:(0,i.jsx)(s.h1,{id:"v125x",children:"v1.25.X"})}),"\n",(0,i.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,i.jsxs)(s.table,{children:[(0,i.jsx)(s.thead,{children:(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.th,{children:"Version"}),(0,i.jsx)(s.th,{children:"Release date"}),(0,i.jsx)(s.th,{children:"Kubernetes"}),(0,i.jsx)(s.th,{children:"Kine"}),(0,i.jsx)(s.th,{children:"SQLite"}),(0,i.jsx)(s.th,{children:"Etcd"}),(0,i.jsx)(s.th,{children:"Containerd"}),(0,i.jsx)(s.th,{children:"Runc"}),(0,i.jsx)(s.th,{children:"Flannel"}),(0,i.jsx)(s.th,{children:"Metrics-server"}),(0,i.jsx)(s.th,{children:"Traefik"}),(0,i.jsx)(s.th,{children:"CoreDNS"}),(0,i.jsx)(s.th,{children:"Helm-controller"}),(0,i.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,i.jsxs)(s.tbody,{children:[(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12516k3s4",children:"v1.25.16+k3s4"})}),(0,i.jsx)(s.td,{children:"Dec 07 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12516",children:"v1.25.16"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12515k3s2",children:"v1.25.15+k3s2"})}),(0,i.jsx)(s.td,{children:"Nov 08 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12515",children:"v1.25.15"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12515k3s1",children:"v1.25.15+k3s1"})}),(0,i.jsx)(s.td,{children:"Oct 30 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12515",children:"v1.25.15"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12514k3s1",children:"v1.25.14+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 20 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12514",children:"v1.25.14"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.6-k3s1",children:"v1.7.6-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12513k3s1",children:"v1.25.13+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 05 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12513",children:"v1.25.13"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.2",children:"v0.10.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s1",children:"v1.7.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12512k3s1",children:"v1.25.12+k3s1"})}),(0,i.jsx)(s.td,{children:"Jul 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12512",children:"v1.25.12"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.2",children:"v0.15.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12511k3s1",children:"v1.25.11+k3s1"})}),(0,i.jsx)(s.td,{children:"Jun 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12511",children:"v1.25.11"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.0",children:"v0.15.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12510k3s1",children:"v1.25.10+k3s1"})}),(0,i.jsx)(s.td,{children:"May 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12510",children:"v1.25.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.14.0",children:"v0.14.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1259k3s1",children:"v1.25.9+k3s1"})}),(0,i.jsx)(s.td,{children:"Apr 20 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1259",children:"v1.25.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.5",children:"v1.1.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.3",children:"v0.13.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1258k3s1",children:"v1.25.8+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1258",children:"v1.25.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1257k3s1",children:"v1.25.7+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 10 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1257",children:"v1.25.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.1",children:"v0.21.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1256k3s1",children:"v1.25.6+k3s1"})}),(0,i.jsx)(s.td,{children:"Jan 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1256",children:"v1.25.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1255k3s2",children:"v1.25.5+k3s2"})}),(0,i.jsx)(s.td,{children:"Jan 11 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1255",children:"v1.25.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.14-k3s1",children:"v1.6.14-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1255k3s1",children:"v1.25.5+k3s1"})}),(0,i.jsx)(s.td,{children:"Dec 20 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1255",children:"v1.25.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.12-k3s1",children:"v1.6.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1254k3s1",children:"v1.25.4+k3s1"})}),(0,i.jsx)(s.td,{children:"Nov 18 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1254",children:"v1.25.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.1",children:"v0.20.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1",children:"v0.6.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.0",children:"v0.13.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1253k3s1",children:"v1.25.3+k3s1"})}),(0,i.jsx)(s.td,{children:"Oct 25 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1253",children:"v1.25.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.2",children:"v0.19.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1",children:"v0.6.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.1",children:"v2.9.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1252k3s1",children:"v1.25.2+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 28 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1252",children:"v1.25.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.2",children:"v0.19.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1250k3s1",children:"v1.25.0+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 12 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1250",children:"v1.25.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.5.13-k3s2",children:"v1.5.13-k3s2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.3",children:"v1.1.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.1",children:"v0.19.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]})]})]}),"\n",(0,i.jsx)("br",{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12516k3s4",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.16+k3s4",children:"v1.25.16+k3s4"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.16, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12515",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12515k3s2",children:"Changes since v1.25.15+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Etcd status condition ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8819",children:"(#8819)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-11 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8880",children:"(#8880)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["New timezone info in Docker image allows the use of ",(0,i.jsx)(s.code,{children:"spec.timeZone"})," in CronJobs"]}),"\n",(0,i.jsx)(s.li,{children:"Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation."}),"\n",(0,i.jsxs)(s.li,{children:["Containerd may now be configured to use rdt or blockio configuration by defining ",(0,i.jsx)(s.code,{children:"rdt_config.yaml"})," or ",(0,i.jsx)(s.code,{children:"blockio_config.yaml"})," files."]}),"\n",(0,i.jsx)(s.li,{children:"Add agent flag disable-apiserver-lb, agent will not start load balance proxy."}),"\n",(0,i.jsx)(s.li,{children:"Improved ingress IP ordering from ServiceLB"}),"\n",(0,i.jsx)(s.li,{children:"Disable helm CRD installation for disable-helm-controller"}),"\n",(0,i.jsx)(s.li,{children:"Omit snapshot list configmap entries for snapshots without extra metadata"}),"\n",(0,i.jsx)(s.li,{children:"Add jitter to client config retry to avoid hammering servers when they are starting up"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Handle nil pointer when runtime core is not ready in etcd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8889",children:"(#8889)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve dualStack log ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8867",children:"(#8867)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump dynamiclistener; reduce snapshot controller log spew ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8904",children:"(#8904)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret"}),"\n",(0,i.jsx)(s.li,{children:"Reduced etcd snapshot log spam during initial cluster startup"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix etcd snapshot S3 issues ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8939",children:"(#8939)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Don't apply S3 retention if S3 client failed to initialize"}),"\n",(0,i.jsx)(s.li,{children:"Don't request metadata when listing S3 snapshots"}),"\n",(0,i.jsx)(s.li,{children:"Print key instead of file path in snapshot metadata log message"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.16 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8923",children:"(#8923)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove s390x steps temporarily since runners are disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8993",children:"(#8993)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove s390x from manifest script ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8994",children:"(#8994)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12515k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.15+k3s2",children:"v1.25.15+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.15, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12515",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12515k3s1",children:"Changes since v1.25.15+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["E2E Domain Drone Cleanup ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8584",children:"(#8584)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix SystemdCgroup in templates_linux.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8767",children:"(#8767)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue with identifying additional container runtimes"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update traefik chart to v25.0.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8777",children:"(#8777)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update traefik to fix registry value ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8791",children:"(#8791)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12515k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.15+k3s1",children:"v1.25.15+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.15, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12514",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12514k3s1",children:"Changes since v1.25.14+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix error reporting ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8413",children:"(#8413)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add context to flannel errors ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8421",children:"(#8421)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Testing Backports for September ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8301",children:"(#8301)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Include the interface name in the error message ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8437",children:"(#8437)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add extraArgs to tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8466",children:"(#8466)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8445",children:"(#8445)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added error when cluster reset while using server flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8457",children:"(#8457)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The user will receive a error when --cluster-reset with the --server flag"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Cluster reset from non bootstrap nodes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8454",children:"(#8454)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix spellcheck problem ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8511",children:"(#8511)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Take IPFamily precedence based on order ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8506",children:"(#8506)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Network defaults are duplicated, remove one ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8553",children:"(#8553)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Advertise address integration test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8518",children:"(#8518)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed tailscale node IP dualstack mode in case of IPv4 only node ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8560",children:"(#8560)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Server Token Rotation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8578",children:"(#8578)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Users can now rotate the server token using ",(0,i.jsx)(s.code,{children:"k3s token rotate -t --new-token "}),". After command succeeds, all server nodes must be restarted with the new token."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Clear remove annotations on cluster reset ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8589",children:"(#8589)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Use IPv6 in case is the first configured IP with dualstack ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8599",children:"(#8599)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-10 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8617",children:"(#8617)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router package in build script ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8636",children:"(#8636)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add etcd-only/control-plane-only server test and fix control-plane-only server crash ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8644",children:"(#8644)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Windows agent support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8646",children:"(#8646)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use ",(0,i.jsx)(s.code,{children:"version.Program"})," not K3s in token rotate logs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8654",children:"(#8654)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add --image-service-endpoint flag (#8279) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8664",children:"(#8664)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add ",(0,i.jsx)(s.code,{children:"--image-service-endpoint"})," flag to specify an external image service socket."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Backport etcd fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8692",children:"(#8692)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Re-enable etcd endpoint auto-sync"}),"\n",(0,i.jsx)(s.li,{children:"Manually requeue configmap reconcile when no nodes have reconciled snapshots"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.15 and Go to v1.20.10 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8679",children:"(#8679)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix s3 snapshot restore ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8735",children:"(#8735)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12514k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.14+k3s1",children:"v1.25.14+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.14, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12513",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12513k3s1",children:"Changes since v1.25.13+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.10.3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8326",children:"(#8326)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.25.14 and go to 1.20.8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8350",children:"(#8350)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport containerd bump and and test fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8384",children:"(#8384)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bump embedded containerd to v1.7.6"}),"\n",(0,i.jsx)(s.li,{children:"Bump embedded stargz-snapshotter plugin to latest"}),"\n",(0,i.jsx)(s.li,{children:"Fixed intermittent drone CI failures due to race conditions in test environment setup scripts"}),"\n",(0,i.jsx)(s.li,{children:"Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12513k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.13+k3s1",children:"v1.25.13+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.13, and fixes a number of issues."}),"\n",(0,i.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,i.jsxs)(s.p,{children:["This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including mandatory steps necessary to harden clusters against this vulnerability."]})}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12512",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12512k3s1",children:"Changes since v1.25.12+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel and plugins ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8076",children:"(#8076)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix tailscale bug with ip modes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8098",children:"(#8098)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Etcd snapshots retention when node name changes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8123",children:"(#8123)"})]}),"\n",(0,i.jsxs)(s.li,{children:["August Test Backports ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8127",children:"(#8127)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-08 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8132",children:"(#8132)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries."}),"\n",(0,i.jsxs)(s.li,{children:["K3s no longer enables the apiserver's ",(0,i.jsx)(s.code,{children:"enable-aggregator-routing"})," flag when the egress proxy is not being used to route connections to in-cluster endpoints."]}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded containerd to v1.7.3+k3s1"}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded runc to v1.1.8"}),"\n",(0,i.jsxs)(s.li,{children:["User-provided containerd config templates may now use ",(0,i.jsx)(s.code,{children:'{{ template "base" . }}'})," to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file."]}),"\n",(0,i.jsx)(s.li,{children:"Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client."}),"\n",(0,i.jsx)(s.li,{children:"Updated kine to v0.10.2"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["K3s etcd-snapshot delete fail to delete local file when called with s3 flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8145",children:"(#8145)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix for cluster-reset backup from s3 when etcd snapshots are disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8169",children:"(#8169)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed the etcd retention to delete orphaned snapshots based on the date ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8190",children:"(#8190)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Additional backports for 2023-08 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8213",children:"(#8213)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The version of ",(0,i.jsx)(s.code,{children:"helm"})," used by the bundled helm controller's job image has been updated to v3.12.3"]}),"\n",(0,i.jsx)(s.li,{children:"Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes."}),"\n",(0,i.jsx)(s.li,{children:"The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Move flannel to 0.22.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8223",children:"(#8223)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.13 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8241",children:"(#8241)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix runc version bump ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8246",children:"(#8246)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add new CLI flag to enable TLS SAN CN filtering ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8259",children:"(#8259)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Added a new ",(0,i.jsx)(s.code,{children:"--tls-san-security"})," option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8275",children:"(#8275)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12512k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.12+k3s1",children:"v1.25.12+k3s1"})]}),"\n",(0,i.jsxs)(s.p,{children:["This release updates Kubernetes to v1.25.12, and fixes a number of issues.",(0,i.jsx)(s.br,{}),"\n","\u200b\r\nFor more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12511",children:"Kubernetes release notes"}),".\r\n\u200b"]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12511k3s1",children:"Changes since v1.25.11+k3s1:"}),"\n",(0,i.jsx)(s.p,{children:"\u200b"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Remove file_windows.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7856",children:"(#7856)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix code spell check ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7860",children:"(#7860)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow k3s to customize apiServerPort on helm-controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7873",children:"(#7873)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Check if we are on ipv4, ipv6 or dualStack when doing tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7883",children:"(#7883)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Support setting control server URL for Tailscale. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7894",children:"(#7894)"})]}),"\n",(0,i.jsxs)(s.li,{children:["S3 and Startup tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7886",children:"(#7886)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix rootless node password ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7900",children:"(#7900)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-07 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7909",children:"(#7909)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted."}),"\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"k3s certificate rotate-ca"})," command now supports the data-dir flag."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Adding cli to custom klipper helm image ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7915",children:"(#7915)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The default helm-controller job image can now be overridden with the --helm-job-image CLI flag"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Generation of certs and keys for etcd gated if etcd is disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7945",children:"(#7945)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Don't use zgrep in ",(0,i.jsx)(s.code,{children:"check-config"})," if apparmor profile is enforced ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7954",children:"(#7954)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix image_scan.sh script and download trivy version (#7950) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7969",children:"(#7969)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Adjust default kubeconfig file permissions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7984",children:"(#7984)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.12 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8021",children:"(#8021)"}),"\r\n\u200b"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12511k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.11+k3s1",children:"v1.25.11+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.11, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12510",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12510k3s1",children:"Changes since v1.25.10+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7649",children:"(#7649)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump vagrant libvirt with fix for plugin installs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7659",children:"(#7659)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E Backports - June ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7705",children:"(#7705)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Shortcircuit commands with version or help flags #7683"}),"\n",(0,i.jsx)(s.li,{children:"Add Rotation certification Check, remove func to restart agents #7097"}),"\n",(0,i.jsx)(s.li,{children:"E2E: Sudo for RunCmdOnNode #7686"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add private registry e2e test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7722",children:"(#7722)"})]}),"\n",(0,i.jsxs)(s.li,{children:["VPN integration ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7728",children:"(#7728)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix spelling test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7752",children:"(#7752)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove unused libvirt config ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7758",children:"(#7758)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7718",children:"(#7718)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default."}),"\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"coredns-custom"})," ConfigMap now allows for ",(0,i.jsx)(s.code,{children:"*.override"})," sections to be included in the ",(0,i.jsx)(s.code,{children:".:53"})," default server block."]}),"\n",(0,i.jsx)(s.li,{children:"The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user."}),"\n",(0,i.jsx)(s.li,{children:"Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local."}),"\n",(0,i.jsx)(s.li,{children:"Make LB image configurable when compiling k3s"}),"\n",(0,i.jsx)(s.li,{children:"K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod."}),"\n",(0,i.jsx)(s.li,{children:"The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release."}),"\n",(0,i.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add format command on Makefile ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7763",children:"(#7763)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix logging and cleanup in Tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7784",children:"(#7784)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.25.11 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7788",children:"(#7788)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Path normalization affecting kubectl proxy conformance test for /api endpoint ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7818",children:"(#7818)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12510k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.10+k3s1",children:"v1.25.10+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.10, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1259",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1259k3s1",children:"Changes since v1.25.9+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Ensure that klog verbosity is set to the same level as logrus ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7361",children:"(#7361)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add E2E testing in Drone ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7375",children:"(#7375)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add integration tests for etc-snapshot server flags #7377 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7378",children:"(#7378)"})]}),"\n",(0,i.jsxs)(s.li,{children:["CLI + Config Enhancement ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7404",children:"(#7404)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:[(0,i.jsx)(s.code,{children:"--Tls-sans"})," now accepts multiple arguments: ",(0,i.jsx)(s.code,{children:'--tls-sans="foo,bar"'})]}),"\n",(0,i.jsxs)(s.li,{children:[(0,i.jsx)(s.code,{children:"Prefer-bundled-bin: true"})," now works properly when set in ",(0,i.jsx)(s.code,{children:"config.yaml.d"})," files"]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Migrate netutil methods into /utils/net.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7433",children:"(#7433)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Runc + Containerd + Docker for CVE fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7452",children:"(#7452)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kube-router version to fix a bug when a port name is used ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7461",children:"(#7461)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Kube flags and longhorn storage tests 1.25 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7466",children:"(#7466)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Local-storage: Fix permission ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7473",children:"(#7473)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7515",children:"(#7515)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:'K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.'}),"\n",(0,i.jsx)(s.li,{children:"K3s once again supports aarch64 nodes with page size > 4k"}),"\n",(0,i.jsx)(s.li,{children:"The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0"}),"\n",(0,i.jsxs)(s.li,{children:["K3s now prints a more meaningful error when attempting to run from a filesystem mounted ",(0,i.jsx)(s.code,{children:"noexec"}),"."]}),"\n",(0,i.jsxs)(s.li,{children:["K3s now exits with a proper error message when the server token uses a bootstrap token ",(0,i.jsx)(s.code,{children:"id.secret"})," format."]}),"\n",(0,i.jsx)(s.li,{children:"Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content."}),"\n",(0,i.jsx)(s.li,{children:"Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component."}),"\n",(0,i.jsx)(s.li,{children:"Fixed an regression that prevented the pod and cluster egress-selector modes from working properly."}),"\n",(0,i.jsx)(s.li,{children:"K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes."}),"\n",(0,i.jsx)(s.li,{children:"K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster."}),"\n",(0,i.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.10.1. This replaces the legacy ",(0,i.jsx)(s.code,{children:"lib/pq"})," postgres driver with ",(0,i.jsx)(s.code,{children:"pgx"}),"."]}),"\n",(0,i.jsx)(s.li,{children:"The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle."}),"\n",(0,i.jsx)(s.li,{children:"The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.1-k3s1/v1.1.7 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7535",children:"(#7535)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Wrap error stating that it is coming from netpol ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7548",children:"(#7548)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add '-all' flag to apply to inactive units ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7574",children:"(#7574)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.10-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7582",children:"(#7582)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1259k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.9+k3s1",children:"v1.25.9+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.9, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1258",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1258k3s1",children:"Changes since v1.25.8+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Enhance ",(0,i.jsx)(s.code,{children:"check-config"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7164",children:"(#7164)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove deprecated nodeSelector label beta.kubernetes.io/os (#6970) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7121",children:"(#7121)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7228",children:"(#7228)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled local-path-provisioner version has been bumped to v0.0.24"}),"\n",(0,i.jsx)(s.li,{children:"The bundled runc version has been bumped to v1.1.5"}),"\n",(0,i.jsx)(s.li,{children:"The bundled coredns version has been bumped to v1.10.1"}),"\n",(0,i.jsx)(s.li,{children:"When using an external datastore, K3s now locks the bootstrap key while creating initial cluster bootstrap data, preventing a race condition when multiple servers attempted to initialize the cluster simultaneously."}),"\n",(0,i.jsx)(s.li,{children:"The client load-balancer that maintains connections to active server nodes now closes connections to servers when they are removed from the cluster. This ensures that agent components immediately reconnect to a current cluster member."}),"\n",(0,i.jsx)(s.li,{children:"Fixed a race condition during cluster reset that could cause the operation to hang and time out."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Updated kube-router to move the default ACCEPT rule at the end of the chain ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7221",children:"(#7221)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update klipper lb and helm-controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7240",children:"(#7240)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kube-router ACCEPT rule insertion and install script to clean rules before start ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7276",children:"(#7276)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.9-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7283",children:"(#7283)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1258k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.8+k3s1",children:"v1.25.8+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.8, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1257",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1257k3s1",children:"Changes since v1.25.7+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel and kube-router ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7061",children:"(#7061)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump various dependencies for CVEs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7043",children:"(#7043)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Enable dependabot ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7045",children:"(#7045)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for kubelet port to be ready before setting ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7064",children:"(#7064)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The agent tunnel authorizer now waits for the kubelet to be ready before reading the kubelet port from the node object."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Adds a warning about editing to the containerd config.toml file ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7075",children:"(#7075)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve support for rotating the default self-signed certs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7079",children:"(#7079)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"k3s certificate rotate-ca"})," checks now support rotating self-signed certificates without the ",(0,i.jsx)(s.code,{children:"--force"})," option."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.8-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7106",children:"(#7106)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update flannel to fix NAT issue with old iptables version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7138",children:"(#7138)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1257k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.7+k3s1",children:"v1.25.7+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.7, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1256",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1256k3s1",children:"Changes since v1.25.6+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add jitter to scheduled snapshots and retry harder on conflicts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6782",children:"(#6782)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Scheduled etcd snapshots are now offset by a short random delay of up to several seconds. This should prevent multi-server clusters from executing pathological behavior when attempting to simultaneously update the snapshot list ConfigMap. The snapshot controller will also be more persistent in attempting to update the snapshot list."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump cri-dockerd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6798",children:"(#6798)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded cri-dockerd has been updated to v0.3.1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bugfix: do not break cert-manager when pprof is enabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6837",children:"(#6837)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for cri-dockerd socket ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6853",children:"(#6853)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump vagrant boxes to fedora37 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6858",children:"(#6858)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix cronjob example ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6864",children:"(#6864)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Ensure flag type consistency ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6867",children:"(#6867)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Consolidate E2E tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6887",children:"(#6887)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Ignore value conflicts when reencrypting secrets ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6919",children:"(#6919)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use default address family when adding kubernetes service address to SAN list ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6904",children:"(#6904)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The apiserver advertised address and IP SAN entry are now set correctly on clusters that use IPv6 as the default IP family."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Allow ServiceLB to honor ",(0,i.jsx)(s.code,{children:"ExternalTrafficPolicy=Local"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6907",children:"(#6907)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"ServiceLB now honors the Service's ExternalTrafficPolicy. When set to Local, the LoadBalancer will only advertise addresses of Nodes with a Pod for the Service, and will not forward traffic to other cluster members."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix issue with servicelb startup failure when validating webhooks block creation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6916",children:"(#6916)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded cloud controller manager will no longer attempt to unconditionally re-create its namespace and serviceaccount on startup. This resolves an issue that could cause a deadlocked cluster when fail-closed webhooks are in use."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Backport user-provided CA cert and ",(0,i.jsx)(s.code,{children:"kubeadm"})," bootstrap token support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6929",children:"(#6929)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["K3s now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before K3s starts in the github repo at ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/certs.sh",children:"contrib/util/certs.sh"}),"."]}),"\n",(0,i.jsxs)(s.li,{children:["K3s now supports ",(0,i.jsx)(s.code,{children:"kubeadm"})," style join tokens. ",(0,i.jsx)(s.code,{children:"k3s token create"})," now creates join token secrets, optionally with a limited TTL."]}),"\n",(0,i.jsx)(s.li,{children:"K3s agents joined with an expired or deleted token stay in the cluster using existing client certificates via the NodeAuthorization admission plugin, unless their Node object is deleted from the cluster."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6936",children:"(#6936)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue that would cause the apiserver egress proxy to attempt to use the agent tunnel to connect to service endpoints even in agent or disabled mode."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Updated flannel version to v0.21.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6915",children:"(#6915)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow for multiple sets of leader-elected controllers ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6941",children:"(#6941)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue where leader-elected controllers for managed etcd did not run on etcd-only nodes"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix etcd and ca-cert rotate issues ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6954",children:"(#6954)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix ServiceLB dual-stack ingress IP listing ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6987",children:"(#6987)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Resolved an issue with ServiceLB that would cause it to advertise node IPv6 addresses, even if the cluster or service was not enabled for dual-stack operation."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.9.9 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6975",children:"(#6975)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.9.9. Compaction log messages are now omitted at ",(0,i.jsx)(s.code,{children:"info"})," level for increased visibility."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.7-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7010",children:"(#7010)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1256k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.6+k3s1",children:"v1.25.6+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.6, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1255",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1255k3s2",children:"Changes since v1.25.5+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Pass through default tls-cipher-suites ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6730",children:"(#6730)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The K3s default cipher suites are now explicitly passed in to kube-apiserver, ensuring that all listeners use these values."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.15-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6735",children:"(#6735)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.15-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump action/download-artifact to v3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6747",children:"(#6747)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport dependabot/updatecli updates ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6761",children:"(#6761)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix Drone plugins/docker tag for 32 bit arm ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6768",children:"(#6768)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.6+k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6775",children:"(#6775)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1255k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.5+k3s2",children:"v1.25.5+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates containerd to v1.6.14 to resolve an issue where pods would lose their CNI information when containerd was restarted."}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1255k3s1",children:"Changes since v1.25.5+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.14-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6694",children:"(#6694)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.14-k3s1. This includes a backported fix for ",(0,i.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"containerd/7843"})," which caused pods to lose their CNI info when containerd was restarted, which in turn caused the kubelet to recreate the pod."]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1255k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.5+k3s1",children:"v1.25.5+k3s1"})]}),"\n",(0,i.jsxs)(s.blockquote,{children:["\n",(0,i.jsx)(s.h2,{id:"\ufe0f-warning",children:"\u26a0\ufe0f WARNING"}),"\n",(0,i.jsxs)(s.p,{children:["This release is affected by ",(0,i.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"https://github.com/containerd/containerd/issues/7843"}),", which causes the kubelet to restart all pods whenever K3s is restarted. For this reason, we have removed this K3s release from the channel server. Please use ",(0,i.jsx)(s.code,{children:"v1.25.5+k3s2"})," instead."]}),"\n"]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.5, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:[(0,i.jsx)(s.strong,{children:"Breaking Change:"})," K3s no longer includes ",(0,i.jsx)(s.code,{children:"swanctl"})," and ",(0,i.jsx)(s.code,{children:"charon"})," binaries. If you are using the ipsec flannel backend, please ensure that the strongswan ",(0,i.jsx)(s.code,{children:"swanctl"})," and ",(0,i.jsx)(s.code,{children:"charon"})," packages are installed on your node before upgrading K3s to this release."]}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1254",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1254k3s1",children:"Changes since v1.25.4+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix log for flannelExternalIP use case ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6531",children:"(#6531)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix Carolines github id ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6464",children:"(#6464)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Github CI Updates ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6522",children:"(#6522)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add new ",(0,i.jsx)(s.code,{children:"prefer-bundled-bin"})," experimental flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6420",children:"(#6420)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Added new prefer-bundled-bin flag which force K3s to use its bundle binaries over that of the host tools"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.10 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6512",children:"(#6512)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded containerd version has been updated to v1.6.10-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Stage the Traefik charts through k3s-charts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6519",children:"(#6519)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Make rootless settings configurable ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6498",children:"(#6498)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The rootless ",(0,i.jsx)(s.code,{children:"port-driver"}),", ",(0,i.jsx)(s.code,{children:"cidr"}),", ",(0,i.jsx)(s.code,{children:"mtu"}),", ",(0,i.jsx)(s.code,{children:"enable-ipv6"}),", and ",(0,i.jsx)(s.code,{children:"disable-host-loopback"})," settings can now be configured via environment variables."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Remove stuff which belongs in the windows executor implementation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6517",children:"(#6517)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Mark v1.25.4+k3s1 as stable ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6534",children:"(#6534)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add ",(0,i.jsx)(s.code,{children:"prefer-bundled-bin"})," as an agent flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6545",children:"(#6545)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump klipper-helm and klipper-lb versions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6549",children:"(#6549)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded Load-Balancer controller image has been bumped to klipper-lb",":v0",".4.0, which includes support for the ",(0,i.jsx)(s.a,{href:"https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#:~:text=loadBalancerSourceRanges",children:"LoadBalancerSourceRanges"})," field."]}),"\n",(0,i.jsxs)(s.li,{children:["The embedded Helm controller image has been bumped to klipper-helm",":v0",".7.4-build20221121"]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Switch from Google Buckets to AWS S3 Buckets ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6497",children:"(#6497)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix passing AWS creds through Dapper ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6567",children:"(#6567)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix artifact upload with ",(0,i.jsx)(s.code,{children:"aws s3 cp"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6568",children:"(#6568)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Disable CCM metrics port when legacy CCM functionality is disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6572",children:"(#6572)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded cloud-controller-manager's metrics listener on port 10258 is now disabled when the ",(0,i.jsx)(s.code,{children:"--disable-cloud-controller"})," flag is set."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Sync packaged component Deployment config ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6552",children:"(#6552)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Deployments for K3s packaged components now have consistent upgrade strategy and revisionHistoryLimit settings, and will not override scaling decisions by hardcoding the replica count."}),"\n",(0,i.jsx)(s.li,{children:"The packaged metrics-server has been bumped to v0.6.2"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Mark secrets-encryption flag as GA ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6582",children:"(#6582)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump k3s root to v0.12.0 and remove strongswan binaries ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6400",children:"(#6400)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded k3s-root version has been bumped to v0.12.0, based on buildroot 2022.08.1."}),"\n",(0,i.jsxs)(s.li,{children:["The embedded swanctl and charon binaries have been removed. If you are using the ipsec flannel backend, please ensure that the strongswan ",(0,i.jsx)(s.code,{children:"swanctl"})," and ",(0,i.jsx)(s.code,{children:"charon"})," packages are installed on your node before upgrading k3s."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update flannel to v0.20.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6588",children:"(#6588)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add ADR for security bumps automation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6559",children:"(#6559)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update node12->node16 based GH actions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6593",children:"(#6593)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Updating rel docs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6237",children:"(#6237)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update install.sh to recommend current version of k3s-selinux ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6453",children:"(#6453)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.5-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6622",children:"(#6622)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.12-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6631",children:"(#6631)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.12"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Preload iptable_filter/ip6table_filter ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6646",children:"(#6646)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1254k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.4+k3s1",children:"v1.25.4+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.4, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1253",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1253k3s1",children:"Changes since v1.25.3+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add the gateway parameter in netplan ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6292",children:"(#6292)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bumped dynamiclistener library to v0.3.5 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6300",children:"(#6300)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router to v1.5.1 with extra logging ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6345",children:"(#6345)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update maintainers ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6298",children:"(#6298)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump testing to opensuse Leap 15.4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6337",children:"(#6337)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update E2E docs with more info on ubuntu 22.04 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6316",children:"(#6316)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Netpol test for podSelector & ingress ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6247",children:"(#6247)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump all alpine images to 3.16 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6334",children:"(#6334)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.9.6 / sqlite3 v3.39.2 (",(0,i.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2022-35737",children:"CVE-2022-35737"}),") ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6317",children:"(#6317)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add hardened cluster and upgrade tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6320",children:"(#6320)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The bundled Traefik helm chart has been updated to v18.0.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6353",children:"(#6353)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Mark v1.25.3+k3s1 as stable ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6338",children:"(#6338)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The embedded helm controller has been bumped to v0.13.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6294",children:"(#6294)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed an issue that would prevent the deploy controller from handling manifests that include resource types that are no longer supported by the apiserver. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6295",children:"(#6295)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Replace fedora-coreos with fedora 36 for install tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6315",children:"(#6315)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Convert containerd config.toml.tmpl Linux template to v2 syntax ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6267",children:"(#6267)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add test for node-external-ip config parameter ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6359",children:"(#6359)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use debugger-friendly compile settings if DEBUG is set ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6147",children:"(#6147)"})]}),"\n",(0,i.jsxs)(s.li,{children:["update e2e tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6354",children:"(#6354)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove unused vagrant development scripts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6395",children:"(#6395)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The bundled Traefik has been updated to v2.9.4 / helm chart v18.3.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6397",children:"(#6397)"})]}),"\n",(0,i.jsxs)(s.li,{children:["None ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6371",children:"(#6371)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix incorrect defer usage ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6296",children:"(#6296)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add snapshot restore e2e test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6396",children:"(#6396)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix sonobouy tests on v1.25 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6399",children:"(#6399)"})]}),"\n",(0,i.jsx)(s.li,{children:"Bump packaged component versions"}),"\n",(0,i.jsx)(s.li,{children:"The packaged traefik helm chart has been bumped to v19.0.0, enabling ingressClass support by default."}),"\n",(0,i.jsx)(s.li,{children:"The packaged local-path-provisioner has been bumped to v0.0.23"}),"\n",(0,i.jsxs)(s.li,{children:["The packaged coredns has been bumped to v1.9.4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6408",children:"(#6408)"})]}),"\n",(0,i.jsxs)(s.li,{children:["log kube-router version when starting netpol controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6405",children:"(#6405)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add Kairos to ADOPTERS ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6417",children:"(#6417)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Flannel to 0.20.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6388",children:"(#6388)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Avoid wrong config for ",(0,i.jsx)(s.code,{children:"flannel-external-ip"})," and add warning if unencrypted backend ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6403",children:"(#6403)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix test-mods to allow for pinning version from k8s.io ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6413",children:"(#6413)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix for metrics-server in the multi-cloud cluster env ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6386",children:"(#6386)"})]}),"\n",(0,i.jsxs)(s.li,{children:["K3s now indicates specifically which cluster-level configuration flags are out of sync when critical configuration differs between server nodes. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6409",children:"(#6409)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Convert test output to JSON format ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6410",children:"(#6410)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pull traefik helm chart directly from GH ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6468",children:"(#6468)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Nightly test fix ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6475",children:"(#6475)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6477",children:"(#6477)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove stuff which belongs in the windows executor implementation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6492",children:"(#6492)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The packaged traefik helm chart has been bumped to 19.0.4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6494",children:"(#6494)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Move traefik chart repo again ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6508",children:"(#6508)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1253k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.3+k3s1",children:"v1.25.3+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.3, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1252",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1252k3s1",children:"Changes since v1.25.2+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["E2E: Groundwork for PR runs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6131",children:"(#6131)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix flannel for deployments of nodes which do not belong to the same network and connect using their public IP ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6180",children:"(#6180)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Mark v1.24.6+k3s1 as stable ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6193",children:"(#6193)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add cluster reset test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6161",children:"(#6161)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The embedded metrics-server version has been bumped to v0.6.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6151",children:"(#6151)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The ServiceLB (klipper-lb) service controller is now integrated into the K3s stub cloud controller manager. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6181",children:"(#6181)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Events recorded to the cluster by embedded controllers are now properly formatted in the service logs. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6203",children:"(#6203)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix ",(0,i.jsx)(s.code,{children:"error dialing backend"})," errors in apiserver network proxy ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6216",children:"(#6216)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fixed an issue with the apiserver network proxy that caused ",(0,i.jsx)(s.code,{children:"kubectl exec"})," to occasionally fail with ",(0,i.jsx)(s.code,{children:"error dialing backend: EOF"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed an issue with the apiserver network proxy that caused ",(0,i.jsx)(s.code,{children:"kubectl exec"})," and ",(0,i.jsx)(s.code,{children:"kubectl logs"})," to fail when a custom kubelet port was used, and the custom port was blocked by firewall or security group rules."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix the typo in the test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6183",children:"(#6183)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use setup-go action to cache dependencies ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6220",children:"(#6220)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add journalctl logs to E2E tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6224",children:"(#6224)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The embedded Traefik version has been bumped to v2.9.1 / chart 12.0.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6223",children:"(#6223)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix flakey etcd test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6232",children:"(#6232)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Replace deprecated ioutil package ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6230",children:"(#6230)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix dualStack test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6245",children:"(#6245)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add ServiceAccount for svclb pods ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6253",children:"(#6253)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.3-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6269",children:"(#6269)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Return ProviderID in URI format ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6284",children:"(#6284)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Corrected CCM RBAC to allow for removal of legacy service finalizer during upgrades. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6306",children:"(#6306)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added a new --flannel-external-ip flag. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6321",children:"(#6321)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"When enabled, Flannel traffic will now use the nodes external IPs, instead of internal."}),"\n",(0,i.jsx)(s.li,{children:"This is meant for use with distributed clusters that are not all on the same local network."}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1252k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.2+k3s1",children:"v1.25.2+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.2, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1250",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1250k3s1",children:"Changes since v1.25.0+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add k3s v1.25 to the release channel ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6129",children:"(#6129)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Restore original INSTALL_K3S_SKIP_DOWNLOAD behavior ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6130",children:"(#6130)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add K3S Release Documentation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6135",children:"(#6135)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6140",children:"(#6140)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.2-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6168",children:"(#6168)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1250k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.0+k3s1",children:"v1.25.0+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release is K3S's first in the v1.25 line. This release updates Kubernetes to v1.25.0."}),"\n",(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,i.jsxs)(s.p,{children:[(0,i.jsx)(s.strong,{children:"Important Note:"})," Kubernetes v1.25 removes the beta ",(0,i.jsx)(s.code,{children:"PodSecurityPolicy"})," admission plugin. Please follow the ",(0,i.jsx)(s.a,{href:"https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/",children:"upstream documentation"})," to migrate from PSP if using the built-in PodSecurity Admission Plugin, prior to upgrading to v1.25.0+k3s1."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1244k3s1",children:"Changes since v1.24.4+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.25.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6040",children:"(#6040)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove ",(0,i.jsx)(s.code,{children:"--containerd"})," flag from windows kubelet args ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6028",children:"(#6028)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E: Add support for CentOS 7 and Rocky 8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6015",children:"(#6015)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Convert install tests to run PR build of k3s ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6003",children:"(#6003)"})]}),"\n",(0,i.jsxs)(s.li,{children:["CI: update Fedora 34 -> 35 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5996",children:"(#5996)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix dualStack test and change ipv6 network prefix ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6023",children:"(#6023)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix e2e tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6018",children:"(#6018)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update README.md ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6048",children:"(#6048)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove wireguard interfaces when deleting the cluster ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6055",children:"(#6055)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add validation check to confirm correct golang version for Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6050",children:"(#6050)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Expand startup integration test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6030",children:"(#6030)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update go.mod version to 1.19 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6049",children:"(#6049)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Usage of ",(0,i.jsx)(s.code,{children:"--cluster-secret"}),", ",(0,i.jsx)(s.code,{children:"--no-deploy"}),", and ",(0,i.jsx)(s.code,{children:"--no-flannel"})," is no longer supported. Attempts to use these flags will cause fatal errors. See ",(0,i.jsx)(s.a,{href:"https://k3s-io.github.io/docs/reference/server-config#deprecated-options",children:"the docs"})," for their replacement. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6069",children:"(#6069)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Flannel version to fix older iptables version issue. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6090",children:"(#6090)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The bundled version of runc has been bumped to v1.1.4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6071",children:"(#6071)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.8-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6078",children:"(#6078)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix deprecation message ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6112",children:"(#6112)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added warning message for flannel backend additional options deprecation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6111",children:"(#6111)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,i.jsx)(s,{...e,children:(0,i.jsx)(a,{...e})}):a(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>h,a:()=>l});var i=t(7294);const r={},n=i.createContext(r);function l(e){const s=i.useContext(n);return i.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:l(e.components),i.createElement(n.Provider,{value:s},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[7251],{6253:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var i=t(5893),r=t(1151);const n={hide_table_of_contents:!0,sidebar_position:6},l="v1.25.X",h={id:"release-notes/v1.25.X",title:"v1.25.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.25.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.25.X",permalink:"/release-notes/v1.25.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.25.X.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,sidebarPosition:6,frontMatter:{hide_table_of_contents:!0,sidebar_position:6},sidebar:"mySidebar",previous:{title:"v1.26.X",permalink:"/release-notes/v1.26.X"},next:{title:"v1.24.X",permalink:"/release-notes/v1.24.X"}},c={},d=[{value:"Release v1.25.16+k3s4",id:"release-v12516k3s4",level:2},{value:"Changes since v1.25.15+k3s2:",id:"changes-since-v12515k3s2",level:3},{value:"Release v1.25.15+k3s2",id:"release-v12515k3s2",level:2},{value:"Changes since v1.25.15+k3s1:",id:"changes-since-v12515k3s1",level:3},{value:"Release v1.25.15+k3s1",id:"release-v12515k3s1",level:2},{value:"Changes since v1.25.14+k3s1:",id:"changes-since-v12514k3s1",level:3},{value:"Release v1.25.14+k3s1",id:"release-v12514k3s1",level:2},{value:"Changes since v1.25.13+k3s1:",id:"changes-since-v12513k3s1",level:3},{value:"Release v1.25.13+k3s1",id:"release-v12513k3s1",level:2},{value:"Changes since v1.25.12+k3s1:",id:"changes-since-v12512k3s1",level:3},{value:"Release v1.25.12+k3s1",id:"release-v12512k3s1",level:2},{value:"Changes since v1.25.11+k3s1:",id:"changes-since-v12511k3s1",level:3},{value:"Release v1.25.11+k3s1",id:"release-v12511k3s1",level:2},{value:"Changes since v1.25.10+k3s1:",id:"changes-since-v12510k3s1",level:3},{value:"Release v1.25.10+k3s1",id:"release-v12510k3s1",level:2},{value:"Changes since v1.25.9+k3s1:",id:"changes-since-v1259k3s1",level:3},{value:"Release v1.25.9+k3s1",id:"release-v1259k3s1",level:2},{value:"Changes since v1.25.8+k3s1:",id:"changes-since-v1258k3s1",level:3},{value:"Release v1.25.8+k3s1",id:"release-v1258k3s1",level:2},{value:"Changes since v1.25.7+k3s1:",id:"changes-since-v1257k3s1",level:3},{value:"Release v1.25.7+k3s1",id:"release-v1257k3s1",level:2},{value:"Changes since v1.25.6+k3s1:",id:"changes-since-v1256k3s1",level:3},{value:"Release v1.25.6+k3s1",id:"release-v1256k3s1",level:2},{value:"Changes since v1.25.5+k3s2:",id:"changes-since-v1255k3s2",level:3},{value:"Release v1.25.5+k3s2",id:"release-v1255k3s2",level:2},{value:"Changes since v1.25.5+k3s1:",id:"changes-since-v1255k3s1",level:3},{value:"Release v1.25.5+k3s1",id:"release-v1255k3s1",level:2},{value:"\u26a0\ufe0f WARNING",id:"\ufe0f-warning",level:2},{value:"Changes since v1.25.4+k3s1:",id:"changes-since-v1254k3s1",level:3},{value:"Release v1.25.4+k3s1",id:"release-v1254k3s1",level:2},{value:"Changes since v1.25.3+k3s1:",id:"changes-since-v1253k3s1",level:3},{value:"Release v1.25.3+k3s1",id:"release-v1253k3s1",level:2},{value:"Changes since v1.25.2+k3s1:",id:"changes-since-v1252k3s1",level:3},{value:"Release v1.25.2+k3s1",id:"release-v1252k3s1",level:2},{value:"Changes since v1.25.0+k3s1:",id:"changes-since-v1250k3s1",level:3},{value:"Release v1.25.0+k3s1",id:"release-v1250k3s1",level:2},{value:"Changes since v1.24.4+k3s1:",id:"changes-since-v1244k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",blockquote:"blockquote",br:"br",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(s.header,{children:(0,i.jsx)(s.h1,{id:"v125x",children:"v1.25.X"})}),"\n",(0,i.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,i.jsxs)(s.table,{children:[(0,i.jsx)(s.thead,{children:(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.th,{children:"Version"}),(0,i.jsx)(s.th,{children:"Release date"}),(0,i.jsx)(s.th,{children:"Kubernetes"}),(0,i.jsx)(s.th,{children:"Kine"}),(0,i.jsx)(s.th,{children:"SQLite"}),(0,i.jsx)(s.th,{children:"Etcd"}),(0,i.jsx)(s.th,{children:"Containerd"}),(0,i.jsx)(s.th,{children:"Runc"}),(0,i.jsx)(s.th,{children:"Flannel"}),(0,i.jsx)(s.th,{children:"Metrics-server"}),(0,i.jsx)(s.th,{children:"Traefik"}),(0,i.jsx)(s.th,{children:"CoreDNS"}),(0,i.jsx)(s.th,{children:"Helm-controller"}),(0,i.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,i.jsxs)(s.tbody,{children:[(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12516k3s4",children:"v1.25.16+k3s4"})}),(0,i.jsx)(s.td,{children:"Dec 07 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12516",children:"v1.25.16"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.0",children:"v0.11.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12515k3s2",children:"v1.25.15+k3s2"})}),(0,i.jsx)(s.td,{children:"Nov 08 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12515",children:"v1.25.15"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12515k3s1",children:"v1.25.15+k3s1"})}),(0,i.jsx)(s.td,{children:"Oct 30 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12515",children:"v1.25.15"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.7-k3s1",children:"v1.7.7-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.5",children:"v2.10.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12514k3s1",children:"v1.25.14+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 20 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12514",children:"v1.25.14"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.3",children:"v0.10.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.6-k3s1",children:"v1.7.6-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12513k3s1",children:"v1.25.13+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 05 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12513",children:"v1.25.13"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.2",children:"v0.10.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_42_0.html",children:"3.42.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.3-k3s1",children:"v1.7.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.8",children:"v1.1.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.2",children:"v0.22.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.4",children:"v0.15.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12512k3s1",children:"v1.25.12+k3s1"})}),(0,i.jsx)(s.td,{children:"Jul 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12512",children:"v1.25.12"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.2",children:"v0.15.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12511k3s1",children:"v1.25.11+k3s1"})}),(0,i.jsx)(s.td,{children:"Jun 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12511",children:"v1.25.11"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.22.0",children:"v0.22.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3",children:"v0.6.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.0",children:"v0.15.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v12510k3s1",children:"v1.25.10+k3s1"})}),(0,i.jsx)(s.td,{children:"May 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v12510",children:"v1.25.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.10.1",children:"v0.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.1-k3s1",children:"v1.7.1-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.7",children:"v1.1.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.10",children:"v2.9.10"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.14.0",children:"v0.14.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1259k3s1",children:"v1.25.9+k3s1"})}),(0,i.jsx)(s.td,{children:"Apr 20 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1259",children:"v1.25.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.5",children:"v1.1.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.3",children:"v0.13.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.24",children:"v0.0.24"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1258k3s1",children:"v1.25.8+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 27 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1258",children:"v1.25.8"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.19-k3s1",children:"v1.6.19-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.4",children:"v0.21.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1257k3s1",children:"v1.25.7+k3s1"})}),(0,i.jsx)(s.td,{children:"Mar 10 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1257",children:"v1.25.7"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.9",children:"v0.9.9"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.21.1",children:"v0.21.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1256k3s1",children:"v1.25.6+k3s1"})}),(0,i.jsx)(s.td,{children:"Jan 26 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1256",children:"v1.25.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.15-k3s1",children:"v1.6.15-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1255k3s2",children:"v1.25.5+k3s2"})}),(0,i.jsx)(s.td,{children:"Jan 11 2023"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1255",children:"v1.25.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.14-k3s1",children:"v1.6.14-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1255k3s1",children:"v1.25.5+k3s1"})}),(0,i.jsx)(s.td,{children:"Dec 20 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1255",children:"v1.25.5"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.12-k3s1",children:"v1.6.12-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.2",children:"v0.20.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2",children:"v0.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.1",children:"v0.13.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1254k3s1",children:"v1.25.4+k3s1"})}),(0,i.jsx)(s.td,{children:"Nov 18 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1254",children:"v1.25.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.6",children:"v0.9.6"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_39_2.html",children:"3.39.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.20.1",children:"v0.20.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1",children:"v0.6.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.4",children:"v2.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.4",children:"v1.9.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.13.0",children:"v0.13.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.23",children:"v0.0.23"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1253k3s1",children:"v1.25.3+k3s1"})}),(0,i.jsx)(s.td,{children:"Oct 25 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1253",children:"v1.25.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.2",children:"v0.19.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1",children:"v0.6.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.9.1",children:"v2.9.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1252k3s1",children:"v1.25.2+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 28 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1252",children:"v1.25.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.6.8-k3s1",children:"v1.6.8-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.4",children:"v1.1.4"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.2",children:"v0.19.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]}),(0,i.jsxs)(s.tr,{children:[(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"/release-notes/v1.25.X#release-v1250k3s1",children:"v1.25.0+k3s1"})}),(0,i.jsx)(s.td,{children:"Sep 12 2022"}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#v1250",children:"v1.25.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.9.3",children:"v0.9.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_36_0.html",children:"3.36.0"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.3-k3s1",children:"v3.5.3-k3s1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.5.13-k3s2",children:"v1.5.13-k3s2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.3",children:"v1.1.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.19.1",children:"v0.19.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2",children:"v0.5.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.6.2",children:"v2.6.2"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.9.1",children:"v1.9.1"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.12.3",children:"v0.12.3"})}),(0,i.jsx)(s.td,{children:(0,i.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.21",children:"v0.0.21"})})]})]})]}),"\n",(0,i.jsx)("br",{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12516k3s4",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.16+k3s4",children:"v1.25.16+k3s4"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.16, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12515",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12515k3s2",children:"Changes since v1.25.15+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Etcd status condition ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8819",children:"(#8819)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-11 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8880",children:"(#8880)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["New timezone info in Docker image allows the use of ",(0,i.jsx)(s.code,{children:"spec.timeZone"})," in CronJobs"]}),"\n",(0,i.jsx)(s.li,{children:"Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation."}),"\n",(0,i.jsxs)(s.li,{children:["Containerd may now be configured to use rdt or blockio configuration by defining ",(0,i.jsx)(s.code,{children:"rdt_config.yaml"})," or ",(0,i.jsx)(s.code,{children:"blockio_config.yaml"})," files."]}),"\n",(0,i.jsx)(s.li,{children:"Add agent flag disable-apiserver-lb, agent will not start load balance proxy."}),"\n",(0,i.jsx)(s.li,{children:"Improved ingress IP ordering from ServiceLB"}),"\n",(0,i.jsx)(s.li,{children:"Disable helm CRD installation for disable-helm-controller"}),"\n",(0,i.jsx)(s.li,{children:"Omit snapshot list configmap entries for snapshots without extra metadata"}),"\n",(0,i.jsx)(s.li,{children:"Add jitter to client config retry to avoid hammering servers when they are starting up"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Handle nil pointer when runtime core is not ready in etcd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8889",children:"(#8889)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve dualStack log ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8867",children:"(#8867)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump dynamiclistener; reduce snapshot controller log spew ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8904",children:"(#8904)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret"}),"\n",(0,i.jsx)(s.li,{children:"Reduced etcd snapshot log spam during initial cluster startup"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix etcd snapshot S3 issues ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8939",children:"(#8939)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Don't apply S3 retention if S3 client failed to initialize"}),"\n",(0,i.jsx)(s.li,{children:"Don't request metadata when listing S3 snapshots"}),"\n",(0,i.jsx)(s.li,{children:"Print key instead of file path in snapshot metadata log message"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.16 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8923",children:"(#8923)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove s390x steps temporarily since runners are disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8993",children:"(#8993)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove s390x from manifest script ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8994",children:"(#8994)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12515k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.15+k3s2",children:"v1.25.15+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.15, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12515",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12515k3s1",children:"Changes since v1.25.15+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["E2E Domain Drone Cleanup ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8584",children:"(#8584)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix SystemdCgroup in templates_linux.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8767",children:"(#8767)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue with identifying additional container runtimes"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update traefik chart to v25.0.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8777",children:"(#8777)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update traefik to fix registry value ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8791",children:"(#8791)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12515k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.15+k3s1",children:"v1.25.15+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.15, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12514",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12514k3s1",children:"Changes since v1.25.14+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix error reporting ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8413",children:"(#8413)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add context to flannel errors ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8421",children:"(#8421)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Testing Backports for September ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8301",children:"(#8301)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Include the interface name in the error message ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8437",children:"(#8437)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add extraArgs to tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8466",children:"(#8466)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8445",children:"(#8445)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added error when cluster reset while using server flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8457",children:"(#8457)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The user will receive a error when --cluster-reset with the --server flag"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Cluster reset from non bootstrap nodes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8454",children:"(#8454)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix spellcheck problem ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8511",children:"(#8511)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Take IPFamily precedence based on order ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8506",children:"(#8506)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Network defaults are duplicated, remove one ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8553",children:"(#8553)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Advertise address integration test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8518",children:"(#8518)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed tailscale node IP dualstack mode in case of IPv4 only node ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8560",children:"(#8560)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Server Token Rotation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8578",children:"(#8578)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Users can now rotate the server token using ",(0,i.jsx)(s.code,{children:"k3s token rotate -t --new-token "}),". After command succeeds, all server nodes must be restarted with the new token."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Clear remove annotations on cluster reset ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8589",children:"(#8589)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Use IPv6 in case is the first configured IP with dualstack ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8599",children:"(#8599)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-10 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8617",children:"(#8617)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router package in build script ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8636",children:"(#8636)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add etcd-only/control-plane-only server test and fix control-plane-only server crash ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8644",children:"(#8644)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Windows agent support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8646",children:"(#8646)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use ",(0,i.jsx)(s.code,{children:"version.Program"})," not K3s in token rotate logs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8654",children:"(#8654)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add --image-service-endpoint flag (#8279) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8664",children:"(#8664)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add ",(0,i.jsx)(s.code,{children:"--image-service-endpoint"})," flag to specify an external image service socket."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Backport etcd fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8692",children:"(#8692)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Re-enable etcd endpoint auto-sync"}),"\n",(0,i.jsx)(s.li,{children:"Manually requeue configmap reconcile when no nodes have reconciled snapshots"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.15 and Go to v1.20.10 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8679",children:"(#8679)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix s3 snapshot restore ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8735",children:"(#8735)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12514k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.14+k3s1",children:"v1.25.14+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.14, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12513",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12513k3s1",children:"Changes since v1.25.13+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.10.3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8326",children:"(#8326)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.25.14 and go to 1.20.8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8350",children:"(#8350)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport containerd bump and and test fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8384",children:"(#8384)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Bump embedded containerd to v1.7.6"}),"\n",(0,i.jsx)(s.li,{children:"Bump embedded stargz-snapshotter plugin to latest"}),"\n",(0,i.jsx)(s.li,{children:"Fixed intermittent drone CI failures due to race conditions in test environment setup scripts"}),"\n",(0,i.jsx)(s.li,{children:"Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12513k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.13+k3s1",children:"v1.25.13+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.13, and fixes a number of issues."}),"\n",(0,i.jsx)(s.admonition,{title:"Important",type:"warning",children:(0,i.jsxs)(s.p,{children:["This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2",children:"https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2"})," for more information, including mandatory steps necessary to harden clusters against this vulnerability."]})}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12512",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12512k3s1",children:"Changes since v1.25.12+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel and plugins ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8076",children:"(#8076)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix tailscale bug with ip modes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8098",children:"(#8098)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Etcd snapshots retention when node name changes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8123",children:"(#8123)"})]}),"\n",(0,i.jsxs)(s.li,{children:["August Test Backports ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8127",children:"(#8127)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-08 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8132",children:"(#8132)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries."}),"\n",(0,i.jsxs)(s.li,{children:["K3s no longer enables the apiserver's ",(0,i.jsx)(s.code,{children:"enable-aggregator-routing"})," flag when the egress proxy is not being used to route connections to in-cluster endpoints."]}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded containerd to v1.7.3+k3s1"}),"\n",(0,i.jsx)(s.li,{children:"Updated the embedded runc to v1.1.8"}),"\n",(0,i.jsxs)(s.li,{children:["User-provided containerd config templates may now use ",(0,i.jsx)(s.code,{children:'{{ template "base" . }}'})," to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file."]}),"\n",(0,i.jsx)(s.li,{children:"Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client."}),"\n",(0,i.jsx)(s.li,{children:"Updated kine to v0.10.2"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["K3s etcd-snapshot delete fail to delete local file when called with s3 flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8145",children:"(#8145)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix for cluster-reset backup from s3 when etcd snapshots are disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8169",children:"(#8169)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed the etcd retention to delete orphaned snapshots based on the date ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8190",children:"(#8190)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Additional backports for 2023-08 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8213",children:"(#8213)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The version of ",(0,i.jsx)(s.code,{children:"helm"})," used by the bundled helm controller's job image has been updated to v3.12.3"]}),"\n",(0,i.jsx)(s.li,{children:"Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes."}),"\n",(0,i.jsx)(s.li,{children:"The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Move flannel to 0.22.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8223",children:"(#8223)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.13 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8241",children:"(#8241)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix runc version bump ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8246",children:"(#8246)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add new CLI flag to enable TLS SAN CN filtering ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8259",children:"(#8259)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Added a new ",(0,i.jsx)(s.code,{children:"--tls-san-security"})," option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add RWMutex to address controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8275",children:"(#8275)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12512k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.12+k3s1",children:"v1.25.12+k3s1"})]}),"\n",(0,i.jsxs)(s.p,{children:["This release updates Kubernetes to v1.25.12, and fixes a number of issues.",(0,i.jsx)(s.br,{}),"\n","\u200b\r\nFor more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12511",children:"Kubernetes release notes"}),".\r\n\u200b"]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12511k3s1",children:"Changes since v1.25.11+k3s1:"}),"\n",(0,i.jsx)(s.p,{children:"\u200b"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Remove file_windows.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7856",children:"(#7856)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix code spell check ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7860",children:"(#7860)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow k3s to customize apiServerPort on helm-controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7873",children:"(#7873)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Check if we are on ipv4, ipv6 or dualStack when doing tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7883",children:"(#7883)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Support setting control server URL for Tailscale. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7894",children:"(#7894)"})]}),"\n",(0,i.jsxs)(s.li,{children:["S3 and Startup tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7886",children:"(#7886)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix rootless node password ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7900",children:"(#7900)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backports for 2023-07 release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7909",children:"(#7909)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted."}),"\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"k3s certificate rotate-ca"})," command now supports the data-dir flag."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Adding cli to custom klipper helm image ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7915",children:"(#7915)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The default helm-controller job image can now be overridden with the --helm-job-image CLI flag"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Generation of certs and keys for etcd gated if etcd is disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7945",children:"(#7945)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Don't use zgrep in ",(0,i.jsx)(s.code,{children:"check-config"})," if apparmor profile is enforced ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7954",children:"(#7954)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix image_scan.sh script and download trivy version (#7950) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7969",children:"(#7969)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Adjust default kubeconfig file permissions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7984",children:"(#7984)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.12 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/8021",children:"(#8021)"}),"\r\n\u200b"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12511k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.11+k3s1",children:"v1.25.11+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.11, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12510",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v12510k3s1",children:"Changes since v1.25.10+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7649",children:"(#7649)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump vagrant libvirt with fix for plugin installs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7659",children:"(#7659)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E Backports - June ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7705",children:"(#7705)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Shortcircuit commands with version or help flags #7683"}),"\n",(0,i.jsx)(s.li,{children:"Add Rotation certification Check, remove func to restart agents #7097"}),"\n",(0,i.jsx)(s.li,{children:"E2E: Sudo for RunCmdOnNode #7686"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add private registry e2e test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7722",children:"(#7722)"})]}),"\n",(0,i.jsxs)(s.li,{children:["VPN integration ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7728",children:"(#7728)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix spelling test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7752",children:"(#7752)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove unused libvirt config ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7758",children:"(#7758)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7718",children:"(#7718)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default."}),"\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"coredns-custom"})," ConfigMap now allows for ",(0,i.jsx)(s.code,{children:"*.override"})," sections to be included in the ",(0,i.jsx)(s.code,{children:".:53"})," default server block."]}),"\n",(0,i.jsx)(s.li,{children:"The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user."}),"\n",(0,i.jsx)(s.li,{children:"Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local."}),"\n",(0,i.jsx)(s.li,{children:"Make LB image configurable when compiling k3s"}),"\n",(0,i.jsx)(s.li,{children:"K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod."}),"\n",(0,i.jsx)(s.li,{children:"The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release."}),"\n",(0,i.jsx)(s.li,{children:"The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Add format command on Makefile ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7763",children:"(#7763)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix logging and cleanup in Tailscale ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7784",children:"(#7784)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.25.11 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7788",children:"(#7788)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Path normalization affecting kubectl proxy conformance test for /api endpoint ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7818",children:"(#7818)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v12510k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.10+k3s1",children:"v1.25.10+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.10, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1259",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1259k3s1",children:"Changes since v1.25.9+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Ensure that klog verbosity is set to the same level as logrus ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7361",children:"(#7361)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add E2E testing in Drone ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7375",children:"(#7375)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add integration tests for etc-snapshot server flags #7377 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7378",children:"(#7378)"})]}),"\n",(0,i.jsxs)(s.li,{children:["CLI + Config Enhancement ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7404",children:"(#7404)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:[(0,i.jsx)(s.code,{children:"--Tls-sans"})," now accepts multiple arguments: ",(0,i.jsx)(s.code,{children:'--tls-sans="foo,bar"'})]}),"\n",(0,i.jsxs)(s.li,{children:[(0,i.jsx)(s.code,{children:"Prefer-bundled-bin: true"})," now works properly when set in ",(0,i.jsx)(s.code,{children:"config.yaml.d"})," files"]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Migrate netutil methods into /utils/net.go ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7433",children:"(#7433)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump Runc + Containerd + Docker for CVE fixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7452",children:"(#7452)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kube-router version to fix a bug when a port name is used ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7461",children:"(#7461)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Kube flags and longhorn storage tests 1.25 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7466",children:"(#7466)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Local-storage: Fix permission ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7473",children:"(#7473)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7515",children:"(#7515)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:'K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.'}),"\n",(0,i.jsx)(s.li,{children:"K3s once again supports aarch64 nodes with page size > 4k"}),"\n",(0,i.jsx)(s.li,{children:"The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0"}),"\n",(0,i.jsxs)(s.li,{children:["K3s now prints a more meaningful error when attempting to run from a filesystem mounted ",(0,i.jsx)(s.code,{children:"noexec"}),"."]}),"\n",(0,i.jsxs)(s.li,{children:["K3s now exits with a proper error message when the server token uses a bootstrap token ",(0,i.jsx)(s.code,{children:"id.secret"})," format."]}),"\n",(0,i.jsx)(s.li,{children:"Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content."}),"\n",(0,i.jsx)(s.li,{children:"Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component."}),"\n",(0,i.jsx)(s.li,{children:"Fixed an regression that prevented the pod and cluster egress-selector modes from working properly."}),"\n",(0,i.jsx)(s.li,{children:"K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes."}),"\n",(0,i.jsx)(s.li,{children:"K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster."}),"\n",(0,i.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.10.1. This replaces the legacy ",(0,i.jsx)(s.code,{children:"lib/pq"})," postgres driver with ",(0,i.jsx)(s.code,{children:"pgx"}),"."]}),"\n",(0,i.jsx)(s.li,{children:"The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle."}),"\n",(0,i.jsx)(s.li,{children:"The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd/runc to v1.7.1-k3s1/v1.1.7 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7535",children:"(#7535)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Wrap error stating that it is coming from netpol ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7548",children:"(#7548)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add '-all' flag to apply to inactive units ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7574",children:"(#7574)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.10-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7582",children:"(#7582)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1259k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.9+k3s1",children:"v1.25.9+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.9, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1258",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1258k3s1",children:"Changes since v1.25.8+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Enhance ",(0,i.jsx)(s.code,{children:"check-config"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7164",children:"(#7164)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove deprecated nodeSelector label beta.kubernetes.io/os (#6970) ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7121",children:"(#7121)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport version bumps and bugfixes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7228",children:"(#7228)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The bundled local-path-provisioner version has been bumped to v0.0.24"}),"\n",(0,i.jsx)(s.li,{children:"The bundled runc version has been bumped to v1.1.5"}),"\n",(0,i.jsx)(s.li,{children:"The bundled coredns version has been bumped to v1.10.1"}),"\n",(0,i.jsx)(s.li,{children:"When using an external datastore, K3s now locks the bootstrap key while creating initial cluster bootstrap data, preventing a race condition when multiple servers attempted to initialize the cluster simultaneously."}),"\n",(0,i.jsx)(s.li,{children:"The client load-balancer that maintains connections to active server nodes now closes connections to servers when they are removed from the cluster. This ensures that agent components immediately reconnect to a current cluster member."}),"\n",(0,i.jsx)(s.li,{children:"Fixed a race condition during cluster reset that could cause the operation to hang and time out."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Updated kube-router to move the default ACCEPT rule at the end of the chain ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7221",children:"(#7221)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update klipper lb and helm-controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7240",children:"(#7240)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Kube-router ACCEPT rule insertion and install script to clean rules before start ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7276",children:"(#7276)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.9-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7283",children:"(#7283)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1258k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.8+k3s1",children:"v1.25.8+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.8, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1257",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1257k3s1",children:"Changes since v1.25.7+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update flannel and kube-router ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7061",children:"(#7061)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump various dependencies for CVEs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7043",children:"(#7043)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Enable dependabot ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7045",children:"(#7045)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for kubelet port to be ready before setting ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7064",children:"(#7064)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The agent tunnel authorizer now waits for the kubelet to be ready before reading the kubelet port from the node object."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Adds a warning about editing to the containerd config.toml file ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7075",children:"(#7075)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Improve support for rotating the default self-signed certs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7079",children:"(#7079)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The ",(0,i.jsx)(s.code,{children:"k3s certificate rotate-ca"})," checks now support rotating self-signed certificates without the ",(0,i.jsx)(s.code,{children:"--force"})," option."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.8-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7106",children:"(#7106)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update flannel to fix NAT issue with old iptables version ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7138",children:"(#7138)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1257k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.7+k3s1",children:"v1.25.7+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.7, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1256",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1256k3s1",children:"Changes since v1.25.6+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add jitter to scheduled snapshots and retry harder on conflicts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6782",children:"(#6782)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Scheduled etcd snapshots are now offset by a short random delay of up to several seconds. This should prevent multi-server clusters from executing pathological behavior when attempting to simultaneously update the snapshot list ConfigMap. The snapshot controller will also be more persistent in attempting to update the snapshot list."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump cri-dockerd ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6798",children:"(#6798)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded cri-dockerd has been updated to v0.3.1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bugfix: do not break cert-manager when pprof is enabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6837",children:"(#6837)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Wait for cri-dockerd socket ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6853",children:"(#6853)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump vagrant boxes to fedora37 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6858",children:"(#6858)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix cronjob example ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6864",children:"(#6864)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Ensure flag type consistency ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6867",children:"(#6867)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Consolidate E2E tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6887",children:"(#6887)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Ignore value conflicts when reencrypting secrets ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6919",children:"(#6919)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use default address family when adding kubernetes service address to SAN list ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6904",children:"(#6904)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The apiserver advertised address and IP SAN entry are now set correctly on clusters that use IPv6 as the default IP family."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Allow ServiceLB to honor ",(0,i.jsx)(s.code,{children:"ExternalTrafficPolicy=Local"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6907",children:"(#6907)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"ServiceLB now honors the Service's ExternalTrafficPolicy. When set to Local, the LoadBalancer will only advertise addresses of Nodes with a Pod for the Service, and will not forward traffic to other cluster members."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix issue with servicelb startup failure when validating webhooks block creation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6916",children:"(#6916)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded cloud controller manager will no longer attempt to unconditionally re-create its namespace and serviceaccount on startup. This resolves an issue that could cause a deadlocked cluster when fail-closed webhooks are in use."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Backport user-provided CA cert and ",(0,i.jsx)(s.code,{children:"kubeadm"})," bootstrap token support ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6929",children:"(#6929)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["K3s now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before K3s starts in the github repo at ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/blob/master/contrib/util/certs.sh",children:"contrib/util/certs.sh"}),"."]}),"\n",(0,i.jsxs)(s.li,{children:["K3s now supports ",(0,i.jsx)(s.code,{children:"kubeadm"})," style join tokens. ",(0,i.jsx)(s.code,{children:"k3s token create"})," now creates join token secrets, optionally with a limited TTL."]}),"\n",(0,i.jsx)(s.li,{children:"K3s agents joined with an expired or deleted token stay in the cluster using existing client certificates via the NodeAuthorization admission plugin, unless their Node object is deleted from the cluster."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6936",children:"(#6936)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue that would cause the apiserver egress proxy to attempt to use the agent tunnel to connect to service endpoints even in agent or disabled mode."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Updated flannel version to v0.21.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6915",children:"(#6915)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Allow for multiple sets of leader-elected controllers ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6941",children:"(#6941)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Fixed an issue where leader-elected controllers for managed etcd did not run on etcd-only nodes"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix etcd and ca-cert rotate issues ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6954",children:"(#6954)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix ServiceLB dual-stack ingress IP listing ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6987",children:"(#6987)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Resolved an issue with ServiceLB that would cause it to advertise node IPv6 addresses, even if the cluster or service was not enabled for dual-stack operation."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.9.9 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6975",children:"(#6975)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded kine version has been bumped to v0.9.9. Compaction log messages are now omitted at ",(0,i.jsx)(s.code,{children:"info"})," level for increased visibility."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.7-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7010",children:"(#7010)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1256k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.6+k3s1",children:"v1.25.6+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.6, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1255",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1255k3s2",children:"Changes since v1.25.5+k3s2:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Pass through default tls-cipher-suites ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6730",children:"(#6730)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The K3s default cipher suites are now explicitly passed in to kube-apiserver, ensuring that all listeners use these values."}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.15-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6735",children:"(#6735)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.15-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump action/download-artifact to v3 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6747",children:"(#6747)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Backport dependabot/updatecli updates ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6761",children:"(#6761)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix Drone plugins/docker tag for 32 bit arm ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6768",children:"(#6768)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.6+k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6775",children:"(#6775)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1255k3s2",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.5+k3s2",children:"v1.25.5+k3s2"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates containerd to v1.6.14 to resolve an issue where pods would lose their CNI information when containerd was restarted."}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1255k3s1",children:"Changes since v1.25.5+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.14-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6694",children:"(#6694)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.14-k3s1. This includes a backported fix for ",(0,i.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"containerd/7843"})," which caused pods to lose their CNI info when containerd was restarted, which in turn caused the kubelet to recreate the pod."]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1255k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.5+k3s1",children:"v1.25.5+k3s1"})]}),"\n",(0,i.jsxs)(s.blockquote,{children:["\n",(0,i.jsx)(s.h2,{id:"\ufe0f-warning",children:"\u26a0\ufe0f WARNING"}),"\n",(0,i.jsxs)(s.p,{children:["This release is affected by ",(0,i.jsx)(s.a,{href:"https://github.com/containerd/containerd/issues/7843",children:"https://github.com/containerd/containerd/issues/7843"}),", which causes the kubelet to restart all pods whenever K3s is restarted. For this reason, we have removed this K3s release from the channel server. Please use ",(0,i.jsx)(s.code,{children:"v1.25.5+k3s2"})," instead."]}),"\n"]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.5, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:[(0,i.jsx)(s.strong,{children:"Breaking Change:"})," K3s no longer includes ",(0,i.jsx)(s.code,{children:"swanctl"})," and ",(0,i.jsx)(s.code,{children:"charon"})," binaries. If you are using the ipsec flannel backend, please ensure that the strongswan ",(0,i.jsx)(s.code,{children:"swanctl"})," and ",(0,i.jsx)(s.code,{children:"charon"})," packages are installed on your node before upgrading K3s to this release."]}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1254",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1254k3s1",children:"Changes since v1.25.4+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fix log for flannelExternalIP use case ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6531",children:"(#6531)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix Carolines github id ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6464",children:"(#6464)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Github CI Updates ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6522",children:"(#6522)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add new ",(0,i.jsx)(s.code,{children:"prefer-bundled-bin"})," experimental flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6420",children:"(#6420)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Added new prefer-bundled-bin flag which force K3s to use its bundle binaries over that of the host tools"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.10 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6512",children:"(#6512)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded containerd version has been updated to v1.6.10-k3s1"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Stage the Traefik charts through k3s-charts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6519",children:"(#6519)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Make rootless settings configurable ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6498",children:"(#6498)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The rootless ",(0,i.jsx)(s.code,{children:"port-driver"}),", ",(0,i.jsx)(s.code,{children:"cidr"}),", ",(0,i.jsx)(s.code,{children:"mtu"}),", ",(0,i.jsx)(s.code,{children:"enable-ipv6"}),", and ",(0,i.jsx)(s.code,{children:"disable-host-loopback"})," settings can now be configured via environment variables."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Remove stuff which belongs in the windows executor implementation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6517",children:"(#6517)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Mark v1.25.4+k3s1 as stable ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6534",children:"(#6534)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add ",(0,i.jsx)(s.code,{children:"prefer-bundled-bin"})," as an agent flag ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6545",children:"(#6545)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump klipper-helm and klipper-lb versions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6549",children:"(#6549)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded Load-Balancer controller image has been bumped to klipper-lb",":v0",".4.0, which includes support for the ",(0,i.jsx)(s.a,{href:"https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#:~:text=loadBalancerSourceRanges",children:"LoadBalancerSourceRanges"})," field."]}),"\n",(0,i.jsxs)(s.li,{children:["The embedded Helm controller image has been bumped to klipper-helm",":v0",".7.4-build20221121"]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Switch from Google Buckets to AWS S3 Buckets ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6497",children:"(#6497)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix passing AWS creds through Dapper ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6567",children:"(#6567)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix artifact upload with ",(0,i.jsx)(s.code,{children:"aws s3 cp"})," ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6568",children:"(#6568)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Disable CCM metrics port when legacy CCM functionality is disabled ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6572",children:"(#6572)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["The embedded cloud-controller-manager's metrics listener on port 10258 is now disabled when the ",(0,i.jsx)(s.code,{children:"--disable-cloud-controller"})," flag is set."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Sync packaged component Deployment config ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6552",children:"(#6552)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"Deployments for K3s packaged components now have consistent upgrade strategy and revisionHistoryLimit settings, and will not override scaling decisions by hardcoding the replica count."}),"\n",(0,i.jsx)(s.li,{children:"The packaged metrics-server has been bumped to v0.6.2"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Mark secrets-encryption flag as GA ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6582",children:"(#6582)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump k3s root to v0.12.0 and remove strongswan binaries ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6400",children:"(#6400)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded k3s-root version has been bumped to v0.12.0, based on buildroot 2022.08.1."}),"\n",(0,i.jsxs)(s.li,{children:["The embedded swanctl and charon binaries have been removed. If you are using the ipsec flannel backend, please ensure that the strongswan ",(0,i.jsx)(s.code,{children:"swanctl"})," and ",(0,i.jsx)(s.code,{children:"charon"})," packages are installed on your node before upgrading k3s."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Update flannel to v0.20.2 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6588",children:"(#6588)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add ADR for security bumps automation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6559",children:"(#6559)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update node12->node16 based GH actions ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6593",children:"(#6593)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Updating rel docs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6237",children:"(#6237)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update install.sh to recommend current version of k3s-selinux ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6453",children:"(#6453)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.5-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6622",children:"(#6622)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump containerd to v1.6.12-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6631",children:"(#6631)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"The embedded containerd version has been bumped to v1.6.12"}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Preload iptable_filter/ip6table_filter ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6646",children:"(#6646)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1254k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.4+k3s1",children:"v1.25.4+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.4, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1253",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1253k3s1",children:"Changes since v1.25.3+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add the gateway parameter in netplan ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6292",children:"(#6292)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bumped dynamiclistener library to v0.3.5 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6300",children:"(#6300)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update kube-router to v1.5.1 with extra logging ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6345",children:"(#6345)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update maintainers ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6298",children:"(#6298)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump testing to opensuse Leap 15.4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6337",children:"(#6337)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update E2E docs with more info on ubuntu 22.04 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6316",children:"(#6316)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Netpol test for podSelector & ingress ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6247",children:"(#6247)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump all alpine images to 3.16 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6334",children:"(#6334)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Bump kine to v0.9.6 / sqlite3 v3.39.2 (",(0,i.jsx)(s.a,{href:"https://nvd.nist.gov/vuln/detail/CVE-2022-35737",children:"CVE-2022-35737"}),") ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6317",children:"(#6317)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add hardened cluster and upgrade tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6320",children:"(#6320)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The bundled Traefik helm chart has been updated to v18.0.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6353",children:"(#6353)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Mark v1.25.3+k3s1 as stable ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6338",children:"(#6338)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The embedded helm controller has been bumped to v0.13.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6294",children:"(#6294)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed an issue that would prevent the deploy controller from handling manifests that include resource types that are no longer supported by the apiserver. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6295",children:"(#6295)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Replace fedora-coreos with fedora 36 for install tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6315",children:"(#6315)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Convert containerd config.toml.tmpl Linux template to v2 syntax ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6267",children:"(#6267)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add test for node-external-ip config parameter ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6359",children:"(#6359)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use debugger-friendly compile settings if DEBUG is set ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6147",children:"(#6147)"})]}),"\n",(0,i.jsxs)(s.li,{children:["update e2e tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6354",children:"(#6354)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove unused vagrant development scripts ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6395",children:"(#6395)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The bundled Traefik has been updated to v2.9.4 / helm chart v18.3.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6397",children:"(#6397)"})]}),"\n",(0,i.jsxs)(s.li,{children:["None ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6371",children:"(#6371)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix incorrect defer usage ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6296",children:"(#6296)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add snapshot restore e2e test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6396",children:"(#6396)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix sonobouy tests on v1.25 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6399",children:"(#6399)"})]}),"\n",(0,i.jsx)(s.li,{children:"Bump packaged component versions"}),"\n",(0,i.jsx)(s.li,{children:"The packaged traefik helm chart has been bumped to v19.0.0, enabling ingressClass support by default."}),"\n",(0,i.jsx)(s.li,{children:"The packaged local-path-provisioner has been bumped to v0.0.23"}),"\n",(0,i.jsxs)(s.li,{children:["The packaged coredns has been bumped to v1.9.4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6408",children:"(#6408)"})]}),"\n",(0,i.jsxs)(s.li,{children:["log kube-router version when starting netpol controller ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6405",children:"(#6405)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add Kairos to ADOPTERS ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6417",children:"(#6417)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Flannel to 0.20.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6388",children:"(#6388)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Avoid wrong config for ",(0,i.jsx)(s.code,{children:"flannel-external-ip"})," and add warning if unencrypted backend ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6403",children:"(#6403)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix test-mods to allow for pinning version from k8s.io ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6413",children:"(#6413)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix for metrics-server in the multi-cloud cluster env ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6386",children:"(#6386)"})]}),"\n",(0,i.jsxs)(s.li,{children:["K3s now indicates specifically which cluster-level configuration flags are out of sync when critical configuration differs between server nodes. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6409",children:"(#6409)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Convert test output to JSON format ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6410",children:"(#6410)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Pull traefik helm chart directly from GH ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6468",children:"(#6468)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Nightly test fix ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6475",children:"(#6475)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6477",children:"(#6477)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove stuff which belongs in the windows executor implementation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6492",children:"(#6492)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The packaged traefik helm chart has been bumped to 19.0.4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6494",children:"(#6494)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Move traefik chart repo again ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6508",children:"(#6508)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1253k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.3+k3s1",children:"v1.25.3+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.3, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1252",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1252k3s1",children:"Changes since v1.25.2+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["E2E: Groundwork for PR runs ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6131",children:"(#6131)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix flannel for deployments of nodes which do not belong to the same network and connect using their public IP ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6180",children:"(#6180)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Mark v1.24.6+k3s1 as stable ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6193",children:"(#6193)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add cluster reset test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6161",children:"(#6161)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The embedded metrics-server version has been bumped to v0.6.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6151",children:"(#6151)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The ServiceLB (klipper-lb) service controller is now integrated into the K3s stub cloud controller manager. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6181",children:"(#6181)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Events recorded to the cluster by embedded controllers are now properly formatted in the service logs. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6203",children:"(#6203)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix ",(0,i.jsx)(s.code,{children:"error dialing backend"})," errors in apiserver network proxy ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6216",children:"(#6216)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Fixed an issue with the apiserver network proxy that caused ",(0,i.jsx)(s.code,{children:"kubectl exec"})," to occasionally fail with ",(0,i.jsx)(s.code,{children:"error dialing backend: EOF"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fixed an issue with the apiserver network proxy that caused ",(0,i.jsx)(s.code,{children:"kubectl exec"})," and ",(0,i.jsx)(s.code,{children:"kubectl logs"})," to fail when a custom kubelet port was used, and the custom port was blocked by firewall or security group rules."]}),"\n"]}),"\n"]}),"\n",(0,i.jsxs)(s.li,{children:["Fix the typo in the test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6183",children:"(#6183)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Use setup-go action to cache dependencies ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6220",children:"(#6220)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add journalctl logs to E2E tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6224",children:"(#6224)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The embedded Traefik version has been bumped to v2.9.1 / chart 12.0.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6223",children:"(#6223)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix flakey etcd test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6232",children:"(#6232)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Replace deprecated ioutil package ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6230",children:"(#6230)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix dualStack test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6245",children:"(#6245)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add ServiceAccount for svclb pods ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6253",children:"(#6253)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.3-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6269",children:"(#6269)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Return ProviderID in URI format ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6284",children:"(#6284)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Corrected CCM RBAC to allow for removal of legacy service finalizer during upgrades. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6306",children:"(#6306)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added a new --flannel-external-ip flag. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6321",children:"(#6321)"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsx)(s.li,{children:"When enabled, Flannel traffic will now use the nodes external IPs, instead of internal."}),"\n",(0,i.jsx)(s.li,{children:"This is meant for use with distributed clusters that are not all on the same local network."}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1252k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.2+k3s1",children:"v1.25.2+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release updates Kubernetes to v1.25.2, and fixes a number of issues."}),"\n",(0,i.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1250",children:"Kubernetes release notes"}),"."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1250k3s1",children:"Changes since v1.25.0+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Add k3s v1.25 to the release channel ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6129",children:"(#6129)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Restore original INSTALL_K3S_SKIP_DOWNLOAD behavior ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6130",children:"(#6130)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add K3S Release Documentation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6135",children:"(#6135)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6140",children:"(#6140)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update to v1.25.2-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6168",children:"(#6168)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{}),"\n",(0,i.jsxs)(s.h2,{id:"release-v1250k3s1",children:["Release ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.25.0+k3s1",children:"v1.25.0+k3s1"})]}),"\n",(0,i.jsx)(s.p,{children:"This release is K3S's first in the v1.25 line. This release updates Kubernetes to v1.25.0."}),"\n",(0,i.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]}),"\n",(0,i.jsxs)(s.p,{children:[(0,i.jsx)(s.strong,{children:"Important Note:"})," Kubernetes v1.25 removes the beta ",(0,i.jsx)(s.code,{children:"PodSecurityPolicy"})," admission plugin. Please follow the ",(0,i.jsx)(s.a,{href:"https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/",children:"upstream documentation"})," to migrate from PSP if using the built-in PodSecurity Admission Plugin, prior to upgrading to v1.25.0+k3s1."]}),"\n",(0,i.jsx)(s.h3,{id:"changes-since-v1244k3s1",children:"Changes since v1.24.4+k3s1:"}),"\n",(0,i.jsxs)(s.ul,{children:["\n",(0,i.jsxs)(s.li,{children:["Update Kubernetes to v1.25.0 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6040",children:"(#6040)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove ",(0,i.jsx)(s.code,{children:"--containerd"})," flag from windows kubelet args ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6028",children:"(#6028)"})]}),"\n",(0,i.jsxs)(s.li,{children:["E2E: Add support for CentOS 7 and Rocky 8 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6015",children:"(#6015)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Convert install tests to run PR build of k3s ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6003",children:"(#6003)"})]}),"\n",(0,i.jsxs)(s.li,{children:["CI: update Fedora 34 -> 35 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/5996",children:"(#5996)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix dualStack test and change ipv6 network prefix ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6023",children:"(#6023)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix e2e tests ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6018",children:"(#6018)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update README.md ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6048",children:"(#6048)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Remove wireguard interfaces when deleting the cluster ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6055",children:"(#6055)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Add validation check to confirm correct golang version for Kubernetes ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6050",children:"(#6050)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Expand startup integration test ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6030",children:"(#6030)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update go.mod version to 1.19 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6049",children:"(#6049)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Usage of ",(0,i.jsx)(s.code,{children:"--cluster-secret"}),", ",(0,i.jsx)(s.code,{children:"--no-deploy"}),", and ",(0,i.jsx)(s.code,{children:"--no-flannel"})," is no longer supported. Attempts to use these flags will cause fatal errors. See ",(0,i.jsx)(s.a,{href:"https://k3s-io.github.io/docs/reference/server-config#deprecated-options",children:"the docs"})," for their replacement. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6069",children:"(#6069)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Update Flannel version to fix older iptables version issue. ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6090",children:"(#6090)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The bundled version of runc has been bumped to v1.1.4 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6071",children:"(#6071)"})]}),"\n",(0,i.jsxs)(s.li,{children:["The embedded containerd version has been bumped to v1.6.8-k3s1 ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6078",children:"(#6078)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Fix deprecation message ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6112",children:"(#6112)"})]}),"\n",(0,i.jsxs)(s.li,{children:["Added warning message for flannel backend additional options deprecation ",(0,i.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/6111",children:"(#6111)"})]}),"\n"]}),"\n",(0,i.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,i.jsx)(s,{...e,children:(0,i.jsx)(a,{...e})}):a(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>h,a:()=>l});var i=t(7294);const r={},n=i.createContext(r);function l(e){const s=i.useContext(n);return i.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:l(e.components),i.createElement(n.Provider,{value:s},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/9f491e05.37cd3ff8.js b/assets/js/9f491e05.3075f29e.js
similarity index 99%
rename from assets/js/9f491e05.37cd3ff8.js
rename to assets/js/9f491e05.3075f29e.js
index b2141bedf..d2765c171 100644
--- a/assets/js/9f491e05.37cd3ff8.js
+++ b/assets/js/9f491e05.3075f29e.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3189],{9297:(e,r,t)=>{t.r(r),t.d(r,{assets:()=>l,contentTitle:()=>i,default:()=>h,frontMatter:()=>a,metadata:()=>c,toc:()=>o});var s=t(5893),n=t(1151);const a={title:"CIS 1.23 Self Assessment Guide"},i=void 0,c={id:"security/self-assessment-1.23",title:"CIS 1.23 Self Assessment Guide",description:"Overview",source:"@site/docs/security/self-assessment-1.23.md",sourceDirName:"security",slug:"/security/self-assessment-1.23",permalink:"/security/self-assessment-1.23",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.23.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"CIS 1.23 Self Assessment Guide"}},l={},o=[{value:"Overview",id:"overview",level:2},{value:"Testing controls methodology",id:"testing-controls-methodology",level:3},{value:"1.1 Control Plane Node Configuration Files",id:"11-control-plane-node-configuration-files",level:2},{value:"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)",id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.2 Ensure that the API server pod specification file ownership is set to root (Automated)",id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)",id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.4 Ensure that the controller manager pod specification file ownership is set to root (Automated)",id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)",id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.6 Ensure that the scheduler pod specification file ownership is set to root (Automated)",id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)",id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.8 Ensure that the etcd pod specification file ownership is set to root (Automated)",id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)",id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"1.1.10 Ensure that the Container Network Interface file ownership is set to root (Manual)",id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",level:3},{value:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)",id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",level:3},{value:"1.1.12 Ensure that the etcd data directory ownership is set to etcd (Automated)",id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",level:3},{value:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)",id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.14 Ensure that the admin.conf file ownership is set to root (Automated)",id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)",id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.16 Ensure that the scheduler.conf file ownership is set to root (Automated)",id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)",id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.18 Ensure that the controller-manager.conf file ownership is set to root (Automated)",id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root (Automated)",id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)",id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)",id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-manual",level:3},{value:"1.2 API Server",id:"12-api-server",level:2},{value:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)",id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-manual",level:3},{value:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)",id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",level:3},{value:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)",id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",level:3},{value:"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)",id:"124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated",level:3},{value:"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)",id:"125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)",id:"126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)",id:"128-ensure-that-the---authorization-mode-argument-includes-node-automated",level:3},{value:"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)",id:"129-ensure-that-the---authorization-mode-argument-includes-rbac-automated",level:3},{value:"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)",id:"1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",level:3},{value:"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)",id:"1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",level:3},{value:"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)",id:"1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",level:3},{value:"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)",id:"1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",level:3},{value:"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)",id:"1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",level:3},{value:"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)",id:"1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",level:3},{value:"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)",id:"1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",level:3},{value:"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)",id:"1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated",level:3},{value:"1.2.18 Ensure that the --profiling argument is set to false (Automated)",id:"1218-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.2.19 Ensure that the --audit-log-path argument is set (Automated)",id:"1219-ensure-that-the---audit-log-path-argument-is-set-automated",level:3},{value:"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)",id:"1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated",level:3},{value:"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)",id:"1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated",level:3},{value:"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)",id:"1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated",level:3},{value:"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)",id:"1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",level:3},{value:"1.2.25 Ensure that the --request-timeout argument is set as appropriate (Automated)",id:"1225-ensure-that-the---request-timeout-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)",id:"1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)",id:"1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)",id:"1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.31 Ensure that encryption providers are appropriately configured (Manual)",id:"1231-ensure-that-encryption-providers-are-appropriately-configured-manual",level:3},{value:"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)",id:"1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"1.3 Controller Manager",id:"13-controller-manager",level:2},{value:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)",id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",level:3},{value:"1.3.2 Ensure that the --profiling argument is set to false (Automated)",id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)",id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",level:3},{value:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)",id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)",id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"1.4 Scheduler",id:"14-scheduler",level:2},{value:"1.4.1 Ensure that the --profiling argument is set to false (Automated)",id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"2 Etcd Node Configuration",id:"2-etcd-node-configuration",level:2},{value:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)",id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)",id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)",id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)",id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)",id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)",id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)",id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-manual",level:3},{value:"3.1 Authentication and Authorization",id:"31-authentication-and-authorization",level:2},{value:"3.1.1 Client certificate authentication should not be used for users (Manual)",id:"311-client-certificate-authentication-should-not-be-used-for-users-manual",level:3},{value:"3.2 Logging",id:"32-logging",level:2},{value:"3.2.1 Ensure that a minimal audit policy is created (Manual)",id:"321-ensure-that-a-minimal-audit-policy-is-created-manual",level:3},{value:"3.2.2 Ensure that the audit policy covers key security concerns (Manual)",id:"322-ensure-that-the-audit-policy-covers-key-security-concerns-manual",level:3},{value:"4.1 Worker Node Configuration Files",id:"41-worker-node-configuration-files",level:2},{value:"4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)",id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"4.1.2 Ensure that the kubelet service file ownership is set to root (Automated)",id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)",id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"4.1.4 If proxy kubeconfig file exists ensure ownership is set to root (Manual)",id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-manual",level:3},{value:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)",id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root (Automated)",id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)",id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"4.1.8 Ensure that the client certificate authorities file ownership is set to root (Manual)",id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-manual",level:3},{value:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)",id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-644-or-more-restrictive-automated",level:3},{value:"4.1.10 Ensure that the kubelet --config configuration file ownership is set to root (Automated)",id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",level:3},{value:"4.2 Kubelet",id:"42-kubelet",level:2},{value:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)",id:"424-ensure-that-the---read-only-port-argument-is-set-to-0-manual",level:3},{value:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)",id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",level:3},{value:"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)",id:"426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated",level:3},{value:"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)",id:"427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",level:3},{value:"4.2.8 Ensure that the --hostname-override argument is not set (Manual)",id:"428-ensure-that-the---hostname-override-argument-is-not-set-manual",level:3},{value:"4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)",id:"429-ensure-that-the---event-qps-argument-is-set-to-0-or-a-level-which-ensures-appropriate-event-capture-manual",level:3},{value:"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)",id:"4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-manual",level:3},{value:"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)",id:"4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",level:3},{value:"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)",id:"4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-manual",level:3},{value:"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)",id:"4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"5.1 RBAC and Service Accounts",id:"51-rbac-and-service-accounts",level:2},{value:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)",id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",level:3},{value:"5.1.2 Minimize access to secrets (Manual)",id:"512-minimize-access-to-secrets-manual",level:3},{value:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)",id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",level:3},{value:"5.1.4 Minimize access to create pods (Manual)",id:"514-minimize-access-to-create-pods-manual",level:3},{value:"5.1.5 Ensure that default service accounts are not actively used. (Manual)",id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",level:3},{value:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)",id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",level:3},{value:"5.1.7 Avoid use of system group (Manual)",id:"517-avoid-use-of-system-group-manual",level:3},{value:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)",id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",level:3},{value:"5.2 Pod Security Standards",id:"52-pod-security-standards",level:2},{value:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)",id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",level:3},{value:"5.2.2 Minimize the admission of privileged containers (Automated)",id:"522-minimize-the-admission-of-privileged-containers-automated",level:3},{value:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)",id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",level:3},{value:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)",id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",level:3},{value:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)",id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",level:3},{value:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)",id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",level:3},{value:"5.2.7 Minimize the admission of root containers (Automated)",id:"527-minimize-the-admission-of-root-containers-automated",level:3},{value:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)",id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",level:3},{value:"5.2.9 Minimize the admission of containers with added capabilities (Automated)",id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",level:3},{value:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)",id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",level:3},{value:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)",id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",level:3},{value:"5.2.12 Minimize the admission of HostPath volumes (Manual)",id:"5212-minimize-the-admission-of-hostpath-volumes-manual",level:3},{value:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)",id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",level:3},{value:"5.3 Network Policies and CNI",id:"53-network-policies-and-cni",level:2},{value:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)",id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",level:3},{value:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)",id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",level:3},{value:"5.4 Secrets Management",id:"54-secrets-management",level:2},{value:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)",id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",level:3},{value:"5.4.2 Consider external secret storage (Manual)",id:"542-consider-external-secret-storage-manual",level:3},{value:"5.5 Extensible Admission Control",id:"55-extensible-admission-control",level:2},{value:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)",id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",level:3},{value:"5.7 General Policies",id:"57-general-policies",level:2},{value:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)",id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",level:3},{value:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)",id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",level:3},{value:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)",id:"573-apply-securitycontext-to-your-pods-and-containers-manual",level:3},{value:"5.7.4 The default namespace should not be used (Manual)",id:"574-the-default-namespace-should-not-be-used-manual",level:3}];function d(e){const r={a:"a",blockquote:"blockquote",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(r.h2,{id:"overview",children:"Overview"}),"\n",(0,s.jsxs)(r.p,{children:["This document is a companion to the ",(0,s.jsx)(r.a,{href:"/security/hardening-guide",children:"K3s security hardening guide"}),". The hardening guide provides prescriptive guidance for hardening a production installation of K3s, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes Benchmark. It is to be used by K3s operators, security teams, auditors, and decision-makers."]}),"\n",(0,s.jsxs)(r.p,{children:["This guide is specific to the ",(0,s.jsx)(r.strong,{children:"v1.22-v1.23"})," release lines of K3s and the ",(0,s.jsx)(r.strong,{children:"v1.23"})," release of the CIS Kubernetes Benchmark."]}),"\n",(0,s.jsxs)(r.p,{children:["For more information about each control, including detailed descriptions and remediations for failing tests, you can refer to the corresponding section of the CIS Kubernetes Benchmark v1.6. You can download the benchmark, after creating a free account, in ",(0,s.jsx)(r.a,{href:"https://www.cisecurity.org/benchmark/kubernetes/",children:"Center for Internet Security (CIS)"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"testing-controls-methodology",children:"Testing controls methodology"}),"\n",(0,s.jsx)(r.p,{children:"Each control in the CIS Kubernetes Benchmark was evaluated against a K3s cluster that was configured according to the accompanying hardening guide."}),"\n",(0,s.jsx)(r.p,{children:"Where control audits differ from the original CIS benchmark, the audit commands specific to K3s are provided for testing."}),"\n",(0,s.jsx)(r.p,{children:"These are the possible results for each control:"}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Pass"})," - The K3s cluster under test passed the audit outlined in the benchmark."]}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Not Applicable"})," - The control is not applicable to K3s because of how it is designed to operate. The remediation section will explain why this is so."]}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Warn"})," - The control is manual in the CIS benchmark and it depends on the cluster's use case or some other factor that must be determined by the cluster operator. These controls have been evaluated to ensure K3s does not prevent their implementation, but no further configuration or auditing of the cluster under test has been performed."]}),"\n"]}),"\n",(0,s.jsx)(r.p,{children:'This guide makes the assumption that K3s is running as a Systemd unit. Your installation may vary and will require you to adjust the "audit" commands to fit your scenario.'}),"\n",(0,s.jsxs)(r.blockquote,{children:["\n",(0,s.jsxs)(r.p,{children:["NOTE: Only ",(0,s.jsx)(r.code,{children:"automated"})," tests (previously called ",(0,s.jsx)(r.code,{children:"scored"}),") are covered in this guide."]}),"\n"]}),"\n",(0,s.jsx)(r.h2,{id:"11-control-plane-node-configuration-files",children:"1.1 Control Plane Node Configuration Files"}),"\n",(0,s.jsx)(r.h3,{id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the\ncontrol plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.2 Ensure that the API server pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.4 Ensure that the controller manager pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.6 Ensure that the scheduler pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/etcd.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.8 Ensure that the etcd pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/etcd.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-644-or-more-restrictive-manual",children:"1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 "})]}),"\n",(0,s.jsxs)(r.h3,{id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",children:["1.1.10 Ensure that the Container Network Interface file ownership is set to root",":root"," (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root "})]}),"\n",(0,s.jsx)(r.h3,{id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",children:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nOn the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above). For example,\nchmod 700 /var/lib/etcd"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 1.1.11\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'700' is equal to '700'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"700\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",children:["1.1.12 Ensure that the etcd data directory ownership is set to etcd",":etcd"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nOn the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above).\nFor example, chown etcd",":etcd"," /var/lib/etcd"]}),"\n",(0,s.jsx)(r.h3,{id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"]}),"\n",(0,s.jsxs)(r.h3,{id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",children:["1.1.14 Ensure that the admin.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, chown root",":root"," /etc/kubernetes/admin.conf"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod 644 scheduler"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions has permissions 644, expected 644 or more restrictive\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",children:["1.1.16 Ensure that the scheduler.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root scheduler"})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod 644 controllermanager"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions has permissions 644, expected 644 or more restrictive\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",children:["1.1.18 Ensure that the controller-manager.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchown root",":root"," controllermanager"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",children:["1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchown -R root",":root"," /etc/kubernetes/pki/"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"find /var/lib/rancher/k3s/server/tls | xargs stat -c %U:%G\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-644-or-more-restrictive-manual",children:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod -R 644 /etc/kubernetes/pki/*.crt"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %n %a /var/lib/rancher/k3s/server/tls/*.crt\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-manual",children:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod -R 600 /etc/kubernetes/pki/*.key"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %n %a /var/lib/rancher/k3s/server/tls/*.key\n"})}),"\n",(0,s.jsx)(r.h2,{id:"12-api-server",children:"1.2 API Server"}),"\n",(0,s.jsx)(r.h3,{id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-manual",children:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--anonymous-auth=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",children:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and configure alternate mechanisms for authentication. Then,\nedit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the ",(0,s.jsx)(r.code,{children:"--token-auth-file="})," parameter."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--token-auth-file' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h3,{id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",children:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the ",(0,s.jsx)(r.code,{children:"DenyServiceExternalIPs"}),"\nfrom enabled admission plugins."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' is present OR '--enable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h3,{id:"124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated",children:"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the --kubelet-https parameter."]}),"\n",(0,s.jsx)(r.h3,{id:"125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",children:"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection between the\napiserver and kubelets. Then, edit API server pod specification file\n/etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the\nkubelet client certificate and key parameters as below."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--kubelet-client-certificate=\n--kubelet-client-key=\n"})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--kubelet-client-certificate' is present AND '--kubelet-client-key' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",children:"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and setup the TLS connection between\nthe apiserver and kubelets. Then, edit the API server pod specification file\n/etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the\n--kubelet-certificate-authority parameter to the path to the cert file for the certificate authority\n",(0,s.jsx)(r.code,{children:"--kubelet-certificate-authority="}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--kubelet-certificate-authority' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to values other than AlwaysAllow.\nOne such example could be as below.\n--authorization-mode=RBAC"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' does not have 'AlwaysAllow'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"128-ensure-that-the---authorization-mode-argument-includes-node-automated",children:"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to a value that includes Node.\n--authorization-mode=Node,RBAC"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' has 'Node'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"129-ensure-that-the---authorization-mode-argument-includes-rbac-automated",children:"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to a value that includes RBAC,\nfor example ",(0,s.jsx)(r.code,{children:"--authorization-mode=Node,RBAC"}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' has 'RBAC'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",children:"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set the desired limits in a configuration file.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\nand set the below parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--enable-admission-plugins=...,EventRateLimit,...\n--admission-control-config-file=\n"})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' has 'EventRateLimit'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",children:"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and either remove the --enable-admission-plugins parameter, or set it to a\nvalue that does not include AlwaysAdmit."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' does not have 'AlwaysAdmit' OR '--enable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",children:"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to include\nAlwaysPullImages.\n--enable-admission-plugins=...,AlwaysPullImages,..."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",children:"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to include\nSecurityContextDeny, unless PodSecurityPolicy is already in place.\n--enable-admission-plugins=...,SecurityContextDeny,..."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' has 'SecurityContextDeny' OR '--enable-admission-plugins' has 'PodSecurityPolicy'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",children:"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create ServiceAccount objects as per your environment.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and ensure that the --disable-admission-plugins parameter is set to a\nvalue that does not include ServiceAccount."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",children:"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --disable-admission-plugins parameter to\nensure it does not include NamespaceLifecycle."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",children:"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to a\nvalue that includes NodeRestriction.\n--enable-admission-plugins=...,NodeRestriction,..."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' has 'NodeRestriction'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated",children:"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and either remove the --secure-port parameter or\nset it to a different (non-zero) desired port."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'secure-port'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--secure-port' is greater than 0 OR '--secure-port' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1218-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.2.18 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--profiling=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--profiling' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1219-ensure-that-the---audit-log-path-argument-is-set-automated",children:"1.2.19 Ensure that the --audit-log-path argument is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-path parameter to a suitable path and\nfile where you would like audit logs to be written, for example,\n--audit-log-path=/var/log/apiserver/audit.log"]}),"\n",(0,s.jsx)(r.h3,{id:"1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated",children:"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxage parameter to 30\nor as an appropriate number of days, for example,\n--audit-log-maxage=30"]}),"\n",(0,s.jsx)(r.h3,{id:"1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated",children:"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate\nvalue. For example,\n--audit-log-maxbackup=10"]}),"\n",(0,s.jsx)(r.h3,{id:"1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated",children:"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB.\nFor example, to set it as 100 MB, --audit-log-maxsize=100"]}),"\n",(0,s.jsx)(r.h3,{id:"1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",children:"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--service-account-lookup=true\nAlternatively, you can delete the --service-account-lookup parameter from this file so\nthat the default takes effect."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--service-account-lookup' is not present OR '--service-account-lookup' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1225-ensure-that-the---request-timeout-argument-is-set-as-appropriate-automated",children:"1.2.25 Ensure that the --request-timeout argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --service-account-key-file parameter\nto the public key file for service accounts. For example,\n",(0,s.jsx)(r.code,{children:"--service-account-key-file="}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",children:"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the etcd certificate and key file parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--etcd-certfile=\n--etcd-keyfile=\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 1.2.29\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--etcd-certfile' is present AND '--etcd-keyfile' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--etcd-certfile AND --etcd-keyfile\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the TLS certificate and private key file parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--tls-cert-file=\n--tls-private-key-file=\n"})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep -A1 'Running kube-apiserver' | tail -n2\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--tls-cert-file' is present AND '--tls-private-key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key" Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the client certificate authority file.\n",(0,s.jsx)(r.code,{children:"--client-ca-file="})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'client-ca-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",children:"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the etcd certificate authority file parameter.\n",(0,s.jsx)(r.code,{children:"--etcd-cafile="})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-cafile'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--etcd-cafile' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",children:"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and configure a EncryptionConfig file.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --encryption-provider-config parameter to the path of that file.\nFor example, ",(0,s.jsx)(r.code,{children:"--encryption-provider-config="})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1231-ensure-that-encryption-providers-are-appropriately-configured-manual",children:"1.2.31 Ensure that encryption providers are appropriately configured (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and configure a EncryptionConfig file.\nIn this file, choose aescbc, kms or secretbox as the encryption provider."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"grep aescbc /path/to/encryption-config.json\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-manual",children:"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,\nTLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\nTLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\nTLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,\nTLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\nTLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,\nTLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,\nTLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'\n"})}),"\n",(0,s.jsx)(r.h2,{id:"13-controller-manager",children:"1.3 Controller Manager"}),"\n",(0,s.jsx)(r.h3,{id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",children:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --terminated-pod-gc-threshold to an appropriate threshold,\nfor example, --terminated-pod-gc-threshold=10"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'terminated-pod-gc-threshold'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.3.2 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the below parameter.\n--profiling=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--profiling' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",children:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node to set the below parameter.\n--use-service-account-credentials=true"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--use-service-account-credentials' is not equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",children:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --service-account-private-key-file parameter\nto the private key file for service accounts. For example,\n",(0,s.jsx)(r.code,{children:"--service-account-private-key-file="}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'service-account-private-key-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--service-account-private-key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",children:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --root-ca-file parameter to the certificate bundle file.\n",(0,s.jsx)(r.code,{children:"--root-ca-file="})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'root-ca-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--root-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.\n--feature-gates=RotateKubeletServerCertificate=true"]}),"\n",(0,s.jsx)(r.h3,{id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and ensure the correct value for the --bind-address parameter"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--bind-address' is present OR '--bind-address' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h2,{id:"14-scheduler",children:"1.4 Scheduler"}),"\n",(0,s.jsx)(r.h3,{id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.4.1 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file\non the control plane node and set the below parameter.\n--profiling=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--profiling' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml\non the control plane node and ensure the correct value for the --bind-address parameter"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'bind-address'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})}),"\n",(0,s.jsx)(r.h2,{id:"2-etcd-node-configuration",children:"2 Etcd Node Configuration"}),"\n",(0,s.jsx)(r.h3,{id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",children:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the etcd service documentation and configure TLS encryption.\nThen, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml\non the master node and set the below parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--cert-file=\n--key-file=\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'cert-file' is present AND 'key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"cert-file AND key-file cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key cert-file AND key-file\n"})}),"\n",(0,s.jsx)(r.h3,{id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",children:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),'\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and set the below parameter.\n--client-cert-auth="true"']}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.2\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-cert-auth' is present OR 'client-cert-auth' is equal to 'true'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--client-cert-auth=true client-cert-auth: true --client-cert-auth=true\n"})}),"\n",(0,s.jsx)(r.h3,{id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",children:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and either remove the --auto-tls parameter or set it to false.\n--auto-tls=false"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.3\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'ETCD_AUTO_TLS' is not present OR 'ETCD_AUTO_TLS' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory\n"})}),"\n",(0,s.jsx)(r.h3,{id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",children:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the etcd service documentation and configure peer TLS encryption as appropriate\nfor your etcd cluster.\nThen, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the\nmaster node and set the below parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--peer-client-file=\n--peer-key-file=\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.4\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'cert-file' is present AND 'key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"peer-cert-file AND peer-key-file cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key peer-cert-file AND peer-key-file\n"})}),"\n",(0,s.jsx)(r.h3,{id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",children:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and set the below parameter.\n--peer-client-cert-auth=true"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.5\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-cert-auth' is present OR 'client-cert-auth' is equal to 'true'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--client-cert-auth=true client-cert-auth: true --client-cert-auth=true\n"})}),"\n",(0,s.jsx)(r.h3,{id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",children:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and either remove the --peer-auto-tls parameter or set it to false.\n--peer-auto-tls=false"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.6\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--peer-auto-tls' is not present OR '--peer-auto-tls' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--peer-auto-tls=false error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory --peer-auto-tls=false\n"})}),"\n",(0,s.jsx)(r.h3,{id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-manual",children:"2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\n[Manual test]\nFollow the etcd documentation and create a dedicated certificate authority setup for the\netcd service.\nThen, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the\nmaster node and set the below parameter.\n",(0,s.jsx)(r.code,{children:"--trusted-ca-file="})]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.7\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'trusted-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--trusted-ca-file trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt --trusted-ca-file\n"})}),"\n",(0,s.jsx)(r.h2,{id:"31-authentication-and-authorization",children:"3.1 Authentication and Authorization"}),"\n",(0,s.jsx)(r.h3,{id:"311-client-certificate-authentication-should-not-be-used-for-users-manual",children:"3.1.1 Client certificate authentication should not be used for users (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAlternative mechanisms provided by Kubernetes such as the use of OIDC should be\nimplemented in place of client certificates."]}),"\n",(0,s.jsx)(r.h2,{id:"32-logging",children:"3.2 Logging"}),"\n",(0,s.jsx)(r.h3,{id:"321-ensure-that-a-minimal-audit-policy-is-created-manual",children:"3.2.1 Ensure that a minimal audit policy is created (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate an audit policy file for your cluster."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"322-ensure-that-the-audit-policy-covers-key-security-concerns-manual",children:"3.2.2 Ensure that the audit policy covers key security concerns (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nReview the audit policy provided for the cluster and ensure that it covers\nat least the following areas,"]}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsx)(r.li,{children:"Access to Secrets managed by the cluster. Care should be taken to only\nlog Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in\norder to avoid risk of logging sensitive data."}),"\n",(0,s.jsx)(r.li,{children:"Modification of Pod and Deployment objects."}),"\n",(0,s.jsxs)(r.li,{children:["Use of ",(0,s.jsx)(r.code,{children:"pods/exec"}),", ",(0,s.jsx)(r.code,{children:"pods/portforward"}),", ",(0,s.jsx)(r.code,{children:"pods/proxy"})," and ",(0,s.jsx)(r.code,{children:"services/proxy"}),".\nFor most requests, minimally logging at the Metadata level is recommended\n(the most basic level of logging)."]}),"\n"]}),"\n",(0,s.jsx)(r.h2,{id:"41-worker-node-configuration-files",children:"4.1 Worker Node Configuration Files"}),"\n",(0,s.jsx)(r.h3,{id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example, chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf"]}),"\n",(0,s.jsxs)(r.h3,{id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",children:["4.1.2 Ensure that the kubelet service file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchown root",":root"," /etc/systemd/system/kubelet.service.d/10-kubeadm.conf"]}),"\n",(0,s.jsx)(r.h3,{id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-644-or-more-restrictive-manual",children:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchmod 644 /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %a /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'permissions' is present OR '/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"644 644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-manual",children:["4.1.4 If proxy kubeconfig file exists ensure ownership is set to root",":root"," (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example, chown root",":root"," /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is present OR '/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchmod 644 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %a /var/lib/rancher/k3s/agent/kubelet.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'644' is equal to '644'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"644 644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",children:["4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchown root",":root"," /var/lib/rancher/k3s/server/cred/admin.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/kubelet.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-644-or-more-restrictive-manual",children:"4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command to modify the file permissions of the\n--client-ca-file: ",(0,s.jsx)(r.code,{children:"chmod 644 "})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %a /var/lib/rancher/k3s/server/tls/server-ca.crt\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'644' is present OR '640' is present OR '600' is equal to '600' OR '444' is present OR '440' is present OR '400' is present OR '000' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"644 600\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-manual",children:["4.1.8 Ensure that the client certificate authorities file ownership is set to root",":root"," (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command to modify the ownership of the --client-ca-file:\n",(0,s.jsx)(r.code,{children:"chown root:root "}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls/client-ca.crt\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-644-or-more-restrictive-automated",children:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command (using the config file location identified in the Audit step)\nchmod 644 /var/lib/kubelet/config.yaml"]}),"\n",(0,s.jsxs)(r.h3,{id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",children:["4.1.10 Ensure that the kubelet --config configuration file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command (using the config file location identified in the Audit step)\nchown root",":root"," /var/lib/kubelet/config.yaml"]}),"\n",(0,s.jsx)(r.h2,{id:"42-kubelet",children:"4.2 Kubelet"}),"\n",(0,s.jsx)(r.h3,{id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"authentication: anonymous: enabled"})," to\n",(0,s.jsx)(r.code,{children:"false"}),".\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n",(0,s.jsx)(r.code,{children:"--anonymous-auth=false"}),"\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi\'\n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--anonymous-auth' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'--anonymous-auth=false Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"authorization.mode"})," to Webhook. If\nusing executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--authorization-mode=Webhook\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode" | grep -v grep; else echo "--authorization-mode=Webhook"; fi\'\n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' does not have 'AlwaysAllow'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'--authorization-mode=Webhook Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"authentication.x509.clientCAFile"})," to\nthe location of the client CA file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n",(0,s.jsx)(r.code,{children:"--client-ca-file="}),"\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file" | grep -v grep; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi\'\n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"424-ensure-that-the---read-only-port-argument-is-set-to-0-manual",children:"4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"readOnlyPort"})," to 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--read-only-port=0\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'read-only-port'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--read-only-port' is equal to '0' OR '--read-only-port' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:50 k3s-123-cis-pool2-98604672-hr9p5 k3s[1592]: time="2022-09-13T13:26:50Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool2-98604672-hr9p5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=00c4e7a0-5497-4367-a70c-0b836757eae8 --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key" Sep 13 13:26:44 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:44Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool3-b403f678-bzdg5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=109d596c-89f5-4c10-8c7f-6b82a38edd8f --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",children:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"streamingConnectionIdleTimeout"})," to a\nvalue other than 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--streaming-connection-idle-timeout=5m\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'streaming-connection-idle-timeout'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated",children:"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"protectKernelDefaults"})," to ",(0,s.jsx)(r.code,{children:"true"}),".\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--protect-kernel-defaults=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",children:"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"makeIPTablesUtilChains"})," to ",(0,s.jsx)(r.code,{children:"true"}),".\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove the --make-iptables-util-chains argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"428-ensure-that-the---hostname-override-argument-is-not-set-manual",children:"4.2.8 Ensure that the --hostname-override argument is not set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and remove the --hostname-override argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"429-ensure-that-the---event-qps-argument-is-set-to-0-or-a-level-which-ensures-appropriate-event-capture-manual",children:"4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"eventRecordQPS"})," to an appropriate level.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -fC containerd\n"})}),"\n",(0,s.jsx)(r.h3,{id:"4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-manual",children:"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"tlsCertFile"})," to the location\nof the certificate file to use to identify this Kubelet, and ",(0,s.jsx)(r.code,{children:"tlsPrivateKeyFile"}),"\nto the location of the corresponding private key file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameters in KUBELET_CERTIFICATE_ARGS variable."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--tls-cert-file=\n--tls-private-key-file=\n"})}),"\n",(0,s.jsx)(r.p,{children:"Based on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--tls-cert-file' is present AND '--tls-private-key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:50 k3s-123-cis-pool2-98604672-hr9p5 k3s[1592]: time="2022-09-13T13:26:50Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool2-98604672-hr9p5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=00c4e7a0-5497-4367-a70c-0b836757eae8 --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key" Sep 13 13:26:44 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:44Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool3-b403f678-bzdg5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=109d596c-89f5-4c10-8c7f-6b82a38edd8f --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",children:"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to add the line ",(0,s.jsx)(r.code,{children:"rotateCertificates"})," to ",(0,s.jsx)(r.code,{children:"true"})," or\nremove it altogether to use the default value.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS\nvariable.\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-manual",children:"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.\n--feature-gates=RotateKubeletServerCertificate=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",children:"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"TLSCipherSuites"})," to\nTLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nor to a subset of these values.\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the --tls-cipher-suites parameter as follows, or to a subset of these values.\n--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -fC containerd\n"})}),"\n",(0,s.jsx)(r.h2,{id:"51-rbac-and-service-accounts",children:"5.1 RBAC and Service Accounts"}),"\n",(0,s.jsx)(r.h3,{id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",children:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIdentify all clusterrolebindings to the cluster-admin role. Check if they are used and\nif they need this role or if they could use a role with fewer privileges.\nWhere possible, first bind users to a lower privileged role and then remove the\nclusterrolebinding to the cluster-admin role :\nkubectl delete clusterrolebinding [name]"]}),"\n",(0,s.jsx)(r.h3,{id:"512-minimize-access-to-secrets-manual",children:"5.1.2 Minimize access to secrets (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove get, list and watch access to Secret objects in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",children:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible replace any use of wildcards in clusterroles and roles with specific\nobjects or actions."]}),"\n",(0,s.jsx)(r.h3,{id:"514-minimize-access-to-create-pods-manual",children:"5.1.4 Minimize access to create pods (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove create access to pod objects in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",children:"5.1.5 Ensure that default service accounts are not actively used. (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\nautomountServiceAccountToken: false"]}),"\n",(0,s.jsx)(r.h3,{id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",children:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nModify the definition of pods and service accounts which do not need to mount service\naccount tokens to disable it."]}),"\n",(0,s.jsxs)(r.h3,{id:"517-avoid-use-of-system-group-manual",children:["5.1.7 Avoid use of system",":masters"," group (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRemove the system",":masters"," group from all users in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",children:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove the impersonate, bind and escalate rights from subjects."]}),"\n",(0,s.jsx)(r.h2,{id:"52-pod-security-standards",children:"5.2 Pod Security Standards"}),"\n",(0,s.jsx)(r.h3,{id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",children:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that either Pod Security Admission or an external policy control system is in place\nfor every namespace which contains user workloads."]}),"\n",(0,s.jsx)(r.h3,{id:"522-minimize-the-admission-of-privileged-containers-automated",children:"5.2.2 Minimize the admission of privileged containers (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of privileged containers."]}),"\n",(0,s.jsx)(r.h3,{id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",children:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostPID"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",children:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostIPC"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",children:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostNetwork"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",children:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,s.jsx)(r.code,{children:".spec.allowPrivilegeEscalation"})," set to ",(0,s.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"527-minimize-the-admission-of-root-containers-automated",children:"5.2.7 Minimize the admission of root containers (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate a policy for each namespace in the cluster, ensuring that either ",(0,s.jsx)(r.code,{children:"MustRunAsNonRoot"}),"\nor ",(0,s.jsx)(r.code,{children:"MustRunAs"})," with the range of UIDs not including 0, is set."]}),"\n",(0,s.jsx)(r.h3,{id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",children:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with the ",(0,s.jsx)(r.code,{children:"NET_RAW"})," capability."]}),"\n",(0,s.jsx)(r.h3,{id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",children:"5.2.9 Minimize the admission of containers with added capabilities (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that ",(0,s.jsx)(r.code,{children:"allowedCapabilities"})," is not present in policies for the cluster unless\nit is set to an empty array."]}),"\n",(0,s.jsx)(r.h3,{id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",children:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nReview the use of capabilities in applications running on your cluster. Where a namespace\ncontains applications which do not require any Linux capabilities to operate consider adding\na PSP which forbids the admission of containers which do not drop all capabilities."]}),"\n",(0,s.jsx)(r.h3,{id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",children:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers that have ",(0,s.jsx)(r.code,{children:".securityContext.windowsOptions.hostProcess"})," set to ",(0,s.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"5212-minimize-the-admission-of-hostpath-volumes-manual",children:"5.2.12 Minimize the admission of HostPath volumes (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,s.jsx)(r.code,{children:"hostPath"})," volumes."]}),"\n",(0,s.jsx)(r.h3,{id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",children:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers which use ",(0,s.jsx)(r.code,{children:"hostPort"})," sections."]}),"\n",(0,s.jsx)(r.h2,{id:"53-network-policies-and-cni",children:"5.3 Network Policies and CNI"}),"\n",(0,s.jsx)(r.h3,{id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",children:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf the CNI plugin in use does not support network policies, consideration should be given to\nmaking use of a different plugin, or finding an alternate mechanism for restricting traffic\nin the Kubernetes cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",children:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create NetworkPolicy objects as you need them."]}),"\n",(0,s.jsx)(r.h2,{id:"54-secrets-management",children:"5.4 Secrets Management"}),"\n",(0,s.jsx)(r.h3,{id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",children:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf possible, rewrite application code to read Secrets from mounted secret files, rather than\nfrom environment variables."]}),"\n",(0,s.jsx)(r.h3,{id:"542-consider-external-secret-storage-manual",children:"5.4.2 Consider external secret storage (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRefer to the Secrets management options offered by your cloud provider or a third-party\nsecrets management solution."]}),"\n",(0,s.jsx)(r.h2,{id:"55-extensible-admission-control",children:"5.5 Extensible Admission Control"}),"\n",(0,s.jsx)(r.h3,{id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",children:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and setup image provenance."]}),"\n",(0,s.jsx)(r.h2,{id:"57-general-policies",children:"5.7 General Policies"}),"\n",(0,s.jsx)(r.h3,{id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",children:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create namespaces for objects in your deployment as you need\nthem."]}),"\n",(0,s.jsx)(r.h3,{id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",children:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nUse ",(0,s.jsx)(r.code,{children:"securityContext"})," to enable the docker/default seccomp profile in your pod definitions.\nAn example is as below:\nsecurityContext:\nseccompProfile:\ntype: RuntimeDefault"]}),"\n",(0,s.jsx)(r.h3,{id:"573-apply-securitycontext-to-your-pods-and-containers-manual",children:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and apply SecurityContexts to your Pods. For a\nsuggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker\nContainers."]}),"\n",(0,s.jsx)(r.h3,{id:"574-the-default-namespace-should-not-be-used-manual",children:"5.7.4 The default namespace should not be used (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes\nresources and that all new resources are created in a specific namespace."]})]})}function h(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,s.jsx)(r,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,r,t)=>{t.d(r,{Z:()=>c,a:()=>i});var s=t(7294);const n={},a=s.createContext(n);function i(e){const r=s.useContext(a);return s.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function c(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:i(e.components),s.createElement(a.Provider,{value:r},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3189],{9297:(e,r,t)=>{t.r(r),t.d(r,{assets:()=>l,contentTitle:()=>i,default:()=>h,frontMatter:()=>a,metadata:()=>c,toc:()=>o});var s=t(5893),n=t(1151);const a={title:"CIS 1.23 Self Assessment Guide"},i=void 0,c={id:"security/self-assessment-1.23",title:"CIS 1.23 Self Assessment Guide",description:"Overview",source:"@site/docs/security/self-assessment-1.23.md",sourceDirName:"security",slug:"/security/self-assessment-1.23",permalink:"/security/self-assessment-1.23",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.23.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"CIS 1.23 Self Assessment Guide"}},l={},o=[{value:"Overview",id:"overview",level:2},{value:"Testing controls methodology",id:"testing-controls-methodology",level:3},{value:"1.1 Control Plane Node Configuration Files",id:"11-control-plane-node-configuration-files",level:2},{value:"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)",id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.2 Ensure that the API server pod specification file ownership is set to root (Automated)",id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)",id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.4 Ensure that the controller manager pod specification file ownership is set to root (Automated)",id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)",id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.6 Ensure that the scheduler pod specification file ownership is set to root (Automated)",id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)",id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.8 Ensure that the etcd pod specification file ownership is set to root (Automated)",id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)",id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"1.1.10 Ensure that the Container Network Interface file ownership is set to root (Manual)",id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",level:3},{value:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)",id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",level:3},{value:"1.1.12 Ensure that the etcd data directory ownership is set to etcd (Automated)",id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",level:3},{value:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)",id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.14 Ensure that the admin.conf file ownership is set to root (Automated)",id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)",id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.16 Ensure that the scheduler.conf file ownership is set to root (Automated)",id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)",id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.18 Ensure that the controller-manager.conf file ownership is set to root (Automated)",id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root (Automated)",id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)",id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)",id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-manual",level:3},{value:"1.2 API Server",id:"12-api-server",level:2},{value:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)",id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-manual",level:3},{value:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)",id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",level:3},{value:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)",id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",level:3},{value:"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)",id:"124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated",level:3},{value:"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)",id:"125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)",id:"126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)",id:"128-ensure-that-the---authorization-mode-argument-includes-node-automated",level:3},{value:"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)",id:"129-ensure-that-the---authorization-mode-argument-includes-rbac-automated",level:3},{value:"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)",id:"1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",level:3},{value:"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)",id:"1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",level:3},{value:"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)",id:"1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",level:3},{value:"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)",id:"1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",level:3},{value:"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)",id:"1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",level:3},{value:"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)",id:"1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",level:3},{value:"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)",id:"1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",level:3},{value:"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)",id:"1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated",level:3},{value:"1.2.18 Ensure that the --profiling argument is set to false (Automated)",id:"1218-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.2.19 Ensure that the --audit-log-path argument is set (Automated)",id:"1219-ensure-that-the---audit-log-path-argument-is-set-automated",level:3},{value:"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)",id:"1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated",level:3},{value:"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)",id:"1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated",level:3},{value:"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)",id:"1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated",level:3},{value:"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)",id:"1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",level:3},{value:"1.2.25 Ensure that the --request-timeout argument is set as appropriate (Automated)",id:"1225-ensure-that-the---request-timeout-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)",id:"1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)",id:"1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)",id:"1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.31 Ensure that encryption providers are appropriately configured (Manual)",id:"1231-ensure-that-encryption-providers-are-appropriately-configured-manual",level:3},{value:"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)",id:"1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"1.3 Controller Manager",id:"13-controller-manager",level:2},{value:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)",id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",level:3},{value:"1.3.2 Ensure that the --profiling argument is set to false (Automated)",id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)",id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",level:3},{value:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)",id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)",id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"1.4 Scheduler",id:"14-scheduler",level:2},{value:"1.4.1 Ensure that the --profiling argument is set to false (Automated)",id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"2 Etcd Node Configuration",id:"2-etcd-node-configuration",level:2},{value:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)",id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)",id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)",id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)",id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)",id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)",id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)",id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-manual",level:3},{value:"3.1 Authentication and Authorization",id:"31-authentication-and-authorization",level:2},{value:"3.1.1 Client certificate authentication should not be used for users (Manual)",id:"311-client-certificate-authentication-should-not-be-used-for-users-manual",level:3},{value:"3.2 Logging",id:"32-logging",level:2},{value:"3.2.1 Ensure that a minimal audit policy is created (Manual)",id:"321-ensure-that-a-minimal-audit-policy-is-created-manual",level:3},{value:"3.2.2 Ensure that the audit policy covers key security concerns (Manual)",id:"322-ensure-that-the-audit-policy-covers-key-security-concerns-manual",level:3},{value:"4.1 Worker Node Configuration Files",id:"41-worker-node-configuration-files",level:2},{value:"4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)",id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"4.1.2 Ensure that the kubelet service file ownership is set to root (Automated)",id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)",id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"4.1.4 If proxy kubeconfig file exists ensure ownership is set to root (Manual)",id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-manual",level:3},{value:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)",id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root (Automated)",id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)",id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-644-or-more-restrictive-manual",level:3},{value:"4.1.8 Ensure that the client certificate authorities file ownership is set to root (Manual)",id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-manual",level:3},{value:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)",id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-644-or-more-restrictive-automated",level:3},{value:"4.1.10 Ensure that the kubelet --config configuration file ownership is set to root (Automated)",id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",level:3},{value:"4.2 Kubelet",id:"42-kubelet",level:2},{value:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)",id:"424-ensure-that-the---read-only-port-argument-is-set-to-0-manual",level:3},{value:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)",id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",level:3},{value:"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)",id:"426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated",level:3},{value:"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)",id:"427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",level:3},{value:"4.2.8 Ensure that the --hostname-override argument is not set (Manual)",id:"428-ensure-that-the---hostname-override-argument-is-not-set-manual",level:3},{value:"4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)",id:"429-ensure-that-the---event-qps-argument-is-set-to-0-or-a-level-which-ensures-appropriate-event-capture-manual",level:3},{value:"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)",id:"4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-manual",level:3},{value:"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)",id:"4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",level:3},{value:"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)",id:"4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-manual",level:3},{value:"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)",id:"4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"5.1 RBAC and Service Accounts",id:"51-rbac-and-service-accounts",level:2},{value:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)",id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",level:3},{value:"5.1.2 Minimize access to secrets (Manual)",id:"512-minimize-access-to-secrets-manual",level:3},{value:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)",id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",level:3},{value:"5.1.4 Minimize access to create pods (Manual)",id:"514-minimize-access-to-create-pods-manual",level:3},{value:"5.1.5 Ensure that default service accounts are not actively used. (Manual)",id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",level:3},{value:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)",id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",level:3},{value:"5.1.7 Avoid use of system group (Manual)",id:"517-avoid-use-of-system-group-manual",level:3},{value:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)",id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",level:3},{value:"5.2 Pod Security Standards",id:"52-pod-security-standards",level:2},{value:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)",id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",level:3},{value:"5.2.2 Minimize the admission of privileged containers (Automated)",id:"522-minimize-the-admission-of-privileged-containers-automated",level:3},{value:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)",id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",level:3},{value:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)",id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",level:3},{value:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)",id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",level:3},{value:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)",id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",level:3},{value:"5.2.7 Minimize the admission of root containers (Automated)",id:"527-minimize-the-admission-of-root-containers-automated",level:3},{value:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)",id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",level:3},{value:"5.2.9 Minimize the admission of containers with added capabilities (Automated)",id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",level:3},{value:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)",id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",level:3},{value:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)",id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",level:3},{value:"5.2.12 Minimize the admission of HostPath volumes (Manual)",id:"5212-minimize-the-admission-of-hostpath-volumes-manual",level:3},{value:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)",id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",level:3},{value:"5.3 Network Policies and CNI",id:"53-network-policies-and-cni",level:2},{value:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)",id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",level:3},{value:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)",id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",level:3},{value:"5.4 Secrets Management",id:"54-secrets-management",level:2},{value:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)",id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",level:3},{value:"5.4.2 Consider external secret storage (Manual)",id:"542-consider-external-secret-storage-manual",level:3},{value:"5.5 Extensible Admission Control",id:"55-extensible-admission-control",level:2},{value:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)",id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",level:3},{value:"5.7 General Policies",id:"57-general-policies",level:2},{value:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)",id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",level:3},{value:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)",id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",level:3},{value:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)",id:"573-apply-securitycontext-to-your-pods-and-containers-manual",level:3},{value:"5.7.4 The default namespace should not be used (Manual)",id:"574-the-default-namespace-should-not-be-used-manual",level:3}];function d(e){const r={a:"a",blockquote:"blockquote",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components};return(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(r.h2,{id:"overview",children:"Overview"}),"\n",(0,s.jsxs)(r.p,{children:["This document is a companion to the ",(0,s.jsx)(r.a,{href:"/security/hardening-guide",children:"K3s security hardening guide"}),". The hardening guide provides prescriptive guidance for hardening a production installation of K3s, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes Benchmark. It is to be used by K3s operators, security teams, auditors, and decision-makers."]}),"\n",(0,s.jsxs)(r.p,{children:["This guide is specific to the ",(0,s.jsx)(r.strong,{children:"v1.22-v1.23"})," release lines of K3s and the ",(0,s.jsx)(r.strong,{children:"v1.23"})," release of the CIS Kubernetes Benchmark."]}),"\n",(0,s.jsxs)(r.p,{children:["For more information about each control, including detailed descriptions and remediations for failing tests, you can refer to the corresponding section of the CIS Kubernetes Benchmark v1.6. You can download the benchmark, after creating a free account, in ",(0,s.jsx)(r.a,{href:"https://www.cisecurity.org/benchmark/kubernetes/",children:"Center for Internet Security (CIS)"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"testing-controls-methodology",children:"Testing controls methodology"}),"\n",(0,s.jsx)(r.p,{children:"Each control in the CIS Kubernetes Benchmark was evaluated against a K3s cluster that was configured according to the accompanying hardening guide."}),"\n",(0,s.jsx)(r.p,{children:"Where control audits differ from the original CIS benchmark, the audit commands specific to K3s are provided for testing."}),"\n",(0,s.jsx)(r.p,{children:"These are the possible results for each control:"}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Pass"})," - The K3s cluster under test passed the audit outlined in the benchmark."]}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Not Applicable"})," - The control is not applicable to K3s because of how it is designed to operate. The remediation section will explain why this is so."]}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Warn"})," - The control is manual in the CIS benchmark and it depends on the cluster's use case or some other factor that must be determined by the cluster operator. These controls have been evaluated to ensure K3s does not prevent their implementation, but no further configuration or auditing of the cluster under test has been performed."]}),"\n"]}),"\n",(0,s.jsx)(r.p,{children:'This guide makes the assumption that K3s is running as a Systemd unit. Your installation may vary and will require you to adjust the "audit" commands to fit your scenario.'}),"\n",(0,s.jsxs)(r.blockquote,{children:["\n",(0,s.jsxs)(r.p,{children:["NOTE: Only ",(0,s.jsx)(r.code,{children:"automated"})," tests (previously called ",(0,s.jsx)(r.code,{children:"scored"}),") are covered in this guide."]}),"\n"]}),"\n",(0,s.jsx)(r.h2,{id:"11-control-plane-node-configuration-files",children:"1.1 Control Plane Node Configuration Files"}),"\n",(0,s.jsx)(r.h3,{id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the\ncontrol plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.2 Ensure that the API server pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.4 Ensure that the controller manager pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.6 Ensure that the scheduler pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 /etc/kubernetes/manifests/etcd.yaml"})]}),"\n",(0,s.jsxs)(r.h3,{id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.8 Ensure that the etcd pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /etc/kubernetes/manifests/etcd.yaml"})]}),"\n",(0,s.jsx)(r.h3,{id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-644-or-more-restrictive-manual",children:"1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 644 "})]}),"\n",(0,s.jsxs)(r.h3,{id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",children:["1.1.10 Ensure that the Container Network Interface file ownership is set to root",":root"," (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root "})]}),"\n",(0,s.jsx)(r.h3,{id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",children:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nOn the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above). For example,\nchmod 700 /var/lib/etcd"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 1.1.11\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'700' is equal to '700'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"700\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",children:["1.1.12 Ensure that the etcd data directory ownership is set to etcd",":etcd"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nOn the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above).\nFor example, chown etcd",":etcd"," /var/lib/etcd"]}),"\n",(0,s.jsx)(r.h3,{id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"]}),"\n",(0,s.jsxs)(r.h3,{id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",children:["1.1.14 Ensure that the admin.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, chown root",":root"," /etc/kubernetes/admin.conf"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod 644 scheduler"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions has permissions 644, expected 644 or more restrictive\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",children:["1.1.16 Ensure that the scheduler.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root scheduler"})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod 644 controllermanager"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions has permissions 644, expected 644 or more restrictive\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",children:["1.1.18 Ensure that the controller-manager.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchown root",":root"," controllermanager"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",children:["1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchown -R root",":root"," /etc/kubernetes/pki/"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"find /var/lib/rancher/k3s/server/tls | xargs stat -c %U:%G\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-644-or-more-restrictive-manual",children:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod -R 644 /etc/kubernetes/pki/*.crt"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %n %a /var/lib/rancher/k3s/server/tls/*.crt\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-manual",children:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example,\nchmod -R 600 /etc/kubernetes/pki/*.key"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %n %a /var/lib/rancher/k3s/server/tls/*.key\n"})}),"\n",(0,s.jsx)(r.h2,{id:"12-api-server",children:"1.2 API Server"}),"\n",(0,s.jsx)(r.h3,{id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-manual",children:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--anonymous-auth=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",children:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and configure alternate mechanisms for authentication. Then,\nedit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the ",(0,s.jsx)(r.code,{children:"--token-auth-file="})," parameter."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--token-auth-file' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h3,{id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",children:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the ",(0,s.jsx)(r.code,{children:"DenyServiceExternalIPs"}),"\nfrom enabled admission plugins."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' is present OR '--enable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h3,{id:"124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated",children:"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the --kubelet-https parameter."]}),"\n",(0,s.jsx)(r.h3,{id:"125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",children:"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection between the\napiserver and kubelets. Then, edit API server pod specification file\n/etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the\nkubelet client certificate and key parameters as below."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--kubelet-client-certificate=\n--kubelet-client-key=\n"})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--kubelet-client-certificate' is present AND '--kubelet-client-key' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",children:"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and setup the TLS connection between\nthe apiserver and kubelets. Then, edit the API server pod specification file\n/etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the\n--kubelet-certificate-authority parameter to the path to the cert file for the certificate authority\n",(0,s.jsx)(r.code,{children:"--kubelet-certificate-authority="}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--kubelet-certificate-authority' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to values other than AlwaysAllow.\nOne such example could be as below.\n--authorization-mode=RBAC"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' does not have 'AlwaysAllow'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"128-ensure-that-the---authorization-mode-argument-includes-node-automated",children:"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to a value that includes Node.\n--authorization-mode=Node,RBAC"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' has 'Node'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"129-ensure-that-the---authorization-mode-argument-includes-rbac-automated",children:"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --authorization-mode parameter to a value that includes RBAC,\nfor example ",(0,s.jsx)(r.code,{children:"--authorization-mode=Node,RBAC"}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' has 'RBAC'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",children:"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set the desired limits in a configuration file.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\nand set the below parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--enable-admission-plugins=...,EventRateLimit,...\n--admission-control-config-file=\n"})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' has 'EventRateLimit'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",children:"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and either remove the --enable-admission-plugins parameter, or set it to a\nvalue that does not include AlwaysAdmit."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' does not have 'AlwaysAdmit' OR '--enable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",children:"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to include\nAlwaysPullImages.\n--enable-admission-plugins=...,AlwaysPullImages,..."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",children:"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to include\nSecurityContextDeny, unless PodSecurityPolicy is already in place.\n--enable-admission-plugins=...,SecurityContextDeny,..."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' has 'SecurityContextDeny' OR '--enable-admission-plugins' has 'PodSecurityPolicy'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",children:"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create ServiceAccount objects as per your environment.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and ensure that the --disable-admission-plugins parameter is set to a\nvalue that does not include ServiceAccount."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",children:"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --disable-admission-plugins parameter to\nensure it does not include NamespaceLifecycle."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",children:"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to a\nvalue that includes NodeRestriction.\n--enable-admission-plugins=...,NodeRestriction,..."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--enable-admission-plugins' has 'NodeRestriction'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated",children:"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and either remove the --secure-port parameter or\nset it to a different (non-zero) desired port."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'secure-port'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--secure-port' is greater than 0 OR '--secure-port' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1218-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.2.18 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--profiling=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--profiling' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1219-ensure-that-the---audit-log-path-argument-is-set-automated",children:"1.2.19 Ensure that the --audit-log-path argument is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-path parameter to a suitable path and\nfile where you would like audit logs to be written, for example,\n--audit-log-path=/var/log/apiserver/audit.log"]}),"\n",(0,s.jsx)(r.h3,{id:"1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated",children:"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxage parameter to 30\nor as an appropriate number of days, for example,\n--audit-log-maxage=30"]}),"\n",(0,s.jsx)(r.h3,{id:"1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated",children:"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate\nvalue. For example,\n--audit-log-maxbackup=10"]}),"\n",(0,s.jsx)(r.h3,{id:"1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated",children:"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB.\nFor example, to set it as 100 MB, --audit-log-maxsize=100"]}),"\n",(0,s.jsx)(r.h3,{id:"1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",children:"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--service-account-lookup=true\nAlternatively, you can delete the --service-account-lookup parameter from this file so\nthat the default takes effect."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--service-account-lookup' is not present OR '--service-account-lookup' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1225-ensure-that-the---request-timeout-argument-is-set-as-appropriate-automated",children:"1.2.25 Ensure that the --request-timeout argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --service-account-key-file parameter\nto the public key file for service accounts. For example,\n",(0,s.jsx)(r.code,{children:"--service-account-key-file="}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",children:"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the etcd certificate and key file parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--etcd-certfile=\n--etcd-keyfile=\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 1.2.29\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--etcd-certfile' is present AND '--etcd-keyfile' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--etcd-certfile AND --etcd-keyfile\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the TLS certificate and private key file parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--tls-cert-file=\n--tls-private-key-file=\n"})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep -A1 'Running kube-apiserver' | tail -n2\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--tls-cert-file' is present AND '--tls-private-key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key" Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the client certificate authority file.\n",(0,s.jsx)(r.code,{children:"--client-ca-file="})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'client-ca-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",children:"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the etcd certificate authority file parameter.\n",(0,s.jsx)(r.code,{children:"--etcd-cafile="})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-cafile'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--etcd-cafile' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",children:"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and configure a EncryptionConfig file.\nThen, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --encryption-provider-config parameter to the path of that file.\nFor example, ",(0,s.jsx)(r.code,{children:"--encryption-provider-config="})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1231-ensure-that-encryption-providers-are-appropriately-configured-manual",children:"1.2.31 Ensure that encryption providers are appropriately configured (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and configure a EncryptionConfig file.\nIn this file, choose aescbc, kms or secretbox as the encryption provider."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"grep aescbc /path/to/encryption-config.json\n"})}),"\n",(0,s.jsx)(r.h3,{id:"1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-manual",children:"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the below parameter.\n--tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,\nTLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\nTLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\nTLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,\nTLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\nTLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,\nTLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,\nTLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'\n"})}),"\n",(0,s.jsx)(r.h2,{id:"13-controller-manager",children:"1.3 Controller Manager"}),"\n",(0,s.jsx)(r.h3,{id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",children:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --terminated-pod-gc-threshold to an appropriate threshold,\nfor example, --terminated-pod-gc-threshold=10"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'terminated-pod-gc-threshold'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.3.2 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the below parameter.\n--profiling=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--profiling' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",children:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node to set the below parameter.\n--use-service-account-credentials=true"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--use-service-account-credentials' is not equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",children:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --service-account-private-key-file parameter\nto the private key file for service accounts. For example,\n",(0,s.jsx)(r.code,{children:"--service-account-private-key-file="}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'service-account-private-key-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--service-account-private-key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",children:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --root-ca-file parameter to the certificate bundle file.\n",(0,s.jsx)(r.code,{children:"--root-ca-file="})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'root-ca-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--root-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-controller-manager --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --use-service-account-credentials=true"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.\n--feature-gates=RotateKubeletServerCertificate=true"]}),"\n",(0,s.jsx)(r.h3,{id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml\non the control plane node and ensure the correct value for the --bind-address parameter"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -ef | grep containerd | grep -v grep\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--bind-address' is present OR '--bind-address' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root 1616 1600 6 13:26 ? 00:01:28 containerd -c /var/lib/rancher/k3s/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/k3s/agent/containerd root 2318 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id b41ec3297be4625c2406ad8b7b4f8b91cddd60850c420050c4c3273f809b3e7e -address /run/k3s/containerd/containerd.sock root 2341 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id e7999a65ae0a4e9969f32317ec48ae4f7071b62f92e5236696737973be77c2e1 -address /run/k3s/containerd/containerd.sock root 3199 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 90c4e63d6ee29d40a48c2fdaf2738c2472cba1139dde8a550466c452184f8528 -address /run/k3s/containerd/containerd.sock root 3923 1 0 13:27 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id be5f4b9bd1ed9239362b7000b47f353acb8bc8ca52a9c9145cba0e902ec1c4b9 -address /run/k3s/containerd/containerd.sock root 4559 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 04cd40ea6b6078797f177c902c89412c70e523ad2a687a62829bf1d16ff0e19c -address /run/k3s/containerd/containerd.sock root 4647 1 0 13:28 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 48f37a480315b6adce2d2a5c5d67a85412dd0ba7a2e82816434e0deb9fa75de9 -address /run/k3s/containerd/containerd.sock root 6610 1 0 13:47 ? 00:00:00 /var/lib/rancher/k3s/data/577968fa3d58539cc4265245941b7be688833e6bf5ad7869fa2afe02f15f1cd2/bin/containerd-shim-runc-v2 -namespace k8s.io -id 1cf71c22f568468055e517ab363437c0e54e45274c64024d337cc5bcce66341d -address /run/k3s/containerd/containerd.sock\n"})}),"\n",(0,s.jsx)(r.h2,{id:"14-scheduler",children:"1.4 Scheduler"}),"\n",(0,s.jsx)(r.h3,{id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.4.1 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file\non the control plane node and set the below parameter.\n--profiling=false"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--profiling' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml\non the control plane node and ensure the correct value for the --bind-address parameter"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'bind-address'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/kube-scheduler --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})}),"\n",(0,s.jsx)(r.h2,{id:"2-etcd-node-configuration",children:"2 Etcd Node Configuration"}),"\n",(0,s.jsx)(r.h3,{id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",children:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the etcd service documentation and configure TLS encryption.\nThen, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml\non the master node and set the below parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--cert-file=\n--key-file=\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'cert-file' is present AND 'key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"cert-file AND key-file cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key cert-file AND key-file\n"})}),"\n",(0,s.jsx)(r.h3,{id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",children:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),'\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and set the below parameter.\n--client-cert-auth="true"']}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.2\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-cert-auth' is present OR 'client-cert-auth' is equal to 'true'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--client-cert-auth=true client-cert-auth: true --client-cert-auth=true\n"})}),"\n",(0,s.jsx)(r.h3,{id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",children:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and either remove the --auto-tls parameter or set it to false.\n--auto-tls=false"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.3\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'ETCD_AUTO_TLS' is not present OR 'ETCD_AUTO_TLS' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory\n"})}),"\n",(0,s.jsx)(r.h3,{id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",children:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the etcd service documentation and configure peer TLS encryption as appropriate\nfor your etcd cluster.\nThen, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the\nmaster node and set the below parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--peer-client-file=\n--peer-key-file=\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.4\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'cert-file' is present AND 'key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"peer-cert-file AND peer-key-file cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key peer-cert-file AND peer-key-file\n"})}),"\n",(0,s.jsx)(r.h3,{id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",children:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and set the below parameter.\n--peer-client-cert-auth=true"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.5\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-cert-auth' is present OR 'client-cert-auth' is equal to 'true'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--client-cert-auth=true client-cert-auth: true --client-cert-auth=true\n"})}),"\n",(0,s.jsx)(r.h3,{id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",children:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master\nnode and either remove the --peer-auto-tls parameter or set it to false.\n--peer-auto-tls=false"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.6\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--peer-auto-tls' is not present OR '--peer-auto-tls' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--peer-auto-tls=false error: process ID list syntax error Usage: ps [options] Try 'ps --help ' or 'ps --help ' for additional help text. For more details see ps(1). cat: /proc//environ: No such file or directory --peer-auto-tls=false\n"})}),"\n",(0,s.jsx)(r.h3,{id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-manual",children:"2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\n[Manual test]\nFollow the etcd documentation and create a dedicated certificate authority setup for the\netcd service.\nThen, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the\nmaster node and set the below parameter.\n",(0,s.jsx)(r.code,{children:"--trusted-ca-file="})]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Audit Script:"})," ",(0,s.jsx)(r.code,{children:"check_for_k3s_etcd.sh"})]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'#!/bin/bash\n\n# This script is used to ensure that k3s is actually running etcd (and not other databases like sqlite3)\n# before it checks the requirement\nset -eE\n\nhandle_error() {\n echo "false"\n}\n\ntrap \'handle_error\' ERR\n\n\nif [[ "$(journalctl -D /var/log/journal -u k3s | grep \'Managed etcd cluster initializing\' | grep -v grep | wc -l)" -gt 0 ]]; then\n case $1 in \n "1.1.11")\n echo $(stat -c %a /var/lib/rancher/k3s/server/db/etcd);;\n "1.2.29")\n echo $(journalctl -D /var/log/journal -u k3s | grep \'Running kube-apiserver\' | tail -n1 | grep \'etcd-\');;\n "2.1")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.2")\n echo $(grep -A 5 \'client-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.3")\n echo $(grep \'auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.4")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep -E \'cert-file|key-file\');;\n "2.5")\n echo $(grep -A 5 \'peer-transport-security\' /var/lib/rancher/k3s/server/db/etcd/config | grep \'client-cert-auth\');;\n "2.6")\n echo $(grep \'peer-auto-tls\' /var/lib/rancher/k3s/server/db/etcd/config);;\n "2.7")\n echo $(grep \'trusted-ca-file\' /var/lib/rancher/k3s/server/db/etcd/config);;\n esac\nelse\n# If another database is running, return whatever is required to pass the scan\n case $1 in\n "1.1.11")\n echo "700";;\n "1.2.29")\n echo "--etcd-certfile AND --etcd-keyfile";;\n "2.1")\n echo "cert-file AND key-file";;\n "2.2")\n echo "--client-cert-auth=true";;\n "2.3")\n echo "false";;\n "2.4")\n echo "peer-cert-file AND peer-key-file";;\n "2.5")\n echo "--client-cert-auth=true";;\n "2.6")\n echo "--peer-auto-tls=false";;\n "2.7")\n echo "--trusted-ca-file";;\n esac\nfi\n\n'})}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit Execution:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"./check_for_k3s_etcd.sh 2.7\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'trusted-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"--trusted-ca-file trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt --trusted-ca-file\n"})}),"\n",(0,s.jsx)(r.h2,{id:"31-authentication-and-authorization",children:"3.1 Authentication and Authorization"}),"\n",(0,s.jsx)(r.h3,{id:"311-client-certificate-authentication-should-not-be-used-for-users-manual",children:"3.1.1 Client certificate authentication should not be used for users (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAlternative mechanisms provided by Kubernetes such as the use of OIDC should be\nimplemented in place of client certificates."]}),"\n",(0,s.jsx)(r.h2,{id:"32-logging",children:"3.2 Logging"}),"\n",(0,s.jsx)(r.h3,{id:"321-ensure-that-a-minimal-audit-policy-is-created-manual",children:"3.2.1 Ensure that a minimal audit policy is created (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate an audit policy file for your cluster."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"322-ensure-that-the-audit-policy-covers-key-security-concerns-manual",children:"3.2.2 Ensure that the audit policy covers key security concerns (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nReview the audit policy provided for the cluster and ensure that it covers\nat least the following areas,"]}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsx)(r.li,{children:"Access to Secrets managed by the cluster. Care should be taken to only\nlog Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in\norder to avoid risk of logging sensitive data."}),"\n",(0,s.jsx)(r.li,{children:"Modification of Pod and Deployment objects."}),"\n",(0,s.jsxs)(r.li,{children:["Use of ",(0,s.jsx)(r.code,{children:"pods/exec"}),", ",(0,s.jsx)(r.code,{children:"pods/portforward"}),", ",(0,s.jsx)(r.code,{children:"pods/proxy"})," and ",(0,s.jsx)(r.code,{children:"services/proxy"}),".\nFor most requests, minimally logging at the Metadata level is recommended\n(the most basic level of logging)."]}),"\n"]}),"\n",(0,s.jsx)(r.h2,{id:"41-worker-node-configuration-files",children:"4.1 Worker Node Configuration Files"}),"\n",(0,s.jsx)(r.h3,{id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example, chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf"]}),"\n",(0,s.jsxs)(r.h3,{id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",children:["4.1.2 Ensure that the kubelet service file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchown root",":root"," /etc/systemd/system/kubelet.service.d/10-kubeadm.conf"]}),"\n",(0,s.jsx)(r.h3,{id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-644-or-more-restrictive-manual",children:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchmod 644 /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %a /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'permissions' is present OR '/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"644 644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-manual",children:["4.1.4 If proxy kubeconfig file exists ensure ownership is set to root",":root"," (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example, chown root",":root"," /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is present OR '/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchmod 644 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %a /var/lib/rancher/k3s/agent/kubelet.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'644' is equal to '644'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"644 644\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",children:["4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the each worker node.\nFor example,\nchown root",":root"," /var/lib/rancher/k3s/server/cred/admin.kubeconfig"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/kubelet.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-644-or-more-restrictive-manual",children:"4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command to modify the file permissions of the\n--client-ca-file: ",(0,s.jsx)(r.code,{children:"chmod 644 "})]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %a /var/lib/rancher/k3s/server/tls/server-ca.crt\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'644' is present OR '640' is present OR '600' is equal to '600' OR '444' is present OR '440' is present OR '400' is present OR '000' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"644 600\n"})}),"\n",(0,s.jsxs)(r.h3,{id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-manual",children:["4.1.8 Ensure that the client certificate authorities file ownership is set to root",":root"," (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command to modify the ownership of the --client-ca-file:\n",(0,s.jsx)(r.code,{children:"chown root:root "}),"."]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls/client-ca.crt\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'root:root' is equal to 'root:root'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root root:root\n"})}),"\n",(0,s.jsx)(r.h3,{id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-644-or-more-restrictive-automated",children:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command (using the config file location identified in the Audit step)\nchmod 644 /var/lib/kubelet/config.yaml"]}),"\n",(0,s.jsxs)(r.h3,{id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",children:["4.1.10 Ensure that the kubelet --config configuration file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the following command (using the config file location identified in the Audit step)\nchown root",":root"," /var/lib/kubelet/config.yaml"]}),"\n",(0,s.jsx)(r.h2,{id:"42-kubelet",children:"4.2 Kubelet"}),"\n",(0,s.jsx)(r.h3,{id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"authentication: anonymous: enabled"})," to\n",(0,s.jsx)(r.code,{children:"false"}),".\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n",(0,s.jsx)(r.code,{children:"--anonymous-auth=false"}),"\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi\'\n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--anonymous-auth' is equal to 'false'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'--anonymous-auth=false Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"authorization.mode"})," to Webhook. If\nusing executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n--authorization-mode=Webhook\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode" | grep -v grep; else echo "--authorization-mode=Webhook"; fi\'\n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--authorization-mode' does not have 'AlwaysAllow'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'--authorization-mode=Webhook Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"authentication.x509.clientCAFile"})," to\nthe location of the client CA file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_AUTHZ_ARGS variable.\n",(0,s.jsx)(r.code,{children:"--client-ca-file="}),"\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file" | grep -v grep; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi\'\n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--client-ca-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt Sep 13 13:26:40 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:40Z" level=info msg="Running kube-apiserver --advertise-address=172.31.0.140 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"424-ensure-that-the---read-only-port-argument-is-set-to-0-manual",children:"4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"readOnlyPort"})," to 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--read-only-port=0\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'read-only-port'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--read-only-port' is equal to '0' OR '--read-only-port' is not present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:50 k3s-123-cis-pool2-98604672-hr9p5 k3s[1592]: time="2022-09-13T13:26:50Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool2-98604672-hr9p5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=00c4e7a0-5497-4367-a70c-0b836757eae8 --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key" Sep 13 13:26:44 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:44Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool3-b403f678-bzdg5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=109d596c-89f5-4c10-8c7f-6b82a38edd8f --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",children:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"streamingConnectionIdleTimeout"})," to a\nvalue other than 0.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--streaming-connection-idle-timeout=5m\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'streaming-connection-idle-timeout'\n"})}),"\n",(0,s.jsx)(r.h3,{id:"426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated",children:"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"protectKernelDefaults"})," to ",(0,s.jsx)(r.code,{children:"true"}),".\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\n--protect-kernel-defaults=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",children:"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"makeIPTablesUtilChains"})," to ",(0,s.jsx)(r.code,{children:"true"}),".\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove the --make-iptables-util-chains argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"428-ensure-that-the---hostname-override-argument-is-not-set-manual",children:"4.2.8 Ensure that the --hostname-override argument is not set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and remove the --hostname-override argument from the\nKUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"429-ensure-that-the---event-qps-argument-is-set-to-0-or-a-level-which-ensures-appropriate-event-capture-manual",children:"4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"eventRecordQPS"})," to an appropriate level.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -fC containerd\n"})}),"\n",(0,s.jsx)(r.h3,{id:"4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-manual",children:"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," pass"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"tlsCertFile"})," to the location\nof the certificate file to use to identify this Kubelet, and ",(0,s.jsx)(r.code,{children:"tlsPrivateKeyFile"}),"\nto the location of the corresponding private key file.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the below parameters in KUBELET_CERTIFICATE_ARGS variable."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:"--tls-cert-file=\n--tls-private-key-file=\n"})}),"\n",(0,s.jsx)(r.p,{children:"Based on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"'--tls-cert-file' is present AND '--tls-private-key-file' is present\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Returned Value"}),":"]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Sep 13 13:26:50 k3s-123-cis-pool2-98604672-hr9p5 k3s[1592]: time="2022-09-13T13:26:50Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool2-98604672-hr9p5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=00c4e7a0-5497-4367-a70c-0b836757eae8 --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key" Sep 13 13:26:44 k3s-123-cis-pool3-b403f678-bzdg5 k3s[1600]: time="2022-09-13T13:26:44Z" level=info msg="Running kubelet --address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=k3s-123-cis-pool3-b403f678-bzdg5 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --node-labels=rke.cattle.io/machine=109d596c-89f5-4c10-8c7f-6b82a38edd8f --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",children:"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to add the line ",(0,s.jsx)(r.code,{children:"rotateCertificates"})," to ",(0,s.jsx)(r.code,{children:"true"})," or\nremove it altogether to use the default value.\nIf using command line arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nremove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS\nvariable.\nBased on your system, restart the kubelet service. For example,\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-manual",children:"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf\non each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.\n--feature-gates=RotateKubeletServerCertificate=true\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.h3,{id:"4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",children:"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf using a Kubelet config file, edit the file to set ",(0,s.jsx)(r.code,{children:"TLSCipherSuites"})," to\nTLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nor to a subset of these values.\nIf using executable arguments, edit the kubelet service file\n/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and\nset the --tls-cipher-suites parameter as follows, or to a subset of these values.\n--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256\nBased on your system, restart the kubelet service. For example:\nsystemctl daemon-reload\nsystemctl restart kubelet.service"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/ps -fC containerd\n"})}),"\n",(0,s.jsx)(r.h2,{id:"51-rbac-and-service-accounts",children:"5.1 RBAC and Service Accounts"}),"\n",(0,s.jsx)(r.h3,{id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",children:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIdentify all clusterrolebindings to the cluster-admin role. Check if they are used and\nif they need this role or if they could use a role with fewer privileges.\nWhere possible, first bind users to a lower privileged role and then remove the\nclusterrolebinding to the cluster-admin role :\nkubectl delete clusterrolebinding [name]"]}),"\n",(0,s.jsx)(r.h3,{id:"512-minimize-access-to-secrets-manual",children:"5.1.2 Minimize access to secrets (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove get, list and watch access to Secret objects in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",children:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible replace any use of wildcards in clusterroles and roles with specific\nobjects or actions."]}),"\n",(0,s.jsx)(r.h3,{id:"514-minimize-access-to-create-pods-manual",children:"5.1.4 Minimize access to create pods (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove create access to pod objects in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",children:"5.1.5 Ensure that default service accounts are not actively used. (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\nautomountServiceAccountToken: false"]}),"\n",(0,s.jsx)(r.h3,{id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",children:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nModify the definition of pods and service accounts which do not need to mount service\naccount tokens to disable it."]}),"\n",(0,s.jsxs)(r.h3,{id:"517-avoid-use-of-system-group-manual",children:["5.1.7 Avoid use of system",":masters"," group (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRemove the system",":masters"," group from all users in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",children:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove the impersonate, bind and escalate rights from subjects."]}),"\n",(0,s.jsx)(r.h2,{id:"52-pod-security-standards",children:"5.2 Pod Security Standards"}),"\n",(0,s.jsx)(r.h3,{id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",children:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that either Pod Security Admission or an external policy control system is in place\nfor every namespace which contains user workloads."]}),"\n",(0,s.jsx)(r.h3,{id:"522-minimize-the-admission-of-privileged-containers-automated",children:"5.2.2 Minimize the admission of privileged containers (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of privileged containers."]}),"\n",(0,s.jsx)(r.h3,{id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",children:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostPID"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",children:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostIPC"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",children:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostNetwork"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",children:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,s.jsx)(r.code,{children:".spec.allowPrivilegeEscalation"})," set to ",(0,s.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"527-minimize-the-admission-of-root-containers-automated",children:"5.2.7 Minimize the admission of root containers (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate a policy for each namespace in the cluster, ensuring that either ",(0,s.jsx)(r.code,{children:"MustRunAsNonRoot"}),"\nor ",(0,s.jsx)(r.code,{children:"MustRunAs"})," with the range of UIDs not including 0, is set."]}),"\n",(0,s.jsx)(r.h3,{id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",children:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with the ",(0,s.jsx)(r.code,{children:"NET_RAW"})," capability."]}),"\n",(0,s.jsx)(r.h3,{id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",children:"5.2.9 Minimize the admission of containers with added capabilities (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that ",(0,s.jsx)(r.code,{children:"allowedCapabilities"})," is not present in policies for the cluster unless\nit is set to an empty array."]}),"\n",(0,s.jsx)(r.h3,{id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",children:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nReview the use of capabilities in applications running on your cluster. Where a namespace\ncontains applications which do not require any Linux capabilities to operate consider adding\na PSP which forbids the admission of containers which do not drop all capabilities."]}),"\n",(0,s.jsx)(r.h3,{id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",children:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers that have ",(0,s.jsx)(r.code,{children:".securityContext.windowsOptions.hostProcess"})," set to ",(0,s.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"5212-minimize-the-admission-of-hostpath-volumes-manual",children:"5.2.12 Minimize the admission of HostPath volumes (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,s.jsx)(r.code,{children:"hostPath"})," volumes."]}),"\n",(0,s.jsx)(r.h3,{id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",children:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers which use ",(0,s.jsx)(r.code,{children:"hostPort"})," sections."]}),"\n",(0,s.jsx)(r.h2,{id:"53-network-policies-and-cni",children:"5.3 Network Policies and CNI"}),"\n",(0,s.jsx)(r.h3,{id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",children:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf the CNI plugin in use does not support network policies, consideration should be given to\nmaking use of a different plugin, or finding an alternate mechanism for restricting traffic\nin the Kubernetes cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",children:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create NetworkPolicy objects as you need them."]}),"\n",(0,s.jsx)(r.h2,{id:"54-secrets-management",children:"5.4 Secrets Management"}),"\n",(0,s.jsx)(r.h3,{id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",children:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf possible, rewrite application code to read Secrets from mounted secret files, rather than\nfrom environment variables."]}),"\n",(0,s.jsx)(r.h3,{id:"542-consider-external-secret-storage-manual",children:"5.4.2 Consider external secret storage (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRefer to the Secrets management options offered by your cloud provider or a third-party\nsecrets management solution."]}),"\n",(0,s.jsx)(r.h2,{id:"55-extensible-admission-control",children:"5.5 Extensible Admission Control"}),"\n",(0,s.jsx)(r.h3,{id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",children:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and setup image provenance."]}),"\n",(0,s.jsx)(r.h2,{id:"57-general-policies",children:"5.7 General Policies"}),"\n",(0,s.jsx)(r.h3,{id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",children:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create namespaces for objects in your deployment as you need\nthem."]}),"\n",(0,s.jsx)(r.h3,{id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",children:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nUse ",(0,s.jsx)(r.code,{children:"securityContext"})," to enable the docker/default seccomp profile in your pod definitions.\nAn example is as below:\nsecurityContext:\nseccompProfile:\ntype: RuntimeDefault"]}),"\n",(0,s.jsx)(r.h3,{id:"573-apply-securitycontext-to-your-pods-and-containers-manual",children:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and apply SecurityContexts to your Pods. For a\nsuggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker\nContainers."]}),"\n",(0,s.jsx)(r.h3,{id:"574-the-default-namespace-should-not-be-used-manual",children:"5.7.4 The default namespace should not be used (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," warn"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes\nresources and that all new resources are created in a specific namespace."]})]})}function h(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,s.jsx)(r,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,r,t)=>{t.d(r,{Z:()=>c,a:()=>i});var s=t(7294);const n={},a=s.createContext(n);function i(e){const r=s.useContext(a);return s.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function c(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:i(e.components),s.createElement(a.Provider,{value:r},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/a09c2993.bf3a0eee.js b/assets/js/a09c2993.f6378292.js
similarity index 98%
rename from assets/js/a09c2993.bf3a0eee.js
rename to assets/js/a09c2993.f6378292.js
index ea98c20d3..ca991d4c2 100644
--- a/assets/js/a09c2993.bf3a0eee.js
+++ b/assets/js/a09c2993.f6378292.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4128],{8152:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>a,contentTitle:()=>l,default:()=>h,frontMatter:()=>r,metadata:()=>o,toc:()=>c});var i=t(5893),s=t(1151);const r={slug:"/",title:"K3s - Lightweight Kubernetes"},l="What is K3s?",o={id:"introduction",title:"K3s - Lightweight Kubernetes",description:"Lightweight Kubernetes. Easy to install, half the memory, all in a binary of less than 100 MB.",source:"@site/docs/introduction.md",sourceDirName:".",slug:"/",permalink:"/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/introduction.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{slug:"/",title:"K3s - Lightweight Kubernetes"},sidebar:"mySidebar",next:{title:"Quick-Start Guide",permalink:"/quick-start"}},a={},c=[];function d(e){const n={h1:"h1",header:"header",li:"li",p:"p",ul:"ul",...(0,s.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.p,{children:"Lightweight Kubernetes. Easy to install, half the memory, all in a binary of less than 100 MB."}),"\n",(0,i.jsx)(n.p,{children:"Great for:"}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"Edge"}),"\n",(0,i.jsx)(n.li,{children:"Homelab"}),"\n",(0,i.jsx)(n.li,{children:"Internet of Things (IoT)"}),"\n",(0,i.jsx)(n.li,{children:"Continuous Integration (CI)"}),"\n",(0,i.jsx)(n.li,{children:"Development"}),"\n",(0,i.jsx)(n.li,{children:"Single board computers (ARM)"}),"\n",(0,i.jsx)(n.li,{children:"Air-gapped environments"}),"\n",(0,i.jsx)(n.li,{children:"Embedded K8s"}),"\n",(0,i.jsx)(n.li,{children:"Situations where a PhD in K8s clusterology is infeasible"}),"\n"]}),"\n",(0,i.jsx)(n.header,{children:(0,i.jsx)(n.h1,{id:"what-is-k3s",children:"What is K3s?"})}),"\n",(0,i.jsx)(n.p,{children:"K3s is a fully compliant Kubernetes distribution with the following enhancements:"}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"Distributed as a single binary or minimal container image."}),"\n",(0,i.jsx)(n.li,{children:"Lightweight datastore based on sqlite3 as the default storage backend. etcd3, MySQL, and Postgres are also available."}),"\n",(0,i.jsx)(n.li,{children:"Wrapped in simple launcher that handles a lot of the complexity of TLS and options."}),"\n",(0,i.jsx)(n.li,{children:"Secure by default with reasonable defaults for lightweight environments."}),"\n",(0,i.jsx)(n.li,{children:"Operation of all Kubernetes control plane components is encapsulated in a single binary and process, allowing K3s to automate and manage complex cluster operations like distributing certificates."}),"\n",(0,i.jsx)(n.li,{children:"External dependencies have been minimized; the only requirements are a modern kernel and cgroup mounts."}),"\n",(0,i.jsxs)(n.li,{children:['Packages the required dependencies for easy "batteries-included" cluster creation:',"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"containerd / cri-dockerd container runtime (CRI)"}),"\n",(0,i.jsx)(n.li,{children:"Flannel Container Network Interface (CNI)"}),"\n",(0,i.jsx)(n.li,{children:"CoreDNS Cluster DNS"}),"\n",(0,i.jsx)(n.li,{children:"Traefik Ingress controller"}),"\n",(0,i.jsx)(n.li,{children:"ServiceLB Load-Balancer controller"}),"\n",(0,i.jsx)(n.li,{children:"Kube-router Network Policy controller"}),"\n",(0,i.jsx)(n.li,{children:"Local-path-provisioner Persistent Volume controller"}),"\n",(0,i.jsx)(n.li,{children:"Spegel distributed container image registry mirror"}),"\n",(0,i.jsx)(n.li,{children:"Host utilities (iptables, socat, etc)"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(n.h1,{id:"whats-with-the-name",children:"What's with the name?"}),"\n",(0,i.jsx)(n.p,{children:"We wanted an installation of Kubernetes that was half the size in terms of memory footprint. Kubernetes is a 10-letter word stylized as K8s. So something half as big as Kubernetes would be a 5-letter word stylized as K3s. There is no long form of K3s and no official pronunciation."})]})}function h(e={}){const{wrapper:n}={...(0,s.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(d,{...e})}):d(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>o,a:()=>l});var i=t(7294);const s={},r=i.createContext(s);function l(e){const n=i.useContext(r);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(s):e.components||s:l(e.components),i.createElement(r.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4128],{8152:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>a,contentTitle:()=>l,default:()=>h,frontMatter:()=>r,metadata:()=>o,toc:()=>c});var i=t(5893),s=t(1151);const r={slug:"/",title:"K3s - Lightweight Kubernetes"},l="What is K3s?",o={id:"introduction",title:"K3s - Lightweight Kubernetes",description:"Lightweight Kubernetes. Easy to install, half the memory, all in a binary of less than 100 MB.",source:"@site/docs/introduction.md",sourceDirName:".",slug:"/",permalink:"/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/introduction.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{slug:"/",title:"K3s - Lightweight Kubernetes"},sidebar:"mySidebar",next:{title:"Quick-Start Guide",permalink:"/quick-start"}},a={},c=[];function d(e){const n={h1:"h1",header:"header",li:"li",p:"p",ul:"ul",...(0,s.a)(),...e.components};return(0,i.jsxs)(i.Fragment,{children:[(0,i.jsx)(n.p,{children:"Lightweight Kubernetes. Easy to install, half the memory, all in a binary of less than 100 MB."}),"\n",(0,i.jsx)(n.p,{children:"Great for:"}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"Edge"}),"\n",(0,i.jsx)(n.li,{children:"Homelab"}),"\n",(0,i.jsx)(n.li,{children:"Internet of Things (IoT)"}),"\n",(0,i.jsx)(n.li,{children:"Continuous Integration (CI)"}),"\n",(0,i.jsx)(n.li,{children:"Development"}),"\n",(0,i.jsx)(n.li,{children:"Single board computers (ARM)"}),"\n",(0,i.jsx)(n.li,{children:"Air-gapped environments"}),"\n",(0,i.jsx)(n.li,{children:"Embedded K8s"}),"\n",(0,i.jsx)(n.li,{children:"Situations where a PhD in K8s clusterology is infeasible"}),"\n"]}),"\n",(0,i.jsx)(n.header,{children:(0,i.jsx)(n.h1,{id:"what-is-k3s",children:"What is K3s?"})}),"\n",(0,i.jsx)(n.p,{children:"K3s is a fully compliant Kubernetes distribution with the following enhancements:"}),"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"Distributed as a single binary or minimal container image."}),"\n",(0,i.jsx)(n.li,{children:"Lightweight datastore based on sqlite3 as the default storage backend. etcd3, MySQL, and Postgres are also available."}),"\n",(0,i.jsx)(n.li,{children:"Wrapped in simple launcher that handles a lot of the complexity of TLS and options."}),"\n",(0,i.jsx)(n.li,{children:"Secure by default with reasonable defaults for lightweight environments."}),"\n",(0,i.jsx)(n.li,{children:"Operation of all Kubernetes control plane components is encapsulated in a single binary and process, allowing K3s to automate and manage complex cluster operations like distributing certificates."}),"\n",(0,i.jsx)(n.li,{children:"External dependencies have been minimized; the only requirements are a modern kernel and cgroup mounts."}),"\n",(0,i.jsxs)(n.li,{children:['Packages the required dependencies for easy "batteries-included" cluster creation:',"\n",(0,i.jsxs)(n.ul,{children:["\n",(0,i.jsx)(n.li,{children:"containerd / cri-dockerd container runtime (CRI)"}),"\n",(0,i.jsx)(n.li,{children:"Flannel Container Network Interface (CNI)"}),"\n",(0,i.jsx)(n.li,{children:"CoreDNS Cluster DNS"}),"\n",(0,i.jsx)(n.li,{children:"Traefik Ingress controller"}),"\n",(0,i.jsx)(n.li,{children:"ServiceLB Load-Balancer controller"}),"\n",(0,i.jsx)(n.li,{children:"Kube-router Network Policy controller"}),"\n",(0,i.jsx)(n.li,{children:"Local-path-provisioner Persistent Volume controller"}),"\n",(0,i.jsx)(n.li,{children:"Spegel distributed container image registry mirror"}),"\n",(0,i.jsx)(n.li,{children:"Host utilities (iptables, socat, etc)"}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,i.jsx)(n.h1,{id:"whats-with-the-name",children:"What's with the name?"}),"\n",(0,i.jsx)(n.p,{children:"We wanted an installation of Kubernetes that was half the size in terms of memory footprint. Kubernetes is a 10-letter word stylized as K8s. So something half as big as Kubernetes would be a 5-letter word stylized as K3s. There is no long form of K3s and no official pronunciation."})]})}function h(e={}){const{wrapper:n}={...(0,s.a)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(d,{...e})}):d(e)}},1151:(e,n,t)=>{t.d(n,{Z:()=>o,a:()=>l});var i=t(7294);const s={},r=i.createContext(s);function l(e){const n=i.useContext(r);return i.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function o(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(s):e.components||s:l(e.components),i.createElement(r.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/ab388925.dd5c6ec3.js b/assets/js/ab388925.b7cfffff.js
similarity index 99%
rename from assets/js/ab388925.dd5c6ec3.js
rename to assets/js/ab388925.b7cfffff.js
index d76f1b154..819ed8d1e 100644
--- a/assets/js/ab388925.dd5c6ec3.js
+++ b/assets/js/ab388925.b7cfffff.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4548],{9027:(e,t,s)=>{s.r(t),s.d(t,{assets:()=>d,contentTitle:()=>o,default:()=>h,frontMatter:()=>n,metadata:()=>i,toc:()=>c});var a=s(5893),r=s(1151);const n={title:"Cluster Datastore"},o=void 0,i={id:"datastore/datastore",title:"Cluster Datastore",description:"The ability to run Kubernetes using a datastore other than etcd sets K3s apart from other Kubernetes distributions. This feature provides flexibility to Kubernetes operators. The available datastore options allow you to select a datastore that best fits your use case. For example:",source:"@site/docs/datastore/datastore.md",sourceDirName:"datastore",slug:"/datastore/",permalink:"/datastore/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/datastore.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Cluster Datastore"},sidebar:"mySidebar",previous:{title:"Uninstalling K3s",permalink:"/installation/uninstall"},next:{title:"Backup and Restore",permalink:"/datastore/backup-restore"}},d={},c=[{value:"External Datastore Configuration Parameters",id:"external-datastore-configuration-parameters",level:3},{value:"Datastore Endpoint Format and Functionality",id:"datastore-endpoint-format-and-functionality",level:3}];function l(e){const t={a:"a",admonition:"admonition",br:"br",code:"code",h3:"h3",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components},{TabItem:s,Tabs:n}=t;return s||u("TabItem",!0),n||u("Tabs",!0),(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)(t.p,{children:"The ability to run Kubernetes using a datastore other than etcd sets K3s apart from other Kubernetes distributions. This feature provides flexibility to Kubernetes operators. The available datastore options allow you to select a datastore that best fits your use case. For example:"}),"\n",(0,a.jsxs)(t.ul,{children:["\n",(0,a.jsx)(t.li,{children:"If your team doesn't have expertise in operating etcd, you can choose an enterprise-grade SQL database like MySQL or PostgreSQL"}),"\n",(0,a.jsx)(t.li,{children:"If you need to run a simple, short-lived cluster in your CI/CD environment, you can use the embedded SQLite database"}),"\n",(0,a.jsx)(t.li,{children:"If you wish to deploy Kubernetes on the edge and require a highly available solution but can't afford the operational overhead of managing a database at the edge, you can use K3s's embedded HA datastore built on top of embedded etcd."}),"\n"]}),"\n",(0,a.jsx)(t.p,{children:"K3s supports the following datastore options:"}),"\n",(0,a.jsxs)(t.ul,{children:["\n",(0,a.jsxs)(t.li,{children:[(0,a.jsxs)(t.strong,{children:["Embedded ",(0,a.jsx)(t.a,{href:"https://www.sqlite.org/index.html",children:"SQLite"})]}),(0,a.jsx)(t.br,{}),"\n","SQLite cannot be used on clusters with multiple servers.",(0,a.jsx)(t.br,{}),"\n","SQLite is the default datastore, and will be used if no other datastore configuration is present, and no embedded etcd database files are present on disk."]}),"\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.strong,{children:"Embedded etcd"}),(0,a.jsx)(t.br,{}),"\n","See the ",(0,a.jsx)(t.a,{href:"/datastore/ha-embedded",children:"High Availability Embedded etcd"})," documentation for more information on using embedded etcd with multiple servers.\nEmbedded etcd will be automatically selected if K3s is configured to initialize a new etcd cluster, join an existing etcd cluster, or if etcd database files are present on disk during startup."]}),"\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.strong,{children:"External Database"}),(0,a.jsx)(t.br,{}),"\n","See the ",(0,a.jsx)(t.a,{href:"/datastore/ha",children:"High Availability External DB"})," documentation for more information on using external datastores with multiple servers.",(0,a.jsx)(t.br,{}),"\n","The following external datastores are supported:","\n",(0,a.jsxs)(t.ul,{children:["\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.a,{href:"https://etcd.io/",children:"etcd"})," (certified against version 3.5.4)"]}),"\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.a,{href:"https://www.mysql.com/",children:"MySQL"})," (certified against versions 5.7 and 8.0)"]}),"\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.a,{href:"https://mariadb.org/",children:"MariaDB"})," (certified against version 10.6.8)"]}),"\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.a,{href:"https://www.postgresql.org/",children:"PostgreSQL"})," (certified against versions 12.16, 13.12, 14.9 and 15.4)"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,a.jsx)(t.admonition,{title:"Prepared Statement Support",type:"warning",children:(0,a.jsxs)(t.p,{children:["K3s requires prepared statements support from the DB. This means that connection poolers such as ",(0,a.jsx)(t.a,{href:"https://www.pgbouncer.org/faq.html#how-to-use-prepared-statements-with-transaction-pooling",children:"PgBouncer"})," may require additional configuration to work with K3s."]})}),"\n",(0,a.jsx)(t.h3,{id:"external-datastore-configuration-parameters",children:"External Datastore Configuration Parameters"}),"\n",(0,a.jsxs)(t.p,{children:["If you wish to use an external datastore such as PostgreSQL, MySQL, or etcd you must set the ",(0,a.jsx)(t.code,{children:"datastore-endpoint"})," parameter so that K3s knows how to connect to it. You may also specify parameters to configure the authentication and encryption of the connection. The below table summarizes these parameters, which can be passed as either CLI flags or environment variables."]}),"\n",(0,a.jsxs)(t.table,{children:[(0,a.jsx)(t.thead,{children:(0,a.jsxs)(t.tr,{children:[(0,a.jsx)(t.th,{children:"CLI Flag"}),(0,a.jsx)(t.th,{children:"Environment Variable"}),(0,a.jsx)(t.th,{children:"Description"})]})}),(0,a.jsxs)(t.tbody,{children:[(0,a.jsxs)(t.tr,{children:[(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"--datastore-endpoint"})}),(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"K3S_DATASTORE_ENDPOINT"})}),(0,a.jsx)(t.td,{children:"Specify a PostgreSQL, MySQL, or etcd connection string. This is a string used to describe the connection to the datastore. The structure of this string is specific to each backend and is detailed below."})]}),(0,a.jsxs)(t.tr,{children:[(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"--datastore-cafile"})}),(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"K3S_DATASTORE_CAFILE"})}),(0,a.jsx)(t.td,{children:"TLS Certificate Authority (CA) file used to help secure communication with the datastore. If your datastore serves requests over TLS using a certificate signed by a custom certificate authority, you can specify that CA using this parameter so that the K3s client can properly verify the certificate."})]}),(0,a.jsxs)(t.tr,{children:[(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"--datastore-certfile"})}),(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"K3S_DATASTORE_CERTFILE"})}),(0,a.jsxs)(t.td,{children:["TLS certificate file used for client certificate based authentication to your datastore. To use this feature, your datastore must be configured to support client certificate based authentication. If you specify this parameter, you must also specify the ",(0,a.jsx)(t.code,{children:"datastore-keyfile"})," parameter."]})]}),(0,a.jsxs)(t.tr,{children:[(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"--datastore-keyfile"})}),(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"K3S_DATASTORE_KEYFILE"})}),(0,a.jsxs)(t.td,{children:["TLS key file used for client certificate based authentication to your datastore. See the previous ",(0,a.jsx)(t.code,{children:"datastore-certfile"})," parameter for more details."]})]})]})]}),"\n",(0,a.jsx)(t.p,{children:"As a best practice we recommend setting these parameters as environment variables rather than command line arguments so that your database credentials or other sensitive information aren't exposed as part of the process info."}),"\n",(0,a.jsx)(t.h3,{id:"datastore-endpoint-format-and-functionality",children:"Datastore Endpoint Format and Functionality"}),"\n",(0,a.jsxs)(t.p,{children:["As mentioned, the format of the value passed to the ",(0,a.jsx)(t.code,{children:"datastore-endpoint"})," parameter is dependent upon the datastore backend. The following details this format and functionality for each supported external datastore."]}),"\n",(0,a.jsxs)(n,{queryString:"ext-db",children:[(0,a.jsxs)(s,{value:"PostgreSQL",children:[(0,a.jsx)(t.p,{children:"In its most common form, the datastore-endpoint parameter for PostgreSQL has the following format:"}),(0,a.jsx)(t.p,{children:(0,a.jsx)(t.code,{children:"postgres://username:password@hostname:port/database-name"})}),(0,a.jsxs)(t.p,{children:["More advanced configuration parameters are available. For more information on these, please see ",(0,a.jsx)(t.a,{href:"https://godoc.org/github.com/lib/pq",children:"https://godoc.org/github.com/lib/pq"}),"."]}),(0,a.jsx)(t.p,{children:"If you specify a database name and it does not exist, the server will attempt to create it."}),(0,a.jsxs)(t.p,{children:["If you only supply ",(0,a.jsx)(t.code,{children:"postgres://"})," as the endpoint, K3s will attempt to do the following:"]}),(0,a.jsxs)(t.ul,{children:["\n",(0,a.jsxs)(t.li,{children:["Connect to localhost using ",(0,a.jsx)(t.code,{children:"postgres"})," as the username and password"]}),"\n",(0,a.jsxs)(t.li,{children:["Create a database named ",(0,a.jsx)(t.code,{children:"kubernetes"})]}),"\n"]})]}),(0,a.jsxs)(s,{value:"MySQL / MariaDB",children:[(0,a.jsxs)(t.p,{children:["In its most common form, the ",(0,a.jsx)(t.code,{children:"datastore-endpoint"})," parameter for MySQL and MariaDB has the following format:"]}),(0,a.jsx)(t.p,{children:(0,a.jsx)(t.code,{children:"mysql://username:password@tcp(hostname:3306)/database-name"})}),(0,a.jsxs)(t.p,{children:["More advanced configuration parameters are available. For more information on these, please see ",(0,a.jsx)(t.a,{href:"https://github.com/go-sql-driver/mysql#dsn-data-source-name",children:"https://github.com/go-sql-driver/mysql#dsn-data-source-name"})]}),(0,a.jsxs)(t.p,{children:["Note that due to a ",(0,a.jsx)(t.a,{href:"https://github.com/k3s-io/k3s/issues/1093",children:"known issue"})," in K3s, you cannot set the ",(0,a.jsx)(t.code,{children:"tls"}),' parameter. TLS communication is supported, but you cannot, for example, set this parameter to "skip-verify" to cause K3s to skip certificate verification.']}),(0,a.jsx)(t.p,{children:"If you specify a database name and it does not exist, the server will attempt to create it."}),(0,a.jsxs)(t.p,{children:["If you only supply ",(0,a.jsx)(t.code,{children:"mysql://"})," as the endpoint, K3s will attempt to do the following:"]}),(0,a.jsxs)(t.ul,{children:["\n",(0,a.jsxs)(t.li,{children:["Connect to the MySQL socket at ",(0,a.jsx)(t.code,{children:"/var/run/mysqld/mysqld.sock"})," using the ",(0,a.jsx)(t.code,{children:"root"})," user and no password"]}),"\n",(0,a.jsxs)(t.li,{children:["Create a database with the name ",(0,a.jsx)(t.code,{children:"kubernetes"})]}),"\n"]})]}),(0,a.jsxs)(s,{value:"etcd",children:[(0,a.jsxs)(t.p,{children:["In its most common form, the ",(0,a.jsx)(t.code,{children:"datastore-endpoint"})," parameter for etcd has the following format:"]}),(0,a.jsx)(t.p,{children:(0,a.jsx)(t.code,{children:"https://etcd-host-1:2379,https://etcd-host-2:2379,https://etcd-host-3:2379"})}),(0,a.jsx)(t.p,{children:"The above assumes a typical three node etcd cluster. The parameter can accept one more comma separated etcd URLs."})]})]})]})}function h(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,a.jsx)(t,{...e,children:(0,a.jsx)(l,{...e})}):l(e)}function u(e,t){throw new Error("Expected "+(t?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,t,s)=>{s.d(t,{Z:()=>i,a:()=>o});var a=s(7294);const r={},n=a.createContext(r);function o(e){const t=a.useContext(n);return a.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function i(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),a.createElement(n.Provider,{value:t},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[4548],{9027:(e,t,s)=>{s.r(t),s.d(t,{assets:()=>d,contentTitle:()=>o,default:()=>h,frontMatter:()=>n,metadata:()=>i,toc:()=>c});var a=s(5893),r=s(1151);const n={title:"Cluster Datastore"},o=void 0,i={id:"datastore/datastore",title:"Cluster Datastore",description:"The ability to run Kubernetes using a datastore other than etcd sets K3s apart from other Kubernetes distributions. This feature provides flexibility to Kubernetes operators. The available datastore options allow you to select a datastore that best fits your use case. For example:",source:"@site/docs/datastore/datastore.md",sourceDirName:"datastore",slug:"/datastore/",permalink:"/datastore/",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/datastore.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Cluster Datastore"},sidebar:"mySidebar",previous:{title:"Uninstalling K3s",permalink:"/installation/uninstall"},next:{title:"Backup and Restore",permalink:"/datastore/backup-restore"}},d={},c=[{value:"External Datastore Configuration Parameters",id:"external-datastore-configuration-parameters",level:3},{value:"Datastore Endpoint Format and Functionality",id:"datastore-endpoint-format-and-functionality",level:3}];function l(e){const t={a:"a",admonition:"admonition",br:"br",code:"code",h3:"h3",li:"li",p:"p",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components},{TabItem:s,Tabs:n}=t;return s||u("TabItem",!0),n||u("Tabs",!0),(0,a.jsxs)(a.Fragment,{children:[(0,a.jsx)(t.p,{children:"The ability to run Kubernetes using a datastore other than etcd sets K3s apart from other Kubernetes distributions. This feature provides flexibility to Kubernetes operators. The available datastore options allow you to select a datastore that best fits your use case. For example:"}),"\n",(0,a.jsxs)(t.ul,{children:["\n",(0,a.jsx)(t.li,{children:"If your team doesn't have expertise in operating etcd, you can choose an enterprise-grade SQL database like MySQL or PostgreSQL"}),"\n",(0,a.jsx)(t.li,{children:"If you need to run a simple, short-lived cluster in your CI/CD environment, you can use the embedded SQLite database"}),"\n",(0,a.jsx)(t.li,{children:"If you wish to deploy Kubernetes on the edge and require a highly available solution but can't afford the operational overhead of managing a database at the edge, you can use K3s's embedded HA datastore built on top of embedded etcd."}),"\n"]}),"\n",(0,a.jsx)(t.p,{children:"K3s supports the following datastore options:"}),"\n",(0,a.jsxs)(t.ul,{children:["\n",(0,a.jsxs)(t.li,{children:[(0,a.jsxs)(t.strong,{children:["Embedded ",(0,a.jsx)(t.a,{href:"https://www.sqlite.org/index.html",children:"SQLite"})]}),(0,a.jsx)(t.br,{}),"\n","SQLite cannot be used on clusters with multiple servers.",(0,a.jsx)(t.br,{}),"\n","SQLite is the default datastore, and will be used if no other datastore configuration is present, and no embedded etcd database files are present on disk."]}),"\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.strong,{children:"Embedded etcd"}),(0,a.jsx)(t.br,{}),"\n","See the ",(0,a.jsx)(t.a,{href:"/datastore/ha-embedded",children:"High Availability Embedded etcd"})," documentation for more information on using embedded etcd with multiple servers.\nEmbedded etcd will be automatically selected if K3s is configured to initialize a new etcd cluster, join an existing etcd cluster, or if etcd database files are present on disk during startup."]}),"\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.strong,{children:"External Database"}),(0,a.jsx)(t.br,{}),"\n","See the ",(0,a.jsx)(t.a,{href:"/datastore/ha",children:"High Availability External DB"})," documentation for more information on using external datastores with multiple servers.",(0,a.jsx)(t.br,{}),"\n","The following external datastores are supported:","\n",(0,a.jsxs)(t.ul,{children:["\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.a,{href:"https://etcd.io/",children:"etcd"})," (certified against version 3.5.4)"]}),"\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.a,{href:"https://www.mysql.com/",children:"MySQL"})," (certified against versions 5.7 and 8.0)"]}),"\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.a,{href:"https://mariadb.org/",children:"MariaDB"})," (certified against version 10.6.8)"]}),"\n",(0,a.jsxs)(t.li,{children:[(0,a.jsx)(t.a,{href:"https://www.postgresql.org/",children:"PostgreSQL"})," (certified against versions 12.16, 13.12, 14.9 and 15.4)"]}),"\n"]}),"\n"]}),"\n"]}),"\n",(0,a.jsx)(t.admonition,{title:"Prepared Statement Support",type:"warning",children:(0,a.jsxs)(t.p,{children:["K3s requires prepared statements support from the DB. This means that connection poolers such as ",(0,a.jsx)(t.a,{href:"https://www.pgbouncer.org/faq.html#how-to-use-prepared-statements-with-transaction-pooling",children:"PgBouncer"})," may require additional configuration to work with K3s."]})}),"\n",(0,a.jsx)(t.h3,{id:"external-datastore-configuration-parameters",children:"External Datastore Configuration Parameters"}),"\n",(0,a.jsxs)(t.p,{children:["If you wish to use an external datastore such as PostgreSQL, MySQL, or etcd you must set the ",(0,a.jsx)(t.code,{children:"datastore-endpoint"})," parameter so that K3s knows how to connect to it. You may also specify parameters to configure the authentication and encryption of the connection. The below table summarizes these parameters, which can be passed as either CLI flags or environment variables."]}),"\n",(0,a.jsxs)(t.table,{children:[(0,a.jsx)(t.thead,{children:(0,a.jsxs)(t.tr,{children:[(0,a.jsx)(t.th,{children:"CLI Flag"}),(0,a.jsx)(t.th,{children:"Environment Variable"}),(0,a.jsx)(t.th,{children:"Description"})]})}),(0,a.jsxs)(t.tbody,{children:[(0,a.jsxs)(t.tr,{children:[(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"--datastore-endpoint"})}),(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"K3S_DATASTORE_ENDPOINT"})}),(0,a.jsx)(t.td,{children:"Specify a PostgreSQL, MySQL, or etcd connection string. This is a string used to describe the connection to the datastore. The structure of this string is specific to each backend and is detailed below."})]}),(0,a.jsxs)(t.tr,{children:[(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"--datastore-cafile"})}),(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"K3S_DATASTORE_CAFILE"})}),(0,a.jsx)(t.td,{children:"TLS Certificate Authority (CA) file used to help secure communication with the datastore. If your datastore serves requests over TLS using a certificate signed by a custom certificate authority, you can specify that CA using this parameter so that the K3s client can properly verify the certificate."})]}),(0,a.jsxs)(t.tr,{children:[(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"--datastore-certfile"})}),(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"K3S_DATASTORE_CERTFILE"})}),(0,a.jsxs)(t.td,{children:["TLS certificate file used for client certificate based authentication to your datastore. To use this feature, your datastore must be configured to support client certificate based authentication. If you specify this parameter, you must also specify the ",(0,a.jsx)(t.code,{children:"datastore-keyfile"})," parameter."]})]}),(0,a.jsxs)(t.tr,{children:[(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"--datastore-keyfile"})}),(0,a.jsx)(t.td,{children:(0,a.jsx)(t.code,{children:"K3S_DATASTORE_KEYFILE"})}),(0,a.jsxs)(t.td,{children:["TLS key file used for client certificate based authentication to your datastore. See the previous ",(0,a.jsx)(t.code,{children:"datastore-certfile"})," parameter for more details."]})]})]})]}),"\n",(0,a.jsx)(t.p,{children:"As a best practice we recommend setting these parameters as environment variables rather than command line arguments so that your database credentials or other sensitive information aren't exposed as part of the process info."}),"\n",(0,a.jsx)(t.h3,{id:"datastore-endpoint-format-and-functionality",children:"Datastore Endpoint Format and Functionality"}),"\n",(0,a.jsxs)(t.p,{children:["As mentioned, the format of the value passed to the ",(0,a.jsx)(t.code,{children:"datastore-endpoint"})," parameter is dependent upon the datastore backend. The following details this format and functionality for each supported external datastore."]}),"\n",(0,a.jsxs)(n,{queryString:"ext-db",children:[(0,a.jsxs)(s,{value:"PostgreSQL",children:[(0,a.jsx)(t.p,{children:"In its most common form, the datastore-endpoint parameter for PostgreSQL has the following format:"}),(0,a.jsx)(t.p,{children:(0,a.jsx)(t.code,{children:"postgres://username:password@hostname:port/database-name"})}),(0,a.jsxs)(t.p,{children:["More advanced configuration parameters are available. For more information on these, please see ",(0,a.jsx)(t.a,{href:"https://godoc.org/github.com/lib/pq",children:"https://godoc.org/github.com/lib/pq"}),"."]}),(0,a.jsx)(t.p,{children:"If you specify a database name and it does not exist, the server will attempt to create it."}),(0,a.jsxs)(t.p,{children:["If you only supply ",(0,a.jsx)(t.code,{children:"postgres://"})," as the endpoint, K3s will attempt to do the following:"]}),(0,a.jsxs)(t.ul,{children:["\n",(0,a.jsxs)(t.li,{children:["Connect to localhost using ",(0,a.jsx)(t.code,{children:"postgres"})," as the username and password"]}),"\n",(0,a.jsxs)(t.li,{children:["Create a database named ",(0,a.jsx)(t.code,{children:"kubernetes"})]}),"\n"]})]}),(0,a.jsxs)(s,{value:"MySQL / MariaDB",children:[(0,a.jsxs)(t.p,{children:["In its most common form, the ",(0,a.jsx)(t.code,{children:"datastore-endpoint"})," parameter for MySQL and MariaDB has the following format:"]}),(0,a.jsx)(t.p,{children:(0,a.jsx)(t.code,{children:"mysql://username:password@tcp(hostname:3306)/database-name"})}),(0,a.jsxs)(t.p,{children:["More advanced configuration parameters are available. For more information on these, please see ",(0,a.jsx)(t.a,{href:"https://github.com/go-sql-driver/mysql#dsn-data-source-name",children:"https://github.com/go-sql-driver/mysql#dsn-data-source-name"})]}),(0,a.jsxs)(t.p,{children:["Note that due to a ",(0,a.jsx)(t.a,{href:"https://github.com/k3s-io/k3s/issues/1093",children:"known issue"})," in K3s, you cannot set the ",(0,a.jsx)(t.code,{children:"tls"}),' parameter. TLS communication is supported, but you cannot, for example, set this parameter to "skip-verify" to cause K3s to skip certificate verification.']}),(0,a.jsx)(t.p,{children:"If you specify a database name and it does not exist, the server will attempt to create it."}),(0,a.jsxs)(t.p,{children:["If you only supply ",(0,a.jsx)(t.code,{children:"mysql://"})," as the endpoint, K3s will attempt to do the following:"]}),(0,a.jsxs)(t.ul,{children:["\n",(0,a.jsxs)(t.li,{children:["Connect to the MySQL socket at ",(0,a.jsx)(t.code,{children:"/var/run/mysqld/mysqld.sock"})," using the ",(0,a.jsx)(t.code,{children:"root"})," user and no password"]}),"\n",(0,a.jsxs)(t.li,{children:["Create a database with the name ",(0,a.jsx)(t.code,{children:"kubernetes"})]}),"\n"]})]}),(0,a.jsxs)(s,{value:"etcd",children:[(0,a.jsxs)(t.p,{children:["In its most common form, the ",(0,a.jsx)(t.code,{children:"datastore-endpoint"})," parameter for etcd has the following format:"]}),(0,a.jsx)(t.p,{children:(0,a.jsx)(t.code,{children:"https://etcd-host-1:2379,https://etcd-host-2:2379,https://etcd-host-3:2379"})}),(0,a.jsx)(t.p,{children:"The above assumes a typical three node etcd cluster. The parameter can accept one more comma separated etcd URLs."})]})]})]})}function h(e={}){const{wrapper:t}={...(0,r.a)(),...e.components};return t?(0,a.jsx)(t,{...e,children:(0,a.jsx)(l,{...e})}):l(e)}function u(e,t){throw new Error("Expected "+(t?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,t,s)=>{s.d(t,{Z:()=>i,a:()=>o});var a=s(7294);const r={},n=a.createContext(r);function o(e){const t=a.useContext(n);return a.useMemo((function(){return"function"==typeof e?e(t):{...t,...e}}),[t,e])}function i(e){let t;return t=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:o(e.components),a.createElement(n.Provider,{value:t},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/ab60f49a.961512bd.js b/assets/js/ab60f49a.814ea337.js
similarity index 99%
rename from assets/js/ab60f49a.961512bd.js
rename to assets/js/ab60f49a.814ea337.js
index 5d8e1caef..d2dc60f1e 100644
--- a/assets/js/ab60f49a.961512bd.js
+++ b/assets/js/ab60f49a.814ea337.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3555],{2688:(e,r,t)=>{t.r(r),t.d(r,{assets:()=>c,contentTitle:()=>a,default:()=>u,frontMatter:()=>i,metadata:()=>l,toc:()=>o});var s=t(5893),n=t(1151);const i={title:"CIS 1.24 Self Assessment Guide"},a=void 0,l={id:"security/self-assessment-1.24",title:"CIS 1.24 Self Assessment Guide",description:"Overview",source:"@site/docs/security/self-assessment-1.24.md",sourceDirName:"security",slug:"/security/self-assessment-1.24",permalink:"/security/self-assessment-1.24",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.24.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"CIS 1.24 Self Assessment Guide"},sidebar:"mySidebar",previous:{title:"CIS 1.7 Self Assessment Guide",permalink:"/security/self-assessment-1.7"},next:{title:"CLI Tools",permalink:"/cli/"}},c={},o=[{value:"Overview",id:"overview",level:2},{value:"Testing controls methodology",id:"testing-controls-methodology",level:3},{value:"1.1 Control Plane Node Configuration Files",id:"11-control-plane-node-configuration-files",level:2},{value:"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)",id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.2 Ensure that the API server pod specification file ownership is set to root (Automated)",id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)",id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.4 Ensure that the controller manager pod specification file ownership is set to root (Automated)",id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)",id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.6 Ensure that the scheduler pod specification file ownership is set to root (Automated)",id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)",id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.8 Ensure that the etcd pod specification file ownership is set to root (Automated)",id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)",id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.10 Ensure that the Container Network Interface file ownership is set to root (Manual)",id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",level:3},{value:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)",id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",level:3},{value:"1.1.12 Ensure that the etcd data directory ownership is set to etcd (Automated)",id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",level:3},{value:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)",id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.14 Ensure that the admin.conf file ownership is set to root (Automated)",id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)",id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.16 Ensure that the scheduler.conf file ownership is set to root (Automated)",id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)",id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.18 Ensure that the controller-manager.conf file ownership is set to root (Automated)",id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root (Automated)",id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)",id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual",level:3},{value:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)",id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated",level:3},{value:"1.2 API Server",id:"12-api-server",level:2},{value:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)",id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",level:3},{value:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)",id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",level:3},{value:"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)",id:"124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated",level:3},{value:"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)",id:"125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)",id:"126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)",id:"128-ensure-that-the---authorization-mode-argument-includes-node-automated",level:3},{value:"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)",id:"129-ensure-that-the---authorization-mode-argument-includes-rbac-automated",level:3},{value:"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)",id:"1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",level:3},{value:"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)",id:"1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",level:3},{value:"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)",id:"1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",level:3},{value:"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)",id:"1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",level:3},{value:"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)",id:"1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",level:3},{value:"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)",id:"1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",level:3},{value:"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)",id:"1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",level:3},{value:"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)",id:"1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated",level:3},{value:"1.2.18 Ensure that the --profiling argument is set to false (Automated)",id:"1218-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.2.19 Ensure that the --audit-log-path argument is set (Manual)",id:"1219-ensure-that-the---audit-log-path-argument-is-set-manual",level:3},{value:"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)",id:"1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated",level:3},{value:"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)",id:"1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated",level:3},{value:"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)",id:"1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated",level:3},{value:"1.2.23 Ensure that the --request-timeout argument is set as appropriate (Manual)",id:"1223-ensure-that-the---request-timeout-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)",id:"1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",level:3},{value:"1.2.25 Ensure that the --service-account-key-file argument is set as appropriate (Automated)",id:"1225-ensure-that-the---service-account-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)",id:"1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)",id:"1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)",id:"1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.31 Ensure that encryption providers are appropriately configured (Manual)",id:"1231-ensure-that-encryption-providers-are-appropriately-configured-manual",level:3},{value:"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)",id:"1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-automated",level:3},{value:"1.3 Controller Manager",id:"13-controller-manager",level:2},{value:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)",id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",level:3},{value:"1.3.2 Ensure that the --profiling argument is set to false (Automated)",id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)",id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",level:3},{value:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)",id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)",id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"1.4 Scheduler",id:"14-scheduler",level:2},{value:"1.4.1 Ensure that the --profiling argument is set to false (Automated)",id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"2 Etcd Node Configuration",id:"2-etcd-node-configuration",level:2},{value:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)",id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)",id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)",id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)",id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)",id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)",id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.7 Ensure that a unique Certificate Authority is used for etcd (Automated)",id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-automated",level:3},{value:"4.1 Worker Node Configuration Files",id:"41-worker-node-configuration-files",level:2},{value:"4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)",id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.2 Ensure that the kubelet service file ownership is set to root (Automated)",id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)",id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.4 If proxy kubeconfig file exists ensure ownership is set to root (Automated)",id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-automated",level:3},{value:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)",id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root (Automated)",id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)",id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.8 Ensure that the client certificate authorities file ownership is set to root (Automated)",id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)",id:"419-if-the-kubelet-configyaml-configuration-file-is-being-used-validate-permissions-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.10 If the kubelet config.yaml configuration file is being used validate file ownership is set to root (Automated)",id:"4110-if-the-kubelet-configyaml-configuration-file-is-being-used-validate-file-ownership-is-set-to-root-automated",level:3},{value:"4.2 Kubelet",id:"42-kubelet",level:2},{value:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"4.2.4 Verify that the --read-only-port argument is set to 0 (Automated)",id:"424-verify-that-the---read-only-port-argument-is-set-to-0-automated",level:3},{value:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)",id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",level:3},{value:"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)",id:"426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated",level:3},{value:"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)",id:"427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",level:3},{value:"4.2.8 Ensure that the --hostname-override argument is not set (Automated)",id:"428-ensure-that-the---hostname-override-argument-is-not-set-automated",level:3},{value:"4.2.9 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)",id:"429-ensure-that-the-eventrecordqps-argument-is-set-to-a-level-which-ensures-appropriate-event-capture-manual",level:3},{value:"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)",id:"4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",level:3},{value:"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)",id:"4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"5.1 RBAC and Service Accounts",id:"51-rbac-and-service-accounts",level:2},{value:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)",id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",level:3},{value:"5.1.2 Minimize access to secrets (Manual)",id:"512-minimize-access-to-secrets-manual",level:3},{value:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)",id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",level:3},{value:"5.1.4 Minimize access to create pods (Manual)",id:"514-minimize-access-to-create-pods-manual",level:3},{value:"5.1.5 Ensure that default service accounts are not actively used. (Manual)",id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",level:3},{value:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)",id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",level:3},{value:"5.1.7 Avoid use of system group (Manual)",id:"517-avoid-use-of-system-group-manual",level:3},{value:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)",id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",level:3},{value:"5.2 Pod Security Standards",id:"52-pod-security-standards",level:2},{value:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)",id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",level:3},{value:"5.2.2 Minimize the admission of privileged containers (Manual)",id:"522-minimize-the-admission-of-privileged-containers-manual",level:3},{value:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)",id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",level:3},{value:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)",id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",level:3},{value:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)",id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",level:3},{value:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)",id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",level:3},{value:"5.2.7 Minimize the admission of root containers (Automated)",id:"527-minimize-the-admission-of-root-containers-automated",level:3},{value:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)",id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",level:3},{value:"5.2.9 Minimize the admission of containers with added capabilities (Automated)",id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",level:3},{value:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)",id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",level:3},{value:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)",id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",level:3},{value:"5.2.12 Minimize the admission of HostPath volumes (Manual)",id:"5212-minimize-the-admission-of-hostpath-volumes-manual",level:3},{value:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)",id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",level:3},{value:"5.3 Network Policies and CNI",id:"53-network-policies-and-cni",level:2},{value:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)",id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",level:3},{value:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)",id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",level:3},{value:"5.4 Secrets Management",id:"54-secrets-management",level:2},{value:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)",id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",level:3},{value:"5.4.2 Consider external secret storage (Manual)",id:"542-consider-external-secret-storage-manual",level:3},{value:"5.5 Extensible Admission Control",id:"55-extensible-admission-control",level:2},{value:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)",id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",level:3},{value:"5.7 General Policies",id:"57-general-policies",level:2},{value:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)",id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",level:3},{value:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)",id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",level:3},{value:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)",id:"573-apply-securitycontext-to-your-pods-and-containers-manual",level:3},{value:"5.7.4 The default namespace should not be used (Manual)",id:"574-the-default-namespace-should-not-be-used-manual",level:3}];function d(e){const r={a:"a",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components},{Details:t}=r;return t||function(e,r){throw new Error("Expected "+(r?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}("Details",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(r.h2,{id:"overview",children:"Overview"}),"\n",(0,s.jsxs)(r.p,{children:["This document is a companion to the ",(0,s.jsx)(r.a,{href:"/security/hardening-guide",children:"K3s security hardening guide"}),". The hardening guide provides prescriptive guidance for hardening a production installation of K3s, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes Benchmark. It is to be used by K3s operators, security teams, auditors, and decision-makers."]}),"\n",(0,s.jsxs)(r.p,{children:["This guide is specific to the ",(0,s.jsx)(r.strong,{children:"v1.24"})," release line of K3s and the ",(0,s.jsx)(r.strong,{children:"v1.24"})," release of the CIS Kubernetes Benchmark."]}),"\n",(0,s.jsxs)(r.p,{children:["For more information about each control, including detailed descriptions and remediations for failing tests, you can refer to the corresponding section of the CIS Kubernetes Benchmark v1.6. You can download the benchmark, after creating a free account, in ",(0,s.jsx)(r.a,{href:"https://www.cisecurity.org/benchmark/kubernetes/",children:"Center for Internet Security (CIS)"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"testing-controls-methodology",children:"Testing controls methodology"}),"\n",(0,s.jsx)(r.p,{children:"Each control in the CIS Kubernetes Benchmark was evaluated against a K3s cluster that was configured according to the accompanying hardening guide."}),"\n",(0,s.jsx)(r.p,{children:"Where control audits differ from the original CIS benchmark, the audit commands specific to K3s are provided for testing."}),"\n",(0,s.jsx)(r.p,{children:"These are the possible results for each control:"}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Pass"})," - The K3s cluster under test passed the audit outlined in the benchmark."]}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Not Applicable"})," - The control is not applicable to K3s because of how it is designed to operate. The remediation section will explain why this is so."]}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Warn"})," - The control is manual in the CIS benchmark and it depends on the cluster's use case or some other factor that must be determined by the cluster operator. These controls have been evaluated to ensure K3s does not prevent their implementation, but no further configuration or auditing of the cluster under test has been performed."]}),"\n"]}),"\n",(0,s.jsx)(r.p,{children:'This guide makes the assumption that K3s is running as a Systemd unit. Your installation may vary and will require you to adjust the "audit" commands to fit your scenario.'}),"\n",(0,s.jsx)(r.h2,{id:"11-control-plane-node-configuration-files",children:"1.1 Control Plane Node Configuration Files"}),"\n",(0,s.jsx)(r.h3,{id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the api server within the k3s process. There is no API server pod specification file."}),"\n",(0,s.jsxs)(r.h3,{id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.2 Ensure that the API server pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the api server within the k3s process. There is no API server pod specification file."}),"\n",(0,s.jsx)(r.h3,{id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the controller manager within the k3s process. There is no controller manager pod specification file."}),"\n",(0,s.jsxs)(r.h3,{id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.4 Ensure that the controller manager pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the controller manager within the k3s process. There is no controller manager pod specification file."}),"\n",(0,s.jsx)(r.h3,{id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the scheduler within the k3s process. There is no scheduler pod specification file."}),"\n",(0,s.jsxs)(r.h3,{id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.6 Ensure that the scheduler pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the scheduler within the k3s process. There is no scheduler pod specification file."}),"\n",(0,s.jsx)(r.h3,{id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds etcd within the k3s process. There is no etcd pod specification file."}),"\n",(0,s.jsxs)(r.h3,{id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.8 Ensure that the etcd pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds etcd within the k3s process. There is no etcd pod specification file."}),"\n",(0,s.jsx)(r.h3,{id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks."}),"\n",(0,s.jsxs)(r.h3,{id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",children:["1.1.10 Ensure that the Container Network Interface file ownership is set to root",":root"," (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks."}),"\n",(0,s.jsx)(r.h3,{id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",children:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'if [ "$(journalctl -u k3s | grep -m1 \'Managed etcd cluster\' | wc -l)" -gt 0 ]; then\n stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd\nelse\n echo "permissions=700"\nfi\n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 700, expected 700 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=700\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["On the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above). For example,\n",(0,s.jsx)(r.code,{children:"chmod 700 /var/lib/etcd"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",children:["1.1.12 Ensure that the etcd data directory ownership is set to etcd",":etcd"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsxs)(r.p,{children:["For K3s, etcd is embedded within the k3s process. There is no separate etcd process.\nTherefore the etcd data directory ownership is managed by the k3s process and should be root",":root","."]}),"\n",(0,s.jsx)(r.h3,{id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," INFO"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"})]}),"\n",(0,s.jsxs)(r.h3,{id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",children:["1.1.14 Ensure that the admin.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/admin.kubeconfig"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",children:["1.1.16 Ensure that the scheduler.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/controller.kubeconfig"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",children:["1.1.18 Ensure that the controller-manager.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/controller.kubeconfig"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",children:["1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"find /var/lib/rancher/k3s/server/tls | xargs stat -c %U:%G\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chown -R root:root /etc/kubernetes/pki/"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual",children:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the master node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.crt"})]}),"\n",(0,s.jsx)(r.h3,{id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated",children:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'stat -c permissions=%a /var/lib/rancher/k3s/server/tls/*.key'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the master node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.key"})]})]}),"\n",(0,s.jsx)(r.h2,{id:"12-api-server",children:"1.2 API Server"}),"\n",(0,s.jsx)(r.h3,{id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--anonymous-auth' is equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --anonymous-auth argument to false. If it is set to true,\nedit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "anonymous-auth=true"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",children:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--token-auth-file' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Follow the documentation and configure alternate mechanisms for authentication.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "token-auth-file="\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",children:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' does not have 'DenyServiceExternalIPs' OR '--enable-admission-plugins' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set DenyServiceExternalIPs.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=DenyServiceExternalIPs"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated",children:"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," INFO"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the --kubelet-https parameter."]}),"\n",(0,s.jsx)(r.h3,{id:"125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",children:"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--kubelet-client-certificate' is present AND '--kubelet-client-key' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the kubelet client certificate and key.\nThey are generated and located at /var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/client-kube-apiserver.key\nIf for some reason you need to provide your own certificate and key, you can set the\nbelow parameters in the K3s config file /etc/rancher/k3s/config.yaml."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "kubelet-client-certificate="\n - "kubelet-client-key="\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",children:"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--kubelet-certificate-authority' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Follow the Kubernetes documentation and setup the TLS connection between\nthe apiserver and kubelets. Then, edit the API server pod specification file\n/etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the\n--kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.\n--kubelet-certificate-authority="})]}),"\n",(0,s.jsx)(r.h3,{id:"127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' does not have 'AlwaysAllow'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --authorization-mode to AlwaysAllow.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "authorization-mode=AlwaysAllow"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"128-ensure-that-the---authorization-mode-argument-includes-node-automated",children:"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' has 'Node'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --authorization-mode to Node and RBAC.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml,\nensure that you are not overriding authorization-mode."})]}),"\n",(0,s.jsx)(r.h3,{id:"129-ensure-that-the---authorization-mode-argument-includes-rbac-automated",children:"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' has 'RBAC'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --authorization-mode to Node and RBAC.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml,\nensure that you are not overriding authorization-mode."})]}),"\n",(0,s.jsx)(r.h3,{id:"1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",children:"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set the desired limits in a configuration file.\nThen, edit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,EventRateLimit,..."\n - "admission-control-config-file="\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",children:"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' does not have 'AlwaysAdmit' OR '--enable-admission-plugins' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --enable-admission-plugins to AlwaysAdmit.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=AlwaysAdmit"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",children:"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),'\nPermissive, per CIS guidelines,\n"This setting could impact offline or isolated clusters, which have images pre-loaded and\ndo not have access to a registry to pull in-use images. This setting is not appropriate for\nclusters which use this configuration."\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameter.']}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,AlwaysPullImages,..."\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",children:"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' has 'SecurityContextDeny' OR '--enable-admission-plugins' has 'PodSecurityPolicy'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to include\nSecurityContextDeny, unless PodSecurityPolicy is already in place.\n--enable-admission-plugins=...,SecurityContextDeny,..."})]}),"\n",(0,s.jsx)(r.h3,{id:"1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",children:"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'ServiceAccount'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --disable-admission-plugins to anything.\nFollow the documentation and create ServiceAccount objects as per your environment.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "disable-admission-plugins=ServiceAccount"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",children:"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --disable-admission-plugins to anything.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "disable-admission-plugins=...,NamespaceLifecycle,..."\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",children:"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' has 'NodeRestriction'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --enable-admission-plugins to NodeRestriction.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, check that you are not overriding the admission plugins.\nIf you are, include NodeRestriction in the list."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,NodeRestriction,..."\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated",children:"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'secure-port'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--secure-port' is greater than 0 OR '--secure-port' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the secure port to 6444.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "secure-port="\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1218-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.2.18 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "profiling=true"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1219-ensure-that-the---audit-log-path-argument-is-set-manual",children:"1.2.19 Ensure that the --audit-log-path argument is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-log-path'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-path' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml and set the audit-log-path parameter to a suitable path and\nfile where you would like audit logs to be written, for example,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated",children:"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-log-maxage'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxage' is greater or equal to 30"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxage parameter to 30 or as an appropriate number of days, for example,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxage=30"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated",children:"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-log-maxbackup'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxbackup' is greater or equal to 10"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxbackup parameter to 10 or to an appropriate value. For example,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxbackup=10"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated",children:"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-log-maxsize'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxsize' is greater or equal to 100"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxsize parameter to an appropriate size in MB. For example,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxsize=100"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1223-ensure-that-the---request-timeout-argument-is-set-as-appropriate-manual",children:"1.2.23 Ensure that the --request-timeout argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),'\nPermissive, per CIS guidelines,\n"it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed".\nEdit the K3s config file /etc/rancher/k3s/config.yaml\nand set the below parameter if needed. For example,']}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "request-timeout=300s"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",children:"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-lookup' is not present OR '--service-account-lookup' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --service-account-lookup argument.\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the service-account-lookup. For example,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "service-account-lookup=true"\n'})}),(0,s.jsx)(r.p,{children:"Alternatively, you can delete the service-account-lookup parameter from this file so\nthat the default takes effect."})]}),"\n",(0,s.jsx)(r.h3,{id:"1225-ensure-that-the---service-account-key-file-argument-is-set-as-appropriate-automated",children:"1.2.25 Ensure that the --service-account-key-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'service-account-key-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-key-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"K3s automatically generates and sets the service account key file.\nIt is located at /var/lib/rancher/k3s/server/tls/service.key.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "service-account-key-file="\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",children:"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"if [ \"$(journalctl -u k3s | grep -m1 'Managed etcd cluster' | wc -l)\" -gt 0 ]; then\n journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver' | tail -n1\nelse\n echo \"--etcd-certfile AND --etcd-keyfile\"\nfi\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--etcd-certfile' is present AND '--etcd-keyfile' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"K3s automatically generates and sets the etcd certificate and key files.\nThey are located at /var/lib/rancher/k3s/server/tls/etcd/client.crt and /var/lib/rancher/k3s/server/tls/etcd/client.key.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "etcd-certfile="\n - "etcd-keyfile="\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep -A1 'Running kube-apiserver' | tail -n2\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cert-file' is present AND '--tls-private-key-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\nAug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically generates and provides the TLS certificate and private key for the apiserver.\nThey are generated and located at /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "tls-cert-file="\n - "tls-private-key-file="\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'client-ca-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--client-ca-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the client certificate authority file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/client-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "client-ca-file="\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",children:"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-cafile'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--etcd-cafile' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the etcd certificate authority file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/client-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "etcd-cafile="\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",children:"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--encryption-provider-config' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"K3s can be configured to use encryption providers to encrypt secrets at rest.\nEdit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and set the below parameter.\nsecrets-encryption: true\nSecrets encryption can then be managed with the k3s secrets-encrypt command line tool.\nIf needed, you can find the generated encryption config at /var/lib/rancher/k3s/server/cred/encryption-config.json."})]}),"\n",(0,s.jsx)(r.h3,{id:"1231-ensure-that-encryption-providers-are-appropriately-configured-manual",children:"1.2.31 Ensure that encryption providers are appropriately configured (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"ENCRYPTION_PROVIDER_CONFIG=$(journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\\([^ ]*\\).*%\\1%')\nif test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -o 'providers\\\"\\:\\[.*\\]' $ENCRYPTION_PROVIDER_CONFIG | grep -o \"[A-Za-z]*\" | head -2 | tail -1 | sed 's/^/provider=/'; fi\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'provider' contains valid elements from 'aescbc,kms,secretbox'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"provider=aescbc\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"K3s can be configured to use encryption providers to encrypt secrets at rest. K3s will utilize the aescbc provider.\nEdit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and set the below parameter.\nsecrets-encryption: true\nSecrets encryption can then be managed with the k3s secrets-encrypt command line tool.\nIf needed, you can find the generated encryption config at /var/lib/rancher/k3s/server/cred/encryption-config.json"})]}),"\n",(0,s.jsx)(r.h3,{id:"1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-automated",children:"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cipher-suites' contains valid elements from 'TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["By default, the K3s kube-apiserver complies with this test. Changes to these values may cause regression, therefore ensure that all apiserver clients support the new TLS configuration before applying it in production deployments.\nIf a custom TLS configuration is required, consider also creating a custom version of this rule that aligns with your requirements.\nIf this check fails, remove any custom configuration around ",(0,s.jsx)(r.code,{children:"tls-cipher-suites"})," or update the /etc/rancher/k3s/config.yaml file to match the default by adding the following:"]}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"\n'})})]}),"\n",(0,s.jsx)(r.h2,{id:"13-controller-manager",children:"1.3 Controller Manager"}),"\n",(0,s.jsx)(r.h3,{id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",children:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'terminated-pod-gc-threshold'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--terminated-pod-gc-threshold' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node\nand set the --terminated-pod-gc-threshold to an appropriate threshold,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "terminated-pod-gc-threshold=10"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.3.2 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "profiling=true"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",children:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--use-service-account-credentials' is not equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --use-service-account-credentials argument to true.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "use-service-account-credentials=false"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",children:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'service-account-private-key-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-private-key-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the service account private key file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/service.current.key.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "service-account-private-key-file="\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",children:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'root-ca-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--root-ca-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the root CA file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/server-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "root-ca-file="\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--feature-gates' does not have 'RotateKubeletServerCertificate=false' OR '--feature-gates' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the RotateKubeletServerCertificate feature gate.\nIf you have enabled this feature gate, you should remove it.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "feature-gate=RotateKubeletServerCertificate"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'bind-address'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --bind-address argument to 127.0.0.1\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "bind-address="\n'})})]}),"\n",(0,s.jsx)(r.h2,{id:"14-scheduler",children:"1.4 Scheduler"}),"\n",(0,s.jsx)(r.h3,{id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.4.1 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-scheduler-arg:\n - "profiling=true"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'bind-address'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --bind-address argument to 127.0.0.1\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-scheduler-arg:\n - "bind-address="\n'})})]}),"\n",(0,s.jsx)(r.h2,{id:"2-etcd-node-configuration",children:"2 Etcd Node Configuration"}),"\n",(0,s.jsx)(r.h3,{id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",children:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.cert-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/server-client.crt' AND '.client-transport-security.key-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/server-client.key'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates cert and key files for etcd.\nThese are located in /var/lib/rancher/k3s/server/tls/etcd/.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use custom cert and key files."})]}),"\n",(0,s.jsx)(r.h3,{id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",children:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.client-cert-auth' is equal to 'true'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s sets the --client-cert-auth parameter to true.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to disable client certificate authentication."})]}),"\n",(0,s.jsx)(r.h3,{id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",children:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.auto-tls' is present OR '.client-transport-security.auto-tls' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s does not set the --auto-tls parameter.\nIf this check fails, edit the etcd pod specification file /var/lib/rancher/k3s/server/db/etcd/config on the master\nnode and either remove the --auto-tls parameter or set it to false.\nclient-transport-security:\nauto-tls: false"})]}),"\n",(0,s.jsx)(r.h3,{id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",children:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.cert-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt' AND '.peer-transport-security.key-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates peer cert and key files for etcd.\nThese are located in /var/lib/rancher/k3s/server/tls/etcd/.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use custom peer cert and key files."})]}),"\n",(0,s.jsx)(r.h3,{id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",children:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.client-cert-auth' is equal to 'true'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s sets the --peer-cert-auth parameter to true.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to disable peer client certificate authentication."})]}),"\n",(0,s.jsx)(r.h3,{id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",children:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.auto-tls' is present OR '.peer-transport-security.auto-tls' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s does not set the --peer-auto-tls parameter.\nIf this check fails, edit the etcd pod specification file /var/lib/rancher/k3s/server/db/etcd/config on the master\nnode and either remove the --peer-auto-tls parameter or set it to false.\npeer-transport-security:\nauto-tls: false"})]}),"\n",(0,s.jsx)(r.h3,{id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-automated",children:"2.7 Ensure that a unique Certificate Authority is used for etcd (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.trusted-ca-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates a unique certificate authority for etcd.\nThis is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use a shared certificate authority."})]}),"\n",(0,s.jsx)(r.h2,{id:"41-worker-node-configuration-files",children:"4.1 Worker Node Configuration Files"}),"\n",(0,s.jsx)(r.h3,{id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet service file, all configuration is passed in as arguments at runtime."}),"\n",(0,s.jsxs)(r.h3,{id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",children:["4.1.2 Ensure that the kubelet service file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet service file, all configuration is passed in as arguments at runtime."}),"\n",(0,s.jsx)(r.h3,{id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi' \n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-automated",children:["4.1.4 If proxy kubeconfig file exists ensure ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubelet.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/agent/kubelet.kubeconfig; fi' \n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/kubelet.kubeconfig"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",children:["4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/kubelet.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/kubelet.kubeconfig"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c permissions=%a /var/lib/rancher/k3s/agent/client-ca.crt\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the following command to modify the file permissions of the\n--client-ca-file ",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/client-ca.crt"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-automated",children:["4.1.8 Ensure that the client certificate authorities file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/client-ca.crt\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the following command to modify the ownership of the --client-ca-file.\n",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/client-ca.crt"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"419-if-the-kubelet-configyaml-configuration-file-is-being-used-validate-permissions-set-to-600-or-more-restrictive-automated",children:"4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime."}),"\n",(0,s.jsxs)(r.h3,{id:"4110-if-the-kubelet-configyaml-configuration-file-is-being-used-validate-file-ownership-is-set-to-root-automated",children:["4.1.10 If the kubelet config.yaml configuration file is being used validate file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime."}),"\n",(0,s.jsx)(r.h2,{id:"42-kubelet",children:"4.2 Kubelet"}),"\n",(0,s.jsx)(r.h3,{id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi\' \n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--anonymous-auth' is equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --anonymous-auth to false. If you have set this to a different value, you\nshould set it back to false. If using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "anonymous-auth=true"\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="anonymous-auth=true"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"; else echo "--authorization-mode=Webhook"; fi\' \n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' does not have 'AlwaysAllow'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --authorization-mode to AlwaysAllow.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "authorization-mode=AlwaysAllow"\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="authorization-mode=AlwaysAllow"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file"; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi\' \n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--client-ca-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the client ca certificate for the Kubelet.\nIt is generated and located at /var/lib/rancher/k3s/agent/client-ca.crt"})]}),"\n",(0,s.jsx)(r.h3,{id:"424-verify-that-the---read-only-port-argument-is-set-to-0-automated",children:"4.2.4 Verify that the --read-only-port argument is set to 0 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--read-only-port' is equal to '0' OR '--read-only-port' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --read-only-port to 0. If you have set this to a different value, you\nshould set it back to 0. If using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "read-only-port=XXXX"\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="read-only-port=XXXX"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",children:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--streaming-connection-idle-timeout' is not equal to '0' OR '--streaming-connection-idle-timeout' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter to an appropriate value."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "streaming-connection-idle-timeout=5m"\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="streaming-connection-idle-timeout=5m".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated",children:"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--protect-kernel-defaults' is equal to 'true'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter.\nprotect-kernel-defaults: true\nIf using the command line, run K3s with --protect-kernel-defaults=true.\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service"})]}),"\n",(0,s.jsx)(r.h3,{id:"427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",children:"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--make-iptables-util-chains' is equal to 'true' OR '--make-iptables-util-chains' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "make-iptables-util-chains=true"\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="make-iptables-util-chains=true".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"428-ensure-that-the---hostname-override-argument-is-not-set-automated",children:"4.2.8 Ensure that the --hostname-override argument is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s does set the --hostname-override argument. Per CIS guidelines, this is to comply\nwith cloud providers that require this flag to ensure that hostname matches node names."}),"\n",(0,s.jsx)(r.h3,{id:"429-ensure-that-the-eventrecordqps-argument-is-set-to-a-level-which-ensures-appropriate-event-capture-manual",children:"4.2.9 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--event-qps' is equal to '0'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the event-qps to 0. Should you wish to change this,\nIf using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter to an appropriate value."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "event-qps="\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="event-qps=".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cert-file' is present AND '--tls-private-key-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the TLS certificate and private key for the Kubelet.\nThey are generated and located at /var/lib/rancher/k3s/agent/serving-kubelet.crt and /var/lib/rancher/k3s/agent/serving-kubelet.key\nIf for some reason you need to provide your own certificate and key, you can set the\nbelow parameters in the K3s config file /etc/rancher/k3s/config.yaml."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "tls-cert-file="\n - "tls-private-key-file="\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",children:"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--rotate-certificates' is present OR '--rotate-certificates' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["By default, K3s does not set the --rotate-certificates argument. If you have set this flag with a value of ",(0,s.jsx)(r.code,{children:"false"}),", you should either set it to ",(0,s.jsx)(r.code,{children:"true"}),' or completely remove the flag.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any rotate-certificates parameter.\nIf using the command line, remove the K3s flag --kubelet-arg="rotate-certificates".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service']})]}),"\n",(0,s.jsx)(r.h3,{id:"4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'RotateKubeletServerCertificate' is present OR 'RotateKubeletServerCertificate' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:'By default, K3s does not set the RotateKubeletServerCertificate feature gate.\nIf you have enabled this feature gate, you should remove it.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any feature-gate=RotateKubeletServerCertificate parameter.\nIf using the command line, remove the K3s flag --kubelet-arg="feature-gate=RotateKubeletServerCertificate".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",children:"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cipher-suites' contains valid elements from 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["If using a K3s config file /etc/rancher/k3s/config.yaml, edit the file to set ",(0,s.jsx)(r.code,{children:"TLSCipherSuites"})," to"]}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"\n'})}),(0,s.jsx)(r.p,{children:'or to a subset of these values.\nIf using the command line, add the K3s flag --kubelet-arg="tls-cipher-suites="\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h2,{id:"51-rbac-and-service-accounts",children:"5.1 RBAC and Service Accounts"}),"\n",(0,s.jsx)(r.h3,{id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",children:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIdentify all clusterrolebindings to the cluster-admin role. Check if they are used and\nif they need this role or if they could use a role with fewer privileges.\nWhere possible, first bind users to a lower privileged role and then remove the\nclusterrolebinding to the cluster-admin role :\nkubectl delete clusterrolebinding [name]"]}),"\n",(0,s.jsx)(r.h3,{id:"512-minimize-access-to-secrets-manual",children:"5.1.2 Minimize access to secrets (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove get, list and watch access to Secret objects in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",children:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible replace any use of wildcards in clusterroles and roles with specific\nobjects or actions."]}),"\n",(0,s.jsx)(r.h3,{id:"514-minimize-access-to-create-pods-manual",children:"5.1.4 Minimize access to create pods (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove create access to pod objects in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",children:"5.1.5 Ensure that default service accounts are not actively used. (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\nautomountServiceAccountToken: false"]}),"\n",(0,s.jsx)(r.h3,{id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",children:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nModify the definition of pods and service accounts which do not need to mount service\naccount tokens to disable it."]}),"\n",(0,s.jsxs)(r.h3,{id:"517-avoid-use-of-system-group-manual",children:["5.1.7 Avoid use of system",":masters"," group (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRemove the system",":masters"," group from all users in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",children:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove the impersonate, bind and escalate rights from subjects."]}),"\n",(0,s.jsx)(r.h2,{id:"52-pod-security-standards",children:"5.2 Pod Security Standards"}),"\n",(0,s.jsx)(r.h3,{id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",children:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that either Pod Security Admission or an external policy control system is in place\nfor every namespace which contains user workloads."]}),"\n",(0,s.jsx)(r.h3,{id:"522-minimize-the-admission-of-privileged-containers-manual",children:"5.2.2 Minimize the admission of privileged containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of privileged containers."]}),"\n",(0,s.jsx)(r.h3,{id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",children:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostPID"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",children:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostIPC"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",children:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostNetwork"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",children:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,s.jsx)(r.code,{children:".spec.allowPrivilegeEscalation"})," set to ",(0,s.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"527-minimize-the-admission-of-root-containers-automated",children:"5.2.7 Minimize the admission of root containers (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate a policy for each namespace in the cluster, ensuring that either ",(0,s.jsx)(r.code,{children:"MustRunAsNonRoot"}),"\nor ",(0,s.jsx)(r.code,{children:"MustRunAs"})," with the range of UIDs not including 0, is set."]}),"\n",(0,s.jsx)(r.h3,{id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",children:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with the ",(0,s.jsx)(r.code,{children:"NET_RAW"})," capability."]}),"\n",(0,s.jsx)(r.h3,{id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",children:"5.2.9 Minimize the admission of containers with added capabilities (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that ",(0,s.jsx)(r.code,{children:"allowedCapabilities"})," is not present in policies for the cluster unless\nit is set to an empty array."]}),"\n",(0,s.jsx)(r.h3,{id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",children:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nReview the use of capabilities in applications running on your cluster. Where a namespace\ncontains applications which do not require any Linux capabities to operate consider adding\na PSP which forbids the admission of containers which do not drop all capabilities."]}),"\n",(0,s.jsx)(r.h3,{id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",children:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers that have ",(0,s.jsx)(r.code,{children:".securityContext.windowsOptions.hostProcess"})," set to ",(0,s.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"5212-minimize-the-admission-of-hostpath-volumes-manual",children:"5.2.12 Minimize the admission of HostPath volumes (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,s.jsx)(r.code,{children:"hostPath"})," volumes."]}),"\n",(0,s.jsx)(r.h3,{id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",children:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers which use ",(0,s.jsx)(r.code,{children:"hostPort"})," sections."]}),"\n",(0,s.jsx)(r.h2,{id:"53-network-policies-and-cni",children:"5.3 Network Policies and CNI"}),"\n",(0,s.jsx)(r.h3,{id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",children:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf the CNI plugin in use does not support network policies, consideration should be given to\nmaking use of a different plugin, or finding an alternate mechanism for restricting traffic\nin the Kubernetes cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",children:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create NetworkPolicy objects as you need them."]}),"\n",(0,s.jsx)(r.h2,{id:"54-secrets-management",children:"5.4 Secrets Management"}),"\n",(0,s.jsx)(r.h3,{id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",children:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf possible, rewrite application code to read Secrets from mounted secret files, rather than\nfrom environment variables."]}),"\n",(0,s.jsx)(r.h3,{id:"542-consider-external-secret-storage-manual",children:"5.4.2 Consider external secret storage (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRefer to the Secrets management options offered by your cloud provider or a third-party\nsecrets management solution."]}),"\n",(0,s.jsx)(r.h2,{id:"55-extensible-admission-control",children:"5.5 Extensible Admission Control"}),"\n",(0,s.jsx)(r.h3,{id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",children:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and setup image provenance."]}),"\n",(0,s.jsx)(r.h2,{id:"57-general-policies",children:"5.7 General Policies"}),"\n",(0,s.jsx)(r.h3,{id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",children:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create namespaces for objects in your deployment as you need\nthem."]}),"\n",(0,s.jsx)(r.h3,{id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",children:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nUse ",(0,s.jsx)(r.code,{children:"securityContext"})," to enable the docker/default seccomp profile in your pod definitions.\nAn example is as below:\nsecurityContext:\nseccompProfile:\ntype: RuntimeDefault"]}),"\n",(0,s.jsx)(r.h3,{id:"573-apply-securitycontext-to-your-pods-and-containers-manual",children:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and apply SecurityContexts to your Pods. For a\nsuggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker\nContainers."]}),"\n",(0,s.jsx)(r.h3,{id:"574-the-default-namespace-should-not-be-used-manual",children:"5.7.4 The default namespace should not be used (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes\nresources and that all new resources are created in a specific namespace."]})]})}function u(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,s.jsx)(r,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,r,t)=>{t.d(r,{Z:()=>l,a:()=>a});var s=t(7294);const n={},i=s.createContext(n);function a(e){const r=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function l(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:a(e.components),s.createElement(i.Provider,{value:r},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[3555],{2688:(e,r,t)=>{t.r(r),t.d(r,{assets:()=>c,contentTitle:()=>a,default:()=>u,frontMatter:()=>i,metadata:()=>l,toc:()=>o});var s=t(5893),n=t(1151);const i={title:"CIS 1.24 Self Assessment Guide"},a=void 0,l={id:"security/self-assessment-1.24",title:"CIS 1.24 Self Assessment Guide",description:"Overview",source:"@site/docs/security/self-assessment-1.24.md",sourceDirName:"security",slug:"/security/self-assessment-1.24",permalink:"/security/self-assessment-1.24",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.24.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"CIS 1.24 Self Assessment Guide"},sidebar:"mySidebar",previous:{title:"CIS 1.7 Self Assessment Guide",permalink:"/security/self-assessment-1.7"},next:{title:"CLI Tools",permalink:"/cli/"}},c={},o=[{value:"Overview",id:"overview",level:2},{value:"Testing controls methodology",id:"testing-controls-methodology",level:3},{value:"1.1 Control Plane Node Configuration Files",id:"11-control-plane-node-configuration-files",level:2},{value:"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)",id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",level:3},{value:"1.1.2 Ensure that the API server pod specification file ownership is set to root (Automated)",id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)",id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.4 Ensure that the controller manager pod specification file ownership is set to root (Automated)",id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)",id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.6 Ensure that the scheduler pod specification file ownership is set to root (Automated)",id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)",id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.8 Ensure that the etcd pod specification file ownership is set to root (Automated)",id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)",id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.10 Ensure that the Container Network Interface file ownership is set to root (Manual)",id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",level:3},{value:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)",id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",level:3},{value:"1.1.12 Ensure that the etcd data directory ownership is set to etcd (Automated)",id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",level:3},{value:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)",id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.14 Ensure that the admin.conf file ownership is set to root (Automated)",id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)",id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.16 Ensure that the scheduler.conf file ownership is set to root (Automated)",id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)",id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.18 Ensure that the controller-manager.conf file ownership is set to root (Automated)",id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root (Automated)",id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)",id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual",level:3},{value:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)",id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated",level:3},{value:"1.2 API Server",id:"12-api-server",level:2},{value:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)",id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",level:3},{value:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)",id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",level:3},{value:"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)",id:"124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated",level:3},{value:"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)",id:"125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)",id:"126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)",id:"128-ensure-that-the---authorization-mode-argument-includes-node-automated",level:3},{value:"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)",id:"129-ensure-that-the---authorization-mode-argument-includes-rbac-automated",level:3},{value:"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)",id:"1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",level:3},{value:"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)",id:"1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",level:3},{value:"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)",id:"1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",level:3},{value:"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)",id:"1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",level:3},{value:"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)",id:"1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",level:3},{value:"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)",id:"1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",level:3},{value:"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)",id:"1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",level:3},{value:"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)",id:"1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated",level:3},{value:"1.2.18 Ensure that the --profiling argument is set to false (Automated)",id:"1218-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.2.19 Ensure that the --audit-log-path argument is set (Manual)",id:"1219-ensure-that-the---audit-log-path-argument-is-set-manual",level:3},{value:"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)",id:"1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated",level:3},{value:"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)",id:"1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated",level:3},{value:"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)",id:"1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated",level:3},{value:"1.2.23 Ensure that the --request-timeout argument is set as appropriate (Manual)",id:"1223-ensure-that-the---request-timeout-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)",id:"1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",level:3},{value:"1.2.25 Ensure that the --service-account-key-file argument is set as appropriate (Automated)",id:"1225-ensure-that-the---service-account-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)",id:"1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)",id:"1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)",id:"1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.31 Ensure that encryption providers are appropriately configured (Manual)",id:"1231-ensure-that-encryption-providers-are-appropriately-configured-manual",level:3},{value:"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)",id:"1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-automated",level:3},{value:"1.3 Controller Manager",id:"13-controller-manager",level:2},{value:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)",id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",level:3},{value:"1.3.2 Ensure that the --profiling argument is set to false (Automated)",id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)",id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",level:3},{value:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)",id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)",id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"1.4 Scheduler",id:"14-scheduler",level:2},{value:"1.4.1 Ensure that the --profiling argument is set to false (Automated)",id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"2 Etcd Node Configuration",id:"2-etcd-node-configuration",level:2},{value:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)",id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)",id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)",id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)",id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)",id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)",id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.7 Ensure that a unique Certificate Authority is used for etcd (Automated)",id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-automated",level:3},{value:"4.1 Worker Node Configuration Files",id:"41-worker-node-configuration-files",level:2},{value:"4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)",id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.2 Ensure that the kubelet service file ownership is set to root (Automated)",id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)",id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.4 If proxy kubeconfig file exists ensure ownership is set to root (Automated)",id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-automated",level:3},{value:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)",id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root (Automated)",id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)",id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.8 Ensure that the client certificate authorities file ownership is set to root (Automated)",id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)",id:"419-if-the-kubelet-configyaml-configuration-file-is-being-used-validate-permissions-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.10 If the kubelet config.yaml configuration file is being used validate file ownership is set to root (Automated)",id:"4110-if-the-kubelet-configyaml-configuration-file-is-being-used-validate-file-ownership-is-set-to-root-automated",level:3},{value:"4.2 Kubelet",id:"42-kubelet",level:2},{value:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"4.2.4 Verify that the --read-only-port argument is set to 0 (Automated)",id:"424-verify-that-the---read-only-port-argument-is-set-to-0-automated",level:3},{value:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)",id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",level:3},{value:"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)",id:"426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated",level:3},{value:"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)",id:"427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",level:3},{value:"4.2.8 Ensure that the --hostname-override argument is not set (Automated)",id:"428-ensure-that-the---hostname-override-argument-is-not-set-automated",level:3},{value:"4.2.9 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)",id:"429-ensure-that-the-eventrecordqps-argument-is-set-to-a-level-which-ensures-appropriate-event-capture-manual",level:3},{value:"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)",id:"4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",level:3},{value:"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)",id:"4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"5.1 RBAC and Service Accounts",id:"51-rbac-and-service-accounts",level:2},{value:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)",id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",level:3},{value:"5.1.2 Minimize access to secrets (Manual)",id:"512-minimize-access-to-secrets-manual",level:3},{value:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)",id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",level:3},{value:"5.1.4 Minimize access to create pods (Manual)",id:"514-minimize-access-to-create-pods-manual",level:3},{value:"5.1.5 Ensure that default service accounts are not actively used. (Manual)",id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",level:3},{value:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)",id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",level:3},{value:"5.1.7 Avoid use of system group (Manual)",id:"517-avoid-use-of-system-group-manual",level:3},{value:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)",id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",level:3},{value:"5.2 Pod Security Standards",id:"52-pod-security-standards",level:2},{value:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)",id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",level:3},{value:"5.2.2 Minimize the admission of privileged containers (Manual)",id:"522-minimize-the-admission-of-privileged-containers-manual",level:3},{value:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)",id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",level:3},{value:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)",id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",level:3},{value:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)",id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",level:3},{value:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)",id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",level:3},{value:"5.2.7 Minimize the admission of root containers (Automated)",id:"527-minimize-the-admission-of-root-containers-automated",level:3},{value:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)",id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",level:3},{value:"5.2.9 Minimize the admission of containers with added capabilities (Automated)",id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",level:3},{value:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)",id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",level:3},{value:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)",id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",level:3},{value:"5.2.12 Minimize the admission of HostPath volumes (Manual)",id:"5212-minimize-the-admission-of-hostpath-volumes-manual",level:3},{value:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)",id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",level:3},{value:"5.3 Network Policies and CNI",id:"53-network-policies-and-cni",level:2},{value:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)",id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",level:3},{value:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)",id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",level:3},{value:"5.4 Secrets Management",id:"54-secrets-management",level:2},{value:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)",id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",level:3},{value:"5.4.2 Consider external secret storage (Manual)",id:"542-consider-external-secret-storage-manual",level:3},{value:"5.5 Extensible Admission Control",id:"55-extensible-admission-control",level:2},{value:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)",id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",level:3},{value:"5.7 General Policies",id:"57-general-policies",level:2},{value:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)",id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",level:3},{value:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)",id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",level:3},{value:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)",id:"573-apply-securitycontext-to-your-pods-and-containers-manual",level:3},{value:"5.7.4 The default namespace should not be used (Manual)",id:"574-the-default-namespace-should-not-be-used-manual",level:3}];function d(e){const r={a:"a",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components},{Details:t}=r;return t||function(e,r){throw new Error("Expected "+(r?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}("Details",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(r.h2,{id:"overview",children:"Overview"}),"\n",(0,s.jsxs)(r.p,{children:["This document is a companion to the ",(0,s.jsx)(r.a,{href:"/security/hardening-guide",children:"K3s security hardening guide"}),". The hardening guide provides prescriptive guidance for hardening a production installation of K3s, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes Benchmark. It is to be used by K3s operators, security teams, auditors, and decision-makers."]}),"\n",(0,s.jsxs)(r.p,{children:["This guide is specific to the ",(0,s.jsx)(r.strong,{children:"v1.24"})," release line of K3s and the ",(0,s.jsx)(r.strong,{children:"v1.24"})," release of the CIS Kubernetes Benchmark."]}),"\n",(0,s.jsxs)(r.p,{children:["For more information about each control, including detailed descriptions and remediations for failing tests, you can refer to the corresponding section of the CIS Kubernetes Benchmark v1.6. You can download the benchmark, after creating a free account, in ",(0,s.jsx)(r.a,{href:"https://www.cisecurity.org/benchmark/kubernetes/",children:"Center for Internet Security (CIS)"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"testing-controls-methodology",children:"Testing controls methodology"}),"\n",(0,s.jsx)(r.p,{children:"Each control in the CIS Kubernetes Benchmark was evaluated against a K3s cluster that was configured according to the accompanying hardening guide."}),"\n",(0,s.jsx)(r.p,{children:"Where control audits differ from the original CIS benchmark, the audit commands specific to K3s are provided for testing."}),"\n",(0,s.jsx)(r.p,{children:"These are the possible results for each control:"}),"\n",(0,s.jsxs)(r.ul,{children:["\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Pass"})," - The K3s cluster under test passed the audit outlined in the benchmark."]}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Not Applicable"})," - The control is not applicable to K3s because of how it is designed to operate. The remediation section will explain why this is so."]}),"\n",(0,s.jsxs)(r.li,{children:[(0,s.jsx)(r.strong,{children:"Warn"})," - The control is manual in the CIS benchmark and it depends on the cluster's use case or some other factor that must be determined by the cluster operator. These controls have been evaluated to ensure K3s does not prevent their implementation, but no further configuration or auditing of the cluster under test has been performed."]}),"\n"]}),"\n",(0,s.jsx)(r.p,{children:'This guide makes the assumption that K3s is running as a Systemd unit. Your installation may vary and will require you to adjust the "audit" commands to fit your scenario.'}),"\n",(0,s.jsx)(r.h2,{id:"11-control-plane-node-configuration-files",children:"1.1 Control Plane Node Configuration Files"}),"\n",(0,s.jsx)(r.h3,{id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-644-or-more-restrictive-automated",children:"1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the api server within the k3s process. There is no API server pod specification file."}),"\n",(0,s.jsxs)(r.h3,{id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.2 Ensure that the API server pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the api server within the k3s process. There is no API server pod specification file."}),"\n",(0,s.jsx)(r.h3,{id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the controller manager within the k3s process. There is no controller manager pod specification file."}),"\n",(0,s.jsxs)(r.h3,{id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.4 Ensure that the controller manager pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the controller manager within the k3s process. There is no controller manager pod specification file."}),"\n",(0,s.jsx)(r.h3,{id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the scheduler within the k3s process. There is no scheduler pod specification file."}),"\n",(0,s.jsxs)(r.h3,{id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.6 Ensure that the scheduler pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds the scheduler within the k3s process. There is no scheduler pod specification file."}),"\n",(0,s.jsx)(r.h3,{id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds etcd within the k3s process. There is no etcd pod specification file."}),"\n",(0,s.jsxs)(r.h3,{id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.8 Ensure that the etcd pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s embeds etcd within the k3s process. There is no etcd pod specification file."}),"\n",(0,s.jsx)(r.h3,{id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks."}),"\n",(0,s.jsxs)(r.h3,{id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",children:["1.1.10 Ensure that the Container Network Interface file ownership is set to root",":root"," (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks."}),"\n",(0,s.jsx)(r.h3,{id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",children:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'if [ "$(journalctl -u k3s | grep -m1 \'Managed etcd cluster\' | wc -l)" -gt 0 ]; then\n stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd\nelse\n echo "permissions=700"\nfi\n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 700, expected 700 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=700\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["On the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above). For example,\n",(0,s.jsx)(r.code,{children:"chmod 700 /var/lib/etcd"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",children:["1.1.12 Ensure that the etcd data directory ownership is set to etcd",":etcd"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsxs)(r.p,{children:["For K3s, etcd is embedded within the k3s process. There is no separate etcd process.\nTherefore the etcd data directory ownership is managed by the k3s process and should be root",":root","."]}),"\n",(0,s.jsx)(r.h3,{id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," INFO"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"})]}),"\n",(0,s.jsxs)(r.h3,{id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",children:["1.1.14 Ensure that the admin.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/admin.kubeconfig"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",children:["1.1.16 Ensure that the scheduler.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/controller.kubeconfig"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",children:["1.1.18 Ensure that the controller-manager.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/controller.kubeconfig"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",children:["1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"find /var/lib/rancher/k3s/server/tls | xargs stat -c %U:%G\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chown -R root:root /etc/kubernetes/pki/"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual",children:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the master node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.crt"})]}),"\n",(0,s.jsx)(r.h3,{id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated",children:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'stat -c permissions=%a /var/lib/rancher/k3s/server/tls/*.key'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the master node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.key"})]})]}),"\n",(0,s.jsx)(r.h2,{id:"12-api-server",children:"1.2 API Server"}),"\n",(0,s.jsx)(r.h3,{id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--anonymous-auth' is equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --anonymous-auth argument to false. If it is set to true,\nedit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "anonymous-auth=true"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",children:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--token-auth-file' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Follow the documentation and configure alternate mechanisms for authentication.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "token-auth-file="\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",children:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' does not have 'DenyServiceExternalIPs' OR '--enable-admission-plugins' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set DenyServiceExternalIPs.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=DenyServiceExternalIPs"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"124-ensure-that-the---kubelet-https-argument-is-set-to-true-automated",children:"1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," INFO"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and remove the --kubelet-https parameter."]}),"\n",(0,s.jsx)(r.h3,{id:"125-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",children:"1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--kubelet-client-certificate' is present AND '--kubelet-client-key' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the kubelet client certificate and key.\nThey are generated and located at /var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/client-kube-apiserver.key\nIf for some reason you need to provide your own certificate and key, you can set the\nbelow parameters in the K3s config file /etc/rancher/k3s/config.yaml."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "kubelet-client-certificate="\n - "kubelet-client-key="\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"126-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",children:"1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--kubelet-certificate-authority' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Follow the Kubernetes documentation and setup the TLS connection between\nthe apiserver and kubelets. Then, edit the API server pod specification file\n/etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the\n--kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.\n--kubelet-certificate-authority="})]}),"\n",(0,s.jsx)(r.h3,{id:"127-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' does not have 'AlwaysAllow'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --authorization-mode to AlwaysAllow.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "authorization-mode=AlwaysAllow"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"128-ensure-that-the---authorization-mode-argument-includes-node-automated",children:"1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' has 'Node'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --authorization-mode to Node and RBAC.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml,\nensure that you are not overriding authorization-mode."})]}),"\n",(0,s.jsx)(r.h3,{id:"129-ensure-that-the---authorization-mode-argument-includes-rbac-automated",children:"1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' has 'RBAC'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --authorization-mode to Node and RBAC.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml,\nensure that you are not overriding authorization-mode."})]}),"\n",(0,s.jsx)(r.h3,{id:"1210-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",children:"1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set the desired limits in a configuration file.\nThen, edit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameters."]}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,EventRateLimit,..."\n - "admission-control-config-file="\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1211-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",children:"1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' does not have 'AlwaysAdmit' OR '--enable-admission-plugins' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --enable-admission-plugins to AlwaysAdmit.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=AlwaysAdmit"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1212-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",children:"1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),'\nPermissive, per CIS guidelines,\n"This setting could impact offline or isolated clusters, which have images pre-loaded and\ndo not have access to a registry to pull in-use images. This setting is not appropriate for\nclusters which use this configuration."\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameter.']}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,AlwaysPullImages,..."\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1213-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",children:"1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' has 'SecurityContextDeny' OR '--enable-admission-plugins' has 'PodSecurityPolicy'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml\non the control plane node and set the --enable-admission-plugins parameter to include\nSecurityContextDeny, unless PodSecurityPolicy is already in place.\n--enable-admission-plugins=...,SecurityContextDeny,..."})]}),"\n",(0,s.jsx)(r.h3,{id:"1214-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",children:"1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'ServiceAccount'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --disable-admission-plugins to anything.\nFollow the documentation and create ServiceAccount objects as per your environment.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "disable-admission-plugins=ServiceAccount"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1215-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",children:"1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --disable-admission-plugins to anything.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "disable-admission-plugins=...,NamespaceLifecycle,..."\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1216-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",children:"1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' has 'NodeRestriction'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --enable-admission-plugins to NodeRestriction.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, check that you are not overriding the admission plugins.\nIf you are, include NodeRestriction in the list."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,NodeRestriction,..."\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1217-ensure-that-the---secure-port-argument-is-not-set-to-0-automated",children:"1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'secure-port'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--secure-port' is greater than 0 OR '--secure-port' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the secure port to 6444.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "secure-port="\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1218-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.2.18 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "profiling=true"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1219-ensure-that-the---audit-log-path-argument-is-set-manual",children:"1.2.19 Ensure that the --audit-log-path argument is set (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-log-path'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-path' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml and set the audit-log-path parameter to a suitable path and\nfile where you would like audit logs to be written, for example,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1220-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-automated",children:"1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-log-maxage'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxage' is greater or equal to 30"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxage parameter to 30 or as an appropriate number of days, for example,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxage=30"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1221-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-automated",children:"1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-log-maxbackup'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxbackup' is greater or equal to 10"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxbackup parameter to 10 or to an appropriate value. For example,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxbackup=10"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1222-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-automated",children:"1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-log-maxsize'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxsize' is greater or equal to 100"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxsize parameter to an appropriate size in MB. For example,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxsize=100"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1223-ensure-that-the---request-timeout-argument-is-set-as-appropriate-manual",children:"1.2.23 Ensure that the --request-timeout argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),'\nPermissive, per CIS guidelines,\n"it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed".\nEdit the K3s config file /etc/rancher/k3s/config.yaml\nand set the below parameter if needed. For example,']}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "request-timeout=300s"\n'})}),"\n",(0,s.jsx)(r.h3,{id:"1224-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",children:"1.2.24 Ensure that the --service-account-lookup argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-lookup' is not present OR '--service-account-lookup' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --service-account-lookup argument.\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the service-account-lookup. For example,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "service-account-lookup=true"\n'})}),(0,s.jsx)(r.p,{children:"Alternatively, you can delete the service-account-lookup parameter from this file so\nthat the default takes effect."})]}),"\n",(0,s.jsx)(r.h3,{id:"1225-ensure-that-the---service-account-key-file-argument-is-set-as-appropriate-automated",children:"1.2.25 Ensure that the --service-account-key-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'service-account-key-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-key-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"K3s automatically generates and sets the service account key file.\nIt is located at /var/lib/rancher/k3s/server/tls/service.key.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "service-account-key-file="\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1226-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",children:"1.2.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"if [ \"$(journalctl -u k3s | grep -m1 'Managed etcd cluster' | wc -l)\" -gt 0 ]; then\n journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver' | tail -n1\nelse\n echo \"--etcd-certfile AND --etcd-keyfile\"\nfi\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--etcd-certfile' is present AND '--etcd-keyfile' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"K3s automatically generates and sets the etcd certificate and key files.\nThey are located at /var/lib/rancher/k3s/server/tls/etcd/client.crt and /var/lib/rancher/k3s/server/tls/etcd/client.key.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "etcd-certfile="\n - "etcd-keyfile="\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1227-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"1.2.27 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep -A1 'Running kube-apiserver' | tail -n2\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cert-file' is present AND '--tls-private-key-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\nAug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically generates and provides the TLS certificate and private key for the apiserver.\nThey are generated and located at /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "tls-cert-file="\n - "tls-private-key-file="\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1228-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"1.2.28 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'client-ca-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--client-ca-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the client certificate authority file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/client-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "client-ca-file="\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1229-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",children:"1.2.29 Ensure that the --etcd-cafile argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-cafile'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--etcd-cafile' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the etcd certificate authority file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/client-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "etcd-cafile="\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"1230-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",children:"1.2.30 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--encryption-provider-config' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"K3s can be configured to use encryption providers to encrypt secrets at rest.\nEdit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and set the below parameter.\nsecrets-encryption: true\nSecrets encryption can then be managed with the k3s secrets-encrypt command line tool.\nIf needed, you can find the generated encryption config at /var/lib/rancher/k3s/server/cred/encryption-config.json."})]}),"\n",(0,s.jsx)(r.h3,{id:"1231-ensure-that-encryption-providers-are-appropriately-configured-manual",children:"1.2.31 Ensure that encryption providers are appropriately configured (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"ENCRYPTION_PROVIDER_CONFIG=$(journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\\([^ ]*\\).*%\\1%')\nif test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -o 'providers\\\"\\:\\[.*\\]' $ENCRYPTION_PROVIDER_CONFIG | grep -o \"[A-Za-z]*\" | head -2 | tail -1 | sed 's/^/provider=/'; fi\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'provider' contains valid elements from 'aescbc,kms,secretbox'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"provider=aescbc\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"K3s can be configured to use encryption providers to encrypt secrets at rest. K3s will utilize the aescbc provider.\nEdit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and set the below parameter.\nsecrets-encryption: true\nSecrets encryption can then be managed with the k3s secrets-encrypt command line tool.\nIf needed, you can find the generated encryption config at /var/lib/rancher/k3s/server/cred/encryption-config.json"})]}),"\n",(0,s.jsx)(r.h3,{id:"1232-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-automated",children:"1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cipher-suites' contains valid elements from 'TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["By default, the K3s kube-apiserver complies with this test. Changes to these values may cause regression, therefore ensure that all apiserver clients support the new TLS configuration before applying it in production deployments.\nIf a custom TLS configuration is required, consider also creating a custom version of this rule that aligns with your requirements.\nIf this check fails, remove any custom configuration around ",(0,s.jsx)(r.code,{children:"tls-cipher-suites"})," or update the /etc/rancher/k3s/config.yaml file to match the default by adding the following:"]}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-apiserver-arg:\n - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"\n'})})]}),"\n",(0,s.jsx)(r.h2,{id:"13-controller-manager",children:"1.3 Controller Manager"}),"\n",(0,s.jsx)(r.h3,{id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",children:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'terminated-pod-gc-threshold'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--terminated-pod-gc-threshold' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node\nand set the --terminated-pod-gc-threshold to an appropriate threshold,"}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "terminated-pod-gc-threshold=10"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.3.2 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "profiling=true"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",children:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--use-service-account-credentials' is not equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --use-service-account-credentials argument to true.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "use-service-account-credentials=false"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",children:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'service-account-private-key-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-private-key-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the service account private key file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/service.current.key.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "service-account-private-key-file="\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",children:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'root-ca-file'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--root-ca-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the root CA file.\nIt is generated and located at /var/lib/rancher/k3s/server/tls/server-ca.crt.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "root-ca-file="\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--feature-gates' does not have 'RotateKubeletServerCertificate=false' OR '--feature-gates' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the RotateKubeletServerCertificate feature gate.\nIf you have enabled this feature gate, you should remove it.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "feature-gate=RotateKubeletServerCertificate"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'bind-address'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-controller-manager --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.42.0.0/16 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/k3s/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/k3s/server/tls/server-ca.key --configure-cloud-routes=false --controllers=*,tokencleaner,-service,-route,-cloud-node-lifecycle --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/k3s/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/k3s/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --terminated-pod-gc-threshold=10 --use-service-account-credentials=true"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --bind-address argument to 127.0.0.1\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-controller-manager-arg:\n - "bind-address="\n'})})]}),"\n",(0,s.jsx)(r.h2,{id:"14-scheduler",children:"1.4 Scheduler"}),"\n",(0,s.jsx)(r.h3,{id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.4.1 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-scheduler-arg:\n - "profiling=true"\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",children:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'bind-address'\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--bind-address' is equal to '127.0.0.1' OR '--bind-address' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --bind-address argument to 127.0.0.1\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kube-scheduler-arg:\n - "bind-address="\n'})})]}),"\n",(0,s.jsx)(r.h2,{id:"2-etcd-node-configuration",children:"2 Etcd Node Configuration"}),"\n",(0,s.jsx)(r.h3,{id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",children:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.cert-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/server-client.crt' AND '.client-transport-security.key-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/server-client.key'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates cert and key files for etcd.\nThese are located in /var/lib/rancher/k3s/server/tls/etcd/.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use custom cert and key files."})]}),"\n",(0,s.jsx)(r.h3,{id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",children:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.client-cert-auth' is equal to 'true'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s sets the --client-cert-auth parameter to true.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to disable client certificate authentication."})]}),"\n",(0,s.jsx)(r.h3,{id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",children:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.client-transport-security.auto-tls' is present OR '.client-transport-security.auto-tls' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s does not set the --auto-tls parameter.\nIf this check fails, edit the etcd pod specification file /var/lib/rancher/k3s/server/db/etcd/config on the master\nnode and either remove the --auto-tls parameter or set it to false.\nclient-transport-security:\nauto-tls: false"})]}),"\n",(0,s.jsx)(r.h3,{id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",children:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.cert-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt' AND '.peer-transport-security.key-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates peer cert and key files for etcd.\nThese are located in /var/lib/rancher/k3s/server/tls/etcd/.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use custom peer cert and key files."})]}),"\n",(0,s.jsx)(r.h3,{id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",children:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.client-cert-auth' is equal to 'true'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s sets the --peer-cert-auth parameter to true.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to disable peer client certificate authentication."})]}),"\n",(0,s.jsx)(r.h3,{id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",children:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.auto-tls' is present OR '.peer-transport-security.auto-tls' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s does not set the --peer-auto-tls parameter.\nIf this check fails, edit the etcd pod specification file /var/lib/rancher/k3s/server/db/etcd/config on the master\nnode and either remove the --peer-auto-tls parameter or set it to false.\npeer-transport-security:\nauto-tls: false"})]}),"\n",(0,s.jsx)(r.h3,{id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-automated",children:"2.7 Ensure that a unique Certificate Authority is used for etcd (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '.peer-transport-security.trusted-ca-file' is equal to '/var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"advertise-client-urls: https://10.10.10.100:2379\nclient-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt\ndata-dir: /var/lib/rancher/k3s/server/db/etcd\nelection-timeout: 5000\nexperimental-initial-corrupt-check: true\nheartbeat-interval: 500\ninitial-advertise-peer-urls: https://10.10.10.100:2380\ninitial-cluster: server-0-ee1de912=https://10.10.10.100:2380\ninitial-cluster-state: new\nlisten-client-urls: https://127.0.0.1:2379,https://10.10.10.100:2379\nlisten-metrics-urls: http://127.0.0.1:2381\nlisten-peer-urls: https://127.0.0.1:2380,https://10.10.10.100:2380\nlog-outputs:\n- stderr\nlogger: zap\nname: server-0-ee1de912\npeer-transport-security:\n cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt\n client-cert-auth: true\n key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key\n trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt\nsnapshot-count: 10000\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If running on with sqlite or a external DB, etcd checks are Not Applicable.\nWhen running with embedded-etcd, K3s generates a unique certificate authority for etcd.\nThis is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt.\nIf this check fails, ensure that the configuration file /var/lib/rancher/k3s/server/db/etcd/config\nhas not been modified to use a shared certificate authority."})]}),"\n",(0,s.jsx)(r.h2,{id:"41-worker-node-configuration-files",children:"4.1 Worker Node Configuration Files"}),"\n",(0,s.jsx)(r.h3,{id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet service file, all configuration is passed in as arguments at runtime."}),"\n",(0,s.jsxs)(r.h3,{id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",children:["4.1.2 Ensure that the kubelet service file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet service file, all configuration is passed in as arguments at runtime."}),"\n",(0,s.jsx)(r.h3,{id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi' \n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-automated",children:["4.1.4 If proxy kubeconfig file exists ensure ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example, ",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/agent/kubelet.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/agent/kubelet.kubeconfig; fi' \n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/kubelet.kubeconfig"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",children:["4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/kubelet.kubeconfig\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the each worker node.\nFor example,\n",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/kubelet.kubeconfig"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c permissions=%a /var/lib/rancher/k3s/agent/client-ca.crt\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the following command to modify the file permissions of the\n--client-ca-file ",(0,s.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/agent/client-ca.crt"})]})]}),"\n",(0,s.jsxs)(r.h3,{id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-automated",children:["4.1.8 Ensure that the client certificate authorities file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/agent/client-ca.crt\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["Run the following command to modify the ownership of the --client-ca-file.\n",(0,s.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/agent/client-ca.crt"})]})]}),"\n",(0,s.jsx)(r.h3,{id:"419-if-the-kubelet-configyaml-configuration-file-is-being-used-validate-permissions-set-to-600-or-more-restrictive-automated",children:"4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime."}),"\n",(0,s.jsxs)(r.h3,{id:"4110-if-the-kubelet-configyaml-configuration-file-is-being-used-validate-file-ownership-is-set-to-root-automated",children:["4.1.10 If the kubelet config.yaml configuration file is being used validate file ownership is set to root",":root"," (Automated)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime."}),"\n",(0,s.jsx)(r.h2,{id:"42-kubelet",children:"4.2 Kubelet"}),"\n",(0,s.jsx)(r.h3,{id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi\' \n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--anonymous-auth' is equal to 'false'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --anonymous-auth to false. If you have set this to a different value, you\nshould set it back to false. If using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "anonymous-auth=true"\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="anonymous-auth=true"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"; else echo "--authorization-mode=Webhook"; fi\' \n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' does not have 'AlwaysAllow'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s does not set the --authorization-mode to AlwaysAllow.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "authorization-mode=AlwaysAllow"\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="authorization-mode=AlwaysAllow"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",children:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:'/bin/sh -c \'if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file"; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi\' \n'})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--client-ca-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:04 server-0 k3s[2366]: time="2024-08-09T18:56:04Z" level=info msg="Running kube-apiserver --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --feature-gates=JobTrackingWithFinalizers=true --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the client ca certificate for the Kubelet.\nIt is generated and located at /var/lib/rancher/k3s/agent/client-ca.crt"})]}),"\n",(0,s.jsx)(r.h3,{id:"424-verify-that-the---read-only-port-argument-is-set-to-0-automated",children:"4.2.4 Verify that the --read-only-port argument is set to 0 (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--read-only-port' is equal to '0' OR '--read-only-port' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the --read-only-port to 0. If you have set this to a different value, you\nshould set it back to 0. If using the K3s config file /etc/rancher/k3s/config.yaml, remove any lines similar to below."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "read-only-port=XXXX"\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, edit the K3s service file and remove the below argument.\n--kubelet-arg="read-only-port=XXXX"\nBased on your system, restart the k3s service. For example,\nsystemctl daemon-reload\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",children:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--streaming-connection-idle-timeout' is not equal to '0' OR '--streaming-connection-idle-timeout' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter to an appropriate value."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "streaming-connection-idle-timeout=5m"\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="streaming-connection-idle-timeout=5m".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"426-ensure-that-the---protect-kernel-defaults-argument-is-set-to-true-automated",children:"4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--protect-kernel-defaults' is equal to 'true'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter.\nprotect-kernel-defaults: true\nIf using the command line, run K3s with --protect-kernel-defaults=true.\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service"})]}),"\n",(0,s.jsx)(r.h3,{id:"427-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",children:"4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--make-iptables-util-chains' is equal to 'true' OR '--make-iptables-util-chains' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"If using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "make-iptables-util-chains=true"\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="make-iptables-util-chains=true".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"428-ensure-that-the---hostname-override-argument-is-not-set-automated",children:"4.2.8 Ensure that the --hostname-override argument is not set (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,s.jsx)(r.p,{children:"By default, K3s does set the --hostname-override argument. Per CIS guidelines, this is to comply\nwith cloud providers that require this flag to ensure that hostname matches node names."}),"\n",(0,s.jsx)(r.h3,{id:"429-ensure-that-the-eventrecordqps-argument-is-set-to-a-level-which-ensures-appropriate-event-capture-manual",children:"4.2.9 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--event-qps' is equal to '0'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s sets the event-qps to 0. Should you wish to change this,\nIf using the K3s config file /etc/rancher/k3s/config.yaml, set the following parameter to an appropriate value."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "event-qps="\n'})}),(0,s.jsx)(r.p,{children:'If using the command line, run K3s with --kubelet-arg="event-qps=".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"4210-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cert-file' is present AND '--tls-private-key-file' is present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:"By default, K3s automatically provides the TLS certificate and private key for the Kubelet.\nThey are generated and located at /var/lib/rancher/k3s/agent/serving-kubelet.crt and /var/lib/rancher/k3s/agent/serving-kubelet.key\nIf for some reason you need to provide your own certificate and key, you can set the\nbelow parameters in the K3s config file /etc/rancher/k3s/config.yaml."}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "tls-cert-file="\n - "tls-private-key-file="\n'})})]}),"\n",(0,s.jsx)(r.h3,{id:"4211-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",children:"4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--rotate-certificates' is present OR '--rotate-certificates' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["By default, K3s does not set the --rotate-certificates argument. If you have set this flag with a value of ",(0,s.jsx)(r.code,{children:"false"}),", you should either set it to ",(0,s.jsx)(r.code,{children:"true"}),' or completely remove the flag.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any rotate-certificates parameter.\nIf using the command line, remove the K3s flag --kubelet-arg="rotate-certificates".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service']})]}),"\n",(0,s.jsx)(r.h3,{id:"4212-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",children:"4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," 'RotateKubeletServerCertificate' is present OR 'RotateKubeletServerCertificate' is not present"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsx)(r.p,{children:'By default, K3s does not set the RotateKubeletServerCertificate feature gate.\nIf you have enabled this feature gate, you should remove it.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, remove any feature-gate=RotateKubeletServerCertificate parameter.\nIf using the command line, remove the K3s flag --kubelet-arg="feature-gate=RotateKubeletServerCertificate".\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h3,{id:"4213-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",children:"4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,s.jsx)(r.p,{children:(0,s.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s -u k3s-agent | grep 'Running kubelet' | tail -n1\n"})}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cipher-suites' contains valid elements from 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256'"]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Returned Value:"})}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{className:"language-console",children:'Aug 09 18:56:06 server-0 k3s[2366]: time="2024-08-09T18:56:06Z" level=info msg="Running kubelet --address=0.0.0.0 --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --cgroup-driver=systemd --client-ca-file=/var/lib/rancher/k3s/agent/client-ca.crt --cloud-provider=external --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock --containerd=/run/k3s/containerd/containerd.sock --event-qps=0 --eviction-hard=imagefs.available<5%,nodefs.available<5% --eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1 --hostname-override=server-0 --kubeconfig=/var/lib/rancher/k3s/agent/kubelet.kubeconfig --make-iptables-util-chains=true --node-ip=10.10.10.100 --node-labels= --pod-infra-container-image=rancher/mirrored-pause:3.6 --pod-manifest-path=/var/lib/rancher/k3s/agent/pod-manifests --protect-kernel-defaults=true --read-only-port=0 --resolv-conf=/run/systemd/resolve/resolv.conf --serialize-image-pulls=false --streaming-connection-idle-timeout=5m --tls-cert-file=/var/lib/rancher/k3s/agent/serving-kubelet.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/agent/serving-kubelet.key"\n'})})]}),"\n",(0,s.jsxs)(t,{children:[(0,s.jsx)("summary",{children:(0,s.jsx)("b",{children:"Remediation:"})}),(0,s.jsxs)(r.p,{children:["If using a K3s config file /etc/rancher/k3s/config.yaml, edit the file to set ",(0,s.jsx)(r.code,{children:"TLSCipherSuites"})," to"]}),(0,s.jsx)(r.pre,{children:(0,s.jsx)(r.code,{children:'kubelet-arg:\n - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"\n'})}),(0,s.jsx)(r.p,{children:'or to a subset of these values.\nIf using the command line, add the K3s flag --kubelet-arg="tls-cipher-suites="\nBased on your system, restart the k3s service. For example,\nsystemctl restart k3s.service'})]}),"\n",(0,s.jsx)(r.h2,{id:"51-rbac-and-service-accounts",children:"5.1 RBAC and Service Accounts"}),"\n",(0,s.jsx)(r.h3,{id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",children:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIdentify all clusterrolebindings to the cluster-admin role. Check if they are used and\nif they need this role or if they could use a role with fewer privileges.\nWhere possible, first bind users to a lower privileged role and then remove the\nclusterrolebinding to the cluster-admin role :\nkubectl delete clusterrolebinding [name]"]}),"\n",(0,s.jsx)(r.h3,{id:"512-minimize-access-to-secrets-manual",children:"5.1.2 Minimize access to secrets (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove get, list and watch access to Secret objects in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",children:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible replace any use of wildcards in clusterroles and roles with specific\nobjects or actions."]}),"\n",(0,s.jsx)(r.h3,{id:"514-minimize-access-to-create-pods-manual",children:"5.1.4 Minimize access to create pods (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove create access to pod objects in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",children:"5.1.5 Ensure that default service accounts are not actively used. (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate explicit service accounts wherever a Kubernetes workload requires specific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\nautomountServiceAccountToken: false"]}),"\n",(0,s.jsx)(r.h3,{id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",children:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nModify the definition of pods and service accounts which do not need to mount service\naccount tokens to disable it."]}),"\n",(0,s.jsxs)(r.h3,{id:"517-avoid-use-of-system-group-manual",children:["5.1.7 Avoid use of system",":masters"," group (Manual)"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRemove the system",":masters"," group from all users in the cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",children:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nWhere possible, remove the impersonate, bind and escalate rights from subjects."]}),"\n",(0,s.jsx)(r.h2,{id:"52-pod-security-standards",children:"5.2 Pod Security Standards"}),"\n",(0,s.jsx)(r.h3,{id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",children:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that either Pod Security Admission or an external policy control system is in place\nfor every namespace which contains user workloads."]}),"\n",(0,s.jsx)(r.h3,{id:"522-minimize-the-admission-of-privileged-containers-manual",children:"5.2.2 Minimize the admission of privileged containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of privileged containers."]}),"\n",(0,s.jsx)(r.h3,{id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",children:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostPID"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",children:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostIPC"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",children:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of ",(0,s.jsx)(r.code,{children:"hostNetwork"})," containers."]}),"\n",(0,s.jsx)(r.h3,{id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",children:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,s.jsx)(r.code,{children:".spec.allowPrivilegeEscalation"})," set to ",(0,s.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"527-minimize-the-admission-of-root-containers-automated",children:"5.2.7 Minimize the admission of root containers (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nCreate a policy for each namespace in the cluster, ensuring that either ",(0,s.jsx)(r.code,{children:"MustRunAsNonRoot"}),"\nor ",(0,s.jsx)(r.code,{children:"MustRunAs"})," with the range of UIDs not including 0, is set."]}),"\n",(0,s.jsx)(r.h3,{id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",children:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with the ",(0,s.jsx)(r.code,{children:"NET_RAW"})," capability."]}),"\n",(0,s.jsx)(r.h3,{id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",children:"5.2.9 Minimize the admission of containers with added capabilities (Automated)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that ",(0,s.jsx)(r.code,{children:"allowedCapabilities"})," is not present in policies for the cluster unless\nit is set to an empty array."]}),"\n",(0,s.jsx)(r.h3,{id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",children:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nReview the use of capabilities in applications running on your cluster. Where a namespace\ncontains applications which do not require any Linux capabities to operate consider adding\na PSP which forbids the admission of containers which do not drop all capabilities."]}),"\n",(0,s.jsx)(r.h3,{id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",children:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers that have ",(0,s.jsx)(r.code,{children:".securityContext.windowsOptions.hostProcess"})," set to ",(0,s.jsx)(r.code,{children:"true"}),"."]}),"\n",(0,s.jsx)(r.h3,{id:"5212-minimize-the-admission-of-hostpath-volumes-manual",children:"5.2.12 Minimize the admission of HostPath volumes (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers with ",(0,s.jsx)(r.code,{children:"hostPath"})," volumes."]}),"\n",(0,s.jsx)(r.h3,{id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",children:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nAdd policies to each namespace in the cluster which has user workloads to restrict the\nadmission of containers which use ",(0,s.jsx)(r.code,{children:"hostPort"})," sections."]}),"\n",(0,s.jsx)(r.h2,{id:"53-network-policies-and-cni",children:"5.3 Network Policies and CNI"}),"\n",(0,s.jsx)(r.h3,{id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",children:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf the CNI plugin in use does not support network policies, consideration should be given to\nmaking use of a different plugin, or finding an alternate mechanism for restricting traffic\nin the Kubernetes cluster."]}),"\n",(0,s.jsx)(r.h3,{id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",children:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create NetworkPolicy objects as you need them."]}),"\n",(0,s.jsx)(r.h2,{id:"54-secrets-management",children:"5.4 Secrets Management"}),"\n",(0,s.jsx)(r.h3,{id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",children:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nIf possible, rewrite application code to read Secrets from mounted secret files, rather than\nfrom environment variables."]}),"\n",(0,s.jsx)(r.h3,{id:"542-consider-external-secret-storage-manual",children:"5.4.2 Consider external secret storage (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nRefer to the Secrets management options offered by your cloud provider or a third-party\nsecrets management solution."]}),"\n",(0,s.jsx)(r.h2,{id:"55-extensible-admission-control",children:"5.5 Extensible Admission Control"}),"\n",(0,s.jsx)(r.h3,{id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",children:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and setup image provenance."]}),"\n",(0,s.jsx)(r.h2,{id:"57-general-policies",children:"5.7 General Policies"}),"\n",(0,s.jsx)(r.h3,{id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",children:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the documentation and create namespaces for objects in your deployment as you need\nthem."]}),"\n",(0,s.jsx)(r.h3,{id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",children:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nUse ",(0,s.jsx)(r.code,{children:"securityContext"})," to enable the docker/default seccomp profile in your pod definitions.\nAn example is as below:\nsecurityContext:\nseccompProfile:\ntype: RuntimeDefault"]}),"\n",(0,s.jsx)(r.h3,{id:"573-apply-securitycontext-to-your-pods-and-containers-manual",children:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and apply SecurityContexts to your Pods. For a\nsuggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker\nContainers."]}),"\n",(0,s.jsx)(r.h3,{id:"574-the-default-namespace-should-not-be-used-manual",children:"5.7.4 The default namespace should not be used (Manual)"}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,s.jsxs)(r.p,{children:[(0,s.jsx)(r.strong,{children:"Remediation:"}),"\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes\nresources and that all new resources are created in a specific namespace."]})]})}function u(e={}){const{wrapper:r}={...(0,n.a)(),...e.components};return r?(0,s.jsx)(r,{...e,children:(0,s.jsx)(d,{...e})}):d(e)}},1151:(e,r,t)=>{t.d(r,{Z:()=>l,a:()=>a});var s=t(7294);const n={},i=s.createContext(n);function a(e){const r=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(r):{...r,...e}}),[r,e])}function l(e){let r;return r=e.disableParentContext?"function"==typeof e.components?e.components(n):e.components||n:a(e.components),s.createElement(i.Provider,{value:r},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/ac75af2e.24e1c6b5.js b/assets/js/ac75af2e.1880f0c7.js
similarity index 99%
rename from assets/js/ac75af2e.24e1c6b5.js
rename to assets/js/ac75af2e.1880f0c7.js
index 6f200c637..321040e70 100644
--- a/assets/js/ac75af2e.24e1c6b5.js
+++ b/assets/js/ac75af2e.1880f0c7.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1199],{6455:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>o,contentTitle:()=>d,default:()=>h,frontMatter:()=>i,metadata:()=>l,toc:()=>a});var s=t(5893),r=t(1151);const i={title:"Requirements"},d=void 0,l={id:"installation/requirements",title:"Requirements",description:"K3s is very lightweight, but has some minimum requirements as outlined below.",source:"@site/docs/installation/requirements.md",sourceDirName:"installation",slug:"/installation/requirements",permalink:"/installation/requirements",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/requirements.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"Requirements"},sidebar:"mySidebar",previous:{title:"Installation",permalink:"/installation/"},next:{title:"Configuration Options",permalink:"/installation/configuration"}},o={},a=[{value:"Prerequisites",id:"prerequisites",level:2},{value:"Architecture",id:"architecture",level:2},{value:"Operating Systems",id:"operating-systems",level:2},{value:"Hardware",id:"hardware",level:2},{value:"Disks",id:"disks",level:4},{value:"Networking",id:"networking",level:2},{value:"Inbound Rules for K3s Nodes",id:"inbound-rules-for-k3s-nodes",level:3},{value:"Large Clusters",id:"large-clusters",level:2},{value:"CPU and Memory",id:"cpu-and-memory",level:3},{value:"Disks",id:"disks-1",level:3},{value:"Network",id:"network",level:3},{value:"Database",id:"database",level:3}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components},{TabItem:t,Tabs:i}=n;return t||u("TabItem",!0),i||u("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"K3s is very lightweight, but has some minimum requirements as outlined below."}),"\n",(0,s.jsx)(n.p,{children:"Whether you're configuring K3s to run in a container or as a native Linux service, each node running K3s should meet the following minimum requirements. These requirements are baseline for K3s and its packaged components, and do not include resources consumed by the workload itself."}),"\n",(0,s.jsx)(n.h2,{id:"prerequisites",children:"Prerequisites"}),"\n",(0,s.jsx)(n.p,{children:"Two nodes cannot have the same hostname."}),"\n",(0,s.jsxs)(n.p,{children:["If multiple nodes will have the same hostname, or if hostnames may be reused by an automated provisioning system, use the ",(0,s.jsx)(n.code,{children:"--with-node-id"})," option to append a random suffix for each node, or devise a unique name to pass with ",(0,s.jsx)(n.code,{children:"--node-name"})," or ",(0,s.jsx)(n.code,{children:"$K3S_NODE_NAME"})," for each node you add to the cluster."]}),"\n",(0,s.jsx)(n.h2,{id:"architecture",children:"Architecture"}),"\n",(0,s.jsx)(n.p,{children:"K3s is available for the following architectures:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"x86_64"}),"\n",(0,s.jsx)(n.li,{children:"armhf"}),"\n",(0,s.jsx)(n.li,{children:"arm64/aarch64"}),"\n",(0,s.jsx)(n.li,{children:"s390x"}),"\n"]}),"\n",(0,s.jsx)(n.admonition,{title:"ARM64 Page Size",type:"warning",children:(0,s.jsxs)(n.p,{children:["Prior to May 2023 releases (v1.24.14+k3s1, v1.25.10+k3s1, v1.26.5+k3s1, v1.27.2+k3s1), on ",(0,s.jsx)(n.code,{children:"aarch64/arm64"})," systems, the kernel must use 4k pages. ",(0,s.jsx)(n.strong,{children:"RHEL9"}),", ",(0,s.jsx)(n.strong,{children:"Ubuntu"}),", ",(0,s.jsx)(n.strong,{children:"Raspberry PI OS"}),", and ",(0,s.jsx)(n.strong,{children:"SLES"})," all meet this requirement."]})}),"\n",(0,s.jsx)(n.h2,{id:"operating-systems",children:"Operating Systems"}),"\n",(0,s.jsx)(n.p,{children:"K3s is expected to work on most modern Linux systems."}),"\n",(0,s.jsx)(n.p,{children:"Some OSs have additional setup requirements:"}),"\n",(0,s.jsxs)(i,{queryString:"os",children:[(0,s.jsxs)(t,{value:"suse",label:"SUSE Linux Enterprise / openSUSE",children:[(0,s.jsx)(n.p,{children:"It is recommended to turn off firewalld:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"systemctl disable firewalld --now\n"})}),(0,s.jsx)(n.p,{children:"If you wish to keep firewalld enabled, by default, the following rules are required:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"firewall-cmd --permanent --add-port=6443/tcp #apiserver\nfirewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 #pods\nfirewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 #services\nfirewall-cmd --reload\n"})}),(0,s.jsxs)(n.p,{children:["Additional ports may need to be opened depending on your setup. See ",(0,s.jsx)(n.a,{href:"#inbound-rules-for-k3s-nodes",children:"Inbound Rules"})," for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly."]})]}),(0,s.jsxs)(t,{value:"rhel",label:"Red Hat Enterprise Linux / CentOS / Fedora",children:[(0,s.jsx)(n.p,{children:"It is recommended to turn off firewalld:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"systemctl disable firewalld --now\n"})}),(0,s.jsx)(n.p,{children:"If you wish to keep firewalld enabled, by default, the following rules are required:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"firewall-cmd --permanent --add-port=6443/tcp #apiserver\nfirewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 #pods\nfirewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 #services\nfirewall-cmd --reload\n"})}),(0,s.jsxs)(n.p,{children:["Additional ports may need to be opened depending on your setup. See ",(0,s.jsx)(n.a,{href:"#inbound-rules-for-k3s-nodes",children:"Inbound Rules"})," for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly."]}),(0,s.jsx)(n.p,{children:"If enabled, it is required to disable nm-cloud-setup and reboot the node:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"systemctl disable nm-cloud-setup.service nm-cloud-setup.timer\nreboot\n"})})]}),(0,s.jsxs)(t,{value:"debian",label:"Ubuntu / Debian",children:[(0,s.jsxs)(n.p,{children:["Older Debian release may suffer from a known iptables bug. See ",(0,s.jsx)(n.a,{href:"/known-issues#iptables",children:"Known Issues"}),"."]}),(0,s.jsx)(n.p,{children:"It is recommended to turn off ufw (uncomplicated firewall):"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"ufw disable\n"})}),(0,s.jsx)(n.p,{children:"If you wish to keep ufw enabled, by default, the following rules are required:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"ufw allow 6443/tcp #apiserver\nufw allow from 10.42.0.0/16 to any #pods\nufw allow from 10.43.0.0/16 to any #services\n"})}),(0,s.jsxs)(n.p,{children:["Additional ports may need to be opened depending on your setup. See ",(0,s.jsx)(n.a,{href:"#inbound-rules-for-k3s-nodes",children:"Inbound Rules"})," for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly."]})]}),(0,s.jsxs)(t,{value:"pi",label:"Raspberry Pi",children:[(0,s.jsxs)(n.p,{children:["Raspberry Pi OS is Debian based, and may suffer from a known iptables bug. See ",(0,s.jsx)(n.a,{href:"/known-issues#iptables",children:"Known Issues"}),"."]}),(0,s.jsxs)(n.p,{children:["Standard Raspberry Pi OS installations do not start with ",(0,s.jsx)(n.code,{children:"cgroups"})," enabled. ",(0,s.jsx)(n.strong,{children:"K3S"})," needs ",(0,s.jsx)(n.code,{children:"cgroups"})," to start the systemd service. ",(0,s.jsx)(n.code,{children:"cgroups"}),"can be enabled by appending ",(0,s.jsx)(n.code,{children:"cgroup_memory=1 cgroup_enable=memory"})," to ",(0,s.jsx)(n.code,{children:"/boot/cmdline.txt"}),"."]}),(0,s.jsx)(n.p,{children:"Example cmdline.txt:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"console=serial0,115200 console=tty1 root=PARTUUID=58b06195-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait cgroup_memory=1 cgroup_enable=memory\n"})}),(0,s.jsx)(n.p,{children:"With Ubuntu 21.10 to Ubuntu 23.10, vxlan support on Raspberry Pi was moved into a separate kernel module. This step in not required for Ubuntu 24.04 and later."}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"sudo apt install linux-modules-extra-raspi\n"})})]})]}),"\n",(0,s.jsxs)(n.p,{children:["For more information on which OSs were tested with Rancher managed K3s clusters, refer to the ",(0,s.jsx)(n.a,{href:"https://rancher.com/support-maintenance-terms/",children:"Rancher support and maintenance terms."})]}),"\n",(0,s.jsx)(n.h2,{id:"hardware",children:"Hardware"}),"\n",(0,s.jsx)(n.p,{children:"Hardware requirements scale based on the size of your deployments. Minimum recommendations are outlined here."}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"Spec"}),(0,s.jsx)(n.th,{children:"Minimum"}),(0,s.jsx)(n.th,{children:"Recommended"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"CPU"}),(0,s.jsx)(n.td,{children:"1 core"}),(0,s.jsx)(n.td,{children:"2 cores"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"RAM"}),(0,s.jsx)(n.td,{children:"512 MB"}),(0,s.jsx)(n.td,{children:"1 GB"})]})]})]}),"\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"/reference/resource-profiling",children:"Resource Profiling"})," captures the results of tests to determine minimum resource requirements for the K3s agent, the K3s server with a workload, and the K3s server with one agent. It also contains analysis about what has the biggest impact on K3s server and agent utilization, and how the cluster datastore can be protected from interference from agents and workloads."]}),"\n",(0,s.jsx)(n.admonition,{title:"Raspberry Pi and embedded etcd",type:"info",children:(0,s.jsx)(n.p,{children:"If deploying K3s with embedded etcd on a Raspberry Pi, it is recommended that you use an external SSD. etcd is write intensive, and SD cards cannot handle the IO load."})}),"\n",(0,s.jsx)(n.h4,{id:"disks",children:"Disks"}),"\n",(0,s.jsx)(n.p,{children:"K3s performance depends on the performance of the database. To ensure optimal speed, we recommend using an SSD when possible. Disk performance will vary on ARM devices utilizing an SD card or eMMC."}),"\n",(0,s.jsx)(n.h2,{id:"networking",children:"Networking"}),"\n",(0,s.jsx)(n.p,{children:"The K3s server needs port 6443 to be accessible by all nodes."}),"\n",(0,s.jsx)(n.p,{children:"The nodes need to be able to reach other nodes over UDP port 8472 when using the Flannel VXLAN backend, or over UDP port 51820 (and 51821 if IPv6 is used) when using the Flannel WireGuard backend. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. However, if you do not use Flannel and provide your own custom CNI, then the ports needed by Flannel are not needed by K3s."}),"\n",(0,s.jsx)(n.p,{children:"If you wish to utilize the metrics server, all nodes must be accessible to each other on port 10250."}),"\n",(0,s.jsx)(n.p,{children:"If you plan on achieving high availability with embedded etcd, server nodes must be accessible to each other on ports 2379 and 2380."}),"\n",(0,s.jsx)(n.admonition,{title:"Important",type:"tip",children:(0,s.jsx)(n.p,{children:"The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472."})}),"\n",(0,s.jsx)(n.admonition,{type:"danger",children:(0,s.jsxs)(n.p,{children:["Flannel relies on the ",(0,s.jsx)(n.a,{href:"https://www.cni.dev/plugins/current/main/bridge/",children:"Bridge CNI plugin"})," to create a L2 network that switches traffic. Rogue pods with ",(0,s.jsx)(n.code,{children:"NET_RAW"})," capabilities can abuse that L2 network to launch attacks such as ",(0,s.jsx)(n.a,{href:"https://static.sched.com/hosted_files/kccncna19/72/ARP%20DNS%20spoof.pdf",children:"ARP spoofing"}),". Therefore, as documented in the ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/security/pod-security-standards/",children:"Kubernetes docs"}),", please set a restricted profile that disables ",(0,s.jsx)(n.code,{children:"NET_RAW"})," on non-trustable pods."]})}),"\n",(0,s.jsx)(n.h3,{id:"inbound-rules-for-k3s-nodes",children:"Inbound Rules for K3s Nodes"}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"Protocol"}),(0,s.jsx)(n.th,{children:"Port"}),(0,s.jsx)(n.th,{children:"Source"}),(0,s.jsx)(n.th,{children:"Destination"}),(0,s.jsx)(n.th,{children:"Description"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"2379-2380"}),(0,s.jsx)(n.td,{children:"Servers"}),(0,s.jsx)(n.td,{children:"Servers"}),(0,s.jsx)(n.td,{children:"Required only for HA with embedded etcd"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"6443"}),(0,s.jsx)(n.td,{children:"Agents"}),(0,s.jsx)(n.td,{children:"Servers"}),(0,s.jsx)(n.td,{children:"K3s supervisor and Kubernetes API Server"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"UDP"}),(0,s.jsx)(n.td,{children:"8472"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for Flannel VXLAN"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"10250"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Kubelet metrics"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"UDP"}),(0,s.jsx)(n.td,{children:"51820"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for Flannel Wireguard with IPv4"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"UDP"}),(0,s.jsx)(n.td,{children:"51821"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for Flannel Wireguard with IPv6"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"5001"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for embedded distributed registry (Spegel)"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"6443"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for embedded distributed registry (Spegel)"})]})]})]}),"\n",(0,s.jsx)(n.p,{children:"Typically, all outbound traffic is allowed."}),"\n",(0,s.jsx)(n.p,{children:"Additional changes to the firewall may be required depending on the OS used."}),"\n",(0,s.jsx)(n.h2,{id:"large-clusters",children:"Large Clusters"}),"\n",(0,s.jsx)(n.p,{children:"Hardware requirements are based on the size of your K3s cluster. For production and large clusters, we recommend using a high-availability setup with an external database. The following options are recommended for the external database in production:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"MySQL"}),"\n",(0,s.jsx)(n.li,{children:"PostgreSQL"}),"\n",(0,s.jsx)(n.li,{children:"etcd"}),"\n"]}),"\n",(0,s.jsx)(n.h3,{id:"cpu-and-memory",children:"CPU and Memory"}),"\n",(0,s.jsx)(n.p,{children:"The following are the minimum CPU and memory requirements for nodes in a high-availability K3s server:"}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Deployment Size"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Nodes"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"VCPUS"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"RAM"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Small"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 10"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"2"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"4 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Medium"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 100"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"4"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 250"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"X-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 500"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"32 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"XX-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"500+"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"32"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"64 GB"})]})]})]}),"\n",(0,s.jsx)(n.h3,{id:"disks-1",children:"Disks"}),"\n",(0,s.jsx)(n.p,{children:"The cluster performance depends on database performance. To ensure optimal speed, we recommend always using SSD disks to back your K3s cluster. On cloud providers, you will also want to use the minimum size that allows the maximum IOPS."}),"\n",(0,s.jsx)(n.h3,{id:"network",children:"Network"}),"\n",(0,s.jsxs)(n.p,{children:["You should consider increasing the subnet size for the cluster CIDR so that you don't run out of IPs for the pods. You can do that by passing the ",(0,s.jsx)(n.code,{children:"--cluster-cidr"})," option to K3s server upon starting."]}),"\n",(0,s.jsx)(n.h3,{id:"database",children:"Database"}),"\n",(0,s.jsxs)(n.p,{children:["K3s supports different databases including MySQL, PostgreSQL, MariaDB, and etcd. See ",(0,s.jsx)(n.a,{href:"/datastore/",children:"Cluster Datastore"})," for more info."]}),"\n",(0,s.jsx)(n.p,{children:"The following is a sizing guide for the database resources you need to run large clusters:"}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Deployment Size"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Nodes"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"VCPUS"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"RAM"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Small"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 10"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"1"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"2 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Medium"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 100"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"2"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 250"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"4"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"X-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 500"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"32 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"XX-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"500+"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"64 GB"})]})]})]})]})}function h(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}function u(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,t)=>{t.d(n,{Z:()=>l,a:()=>d});var s=t(7294);const r={},i=s.createContext(r);function d(e){const n=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:d(e.components),s.createElement(i.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[1199],{6455:(e,n,t)=>{t.r(n),t.d(n,{assets:()=>o,contentTitle:()=>d,default:()=>h,frontMatter:()=>i,metadata:()=>l,toc:()=>a});var s=t(5893),r=t(1151);const i={title:"Requirements"},d=void 0,l={id:"installation/requirements",title:"Requirements",description:"K3s is very lightweight, but has some minimum requirements as outlined below.",source:"@site/docs/installation/requirements.md",sourceDirName:"installation",slug:"/installation/requirements",permalink:"/installation/requirements",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/installation/requirements.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"Requirements"},sidebar:"mySidebar",previous:{title:"Installation",permalink:"/installation/"},next:{title:"Configuration Options",permalink:"/installation/configuration"}},o={},a=[{value:"Prerequisites",id:"prerequisites",level:2},{value:"Architecture",id:"architecture",level:2},{value:"Operating Systems",id:"operating-systems",level:2},{value:"Hardware",id:"hardware",level:2},{value:"Disks",id:"disks",level:4},{value:"Networking",id:"networking",level:2},{value:"Inbound Rules for K3s Nodes",id:"inbound-rules-for-k3s-nodes",level:3},{value:"Large Clusters",id:"large-clusters",level:2},{value:"CPU and Memory",id:"cpu-and-memory",level:3},{value:"Disks",id:"disks-1",level:3},{value:"Network",id:"network",level:3},{value:"Database",id:"database",level:3}];function c(e){const n={a:"a",admonition:"admonition",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",p:"p",pre:"pre",strong:"strong",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,r.a)(),...e.components},{TabItem:t,Tabs:i}=n;return t||u("TabItem",!0),i||u("Tabs",!0),(0,s.jsxs)(s.Fragment,{children:[(0,s.jsx)(n.p,{children:"K3s is very lightweight, but has some minimum requirements as outlined below."}),"\n",(0,s.jsx)(n.p,{children:"Whether you're configuring K3s to run in a container or as a native Linux service, each node running K3s should meet the following minimum requirements. These requirements are baseline for K3s and its packaged components, and do not include resources consumed by the workload itself."}),"\n",(0,s.jsx)(n.h2,{id:"prerequisites",children:"Prerequisites"}),"\n",(0,s.jsx)(n.p,{children:"Two nodes cannot have the same hostname."}),"\n",(0,s.jsxs)(n.p,{children:["If multiple nodes will have the same hostname, or if hostnames may be reused by an automated provisioning system, use the ",(0,s.jsx)(n.code,{children:"--with-node-id"})," option to append a random suffix for each node, or devise a unique name to pass with ",(0,s.jsx)(n.code,{children:"--node-name"})," or ",(0,s.jsx)(n.code,{children:"$K3S_NODE_NAME"})," for each node you add to the cluster."]}),"\n",(0,s.jsx)(n.h2,{id:"architecture",children:"Architecture"}),"\n",(0,s.jsx)(n.p,{children:"K3s is available for the following architectures:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"x86_64"}),"\n",(0,s.jsx)(n.li,{children:"armhf"}),"\n",(0,s.jsx)(n.li,{children:"arm64/aarch64"}),"\n",(0,s.jsx)(n.li,{children:"s390x"}),"\n"]}),"\n",(0,s.jsx)(n.admonition,{title:"ARM64 Page Size",type:"warning",children:(0,s.jsxs)(n.p,{children:["Prior to May 2023 releases (v1.24.14+k3s1, v1.25.10+k3s1, v1.26.5+k3s1, v1.27.2+k3s1), on ",(0,s.jsx)(n.code,{children:"aarch64/arm64"})," systems, the kernel must use 4k pages. ",(0,s.jsx)(n.strong,{children:"RHEL9"}),", ",(0,s.jsx)(n.strong,{children:"Ubuntu"}),", ",(0,s.jsx)(n.strong,{children:"Raspberry PI OS"}),", and ",(0,s.jsx)(n.strong,{children:"SLES"})," all meet this requirement."]})}),"\n",(0,s.jsx)(n.h2,{id:"operating-systems",children:"Operating Systems"}),"\n",(0,s.jsx)(n.p,{children:"K3s is expected to work on most modern Linux systems."}),"\n",(0,s.jsx)(n.p,{children:"Some OSs have additional setup requirements:"}),"\n",(0,s.jsxs)(i,{queryString:"os",children:[(0,s.jsxs)(t,{value:"suse",label:"SUSE Linux Enterprise / openSUSE",children:[(0,s.jsx)(n.p,{children:"It is recommended to turn off firewalld:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"systemctl disable firewalld --now\n"})}),(0,s.jsx)(n.p,{children:"If you wish to keep firewalld enabled, by default, the following rules are required:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"firewall-cmd --permanent --add-port=6443/tcp #apiserver\nfirewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 #pods\nfirewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 #services\nfirewall-cmd --reload\n"})}),(0,s.jsxs)(n.p,{children:["Additional ports may need to be opened depending on your setup. See ",(0,s.jsx)(n.a,{href:"#inbound-rules-for-k3s-nodes",children:"Inbound Rules"})," for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly."]})]}),(0,s.jsxs)(t,{value:"rhel",label:"Red Hat Enterprise Linux / CentOS / Fedora",children:[(0,s.jsx)(n.p,{children:"It is recommended to turn off firewalld:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"systemctl disable firewalld --now\n"})}),(0,s.jsx)(n.p,{children:"If you wish to keep firewalld enabled, by default, the following rules are required:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"firewall-cmd --permanent --add-port=6443/tcp #apiserver\nfirewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 #pods\nfirewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 #services\nfirewall-cmd --reload\n"})}),(0,s.jsxs)(n.p,{children:["Additional ports may need to be opened depending on your setup. See ",(0,s.jsx)(n.a,{href:"#inbound-rules-for-k3s-nodes",children:"Inbound Rules"})," for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly."]}),(0,s.jsx)(n.p,{children:"If enabled, it is required to disable nm-cloud-setup and reboot the node:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"systemctl disable nm-cloud-setup.service nm-cloud-setup.timer\nreboot\n"})})]}),(0,s.jsxs)(t,{value:"debian",label:"Ubuntu / Debian",children:[(0,s.jsxs)(n.p,{children:["Older Debian release may suffer from a known iptables bug. See ",(0,s.jsx)(n.a,{href:"/known-issues#iptables",children:"Known Issues"}),"."]}),(0,s.jsx)(n.p,{children:"It is recommended to turn off ufw (uncomplicated firewall):"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"ufw disable\n"})}),(0,s.jsx)(n.p,{children:"If you wish to keep ufw enabled, by default, the following rules are required:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"ufw allow 6443/tcp #apiserver\nufw allow from 10.42.0.0/16 to any #pods\nufw allow from 10.43.0.0/16 to any #services\n"})}),(0,s.jsxs)(n.p,{children:["Additional ports may need to be opened depending on your setup. See ",(0,s.jsx)(n.a,{href:"#inbound-rules-for-k3s-nodes",children:"Inbound Rules"})," for more information. If you change the default CIDR for pods or services, you will need to update the firewall rules accordingly."]})]}),(0,s.jsxs)(t,{value:"pi",label:"Raspberry Pi",children:[(0,s.jsxs)(n.p,{children:["Raspberry Pi OS is Debian based, and may suffer from a known iptables bug. See ",(0,s.jsx)(n.a,{href:"/known-issues#iptables",children:"Known Issues"}),"."]}),(0,s.jsxs)(n.p,{children:["Standard Raspberry Pi OS installations do not start with ",(0,s.jsx)(n.code,{children:"cgroups"})," enabled. ",(0,s.jsx)(n.strong,{children:"K3S"})," needs ",(0,s.jsx)(n.code,{children:"cgroups"})," to start the systemd service. ",(0,s.jsx)(n.code,{children:"cgroups"}),"can be enabled by appending ",(0,s.jsx)(n.code,{children:"cgroup_memory=1 cgroup_enable=memory"})," to ",(0,s.jsx)(n.code,{children:"/boot/cmdline.txt"}),"."]}),(0,s.jsx)(n.p,{children:"Example cmdline.txt:"}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{children:"console=serial0,115200 console=tty1 root=PARTUUID=58b06195-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait cgroup_memory=1 cgroup_enable=memory\n"})}),(0,s.jsx)(n.p,{children:"With Ubuntu 21.10 to Ubuntu 23.10, vxlan support on Raspberry Pi was moved into a separate kernel module. This step in not required for Ubuntu 24.04 and later."}),(0,s.jsx)(n.pre,{children:(0,s.jsx)(n.code,{className:"language-bash",children:"sudo apt install linux-modules-extra-raspi\n"})})]})]}),"\n",(0,s.jsxs)(n.p,{children:["For more information on which OSs were tested with Rancher managed K3s clusters, refer to the ",(0,s.jsx)(n.a,{href:"https://rancher.com/support-maintenance-terms/",children:"Rancher support and maintenance terms."})]}),"\n",(0,s.jsx)(n.h2,{id:"hardware",children:"Hardware"}),"\n",(0,s.jsx)(n.p,{children:"Hardware requirements scale based on the size of your deployments. Minimum recommendations are outlined here."}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"Spec"}),(0,s.jsx)(n.th,{children:"Minimum"}),(0,s.jsx)(n.th,{children:"Recommended"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"CPU"}),(0,s.jsx)(n.td,{children:"1 core"}),(0,s.jsx)(n.td,{children:"2 cores"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"RAM"}),(0,s.jsx)(n.td,{children:"512 MB"}),(0,s.jsx)(n.td,{children:"1 GB"})]})]})]}),"\n",(0,s.jsxs)(n.p,{children:[(0,s.jsx)(n.a,{href:"/reference/resource-profiling",children:"Resource Profiling"})," captures the results of tests to determine minimum resource requirements for the K3s agent, the K3s server with a workload, and the K3s server with one agent. It also contains analysis about what has the biggest impact on K3s server and agent utilization, and how the cluster datastore can be protected from interference from agents and workloads."]}),"\n",(0,s.jsx)(n.admonition,{title:"Raspberry Pi and embedded etcd",type:"info",children:(0,s.jsx)(n.p,{children:"If deploying K3s with embedded etcd on a Raspberry Pi, it is recommended that you use an external SSD. etcd is write intensive, and SD cards cannot handle the IO load."})}),"\n",(0,s.jsx)(n.h4,{id:"disks",children:"Disks"}),"\n",(0,s.jsx)(n.p,{children:"K3s performance depends on the performance of the database. To ensure optimal speed, we recommend using an SSD when possible. Disk performance will vary on ARM devices utilizing an SD card or eMMC."}),"\n",(0,s.jsx)(n.h2,{id:"networking",children:"Networking"}),"\n",(0,s.jsx)(n.p,{children:"The K3s server needs port 6443 to be accessible by all nodes."}),"\n",(0,s.jsx)(n.p,{children:"The nodes need to be able to reach other nodes over UDP port 8472 when using the Flannel VXLAN backend, or over UDP port 51820 (and 51821 if IPv6 is used) when using the Flannel WireGuard backend. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. However, if you do not use Flannel and provide your own custom CNI, then the ports needed by Flannel are not needed by K3s."}),"\n",(0,s.jsx)(n.p,{children:"If you wish to utilize the metrics server, all nodes must be accessible to each other on port 10250."}),"\n",(0,s.jsx)(n.p,{children:"If you plan on achieving high availability with embedded etcd, server nodes must be accessible to each other on ports 2379 and 2380."}),"\n",(0,s.jsx)(n.admonition,{title:"Important",type:"tip",children:(0,s.jsx)(n.p,{children:"The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472."})}),"\n",(0,s.jsx)(n.admonition,{type:"danger",children:(0,s.jsxs)(n.p,{children:["Flannel relies on the ",(0,s.jsx)(n.a,{href:"https://www.cni.dev/plugins/current/main/bridge/",children:"Bridge CNI plugin"})," to create a L2 network that switches traffic. Rogue pods with ",(0,s.jsx)(n.code,{children:"NET_RAW"})," capabilities can abuse that L2 network to launch attacks such as ",(0,s.jsx)(n.a,{href:"https://static.sched.com/hosted_files/kccncna19/72/ARP%20DNS%20spoof.pdf",children:"ARP spoofing"}),". Therefore, as documented in the ",(0,s.jsx)(n.a,{href:"https://kubernetes.io/docs/concepts/security/pod-security-standards/",children:"Kubernetes docs"}),", please set a restricted profile that disables ",(0,s.jsx)(n.code,{children:"NET_RAW"})," on non-trustable pods."]})}),"\n",(0,s.jsx)(n.h3,{id:"inbound-rules-for-k3s-nodes",children:"Inbound Rules for K3s Nodes"}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{children:"Protocol"}),(0,s.jsx)(n.th,{children:"Port"}),(0,s.jsx)(n.th,{children:"Source"}),(0,s.jsx)(n.th,{children:"Destination"}),(0,s.jsx)(n.th,{children:"Description"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"2379-2380"}),(0,s.jsx)(n.td,{children:"Servers"}),(0,s.jsx)(n.td,{children:"Servers"}),(0,s.jsx)(n.td,{children:"Required only for HA with embedded etcd"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"6443"}),(0,s.jsx)(n.td,{children:"Agents"}),(0,s.jsx)(n.td,{children:"Servers"}),(0,s.jsx)(n.td,{children:"K3s supervisor and Kubernetes API Server"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"UDP"}),(0,s.jsx)(n.td,{children:"8472"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for Flannel VXLAN"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"10250"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Kubelet metrics"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"UDP"}),(0,s.jsx)(n.td,{children:"51820"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for Flannel Wireguard with IPv4"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"UDP"}),(0,s.jsx)(n.td,{children:"51821"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for Flannel Wireguard with IPv6"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"5001"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for embedded distributed registry (Spegel)"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{children:"TCP"}),(0,s.jsx)(n.td,{children:"6443"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"All nodes"}),(0,s.jsx)(n.td,{children:"Required only for embedded distributed registry (Spegel)"})]})]})]}),"\n",(0,s.jsx)(n.p,{children:"Typically, all outbound traffic is allowed."}),"\n",(0,s.jsx)(n.p,{children:"Additional changes to the firewall may be required depending on the OS used."}),"\n",(0,s.jsx)(n.h2,{id:"large-clusters",children:"Large Clusters"}),"\n",(0,s.jsx)(n.p,{children:"Hardware requirements are based on the size of your K3s cluster. For production and large clusters, we recommend using a high-availability setup with an external database. The following options are recommended for the external database in production:"}),"\n",(0,s.jsxs)(n.ul,{children:["\n",(0,s.jsx)(n.li,{children:"MySQL"}),"\n",(0,s.jsx)(n.li,{children:"PostgreSQL"}),"\n",(0,s.jsx)(n.li,{children:"etcd"}),"\n"]}),"\n",(0,s.jsx)(n.h3,{id:"cpu-and-memory",children:"CPU and Memory"}),"\n",(0,s.jsx)(n.p,{children:"The following are the minimum CPU and memory requirements for nodes in a high-availability K3s server:"}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Deployment Size"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Nodes"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"VCPUS"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"RAM"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Small"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 10"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"2"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"4 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Medium"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 100"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"4"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 250"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"X-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 500"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"32 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"XX-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"500+"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"32"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"64 GB"})]})]})]}),"\n",(0,s.jsx)(n.h3,{id:"disks-1",children:"Disks"}),"\n",(0,s.jsx)(n.p,{children:"The cluster performance depends on database performance. To ensure optimal speed, we recommend always using SSD disks to back your K3s cluster. On cloud providers, you will also want to use the minimum size that allows the maximum IOPS."}),"\n",(0,s.jsx)(n.h3,{id:"network",children:"Network"}),"\n",(0,s.jsxs)(n.p,{children:["You should consider increasing the subnet size for the cluster CIDR so that you don't run out of IPs for the pods. You can do that by passing the ",(0,s.jsx)(n.code,{children:"--cluster-cidr"})," option to K3s server upon starting."]}),"\n",(0,s.jsx)(n.h3,{id:"database",children:"Database"}),"\n",(0,s.jsxs)(n.p,{children:["K3s supports different databases including MySQL, PostgreSQL, MariaDB, and etcd. See ",(0,s.jsx)(n.a,{href:"/datastore/",children:"Cluster Datastore"})," for more info."]}),"\n",(0,s.jsx)(n.p,{children:"The following is a sizing guide for the database resources you need to run large clusters:"}),"\n",(0,s.jsxs)(n.table,{children:[(0,s.jsx)(n.thead,{children:(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Deployment Size"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"Nodes"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"VCPUS"}),(0,s.jsx)(n.th,{style:{textAlign:"center"},children:"RAM"})]})}),(0,s.jsxs)(n.tbody,{children:[(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Small"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 10"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"1"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"2 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Medium"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 100"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"2"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 250"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"4"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"X-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"Up to 500"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"8"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"32 GB"})]}),(0,s.jsxs)(n.tr,{children:[(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"XX-Large"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"500+"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"16"}),(0,s.jsx)(n.td,{style:{textAlign:"center"},children:"64 GB"})]})]})]})]})}function h(e={}){const{wrapper:n}={...(0,r.a)(),...e.components};return n?(0,s.jsx)(n,{...e,children:(0,s.jsx)(c,{...e})}):c(e)}function u(e,n){throw new Error("Expected "+(n?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}},1151:(e,n,t)=>{t.d(n,{Z:()=>l,a:()=>d});var s=t(7294);const r={},i=s.createContext(r);function d(e){const n=s.useContext(i);return s.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function l(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:d(e.components),s.createElement(i.Provider,{value:n},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/b36bdd38.80268a8f.js b/assets/js/b36bdd38.c1d4835e.js
similarity index 98%
rename from assets/js/b36bdd38.80268a8f.js
rename to assets/js/b36bdd38.c1d4835e.js
index 5e5de40f0..d46b31dd2 100644
--- a/assets/js/b36bdd38.80268a8f.js
+++ b/assets/js/b36bdd38.c1d4835e.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6895],{5020:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>o,contentTitle:()=>i,default:()=>h,frontMatter:()=>d,metadata:()=>a,toc:()=>l});var n=t(5893),r=t(1151);const d={title:"High Availability Embedded etcd"},i=void 0,a={id:"datastore/ha-embedded",title:"High Availability Embedded etcd",description:"Embedded etcd (HA) may have performance issues on slower disks such as Raspberry Pis running with SD cards.",source:"@site/docs/datastore/ha-embedded.md",sourceDirName:"datastore",slug:"/datastore/ha-embedded",permalink:"/datastore/ha-embedded",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/ha-embedded.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"High Availability Embedded etcd"},sidebar:"mySidebar",previous:{title:"Backup and Restore",permalink:"/datastore/backup-restore"},next:{title:"High Availability External DB",permalink:"/datastore/ha"}},o={},l=[{value:"Existing single-node clusters",id:"existing-single-node-clusters",level:2}];function c(e){const s={a:"a",admonition:"admonition",code:"code",h2:"h2",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,r.a)(),...e.components},{Details:t}=s;return t||function(e,s){throw new Error("Expected "+(s?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}("Details",!0),(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(s.admonition,{type:"warning",children:(0,n.jsx)(s.p,{children:"Embedded etcd (HA) may have performance issues on slower disks such as Raspberry Pis running with SD cards."})}),"\n",(0,n.jsxs)(t,{children:[(0,n.jsx)("summary",{children:"Why An Odd Number Of Server Nodes?"}),(0,n.jsx)(s.p,{children:"HA embedded etcd cluster must be comprised of an odd number of server nodes for etcd to maintain quorum. For a cluster with n servers, quorum is (n/2)+1. For any odd-sized cluster, adding one node will always increase the number of nodes necessary for quorum. Although adding a node to an odd-sized cluster appears better since there are more machines, the fault tolerance is worse since exactly the same number of nodes may fail without losing quorum but there are more nodes that can fail."})]}),"\n",(0,n.jsx)(s.p,{children:"An HA K3s cluster with embedded etcd is composed of:"}),"\n",(0,n.jsxs)(s.ul,{children:["\n",(0,n.jsxs)(s.li,{children:["Three or more ",(0,n.jsx)(s.strong,{children:"server nodes"})," that will serve the Kubernetes API and run other control plane services, as well as host the embedded etcd datastore."]}),"\n",(0,n.jsxs)(s.li,{children:["Optional: Zero or more ",(0,n.jsx)(s.strong,{children:"agent nodes"})," that are designated to run your apps and services"]}),"\n",(0,n.jsxs)(s.li,{children:["Optional: A ",(0,n.jsx)(s.strong,{children:"fixed registration address"})," for agent nodes to register with the cluster"]}),"\n"]}),"\n",(0,n.jsx)(s.admonition,{type:"note",children:(0,n.jsxs)(s.p,{children:["To rapidly deploy large HA clusters, see ",(0,n.jsx)(s.a,{href:"/related-projects",children:"Related Projects"})]})}),"\n",(0,n.jsxs)(s.p,{children:["To get started, first launch a server node with the ",(0,n.jsx)(s.code,{children:"cluster-init"})," flag to enable clustering and a token that will be used as a shared secret to join additional servers to the cluster."]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=SECRET sh -s - server \\\n --cluster-init \\\n --tls-san= # Optional, needed if using a fixed registration address\n"})}),"\n",(0,n.jsx)(s.p,{children:"After launching the first server, join the second and third servers to the cluster using the shared secret:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=SECRET sh -s - server \\\n --server https://:6443 \\\n --tls-san= # Optional, needed if using a fixed registration address\n"})}),"\n",(0,n.jsx)(s.p,{children:"Check to see that the second and third servers are now part of the cluster:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"$ kubectl get nodes\nNAME STATUS ROLES AGE VERSION\nserver1 Ready control-plane,etcd,master 28m vX.Y.Z\nserver2 Ready control-plane,etcd,master 13m vX.Y.Z\nserver3 Ready control-plane,etcd,master 10m vX.Y.Z\n"})}),"\n",(0,n.jsxs)(s.p,{children:["Now you have a highly available control plane. Any successfully clustered servers can be used in the ",(0,n.jsx)(s.code,{children:"--server"})," argument to join additional server and agent nodes. Joining additional agent nodes to the cluster follows the same procedure as servers:"]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=SECRET sh -s - agent --server https://:6443\n"})}),"\n",(0,n.jsx)(s.p,{children:"There are a few config flags that must be the same in all server nodes:"}),"\n",(0,n.jsxs)(s.ul,{children:["\n",(0,n.jsxs)(s.li,{children:["Network related flags: ",(0,n.jsx)(s.code,{children:"--cluster-dns"}),", ",(0,n.jsx)(s.code,{children:"--cluster-domain"}),", ",(0,n.jsx)(s.code,{children:"--cluster-cidr"}),", ",(0,n.jsx)(s.code,{children:"--service-cidr"})]}),"\n",(0,n.jsxs)(s.li,{children:["Flags controlling the deployment of certain components: ",(0,n.jsx)(s.code,{children:"--disable-helm-controller"}),", ",(0,n.jsx)(s.code,{children:"--disable-kube-proxy"}),", ",(0,n.jsx)(s.code,{children:"--disable-network-policy"})," and any component passed to ",(0,n.jsx)(s.code,{children:"--disable"})]}),"\n",(0,n.jsxs)(s.li,{children:["Feature related flags: ",(0,n.jsx)(s.code,{children:"--secrets-encryption"})]}),"\n"]}),"\n",(0,n.jsx)(s.h2,{id:"existing-single-node-clusters",children:"Existing single-node clusters"}),"\n",(0,n.jsx)(s.admonition,{title:"Version Gate",type:"info",children:(0,n.jsxs)(s.p,{children:["Available as of ",(0,n.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.22.2%2Bk3s1",children:"v1.22.2+k3s1"})]})}),"\n",(0,n.jsxs)(s.p,{children:["If you have an existing cluster using the default embedded SQLite database, you can convert it to etcd by simply restarting your K3s server with the ",(0,n.jsx)(s.code,{children:"--cluster-init"})," flag. Once you've done that, you'll be able to add additional instances as described above."]}),"\n",(0,n.jsxs)(s.p,{children:["If an etcd datastore is found on disk either because that node has either initialized or joined a cluster already, the datastore arguments (",(0,n.jsx)(s.code,{children:"--cluster-init"}),", ",(0,n.jsx)(s.code,{children:"--server"}),", ",(0,n.jsx)(s.code,{children:"--datastore-endpoint"}),", etc) are ignored."]})]})}function h(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,n.jsx)(s,{...e,children:(0,n.jsx)(c,{...e})}):c(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>a,a:()=>i});var n=t(7294);const r={},d=n.createContext(r);function i(e){const s=n.useContext(d);return n.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function a(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:i(e.components),n.createElement(d.Provider,{value:s},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[6895],{5020:(e,s,t)=>{t.r(s),t.d(s,{assets:()=>o,contentTitle:()=>i,default:()=>h,frontMatter:()=>d,metadata:()=>a,toc:()=>l});var n=t(5893),r=t(1151);const d={title:"High Availability Embedded etcd"},i=void 0,a={id:"datastore/ha-embedded",title:"High Availability Embedded etcd",description:"Embedded etcd (HA) may have performance issues on slower disks such as Raspberry Pis running with SD cards.",source:"@site/docs/datastore/ha-embedded.md",sourceDirName:"datastore",slug:"/datastore/ha-embedded",permalink:"/datastore/ha-embedded",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/datastore/ha-embedded.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,frontMatter:{title:"High Availability Embedded etcd"},sidebar:"mySidebar",previous:{title:"Backup and Restore",permalink:"/datastore/backup-restore"},next:{title:"High Availability External DB",permalink:"/datastore/ha"}},o={},l=[{value:"Existing single-node clusters",id:"existing-single-node-clusters",level:2}];function c(e){const s={a:"a",admonition:"admonition",code:"code",h2:"h2",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,r.a)(),...e.components},{Details:t}=s;return t||function(e,s){throw new Error("Expected "+(s?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}("Details",!0),(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(s.admonition,{type:"warning",children:(0,n.jsx)(s.p,{children:"Embedded etcd (HA) may have performance issues on slower disks such as Raspberry Pis running with SD cards."})}),"\n",(0,n.jsxs)(t,{children:[(0,n.jsx)("summary",{children:"Why An Odd Number Of Server Nodes?"}),(0,n.jsx)(s.p,{children:"HA embedded etcd cluster must be comprised of an odd number of server nodes for etcd to maintain quorum. For a cluster with n servers, quorum is (n/2)+1. For any odd-sized cluster, adding one node will always increase the number of nodes necessary for quorum. Although adding a node to an odd-sized cluster appears better since there are more machines, the fault tolerance is worse since exactly the same number of nodes may fail without losing quorum but there are more nodes that can fail."})]}),"\n",(0,n.jsx)(s.p,{children:"An HA K3s cluster with embedded etcd is composed of:"}),"\n",(0,n.jsxs)(s.ul,{children:["\n",(0,n.jsxs)(s.li,{children:["Three or more ",(0,n.jsx)(s.strong,{children:"server nodes"})," that will serve the Kubernetes API and run other control plane services, as well as host the embedded etcd datastore."]}),"\n",(0,n.jsxs)(s.li,{children:["Optional: Zero or more ",(0,n.jsx)(s.strong,{children:"agent nodes"})," that are designated to run your apps and services"]}),"\n",(0,n.jsxs)(s.li,{children:["Optional: A ",(0,n.jsx)(s.strong,{children:"fixed registration address"})," for agent nodes to register with the cluster"]}),"\n"]}),"\n",(0,n.jsx)(s.admonition,{type:"note",children:(0,n.jsxs)(s.p,{children:["To rapidly deploy large HA clusters, see ",(0,n.jsx)(s.a,{href:"/related-projects",children:"Related Projects"})]})}),"\n",(0,n.jsxs)(s.p,{children:["To get started, first launch a server node with the ",(0,n.jsx)(s.code,{children:"cluster-init"})," flag to enable clustering and a token that will be used as a shared secret to join additional servers to the cluster."]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=SECRET sh -s - server \\\n --cluster-init \\\n --tls-san= # Optional, needed if using a fixed registration address\n"})}),"\n",(0,n.jsx)(s.p,{children:"After launching the first server, join the second and third servers to the cluster using the shared secret:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=SECRET sh -s - server \\\n --server https://:6443 \\\n --tls-san= # Optional, needed if using a fixed registration address\n"})}),"\n",(0,n.jsx)(s.p,{children:"Check to see that the second and third servers are now part of the cluster:"}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"$ kubectl get nodes\nNAME STATUS ROLES AGE VERSION\nserver1 Ready control-plane,etcd,master 28m vX.Y.Z\nserver2 Ready control-plane,etcd,master 13m vX.Y.Z\nserver3 Ready control-plane,etcd,master 10m vX.Y.Z\n"})}),"\n",(0,n.jsxs)(s.p,{children:["Now you have a highly available control plane. Any successfully clustered servers can be used in the ",(0,n.jsx)(s.code,{children:"--server"})," argument to join additional server and agent nodes. Joining additional agent nodes to the cluster follows the same procedure as servers:"]}),"\n",(0,n.jsx)(s.pre,{children:(0,n.jsx)(s.code,{className:"language-bash",children:"curl -sfL https://get.k3s.io | K3S_TOKEN=SECRET sh -s - agent --server https://:6443\n"})}),"\n",(0,n.jsx)(s.p,{children:"There are a few config flags that must be the same in all server nodes:"}),"\n",(0,n.jsxs)(s.ul,{children:["\n",(0,n.jsxs)(s.li,{children:["Network related flags: ",(0,n.jsx)(s.code,{children:"--cluster-dns"}),", ",(0,n.jsx)(s.code,{children:"--cluster-domain"}),", ",(0,n.jsx)(s.code,{children:"--cluster-cidr"}),", ",(0,n.jsx)(s.code,{children:"--service-cidr"})]}),"\n",(0,n.jsxs)(s.li,{children:["Flags controlling the deployment of certain components: ",(0,n.jsx)(s.code,{children:"--disable-helm-controller"}),", ",(0,n.jsx)(s.code,{children:"--disable-kube-proxy"}),", ",(0,n.jsx)(s.code,{children:"--disable-network-policy"})," and any component passed to ",(0,n.jsx)(s.code,{children:"--disable"})]}),"\n",(0,n.jsxs)(s.li,{children:["Feature related flags: ",(0,n.jsx)(s.code,{children:"--secrets-encryption"})]}),"\n"]}),"\n",(0,n.jsx)(s.h2,{id:"existing-single-node-clusters",children:"Existing single-node clusters"}),"\n",(0,n.jsx)(s.admonition,{title:"Version Gate",type:"info",children:(0,n.jsxs)(s.p,{children:["Available as of ",(0,n.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.22.2%2Bk3s1",children:"v1.22.2+k3s1"})]})}),"\n",(0,n.jsxs)(s.p,{children:["If you have an existing cluster using the default embedded SQLite database, you can convert it to etcd by simply restarting your K3s server with the ",(0,n.jsx)(s.code,{children:"--cluster-init"})," flag. Once you've done that, you'll be able to add additional instances as described above."]}),"\n",(0,n.jsxs)(s.p,{children:["If an etcd datastore is found on disk either because that node has either initialized or joined a cluster already, the datastore arguments (",(0,n.jsx)(s.code,{children:"--cluster-init"}),", ",(0,n.jsx)(s.code,{children:"--server"}),", ",(0,n.jsx)(s.code,{children:"--datastore-endpoint"}),", etc) are ignored."]})]})}function h(e={}){const{wrapper:s}={...(0,r.a)(),...e.components};return s?(0,n.jsx)(s,{...e,children:(0,n.jsx)(c,{...e})}):c(e)}},1151:(e,s,t)=>{t.d(s,{Z:()=>a,a:()=>i});var n=t(7294);const r={},d=n.createContext(r);function i(e){const s=n.useContext(d);return n.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function a(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(r):e.components||r:i(e.components),n.createElement(d.Provider,{value:s},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/b8002741.78f49153.js b/assets/js/b8002741.1d77b91e.js
similarity index 99%
rename from assets/js/b8002741.78f49153.js
rename to assets/js/b8002741.1d77b91e.js
index 8c03adbd5..059a55547 100644
--- a/assets/js/b8002741.78f49153.js
+++ b/assets/js/b8002741.1d77b91e.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2573],{3338:(e,s,i)=>{i.r(s),i.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var r=i(5893),t=i(1151);const n={hide_table_of_contents:!0,sidebar_position:1},l="v1.30.X",h={id:"release-notes/v1.30.X",title:"v1.30.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.30.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.30.X",permalink:"/release-notes/v1.30.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.30.X.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,sidebarPosition:1,frontMatter:{hide_table_of_contents:!0,sidebar_position:1},sidebar:"mySidebar",previous:{title:"Resource Profiling",permalink:"/reference/resource-profiling"},next:{title:"v1.29.X",permalink:"/release-notes/v1.29.X"}},c={},d=[{value:"Release v1.30.3+k3s1",id:"release-v1303k3s1",level:2},{value:"Changes since v1.30.2+k3s2:",id:"changes-since-v1302k3s2",level:3},{value:"Release v1.30.2+k3s2",id:"release-v1302k3s2",level:2},{value:"Changes since v1.30.2+k3s1:",id:"changes-since-v1302k3s1",level:3},{value:"Release v1.30.2+k3s1",id:"release-v1302k3s1",level:2},{value:"Changes since v1.30.1+k3s1:",id:"changes-since-v1301k3s1",level:3},{value:"Release v1.30.1+k3s1",id:"release-v1301k3s1",level:2},{value:"Changes since v1.30.0+k3s1:",id:"changes-since-v1300k3s1",level:3},{value:"Release v1.30.0+k3s1",id:"release-v1300k3s1",level:2},{value:"Changes since v1.29.4+k3s1:",id:"changes-since-v1294k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.header,{children:(0,r.jsx)(s.h1,{id:"v130x",children:"v1.30.X"})}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.30.X#release-v1303k3s1",children:"v1.30.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 31 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1303",children:"v1.30.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.11",children:"v0.11.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.28",children:"v0.0.28"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.30.X#release-v1302k3s2",children:"v1.30.2+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 03 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1302",children:"v1.30.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.30.X#release-v1302k3s1",children:"v1.30.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1302",children:"v1.30.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.2",children:"v0.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.30.X#release-v1301k3s1",children:"v1.30.1+k3s1"})}),(0,r.jsx)(s.td,{children:"May 22 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1301",children:"v1.30.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.8-0.20240430184817-f9ce6f8da97b",children:"v0.11.8-0.20240430184817-f9ce6f8da97b"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1-0.20240502205943-2f32059d43e6",children:"v0.16.1-0.20240502205943-2f32059d43e6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.30.X#release-v1300k3s1",children:"v1.30.0+k3s1"})}),(0,r.jsx)(s.td,{children:"May 10 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1300",children:"v1.30.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1303k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.3+k3s1",children:"v1.30.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1302",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1302k3s2",children:"Changes since v1.30.2+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update channel server for k3s2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10446",children:"(#10446)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Set correct release channel for e2e upgrade test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10460",children:"(#10460)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-07 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10497",children:"(#10497)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump k3s-root to v0.14.0"}),"\n",(0,r.jsx)(s.li,{children:"Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7"}),"\n",(0,r.jsx)(s.li,{children:"Bump Local Path Provisioner version"}),"\n",(0,r.jsx)(s.li,{children:"Ensure remotedialer kubelet connections use kubelet bind address"}),"\n",(0,r.jsx)(s.li,{children:"Chore: Bump Trivy version"}),"\n",(0,r.jsx)(s.li,{children:"Add etcd s3 config secret implementation"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["July Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10507",children:"(#10507)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.30.3-k3s1 and Go 1.22.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10536",children:"(#10536)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues loading data-dir value from env vars or dropping config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10596",children:"(#10596)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1302k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.2+k3s2",children:"v1.30.2+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1302",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1302k3s1",children:"Changes since v1.30.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.29.6+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10417",children:"(#10417)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.25.4 and fixed issue with IPv6 mask ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10422",children:"(#10422)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1302k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.2+k3s1",children:"v1.30.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1301",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1301k3s1",children:"Changes since v1.30.1+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using tailscale config by file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10074",children:"(#10074)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using ",(0,r.jsx)(s.code,{children:"vpn-auth-file"})," in the agent"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add WithSkipMissing to not fail import on missing blobs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10136",children:"(#10136)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use fixed stream server bind address for cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9975",children:"(#9975)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Switch stargz over to cri registry config_path ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9977",children:"(#9977)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump to containerd v1.7.17, etcd v3.5.13 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10123",children:"(#10123)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10118",children:"(#10118)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue installing artifacts from PR builds with multiple runs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10122",children:"(#10122)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with ",(0,r.jsx)(s.code,{children:"externalTrafficPolicy: Local"})," for single-stack services on dual-stack nodes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9963",children:"(#9963)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update local-path-provisioner helper script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9964",children:"(#9964)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add support for svclb pod PriorityClassName ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10045",children:"(#10045)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["ServiceLB now sets the priorityClassName on svclb pods to ",(0,r.jsx)(s.code,{children:"system-node-critical"})," by default. This can be overridden on a per-service basis via the ",(0,r.jsx)(s.code,{children:"svccontroller.k3s.cattle.io/priorityclassname"})," annotation."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Drop check for legacy traefik v1 chart ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9593",children:"(#9593)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s no longer automatically skips deploying traefik v2 if traefik v1 is present. All clusters should have been upgraded to v2 at some point over the last three years."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router version to v2.1.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10177",children:"(#10177)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Create ADR for branching strategy ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10147",children:"(#10147)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump minio-go to v7.0.70 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10081",children:"(#10081)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.11.9 to fix pagination ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10082",children:"(#10082)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update valid resolv conf ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9948",children:"(#9948)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add missing kernel config check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10100",children:"(#10100)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Git workflow file name correction ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10131",children:"(#10131)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"None"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Follow directory symlinks in auto deploying manifests (#9288) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10049",children:"(#10049)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix bug: allow helm controller set owner reference ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10048",children:"(#10048)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix go.mod ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10192",children:"(#10192)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version to v0.25.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10146",children:"(#10146)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Test: add agent with auth file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10119",children:"(#10119)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using ",(0,r.jsx)(s.code,{children:"vpn-auth-file"})," in the agent"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add extra log in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10145",children:"(#10145)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel server for may 2024 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10137",children:"(#10137)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump klipper-helm image for tls secret support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10187",children:"(#10187)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Updating the script binary_size_check to complete the command name by\u2026 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9992",children:"(#9992)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with k3s-etcd informers not starting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10047",children:"(#10047)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable serving supervisor metrics ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10019",children:"(#10019)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Enable-pprof"})," can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Supervisor-metrics"})," can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump alpine from 3.18 to 3.20 in /conformance ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10210",children:"(#10210)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump alpine from 3.18 to 3.20 in /package ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10211",children:"(#10211)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump ubuntu from 22.04 to 24.04 in /tests/e2e/scripts ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10040",children:"(#10040)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10039",children:"(#10039)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix netpol crash when node remains tainted uninitialized ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10073",children:"(#10073)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue caused by sole server marked as failed under load ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10241",children:"(#10241)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add write-kubeconfig-group flag to server ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9233",children:"(#9233)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"New flag in k3s server: --write-kubeconfig-group"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix embedded mirror blocked by SAR RBAC and re-enable test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10257",children:"(#10257)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Local Path Provisioner version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10268",children:"(#10268)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: Use actual warningPeriod in certmonitor ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10271",children:"(#10271)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix bug that caused agents to bypass local loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10280",children:"(#10280)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ADR for support for etcd s3 config secret ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9364",children:"(#9364)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for ",(0,r.jsx)(s.code,{children:"isValidResolvConf"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10302",children:"(#10302)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot retention etcd-s3-folder fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10293",children:"(#10293)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Expand GHA golang caching to include newest release branch ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10307",children:"(#10307)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix race condition panic in loadbalancer.nextServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10318",children:"(#10318)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo, use ",(0,r.jsx)(s.code,{children:"rancher/permissions"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10296",children:"(#10296)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.30.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10349",children:"(#10349)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix agent supervisor port using apiserver port instead ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10352",children:"(#10352)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue that allowed multiple simultaneous snapshots to be allowed ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10372",children:"(#10372)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1301k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.1+k3s1",children:"v1.30.1+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.1, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1300",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1300k3s1",children:"Changes since v1.30.0+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ruby function in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10084",children:"(#10084)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channels with 1.30 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10097",children:"(#10097)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Address 461 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10112",children:"(#10112)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.30.1-k3s1 and Go 1.22.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10105",children:"(#10105)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1300k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.0+k3s1",children:"v1.30.0+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.30 line. This release updates Kubernetes to v1.30.0."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1290",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1294k3s1",children:"Changes since v1.29.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Kubernetes V1.30.0-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10063",children:"(#10063)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.29.4+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10031",children:"(#10031)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add E2E Split Server to Drone, support parallel testing in Drone ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9940",children:"(#9940)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump E2E opensuse leap to 15.6, fix btrfs test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10057",children:"(#10057)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove deprecated ",(0,r.jsx)(s.code,{children:"pod-infra-container-image"})," kubelet flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7409",children:"(#7409)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10061",children:"(#10061)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,i)=>{i.d(s,{Z:()=>h,a:()=>l});var r=i(7294);const t={},n=r.createContext(t);function l(e){const s=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(n.Provider,{value:s},e.children)}}}]);
\ No newline at end of file
+"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2573],{3338:(e,s,i)=>{i.r(s),i.d(s,{assets:()=>c,contentTitle:()=>l,default:()=>o,frontMatter:()=>n,metadata:()=>h,toc:()=>d});var r=i(5893),t=i(1151);const n={hide_table_of_contents:!0,sidebar_position:1},l="v1.30.X",h={id:"release-notes/v1.30.X",title:"v1.30.X",description:"Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.",source:"@site/docs/release-notes/v1.30.X.md",sourceDirName:"release-notes",slug:"/release-notes/v1.30.X",permalink:"/release-notes/v1.30.X",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/release-notes/v1.30.X.md",tags:[],version:"current",lastUpdatedAt:1723747404e3,sidebarPosition:1,frontMatter:{hide_table_of_contents:!0,sidebar_position:1},sidebar:"mySidebar",previous:{title:"Resource Profiling",permalink:"/reference/resource-profiling"},next:{title:"v1.29.X",permalink:"/release-notes/v1.29.X"}},c={},d=[{value:"Release v1.30.3+k3s1",id:"release-v1303k3s1",level:2},{value:"Changes since v1.30.2+k3s2:",id:"changes-since-v1302k3s2",level:3},{value:"Release v1.30.2+k3s2",id:"release-v1302k3s2",level:2},{value:"Changes since v1.30.2+k3s1:",id:"changes-since-v1302k3s1",level:3},{value:"Release v1.30.2+k3s1",id:"release-v1302k3s1",level:2},{value:"Changes since v1.30.1+k3s1:",id:"changes-since-v1301k3s1",level:3},{value:"Release v1.30.1+k3s1",id:"release-v1301k3s1",level:2},{value:"Changes since v1.30.0+k3s1:",id:"changes-since-v1300k3s1",level:3},{value:"Release v1.30.0+k3s1",id:"release-v1300k3s1",level:2},{value:"Changes since v1.29.4+k3s1:",id:"changes-since-v1294k3s1",level:3}];function a(e){const s={a:"a",admonition:"admonition",code:"code",h1:"h1",h2:"h2",h3:"h3",header:"header",hr:"hr",li:"li",p:"p",table:"table",tbody:"tbody",td:"td",th:"th",thead:"thead",tr:"tr",ul:"ul",...(0,t.a)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(s.header,{children:(0,r.jsx)(s.h1,{id:"v130x",children:"v1.30.X"})}),"\n",(0,r.jsx)(s.admonition,{title:"Upgrade Notice",type:"warning",children:(0,r.jsxs)(s.p,{children:["Before upgrading from earlier releases, be sure to read the Kubernetes ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#urgent-upgrade-notes",children:"Urgent Upgrade Notes"}),"."]})}),"\n",(0,r.jsxs)(s.table,{children:[(0,r.jsx)(s.thead,{children:(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.th,{children:"Version"}),(0,r.jsx)(s.th,{children:"Release date"}),(0,r.jsx)(s.th,{children:"Kubernetes"}),(0,r.jsx)(s.th,{children:"Kine"}),(0,r.jsx)(s.th,{children:"SQLite"}),(0,r.jsx)(s.th,{children:"Etcd"}),(0,r.jsx)(s.th,{children:"Containerd"}),(0,r.jsx)(s.th,{children:"Runc"}),(0,r.jsx)(s.th,{children:"Flannel"}),(0,r.jsx)(s.th,{children:"Metrics-server"}),(0,r.jsx)(s.th,{children:"Traefik"}),(0,r.jsx)(s.th,{children:"CoreDNS"}),(0,r.jsx)(s.th,{children:"Helm-controller"}),(0,r.jsx)(s.th,{children:"Local-path-provisioner"})]})}),(0,r.jsxs)(s.tbody,{children:[(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.30.X#release-v1303k3s1",children:"v1.30.3+k3s1"})}),(0,r.jsx)(s.td,{children:"Jul 31 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1303",children:"v1.30.3"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.11",children:"v0.11.11"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.28",children:"v0.0.28"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.30.X#release-v1302k3s2",children:"v1.30.2+k3s2"})}),(0,r.jsx)(s.td,{children:"Jul 03 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1302",children:"v1.30.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.4",children:"v0.25.4"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.30.X#release-v1302k3s1",children:"v1.30.2+k3s1"})}),(0,r.jsx)(s.td,{children:"Jun 25 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1302",children:"v1.30.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.9",children:"v0.11.9"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.13-k3s1",children:"v3.5.13-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.17-k3s1",children:"v1.7.17-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.25.2",children:"v0.25.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.27",children:"v0.0.27"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.30.X#release-v1301k3s1",children:"v1.30.1+k3s1"})}),(0,r.jsx)(s.td,{children:"May 22 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1301",children:"v1.30.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.8-0.20240430184817-f9ce6f8da97b",children:"v0.11.8-0.20240430184817-f9ce6f8da97b"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12-k3s1",children:"v1.1.12-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.16.1-0.20240502205943-2f32059d43e6",children:"v0.16.1-0.20240502205943-2f32059d43e6"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]}),(0,r.jsxs)(s.tr,{children:[(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"/release-notes/v1.30.X#release-v1300k3s1",children:"v1.30.0+k3s1"})}),(0,r.jsx)(s.td,{children:"May 10 2024"}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1300",children:"v1.30.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/kine/releases/tag/v0.11.7",children:"v0.11.8"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://sqlite.org/releaselog/3_44_0.html",children:"3.44.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/etcd/releases/tag/v3.5.9-k3s1",children:"v3.5.9-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/containerd/releases/tag/v1.7.15-k3s1",children:"v1.7.15-k3s1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/opencontainers/runc/releases/tag/v1.1.12",children:"v1.1.12"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/flannel-io/flannel/releases/tag/v0.24.2",children:"v0.24.2"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0",children:"v0.7.0"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/traefik/traefik/releases/tag/v2.10.7",children:"v2.10.7"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/coredns/coredns/releases/tag/v1.10.1",children:"v1.10.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/helm-controller/releases/tag/v0.15.9",children:"v0.16.1"})}),(0,r.jsx)(s.td,{children:(0,r.jsx)(s.a,{href:"https://github.com/rancher/local-path-provisioner/releases/tag/v0.0.26",children:"v0.0.26"})})]})]})]}),"\n",(0,r.jsx)("br",{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1303k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.3+k3s1",children:"v1.30.3+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.3, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1302",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1302k3s2",children:"Changes since v1.30.2+k3s2:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update channel server for k3s2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10446",children:"(#10446)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Set correct release channel for e2e upgrade test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10460",children:"(#10460)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Backports for 2024-07 release cycle ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10497",children:"(#10497)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Bump k3s-root to v0.14.0"}),"\n",(0,r.jsx)(s.li,{children:"Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7"}),"\n",(0,r.jsx)(s.li,{children:"Bump Local Path Provisioner version"}),"\n",(0,r.jsx)(s.li,{children:"Ensure remotedialer kubelet connections use kubelet bind address"}),"\n",(0,r.jsx)(s.li,{children:"Chore: Bump Trivy version"}),"\n",(0,r.jsx)(s.li,{children:"Add etcd s3 config secret implementation"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["July Test Backports ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10507",children:"(#10507)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.30.3-k3s1 and Go 1.22.5 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10536",children:"(#10536)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issues loading data-dir value from env vars or dropping config files ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10596",children:"(#10596)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1302k3s2",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.2+k3s2",children:"v1.30.2+k3s2"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1302",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1302k3s1",children:"Changes since v1.30.2+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.29.6+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10417",children:"(#10417)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update flannel to v0.25.4 and fixed issue with IPv6 mask ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10422",children:"(#10422)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1302k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.2+k3s1",children:"v1.30.2+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.2, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1301",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1301k3s1",children:"Changes since v1.30.1+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using tailscale config by file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10074",children:"(#10074)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using ",(0,r.jsx)(s.code,{children:"vpn-auth-file"})," in the agent"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add WithSkipMissing to not fail import on missing blobs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10136",children:"(#10136)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Use fixed stream server bind address for cri-dockerd ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9975",children:"(#9975)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Switch stargz over to cri registry config_path ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9977",children:"(#9977)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump to containerd v1.7.17, etcd v3.5.13 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10123",children:"(#10123)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump spegel version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10118",children:"(#10118)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue installing artifacts from PR builds with multiple runs ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10122",children:"(#10122)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with ",(0,r.jsx)(s.code,{children:"externalTrafficPolicy: Local"})," for single-stack services on dual-stack nodes ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9963",children:"(#9963)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update local-path-provisioner helper script ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9964",children:"(#9964)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add support for svclb pod PriorityClassName ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10045",children:"(#10045)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["ServiceLB now sets the priorityClassName on svclb pods to ",(0,r.jsx)(s.code,{children:"system-node-critical"})," by default. This can be overridden on a per-service basis via the ",(0,r.jsx)(s.code,{children:"svccontroller.k3s.cattle.io/priorityclassname"})," annotation."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Drop check for legacy traefik v1 chart ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9593",children:"(#9593)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"K3s no longer automatically skips deploying traefik v2 if traefik v1 is present. All clusters should have been upgraded to v2 at some point over the last three years."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Update kube-router version to v2.1.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10177",children:"(#10177)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Create ADR for branching strategy ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10147",children:"(#10147)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump minio-go to v7.0.70 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10081",children:"(#10081)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump kine to v0.11.9 to fix pagination ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10082",children:"(#10082)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update valid resolv conf ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9948",children:"(#9948)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add missing kernel config check ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10100",children:"(#10100)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Git workflow file name correction ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10131",children:"(#10131)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"None"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Follow directory symlinks in auto deploying manifests (#9288) ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10049",children:"(#10049)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix bug: allow helm controller set owner reference ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10048",children:"(#10048)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix go.mod ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10192",children:"(#10192)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump flannel version to v0.25.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10146",children:"(#10146)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Test: add agent with auth file ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10119",children:"(#10119)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Fix bug when using ",(0,r.jsx)(s.code,{children:"vpn-auth-file"})," in the agent"]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add extra log in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10145",children:"(#10145)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channel server for may 2024 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10137",children:"(#10137)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump klipper-helm image for tls secret support ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10187",children:"(#10187)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Updating the script binary_size_check to complete the command name by\u2026 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9992",children:"(#9992)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue with k3s-etcd informers not starting ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10047",children:"(#10047)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Enable serving supervisor metrics ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10019",children:"(#10019)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Enable-pprof"})," can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port."]}),"\n",(0,r.jsxs)(s.li,{children:[(0,r.jsx)(s.code,{children:"--Supervisor-metrics"})," can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Bump alpine from 3.18 to 3.20 in /conformance ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10210",children:"(#10210)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump alpine from 3.18 to 3.20 in /package ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10211",children:"(#10211)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump ubuntu from 22.04 to 24.04 in /tests/e2e/scripts ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10040",children:"(#10040)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Trivy version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10039",children:"(#10039)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix netpol crash when node remains tainted uninitialized ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10073",children:"(#10073)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue caused by sole server marked as failed under load ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10241",children:"(#10241)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks."}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Add write-kubeconfig-group flag to server ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9233",children:"(#9233)"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsx)(s.li,{children:"New flag in k3s server: --write-kubeconfig-group"}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(s.li,{children:["Fix embedded mirror blocked by SAR RBAC and re-enable test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10257",children:"(#10257)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump Local Path Provisioner version ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10268",children:"(#10268)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix: Use actual warningPeriod in certmonitor ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10271",children:"(#10271)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix bug that caused agents to bypass local loadbalancer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10280",children:"(#10280)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add ADR for support for etcd s3 config secret ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9364",children:"(#9364)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add test for ",(0,r.jsx)(s.code,{children:"isValidResolvConf"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10302",children:"(#10302)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add snapshot retention etcd-s3-folder fix ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10293",children:"(#10293)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Expand GHA golang caching to include newest release branch ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10307",children:"(#10307)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix race condition panic in loadbalancer.nextServer ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10318",children:"(#10318)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix typo, use ",(0,r.jsx)(s.code,{children:"rancher/permissions"})," ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10296",children:"(#10296)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update Kubernetes to v1.30.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10349",children:"(#10349)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix agent supervisor port using apiserver port instead ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10352",children:"(#10352)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix issue that allowed multiple simultaneous snapshots to be allowed ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10372",children:"(#10372)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1301k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.1+k3s1",children:"v1.30.1+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release updates Kubernetes to v1.30.1, and fixes a number of issues."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1300",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1300k3s1",children:"Changes since v1.30.0+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Replace deprecated ruby function in e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10084",children:"(#10084)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update channels with 1.30 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10097",children:"(#10097)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Address 461 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10112",children:"(#10112)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update to v1.30.1-k3s1 and Go 1.22.2 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10105",children:"(#10105)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{}),"\n",(0,r.jsxs)(s.h2,{id:"release-v1300k3s1",children:["Release ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/releases/tag/v1.30.0+k3s1",children:"v1.30.0+k3s1"})]}),"\n",(0,r.jsx)(s.p,{children:"This release is K3S's first in the v1.30 line. This release updates Kubernetes to v1.30.0."}),"\n",(0,r.jsxs)(s.p,{children:["For more details on what's new, see the ",(0,r.jsx)(s.a,{href:"https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1290",children:"Kubernetes release notes"}),"."]}),"\n",(0,r.jsx)(s.h3,{id:"changes-since-v1294k3s1",children:"Changes since v1.29.4+k3s1:"}),"\n",(0,r.jsxs)(s.ul,{children:["\n",(0,r.jsxs)(s.li,{children:["Kubernetes V1.30.0-k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10063",children:"(#10063)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Update stable channel to v1.29.4+k3s1 ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10031",children:"(#10031)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Add E2E Split Server to Drone, support parallel testing in Drone ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/9940",children:"(#9940)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Bump E2E opensuse leap to 15.6, fix btrfs test ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10057",children:"(#10057)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Remove deprecated ",(0,r.jsx)(s.code,{children:"pod-infra-container-image"})," kubelet flag ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/7409",children:"(#7409)"})]}),"\n",(0,r.jsxs)(s.li,{children:["Fix e2e tests ",(0,r.jsx)(s.a,{href:"https://github.com/k3s-io/k3s/pull/10061",children:"(#10061)"})]}),"\n"]}),"\n",(0,r.jsx)(s.hr,{})]})}function o(e={}){const{wrapper:s}={...(0,t.a)(),...e.components};return s?(0,r.jsx)(s,{...e,children:(0,r.jsx)(a,{...e})}):a(e)}},1151:(e,s,i)=>{i.d(s,{Z:()=>h,a:()=>l});var r=i(7294);const t={},n=r.createContext(t);function l(e){const s=r.useContext(n);return r.useMemo((function(){return"function"==typeof e?e(s):{...s,...e}}),[s,e])}function h(e){let s;return s=e.disableParentContext?"function"==typeof e.components?e.components(t):e.components||t:l(e.components),r.createElement(n.Provider,{value:s},e.children)}}}]);
\ No newline at end of file
diff --git a/assets/js/b9a30a37.4bd0940f.js b/assets/js/b9a30a37.cd039b94.js
similarity index 99%
rename from assets/js/b9a30a37.4bd0940f.js
rename to assets/js/b9a30a37.cd039b94.js
index aa4ab4190..147ad99db 100644
--- a/assets/js/b9a30a37.4bd0940f.js
+++ b/assets/js/b9a30a37.cd039b94.js
@@ -1 +1 @@
-"use strict";(self.webpackChunkk_3_s_docs=self.webpackChunkk_3_s_docs||[]).push([[2038],{9763:(e,r,s)=>{s.r(r),s.d(r,{assets:()=>c,contentTitle:()=>a,default:()=>u,frontMatter:()=>i,metadata:()=>l,toc:()=>o});var t=s(5893),n=s(1151);const i={title:"CIS 1.8 Self Assessment Guide"},a=void 0,l={id:"security/self-assessment-1.8",title:"CIS 1.8 Self Assessment Guide",description:"Overview",source:"@site/docs/security/self-assessment-1.8.md",sourceDirName:"security",slug:"/security/self-assessment-1.8",permalink:"/security/self-assessment-1.8",draft:!1,unlisted:!1,editUrl:"https://github.com/k3s-io/docs/edit/main/docs/security/self-assessment-1.8.md",tags:[],version:"current",lastUpdatedAt:1723651727e3,frontMatter:{title:"CIS 1.8 Self Assessment Guide"},sidebar:"mySidebar",previous:{title:"CIS Hardening Guide",permalink:"/security/hardening-guide"},next:{title:"CIS 1.7 Self Assessment Guide",permalink:"/security/self-assessment-1.7"}},c={},o=[{value:"Overview",id:"overview",level:2},{value:"Testing controls methodology",id:"testing-controls-methodology",level:3},{value:"1.1 Control Plane Node Configuration Files",id:"11-control-plane-node-configuration-files",level:2},{value:"1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)",id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.2 Ensure that the API server pod specification file ownership is set to root (Automated)",id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)",id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.4 Ensure that the controller manager pod specification file ownership is set to root (Automated)",id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)",id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.6 Ensure that the scheduler pod specification file ownership is set to root (Automated)",id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)",id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.8 Ensure that the etcd pod specification file ownership is set to root (Automated)",id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)",id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.10 Ensure that the Container Network Interface file ownership is set to root (Manual)",id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",level:3},{value:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)",id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",level:3},{value:"1.1.12 Ensure that the etcd data directory ownership is set to etcd (Automated)",id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",level:3},{value:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)",id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.14 Ensure that the admin.conf file ownership is set to root (Automated)",id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)",id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.16 Ensure that the scheduler.conf file ownership is set to root (Automated)",id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)",id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"1.1.18 Ensure that the controller-manager.conf file ownership is set to root (Automated)",id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root (Automated)",id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",level:3},{value:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)",id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual",level:3},{value:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)",id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated",level:3},{value:"1.2 API Server",id:"12-api-server",level:2},{value:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)",id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",level:3},{value:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)",id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",level:3},{value:"1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)",id:"124-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)",id:"125-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"126-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)",id:"127-ensure-that-the---authorization-mode-argument-includes-node-automated",level:3},{value:"1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)",id:"128-ensure-that-the---authorization-mode-argument-includes-rbac-automated",level:3},{value:"1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual)",id:"129-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",level:3},{value:"1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)",id:"1210-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",level:3},{value:"1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)",id:"1211-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",level:3},{value:"1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)",id:"1212-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",level:3},{value:"1.2.13 Ensure that the admission control plugin ServiceAccount is set (Automated)",id:"1213-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",level:3},{value:"1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)",id:"1214-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",level:3},{value:"1.2.15 Ensure that the admission control plugin NodeRestriction is set (Automated)",id:"1215-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",level:3},{value:"1.2.16 Ensure that the --profiling argument is set to false (Automated)",id:"1216-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.2.17 Ensure that the --audit-log-path argument is set (Manual)",id:"1217-ensure-that-the---audit-log-path-argument-is-set-manual",level:3},{value:"1.2.18 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Manual)",id:"1218-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-manual",level:3},{value:"1.2.19 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Manual)",id:"1219-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-manual",level:3},{value:"1.2.20 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Manual)",id:"1220-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-manual",level:3},{value:"1.2.21 Ensure that the --request-timeout argument is set as appropriate (Manual)",id:"1221-ensure-that-the---request-timeout-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.22 Ensure that the --service-account-lookup argument is set to true (Automated)",id:"1222-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",level:3},{value:"1.2.23 Ensure that the --service-account-key-file argument is set as appropriate (Automated)",id:"1223-ensure-that-the---service-account-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.24 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)",id:"1224-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.25 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"1225-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"1.2.26 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"1226-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.27 Ensure that the --etcd-cafile argument is set as appropriate (Automated)",id:"1227-ensure-that-the---etcd-cafile-argument-is-set-as-appropriate-automated",level:3},{value:"1.2.28 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)",id:"1228-ensure-that-the---encryption-provider-config-argument-is-set-as-appropriate-manual",level:3},{value:"1.2.29 Ensure that encryption providers are appropriately configured (Manual)",id:"1229-ensure-that-encryption-providers-are-appropriately-configured-manual",level:3},{value:"1.2.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)",id:"1230-ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers-automated",level:3},{value:"1.3 Controller Manager",id:"13-controller-manager",level:2},{value:"1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)",id:"131-ensure-that-the---terminated-pod-gc-threshold-argument-is-set-as-appropriate-manual",level:3},{value:"1.3.2 Ensure that the --profiling argument is set to false (Automated)",id:"132-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)",id:"133-ensure-that-the---use-service-account-credentials-argument-is-set-to-true-automated",level:3},{value:"1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)",id:"134-ensure-that-the---service-account-private-key-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)",id:"135-ensure-that-the---root-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"136-ensure-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"137-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"1.4 Scheduler",id:"14-scheduler",level:2},{value:"1.4.1 Ensure that the --profiling argument is set to false (Automated)",id:"141-ensure-that-the---profiling-argument-is-set-to-false-automated",level:3},{value:"1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)",id:"142-ensure-that-the---bind-address-argument-is-set-to-127001-automated",level:3},{value:"2 Etcd Node Configuration",id:"2-etcd-node-configuration",level:2},{value:"2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)",id:"21-ensure-that-the---cert-file-and---key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.2 Ensure that the --client-cert-auth argument is set to true (Automated)",id:"22-ensure-that-the---client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.3 Ensure that the --auto-tls argument is not set to true (Automated)",id:"23-ensure-that-the---auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)",id:"24-ensure-that-the---peer-cert-file-and---peer-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)",id:"25-ensure-that-the---peer-client-cert-auth-argument-is-set-to-true-automated",level:3},{value:"2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)",id:"26-ensure-that-the---peer-auto-tls-argument-is-not-set-to-true-automated",level:3},{value:"2.7 Ensure that a unique Certificate Authority is used for etcd (Automated)",id:"27-ensure-that-a-unique-certificate-authority-is-used-for-etcd-automated",level:3},{value:"4.1 Worker Node Configuration Files",id:"41-worker-node-configuration-files",level:2},{value:"4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)",id:"411-ensure-that-the-kubelet-service-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.2 Ensure that the kubelet service file ownership is set to root (Automated)",id:"412-ensure-that-the-kubelet-service-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)",id:"413-if-proxy-kubeconfig-file-exists-ensure-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.4 If proxy kubeconfig file exists ensure ownership is set to root (Automated)",id:"414-if-proxy-kubeconfig-file-exists-ensure-ownership-is-set-to-root-automated",level:3},{value:"4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)",id:"415-ensure-that-the---kubeconfig-kubeletconf-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root (Automated)",id:"416-ensure-that-the---kubeconfig-kubeletconf-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)",id:"417-ensure-that-the-certificate-authorities-file-permissions-are-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.8 Ensure that the client certificate authorities file ownership is set to root (Automated)",id:"418-ensure-that-the-client-certificate-authorities-file-ownership-is-set-to-root-automated",level:3},{value:"4.1.9 Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)",id:"419-ensure-that-the-kubelet---config-configuration-file-has-permissions-set-to-600-or-more-restrictive-automated",level:3},{value:"4.1.10 Ensure that the kubelet --config configuration file ownership is set to root (Automated)",id:"4110-ensure-that-the-kubelet---config-configuration-file-ownership-is-set-to-root-automated",level:3},{value:"4.2 Kubelet",id:"42-kubelet",level:2},{value:"4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)",id:"421-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",level:3},{value:"4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",id:"422-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",level:3},{value:"4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)",id:"423-ensure-that-the---client-ca-file-argument-is-set-as-appropriate-automated",level:3},{value:"4.2.4 Verify that the --read-only-port argument is set to 0 (Automated)",id:"424-verify-that-the---read-only-port-argument-is-set-to-0-automated",level:3},{value:"4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)",id:"425-ensure-that-the---streaming-connection-idle-timeout-argument-is-not-set-to-0-manual",level:3},{value:"4.2.6 Ensure that the --make-iptables-util-chains argument is set to true (Automated)",id:"426-ensure-that-the---make-iptables-util-chains-argument-is-set-to-true-automated",level:3},{value:"4.2.7 Ensure that the --hostname-override argument is not set (Automated)",id:"427-ensure-that-the---hostname-override-argument-is-not-set-automated",level:3},{value:"4.2.8 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)",id:"428-ensure-that-the-eventrecordqps-argument-is-set-to-a-level-which-ensures-appropriate-event-capture-manual",level:3},{value:"4.2.9 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)",id:"429-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",level:3},{value:"4.2.10 Ensure that the --rotate-certificates argument is not set to false (Automated)",id:"4210-ensure-that-the---rotate-certificates-argument-is-not-set-to-false-automated",level:3},{value:"4.2.11 Verify that the RotateKubeletServerCertificate argument is set to true (Automated)",id:"4211-verify-that-the-rotatekubeletservercertificate-argument-is-set-to-true-automated",level:3},{value:"4.2.12 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)",id:"4212-ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers-manual",level:3},{value:"4.2.13 Ensure that a limit is set on pod PIDs (Manual)",id:"4213-ensure-that-a-limit-is-set-on-pod-pids-manual",level:3},{value:"5.1 RBAC and Service Accounts",id:"51-rbac-and-service-accounts",level:2},{value:"5.1.1 Ensure that the cluster-admin role is only used where required (Manual)",id:"511-ensure-that-the-cluster-admin-role-is-only-used-where-required-manual",level:3},{value:"5.1.2 Minimize access to secrets (Manual)",id:"512-minimize-access-to-secrets-manual",level:3},{value:"5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)",id:"513-minimize-wildcard-use-in-roles-and-clusterroles-manual",level:3},{value:"5.1.4 Minimize access to create pods (Manual)",id:"514-minimize-access-to-create-pods-manual",level:3},{value:"5.1.5 Ensure that default service accounts are not actively used. (Manual)",id:"515-ensure-that-default-service-accounts-are-not-actively-used-manual",level:3},{value:"5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)",id:"516-ensure-that-service-account-tokens-are-only-mounted-where-necessary-manual",level:3},{value:"5.1.7 Avoid use of system group (Manual)",id:"517-avoid-use-of-system-group-manual",level:3},{value:"5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)",id:"518-limit-use-of-the-bind-impersonate-and-escalate-permissions-in-the-kubernetes-cluster-manual",level:3},{value:"5.1.9 Minimize access to create persistent volumes (Manual)",id:"519-minimize-access-to-create-persistent-volumes-manual",level:3},{value:"5.1.10 Minimize access to the proxy sub-resource of nodes (Manual)",id:"5110-minimize-access-to-the-proxy-sub-resource-of-nodes-manual",level:3},{value:"5.1.11 Minimize access to the approval sub-resource of certificatesigningrequests objects (Manual)",id:"5111-minimize-access-to-the-approval-sub-resource-of-certificatesigningrequests-objects-manual",level:3},{value:"5.1.12 Minimize access to webhook configuration objects (Manual)",id:"5112-minimize-access-to-webhook-configuration-objects-manual",level:3},{value:"5.1.13 Minimize access to the service account token creation (Manual)",id:"5113-minimize-access-to-the-service-account-token-creation-manual",level:3},{value:"5.2 Pod Security Standards",id:"52-pod-security-standards",level:2},{value:"5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)",id:"521-ensure-that-the-cluster-has-at-least-one-active-policy-control-mechanism-in-place-manual",level:3},{value:"5.2.2 Minimize the admission of privileged containers (Manual)",id:"522-minimize-the-admission-of-privileged-containers-manual",level:3},{value:"5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)",id:"523-minimize-the-admission-of-containers-wishing-to-share-the-host-process-id-namespace-automated",level:3},{value:"5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)",id:"524-minimize-the-admission-of-containers-wishing-to-share-the-host-ipc-namespace-automated",level:3},{value:"5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)",id:"525-minimize-the-admission-of-containers-wishing-to-share-the-host-network-namespace-automated",level:3},{value:"5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)",id:"526-minimize-the-admission-of-containers-with-allowprivilegeescalation-automated",level:3},{value:"5.2.7 Minimize the admission of root containers (Automated)",id:"527-minimize-the-admission-of-root-containers-automated",level:3},{value:"5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)",id:"528-minimize-the-admission-of-containers-with-the-net_raw-capability-automated",level:3},{value:"5.2.9 Minimize the admission of containers with added capabilities (Automated)",id:"529-minimize-the-admission-of-containers-with-added-capabilities-automated",level:3},{value:"5.2.10 Minimize the admission of containers with capabilities assigned (Manual)",id:"5210-minimize-the-admission-of-containers-with-capabilities-assigned-manual",level:3},{value:"5.2.11 Minimize the admission of Windows HostProcess containers (Manual)",id:"5211-minimize-the-admission-of-windows-hostprocess-containers-manual",level:3},{value:"5.2.12 Minimize the admission of HostPath volumes (Manual)",id:"5212-minimize-the-admission-of-hostpath-volumes-manual",level:3},{value:"5.2.13 Minimize the admission of containers which use HostPorts (Manual)",id:"5213-minimize-the-admission-of-containers-which-use-hostports-manual",level:3},{value:"5.3 Network Policies and CNI",id:"53-network-policies-and-cni",level:2},{value:"5.3.1 Ensure that the CNI in use supports NetworkPolicies (Manual)",id:"531-ensure-that-the-cni-in-use-supports-networkpolicies-manual",level:3},{value:"5.3.2 Ensure that all Namespaces have NetworkPolicies defined (Manual)",id:"532-ensure-that-all-namespaces-have-networkpolicies-defined-manual",level:3},{value:"5.4 Secrets Management",id:"54-secrets-management",level:2},{value:"5.4.1 Prefer using Secrets as files over Secrets as environment variables (Manual)",id:"541-prefer-using-secrets-as-files-over-secrets-as-environment-variables-manual",level:3},{value:"5.4.2 Consider external secret storage (Manual)",id:"542-consider-external-secret-storage-manual",level:3},{value:"5.5 Extensible Admission Control",id:"55-extensible-admission-control",level:2},{value:"5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)",id:"551-configure-image-provenance-using-imagepolicywebhook-admission-controller-manual",level:3},{value:"5.7 General Policies",id:"57-general-policies",level:2},{value:"5.7.1 Create administrative boundaries between resources using namespaces (Manual)",id:"571-create-administrative-boundaries-between-resources-using-namespaces-manual",level:3},{value:"5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)",id:"572-ensure-that-the-seccomp-profile-is-set-to-dockerdefault-in-your-pod-definitions-manual",level:3},{value:"5.7.3 Apply SecurityContext to your Pods and Containers (Manual)",id:"573-apply-securitycontext-to-your-pods-and-containers-manual",level:3},{value:"5.7.4 The default namespace should not be used (Manual)",id:"574-the-default-namespace-should-not-be-used-manual",level:3}];function d(e){const r={a:"a",code:"code",h2:"h2",h3:"h3",li:"li",p:"p",pre:"pre",strong:"strong",ul:"ul",...(0,n.a)(),...e.components},{Details:s}=r;return s||function(e,r){throw new Error("Expected "+(r?"component":"object")+" `"+e+"` to be defined: you likely forgot to import, pass, or provide it.")}("Details",!0),(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(r.h2,{id:"overview",children:"Overview"}),"\n",(0,t.jsxs)(r.p,{children:["This document is a companion to the ",(0,t.jsx)(r.a,{href:"/security/hardening-guide",children:"K3s security hardening guide"}),". The hardening guide provides prescriptive guidance for hardening a production installation of K3s, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes Benchmark. It is to be used by K3s operators, security teams, auditors, and decision-makers."]}),"\n",(0,t.jsxs)(r.p,{children:["This guide is specific to the ",(0,t.jsx)(r.strong,{children:"v1.26-v1.29"})," release line of K3s and the ",(0,t.jsx)(r.strong,{children:"v1.8"})," release of the CIS Kubernetes Benchmark."]}),"\n",(0,t.jsxs)(r.p,{children:["For more information about each control, including detailed descriptions and remediations for failing tests, you can refer to the corresponding section of the CIS Kubernetes Benchmark v1.8. You can download the benchmark, after creating a free account, in ",(0,t.jsx)(r.a,{href:"https://www.cisecurity.org/benchmark/kubernetes/",children:"Center for Internet Security (CIS)"}),"."]}),"\n",(0,t.jsx)(r.h3,{id:"testing-controls-methodology",children:"Testing controls methodology"}),"\n",(0,t.jsx)(r.p,{children:"Each control in the CIS Kubernetes Benchmark was evaluated against a K3s cluster that was configured according to the accompanying hardening guide."}),"\n",(0,t.jsx)(r.p,{children:"Where control audits differ from the original CIS benchmark, the audit commands specific to K3s are provided for testing."}),"\n",(0,t.jsx)(r.p,{children:"These are the possible results for each control:"}),"\n",(0,t.jsxs)(r.ul,{children:["\n",(0,t.jsxs)(r.li,{children:[(0,t.jsx)(r.strong,{children:"Pass"})," - The K3s cluster under test passed the audit outlined in the benchmark."]}),"\n",(0,t.jsxs)(r.li,{children:[(0,t.jsx)(r.strong,{children:"Not Applicable"})," - The control is not applicable to K3s because of how it is designed to operate. The remediation section will explain why this is so."]}),"\n",(0,t.jsxs)(r.li,{children:[(0,t.jsx)(r.strong,{children:"Warn"})," - The control is manual in the CIS benchmark and it depends on the cluster's use case or some other factor that must be determined by the cluster operator. These controls have been evaluated to ensure K3s does not prevent their implementation, but no further configuration or auditing of the cluster under test has been performed."]}),"\n"]}),"\n",(0,t.jsx)(r.p,{children:'This guide makes the assumption that K3s is running as a Systemd unit. Your installation may vary and will require you to adjust the "audit" commands to fit your scenario.'}),"\n",(0,t.jsx)(r.h2,{id:"11-control-plane-node-configuration-files",children:"1.1 Control Plane Node Configuration Files"}),"\n",(0,t.jsx)(r.h3,{id:"111-ensure-that-the-api-server-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the api server within the k3s process. There is no API server pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"112-ensure-that-the-api-server-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.2 Ensure that the API server pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the api server within the k3s process. There is no API server pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"113-ensure-that-the-controller-manager-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the controller manager within the k3s process. There is no controller manager pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"114-ensure-that-the-controller-manager-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.4 Ensure that the controller manager pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the controller manager within the k3s process. There is no controller manager pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"115-ensure-that-the-scheduler-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the scheduler within the k3s process. There is no scheduler pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"116-ensure-that-the-scheduler-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.6 Ensure that the scheduler pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds the scheduler within the k3s process. There is no scheduler pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"117-ensure-that-the-etcd-pod-specification-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds etcd within the k3s process. There is no etcd pod specification file."}),"\n",(0,t.jsxs)(r.h3,{id:"118-ensure-that-the-etcd-pod-specification-file-ownership-is-set-to-root-automated",children:["1.1.8 Ensure that the etcd pod specification file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"By default, K3s embeds etcd within the k3s process. There is no etcd pod specification file."}),"\n",(0,t.jsx)(r.h3,{id:"119-ensure-that-the-container-network-interface-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"find /var/lib/cni/networks -type f ! -name lock 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["By default, K3s sets the CNI file permissions to 600.\nNote that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.\nIf you modify your CNI configuration, ensure that the permissions are set to 600.\nFor example, ",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/cni/networks/"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1110-ensure-that-the-container-network-interface-file-ownership-is-set-to-root-manual",children:["1.1.10 Ensure that the Container Network Interface file ownership is set to root",":root"," (Manual)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root "})]}),"\n",(0,t.jsx)(r.h3,{id:"1111-ensure-that-the-etcd-data-directory-permissions-are-set-to-700-or-more-restrictive-automated",children:"1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:'if [ "$(journalctl -u k3s | grep -m1 \'Managed etcd cluster\' | wc -l)" -gt 0 ]; then\n stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd\nelse\n echo "permissions=700"\nfi\n'})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 700, expected 700 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=700\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["On the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\nRun the below command (based on the etcd data directory found above). For example,\n",(0,t.jsx)(r.code,{children:"chmod 700 /var/lib/etcd"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1112-ensure-that-the-etcd-data-directory-ownership-is-set-to-etcd-automated",children:["1.1.12 Ensure that the etcd data directory ownership is set to etcd",":etcd"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsxs)(r.p,{children:["For K3s, etcd is embedded within the k3s process. There is no separate etcd process.\nTherefore the etcd data directory ownership is managed by the k3s process and should be root",":root","."]}),"\n",(0,t.jsx)(r.h3,{id:"1113-ensure-that-the-adminconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1114-ensure-that-the-adminconf-file-ownership-is-set-to-root-automated",children:["1.1.14 Ensure that the admin.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example, ",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/admin.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1115-ensure-that-the-schedulerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1116-ensure-that-the-schedulerconf-file-ownership-is-set-to-root-automated",children:["1.1.16 Ensure that the scheduler.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1117-ensure-that-the-controller-managerconf-file-permissions-are-set-to-600-or-more-restrictive-automated",children:"1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod 600 /var/lib/rancher/k3s/server/cred/controller.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1118-ensure-that-the-controller-managerconf-file-ownership-is-set-to-root-automated",children:["1.1.18 Ensure that the controller-manager.conf file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/cred/controller.kubeconfig\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is equal to 'root",":root","'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown root:root /var/lib/rancher/k3s/server/cred/controller.kubeconfig"})]})]}),"\n",(0,t.jsxs)(r.h3,{id:"1119-ensure-that-the-kubernetes-pki-directory-and-file-ownership-is-set-to-root-automated",children:["1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root",":root"," (Automated)"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"stat -c %U:%G /var/lib/rancher/k3s/server/tls\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," 'root",":root","' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"root:root\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the control plane node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chown -R root:root /var/lib/rancher/k3s/server/tls"})]})]}),"\n",(0,t.jsx)(r.h3,{id:"1120-ensure-that-the-kubernetes-pki-certificate-file-permissions-are-set-to-600-or-more-restrictive-manual",children:"1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nRun the below command (based on the file location on your system) on the master node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.crt"})]}),"\n",(0,t.jsx)(r.h3,{id:"1121-ensure-that-the-kubernetes-pki-key-file-permissions-are-set-to-600-automated",children:"1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"/bin/sh -c 'stat -c permissions=%a /var/lib/rancher/k3s/server/tls/*.key'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," permissions has permissions 600, expected 600 or more restrictive"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:"permissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\npermissions=600\n"})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsxs)(r.p,{children:["Run the below command (based on the file location on your system) on the master node.\nFor example,\n",(0,t.jsx)(r.code,{children:"chmod -R 600 /var/lib/rancher/k3s/server/tls/*.key"})]})]}),"\n",(0,t.jsx)(r.h2,{id:"12-api-server",children:"1.2 API Server"}),"\n",(0,t.jsx)(r.h3,{id:"121-ensure-that-the---anonymous-auth-argument-is-set-to-false-automated",children:"1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--anonymous-auth' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --anonymous-auth argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "anonymous-auth=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"122-ensure-that-the---token-auth-file-parameter-is-not-set-automated",children:"1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--token-auth-file' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Follow the documentation and configure alternate mechanisms for authentication.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "token-auth-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"123-ensure-that-the---denyserviceexternalips-is-not-set-automated",children:"1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' does not have 'DenyServiceExternalIPs' OR '--enable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set DenyServiceExternalIPs.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=DenyServiceExternalIPs"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"124-ensure-that-the---kubelet-client-certificate-and---kubelet-client-key-arguments-are-set-as-appropriate-automated",children:"1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--kubelet-client-certificate' is present AND '--kubelet-client-key' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the kubelet client certificate and key.\nThey are generated and located at /var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/client-kube-apiserver.key\nIf for some reason you need to provide your own certificate and key, you can set the\nbelow parameters in the K3s config file /etc/rancher/k3s/config.yaml."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "kubelet-client-certificate="\n - "kubelet-client-key="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"125-ensure-that-the---kubelet-certificate-authority-argument-is-set-as-appropriate-automated",children:"1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-certificate-authority'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--kubelet-certificate-authority' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically provides the kubelet CA cert file, at /var/lib/rancher/k3s/server/tls/server-ca.crt.\nIf for some reason you need to provide your own ca certificate, look at using the k3s certificate command line tool.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "kubelet-certificate-authority="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"126-ensure-that-the---authorization-mode-argument-is-not-set-to-alwaysallow-automated",children:"1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' does not have 'AlwaysAllow'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --authorization-mode to AlwaysAllow.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "authorization-mode=AlwaysAllow"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"127-ensure-that-the---authorization-mode-argument-includes-node-automated",children:"1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' has 'Node'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --authorization-mode to Node and RBAC.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml,\nensure that you are not overriding authorization-mode."})]}),"\n",(0,t.jsx)(r.h3,{id:"128-ensure-that-the---authorization-mode-argument-includes-rbac-automated",children:"1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--authorization-mode' has 'RBAC'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --authorization-mode to Node and RBAC.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml,\nensure that you are not overriding authorization-mode."})]}),"\n",(0,t.jsx)(r.h3,{id:"129-ensure-that-the-admission-control-plugin-eventratelimit-is-set-manual",children:"1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),"\nFollow the Kubernetes documentation and set the desired limits in a configuration file.\nThen, edit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameters."]}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,EventRateLimit,..."\n - "admission-control-config-file="\n'})}),"\n",(0,t.jsx)(r.h3,{id:"1210-ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set-automated",children:"1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' does not have 'AlwaysAdmit' OR '--enable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --enable-admission-plugins to AlwaysAdmit.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=AlwaysAdmit"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1211-ensure-that-the-admission-control-plugin-alwayspullimages-is-set-manual",children:"1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),'\nPermissive, per CIS guidelines,\n"This setting could impact offline or isolated clusters, which have images pre-loaded and\ndo not have access to a registry to pull in-use images. This setting is not appropriate for\nclusters which use this configuration."\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameter.']}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,AlwaysPullImages,..."\n'})}),"\n",(0,t.jsx)(r.h3,{id:"1212-ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used-manual",children:"1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," Not Applicable"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Rationale:"})}),"\n",(0,t.jsx)(r.p,{children:"Enabling Pod Security Policy is no longer supported on K3s v1.25+ and will cause applications to unexpectedly fail."}),"\n",(0,t.jsx)(r.h3,{id:"1213-ensure-that-the-admission-control-plugin-serviceaccount-is-set-automated",children:"1.2.13 Ensure that the admission control plugin ServiceAccount is set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --disable-admission-plugins to anything.\nFollow the documentation and create ServiceAccount objects as per your environment.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "disable-admission-plugins=ServiceAccount"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1214-ensure-that-the-admission-control-plugin-namespacelifecycle-is-set-automated",children:"1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--disable-admission-plugins' is present OR '--disable-admission-plugins' is not present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --disable-admission-plugins to anything.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "disable-admission-plugins=...,NamespaceLifecycle,..."\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1215-ensure-that-the-admission-control-plugin-noderestriction-is-set-automated",children:"1.2.15 Ensure that the admission control plugin NodeRestriction is set (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--enable-admission-plugins' has 'NodeRestriction'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --enable-admission-plugins to NodeRestriction.\nIf using the K3s config file /etc/rancher/k3s/config.yaml, check that you are not overriding the admission plugins.\nIf you are, include NodeRestriction in the list."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "enable-admission-plugins=...,NodeRestriction,..."\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1216-ensure-that-the---profiling-argument-is-set-to-false-automated",children:"1.2.16 Ensure that the --profiling argument is set to false (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling'\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--profiling' is equal to 'false'"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s sets the --profiling argument to false.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "profiling=true"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1217-ensure-that-the---audit-log-path-argument-is-set-manual",children:"1.2.17 Ensure that the --audit-log-path argument is set (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-path' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml and set the audit-log-path parameter to a suitable path and\nfile where you would like audit logs to be written, for example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1218-ensure-that-the---audit-log-maxage-argument-is-set-to-30-or-as-appropriate-manual",children:"1.2.18 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxage' is greater or equal to 30"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxage parameter to 30 or as an appropriate number of days, for example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxage=30"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1219-ensure-that-the---audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate-manual",children:"1.2.19 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxbackup' is greater or equal to 10"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxbackup parameter to 10 or to an appropriate value. For example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxbackup=10"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1220-ensure-that-the---audit-log-maxsize-argument-is-set-to-100-or-as-appropriate-manual",children:"1.2.20 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--audit-log-maxsize' is greater or equal to 100"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and\nset the audit-log-maxsize parameter to an appropriate size in MB. For example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "audit-log-maxsize=100"\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1221-ensure-that-the---request-timeout-argument-is-set-as-appropriate-manual",children:"1.2.21 Ensure that the --request-timeout argument is set as appropriate (Manual)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," WARN"]}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Remediation:"}),'\nPermissive, per CIS guidelines,\n"it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed".\nEdit the K3s config file /etc/rancher/k3s/config.yaml\nand set the below parameter if needed. For example,']}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "request-timeout=300s"\n'})}),"\n",(0,t.jsx)(r.h3,{id:"1222-ensure-that-the---service-account-lookup-argument-is-set-to-true-automated",children:"1.2.22 Ensure that the --service-account-lookup argument is set to true (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-lookup' is not present OR '--service-account-lookup' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s does not set the --service-account-lookup argument.\nEdit the K3s config file /etc/rancher/k3s/config.yaml and set the service-account-lookup. For example,"}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "service-account-lookup=true"\n'})}),(0,t.jsx)(r.p,{children:"Alternatively, you can delete the service-account-lookup parameter from this file so\nthat the default takes effect."})]}),"\n",(0,t.jsx)(r.h3,{id:"1223-ensure-that-the---service-account-key-file-argument-is-set-as-appropriate-automated",children:"1.2.23 Ensure that the --service-account-key-file argument is set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -u k3s | grep 'Running kube-apiserver' | tail -n1\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--service-account-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s automatically generates and sets the service account key file.\nIt is located at /var/lib/rancher/k3s/server/tls/service.key.\nIf this check fails, edit K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "service-account-key-file="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1224-ensure-that-the---etcd-certfile-and---etcd-keyfile-arguments-are-set-as-appropriate-automated",children:"1.2.24 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"if [ \"$(journalctl -u k3s | grep -m1 'Managed etcd cluster' | wc -l)\" -gt 0 ]; then\n journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver' | tail -n1\nelse\n echo \"--etcd-certfile AND --etcd-keyfile\"\nfi\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--etcd-certfile' is present AND '--etcd-keyfile' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"K3s automatically generates and sets the etcd certificate and key files.\nThey are located at /var/lib/rancher/k3s/server/tls/etcd/client.crt and /var/lib/rancher/k3s/server/tls/etcd/client.key.\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "etcd-certfile="\n - "etcd-keyfile="\n'})})]}),"\n",(0,t.jsx)(r.h3,{id:"1225-ensure-that-the---tls-cert-file-and---tls-private-key-file-arguments-are-set-as-appropriate-automated",children:"1.2.25 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Result:"})," PASS"]}),"\n",(0,t.jsx)(r.p,{children:(0,t.jsx)(r.strong,{children:"Audit:"})}),"\n",(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-bash",children:"journalctl -D /var/log/journal -u k3s | grep -A1 'Running kube-apiserver' | tail -n2\n"})}),"\n",(0,t.jsxs)(r.p,{children:[(0,t.jsx)(r.strong,{children:"Expected Result:"})," '--tls-cert-file' is present AND '--tls-private-key-file' is present"]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Returned Value:"})}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{className:"language-console",children:'Aug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-apiserver --admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml --advertise-address=10.10.10.100 --advertise-port=6443 --allow-privileged=true --anonymous-auth=false --api-audiences=https://kubernetes.default.svc.cluster.local,k3s --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log --audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml --authorization-mode=Node,RBAC --bind-address=127.0.0.1 --cert-dir=/var/lib/rancher/k3s/server/tls/temporary-certs --client-ca-file=/var/lib/rancher/k3s/server/tls/client-ca.crt --egress-selector-config-file=/var/lib/rancher/k3s/server/etc/egress-selector-config.yaml --enable-admission-plugins=NodeRestriction --enable-aggregator-routing=true --enable-bootstrap-token-auth=true --encryption-provider-config=/var/lib/rancher/k3s/server/cred/encryption-config.json --encryption-provider-config-automatic-reload=true --etcd-cafile=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --etcd-certfile=/var/lib/rancher/k3s/server/tls/etcd/client.crt --etcd-keyfile=/var/lib/rancher/k3s/server/tls/etcd/client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-certificate-authority=/var/lib/rancher/k3s/server/tls/server-ca.crt --kubelet-client-certificate=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt --kubelet-client-key=/var/lib/rancher/k3s/server/tls/client-kube-apiserver.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --profiling=false --proxy-client-cert-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt --proxy-client-key-file=/var/lib/rancher/k3s/server/tls/client-auth-proxy.key --requestheader-allowed-names=system:auth-proxy --requestheader-client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6444 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.current.key --service-cluster-ip-range=10.43.0.0/16 --service-node-port-range=30000-32767 --storage-backend=etcd3 --tls-cert-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 --tls-private-key-file=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key"\nAug 09 19:06:17 server-0 k3s[2357]: time="2024-08-09T19:06:17Z" level=info msg="Running kube-scheduler --authentication-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --authorization-kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --bind-address=127.0.0.1 --kubeconfig=/var/lib/rancher/k3s/server/cred/scheduler.kubeconfig --profiling=false --secure-port=10259"\n'})})]}),"\n",(0,t.jsxs)(s,{children:[(0,t.jsx)("summary",{children:(0,t.jsx)("b",{children:"Remediation:"})}),(0,t.jsx)(r.p,{children:"By default, K3s automatically generates and provides the TLS certificate and private key for the apiserver.\nThey are generated and located at /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key\nIf this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below."}),(0,t.jsx)(r.pre,{children:(0,t.jsx)(r.code,{children:'kube-apiserver-arg:\n - "tls-cert-file="\n - "tls-private-key-file=