K
Q

Regarding GKE optimised image hardening

4/1/2020

We tried to harden the gke optimized image (gke-1.15.11) for our cluster. We took an ssh into the node instance and made the cis porposed changes in the /home/kubernetes/kubelet-config.yaml file and ran kubebench to check if all the conditions have passed around 8 condtions failed these where the exact conditions we changed in the file. But, then we made the exact argument changes in /etc/default/kubernetes and ran kubebench again the conditions passed. But, when we restarted the instance we all the changes we made in the /ect/default/kubernetes file where gone. Can someone let me know where we are going wrong or is there any other path where we have to make the cis benchmark suggested entries

-- Hariharan Chandrasekar
google-cloud-platform
google-kubernetes-engine
hardening
kubernetes

Similar Questions

In kubernetes can ```service.spec.sessionAffinityConfig.clientIP.timeoutSeconds``` be set to infinity?
Looking for a way to determine why a packet leaving my cluster would keep it's pod IP
Difference between zones and locations endpoints in GKE clusters API
How to include or exclude specific namespaces in cluster role kubernetes

1 Answer

4/5/2020

GKE doesn't support user-provided node images as of April 2020. Recommended option is to create your own DaemonSet with host filesystem writes and/or host services restart to propagate all the required changes.

-- Alex Vorona
Source: StackOverflow