是否可以在 Azure Kubernetes 服务等托管 Kubernetes 集群上应用和维护 CIS 基准合规性?
Is it possible to apply & maintain the CIS Benchmarks Compliance on Managed Kubernetes Clusters such as Azure Kubernetes Service?
我在 Azure Public 云上有一个托管的 Kubernetes 集群。我尝试对节点进行一些更改以满足 CIS Benchmark Guide for Kubernetes 提供的 1 Host Compliance。然后我升级了一个关于大小的节点。主机合规性再次失败。它已在该节点上重置。如何维护节点上的所有更改?
我在节点上执行了 ssh 并在那里进行了更改。但节点升级后合规失败。
您可以Reconfigure a Node's Kubelet in a Live Cluster,但它用于集群配置。
关于节点本身的变化,推荐阅读Security hardening in AKS virtual machine hosts。
AKS clusters are deployed on host virtual machines, which run a security optimized OS. This host OS is currently based on an Ubuntu 16.04.LTS image with a set of additional security hardening steps applied (see Security hardening details).
The goal of the security hardened host OS is to reduce the surface area of attack and allow the deployment of containers in a secure fashion.
Important
The security hardened OS is NOT CIS benchmarked. While there are overlaps with CIS benchmarks, the goal is not to be CIS-compliant. The goal for host OS hardening is to converge on a level of security consistent with Microsoft’s own internal host security standards.
如果您需要进行任何更改,那么我建议您使用 kubeadm 手动设置您自己的集群。只需让虚拟服务器按照您的方式配置它们并使用 Creating a single control-plane cluster with kubeadm 或任何其他适合您需要的指南。
我在 Azure Public 云上有一个托管的 Kubernetes 集群。我尝试对节点进行一些更改以满足 CIS Benchmark Guide for Kubernetes 提供的 1 Host Compliance。然后我升级了一个关于大小的节点。主机合规性再次失败。它已在该节点上重置。如何维护节点上的所有更改?
我在节点上执行了 ssh 并在那里进行了更改。但节点升级后合规失败。
您可以Reconfigure a Node's Kubelet in a Live Cluster,但它用于集群配置。
关于节点本身的变化,推荐阅读Security hardening in AKS virtual machine hosts。
AKS clusters are deployed on host virtual machines, which run a security optimized OS. This host OS is currently based on an Ubuntu 16.04.LTS image with a set of additional security hardening steps applied (see Security hardening details).
The goal of the security hardened host OS is to reduce the surface area of attack and allow the deployment of containers in a secure fashion.
Important
The security hardened OS is NOT CIS benchmarked. While there are overlaps with CIS benchmarks, the goal is not to be CIS-compliant. The goal for host OS hardening is to converge on a level of security consistent with Microsoft’s own internal host security standards.
如果您需要进行任何更改,那么我建议您使用 kubeadm 手动设置您自己的集群。只需让虚拟服务器按照您的方式配置它们并使用 Creating a single control-plane cluster with kubeadm 或任何其他适合您需要的指南。