# Question 12: CIS Kube-bench
###### tags: `Exam question walkthrough`
Switch cluster: `kubectl config use-context k8s65`
**Context**
A CIS Benchmark tool was run against the kubeadm-created cluster and found multiple issues that must be addressed immediately.
**Task**
Fix all issues via configuration and restart the affected components to ensure the new settings take effect.
Fix all of the following violations that were found against the API server:
```
1.2.7   Ensure that the --authorization-mode argument is not set to AlwaysAllow   FAIL
1.2.8   Ensure that the --authorization-mode argument includes Node               FAIL
1.2.9   Ensure that the --authorization-mode argument includes RBAC               FAIL
1.2.18  Ensure that the --insecure-bind-address argument is not set               FAIL
1.2.19  Ensure that the --insecure-port argument is set to 0                      FAIL
```
Fix all of the following violations that were found against the kubelet:
```
4.2.1   Ensure that the anonymous-auth argument is set to false                   FAIL
4.2.2   Ensure that the --authorization-mode argument is not set to AlwaysAllow   FAIL
```
Use webhook authn/authz where possible.
## Solution
**Master Node**
Fix the API server: `/etc/kubernetes/manifests# vim kube-apiserver.yaml`. It is best to back the file up first.
If you see the `--insecure-bind-address` argument, delete the whole line.

**Worker Node**
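The kubelet parameters are in `/var/lib/kubelet/config.yaml`.
Change it to the following configuration as required; this is in fact just the default configuration. If you cannot remember it, you can simply copy the same file from the Master Node :wink: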
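
An added example, not part of the original write-up: a shell check that re-audits both files for the seven findings listed in the task once they have been edited. The function names and the embedded sample files (constructed, shown in their corrected state) are assumptions for illustration; the kubelet check is stricter than 4.2.2 as worded and requires an explicit `Webhook` mode, following the task's request to use webhook authn/authz.

```bash
# Added example (not from the original page); names and sample files are constructed.
# Value of "- --NAME=value" in a static pod manifest; empty if the flag is absent.
flag_value() { sed -n "s/^ *- --$2=//p" "$1" | tail -n 1; }

# Print the API server check ids that still fail for manifest $1.
audit_apiserver() {
  local fails="" mode
  mode=",$(flag_value "$1" authorization-mode),"
  case $mode in ,,|*,AlwaysAllow,*) fails="$fails 1.2.7" ;; esac  # absent = AlwaysAllow default
  case $mode in *,Node,*) ;; *) fails="$fails 1.2.8" ;; esac
  case $mode in *,RBAC,*) ;; *) fails="$fails 1.2.9" ;; esac
  if grep -q -e '--insecure-bind-address' "$1"; then fails="$fails 1.2.18"; fi
  [ "$(flag_value "$1" insecure-port)" = 0 ] || fails="$fails 1.2.19"
  echo $fails
}

# Value at KEY1.KEY2[.KEY3] in a 2-space-indented YAML file (kubelet config).
yaml_get() {
  awk -v a="$2:" -v b="$3:" -v c="$4:" '
    /^[^ #]/          { in_a = ($1 == a); in_b = 0; next }
    in_a && /^  [^ ]/ { in_b = ($1 == b); if (in_b && c == ":") print $2; next }
    in_a && in_b && /^    [^ ]/ && $1 == c { print $2 }' "$1"
}

# Print the kubelet check ids that still fail; only an explicit Webhook mode passes.
audit_kubelet() {
  local fails=""
  [ "$(yaml_get "$1" authentication anonymous enabled)" = false ] || fails="$fails 4.2.1"
  [ "$(yaml_get "$1" authorization mode)" = Webhook ] || fails="$fails 4.2.2"
  echo $fails
}

# Constructed fragments of both files in their corrected state.
write_fixed_samples() {
  printf '%s\n' '    - kube-apiserver' '    - --authorization-mode=Node,RBAC' \
    '    - --insecure-port=0' > "$1/kube-apiserver.yaml"
  cat > "$1/config.yaml" <<'EOF'
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
authorization:
  mode: Webhook
EOF
}
d=$(mktemp -d) && write_fixed_samples "$d"
echo "still failing: apiserver [$(audit_apiserver "$d/kube-apiserver.yaml")] kubelet [$(audit_kubelet "$d/config.yaml")]"
```

On a real node, point the two audit functions at `/etc/kubernetes/manifests/kube-apiserver.yaml` and `/var/lib/kubelet/config.yaml`, and restart the kubelet (`systemctl restart kubelet`) after changing its config. Newer Kubernetes releases removed `--insecure-port`; there the flag is deleted rather than set to 0 and check 1.2.19 no longer applies.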
