--hostname-override argument is disabled

kubernetes

Classification:

compliance

Framework:

cis-kubernetes

Control:

4.2.8


Description

Do not override node hostnames.

Rationale

Overriding hostnames could potentially break TLS setup between the kubelet and the API server. Additionally, with overridden hostnames, it becomes increasingly difficult to associate logs with a particular node and process them for security analytics. Hence, you should set up your kubelet nodes with resolvable FQDNs and avoid overriding the hostnames with IPs.

Audit

Run the following command on each node:

ps -ef | grep kubelet

Verify that the --hostname-override argument does not exist.

Note: This setting is not configurable via the Kubelet config file.
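The audit above can be scripted so the result is a pass/fail exit code rather than a manual read of the process list. The helper below is an added example, not part of the benchmark or the Datadog rule: it reads a ps -ef listing on stdin, keeps only kubelet processes (discarding the auditor's own grep), and matches --hostname-override as a whole token in both the --flag=value and --flag value forms. The sample listings are constructed and do not come from a real node.

```shell
#!/bin/sh
# Added audit helper for CIS Kubernetes 4.2.8 (not the benchmark's own code).
# Reads a `ps -ef` listing on stdin.
# Exit codes: 0 = compliant, 1 = --hostname-override present, 2 = no kubelet found.
audit_hostname_override() {
    # Keep lines whose command is the kubelet binary (e.g. /usr/bin/kubelet)
    # and drop the auditor's own "grep kubelet" so it is not mistaken for it.
    procs=$(grep -E '(^|[[:space:]])(/[^[:space:]]*)?kubelet([[:space:]]|$)' \
            | grep -vE '(^|[[:space:]])grep([[:space:]]|$)' || true)
    [ -n "$procs" ] || return 2
    # Match the flag as a whole token: "--hostname-override=name" and
    # "--hostname-override name" both count; a longer flag name would not.
    if printf '%s\n' "$procs" \
         | grep -qE '(^|[[:space:]])--hostname-override(=|[[:space:]]|$)'; then
        return 1
    fi
    return 0
}

# Constructed sample listings (not captured from a real node).
SAMPLE_COMPLIANT='root  1200  1 0 10:00 ?  00:00:10 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml
root  1300  1200 0 10:01 pts/0  00:00:00 grep kubelet'
SAMPLE_OVERRIDDEN='root  1200  1 0 10:00 ?  00:00:10 /usr/bin/kubelet --config=/var/lib/kubelet/config.yaml --hostname-override=10.0.0.12
root  1300  1200 0 10:01 pts/0  00:00:00 grep kubelet'

# Offline demonstration; on a real node run:  ps -ef | audit_hostname_override; echo $?
for sample in "$SAMPLE_COMPLIANT" "$SAMPLE_OVERRIDDEN"; do
    rc=0
    printf '%s\n' "$sample" | audit_hostname_override || rc=$?
    echo "exit=$rc"
done
```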

Remediation

Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and remove the --hostname-override argument from the KUBELET_SYSTEM_PODS_ARGS variable. Based on your system, restart the kubelet service. For example:

systemctl daemon-reload
systemctl restart kubelet.service

Impact

Some cloud providers may require this flag to ensure that hostname matches names issued by the cloud provider. In these environments, this recommendation should not apply.

Default value

By default, --hostname-override argument is not set.

References

  1. https://kubernetes.io/docs/admin/kubelet/
  2. https://github.com/kubernetes/kubernetes/issues/22063

CIS controls

Version 6, Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers