Host hardening on K3S-based integration

Each time you start K3S, a KUBECONFIG file is created. This file contains the credentials to access the K3S cluster as an administrator. By default, the KUBECONFIG file is created at /etc/rancher/k3s/k3s.yaml. For security reasons, we recommend hardening the host by making the KUBECONFIG file inaccessible to other users. Note that while host hardening is applied to Edge, you cannot connect to the K3S cluster using kubectl or the Edge tools.

In this article, you will learn how to enable and disable the host hardening.

Prerequisites

Enable host hardening

  1. Sign into the server that hosts your Edge site with root privileges.
  2. Open the file /etc/systemd/system/k3s.service.env for editing.
  3. Add the following lines to the k3s.service.env file:
    • K3S_KUBECONFIG_OUTPUT=/dev/null
    • K3S_KUBECONFIG_MODE=666

    Note If the file already contains other lines that set other environment variables, do not remove them.

  4. Restart the K3S service: systemctl restart k3s

  5. Check if the KUBECONFIG file is empty: cat /etc/rancher/k3s/k3s.yaml

    Note K3S actually makes /etc/rancher/k3s/k3s.yaml a symlink to /dev/null, so the file reads as empty.

To further increase the security of your server, you can prevent connections to K3S from other sources than localhost.

Limit access to the following ports from any source other than localhost:

Protocol   Port    Description
TCP        6443    Kubernetes API server
TCP        10250   Kubelet metrics

The following iptables rules file, in iptables-restore format, blocks access to the ports listed in the table from every interface except the loopback interface (lo) and the K3S CNI bridge (cni0). Loading it through iptables keeps the rules in place across Edge upgrades and reboots. Please check with your security team for compliance and for the tools used to filter the traffic before applying these rules.

# iptables chain names cannot contain spaces, so the custom chain is named edge_hardening.
*filter
:INPUT ACCEPT [0:0]
:edge_hardening - [0:0]
-A INPUT -j edge_hardening
# Keep replies to established connections and incoming SSH working.
-A edge_hardening -m state --state RELATED,ESTABLISHED -j ACCEPT
-A edge_hardening -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Allow the API server and kubelet ports only from localhost and the cluster network.
-A edge_hardening -j ACCEPT -i lo -p tcp -m multiport --dports 6443,10250
-A edge_hardening -j ACCEPT -i cni0 -p tcp -m multiport --dports 6443,10250
# Drop the same ports from every other source.
-A edge_hardening -j DROP -p tcp -m multiport --dports 6443,10250
COMMIT
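To confirm that the hardening is actually in effect after these steps, the following audit script (an added example, not part of the original article or the Edge tooling) checks the three pieces: the two settings in k3s.service.env, the KUBECONFIG path, and the iptables rules. It assumes the article's default paths, the chain name edge_hardening, and that iptables-save is available; the variable names K3S_ENV_FILE and K3S_KUBECONFIG_PATH are made up for overriding the paths.

```shell
#!/bin/sh
# Added audit script (not part of the original article): reports whether the
# host hardening described above is in effect. Paths are the article's defaults
# and can be overridden via the K3S_ENV_FILE / K3S_KUBECONFIG_PATH variables (assumed names).
ENV_FILE="${K3S_ENV_FILE:-/etc/systemd/system/k3s.service.env}"
KUBECONFIG_PATH="${K3S_KUBECONFIG_PATH:-/etc/rancher/k3s/k3s.yaml}"

# 0 when the env file contains both settings from the "Enable host hardening" steps.
check_env_file() {
    [ -r "$1" ] || return 1
    grep -qx 'K3S_KUBECONFIG_OUTPUT=/dev/null' "$1" || return 1
    grep -qx 'K3S_KUBECONFIG_MODE=666' "$1"
}

# 0 when the kubeconfig path is a symlink resolving to /dev/null (what K3S creates
# once the output is redirected) or an empty regular file.
check_kubeconfig() {
    if [ -L "$1" ] && [ "$(readlink -f "$1")" = "/dev/null" ]; then return 0; fi
    [ -f "$1" ] && [ ! -s "$1" ]
}

# Reads an iptables-save dump on stdin; 0 when a DROP for TCP 6443,10250 that is
# not bound to an interface exists and the loopback ACCEPT for the same ports
# comes before it, so local tooling on the host keeps working.
check_firewall_dump() {
    awk '
        /^-A / && / -j ACCEPT / && / -i lo / && /--dports 6443,10250/ { lo_ok = NR }
        /^-A / && / -j DROP / && !/ -i / && /--dports 6443,10250/ { drop = NR }
        END { if (lo_ok && drop && lo_ok < drop) exit 0; exit 1 }'
}

# Runs the three checks; iptables-save needs root, otherwise the last check fails.
audit_host() {
    rc=0
    if check_env_file "$1"; then echo "OK   $1 pins KUBECONFIG output to /dev/null"
    else echo "FAIL $1 lacks the two hardening settings"; rc=1; fi
    if check_kubeconfig "$2"; then echo "OK   $2 is empty or resolves to /dev/null"
    else echo "FAIL $2 is neither empty nor a symlink to /dev/null"; rc=1; fi
    if iptables-save 2>/dev/null | check_firewall_dump; then echo "OK   6443/10250 dropped except on lo"
    else echo "FAIL no unrestricted DROP for 6443,10250 after the lo ACCEPT (root needed)"; rc=1; fi
    return $rc
}

if audit_host "$ENV_FILE" "$KUBECONFIG_PATH"; then echo "Host hardening is in effect"
else echo "Host hardening is NOT fully in effect"; fi
```

Run it as root on the Edge host; each FAIL line names the step of the procedure above that still needs attention.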

Disable host hardening

  1. Sign into the server that hosts your Edge site with root privileges.
  2. Open the file /etc/systemd/system/k3s.service.env for editing.
  3. Remove the following lines from the k3s.service.env file:
    • K3S_KUBECONFIG_OUTPUT=/dev/null
    • K3S_KUBECONFIG_MODE=666
  4. Restart the K3S service: systemctl restart k3s
  5. Check if the KUBECONFIG file is empty: cat /etc/rancher/k3s/k3s.yaml
  6. Comment out any undesired restrictions in iptables.
  7. Restart iptables.