Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.

Fix all of the following violations that were found against the API server:
a. Ensure the --authorization-mode argument includes RBAC
b. Ensure the --authorization-mode argument includes Node
c. Ensure that the --profiling argument is set to false

Fix all of the following violations that were found against the Kubelet:
a. Ensure the --anonymous-auth argument is set to false.
b. Ensure that the --authorization-mode argument is set to Webhook.

Fix all of the following violations that were found against the ETCD:
a. Ensure that the --auto-tls argument is not set to true

Hint: Make use of the tool kube-bench.
/etc/kubernetes/manifests/kube-apiserver.yaml for the API server and make sure --authorization-mode=Node,RBAC and --profiling=false are set. For kubelet, update /var/lib/kubelet/config.yaml so anonymous-auth: false and authorization-mode: Webhook, then restart kubelet service. With etcd, you need to remove or set --auto-tls=false in its manifest. Restarting static pods should trigger via file edit but for kubelet it's manual. Sometimes people miss that last one, pretty sure this covers all CIS bits unless the cluster is running a custom config.
Edit the manifest YAMLs for api-server (add RBAC, Node to --authorization-mode, set --profiling=false), kubelet config (set anonymous-auth: false, authorization-mode: Webhook), and etcd (remove or set --auto-tls=false). Then restart affected pods or services. Pretty sure that's the CIS way, but open to correction if anyone sees a step missing.
Edit the static pod YAML for each component (api-server, etcd), plus the kubelet config, then restart affected pods or the kubelet service. I've seen similar in practice exams and official docs are a solid reference for syntax.
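To confirm the edits landed before restarting anything, the following added example (not part of the posts above and not kube-bench's code) re-checks the six items from the task against the text of the three files. It assumes the API server and etcd settings appear as `- --name=value` arguments in their static pod manifests, and that the kubelet config file expresses the two kubelet items as the KubeletConfiguration fields `authentication.anonymous.enabled` and `authorization.mode`; the sample fragments are constructed.

```python
import re

def flags(manifest):
    """Return {name: value} for '- --name=value' args in a static pod manifest."""
    return dict(re.findall(r"^[ \t]*-[ \t]+--([\w-]+)=(\S+)[ \t]*$", manifest, re.M))

def dotted(config):
    """Flatten simple nested YAML mappings (list items ignored) into dotted keys."""
    out, parents = {}, []                      # parents: (indent, key) still open
    for line in config.splitlines():
        m = re.match(r"^( *)([A-Za-z][\w-]*):[ \t]*(.*?)[ \t]*$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while parents and parents[-1][0] >= indent:
            parents.pop()
        if value:
            out[".".join([k for _, k in parents] + [key])] = value
        else:
            parents.append((indent, key))
    return out

def audit(apiserver, etcd, kubelet):
    """List the violations from the task that are still present."""
    api, etc, kub = flags(apiserver), flags(etcd), dotted(kubelet)
    modes = api.get("authorization-mode", "").split(",")
    found = [f"apiserver: --authorization-mode lacks {m}"
             for m in ("RBAC", "Node") if m not in modes]
    if api.get("profiling") != "false":        # an absent flag is reported too
        found.append("apiserver: --profiling is not false")
    if kub.get("authentication.anonymous.enabled") != "false":
        found.append("kubelet: anonymous auth is not disabled")
    if kub.get("authorization.mode") != "Webhook":
        found.append("kubelet: authorization mode is not Webhook")
    if etc.get("auto-tls") == "true":          # removed or false both pass
        found.append("etcd: --auto-tls is true")
    return found

# Constructed fragments standing in for the three files (not from a real cluster).
API = "    - kube-apiserver\n    - --authorization-mode=AlwaysAllow\n    - --profiling=true\n"
ETCD = "    - etcd\n    - --auto-tls=true\n"
KUBELET = ("authentication:\n  anonymous:\n    enabled: true\n"
           "  webhook:\n    enabled: true\nauthorization:\n  mode: AlwaysAllow\n")

if __name__ == "__main__":
    for finding in audit(API, ETCD, KUBELET):
        print("FAIL", finding)
```

On a node, pass the contents of the real files to `audit()`; an empty list means all six items pass at the file level, and kube-bench remains the check against the running components.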