Commit d429ec4

Raise terminated-pod-gc-threshold to 100 for cis-hardening (#497)
Signed-off-by: Derek Nola <derek.nola@suse.com>
1 parent f8eeef0 commit d429ec4

1 file changed

+2
-2
lines changed

docs/security/hardening-guide.md

Lines changed: 2 additions & 2 deletions
@@ -54,7 +54,7 @@ kube-apiserver-arg:
5454
- 'audit-log-maxsize=100'
5555
- 'service-account-extend-token-expiration=false'
5656
kube-controller-manager-arg:
57-
- 'terminated-pod-gc-threshold=10'
57+
- 'terminated-pod-gc-threshold=100'
5858
kubelet-arg:
5959
- 'streaming-connection-idle-timeout=5m'
6060
- "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
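
Review bot: The new value under kube-controller-manager-arg, 'terminated-pod-gc-threshold=100', is given with no rationale in the guide itself, and the only explanation is the commit subject ("for cis-hardening"). A reader copying this config block cannot tell whether 100 is a benchmark requirement or an example value they may tune, so a one-line note beside the block saying which it is would help. Please also confirm that no other part of the docs still shows 'terminated-pod-gc-threshold=10', since this hunk updates only this one occurrence and operators who compare the guide against an existing config will otherwise see conflicting values.
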
@@ -681,4 +681,4 @@ kubectl patch serviceaccount --namespace kube-public default --patch '{"automoun
681681

682682
## Conclusion
683683

684-
If you have followed this guide, your K3s cluster will be configured to comply with the CIS Kubernetes Benchmark. You can review the [CIS 1.8 Self-Assessment Guide](self-assessment-1.8.md) to understand the expectations of each of the benchmark's checks and how you can do the same on your cluster.
684+
If you have followed this guide, your K3s cluster will be configured to comply with the CIS Kubernetes Benchmark. You can review the [CIS 1.11 Self-Assessment Guide](self-assessment-1.11.md) to understand the expectations of each of the benchmark's checks and how you can do the same on your cluster.
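
Review bot: The link change in the Conclusion paragraph, from self-assessment-1.8.md to self-assessment-1.11.md, is not mentioned in the commit message, which only describes the terminated-pod-gc-threshold change. Either mention it in the message or split it into its own commit so the history explains why the referenced benchmark version moved. The commit touches one file only, so self-assessment-1.11.md is not added here; please verify that it already exists next to hardening-guide.md so the link does not break. The sentence also still says "the CIS Kubernetes Benchmark" without a version, and naming the version there would keep the claim consistent with the guide it links to.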
