Make 'kube-bench' happy.

Signed-off-by: Bruno Miguel Custódio <brunomcustodio@gmail.com>

files/bootstrap.sh

@@ -331,3 +331,13 @@ fi
 systemctl daemon-reload
 systemctl enable kubelet
 systemctl start kubelet
+
+# Wait for the TLS certificate and private key to be present and add these to the config file so they are picked up the next time the kubelet starts.
+# These cannot be added upfront because they are not present when the kubelet first starts, and adding them would cause the kubelet to crash.
+TLS_CERT_FILE="/var/lib/kubelet/pki/kubelet-server-current.pem"
+while [[ ! -f $TLS_CERT_FILE ]]
+do
+  sleep 1
+done
+echo "$(jq ".tlsCertFile=\"$TLS_CERT_FILE\"" $KUBELET_CONFIG)" > $KUBELET_CONFIG
+echo "$(jq ".tlsPrivateKeyFile=\"$TLS_CERT_FILE\"" $KUBELET_CONFIG)" > $KUBELET_CONFIG

files/kubelet-config.json

@@ -25,9 +25,12 @@
   "hairpinMode": "hairpin-veth",
   "cgroupDriver": "cgroupfs",
   "cgroupRoot": "/",
+  "eventRecordQPS": 0,
   "featureGates": {
     "RotateKubeletServerCertificate": true
   },
+  "protectKernelDefaults": true,
+  "readOnlyPort": 0,
   "serializeImagePulls": false,
   "serverTLSBootstrap": true
 }

install-worker.sh

@@ -227,6 +227,16 @@ EOF
 sudo mv /tmp/release /etc/eks/release
 sudo chown root:root /etc/eks/*
 
+################################################################################
+### Stuff required by "protectKernelDefaults=true" #############################
+################################################################################
+
+cat <<EOF | sudo tee -a /etc/sysctl.d/99-amazon.conf
+vm.overcommit_memory=1
+kernel.panic=10
+kernel.panic_on_oops=1
+EOF
+
 ################################################################################
 ### Cleanup ####################################################################
 ################################################################################