Apply CIS benchmark to kubelet conf

Signed-off-by: Malte Poll <mp@edgeless.systems>
Co-authored-by: Moritz Eckert <me@edgeless.systems>

coordinator/kubernetes/k8sapi/kubeadm_config.go

@@ -81,6 +81,17 @@ func (c *CoreOSConfiguration) InitConfiguration(externalCloudProvider bool) Kube
 		},
 		// warning: this config is applied to every node in the cluster!
 		KubeletConfiguration: kubeletconf.KubeletConfiguration{
+			ProtectKernelDefaults: true, // CIS benchmark
+			TLSCipherSuites: []string{
+				"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+				"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+				"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+				"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+				"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+				"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+				"TLS_RSA_WITH_AES_256_GCM_SHA384",
+				"TLS_RSA_WITH_AES_128_GCM_SHA256",
+			}, // CIS benchmark
 			TypeMeta: v1.TypeMeta{
 				APIVersion: kubeletconf.SchemeGroupVersion.String(),
 				Kind:       "KubeletConfiguration",