C-0070 - Enforce Kubelet client TLS authentication

Enforce Kubelet client TLS authentication

Note: to enable this control run Kubescape with host scanner (see here)

Framework

MITRE, ArmoBest, NSA, AllControls

Severity

Critical

Description of the the issue

Kubelets are the node level orchestrator in Kubernetes control plane. They are publishing service port 10250 where they accept commands from API server. Operator must make sure that only API server is allowed to submit commands to Kubelet. This is done through client certificate verification, must configure Kubelet with client CA file to use for this purpose.

Related resources

What does this control test

Reading the kubelet command lines and configuration file looking for client TLS configuration.

Remediation

Start the kubelet with the --client-ca-file flag, providing a CA bundle to verify client certificates with.

Example

No example


Did this page help you?