C-0116 - Ensure that the API Server --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate
Framework
cis-v1.23-t1.0.1
Severity
High
Description of the issue
The apiserver, by default, does not authenticate itself to the kubelet's HTTPS endpoints. The requests from the apiserver are treated anonymously. You should set up certificate-based kubelet authentication to ensure that the apiserver authenticates itself to kubelets when submitting requests.
Related resources
Pod
What does this control test
Enable certificate based kubelet authentication.
How to check it manually
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the --kubelet-client-certificate and --kubelet-client-key arguments exist and are set as appropriate.
Remediation
Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the Control Plane node and set the kubelet client certificate and key parameters as below.
--kubelet-client-certificate=<path/to/client-certificate-file>
--kubelet-client-key=<path/to/client-key-file>
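As an added example that is not part of this control page or of Kubescape, the manual check above can be scripted: the functions below inspect a kube-apiserver command line for both flags and, on a live node, confirm that the referenced certificate and key files are readable. The function names and the sample command lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or the control page): evaluate a
# kube-apiserver command line against C-0116. Function names and the sample
# command lines below are constructed for this example.

# flag_value FLAG CMDLINE
# Print the value of "FLAG=value" in CMDLINE, or nothing if the flag is absent.
flag_value() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# check_kubelet_client_flags CMDLINE
# Return 0 when both --kubelet-client-certificate and --kubelet-client-key
# are present with a non-empty value; otherwise report the missing flags
# and return 1.
check_kubelet_client_flags() {
    missing=""
    for flag in --kubelet-client-certificate --kubelet-client-key; do
        [ -n "$(flag_value "$flag" "$1")" ] || missing="$missing $flag"
    done
    if [ -n "$missing" ]; then
        echo "FAIL C-0116: missing or empty:$missing"
        return 1
    fi
    echo "PASS C-0116: apiserver presents a client certificate to kubelets"
}

# check_kubelet_client_files CMDLINE
# For a live node: the flags may be set but point at files the apiserver
# cannot read. Return 0 only if both referenced files exist and are readable.
check_kubelet_client_files() {
    for flag in --kubelet-client-certificate --kubelet-client-key; do
        path=$(flag_value "$flag" "$1")
        [ -r "$path" ] || { echo "FAIL C-0116: $flag=$path is not readable"; return 1; }
    done
}

# Constructed samples (paths are illustrative): one invocation with both flags
# set, one with the key missing. On a Control Plane node feed in the running
# process instead, e.g.:
#   check_kubelet_client_flags "$(ps -ef | grep '[k]ube-apiserver')"
GOOD_CMDLINE="kube-apiserver --advertise-address=10.0.0.1 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key"
BAD_CMDLINE="kube-apiserver --advertise-address=10.0.0.1 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt"
```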
Impact Statement
TLS must be configured on the apiserver as well as on the kubelets.
Default Value
By default, certificate-based kubelet authentication is not set.
Example
No example