C-0117 - Ensure that the API Server --kubelet-certificate-authority argument is set as appropriate
Framework
cis-v1.23-t1.0.1
Severity
High
Description of the the issue
The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet’s port-forwarding functionality. These connections terminate at the kubelet’s HTTPS endpoint. By default, the apiserver does not verify the kubelet’s serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.
Related resources
Pod
What does this control test
Verify kubelet's certificate before establishing connection.
How to check it manually
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the --kubelet-certificate-authority
argument exists and is set as appropriate.
Remediation
Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the Control Plane node and set the --kubelet-certificate-authority
parameter to the path to the cert file for the certificate authority.
--kubelet-certificate-authority=<ca-string>
Impact Statement
You require TLS to be configured on apiserver as well as kubelets.
Default Value
By default, --kubelet-certificate-authority
argument is not set.
Example
No example
Updated 11 days ago