The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet’s port-forwarding functionality. These connections terminate at the kubelet’s HTTPS endpoint. By default, the apiserver does not verify the kubelet’s serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.
Verify kubelet's certificate before establishing connection.
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the
--kubelet-certificate-authority argument exists and is set as appropriate.
Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file
/etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the
--kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.
You require TLS to be configured on apiserver as well as kubelets.
--kubelet-certificate-authority argument is not set.
Updated 6 days ago