C-0138 - Ensure that the API Server --tls-cert-file and --tls-private-key-file arguments are set as appropriate
Framework
cis-v1.23-t1.0.1
Severity
High
Description of the the issue
API server communication contains sensitive parameters that should remain encrypted in transit. Configure the API server to serve only HTTPS traffic.
Related resources
Pod
What does this control test
Setup TLS connection on the API server.
How to check it manually
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the --tls-cert-file
and --tls-private-key-file
arguments exist and they are set as appropriate.
Remediation
Follow the Kubernetes documentation and set up the TLS connection on the apiserver. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the TLS certificate and private key file parameters.
--tls-cert-file=<path/to/tls-certificate-file>
--tls-private-key-file=<path/to/tls-key-file>
Impact Statement
TLS and client certificate authentication must be configured for your Kubernetes cluster deployment.
Default Value
By default, --tls-cert-file
and --tls-private-key-file
arguments are not set.
Example
No example
Updated 11 days ago