Run Kubescape with host sensor (see here)
cis-aks-t1.2.0, cis-eks-t1.2.0, cis-v1.23-t1.0.1
The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet’s port-forwarding functionality. These connections terminate at the kubelet’s HTTPS endpoint. By default, the apiserver does not verify the kubelet’s serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. Enabling Kubelet certificate authentication ensures that the apiserver could authenticate the Kubelet before submitting any requests.
Enable Kubelet authentication using certificates.
Run the following command on each node:
ps -ef | grep kubelet
Verify that the
--client-ca-file argument exists and is set to the location of the client certificate authority file.
--client-ca-file argument is not present, check that there is a Kubelet config file specified by
--config, and that the file sets
authentication: x509: clientCAFile to the location of the client certificate authority file.
If using a Kubelet config file, edit the file to set
authentication: x509: clientCAFile to the location of the client CA file.
If using command line arguments, edit the kubelet service file
/etc/kubernetes/kubelet.conf on each worker node and set the below parameter in
Based on your system, restart the
kubelet service. For example:
systemctl daemon-reload systemctl restart kubelet.service
You require TLS to be configured on apiserver as well as kubelets.
--client-ca-file argument is not set.
Updated 6 days ago