C-0174 - Ensure that the --client-ca-file argument is set as appropriate
Prerequisites
Run Kubescape with host sensor (see here)
Framework
cis-v1.23-t1.0.1, cis-aks-t1.2.0, cis-eks-t1.2.0
Severity
Medium
Description of the the issue
The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet’s port-forwarding functionality. These connections terminate at the kubelet’s HTTPS endpoint. By default, the apiserver does not verify the kubelet’s serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. Enabling Kubelet certificate authentication ensures that the apiserver could authenticate the Kubelet before submitting any requests.
Related resources
What does this control test
Enable Kubelet authentication using certificates.
How to check it manually
Run the following command on each node:
ps -ef | grep kubelet
Verify that the --client-ca-file
argument exists and is set to the location of the client certificate authority file.
If the --client-ca-file
argument is not present, check that there is a Kubelet config file specified by --config
, and that the file sets authentication: x509: clientCAFile
to the location of the client certificate authority file.
Remediation
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile
to the location of the client CA file.
If using command line arguments, edit the kubelet service file /etc/kubernetes/kubelet.conf
on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS
variable.
--client-ca-file=<path/to/client-ca-file>
Based on your system, restart the kubelet
service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
Impact Statement
You require TLS to be configured on apiserver as well as kubelets.
Default Value
By default, --client-ca-file
argument is not set.
Example
No example
Updated 11 days ago