CIS-1.2.26 - Ensure that the API Server --tls-cert-file and --tls-private-key-file arguments are set as appropriate

Ensure that the API Server --tls-cert-file and --tls-private-key-file arguments are set as appropriate

Framework

CIS

Severity

High

Description of the the issue

API server communication contains sensitive parameters that should remain encrypted in transit. Configure the API server to serve only HTTPS traffic.

Related resources

Pod

What does this control test

Setup TLS connection on the API server.

How to check it manually

Run the following command on the Control Plane node:

ps -ef | grep kube-apiserver

Verify that the --tls-cert-file and --tls-private-key-file arguments exist and they are set as appropriate.

Remediation

Follow the Kubernetes documentation and set up the TLS connection on the apiserver. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the TLS certificate and private key file parameters.

--tls-cert-file=<path/to/tls-certificate-file> 
--tls-private-key-file=<path/to/tls-key-file>

Impact Statement

TLS and client certificate authentication must be configured for your Kubernetes cluster deployment.

Default Value

By default, --tls-cert-file and --tls-private-key-file arguments are not set.

Example

No example