Profile applicability: Level 1 - Master Node
Enable certificate based kubelet authentication.
The apiserver, by default, does not authenticate itself to the kubelet's HTTPS endpoints. The requests from the apiserver are treated anonymously. You should set up certificate-based kubelet authentication to ensure that the apiserver authenticates itself to kubelets when submitting requests.
Note: By default, certificate-based kubelet authentication is not set.
Impact
You require TLS to be configured on apiserver as well as kubelets.
Audit
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the --kubelet-client-certificate and --kubelet-client-key arguments exist and are set as appropriate.
Alternative Audit Method
kubectl get pod -nkube-system -lcomponent=kube-apiserver -o=jsonpath='{range .items[]}{.spec.containers[].command} {"\n"}{end}' | grep -- '--kubelet-client-certificate'
If the exit code is '1', then the control isn't present / failed.
Remediation
Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the kubelet client certificate and key parameters as below.
--kubelet-client-certificate=<path/to/client-certificate-file>
--kubelet-client-key=<path/to/client-key-file>
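The manifest check can also be scripted so that it fails when only one of the two flags is set or a flag has no value. The following is an added example, not part of the benchmark text; the function names and the sample manifest are illustrative assumptions, and the optional file check assumes the pod mounts the host PKI directory at the same path.

```shell
# Added example: audit a kube-apiserver static pod manifest for the two
# kubelet client flags. Function names and sample paths are illustrative.

# Print the value of "- --FLAG=VALUE" from MANIFEST (last occurrence, if repeated).
flag_value() {
    sed -n "s/^[[:space:]]*-[[:space:]]*[\"']\{0,1\}--$2=\([^\"']*\).*\$/\1/p" "$1" | tail -n 1
}

# audit_kubelet_client_auth MANIFEST [ROOT]
# Returns 0 only if both flags carry a non-empty value. With ROOT given, each
# path must also be a non-empty file under ROOT (assumes the pod mounts the
# host PKI directory at the same path, as a hostPath volume would).
audit_kubelet_client_auth() {
    manifest=$1
    root=${2-}
    rc=0
    [ -r "$manifest" ] || { echo "FAIL: cannot read $manifest"; return 1; }
    for flag in kubelet-client-certificate kubelet-client-key; do
        value=$(flag_value "$manifest" "$flag")
        if [ -z "$value" ]; then
            echo "FAIL: --$flag is missing or has no value"; rc=1
        elif [ -n "$root" ] && [ ! -s "$root$value" ]; then
            echo "FAIL: --$flag=$value not found under $root"; rc=1
        else
            echo "PASS: --$flag=$value"
        fi
    done
    return "$rc"
}

# Constructed sample manifest (not taken from a real cluster).
write_sample_manifest() {
    cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
spec:
  containers:
  - command:
    - kube-apiserver
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
EOF
}

sample=$(mktemp)
write_sample_manifest "$sample"
audit_kubelet_client_auth "$sample"
rm -f "$sample"
```

On a Control Plane node, pass /etc/kubernetes/manifests/kube-apiserver.yaml as MANIFEST and / as ROOT to also confirm that both files exist and are non-empty.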
 
		