Profile applicability: Level 1 - Master Node
Verify kubelet's certificate before establishing connection.
The connections from the apiserver to the kubelet are used for fetching logs for pods,
attaching (through kubectl) to running pods, and using the kubelet’s port-forwarding
functionality. These connections terminate at the kubelet’s HTTPS endpoint. By default,
the
apiserver does not verify the kubelet’s serving certificate, which makes the connection
subject
to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.
 |
NoteBy default,
--kubelet-certificate-authority argument is not set. |
Impact
You require TLS to be configured on apiserver as well as kubelets.
Audit
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the
--kubelet-certificate-authority argument exists and is set as
appropriate.Alternative Audit Method
kubectl get pod -nkube-system -lcomponent=kube-apiserver -o=jsonpath='{range
.items[]}{.spec.containers[].command} {"\n"}{end}' | grep '--kubelet-certificate-Authority' |
grep -i false
If the exit code is '1', then the control isn't present / failed.
Remediation
Follow the Kubernetes documentation and setup the TLS connection between the apiserver
and
kubelets. Then, edit the API server pod specification file
/etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and
set the --kubelet-certificate-authority parameter to the path to the cert file
for the certificate authority.--kubelet-certificate-authority=<ca-string>