Profile applicability: Level 1 - Master Node
Enable kubelet server certificate rotation on controller-manager.
RotateKubeletServerCertificate causes the kubelet to both request a serving
certificate after bootstrapping its client credentials and rotate the certificate
as its existing
credentials expire. This automated periodic rotation ensures that the there are no
downtimes due
to expired certificates and thus addressing availability in the CIA security triad. |
NoteThis recommendation only applies if you let kubelets get their certificates from the
API
server. In case your kubelet certificates come from an outside authority/tool (e.g.
Vault) then
you need to take care of rotation yourself.
|
|
NoteBy default,
RotateKubeletServerCertificate is set to True;
this recommendation verifies that it has not been disabled. |
Audit
Run the following command on the Control Plane node:
ps -ef | grep kube-controller-manager
Verify that
RotateKubeletServerCertificate argument exists and is set to
true.Remediation
Edit the Controller Manager pod specification file
/etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane
node and set the --feature-gates parameter to include
RotateKubeletServerCertificate=true.--feature-gates=RotateKubeletServerCertificate=true