Profile Applicability: Level 1
Enable kubelet server certificate rotation.
RotateKubeletServerCertificate
causes the kubelet to both request a serving certificate after bootstrapping its
client credentials and rotate the certificate as its existing credentials expire.
This automated periodic rotation ensures that the there are no downtimes due to expired
certificates and thus addressing availability in the CIA security triad.This recommendation only applies if you let kubelets get their certificates from the
API server. In case your kubelet certificates come from an outside authority/tool
(e.g. Vault) then you need to take care of rotation yourself.
![]() |
NoteSee the Azure AKS documentation for the default value.
|
Audit
Audit Method 1:
If using a Kubelet configuration file, check that there is an entry for
RotateKubeletServerCertificate
is set to true
.-
SSH to the relevant node, and run the following command on each node to find the appropriate Kubelet config file:
ps -ef | grep kubelet
The output of the above command should return something similar to--config /etc/kubernetes/kubelet/kubelet-config.json
which is the location of the Kubelet config file. -
Open the Kubelet config file:
cat /etc/kubernetes/kubelet/kubelet-config.json
-
Verify that
RotateKubeletServerCertificate
argument exists and is set totrue
.
Audit Method 2:
If using the API configz endpoint, consider searching for the status of
"RotateKubeletServerCertificate":true
by extracting the live configuration from the nodes running Kubelet.-
Set the local proxy port and the following variables, and provide the proxy port number and node name:
HOSTNAME_PORT="localhost-and-port-number"
NODE_NAME="The-Name-Of-Node-To-Extract-Configuration" from the output of "kubectl get nodes"
kubectl proxy --port=8001 & export HOSTNAME_PORT=localhost:8001 (example host and port number) export NODE_NAME=ip-192.168.31.226.aks.internal (example node name from "kubectl get nodes") curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"
Remediation
Remediation Method 1:
If modifying the Kubelet config file, edit
/etc/kubernetes/kubelet/kubelet-config.json
and ensure the below parameter is set to true:"RotateKubeletServerCertificate":true
Remediation Method 2:
If using a Kubelet config file, edit the file to set
RotateKubeletServerCertificate to true
. If using executable arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubelet-args.conf
on each worker node and add the below parameter at the end of the KUBELET_ARGS
variable string:--rotate-kubelet-server-certificate=true
Remediation Method 3:
If using the API configz endpoint, consider searching for the status of
"RotateKubeletServerCertificate":
by extracting the live configuration from the nodes running kubelet.See step-by-step configmap procedures in the Kubernetes documentation, and rerun the curl command from the audit process to check for kubelet configuration
changes:
kubectl proxy --port=8001 & export HOSTNAME_PORT=localhost:8001 (example host and port number) export NODE_NAME=ip-192.168.31.226.aks.internal (example node name from "kubectl get nodes") curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"
For all three remediations:
Restart the
kubelet
service and check the status:systemctl daemon-reload systemctl restart kubelet.service systemctl status kubelet -l