Profile applicability: Level 1
Enable Kubelet authentication using certificates.
The connections from the API server to the kubelet are used for fetching logs for
pods, attaching (through kubectl) to running pods, and using the kubelet’s port-forwarding
functionality. These connections terminate at the kubelet’s HTTPS endpoint. By default,
the API server does not verify the kubelet’s serving certificate, which makes the
connection subject to man-in-the-middle attacks, and unsafe to run over untrusted
and/or public networks. Enabling Kubelet certificate authentication ensures that the
API server can authenticate the Kubelet before submitting any requests.
Note: By default, the clientCAFile is set to /etc/kubernetes/kubelet-ca.crt.
Impact
You require TLS to be configured on API server as well as kubelets.
Audit
OpenShift provides integrated management of certificates for internal cluster components.
OpenShift 4 includes multiple CAs providing independent chains of trust, which ensure
that a platform CA will never accidentally sign a certificate that can be used for
the wrong purpose, increasing the security posture of the cluster.
You can verify the client CA file with the following command:
for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.authentication.x509.clientCAFile'; done
Verify all the nodes are using /etc/kubernetes/kubelet-ca.crt as the clientCAFile value.
Remediation
None. Changing the clientCAFile value is unsupported.
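The audit loop above, reworked as an added Python script that is not part of the benchmark: it reads each node's configz response, reports nodes whose clientCAFile differs from the expected path, and also flags nodes where the x509 block is missing entirely (which the jq one-liner would only show as null). The fetch_configz helper wraps the same oc command and is assumed to run in a logged-in oc session; the sample responses below are constructed so the check runs offline.

```python
import json
import subprocess

EXPECTED_CLIENT_CA = "/etc/kubernetes/kubelet-ca.crt"


def fetch_configz(node: str) -> dict:
    """Fetch a node's live kubelet config through the API server proxy.

    Equivalent to: oc get --raw /api/v1/nodes/<node>/proxy/configz
    Needs a logged-in oc session; the offline demo below does not call it.
    """
    path = f"/api/v1/nodes/{node}/proxy/configz"
    raw = subprocess.check_output(["oc", "get", "--raw", path], text=True)
    return json.loads(raw)


def client_ca_file(configz: dict):
    """Return kubeletconfig.authentication.x509.clientCAFile, or None if absent."""
    auth = configz.get("kubeletconfig", {}).get("authentication", {})
    return auth.get("x509", {}).get("clientCAFile")


def audit_client_ca(configz_by_node: dict, expected: str = EXPECTED_CLIENT_CA) -> dict:
    """Map each node name to 'PASS' or a 'FAIL: ...' finding."""
    findings = {}
    for node, configz in configz_by_node.items():
        value = client_ca_file(configz)
        if value == expected:
            findings[node] = "PASS"
        elif value is None:
            # No x509 client CA at all: the kubelet cannot verify API server certs.
            findings[node] = "FAIL: clientCAFile unset (x509 client auth disabled)"
        else:
            findings[node] = f"FAIL: clientCAFile={value}"
    return findings


# Constructed sample configz responses, trimmed to the fields the check inspects.
SAMPLE_CONFIGZ = {
    "master-0": {"kubeletconfig": {"authentication": {"x509": {"clientCAFile": EXPECTED_CLIENT_CA}}}},
    "worker-0": {"kubeletconfig": {"authentication": {"x509": {"clientCAFile": "/tmp/custom-ca.crt"}}}},
    "worker-1": {"kubeletconfig": {"authentication": {"anonymous": {"enabled": False}}}},
}

if __name__ == "__main__":
    for node, finding in audit_client_ca(SAMPLE_CONFIGZ).items():
        print(f"{node}: {finding}")
```

Against a live cluster, build configz_by_node from fetch_configz over the output of oc get nodes and pass it to audit_client_ca; any FAIL is a finding to investigate, since the value cannot be changed in a supported way.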