3.2.3 Ensure that a Client CA File is Configured

Information

Enable Kubelet authentication using certificates.

The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet's port-forwarding functionality. These connections terminate at the kubelet's HTTPS endpoint. By default, the apiserver does not verify the kubelet's serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. Enabling Kubelet certificate authentication ensures that the apiserver could authenticate the Kubelet before submitting any requests.

Solution

Remediation Method 1:

If configuring via the Kubelet config file, you first need to locate the file.

To do this, SSH to each node and execute the following command to find the kubelet process:

ps -ef | grep kubelet

The output of the above command provides details of the active kubelet process, from which we can see the location of the configuration file provided to the kubelet service with the --config argument. The file can be viewed with a command such as more or less like so:

sudo less /path/to/kubelet-config.json

Configure the client certificate authority file by setting the following parameter appropriately:

"authentication": { "x509": {"clientCAFile": <path/to/client-ca-file> } }"

Remediation Method 2:

If using executable arguments, edit the kubelet service file on each worker node and ensure the below parameters are part of the KUBELET_ARGS variable string.

For systems using systemd such as the Amazon EKS Optimised Amazon Linux or Bottlerocket AMIs, then this file can be found at /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf Otherwise, you may need to look up documentation for your chosen operating system to determine which service manager is configured:

--client-ca-file=<path/to/client-ca-file>

For Both Remediation Steps:

Based on your system, restart the kubelet service and check the service status.

The following example is for operating systems using systemd such as the Amazon EKS Optimised Amazon Linux or Bottlerocket AMIs, and invokes the systemctl command. If systemctl is not available then you will need to look up documentation for your chosen operating system to determine which service manager is configured:

systemctl daemon-reload
systemctl restart kubelet.service
systemctl status kubelet -l

Impact:

You require TLS to be configured on apiserver as well as kubelets.

See Also

https://workbench.cisecurity.org/benchmarks/19166

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Unix

Control ID: beec2a122a7c504a46ab44c47e501b70a0f090be7df6a62f5b7c551c7121bd12