1.1.30 Ensure that the --client-ca-file argument is set as appropriate

Information

Setup TLS connection on the API server.

Rationale:

API server communication contains sensitive parameters that should remain encrypted in transit. Configure the API server to serve only HTTPS traffic. If `--client-ca-file` argument is set, any request presenting a client certificate signed by one of the authorities in the `client-ca-file` is authenticated with an identity corresponding to the CommonName of the client certificate.

Solution

Follow the Kubernetes documentation and set up the TLS connection on the apiserver. Then, edit the `/etc/kubernetes/apiserver` file on the master node and set the `KUBE_API_ARGS` parameter to include `'--client-ca-file='`: `KUBE_API_ARGS='--client-ca-file='`

Based on your system, restart the `kube-apiserver` service. For example: `systemctl restart kube-apiserver.service`

Impact:

TLS and client certificate authentication must be configured for your Kubernetes cluster deployment.

See Also

https://workbench.cisecurity.org/files/1738

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2), CSCv6|14.2

Plugin: Unix

Control ID: b8b861c25eddfaa6a1ee089f1a6e93afe97164925134920fe37f4630ff4118eb