2.1.4 Ensure that the --client-ca-file argument is set as appropriate

Information

Enable Kubelet authentication using certificates.

Rationale:

The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet's port-forwarding functionality. These connections terminate at the kubelet's HTTPS endpoint. By default, the apiserver does not verify the kubelet's serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. Enabling Kubelet certificate authentication ensures that the apiserver could authenticate the Kubelet before submitting any requests.

Solution

Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the `/etc/kubernetes/kubelet` file on each node and set the `KUBELET_ARGS` parameter to `'--client-ca-file='`: `KUBELET_ARGS='--client-ca-file='`

Based on your system, restart the `kubelet` service. For example: `systemctl restart kubelet.service`

Impact:

You require TLS to be configured on apiserver as well as kubelets.

See Also

https://workbench.cisecurity.org/files/1738

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2), CSCv6|14.2

Plugin: Unix

Control ID: adc769ce250f26b03b595b151323404a5b49c32aa1f97aff0757ba226e0ebfc1