Information
Verify kubelet's certificate before establishing connection.
Rationale:
The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelets port-forwarding functionality. These connections terminate at the kubelets HTTPS endpoint. By default, the apiserver does not verify the kubelets serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.
Solution
Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and set the '--kubelet-certificate-authority' parameter to the path to the cert file for the certificate authority.
--kubelet-certificate-authority=
Impact:
You require TLS to be configured on apiserver as well as kubelets.