1.1.21 Ensure that the --kubelet-certificate-authority argument is set as appropriate

Information

Verify kubelet's certificate before establishing connection.

Rationale:

The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelets port-forwarding functionality. These connections terminate at the kubelets HTTPS endpoint. By default, the apiserver does not verify the kubelets serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.

Solution

Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and set the '--kubelet-certificate-authority' parameter to the path to the cert file for the certificate authority.

--kubelet-certificate-authority=

Impact:

You require TLS to be configured on apiserver as well as kubelets.

See Also

https://workbench.cisecurity.org/files/2125

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2), CSCv6|3.4

Plugin: Unix

Control ID: 4bad3aa3f5f9b3ed6c183f4c40489b335aabd66f9bb10111401e4b7ff8f0686f