1.1.21 Ensure that the --kubelet-certificate-authority argument is set as appropriate

Information

Verify kubelet's certificate before establishing connection.

Rationale:

The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelets port-forwarding functionality. These connections terminate at the kubelets HTTPS endpoint. By default, the apiserver does not verify the kubelets serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.

Solution

Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and set the '--kubelet-certificate-authority' parameter to the path to the cert file for the certificate authority.

--kubelet-certificate-authority=

See Also

https://workbench.cisecurity.org/files/2421

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv6|3.4, CSCv7|4.5

Plugin: Unix

Control ID: 04acbcb72ba85186d33b68bbdd0c04e6713e812e85613c2a424b3ab280b2eb0e