2.1.3 Ensure that the --client-ca-file argument is set as appropriate

Information

Enable Kubelet authentication using certificates.

Rationale:

The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelets port-forwarding functionality. These connections terminate at the kubelets HTTPS endpoint. By default, the apiserver does not verify the kubelets serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. Enabling Kubelet certificate authentication ensures that the apiserver could authenticate the Kubelet before submitting any requests.

Solution

If using a Kubelet config file, edit the file to set 'authentication: x509: clientCAFile' to the location of the client CA file.

If using command line arguments, edit the kubelet service file '/etc/systemd/system/kubelet.service.d/10-kubeadm.conf' on each worker node and set the below parameter in 'KUBELET_AUTHZ_ARGS' variable.

--client-ca-file=

Based on your system, restart the 'kubelet' service. For example:

systemctl daemon-reload
systemctl restart kubelet.service

See Also

https://workbench.cisecurity.org/files/2421

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, CSCv6|14.2, CSCv7|14.4

Plugin: Unix

Control ID: 55fb5b17f8ac1f1cb50eb0c65daa548afe495778832152a0a31d225ecb7bf15a