Enable certificate based kubelet authentication. Rationale: The apiserver, by default, does not authenticate itself to the kubelet's HTTPS endpoints. The requests from the apiserver are treated anonymously. You should set up certificate-based kubelet authentication to ensure that the apiserver authenticates itself to kubelets when submitting requests. Impact: Require TLS to be configured on the apiserver as well as kubelets.
Solution
No remediation is required. OpenShift platform components use X.509 certificates for authentication. OpenShift manages the CAs and certificates for platform components. This is not configurable. Default Value: By default, kubelet authentication is managed with X.509 certificates.