Enable Kubelet authentication using certificates. Rationale: The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet's port-forwarding functionality. These connections terminate at the kubelet's HTTPS endpoint. By default, the apiserver does not verify the kubelet's serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. Enabling Kubelet certificate authentication ensures that the apiserver could authenticate the Kubelet before submitting any requests. Impact: You require TLS to be configured on apiserver as well as kubelets. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
None. Changing the clientCAFile value is unsupported. Default Value: By default, the clientCAFile is set to /etc/kubernetes/kubelet-ca.crt.