1.2.6 Verify that the kubelet certificate authority is set as appropriate

Information

Verify kubelet's certificate before establishing connection.

Rationale:

The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet's port-forwarding functionality. These connections terminate at the kubelet's HTTPS endpoint. By default, the apiserver does not verify the kubelet's serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.

Impact:

You require TLS to be configured on apiserver as well as kubelets.

Solution

No remediation is required. OpenShift platform components use X.509 certificates for authentication. OpenShift manages the CAs and certificates for platform components. This is not configurable.

Default Value:

By default, kubelet authentication is managed with X.509 certificates.

See Also

https://workbench.cisecurity.org/benchmarks/16094

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-15, CSCv7|1.8

Plugin: OpenShift

Control ID: 884a27bf9f51dd6afd3fae284c554a97998a50ca694fea0b4690344b49d636ce