Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet)

Set up TLS on the Kubelets. Kubelet traffic carries sensitive data that should remain encrypted in transit. Configure the Kubelets to serve HTTPS traffic only.

Risk Level: High
Cloud Entity: Node
CloudGuard Rule ID: D9.K8S.CRY.01
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

KubernetesNode where not kubeletData isEmpty() should have (kubeletData.kubeletconfig.tlsCertFile) and (kubeletData.kubeletconfig.tlsPrivateKeyFile)

REMEDIATION

  • If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
    file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
    corresponding private key file.

  • If using command line arguments, edit the kubelet service file
    $kubeletsvc on each worker node and
    set the parameters below in the KUBELET_CERTIFICATE_ARGS variable.
    --tls-cert-file=<path/to/tls-certificate-file>
    --tls-private-key-file=<path/to/tls-key-file>
    Based on your system, restart the kubelet service. For example:
    systemctl daemon-reload
    systemctl restart kubelet.service

  • If using the API configz endpoint, check the status of tlsCertFile and
    tlsPrivateKeyFile by extracting the live configuration from the nodes running kubelet.
    See detailed step-by-step configmap procedures at
    https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/
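The following is an added example, not CloudGuard's own rule engine or code from the Kubernetes project. It applies the GSL logic above to constructed configz-style documents (the shape returned by the kubelet's configz endpoint, which wraps the live settings under "kubeletconfig") and also parses the KUBELET_CERTIFICATE_ARGS line from a kubelet systemd drop-in as described in the remediation. The node names, file paths and drop-in lines are made up for the example; the function names are the example's own.

```python
import re
import shlex

# Constructed sample documents for this example (not captured from a real cluster).
# Each value imitates what the kubelet's configz endpoint returns for one node
# (GET /api/v1/nodes/<node>/proxy/configz): the live settings under "kubeletconfig".
SAMPLE_CONFIGZ = {
    "worker-1": {"kubeletconfig": {"tlsCertFile": "/var/lib/kubelet/pki/kubelet.crt",
                                   "tlsPrivateKeyFile": "/var/lib/kubelet/pki/kubelet.key"}},
    "worker-2": {"kubeletconfig": {"tlsCertFile": "/var/lib/kubelet/pki/kubelet.crt"}},  # key missing
    "worker-3": {"kubeletconfig": {"tlsCertFile": "", "tlsPrivateKeyFile": ""}},         # empty values
    "worker-4": {},                                                                      # no kubelet data
}

# Constructed lines as they might appear in the kubelet systemd drop-in ($kubeletsvc
# in the remediation), one compliant and one with the private key flag missing.
GOOD_ARGS_LINE = ('Environment="KUBELET_CERTIFICATE_ARGS=--tls-cert-file=/var/lib/kubelet/pki/kubelet.crt '
                  '--tls-private-key-file=/var/lib/kubelet/pki/kubelet.key"')
BAD_ARGS_LINE = 'Environment="KUBELET_CERTIFICATE_ARGS=--tls-cert-file=/var/lib/kubelet/pki/kubelet.crt"'


def evaluate_configz(configz):
    """Apply the rule to one node's configz document.

    Mirrors the GSL: a node with no kubelet data is out of scope ("where not
    kubeletData isEmpty()"); every other node passes only when both tlsCertFile
    and tlsPrivateKeyFile are present and non-empty.
    """
    if not configz:
        return "not_applicable"
    cfg = configz.get("kubeletconfig") or {}
    cert = (cfg.get("tlsCertFile") or "").strip()
    key = (cfg.get("tlsPrivateKeyFile") or "").strip()
    return "pass" if cert and key else "fail"


def audit_configz(configz_by_node):
    """Evaluate every node and return {node_name: status}."""
    return {node: evaluate_configz(doc) for node, doc in configz_by_node.items()}


_ARGS_RE = re.compile(r"KUBELET_CERTIFICATE_ARGS=(.*)$")
_TLS_FLAGS = ("--tls-cert-file", "--tls-private-key-file")


def tls_flags_from_args_line(line):
    """Return {flag: path} for the TLS flags present in a KUBELET_CERTIFICATE_ARGS line."""
    match = _ARGS_RE.search(line)
    if not match:
        return {}
    found = {}
    # Drop the closing quote of the Environment="..." value before shell-style splitting.
    for token in shlex.split(match.group(1).strip().strip('"')):
        name, sep, path = token.partition("=")
        if sep and name in _TLS_FLAGS and path:
            found[name] = path
    return found


def evaluate_args_line(line):
    """Pass only if both TLS flags are set with a non-empty path."""
    found = tls_flags_from_args_line(line)
    return "pass" if all(flag in found for flag in _TLS_FLAGS) else "fail"


if __name__ == "__main__":
    for node, status in audit_configz(SAMPLE_CONFIGZ).items():
        print(f"{node}: {status}")
    print("systemd drop-in (good):", evaluate_args_line(GOOD_ARGS_LINE))
    print("systemd drop-in (bad): ", evaluate_args_line(BAD_ARGS_LINE))
```

Against a real cluster, the per-node document can be fetched with `kubectl get --raw "/api/v1/nodes/<node>/proxy/configz"` and fed to `evaluate_configz`. The rule requires both values because when neither flag is set the kubelet generates a self-signed serving certificate in its `--cert-dir`, which clients cannot validate against a trusted CA; a certificate path without a key path (worker-2) or empty strings (worker-3) leave the kubelet in the same state and are reported as failures.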

References

  1. https://kubernetes.io/docs/admin/kubelet/
  2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/
  3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide
  4. https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/

Node

A node is a worker machine in Kubernetes, previously known as a minion. A node may be a VM or physical machine, depending on the cluster. Each node contains the services necessary to run pods and is managed by the master components. The services on a node include the container runtime, kubelet and kube-proxy.

Compliance Frameworks

  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.20
  • CIS Kubernetes Benchmark v1.23
  • CIS Kubernetes Benchmark v1.24
  • CIS Kubernetes Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.5.1
  • CIS Kubernetes Benchmark v1.6.1
  • Kubernetes NIST.SP.800-190
  • Kubernetes v.1.13 CloudGuard Best Practices
  • Kubernetes v.1.14 CloudGuard Best Practices