Ensure that the --rotate-certificates argument is not set to false (Kubelet)

Enable kubelet client certificate rotation. The --rotate-certificates setting causes the kubelet to rotate its client certificates by creating new CSRs as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad.

Risk Level: High
Cloud Entity: Node
CloudGuard Rule ID: D9.K8S.CRY.02
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

KubernetesNode where not kubeletData isEmpty() should have kubeletData.kubeletconfig.rotateCertificates = 'true'

REMEDIATION

-If using a Kubelet config file, edit the file to add the line rotateCertificates: true.

-If using command line arguments, edit the kubelet service file $kubeletsvc
on each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service

-If using the api configz endpoint consider searching for the status of rotateCertificates
by extracting the live configuration from the nodes running kubelet.
**See detailed step-by-step configmap procedures in
https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/

References

  1. https://github.com/kubernetes/kubernetes/pull/41912
  2. https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration
  3. https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/
  4. https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/ (EKS)

Node

A node is a worker machine in Kubernetes, previously known as a minion. A node may be a VM or physical machine, depending on the cluster. Each node contains the services necessary to run pods and is managed by the master components. The services on a node include the container runtime, kubelet and kube-proxy.

Compliance Frameworks

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.3.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.20
  • CIS Kubernetes Benchmark v1.23
  • CIS Kubernetes Benchmark v1.24
  • CIS Kubernetes Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.5.1
  • CIS Kubernetes Benchmark v1.6.1
  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.1.0
  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.3.0
  • Kubernetes NIST.SP.800-190
  • Kubernetes v.1.13 CloudGuard Best Practices
  • Kubernetes v.1.14 CloudGuard Best Practices