Ensure that the RotateKubeletServerCertificate argument is set to true (Controller Manager)

Enable kubelet server certificate rotation on controller-manager. RotateKubeletServerCertificate causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad.

Risk Level: Low
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.CRY.11
Covered by Spectral: No
Category: Compute


KubernetesPod where labels contain [value='kube-controller-manager'] and namespace = 'kube-system' should have spec.containers with [parsedArgs contain [key like 'feature-gates' and value = 'RotateKubeletServerCertificate=true']]


Edit the Controller Manager pod specification file $controllermanagerconf
controller-manager.yaml on the master node and set the --feature-gates parameter to
include RotateKubeletServerCertificate=true.


  1. https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller
  2. https://github.com/kubernetes/features/issues/267
  3. https://github.com/kubernetes/kubernetes/pull/45059
  4. https://kubernetes.io/docs/admin/kube-controller-manager/


Pods are the smallest deployable units of computing that can be created and managed in Kubernetes.A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.

Compliance Frameworks

  • CIS Kubernetes Benchmark v1.20
  • CIS Kubernetes Benchmark v1.24
  • CIS Kubernetes Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.5.1
  • CIS Kubernetes Benchmark v1.6.1
  • Kubernetes NIST.SP.800-190
  • Kubernetes v.1.13 CloudGuard Best Practices
  • Kubernetes v.1.14 CloudGuard Best Practices