Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Kubelet) (Openshift)

Ensure that the Kubelet is configured to only use strong cryptographic ciphers.

Risk Level: High
Cloud Entity: Node
CloudGuard Rule ID: D9.K8S.CRY.44
Covered by Spectral: No
Category: Compute

GSL LOGIC

KubernetesNode should have kubeletData.kubeletconfig.tlsCipherSuites isEmpty() or kubeletData.kubeletconfig.tlsCipherSuites contain-all ['TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256' and 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' and 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305' and 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' and 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305' and 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384' and 'TLS_RSA_WITH_AES_256_GCM_SHA384' and 'TLS_RSA_WITH_AES_128_GCM_SHA256']

REMEDIATION

Follow the directions in the OpenShift documentation to configure the tlsSecurityProfile.
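The GSL predicate above can be checked directly against a node's running kubelet configuration. The following is an added example, not CloudGuard's or OpenShift's own code: it evaluates the same two-branch rule (tlsCipherSuites empty, or containing all eight listed suites) over a kubelet configz document. It assumes the document has the shape the kubelet serves from its /configz endpoint (a top-level "kubeletconfig" object), which can be fetched with `oc get --raw /api/v1/nodes/<node>/proxy/configz`; the sample documents in the block are constructed for illustration and do not come from the page.

```python
"""Evaluate the CloudGuard D9.K8S.CRY.44 predicate over a kubelet /configz document.

Added example, not CloudGuard code. Assumption: the input dict is the JSON the
kubelet returns from /configz, i.e. {"kubeletconfig": {...}} as fetched with
    oc get --raw /api/v1/nodes/<node>/proxy/configz
All sample documents below are constructed for illustration.
"""
import json
from typing import Dict, List

# The eight cipher suites named in the rule's GSL logic.
REQUIRED_SUITES = frozenset({
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
})


def configured_suites(configz: Dict) -> List[str]:
    """Return kubeletconfig.tlsCipherSuites; a missing or null field counts as empty,
    which is what the GSL isEmpty() branch matches."""
    kubeletconfig = configz.get("kubeletconfig") or {}
    return list(kubeletconfig.get("tlsCipherSuites") or [])


def evaluate(configz: Dict) -> Dict:
    """Mirror the rule: compliant when the list is empty (kubelet defaults apply)
    or when every required suite is present (GSL contain-all). The result also
    lists missing and extra suites so a reviewer can see why a node passed or failed."""
    suites = configured_suites(configz)
    if not suites:
        return {"compliant": True,
                "reason": "tlsCipherSuites unset; kubelet defaults apply",
                "missing": [], "extra": []}
    present = set(suites)
    missing = sorted(REQUIRED_SUITES - present)
    extra = sorted(present - REQUIRED_SUITES)
    reason = ("missing %d required suite(s)" % len(missing)) if missing \
        else "all required suites present"
    return {"compliant": not missing, "reason": reason,
            "missing": missing, "extra": extra}


# Constructed sample /configz documents (not captured from a real cluster).
SAMPLE_UNSET = json.loads('{"kubeletconfig": {"tlsMinVersion": "VersionTLS12"}}')
SAMPLE_FULL = {"kubeletconfig": {"tlsCipherSuites": sorted(REQUIRED_SUITES)}}
SAMPLE_PARTIAL = {"kubeletconfig": {"tlsCipherSuites": [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]}}
# Full required list plus one CBC suite that the rule does not name.
SAMPLE_WITH_EXTRA = {"kubeletconfig": {"tlsCipherSuites":
    sorted(REQUIRED_SUITES) + ["TLS_RSA_WITH_AES_128_CBC_SHA"]}}

if __name__ == "__main__":
    for name, doc in [("unset", SAMPLE_UNSET), ("full", SAMPLE_FULL),
                      ("partial", SAMPLE_PARTIAL), ("with_extra", SAMPLE_WITH_EXTRA)]:
        print(name, json.dumps(evaluate(doc)))
```

Two properties of the predicate as written are worth keeping in mind when reading results: a node with no tlsCipherSuites at all passes, because the isEmpty() branch matches, and contain-all only requires that the eight named suites be present, so a list that adds further suites beyond them (the SAMPLE_WITH_EXTRA case) still passes. The extra field in the output exists so that such additions are visible during review rather than hidden behind a compliant verdict.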

Node

A node is a worker machine in Kubernetes, previously known as a minion. A node may be a VM or physical machine, depending on the cluster. Each node contains the services necessary to run pods and is managed by the master components. The services on a node include the container runtime, kubelet and kube-proxy.

Compliance Frameworks

  • CIS Kubernetes Benchmark v1.24
  • CIS OpenShift Container Platform v4 Benchmark v1.1.0
  • OpenShift Container Platform v3