Ensure that the --rotate-certificates argument is not present or is set to true (Kubelet)

Risk Level: High
Cloud Entity: Node
CloudGuard Rule ID: D9.K8S.CRY.46
Covered by Spectral: No
Category: Compute

GSL LOGIC

KubernetesNode where kubeletData.kubeletconfig.rotateCertificates should have 'true'

REMEDIATION

  • If modifying the Kubelet config file, edit the kubelet-config.json file
    /etc/kubernetes/kubelet/kubelet-config.json and set the below parameter to true
    "rotateCertificates": true
    Additionally, ensure that the kubelet service file
    /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf does not set the
    --rotate-certificates executable argument to false, because a command-line
    argument overrides the value in the Kubelet config file.

  • If using executable arguments, edit the kubelet service file
    /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf on each worker node
    and add the below parameter at the end of the KUBELET_ARGS variable string.
    --rotate-certificates=true

  • In either case, reload the unit definitions and restart the kubelet on each
    node for the change to take effect (systemctl daemon-reload && systemctl
    restart kubelet). The rule evaluates the kubelet's running configuration, so a
    file edit without a restart will still be reported as a finding.
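The two remediation paths interact: a flag in the systemd drop-in silently wins over the config file, so a node whose kubelet-config.json says true can still run with rotation disabled. The following shell script, an added example that is not part of this rule page or of CloudGuard, audits both files and reports the effective value and a PASS/FAIL verdict with the same semantics as the GSL above. The sample kubelet-config.json and drop-in contents it writes are constructed for the demo, and the file paths are parameters so the check can be run against copies pulled from a node.

```shell
#!/bin/sh
# Added example (not CloudGuard's or CIS's code): audit the effective kubelet
# rotateCertificates setting on a node. The --rotate-certificates executable
# argument overrides the config-file value, so both sources are inspected.

# Print "true", "false" or "unset" for the value in a JSON kubelet config file.
config_rotate_certificates() {
  cfg="$1"
  [ -f "$cfg" ] || { echo unset; return; }
  if grep -Eq '"rotateCertificates"[[:space:]]*:[[:space:]]*true' "$cfg"; then
    echo true
  elif grep -Eq '"rotateCertificates"[[:space:]]*:[[:space:]]*false' "$cfg"; then
    echo false
  else
    echo unset
  fi
}

# Print "true", "false" or "unset" for the --rotate-certificates flag in a
# systemd drop-in. A bare --rotate-certificates (no =value) means true.
args_rotate_certificates() {
  dropin="$1"
  [ -f "$dropin" ] || { echo unset; return; }
  if grep -Eq -e '--rotate-certificates=false' "$dropin"; then
    echo false
  elif grep -Eq -e '--rotate-certificates=true|--rotate-certificates([^=]|$)' "$dropin"; then
    echo true
  else
    echo unset
  fi
}

# Effective value: the executable argument wins whenever it is present.
effective_rotate_certificates() {
  a=$(args_rotate_certificates "$2")
  if [ "$a" != unset ]; then echo "$a"; else config_rotate_certificates "$1"; fi
}

# Rule verdict, matching the GSL: PASS only when the effective value is true.
rule_verdict() {
  [ "$(effective_rotate_certificates "$1" "$2")" = true ] && echo PASS || echo FAIL
}

# Constructed sample node files for the demo (not copied from a real cluster).
write_samples() {
  dir="$1"
  cat > "$dir/kubelet-config.json" <<'EOF'
{
  "kind": "KubeletConfiguration",
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "rotateCertificates": true
}
EOF
  # Drop-in that silently overrides the compliant config file.
  cat > "$dir/10-kubelet-args.conf" <<'EOF'
[Service]
Environment='KUBELET_ARGS=--node-ip=10.0.0.5 --rotate-certificates=false'
EOF
  # Drop-in after applying the second remediation bullet.
  cat > "$dir/10-kubelet-args.fixed.conf" <<'EOF'
[Service]
Environment='KUBELET_ARGS=--node-ip=10.0.0.5 --rotate-certificates=true'
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "config only:        $(rule_verdict "$tmp/kubelet-config.json" /nonexistent)"
echo "overridden by args: $(rule_verdict "$tmp/kubelet-config.json" "$tmp/10-kubelet-args.conf")"
echo "after remediation:  $(rule_verdict "$tmp/kubelet-config.json" "$tmp/10-kubelet-args.fixed.conf")"
rm -rf "$tmp"
```

The file-based check is what you run on the node itself; to confirm what the running kubelet actually loaded (which is what the rule evaluates), query the node's configz endpoint through the API server, `kubectl get --raw "/api/v1/nodes/<node-name>/proxy/configz"`, and inspect the rotateCertificates field in the returned kubeletconfig.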

References

  1. https://github.com/kubernetes/kubernetes/pull/41912
  2. https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration
  3. https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/
  4. https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/ (EKS)

Node

A node is a worker machine in Kubernetes, previously known as a minion. A node may be a VM or physical machine, depending on the cluster. Each node contains the services necessary to run pods and is managed by the master components. The services on a node include the container runtime, kubelet and kube-proxy.

Compliance Frameworks

  • TBD