Ensure that the --kubelet-certificate-authority argument is set as appropriate (API Server)

Verify kubelet's certificate before establishing connection. The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet s port-forwarding functionality. These connections terminate at the kubelet s HTTPS endpoint. By default, the apiserver does not verify the kubelet s serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.

Risk Level: High
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.IAM.06
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

KubernetesPod where labels contain [value='kube-apiserver'] and namespace = 'kube-system' should have spec.containers with [parsedArgs contain [key like 'kubelet-certificate-authority' ]]

REMEDIATION

Follow the Kubernetes documentation and setup the TLS connection between the
apiserver and kubelets. Then, edit the API server pod specification file
$apiserverconf on the master node and set the --kubelet-certificate-authority
parameter to the path to the cert file for the certificate authority.
--kubelet-certificate-authority=<ca-string>

References

  1. https://kubernetes.io/docs/admin/kube-apiserver/
  2. https://kubernetes.io/docs/admin/kubelet-authentication-authorization/
  3. https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet

Pods

Pods are the smallest deployable units of computing that can be created and managed in Kubernetes.A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.

Compliance Frameworks

  • CIS Kubernetes Benchmark v1.20
  • CIS Kubernetes Benchmark v1.23
  • CIS Kubernetes Benchmark v1.24
  • CIS Kubernetes Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.5.1
  • CIS Kubernetes Benchmark v1.6.1
  • Kubernetes NIST.SP.800-190
  • Kubernetes v.1.13 CloudGuard Best Practices
  • Kubernetes v.1.14 CloudGuard Best Practices