Ensure that the --root-ca-file argument is set as appropriate (Controller Manager)
Allow pods to verify the API server's serving certificate before establishing connections. Processes running within pods that need to contact the API server must verify the API server's serving certificate. Failing to do so could be a subject to man-in-the-middle attacks.
Risk Level: High
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.IAM.14
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
KubernetesPod where labels contain [value='kube-controller-manager'] and namespace = 'kube-system' should have spec.containers with [parsedArgs contain [key like 'root-ca-file' ]]
REMEDIATION
Edit the Controller Manager pod specification file $controllermanagerconf
on the master node and set the --root-ca-file parameter to
the certificate bundle file.
--root-ca-file=<path/to/file>
References
- https://kubernetes.io/docs/admin/kube-controller-manager/
- https://github.com/kubernetes/kubernetes/issues/11000
Pods
Pods are the smallest deployable units of computing that can be created and managed in Kubernetes.A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.
Compliance Frameworks
- CIS Kubernetes Benchmark v1.20
- CIS Kubernetes Benchmark v1.23
- CIS Kubernetes Benchmark v1.24
- CIS Kubernetes Benchmark v1.4.0
- CIS Kubernetes Benchmark v1.5.1
- CIS Kubernetes Benchmark v1.6.1
- Kubernetes NIST.SP.800-190
- Kubernetes v.1.13 CloudGuard Best Practices
- Kubernetes v.1.14 CloudGuard Best Practices
Updated over 1 year ago