Ensure that the --client-ca-file argument is set as appropriate (Kubelet)

Enable Kubelet authentication using certificates. The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet s port-forwarding functionality. These connections terminate at the kubelet s HTTPS endpoint. By default, the apiserver does not verify the kubelet s serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. Enabling Kubelet certificate authentication ensures that the apiserver could authenticate the Kubelet before submitting any requests.

Risk Level: High
Cloud Entity: Node
CloudGuard Rule ID: D9.K8S.NET.01
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

KubernetesNode where not kubeletData isEmpty() should have kubeletData.kubeletconfig.authentication.x509.clientCAFile

REMEDIATION

  • If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
    the location of the client CA file.

  • If using command line arguments, edit the kubelet service file
    $kubeletsvc on each worker node and
    set the below parameter in KUBELET_AUTHZ_ARGS variable.
    --client-ca-file=<path/to/client-ca-file>
    Based on your system, restart the kubelet service. For example:
    systemctl daemon-reload
    systemctl restart kubelet.service

  • If using the api configz endpoint consider searching for the status of clientCAFile by
    extracting the live configuration from the nodes running kubelet.
    **See detailed step-by-step configmap procedures in
    https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/

References

  1. https://kubernetes.io/docs/admin/kubelet/
  2. https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/

Node

A node is a worker machine in Kubernetes, previously known as a minion. A node may be a VM or physical machine, depending on the cluster. Each node contains the services necessary to run pods and is managed by the master components. The services on a node include the container runtime, kubelet and kube-proxy.

Compliance Frameworks

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.3.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.20
  • CIS Kubernetes Benchmark v1.23
  • CIS Kubernetes Benchmark v1.24
  • CIS Kubernetes Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.5.1
  • CIS Kubernetes Benchmark v1.6.1
  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.3.0
  • CIS OpenShift Container Platform v4 Benchmark v1.1.0
  • CIS OpenShift Container Platform v4 Benchmark v1.4.0
  • Kubernetes NIST.SP.800-190
  • Kubernetes v.1.13 CloudGuard Best Practices
  • Kubernetes v.1.14 CloudGuard Best Practices
  • OpenShift Container Platform v3