Description:
Enable kubelet server certificate rotation on controller-manager.
Rationale:
RotateKubeletServerCertificate causes the kubelet to both request a serving
certificate after bootstrapping its client credentials and rotate the certificate as its
existing credentials expire. This automated periodic rotation ensures that there is
no downtime due to expired certificates, thus addressing availability in the CIA
security triad.
Note: This recommendation only applies if you let kubelets get their certificates from the
API server. If your kubelet certificates come from an outside authority/tool (e.g.
Vault), you need to take care of rotation yourself.
Impact:
None
Audit:
Run the following command on the Control Plane node:
ps -ef | grep kube-controller-manager
Verify that the RotateKubeletServerCertificate argument exists and is set to true.
Default Value:
By default, RotateKubeletServerCertificate is set to "true"; this recommendation
verifies that it has not been disabled.
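The audit and default-value checks above can be scripted. The following is an added example, not part of the benchmark text: it parses the `--feature-gates` argument of a kube-controller-manager command line and reports whether the gate is explicitly enabled, left at its default, or disabled. The function names, the sample command lines, the `ExampleGate` placeholder and the choice to treat any value other than true as disabled are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the RotateKubeletServerCertificate feature gate on a
# kube-controller-manager command line: enabled | default | disabled | not-running
gate_state() {
    cmdline=$1
    gate=RotateKubeletServerCertificate
    [ -n "$cmdline" ] || { echo not-running; return 0; }
    state=default; prev=
    set -f    # no globbing while word-splitting the argument string
    for arg in $cmdline; do
        gates=
        if [ "$prev" = "--feature-gates" ]; then gates=$arg; fi
        case $arg in --feature-gates=*) gates=${arg#--feature-gates=} ;; esac
        prev=$arg
        old_ifs=$IFS; IFS=,    # gates are comma-separated Name=bool pairs
        for kv in $gates; do
            case $kv in
                "$gate"=*)
                    value=$(printf '%s' "${kv#*=}" | tr 'A-Z' 'a-z')
                    # Fail closed: one non-true occurrence marks the gate disabled.
                    if [ "$value" = true ] && [ "$state" != disabled ]; then
                        state=enabled
                    else
                        state=disabled
                    fi ;;
            esac
        done
        IFS=$old_ifs
    done
    set +f
    echo "$state"
}

# Live audit on a control plane node; [k] keeps grep from matching itself.
audit_live() {
    gate_state "$(ps -eo args | grep '[k]ube-controller-manager' | head -n 1)"
}

# Constructed sample command lines (ExampleGate is a placeholder name).
SAMPLE_ON='kube-controller-manager --feature-gates=ExampleGate=false,RotateKubeletServerCertificate=true'
SAMPLE_OFF='kube-controller-manager --feature-gates ExampleGate=true,RotateKubeletServerCertificate=False'
SAMPLE_UNSET='kube-controller-manager --use-service-account-credentials=true'

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    for s in "$SAMPLE_ON" "$SAMPLE_OFF" "$SAMPLE_UNSET"; do gate_state "$s"; done
fi
```

Run with `--live` on the control plane node to check the running process; `disabled` is the state this recommendation is meant to catch, while `default` means the argument is absent and the default value applies.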
Profile Applicability:
• Level 2 - Master Node
References: