
1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true #45

Open
scfast opened this issue May 4, 2023 · 0 comments
Labels
Level 2 Level 2 hardness

Comments

@scfast

scfast commented May 4, 2023

Profile Applicability:
• Level 2 - Master Node

Description:
Enable kubelet server certificate rotation on controller-manager.

Rationale:
RotateKubeletServerCertificate causes the kubelet to both request a serving
certificate after bootstrapping its client credentials and rotate the certificate as its
existing credentials expire. This automated periodic rotation ensures that there are
no downtimes due to expired certificates, thus addressing availability in the CIA
security triad.
Note: This recommendation only applies if you let kubelets get their certificates from the
API server. In case your kubelet certificates come from an outside authority/tool (e.g.
Vault) then you need to take care of rotation yourself.

Impact:
None

Audit:
Run the following command on the Control Plane node:
ps -ef | grep kube-controller-manager
Verify that RotateKubeletServerCertificate argument exists and is set to true.

Default Value:
By default, RotateKubeletServerCertificate is set to "true"; this recommendation
verifies that it has not been disabled.
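The audit above is a manual `ps -ef | grep` inspection. The following shell function is an added example (not part of the issue or of the CIS benchmark text) that automates it: it parses a kube-controller-manager command line for the `--feature-gates` flag and reports whether `RotateKubeletServerCertificate` is explicitly enabled, explicitly disabled, or left at its default. Because the issue states the default is true, an absent gate is reported as `default` rather than as a failure; the sample command lines in the test are constructed, not captured from a real cluster.

```shell
#!/bin/sh
# Added example: classify a kube-controller-manager command line by the
# RotateKubeletServerCertificate feature gate.
# Prints one of:
#   pass    - gate explicitly set to true
#   fail    - gate explicitly set to false (the disabled state the audit looks for)
#   default - no gate given; the feature is on by default per the issue text

check_rotate_gate() {
  cmdline="$1"
  # Capture the value after --feature-gates (either "--flag=value" or "--flag value").
  # The value is a comma-separated list of Name=bool pairs.
  gates=$(printf '%s\n' "$cmdline" | sed -n 's/.*--feature-gates[= ]\([^ ]*\).*/\1/p')
  # Wrap in commas so a gate name matches only as a whole list element.
  case ",$gates," in
    *,RotateKubeletServerCertificate=true,*)  echo pass ;;
    *,RotateKubeletServerCertificate=false,*) echo fail ;;
    *)                                        echo default ;;
  esac
}

# Run the check against the live process list on a control plane node
# (the audit step from the issue). The [k] trick keeps grep from matching itself.
audit_live() {
  line=$(ps -ef | grep '[k]ube-controller-manager' | head -n 1)
  if [ -z "$line" ]; then
    echo "kube-controller-manager process not found" >&2
    return 1
  fi
  check_rotate_gate "$line"
}

# Example invocation when run as a script: audit_live
```

Note that this gate on the controller-manager only governs approval and rotation of kubelet serving-certificate CSRs; the kubelet itself must also be configured to request serving certificates (the `serverTLSBootstrap` kubelet configuration field), otherwise a `pass` here does not by itself mean serving certificates are being rotated.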

References:

  1. https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller
  2. Kubelet Server TLS Certificate Rotation kubernetes/enhancements#267
  3. Certificate rotation for kubelet server certs. kubernetes/kubernetes#45059
  4. https://kubernetes.io/docs/admin/kube-controller-manager/