kubelet - Configure the Client CA Certificate
An XCCDF Rule
Description
By default, the kubelet is not configured with a CA certificate which
can subject the kubelet to man-in-the-middle attacks.
To configure a client CA certificate, edit the kubelet configuration
file /etc/kubernetes/kubelet/kubelet-config.json
on the kubelet node(s) and set the below parameter:
authentication: ... x509: clientCAFile: /etc/kubernetes/pki/ca.crt ...
Rationale
Not having a CA certificate for the kubelet will subject the kubelet to possible man-in-the-middle attacks especially on unsafe or untrusted networks. Certificate validation for the kubelet allows the API server to validate the kubelet's identity.
- ID
- xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca
- Severity
- Medium
- Updated