
kubelet - Configure the Client CA Certificate

An XCCDF Rule

Description

By default, the kubelet is not configured with a CA certificate, which can subject it to man-in-the-middle attacks. To configure a client CA certificate, edit the kubelet configuration file /etc/kubernetes/kubelet/kubelet-config.json on the kubelet node(s) and set the following parameter:

authentication:
...
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
...
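
An added audit check for this setting (example code, not part of the XCCDF rule or the project's own content): it parses the kubelet configuration as JSON, as the file name above implies, and confirms that authentication.x509.clientCAFile is set and points at a readable file containing a PEM certificate. The function name, the constructed sample configs and the PEM-marker test are assumptions made for illustration.

```python
import json
import sys

PEM_MARKER = "-----BEGIN CERTIFICATE-----"

def _read(path):
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()

def check_client_ca(config_text, read_file=_read):
    """Audit kubelet config JSON text; return (compliant, reason)."""
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return False, f"config is not valid JSON: {exc.msg}"
    # Walk authentication -> x509 -> clientCAFile, naming the first missing key.
    node = cfg
    for key in ("authentication", "x509", "clientCAFile"):
        if not isinstance(node, dict) or key not in node:
            return False, f"'{key}' is missing"
        node = node[key]
    if not isinstance(node, str) or not node.strip():
        return False, "clientCAFile is empty"
    # A configured path that cannot be read, or holds no certificate, still fails.
    try:
        pem = read_file(node)
    except OSError as exc:
        return False, f"cannot read {node}: {exc.strerror}"
    if PEM_MARKER not in pem:
        return False, f"{node} contains no PEM certificate"
    return True, f"clientCAFile set to {node}"

# Constructed sample configs (not taken from a real node).
SAMPLE_OK = ('{"kind": "KubeletConfiguration", "authentication": '
             '{"x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"}}}')
SAMPLE_MISSING = '{"kind": "KubeletConfiguration", "authentication": {}}'

if __name__ == "__main__":
    # Default path is the one named in the rule; pass another as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/kubernetes/kubelet/kubelet-config.json"
    try:
        ok, reason = check_client_ca(_read(path))
    except OSError as exc:
        ok, reason = False, f"cannot read {path}: {exc.strerror}"
    print("PASS" if ok else "FAIL", "-", reason)
    sys.exit(0 if ok else 1)
```
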

Rationale

Without a CA certificate, the kubelet is exposed to possible man-in-the-middle attacks, especially on unsafe or untrusted networks. Certificate validation for the kubelet allows the API server to validate the kubelet's identity.

ID
xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca
Severity
Medium
References
Updated