kubelet - Hostname Override handling
An XCCDF Rule
Description
Normally, OpenShift lets the kubelet get the hostname from either the cloud provider itself, or from the node's hostname. This ensures that the PKI allocated by the deployment uses the appropriate values, is valid and keeps working throughout the lifecycle of the cluster. IP addresses are not used, and hence this makes it easier for security analysts to associate kubelet logs with the appropriate node.
Rationale
Allowing hostnames to be overridden creates issues around resolving nodes in addition to TLS configuration, certificate validation, and log correlation and validation.
- ID
- xccdf_org.ssgproject.content_rule_kubelet_disable_hostname_override
- Severity
- Low
- References
- Updated