kubelet - Hostname Override handling

An XCCDF Rule

Description

Normally, OpenShift lets the kubelet obtain its hostname either from the cloud provider or from the node's own hostname. This ensures that the PKI allocated by the deployment uses the appropriate values, is valid, and keeps working throughout the lifecycle of the cluster. Because IP addresses are not used, it is also easier for security analysts to associate kubelet logs with the appropriate node.

Rationale

Allowing hostnames to be overridden creates issues with resolving nodes, as well as with TLS configuration, certificate validation, and log correlation and validation.
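
A node-side check for this rule, as an added example that is not part of the original rule content: it scans kubelet arguments (unit file text or a NUL-separated process command line) on stdin for the upstream kubelet flag `--hostname-override`, in both its `=VALUE` and space-separated forms. The function names, sample unit text and host names are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a kubelet hostname override in arguments read from stdin.

# Print each value passed via --hostname-override; exit 0 only if the flag is present.
find_hostname_override() {
    tr '\0' '\n' |                  # /proc/<pid>/cmdline is NUL-separated
    grep -v '^[[:space:]]*#' |      # ignore commented-out unit lines
    sed 's/\\$//' |                 # drop systemd line continuations
    tr -s ' \t' '\n' |              # one argument per line
    awk '
        $0 == "" { next }
        want { gsub(/"/, ""); print; want = 0; next }      # "--flag VALUE" form
        /^--hostname-override=/ {                           # "--flag=VALUE" form
            sub(/^--hostname-override=/, ""); gsub(/"/, "")
            print; found = 1; next
        }
        $0 == "--hostname-override" { want = 1; found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Return 0 (compliant) when no override is configured, 1 otherwise.
check_kubelet_args() {
    if value=$(find_hostname_override); then
        echo "FAIL: kubelet hostname overridden to: $value"
        return 1
    fi
    echo "PASS: no hostname override configured"
}

# Constructed sample inputs (not taken from a real cluster).
COMPLIANT_UNIT='[Service]
# --hostname-override=old-name
ExecStart=/usr/bin/kubelet \
    --config=/etc/kubernetes/kubelet.conf \
    --v=2'

OVERRIDDEN_UNIT='[Service]
ExecStart=/usr/bin/kubelet \
    --config=/etc/kubernetes/kubelet.conf \
    --hostname-override=worker-0.example.test'

printf '%s\n' "$COMPLIANT_UNIT"  | check_kubelet_args || true
printf '%s\n' "$OVERRIDDEN_UNIT" | check_kubelet_args || true
```

On a node, the same functions can be fed the kubelet unit and its drop-ins or the running process's `/proc/<pid>/cmdline`.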

ID
xccdf_org.ssgproject.content_rule_kubelet_disable_hostname_override
Severity
Low