Ensure that the --kubelet-https argument is set to true

An XCCDF Rule

Description

The kube-apiserver ensures https to the kubelet by default. The apiserver flag "--kubelet-https" is deprecated and should be either set to "true" or omitted from the argument list.

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:

{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter with with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}} and persist it to the local /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 file.

Rationale

Connections from the kube-apiserver to kubelets could potentially carry sensitive data such as secrets and keys. It is thus important to use in-transit encryption for any communication between the apiserver and kubelets.

ID: xccdf_org.ssgproject.content_rule_api_server_https_for_kubelet_conn
Severity: Medium
References: CIP-003-8 R4.2 CIP-003-8 R6 CIP-004-6 R3 CIP-007-3 R5.1 CIP-007-3 R6.1

CM-6 CM-6(1) SC-8 SC-8(1)

Req-2.2 Req-2.3

SRG-APP-000516-CTR-001325

1.2.4
Updated: about 1 year ago