Configure the kubelet Certificate Key for the API Server
An XCCDF Rule
Description
To enable certificate-based kubelet authentication, edit the config configmap in the openshift-kube-apiserver namespace and set the parameter below in the config.yaml key if it is not already configured:

"apiServerArguments":{ ... "kubelet-client-key":"/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key", ... }

Note that this particular rule is only valid for OCP releases up to and including 4.8.
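The check this rule performs, as an added example rather than the rule's own OVAL content: it takes the JSON body of the config configmap as returned by the API, parses the config.yaml document embedded in its data, and verifies that apiServerArguments["kubelet-client-key"] carries the expected path. On OCP each apiServerArguments entry is a list of strings, so the checker accepts a list and, as an assumption, a bare string as well. The two configmap dumps are constructed for illustration and are not taken from a real cluster.

```python
"""Check a kube-apiserver configmap dump for the kubelet client key.

Added example, not part of the SSG rule content. It mirrors what the
rule checks: the configmap JSON from
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config, whose
data["config.yaml"] value is itself a JSON document on OCP.
"""
import json

EXPECTED_KEY_PATH = (
    "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"
)


def check_kubelet_client_key(configmap_dump: str,
                             expected: str = EXPECTED_KEY_PATH):
    """Return (passed, reason) for a configmap dump retrieved from the API."""
    try:
        configmap = json.loads(configmap_dump)
    except json.JSONDecodeError as exc:
        return False, f"configmap dump is not valid JSON: {exc}"

    raw_config = configmap.get("data", {}).get("config.yaml")
    if raw_config is None:
        return False, "config.yaml key missing from configmap data"

    try:
        config = json.loads(raw_config)
    except json.JSONDecodeError as exc:
        return False, f"config.yaml is not valid JSON: {exc}"

    args = config.get("apiServerArguments", {})
    value = args.get("kubelet-client-key")
    if value is None:
        return False, "kubelet-client-key not set in apiServerArguments"

    # OCP stores each argument as a list of strings; a bare string is
    # accepted too (assumption, to match the shape shown in the description).
    values = value if isinstance(value, list) else [value]
    if expected in values:
        return True, f"kubelet-client-key is {expected}"
    return False, f"kubelet-client-key is {values}, expected {expected}"


def _configmap_dump(api_server_arguments: dict) -> str:
    """Build a constructed configmap dump with the given apiServerArguments."""
    return json.dumps({
        "kind": "ConfigMap",
        "apiVersion": "v1",
        "metadata": {"name": "config",
                     "namespace": "openshift-kube-apiserver"},
        "data": {"config.yaml": json.dumps(
            {"apiServerArguments": api_server_arguments})},
    })


# Constructed sample: the key is configured as the rule requires.
COMPLIANT_DUMP = _configmap_dump({
    "kubelet-client-certificate": [
        "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],
    "kubelet-client-key": [EXPECTED_KEY_PATH],
})

# Constructed sample: the certificate is set but the key is absent, so the
# API Server would still fall back to anonymous requests to the kubelet.
NONCOMPLIANT_DUMP = _configmap_dump({
    "kubelet-client-certificate": [
        "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],
})

if __name__ == "__main__":
    for name, dump in (("compliant", COMPLIANT_DUMP),
                       ("non-compliant", NONCOMPLIANT_DUMP)):
        passed, reason = check_kubelet_client_key(dump)
        print(f"{name}: {'PASS' if passed else 'FAIL'} ({reason})")
```

To feed it a real dump, `oc get --raw /api/v1/namespaces/openshift-kube-apiserver/configmaps/config` returns exactly the JSON body the checker expects; writing that output to the local path named in the warning below is what lets the scanner evaluate the rule offline.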
Warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /api/v1/namespaces/openshift-kube-apiserver/configmaps/config API endpoint, and save its response to the local /api/v1/namespaces/openshift-kube-apiserver/configmaps/config file.
Rationale
By default the API Server does not authenticate itself to the kubelet's HTTPS endpoints. Requests from the API Server are treated anonymously. Configuring certificate-based kubelet authentication ensures that the API Server authenticates itself to kubelets when submitting requests.
- ID: xccdf_org.ssgproject.content_rule_api_server_kubelet_client_key_pre_4_9
- Severity: High
- Updated