
Ensure that the RotateKubeletServerCertificate argument is set

An XCCDF Rule

Description

To enforce kubelet server certificate rotation on the Controller Manager, set the RotateKubeletServerCertificate option to true in the openshift-kube-controller-manager configmap on the master node(s):

"extendedArguments": {
  ...
  "feature-gates": [
    ...
    "RotateKubeletServerCertificate=true",
    ...
  ...

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • the {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config{{end}} API endpoint; filter the response with the jq utility using the filter {{if ne .hypershift_cluster "None"}}.items[0].spec.containers[0].args{{else}}.data."config.yaml" | fromjson | .extendedArguments["feature-gates"]{{end}} and persist the result to the local /api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#4cbbbf49b93400715e43dc698f6484799805c502ad3aeb8285de579753b54d31 file.
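The evaluation the check performs on that persisted dump, written out as an added example (not code from the ComplianceAsCode project): it follows the same extraction path as the jq filter for both the plain configmap and the HyperShift pod-args variant, then decides whether the RotateKubeletServerCertificate gate is explicitly true. The configmap and pod JSON below are constructed samples, not real cluster output.

```python
"""Offline evaluation of the RotateKubeletServerCertificate feature-gate check."""
import json

# Constructed sample: minimal openshift-kube-controller-manager/config configmap as the
# API returns it. Note that config.yaml is itself a JSON document stored as a string.
COMPLIANT_CONFIGMAP = json.dumps({"data": {"config.yaml": json.dumps({
    "extendedArguments": {"feature-gates": [
        "APIPriorityAndFairness=true", "RotateKubeletServerCertificate=true"]}})}})

NONCOMPLIANT_CONFIGMAP = json.dumps({"data": {"config.yaml": json.dumps({
    "extendedArguments": {"feature-gates": ["RotateKubeletServerCertificate=false"]}})}})

# Constructed sample for the HyperShift branch: a pod list whose first container
# carries all gates in a single comma-separated --feature-gates argument.
HYPERSHIFT_PODS = json.dumps({"items": [{"spec": {"containers": [{"args": [
    "--controllers=*",
    "--feature-gates=RotateKubeletServerCertificate=true,SomeOtherGate=false"]}]}}]})


def feature_gates_from_configmap(dump: str) -> list:
    """Same path as the rule's jq filter: .data."config.yaml" | fromjson | .extendedArguments["feature-gates"]."""
    cfg = json.loads(json.loads(dump)["data"]["config.yaml"])
    return cfg.get("extendedArguments", {}).get("feature-gates", [])


def feature_gates_from_pod_args(dump: str) -> list:
    """HyperShift path: .items[0].spec.containers[0].args, keeping only --feature-gates values."""
    args = json.loads(dump)["items"][0]["spec"]["containers"][0]["args"]
    return [a.split("=", 1)[1] for a in args if a.startswith("--feature-gates=")]


def parse_gates(entries: list) -> dict:
    """Flatten entries of the form 'Name=value' or 'A=true,B=false' into a name -> value map."""
    gates = {}
    for entry in entries:
        for item in entry.split(","):
            if "=" in item:
                name, value = item.split("=", 1)
                gates[name.strip()] = value.strip().lower()
    return gates


def rotate_kubelet_server_cert_enabled(entries: list) -> bool:
    """Pass only when the gate is explicitly present and true; like the rule's check,
    a missing gate is reported as a finding rather than assumed from any default."""
    return parse_gates(entries).get("RotateKubeletServerCertificate") == "true"


if __name__ == "__main__":
    print("configmap compliant:", rotate_kubelet_server_cert_enabled(feature_gates_from_configmap(COMPLIANT_CONFIGMAP)))
    print("hypershift compliant:", rotate_kubelet_server_cert_enabled(feature_gates_from_pod_args(HYPERSHIFT_PODS)))
```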

Functionality Warning

This recommendation only applies if you let kubelets get their certificates from the API Server. If your certificates come from an outside Certificate Authority or tool (e.g. Vault), then you need to take care of rotation yourself.

Rationale

Enabling kubelet certificate rotation causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate that certificate as its existing credentials expire. This automated periodic rotation ensures that there is no downtime due to expired certificates and thus addresses availability in the C/I/A security triad.

ID
xccdf_org.ssgproject.content_rule_controller_rotate_kubelet_server_certs
Severity
Medium
References
Updated