kubelet - Configure the Client CA Certificate

Description

By default, the kubelet is not configured with a CA certificate which can subject the kubelet to man-in-the-middle attacks. To configure a client CA certificate, edit the kubelet configuration file /etc/kubernetes/kubelet.conf on the kubelet node(s) and set the below parameter:

authentication:
...
  x509:
    clientCAFile: /etc/kubernetes/kubelet-ca.crt
...

Rationale

Not having a CA certificate for the kubelet will subject the kubelet to possible man-in-the-middle attacks especially on unsafe or untrusted networks. Certificate validation for the kubelet allows the API server to validate the kubelet's identity.

ID: xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca_master
Severity: Medium
References: CIP-003-8 R6 CIP-004-6 R3 CIP-007-3 R6.1

CM-6 CM-6(1)

SRG-APP-000516-CTR-001325

4.2.3
Updated: about 1 year ago