
Ensure That The kubelet Client Certificate Is Correctly Set

An XCCDF Rule

Description

To ensure the kubelet TLS client certificate is configured, edit the kubelet configuration file /etc/kubernetes/kubelet.conf and configure the kubelet certificate file.

tlsCertFile: /path/to/TLS/cert.key

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • the {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint; filter the result with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson | select(.apiServerArguments["kubelet-client-certificate"]) | .apiServerArguments["kubelet-client-certificate"][] | select(test("/etc/kubernetes/certs/kubelet/tls.crt"))]{{else}}[.data."config.yaml" | fromjson | select(.apiServerArguments["kubelet-client-certificate"]) | .apiServerArguments["kubelet-client-certificate"][] | select(test("{{.var_apiserver_kubelet_client_cert}}"))]{{end}} and persist it to the local /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#e5500055b4aa2fcf00dc09ad0e66e44b6b42d67f8d53d1e72ff81b32f0e09865 file.
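As an added illustration that is not part of this rule or of the compliance content it belongs to, the jq filter above expressed in Python over a constructed ConfigMap: the ConfigMap contents and the expected certificate path are constructed sample values, not values taken from a real cluster.

```python
import json
import re

# Constructed sample of the openshift-kube-apiserver "config" ConfigMap as the
# API returns it; note that .data."config.yaml" is itself a JSON document.
SAMPLE_CONFIGMAP = {
    "kind": "ConfigMap",
    "metadata": {"name": "config", "namespace": "openshift-kube-apiserver"},
    "data": {
        "config.yaml": json.dumps({
            "apiServerArguments": {
                "kubelet-client-certificate": [
                    "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt"
                ],
                "kubelet-client-key": [
                    "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key"
                ],
            }
        })
    },
}

# Constructed ConfigMap whose kube-apiserver config lacks the argument entirely.
MISSING_ARG_CONFIGMAP = {
    "data": {"config.yaml": json.dumps({"apiServerArguments": {}})},
}


def kubelet_client_cert_paths(configmap, data_key="config.yaml"):
    """Mirror the first part of the jq filter: take .data[data_key], parse it
    as JSON and return apiServerArguments["kubelet-client-certificate"]
    (an empty list when the key or the argument is absent)."""
    raw = configmap.get("data", {}).get(data_key)
    if raw is None:
        return []
    args = json.loads(raw).get("apiServerArguments", {})
    return list(args.get("kubelet-client-certificate", []))


def check_kubelet_client_cert(configmap, expected, data_key="config.yaml"):
    """Mirror select(test(expected)): the check passes when at least one
    configured path matches the expected regex. Returns (passed, matches)."""
    matches = [p for p in kubelet_client_cert_paths(configmap, data_key)
               if re.search(expected, p)]
    return (len(matches) > 0, matches)


if __name__ == "__main__":
    passed, found = check_kubelet_client_cert(
        SAMPLE_CONFIGMAP, "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt")
    print("PASS" if passed else "FAIL", found)
```

For the HyperShift branch of the filter, call it with data_key="config.json" and the fixed path /etc/kubernetes/certs/kubelet/tls.crt from the warning; an empty argument list yields FAIL, which is the condition this rule is meant to surface.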

Rationale

Without cryptographic integrity protections, information can be altered by unauthorized users without detection.

ID
xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert
Severity
Medium
References
Updated