Ensure That The kubelet Client Certificate Is Correctly Set

An XCCDF Rule

Description

To ensure the kubelet TLS client certificate is configured, edit the kubelet configuration file /etc/kubernetes/kubelet.conf and configure the kubelet certificate file.

tlsCertFile: /path/to/TLS/cert.key

Note that this particular rule is only valid for OCP releases up to and including 4.8.

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API to retrieve the /api/v1/namespaces/openshift-kube-apiserver/configmaps/config API endpoint and save it to the local /api/v1/namespaces/openshift-kube-apiserver/configmaps/config file.

Rationale

Without cryptographic integrity protections, information can be altered by unauthorized users without detection.

ID
xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert_pre_4_9
Severity
Medium