kubelet - Hostname Override handling
An XCCDF Rule
Description
Normally, OpenShift lets the kubelet obtain its hostname either from the cloud provider itself or from the node's hostname. This ensures that the PKI allocated by the deployment uses the appropriate values, is valid, and keeps working throughout the lifecycle of the cluster. Because IP addresses are not used, this also makes it easier for security analysts to associate kubelet logs with the appropriate node.
Rationale
Allowing hostnames to be overridden creates issues around resolving nodes, in addition to TLS configuration, certificate validation, and log correlation and validation. However, in some cases explicitly overriding this parameter is necessary to ensure that the node name stays as it is under certain upgrade conditions, e.g. in AWS and OpenStack when migrating to external cloud providers.
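A small audit check for this rule, added here as an example rather than taken from the rule's own OVAL content: it inspects a kubelet command line for the `--hostname-override` flag and reports a pass, a fail, or an exception for the AWS/OpenStack migration case the rationale describes. The command lines, the platform argument and the node names are constructed for the example.

```python
"""Audit a kubelet argument vector for --hostname-override (added example)."""
import shlex

# Platforms the rationale names as legitimately needing the override while
# migrating to an external cloud provider. Assumption: the caller knows the
# platform; a real scanner would read it from the cluster's Infrastructure object.
MIGRATION_PLATFORMS = {"aws", "openstack"}


def hostname_override(cmdline: str):
    """Return the overriding hostname if --hostname-override is set, else None.

    Both spellings of the flag are handled: '--hostname-override=VALUE' and
    '--hostname-override VALUE'. An empty value still counts as an override.
    """
    argv = shlex.split(cmdline)
    for i, arg in enumerate(argv):
        if arg == "--hostname-override":
            return argv[i + 1] if i + 1 < len(argv) else ""
        if arg.startswith("--hostname-override="):
            return arg.split("=", 1)[1]
    return None


def evaluate(cmdline: str, platform: str):
    """Return (status, detail): 'pass', 'fail' or 'exception' for this rule."""
    value = hostname_override(cmdline)
    if value is None:
        return "pass", "node name comes from the host or the cloud provider"
    if platform.lower() in MIGRATION_PLATFORMS:
        return "exception", (f"override '{value}' tolerated during {platform} "
                             "external cloud-provider migration")
    return "fail", (f"--hostname-override set to '{value}'; node name no longer "
                    "matches the host or its PKI, breaking log correlation")


# Constructed sample command lines (not captured from a real cluster).
SAMPLE_CLEAN = "/usr/bin/kubelet --config=/path/to/kubelet.conf --cloud-provider=external"
SAMPLE_OVERRIDE = ("/usr/bin/kubelet --config=/path/to/kubelet.conf "
                   "--hostname-override=ip-10-0-0-5.example.internal")

if __name__ == "__main__":
    for line in (SAMPLE_CLEAN, SAMPLE_OVERRIDE):
        print(evaluate(line, "gcp"))
```

On a live node the same check would be fed the kubelet's unit file or `/proc/<pid>/cmdline` rather than the constructed samples.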
- ID: xccdf_org.ssgproject.content_rule_kubelet_disable_hostname_override
- Severity: Low