Ensure the --kubelet-certificate-authority argument is set appropriately

Error: The --kubelet-certificate-authority argument is not set appropriately

Bridgecrew Policy ID: BC_K8S_51
Checkov Check ID: CKV_K8S_73
Severity: HIGH

The --kubelet-certificate-authority argument is not set appropriately


Verify kubelet's certificate before establishing connection.The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet’s port-forwarding functionality. These connections terminate at the kubelet’s HTTPS endpoint. By default, the apiserver does not verify the kubelet’s serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.

Fix - Buildtime


  • Kind: Pod
apiVersion: v1
kind: Pod
  creationTimestamp: null
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
  - command:
+   - kube-apiserver
+   - --kubelet-certificate-authority=ca.file
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0