Ensure the --kubelet-client-certificate and --kubelet-client-key arguments are set appropriately
Error: The --kubelet-client-certificate and --kubelet-client-key arguments are not set appropriately
Bridgecrew Policy ID: BC_K8S_50
Checkov Check ID: CKV_K8S_72
Severity: HIGH
Description
Enable certificate-based kubelet authentication. By default, the apiserver does not authenticate itself to the kubelet's HTTPS endpoints, so its requests are treated as anonymous. Set up certificate-based kubelet authentication so that the apiserver authenticates itself to kubelets when submitting requests.
Fix - Buildtime
Kubernetes
- Kind: Pod
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
+   - kube-apiserver
+   - --kubelet-client-certificate=/path/to/cert
+   - --kubelet-client-key=/path/to/key
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    ...
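A simplified sketch of what this policy looks for, added here as an example and not Checkov's own implementation. The function names `missing_kubelet_client_flags` and `make_pod` are hypothetical, and the sample manifests are constructed dicts standing in for parsed YAML.

```python
# Added example: a simplified version of the idea behind this check,
# not Checkov's own source code.
REQUIRED_FLAGS = ("--kubelet-client-certificate", "--kubelet-client-key")


def _is_apiserver(argv):
    # Match "kube-apiserver" or a full path ending in it.
    return any(a.rsplit("/", 1)[-1] == "kube-apiserver" for a in argv)


def missing_kubelet_client_flags(pod):
    """Return the required flags a kube-apiserver Pod manifest lacks.

    `pod` is a manifest already parsed into a dict. Containers that do not
    run kube-apiserver are skipped; an empty list means the check passes.
    """
    missing = []
    for container in pod.get("spec", {}).get("containers") or []:
        # Flags may be listed under either `command` or `args`.
        argv = [str(a) for a in (container.get("command") or [])
                + (container.get("args") or [])]
        if not _is_apiserver(argv):
            continue
        values = {}
        for item in argv:
            flag, sep, value = item.partition("=")
            if sep:
                values[flag] = value.strip()
        for flag in REQUIRED_FLAGS:
            # An empty value is treated the same as a missing flag.
            if not values.get(flag) and flag not in missing:
                missing.append(flag)
    return missing


def make_pod(*flags):
    """Build a constructed sample manifest with the given apiserver flags."""
    return {"kind": "Pod", "spec": {"containers": [
        {"name": "kube-apiserver", "command": ["kube-apiserver", *flags]}]}}


if __name__ == "__main__":
    fixed = make_pod("--kubelet-client-certificate=/path/to/cert",
                     "--kubelet-client-key=/path/to/key")
    cert_only = make_pod("--kubelet-client-certificate=/path/to/cert")
    print(missing_kubelet_client_flags(fixed))
    print(missing_kubelet_client_flags(cert_only))
```

Setting only one of the two flags, or setting a flag to an empty value, is reported the same way as omitting it.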