Ensure the --kubelet-client-certificate and --kubelet-client-key arguments are set appropriately

Error: The --kubelet-client-certificate and --kubelet-client-key arguments are not set appropriately

Bridgecrew Policy ID: BC_K8S_50
Checkov Check ID: CKV_K8S_72
Severity: HIGH

Description

Enable certificate-based kubelet authentication. By default, the apiserver does not authenticate itself to the kubelet's HTTPS endpoints, so requests from the apiserver are treated as anonymous. Set up certificate-based kubelet authentication so that the apiserver authenticates itself to kubelets when submitting requests.
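A manifest check for the condition described above, as an added example (not Checkov's own CKV_K8S_72 implementation): it takes an already-parsed Pod manifest as a dict and reports which of the two flags are absent or empty on each kube-apiserver container. The function names and the sample manifest are constructed for illustration.

```python
# Added example: the flag names come from the page; the function names and
# the sample manifest are constructed for illustration.
REQUIRED_FLAGS = ("--kubelet-client-certificate", "--kubelet-client-key")


def parse_flags(argv):
    """Map each --flag to its value, accepting '--flag=value' and '--flag value'."""
    flags = {}
    for i, token in enumerate(argv):
        if not isinstance(token, str) or not token.startswith("--"):
            continue
        name, sep, value = token.partition("=")
        if not sep:
            # Space-separated form: the value is the next token unless it is another flag.
            nxt = argv[i + 1] if i + 1 < len(argv) else ""
            value = nxt if isinstance(nxt, str) and not nxt.startswith("--") else ""
        flags[name] = value.strip()
    return flags


def missing_kubelet_client_flags(pod):
    """Return {container name: [required flags that are absent or empty]}.

    Only containers that run kube-apiserver are inspected; an empty dict
    means every kube-apiserver container sets both flags.
    """
    findings = {}
    for c in (pod.get("spec") or {}).get("containers") or []:
        argv = list(c.get("command") or []) + list(c.get("args") or [])
        if not any(isinstance(a, str) and a.rsplit("/", 1)[-1] == "kube-apiserver" for a in argv):
            continue
        flags = parse_flags(argv)
        missing = [f for f in REQUIRED_FLAGS if not flags.get(f)]
        if missing:
            findings[c.get("name", "<unnamed>")] = missing
    return findings


# Constructed sample: a kube-apiserver Pod with only the certificate flag set.
CERT_ONLY = {"kind": "Pod", "spec": {"containers": [{
    "name": "kube-apiserver",
    "command": ["kube-apiserver", "--kubelet-client-certificate=/path/to/cert"],
}]}}

if __name__ == "__main__":
    print(missing_kubelet_client_flags(CERT_ONLY))
```

A certificate without its key, or a flag with an empty value, is reported the same way as a missing flag, since the apiserver cannot present a client identity in either case.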

Fix - Buildtime

Kubernetes

  • Kind: Pod
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
+   - kube-apiserver
+   - --kubelet-client-certificate=/path/to/cert
+   - --kubelet-client-key=/path/to/key
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    ...
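Review bot: the `+` on `- kube-apiserver` marks the binary name as part of the change, but that entry is the existing first element of `command`; only the two `--kubelet-client-*` lines are the actual fix, so keep the existing entry and add the flags beneath it. `/path/to/cert` and `/path/to/key` are placeholders and need to be replaced with the real client certificate and key paths, and both flags must be set together since the certificate and its key are a pair.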