Ensure the --tls-cert-file and --tls-private-key-file arguments are set appropriately for API servers

Error: The --tls-cert-file and --tls-private-key-file arguments are not set appropriately for API servers

Bridgecrew Policy ID: BC_K8S_75
Checkov Check ID: CKV_K8S_100
Severity: HIGH

The --tls-cert-file and --tls-private-key-file arguments are not set appropriately for API servers

Description

API server communication contains sensitive parameters that should remain encrypted in transit. Configure the API server to serve only HTTPS traffic by setup TLS connection on the API server. By default, --tls-cert-file and --tls-private-key-file arguments are not set.

Fix - Buildtime

Kubernetes

  • Kind: Pod
apiVersion: v1
  kind: Pod
  metadata:
    creationTimestamp: null
    labels:
      component: kube-apiserver
      tier: control-plane
    name: kube-apiserver
    namespace: kube-system
  spec:
    containers:
    - command:
       - kube-apiserver
+      - --tls-cert-file=/path/to/cert
+      - --tls-private-key-file=/path/to/key
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      livenessProbe:
        failureThreshold: 8
        httpGet:
          host: 127.0.0.1
          path: /healthz
          port: 6443
          scheme: HTTPS
        initialDelaySeconds: 15
        timeoutSeconds: 15
      name: kube-apiserver
      resources:
        requests:
          cpu: 250m
      volumeMounts:
      - mountPath: /etc/kubernetes/
        name: k8s
        readOnly: true
      - mountPath: /etc/ssl/certs
        name: certs
      - mountPath: /etc/pki
        name: pki
    hostNetwork: true
    volumes:
    - hostPath:
        path: /etc/kubernetes
      name: k8s
    - hostPath:
        path: /etc/ssl/certs
      name: certs
    - hostPath:
        path: /etc/pki
      name: pki