Ensure the --tls-cert-file and --tls-private-key-file arguments are set appropriately for Kubelet

Error: The --tls-cert-file and --tls-private-key-file arguments are not set appropriately for Kubelet

Bridgecrew Policy ID: BC_K8S_104
Checkov Check ID: CKV_K8S_148
Severity: HIGH

The --tls-cert-file and --tls-private-key-file arguments are not set appropriately for Kubelet

Description

API server communication contains sensitive parameters that should remain encrypted in transit. Configure the API server to serve only HTTPS traffic by setting up a TLS connection on the API server. By default, the --tls-cert-file and --tls-private-key-file arguments are not set.

Fix - Buildtime

Kubernetes

  • Kind: Pod
  apiVersion: v1
  kind: Pod
  metadata:
    creationTimestamp: null
    labels:
      component: kube-apiserver
      tier: control-plane
    name: kube-apiserver
    namespace: kube-system
  spec:
    containers:
    - command:
       - kube-apiserver
+      - --tls-cert-file=/path/to/cert
+      - --tls-private-key-file=/path/to/key
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      ...
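
To audit a manifest for this setting before deployment, the following added example (not Checkov's implementation of CKV_K8S_148 and not code from this page) reports which of the two flags are absent or empty on a kube-apiserver container. The function names, the container name and the sample pods are constructed for illustration; the pod is assumed to be already parsed into a dict.

```python
# Added example: not Checkov's own check code. Sample pods below are constructed.
REQUIRED_FLAGS = ("--tls-cert-file", "--tls-private-key-file")


def parse_flags(argv):
    """Map each --flag to its value; accepts '--flag=value' and '--flag value'."""
    flags, i = {}, 0
    while i < len(argv):
        name, sep, value = argv[i].partition("=")
        if name.startswith("--"):
            if not sep and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                i += 1
                value = argv[i]
            flags[name] = value.strip()
        i += 1
    return flags


def missing_tls_flags(pod):
    """Return {container name: [required flags absent or empty]} for kube-apiserver containers."""
    findings = {}
    for c in (pod.get("spec") or {}).get("containers") or []:
        argv = [str(a) for a in (c.get("command") or []) + (c.get("args") or [])]
        if not any(a.rsplit("/", 1)[-1] == "kube-apiserver" for a in argv):
            continue  # not an API server container, nothing to check
        flags = parse_flags(argv)
        missing = [f for f in REQUIRED_FLAGS if not flags.get(f)]
        if missing:
            findings[c.get("name", "<unnamed>")] = missing
    return findings


def apiserver_pod(*extra):
    """Constructed sample: a pod shaped like the manifest above."""
    return {"kind": "Pod", "spec": {"containers": [
        {"name": "kube-apiserver", "command": ["kube-apiserver", *extra]}]}}


if __name__ == "__main__":
    samples = {
        "fixed": apiserver_pod("--tls-cert-file=/path/to/cert",
                               "--tls-private-key-file=/path/to/key"),
        "default": apiserver_pod("--secure-port=6443"),
        "empty value": apiserver_pod("--tls-cert-file=", "--tls-private-key-file", "/path/to/key"),
    }
    for label, pod in samples.items():
        print(label, "->", missing_tls_flags(pod) or "PASS")
```

A flag given with an empty value (`--tls-cert-file=`) is reported as missing, since it leaves the certificate path unset just as omitting the flag does.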
