1.1.5 Ensure that the --kubelet-https argument is set to true

Information

Use https for kubelet connections.

Rationale:

Connections from apiserver to kubelets could potentially carry sensitive data such as secrets and keys. It is thus important to use in-transit encryption for any communication between the apiserver and kubelets.

Solution

Edit the `/etc/kubernetes/apiserver` file on the master node and remove the `--kubelet-https` argument from the `KUBE_API_ARGS` parameter. Based on your system, restart the `kube-apiserver` service. For example: `systemctl restart kube-apiserver.service`

Impact:

You require TLS to be configured on apiserver as well as kubelets.

See Also

https://workbench.cisecurity.org/files/1738

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8(1), CSCv6|14.2

Plugin: Unix

Control ID: 070acf7b1d326419bdc3d8229a990448d9a0bc8698b0fa6340c243d5ea88e1a5