1.2.4 Ensure that the --kubelet-https argument is set to true

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Use https for kubelet connections.

Rationale:

Connections from apiserver to kubelets could potentially carry sensitive data such as secrets and keys. It is thus important to use in-transit encryption for any communication between the apiserver and kubelets.

Solution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --kubelet-https parameter.

Impact:

You require TLS to be configured on apiserver as well as kubelets.

Default Value:

By default, kubelet connections are over https.

References:

https://kubernetes.io/docs/admin/kube-apiserver/

https://kubernetes.io/docs/admin/kubelet-authentication-authorization/

See Also

https://workbench.cisecurity.org/files/2662

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8(1), CSCv6|14.2, CSCv7|14.4

Plugin: Unix

Control ID: 9b09b74f96a3f4ac0dbf5042da937564a2184dc3616988f3fa4e5586110dcd8c