1.3.4 Ensure that the --root-ca-file argument is set as appropriate

Information

Allow pods to verify the API server's serving certificate before establishing connections.

Rationale:

Processes running within pods that need to contact the API server must verify the API server's serving certificate. Failing to do so could be a subject to man-in-the-middle attacks.

Providing the root certificate for the API server's serving certificate to the controller manager with the --root-ca-file argument allows the controller manager to inject the trusted bundle into pods so that they can verify TLS connections to the API server.

Impact:

OpenShift clusters manage and maintain certificate authorities and certificates for cluster components.

Solution

None.

Default Value:

By default, OpenShift sets the Kubernetes Controller Manager root-ca-file to /etc/kubernetes/static-pod-resources/configmaps/serviceaccount-ca/ca-bundle.crt.

Certificates for OpenShift platform components are automatically created and rotated by the OpenShift Container Platform.

See Also

https://workbench.cisecurity.org/benchmarks/14166

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(8), CSCv7|4.4

Plugin: OpenShift

Control ID: 76514a55d1fdbd1e50e30adbe31d8d8648d67238c973b083bc2fd08e555f1049