Profile applicability: Level 1 - Master Node
Enable kubelet server certificate rotation on controller-manager.
RotateKubeletServerCertificate causes the kubelet to both request a serving certificate after bootstrapping its
client credentials and rotate the certificate as its existing credentials expire.
This automated periodic rotation ensures that the there are no downtimes due to expired
certificates and thus addressing availability in the CIA security triad. |
NoteThis recommendation only applies if you let kubelets get their certificates from the
API server. In case your kubelet certificates come from an outside authority/tool
(e.g. Vault) then you need to take care of rotation yourself.
|
|
NoteBy default,
RotateKubeletServerCertificate is set to True; this recommendation verifies that it has not been disabled. |
Audit
Run the following command on the Control Plane node:
ps -ef | grep kube-controller-manager
Verify that
RotateKubeletServerCertificate argument exists and is set to true.Remediation
Edit the Controller Manager pod specification file
/etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.--feature-gates=RotateKubeletServerCertificate=true