Client certificate / key for apiserver not set

ID: api_server_kubelet_client_cert_and_key
Severity: high
Vendor: Kubernetes
Resource: kube-apiserver
Tags: reachable

Description

The Kubernetes API Server validates and configures data for the api objects which include pods, services, replication controllers, and others.

Enable certificate-based kubelet authentication. By default, the apiserver does not authenticate itself to the kubelet HTTPS endpoints, so the kubelet treats its requests as anonymous. Set up certificate-based kubelet authentication so that the apiserver authenticates itself to kubelets when submitting requests.

Setting proper values for the --kubelet-client-certificate and --kubelet-client-key arguments is therefore mandatory to keep these connections safe against man-in-the-middle attacks.

Learn more about this topic at PKI certificates and requirements.

Examples

apiVersion: v1
kind: Pod
metadata:
  name: bad (1)
spec:
  containers:
  - command:
    - kube-apiserver
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.9.0
    name: bad-container
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /health
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki
1 Missing --kubelet-client-certificate and --kubelet-client-key command arguments mean the API Server does not authenticate itself when submitting requests.

Mitigation / Fix

apiVersion: v1
kind: Pod
metadata:
  name: good
spec:
  containers:
  - command:
    - kube-apiserver
    - --kubelet-client-certificate=/path/to/cert (1)
    - --kubelet-client-key=/path/to/key (1)
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.9.0
    name: good-container
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /health
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki
1 Provided --kubelet-client-certificate and --kubelet-client-key command arguments mean the API Server authenticates itself when submitting requests.
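The check this rule performs, as an added example that is not part of the page or of any scanner's own code: it takes a Pod manifest as a plain dict (what `kubectl get pod -o json` or `yaml.safe_load` returns, so no YAML library is assumed), locates the kube-apiserver command and reports each of the two flags that is missing or empty. The sample manifests are constructed to mirror the bad and good Pods above; handling of the `--flag value` form and of a `sh -c "kube-apiserver ..."` wrapper goes beyond the page's examples.

```python
import shlex

REQUIRED_FLAGS = ("--kubelet-client-certificate", "--kubelet-client-key")


def apiserver_argv(container):
    """kube-apiserver argv of a container (flags may sit in command or args), or None."""
    tokens = []
    for tok in list(container.get("command") or []) + list(container.get("args") or []):
        # A `sh -c "kube-apiserver ..."` wrapper keeps the whole command in one string.
        tokens.extend(shlex.split(tok) if " " in tok else [tok])
    for i, tok in enumerate(tokens):
        if tok.endswith("kube-apiserver"):
            return tokens[i:]
    return None


def flag_values(argv):
    """Map each --flag to its value; both '--flag=v' and '--flag v' forms count."""
    values, i = {}, 0
    while i < len(argv):
        name, sep, val = argv[i].partition("=")
        if name.startswith("--"):
            if not sep and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                val, i = argv[i + 1], i + 1  # space-separated value
            values[name] = val
        i += 1
    return values


def check_pod(pod):
    """Findings for every kube-apiserver container in the Pod; [] means it passes."""
    findings = []
    for c in pod.get("spec", {}).get("containers", []):
        argv = apiserver_argv(c)
        if argv is None:
            continue  # not an apiserver container, out of scope for this rule
        present = flag_values(argv)
        for flag in REQUIRED_FLAGS:
            if flag not in present:
                findings.append(f"{c['name']}: {flag} not set")
            elif not present[flag]:
                findings.append(f"{c['name']}: {flag} has an empty value")
    return findings


# Constructed manifests mirroring the page's "bad" and "good" Pods (paths are placeholders).
BAD_POD = {"spec": {"containers": [{"name": "bad-container", "command": ["kube-apiserver"]}]}}
GOOD_POD = {"spec": {"containers": [{"name": "good-container", "command": [
    "kube-apiserver", "--kubelet-client-certificate=/path/to/cert",
    "--kubelet-client-key=/path/to/key"]}]}}
```

`check_pod(BAD_POD)` returns one finding per missing flag, `check_pod(GOOD_POD)` returns an empty list.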