Apiserver does not set TLS key and certificate

ID

api_server_tls_cert_and_key

Severity

low

Vendor

Kubernetes

Resource

kube-apiserver

Tags

reachable

Description

The Kubernetes API Server validates and configures data for the api objects which include pods, services, replication controllers, and others.

By default, the apiserver does not verify the kubelet serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.

Thus, setting a proper value for the arguments --tls-cert-file and --tls-private-key-file is mandatory to keep connections safe to man-in-the-middle attacks.

Learn more about this topic at PKI certificates and requirements.

Examples

apiVersion: v1
kind: Pod
metadata:
  name: bad (1)
spec:
  containers:
  - command:
    - kube-apiserver
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.9.0
    name: bad-container
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /health
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki
1 Missing --tls-cert-file and --tls-private-key-file command arguments means HTTPS only is not enabled.

Mitigation / Fix

apiVersion: v1
kind: Pod
metadata:
  name: good
spec:
  containers:
  - command:
    - kube-apiserver
    - --tls-cert-file=/path/to/cert (1)
    - --tls-private-key-file=/path/to/key (1)
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.9.0
    name: good-container
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /health
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki
1 Provided --tls-cert-file and --tls-private-key-file command arguments means HTTPS only is enabled.