Controller Manager without RotateKubeletServerCertificate set

ID

kube_controller_manager_rotate_server_certificate

Severity

low

Vendor

Kubernetes

Resource

kube-controller-manager

Tags

reachable

Description

The Kubernetes controller manager is a daemon that embeds the core control loops shipped with Kubernetes.

It is recommended to set RotateKubeletServerCertificate to true so that kubelet serving certificates are rotated automatically before they expire. An expired serving certificate breaks API server to kubelet connections, so this is an availability concern rather than a confidentiality one.

This recommendation only applies if kubelets obtain their serving certificates from the Kubernetes API server. If the kubelet certificates come from an outside authority or tool (e.g. Vault), rotation has to be handled there, and this check can be disabled in your policy.

The check reports a flaw when the controller manager does not set RotateKubeletServerCertificate=true in its --feature-gates argument.

Learn more about this topic at Configure Certificate Rotation for the Kubelet.

Examples

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-controller-manager
    tier: control-plane
  name: weak
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-controller-manager (1)
    - --controllers=*,bootstrapsigner,tokencleaner
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
1 The --feature-gates argument is absent, so RotateKubeletServerCertificate=true is not set and kubelet serving certificates are not rotated automatically before they expire.

Mitigation / Fix

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-controller-manager
    tier: control-plane
  name: good
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-controller-manager
    - --controllers=*,bootstrapsigner,tokencleaner
    - --feature-gates=RotateKubeletServerCertificate=true,VolumePVCDataSource=True  (1)
    image: gcr.io/<image>
1 Verify that RotateKubeletServerCertificate=true is set explicitly in --feature-gates.
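The check described above, implemented as an added example (this is not the original check's code): it parses every --feature-gates occurrence on a kube-controller-manager command line the way Kubernetes map flags behave (comma-separated NAME=BOOL pairs, repeated flags merged with the later value winning, Go strconv.ParseBool spellings of true and false) and runs the audit over Pod objects shaped like `kubectl get pod -o json` output. The function names, the WEAK_POD and GOOD_POD samples, and the finding message format are assumptions made for this example; the samples mirror the weak and fixed manifests above.

```python
"""Audit kube-controller-manager command lines for RotateKubeletServerCertificate=true.

Added example; not the original check's implementation. Parsing rules mirror how
Kubernetes map flags behave: comma-separated NAME=BOOL pairs, repeated flags merged
with the later value winning, Go strconv.ParseBool spellings of true/false.
"""
from typing import Dict, List

GATE = "RotateKubeletServerCertificate"
FLAG = "--feature-gates"

# Spellings accepted by Go's strconv.ParseBool, which Kubernetes uses for gate values.
_TRUE = {"1", "t", "T", "TRUE", "true", "True"}
_FALSE = {"0", "f", "F", "FALSE", "false", "False"}


def parse_feature_gates(argv: List[str]) -> Dict[str, bool]:
    """Return the merged feature-gate map from every --feature-gates occurrence in argv.

    Both '--feature-gates=a=true,b=false' and '--feature-gates a=true' forms are handled.
    A malformed entry raises ValueError instead of being skipped, because a controller
    manager started with such a flag would refuse to start as well.
    """
    gates: Dict[str, bool] = {}
    i = 0
    while i < len(argv):
        arg, value = argv[i], None
        if arg.startswith(FLAG + "="):
            value = arg[len(FLAG) + 1:]
        elif arg == FLAG and i + 1 < len(argv):
            i += 1
            value = argv[i]
        if value is not None:
            for item in value.split(","):
                item = item.strip()
                if not item:
                    continue
                name, sep, raw = item.partition("=")
                name, raw = name.strip(), raw.strip()
                if not sep or not name or raw not in (_TRUE | _FALSE):
                    raise ValueError(f"malformed feature gate entry: {item!r}")
                gates[name] = raw in _TRUE
        i += 1
    return gates


def rotate_kubelet_server_certificate_enabled(argv: List[str]) -> bool:
    """True only when the gate is explicitly set to a true value on the command line."""
    return parse_feature_gates(argv).get(GATE, False)


def audit_pod(pod: dict) -> List[str]:
    """Run the check over a Pod object as returned by 'kubectl get pod -o json'.

    Returns one finding per kube-controller-manager container that fails; an empty
    list means the pod passes. command and args are concatenated because the flag
    may legitimately live in either field.
    """
    findings = []
    for container in pod.get("spec", {}).get("containers", []):
        argv = list(container.get("command", [])) + list(container.get("args", []))
        if not argv or not argv[0].endswith("kube-controller-manager"):
            continue  # sidecars and unrelated containers are out of scope
        if not rotate_kubelet_server_certificate_enabled(argv):
            findings.append(
                f"{pod['metadata']['name']}/{container.get('name', '?')}: "
                f"{GATE}=true not set in {FLAG}"
            )
    return findings


# Constructed samples (assumptions for this example) mirroring the weak and fixed
# manifests; GOOD_POD deliberately carries the flag in args to exercise that path.
WEAK_POD = {
    "metadata": {"name": "weak", "namespace": "kube-system"},
    "spec": {"containers": [{
        "name": "kube-controller-manager",
        "command": ["kube-controller-manager", "--controllers=*,bootstrapsigner,tokencleaner"],
    }]},
}
GOOD_POD = {
    "metadata": {"name": "good", "namespace": "kube-system"},
    "spec": {"containers": [{
        "name": "kube-controller-manager",
        "command": ["kube-controller-manager", "--controllers=*,bootstrapsigner,tokencleaner"],
        "args": ["--feature-gates=RotateKubeletServerCertificate=true,VolumePVCDataSource=True"],
    }]},
}

if __name__ == "__main__":
    for sample in (WEAK_POD, GOOD_POD):
        print(sample["metadata"]["name"], audit_pod(sample) or "PASS")
```

To run it against a live cluster, feed each item of the list returned by `kubectl -n kube-system get pod -l component=kube-controller-manager -o json` to audit_pod; on kubeadm clusters the same flags can also be read from the static manifest under /etc/kubernetes/manifests/. Note that an absent gate is reported as a finding regardless of what the running binary defaults to, because the check asks for the setting to be explicit and auditable.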