Kubelet without certificate / private key

ID

kubelet_key_files_set

Severity

high

Vendor

Kubernetes

Resource

kubelet

Tags

asvs50-v11.3.1, asvs50-v14.2.2, reachable

Description

The kubelet is the primary "node agent" that runs on each node. It can register the node with the API server using one of: the hostname; a flag to override the hostname; or specific logic for a cloud provider.

The kubelet also serves an HTTPS API (port 10250 by default) that the API server calls for exec, attach, port-forward and log retrieval. That traffic carries sensitive data, so it must stay encrypted in transit and must terminate at a kubelet whose identity the client can verify.

If --tls-cert-file and --tls-private-key-file are not provided, the kubelet generates a self-signed certificate and key at startup and stores them in the directory given by --cert-dir. Such a certificate cannot be validated against the CA handed to the API server with --kubelet-certificate-authority, so the connection is encrypted but not authenticated. Set both parameters to a certificate and key issued by a CA the API server trusts. The same settings can be supplied as tlsCertFile and tlsPrivateKeyFile in the KubeletConfiguration file passed with --config, so an audit must check both the command line and the config file.

Examples

apiVersion: v1
kind: Pod
metadata:
  name: bad (1)
spec:
  containers:
  - command:
    - kubelet
    name: bad-container
    image: gcr.io/google_containers/kubelet-amd64:v1.6.0
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /health
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki
1 Without --tls-cert-file and --tls-private-key-file the kubelet still listens on HTTPS, but with a self-signed certificate it generates at startup in --cert-dir. The API server cannot validate that certificate against --kubelet-certificate-authority, so it either cannot connect or, when that option is unset, connects without verifying the kubelet's identity, leaving the connection open to man-in-the-middle attacks.

Mitigation / Fix

apiVersion: v1
kind: Pod
metadata:
  name: good
spec:
  containers:
  - command:
    - kubelet
    - --tls-cert-file=/path/to/cert (1)
    - --tls-private-key-file=/path/to/key (1)
    name: good-container
    image: gcr.io/google_containers/kubelet-amd64:v1.6.0
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /health
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki
1 With --tls-cert-file and --tls-private-key-file set (here to placeholder paths), the kubelet serves its HTTPS API with the supplied certificate instead of a self-signed one. Issue that certificate from a CA the API server trusts via --kubelet-certificate-authority, and keep the key file owned by root with mode 600. The same settings can be given as tlsCertFile and tlsPrivateKeyFile in the KubeletConfiguration file passed with --config.
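An audit helper for this rule, added here as an example; it is not part of the original page or of Kubernetes itself. It decides whether a kubelet has a serving certificate configured by checking the command line, the KubeletConfiguration file (tlsCertFile / tlsPrivateKeyFile) and the serverTLSBootstrap setting, and on a live node it additionally verifies that the certificate actually presented on port 10250 chains to the cluster CA, which is the check the API server performs when --kubelet-certificate-authority is set. The function names, the sample configuration files and the CA path /etc/kubernetes/pki/ca.crt are assumptions.

```shell
#!/bin/sh
# Added example: audit whether a kubelet serves with a configured certificate.
# Not part of the rule page or of Kubernetes; function names are assumptions.

# kubelet_tls_source CMDLINE [CONFIG_FILE]
# Prints where the serving certificate is configured ("flags", "config" or
# "bootstrap") and returns 0, or prints "none" and returns 1.
kubelet_tls_source() {
  cmdline=" $1 "   # pad so a flag at either end of the line still matches
  config=$2
  # Both flags are required; pflag accepts --flag=value and --flag value.
  case "$cmdline" in
    *" --tls-cert-file="*|*" --tls-cert-file "*)
      case "$cmdline" in
        *" --tls-private-key-file="*|*" --tls-private-key-file "*)
          echo flags; return 0 ;;
      esac ;;
  esac
  if [ -n "$config" ] && [ -r "$config" ]; then
    # KubeletConfiguration fields; the flags are deprecated in favour of these.
    if grep -Eq '^[[:space:]]*tlsCertFile:[[:space:]]*[^[:space:]]' "$config" &&
       grep -Eq '^[[:space:]]*tlsPrivateKeyFile:[[:space:]]*[^[:space:]]' "$config"; then
      echo config; return 0
    fi
    # serverTLSBootstrap: true makes the kubelet request a serving certificate
    # from the API server (the CSR still has to be approved) instead of self-signing.
    if grep -Eq '^[[:space:]]*serverTLSBootstrap:[[:space:]]*true' "$config"; then
      echo bootstrap; return 0
    fi
  fi
  echo none; return 1
}

# kubelet_cert_chains_to_ca HOST PORT CA_FILE
# Connects to the kubelet and checks that the certificate it presents verifies
# against CA_FILE. A self-signed fallback certificate fails this check.
kubelet_cert_chains_to_ca() {
  openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null |
    grep -q 'Verify return code: 0 (ok)'
}

# audit_node: run both checks against the local kubelet (needs procps and openssl).
# The CA path is an assumption; adjust it for the cluster being audited.
audit_node() {
  cmd=$(ps -o args= -C kubelet 2>/dev/null | head -n 1)
  cfg=$(printf '%s\n' "$cmd" | sed -n 's/.*--config[= ]\([^ ]*\).*/\1/p')
  if ! src=$(kubelet_tls_source "$cmd" "$cfg"); then
    echo "FAIL: kubelet falls back to a self-signed serving certificate"
    return 1
  fi
  echo "serving certificate configured via: $src"
  if kubelet_cert_chains_to_ca 127.0.0.1 10250 /etc/kubernetes/pki/ca.crt; then
    echo "PASS: certificate on :10250 chains to the cluster CA"
  else
    echo "FAIL: certificate on :10250 does not verify against /etc/kubernetes/pki/ca.crt"
    return 1
  fi
}
```

Run audit_node as root on each worker node; a result of "flags" or "config" with a passing chain check is what this rule expects. Both checks matter: the flags can point at files that were never issued by the cluster CA, and a kubelet started without the flags can only be caught by looking at the certificate it really presents.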