Profile Applicability:

  • Level 2

Description:
The --rotate-certificates flag in Kubernetes controls whether the certificates used by Kubernetes components are rotated automatically before they expire. Setting this argument to false disables automatic certificate rotation, which can lead to expired certificates and cause service disruptions. This check ensures that certificate rotation is enabled to maintain the integrity and security of the cluster.

Rationale:
Automatic certificate rotation ensures that Kubernetes components always use valid certificates, helping prevent security breaches and service failures due to expired certificates. By ensuring that --rotate-certificates is not set to false, the system remains secure and operational.

Impact:

  • Pros:

    • Ensures continuous security by automatically rotating certificates.

    • Prevents service disruptions caused by expired certificates.

  • Cons:

    • If not properly configured, it might cause unnecessary overhead in managing certificates.

    • Requires careful monitoring to ensure the certificates are rotated correctly and on time.

Default Value:
The default value for the --rotate-certificates flag is typically true to ensure automatic certificate rotation, but it may be manually disabled in some environments.

Pre-requisites:
Ensure that certificate management and validation processes are properly configured to handle certificate rotation within the cluster.

Remediation:

Test Plan:

Using Azure Console:

  1. Access the Kubernetes cluster configuration settings.

  2. Review the kube-apiserver configuration to check if the --rotate-certificates flag is set to false.

Using Azure CLI:

  1. Use the following command to check the current configuration of the --rotate-certificates flag:

     ps aux | grep kube-apiserver

  2. Ensure that the --rotate-certificates argument is not set to false.
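The command-line check in step 2 can be scripted. The following POSIX shell example is added here and is not part of the benchmark; it runs over constructed lines in the shape of `ps aux` output (the sample processes are kubelet, the component on which upstream Kubernetes defines `--rotate-certificates`), accepts both the `--rotate-certificates=false` and `--rotate-certificates false` spellings, and ignores the grep process that appears in its own listing.

```shell
# Added example (not the benchmark's own code): audit captured process
# command lines for a disabled --rotate-certificates flag.

# rotation_status CMDLINE -> prints enabled | disabled | default
rotation_status() {
  # Normalise "--flag value" to "--flag=value" so one pattern covers both forms.
  normalised=$(printf '%s\n' "$1" |
    sed -E 's/--rotate-certificates[[:space:]]+(true|false)/--rotate-certificates=\1/g')
  case " $normalised " in
    *" --rotate-certificates=false "*) echo disabled ;;                          # explicit opt-out
    *" --rotate-certificates=true "*|*" --rotate-certificates "*) echo enabled ;;  # explicit or bare boolean
    *) echo default ;;                                                            # flag absent
  esac
}

# check_cmdline CMDLINE -> returns 0 (pass) unless rotation is explicitly disabled
check_cmdline() {
  [ "$(rotation_status "$1")" != disabled ]
}

# audit_ps_output PSTEXT -> prints the PID of every process that disables
# rotation; returns 1 if any were found, 0 otherwise. The grep process that
# produced the listing is skipped so it cannot mask or fake a finding.
audit_ps_output() {
  found=0
  while IFS= read -r line; do
    case "$line" in ""|*" grep "*) continue ;; esac
    if [ "$(rotation_status "$line")" = disabled ]; then
      printf '%s\n' "$line" | awk '{print $2}'
      found=1
    fi
  done <<EOF
$1
EOF
  return $found
}

# Constructed sample in the shape of `ps aux` output (not a real capture).
# The lines use kubelet, the component on which upstream Kubernetes defines
# --rotate-certificates; the checks themselves are component-agnostic.
SAMPLE_PS='root 1234 0.5 2.0 1000 2000 ? Ssl 10:00 1:00 /usr/bin/kubelet --rotate-certificates=false --config=/var/lib/kubelet/config.yaml
root 1235 0.5 2.0 1000 2000 ? Ssl 10:00 1:00 /usr/bin/kubelet --rotate-certificates --config=/var/lib/kubelet/config.yaml
root 1236 0.0 0.0 1000 2000 pts/0 S+ 10:01 0:00 grep kubelet'
# Run the audit over the sample: prints 1234 and reports FAIL.
if audit_ps_output "$SAMPLE_PS"; then
  echo "PASS: no process disables certificate rotation"
else
  echo "FAIL: the PIDs above run with --rotate-certificates=false"
fi
```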

Implementation Plan:

Using Azure Console:

  1. Access the kube-apiserver configuration.

  2. Set the --rotate-certificates argument to true to ensure automatic certificate rotation is enabled.

Using Azure CLI:

  1. Update the --rotate-certificates flag by modifying the kube-apiserver configuration:

     kubectl -n kube-system edit deployment kube-apiserver

  2. Set the --rotate-certificates flag to true.

Backout Plan:

Using Azure Console:

  1. If the change causes issues or affects certificate management, revert the --rotate-certificates setting to false as a temporary solution.

Using Azure CLI:

  1. Revert the --rotate-certificates flag by modifying the configuration:

     kubectl -n kube-system edit deployment kube-apiserver

  2. Set the flag back to false if necessary, although this is not recommended for production environments.

References:

  1. Kubernetes API Server Configuration

  2. Kubernetes Certificate Management