Profile Applicability:

  • Level 1

Description:
 The RotateKubeletServerCertificate argument controls whether the Kubelet should automatically rotate its server certificate. This is an important security measure to ensure that the Kubelet's server certificates are refreshed periodically and do not become outdated or compromised. Setting this argument to true ensures that the Kubelet certificates are rotated automatically.

Rationale:
 Automatically rotating Kubelet server certificates helps to maintain the security of the cluster by ensuring that certificates are kept up-to-date, reducing the risk of certificate expiration or compromise. It also reduces administrative overhead by automating the process of certificate management.

Impact:

  • Pros:

    • Ensures continuous security by rotating Kubelet server certificates.

    • Reduces the manual effort needed for certificate management.

    • Helps prevent downtime or security vulnerabilities due to expired certificates.

  • Cons:

    • Requires proper monitoring to ensure certificates are rotated correctly.

    • Improper configuration may lead to certificate rotation issues.

Default Value:
 By default, this argument may be set to false, and it should be enabled to ensure the security of the Kubelet certificates.

Pre-requisites:
 Ensure that certificate management and validation processes are properly configured to handle Kubelet certificate rotation.

Remediation:

Test Plan:

Using Azure Console:

  1. Access the Kubernetes cluster configuration settings.

  2. Review the kube-apiserver configuration to check if the --RotateKubeletServerCertificate flag is set to true.

Using Azure CLI:

  1. Use the following command to check the current configuration of the --RotateKubeletServerCertificate flag:

     ps aux | grep kube-apiserver

  2. Ensure that the --RotateKubeletServerCertificate argument is set to true.
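As an added example that is not part of this benchmark entry, the following POSIX shell function automates step 2 of the CLI test: instead of reading the `ps aux` output by eye, it evaluates a captured command line and reports pass or fail. It assumes the process being inspected is the kubelet, and it accepts both the bare flag form used on this page and the `--feature-gates=RotateKubeletServerCertificate=true` form the kubelet accepts; the sample command lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the benchmark text): automated version of the
# "is RotateKubeletServerCertificate set to true" check.
# rotate_enabled CMDLINE -> returns 0 when rotation is enabled, 1 otherwise.
# Handles the bare form (--RotateKubeletServerCertificate=true) and the
# feature-gate form (--feature-gates=...,RotateKubeletServerCertificate=true);
# the gate list must use the "--feature-gates=" (equals) syntax.
rotate_enabled() {
    cmdline="$1"
    # Bare flag form, with "=" or a space before the value
    case " $cmdline " in
        *" --RotateKubeletServerCertificate=true "*|*" --RotateKubeletServerCertificate true "*) return 0 ;;
    esac
    # Feature-gate form: collect every --feature-gates= value, then inspect
    # each comma-separated gate individually
    gates=$(printf '%s\n' "$cmdline" | tr ' ' '\n' | sed -n 's/^--feature-gates=//p')
    for g in $(printf '%s' "$gates" | tr ',' ' '); do
        [ "$g" = "RotateKubeletServerCertificate=true" ] && return 0
    done
    return 1   # flag absent (defaults to false) or explicitly false
}

# Constructed sample command lines for the demonstration
PASS_GATE='/usr/bin/kubelet --config=/etc/kubernetes/kubelet.conf --feature-gates=SomeGate=true,RotateKubeletServerCertificate=true'
PASS_BARE='/usr/bin/kubelet --RotateKubeletServerCertificate=true'
FAIL_FALSE='/usr/bin/kubelet --feature-gates=RotateKubeletServerCertificate=false'
FAIL_ABSENT='/usr/bin/kubelet --config=/etc/kubernetes/kubelet.conf'

# Live use on a Linux node: evaluate every running kubelet process
check_running_kubelet() {
    ps -o args= -C kubelet 2>/dev/null | while read -r line; do
        if rotate_enabled "$line"; then echo "PASS: $line"; else echo "FAIL: $line"; fi
    done
}
```

Running `check_running_kubelet` on a node prints one PASS or FAIL line per kubelet process; a FAIL means the default (false) is in effect or rotation was disabled explicitly.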

Implementation Plan:

Using Azure Console:

  1. Access the kube-apiserver configuration.

  2. Set the --RotateKubeletServerCertificate argument to true to ensure automatic certificate rotation for the Kubelet.

Using Azure CLI:

  1. Update the --RotateKubeletServerCertificate flag by modifying the kube-apiserver configuration:

     kubectl -n kube-system edit deployment kube-apiserver

  2. Set the --RotateKubeletServerCertificate flag to true.

Backout Plan:

Using Azure Console:

  1. If the change causes issues with certificate management, revert the --RotateKubeletServerCertificate setting to false.

Using Azure CLI:

  1. Revert the --RotateKubeletServerCertificate flag by modifying the configuration:

     kubectl -n kube-system edit deployment kube-apiserver

  2. Set the flag back to false if necessary.

References:

  1. Kubernetes API Server Configuration