Profile Applicability:

  • Level 1

Description:

The --kubelet-certificate-authority argument defines the certificate authority file to validate the Kubelet’s certificate. The Kubelet is responsible for ensuring that nodes are properly configured and secured. By setting this parameter, we ensure the Kubelet connects to the Kubernetes API server using the correct CA file to verify the server’s identity.

Rationale:

Setting the correct certificate authority ensures that communications between the Kubelet and the API server are encrypted and authenticated using the appropriate certificate, mitigating potential man-in-the-middle attacks.

Impact:

Pros:

  • Ensures secure communication between the Kubelet and API server.

  • Prevents unauthorized access to the Kubelet.

Cons:

  • Incorrect certificate authority file can cause connection issues between the Kubelet and API server, impacting cluster operations.

Default Value:

Not set by default.

Pre-requisites:

  • The certificate authority (CA) file should be available on all Kubelet nodes.

  • The certificate must be valid and trusted by the Kubernetes API server.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to your EKS Cluster.

  3. Check the Kubelet configuration in the node group.

  4. Verify the correct --kubelet-certificate-authority argument is configured in the node group's user data (either as part of the launch configuration or Kubernetes configuration file).

Using AWS CLI:

Run the following AWS CLI command to describe your EKS node group's configuration:

aws eks describe-nodegroup --cluster-name <cluster-name> --nodegroup-name <nodegroup-name>

  1. Check the --kubelet-certificate-authority setting in the output to ensure it is configured correctly.

Implementation Plan:

Using AWS Console:

  1. Navigate to the EKS cluster in the AWS Console.

  2. Go to the Node Group section and select the relevant node group.

  3. Modify the configuration to ensure that the --kubelet-certificate-authority argument is set correctly.

  4. Save the configuration and redeploy the node group if necessary.

Using AWS CLI:

Update the --kubelet-certificate-authority argument in the EKS node group's configuration by pointing the node group at the launch template version whose user data carries the corrected argument (the aws eks update-nodegroup-config command does not accept a launch template or config file; launch template changes are rolled out with update-nodegroup-version):

aws eks update-nodegroup-version --cluster-name <cluster-name> --nodegroup-name <nodegroup-name> --launch-template name=<launch-template-name>,version=<version-number>

Backout Plan:

Using AWS Console:

  1. Navigate to the Node Group configuration in the AWS Console.

  2. Revert the --kubelet-certificate-authority argument to its previous value.

  3. Save and redeploy the node group to ensure the settings are reverted.

Using AWS CLI:

If issues occur, revert to the previous launch template version using:

aws eks update-nodegroup-version --cluster-name <cluster-name> --nodegroup-name <nodegroup-name> --launch-template name=<launch-template-name>,version=<old-version-number>

References: