Profile Applicability:
Level 1
Description:
Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are correctly configured in the Kubernetes API server. These arguments specify the TLS certificate and private key that the API server uses to authenticate to the kubelet. These certificates are crucial for ensuring secure, trusted communication between the API server and the kubelet.
Rationale:
The --kubelet-client-certificate and --kubelet-client-key arguments ensure that the Kubernetes API server authenticates itself to the kubelet with a trusted certificate and private key. By enabling proper mutual TLS authentication, the cluster improves security by preventing unauthorized or rogue components from interacting with the kubelet, which could otherwise be used to compromise the cluster.
Impact:
Pros:
Ensures secure and authenticated communication between the API server and the kubelet.
Prevents unauthorized access to the kubelet, reducing the risk of attacks that could compromise node management.
Strengthens security by enforcing mutual TLS between the API server and the kubelet.
Cons:
Misconfiguration of these arguments may prevent the Kubernetes API server from establishing communication with the kubelet, leading to node management failures.
Requires careful management and secure storage of the client certificate and private key files to prevent unauthorized access.
Default Value:
By default, the --kubelet-client-certificate and --kubelet-client-key arguments may not be set, relying on default certificate handling. Manual configuration is required to point to the correct certificate and private key files.
Pre-Requisites:
Access to the Kubernetes API server configuration.
A valid and trusted client certificate and private key for authenticating with the kubelet.
Sufficient privileges (root or administrator access) to modify the API server flags.
A Kubernetes environment where secure communication between the API server and kubelet is required.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the Amazon Elastic Kubernetes Service (EKS) console.
Navigate to the "Clusters" section and locate your cluster.
Review the settings for the --kubelet-client-certificate and --kubelet-client-key arguments in the API server configuration.
Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set to the correct certificate and private key file paths.
Using AWS CLI:
Retrieve the configuration for the Kubernetes API server:
kubectl get deployment -n kube-system kube-apiserver -o yaml
Check for the presence of the --kubelet-client-certificate and --kubelet-client-key arguments in the API server arguments section:
- --kubelet-client-certificate=/etc/kubernetes/pki/kubelet-client.crt
- --kubelet-client-key=/etc/kubernetes/pki/kubelet-client.key
Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set to the appropriate file paths. If they are not, update the configuration to point to the correct files.
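The check above can be scripted so it is repeatable. The following is an added example, not part of the benchmark text: it parses a constructed copy of a kube-apiserver container's command list (in a live cluster, the same text comes from the kubectl command above), confirms both flags are present, and, when run on the control-plane host, verifies that the certificate and key files referenced by the flags exist and belong together.

```shell
#!/bin/sh
# Added example: audit the kube-apiserver command list for the two
# kubelet client TLS flags. The file paths below are the ones used in
# the benchmark text; the command list itself is a constructed sample.

SAMPLE_ARGS='    - kube-apiserver
    - --kubelet-client-certificate=/etc/kubernetes/pki/kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP'

# Print the value of "- --flag=value" from a YAML command/args list
# ($1 = list text, $2 = flag name); prints nothing when absent.
flag_value() {
  printf '%s\n' "$1" | sed -n "s/^ *- *$2=//p" | head -n 1
}

# Return 0 only when both flags are present with a non-empty value.
kubelet_client_flags_set() {
  cert=$(flag_value "$1" --kubelet-client-certificate)
  key=$(flag_value "$1" --kubelet-client-key)
  [ -n "$cert" ] && [ -n "$key" ]
}

# Return 0 when both files are readable and the private key matches the
# certificate (same public key), the standard openssl pairing check.
# Only meaningful on the host where the files live.
kubelet_client_pair_matches() {
  cert=$1; key=$2
  [ -r "$cert" ] && [ -r "$key" ] || return 1
  c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

if kubelet_client_flags_set "$SAMPLE_ARGS"; then
  echo "PASS: --kubelet-client-certificate and --kubelet-client-key are set"
  cert=$(flag_value "$SAMPLE_ARGS" --kubelet-client-certificate)
  key=$(flag_value "$SAMPLE_ARGS" --kubelet-client-key)
  if kubelet_client_pair_matches "$cert" "$key"; then
    echo "PASS: certificate and key files are present and match"
  else
    echo "WARN: could not validate $cert / $key on this host"
  fi
else
  echo "FAIL: one or both kubelet client TLS flags are missing"
fi
```

To run it against a real cluster, replace SAMPLE_ARGS with the command list extracted from the kubectl output (for example the lines between command: and the next top-level key).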
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the EKS service and navigate to your cluster.
Review the cluster's configuration for the --kubelet-client-certificate and --kubelet-client-key arguments.
If the arguments are missing or misconfigured, update the API server configuration to set the correct paths for the certificate and key:
--kubelet-client-certificate=/etc/kubernetes/pki/kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/kubelet-client.key
Save and apply the changes to the Kubernetes API server configuration.
Using AWS CLI:
Modify the API server deployment by adding or updating the --kubelet-client-certificate and --kubelet-client-key arguments:
kubectl edit deployment -n kube-system kube-apiserver
In the deployment YAML, locate the command section under the spec for the kube-apiserver container.
Add or update the following lines to specify the correct certificate and key file paths:
- --kubelet-client-certificate=/etc/kubernetes/pki/kubelet-client.crt
- --kubelet-client-key=/etc/kubernetes/pki/kubelet-client.key
Save and exit the editor to apply the changes.
Backout Plan:
Using AWS Console:
Sign in to the AWS Console.
Open the EKS service and navigate to your cluster.
Locate the API server configuration.
If necessary, revert the change by setting the --kubelet-client-certificate and --kubelet-client-key arguments to their previous values or removing them entirely.
Save and apply the changes to the Kubernetes API server configuration.
Using AWS CLI:
To revert the change, edit the API server deployment to set the --kubelet-client-certificate and --kubelet-client-key arguments back to their previous values:
kubectl edit deployment -n kube-system kube-apiserver
Update the deployment YAML to include the previous values for the --kubelet-client-certificate and --kubelet-client-key arguments.
Save and exit the editor to apply the changes.