Profile Applicability:
Level 1
Description:
Ensure that the --cert-file and --key-file arguments in the Kubernetes API server configuration are set correctly. --cert-file specifies the location of the API server's serving certificate and --key-file the location of the matching private key; together they make the API server present a certificate that clients (kubectl, kubelets, controllers) can verify before they send credentials. Note on naming: --cert-file and --key-file are the spellings used by etcd. The kube-apiserver binary takes the same two settings as --tls-cert-file and --tls-private-key-file, so check for whichever spelling belongs to the component being audited.
Rationale:
Setting the --cert-file and --key-file arguments correctly ensures that the API server serves a certificate issued by a CA that its clients trust. If the arguments are missing, the kube-apiserver does not refuse to start: it generates a self-signed certificate at startup, clients that verify server certificates then fail to connect, and operators are tempted to disable verification (for example with --insecure-skip-tls-verify), which exposes API traffic, including bearer tokens, to man-in-the-middle attacks. A certificate that does not belong to its key, or a key file the API server cannot read, prevents the API server from starting at all.
Impact:
Pros:
Ensures secure communication between the Kubernetes API server and its clients by serving a certificate issued by a CA the clients trust.
Helps prevent unauthorized access and man-in-the-middle attacks: clients can authenticate the API server before sending bearer tokens or client certificates, and have no reason to disable server verification.
Cons:
Requires certificate lifecycle management: the certificate must be issued by a CA the clients trust, cover the names and IP addresses the API server is reached at, and be rotated before it expires.
Misconfiguration (a wrong path, a key that does not belong to the certificate, or an expired certificate) can prevent the API server from starting or clients from connecting.
Default Value:
If the arguments are not set, the kube-apiserver does not fail: it generates a self-signed certificate and key at startup and writes them to the directory given by --cert-dir, which clients reject unless they are explicitly configured to trust it. kubeadm-built clusters set --tls-cert-file=/etc/kubernetes/pki/apiserver.crt and --tls-private-key-file=/etc/kubernetes/pki/apiserver.key. On Amazon EKS the control plane, including the API server's serving certificate, is provisioned and rotated by AWS, and the flags are not exposed to the cluster operator.
Pre-Requisites:
Access to the Kubernetes API server configuration.
Valid and trusted TLS certificates for use with the Kubernetes API server.
Root (or equivalent) access to the control plane nodes to modify the API server's static Pod manifest. This applies to self-managed clusters only; EKS control plane nodes are not accessible to the operator.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the Amazon Elastic Kubernetes Service (EKS) console.
Navigate to the "Clusters" section and locate your cluster.
Note from the cluster's Overview that the control plane is managed by AWS: the kube-apiserver command line, and with it the certificate and key paths, is not shown anywhere in the console and cannot be changed from it. Record the cluster as AWS-managed; for such clusters this setting is the provider's responsibility. The console does show the API server endpoint and the cluster certificate authority, which is what clients must trust and what aws eks update-kubeconfig writes into the kubeconfig.
For a self-managed control plane (for example kubeadm nodes on EC2), proceed with the command-line check below.
Using AWS CLI:
The kube-apiserver is not a Deployment, so "kubectl get deployment -n kube-system kube-apiserver" returns nothing on any cluster. On kubeadm-built clusters it runs as a static Pod defined in /etc/kubernetes/manifests/kube-apiserver.yaml on each control plane node, and the kubelet registers a read-only mirror Pod for it. Retrieve the API server command line from that mirror Pod:
kubectl -n kube-system get pod -l component=kube-apiserver -o yaml
Check for the presence of the certificate and key arguments in the command section of the kube-apiserver container (the kube-apiserver spelling is shown; the same settings appear as --cert-file and --key-file only on etcd):
- --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
- --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
Ensure that both arguments are present, that the files exist on every control plane node, that the private key belongs to the certificate, and that the certificate is issued by the cluster CA (/etc/kubernetes/pki/ca.crt on kubeadm) and has not expired. If the command returns no Pods on an EKS cluster, the control plane is AWS-managed and this check does not apply. If the flags are missing or point at the wrong files, record the finding and follow the Implementation Plan.
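The check above, as an added shell example that is not part of the original page and not a Kubernetes or CIS tool. It audits an argument list (one argument per line, which is what tr '\0' '\n' </proc/<pid>/cmdline prints on a control plane node, or what the mirror Pod's .spec.containers[0].command holds) for the certificate and key flags, accepts both the kube-apiserver spelling (--tls-cert-file, --tls-private-key-file) and the etcd spelling used in this control's title (--cert-file, --key-file), and, when the files are reachable, confirms that the private key belongs to the certificate by comparing the public keys. The function names, the sample argument lists and the throwaway self-signed pair are constructed for illustration; the flag names, paths and openssl invocations are real.

```shell
#!/bin/sh
# Added example, not taken from the benchmark page or from any Kubernetes tool.
# Audits a kube-apiserver (or etcd) argument list for the TLS serving flags and
# checks the files they name. The list is one argument per line, which is what
#   tr '\0' '\n' </proc/<pid>/cmdline
# prints on a control plane node, or what .spec.containers[0].command holds in
# the kubeadm mirror Pod (kubectl -n kube-system get pod -l component=kube-apiserver -o yaml).

# flag_value ARGS FLAG: print FLAG's value, accepting both "--flag=value" and
# "--flag value" (kube-apiserver takes either; kubeadm writes the former).
flag_value() {
  printf '%s\n' "$1" | awk -v f="$2" '
    $0 == f               { if ((getline) > 0) print; exit }
    index($0, f "=") == 1 { print substr($0, length(f) + 2); exit }'
}

# check_tls_flags ARGS CERT_FLAG KEY_FLAG: status 0 and "cert=... key=..." when
# both flags carry a value; status 1, naming the missing flag, otherwise.
check_tls_flags() {
  cert=$(flag_value "$1" "$2"); key=$(flag_value "$1" "$3"); rc=0
  [ -n "$cert" ] || { echo "FAIL: $2 is not set"; rc=1; }
  [ -n "$key" ]  || { echo "FAIL: $3 is not set"; rc=1; }
  [ "$rc" -eq 0 ] && echo "cert=$cert key=$key"
  return "$rc"
}

# check_tls_files CERT KEY: status 3 if either file is unreadable, 2 if the
# private key does not belong to the certificate, 0 otherwise. The match test
# compares the SubjectPublicKeyInfo taken from each file and needs openssl.
check_tls_files() {
  for f in "$1" "$2"; do
    [ -r "$f" ] || { echo "FAIL: $f is not readable"; return 3; }
  done
  command -v openssl >/dev/null 2>&1 || { echo "WARN: no openssl, key match not verified"; return 0; }
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || { echo "FAIL: cannot parse $1"; return 2; }
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || { echo "FAIL: cannot parse $2"; return 2; }
  [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: $2 is not the private key for $1"; return 2; }
  openssl x509 -in "$1" -noout -subject -enddate
}

# served_cert HOST [PORT]: the certificate the endpoint actually presents. This
# is the only check possible on EKS, where the flags are not visible; it needs
# network access and is therefore not run below.
served_cert() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -dates
}

# Constructed sample argument lists (not captured from a real cluster).
APISERVER_OK='kube-apiserver
--advertise-address=10.0.0.10
--tls-cert-file=/etc/kubernetes/pki/apiserver.crt
--tls-private-key-file=/etc/kubernetes/pki/apiserver.key
--secure-port=6443'
APISERVER_NO_KEY='kube-apiserver
--tls-cert-file=/etc/kubernetes/pki/apiserver.crt
--secure-port=6443'
ETCD_OK='etcd
--cert-file
/etc/kubernetes/pki/etcd/server.crt
--key-file=/etc/kubernetes/pki/etcd/server.key'

# The flag spelling differs per component; the etcd spelling never appears on a
# kube-apiserver command line, so checking for it there always reports a miss.
check_tls_flags "$APISERVER_OK"     --tls-cert-file --tls-private-key-file                    # cert=... key=...
check_tls_flags "$APISERVER_NO_KEY" --tls-cert-file --tls-private-key-file || echo "status $?"  # FAIL ..., status 1
check_tls_flags "$APISERVER_OK"     --cert-file     --key-file             || echo "status $?"  # both missing, status 1
check_tls_flags "$ETCD_OK"          --cert-file     --key-file                                # cert=... key=...

# File check with a throwaway self-signed pair, then with an unrelated key.
if command -v openssl >/dev/null 2>&1; then
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=kube-apiserver \
    -keyout "$d/apiserver.key" -out "$d/apiserver.crt" 2>/dev/null
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null
  check_tls_files "$d/apiserver.crt" "$d/apiserver.key"                     # subject and notAfter, status 0
  check_tls_files "$d/apiserver.crt" "$d/other.key" || echo "status $?"     # FAIL ..., status 2
  rm -rf "$d"
fi
# On a control plane node this inspects the real files; anywhere else it is status 3.
check_tls_files /etc/kubernetes/pki/apiserver.crt /etc/kubernetes/pki/apiserver.key || echo "status $?"
```

On an EKS cluster neither the mirror Pod nor /proc/<pid>/cmdline is reachable, so there is no argument list to feed to check_tls_flags; served_cert against the cluster endpoint is the only direct observation an operator can make there, and what it returns should chain to the certificate-authority-data in the kubeconfig.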
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the EKS service and navigate to your cluster.
There is nothing to set on an EKS cluster: AWS provisions the API server's certificate and key and rotates them, and the console offers no field for them. If a client reports a certificate it does not trust, fix the client rather than the API server by regenerating its kubeconfig with aws eks update-kubeconfig, which embeds the cluster's certificate authority as certificate-authority-data.
Using AWS CLI:
On a self-managed control plane, change the static Pod manifest on each control plane node. Editing the mirror Pod with kubectl edit does not change the static Pod; the kubelet always rebuilds it from the file. Keep a copy of the current manifest outside /etc/kubernetes/manifests (a copy left inside that directory would be started by the kubelet as a second Pod) so the Backout Plan can restore it, then edit the manifest:
sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml
In the manifest, locate the command section of the kube-apiserver container and add or update the following lines to point to the correct certificate and key files (the paths shown are the kubeadm defaults):
- --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
- --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
Save the file. The kubelet notices the change and restarts the API server Pod; wait until the API server on that node answers /readyz again before repeating the edit on the next control plane node, so that at least one API server is serving throughout.
Backout Plan:
Using AWS Console:
Sign in to the AWS Console.
Open the EKS service and navigate to your cluster.
No API server change can have been made from the console, so there is nothing to revert on the control plane. If a client kubeconfig was regenerated, restore the previous kubeconfig file from its backup.
Using AWS CLI:
On a self-managed control plane, revert the change on each control plane node by editing the static Pod manifest (or by copying the saved pre-change manifest back over it):
sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml
Set the --tls-cert-file and --tls-private-key-file lines back to the previous certificate and key file paths (for etcd, the corresponding --cert-file and --key-file lines in /etc/kubernetes/manifests/etcd.yaml).
Save and exit. The kubelet restarts the API server Pod with the previous configuration; confirm with kubectl -n kube-system get pod -l component=kube-apiserver that the Pod is Running before moving to the next node.
References:
Kubernetes API Server TLS Configuration