Profile Applicability:

  • Level 1

Description:

Ensure that the RotateKubeletServerCertificate argument is set to true in the Kubernetes API server configuration. This argument controls whether the Kubernetes API server automatically rotates the certificates for the kubelet server, ensuring that the certificates used for secure communication with the kubelets are periodically refreshed.

Rationale:

Setting RotateKubeletServerCertificate to true ensures that the certificates used by the kubelets are rotated regularly, reducing the risk of certificate-related security issues, such as expired certificates or unauthorized access. Automated rotation enhances the security and trustworthiness of the communication between the API server and the kubelet components.

Impact:

Pros:

  • Automatically ensures that kubelet certificates are rotated, reducing administrative overhead.

  • Increases security by preventing the use of expired or compromised certificates.

  • Helps maintain up-to-date cryptographic standards for communication between the API server and kubelets.

Cons:

  • Requires proper certificate management and monitoring to ensure smooth rotation.

  • If misconfigured or disabled, kubelets may continue using outdated certificates, leading to potential security vulnerabilities.

Default Value:

By default, RotateKubeletServerCertificate is set to false, and manual intervention is required to manage kubelet certificate rotation. This setting must be enabled manually for automatic rotation.

Pre-Requisites:

  • Access to the Kubernetes API server configuration.

  • Sufficient privileges (root or administrator access) to modify the API server flags.

  • A Kubernetes environment with appropriate certificate management practices in place.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the Amazon Elastic Kubernetes Service (EKS) console.

  3. Navigate to the "Clusters" section and locate your cluster.

  4. Review the settings for the RotateKubeletServerCertificate argument in the API server configuration.

  5. Ensure that the RotateKubeletServerCertificate argument is set to true.

Using AWS CLI:

  1. Retrieve the configuration for the Kubernetes API server:

     kubectl get deployment -n kube-system kube-apiserver -o yaml

  2. Check for the presence of the --rotate-kubelet-server-certificate argument in the API server arguments section:

     - --rotate-kubelet-server-certificate=true

  3. Ensure that the --rotate-kubelet-server-certificate argument is set to true. If it is not, update the configuration to enable automatic certificate rotation.
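The check above can be scripted rather than read by eye. The following added example (not part of the benchmark text) pulls the "- --flag=value" items out of a kubectl "-o yaml" dump and reports whether rotation is enabled; it recognises the flag spelling used in this benchmark and also the feature-gate spelling (--feature-gates=RotateKubeletServerCertificate=true), which is how the kubelet itself exposes this setting. The sample dumps are constructed.

```shell
#!/bin/sh
# Added example, not part of the benchmark text. Pulls "- --flag=value" items out of a
# kubectl "-o yaml" dump and decides whether kubelet server-certificate rotation is on.

extract_args() {
    # One bare argument per line, taken from YAML list items of the form "- --flag=value".
    grep -E '^[[:space:]]*-[[:space:]]+--' | sed -E 's/^[[:space:]]*-[[:space:]]+//'
}

# Exit status: 0 = enabled, 1 = explicitly disabled, 2 = not configured at all.
# Accepts both the flag spelling used in this benchmark and the kubelet feature-gate
# spelling, e.g. --feature-gates=Other=true,RotateKubeletServerCertificate=true.
check_rotation_args() {
    args="$1"
    # Any explicit "false" is a failing finding, whatever else is present.
    if printf '%s\n' "$args" | grep -Eq \
        -e '^--rotate-kubelet-server-certificate=false$' \
        -e '^--feature-gates=(.*,)?RotateKubeletServerCertificate=false(,.*)?$'; then
        return 1
    fi
    if printf '%s\n' "$args" | grep -Eq \
        -e '^--rotate-kubelet-server-certificate=true$' \
        -e '^--feature-gates=(.*,)?RotateKubeletServerCertificate=true(,.*)?$'; then
        return 0
    fi
    return 2
}

# Constructed sample dumps standing in for "kubectl get deployment ... -o yaml" output.
SAMPLE_PASS='    command:
    - kube-apiserver
    - --feature-gates=Other=true,RotateKubeletServerCertificate=true
    - --rotate-kubelet-server-certificate=true'
SAMPLE_FAIL='    command:
    - kube-apiserver
    - --rotate-kubelet-server-certificate=false'

# Print a PASS/FAIL line for one dump; never aborts the caller on a failing finding.
report() {
    rc=0
    check_rotation_args "$(printf '%s\n' "$2" | extract_args)" || rc=$?
    case $rc in
        0) echo "$1: PASS (rotation enabled)" ;;
        1) echo "$1: FAIL (rotation explicitly disabled)" ;;
        *) echo "$1: FAIL (rotation not configured)" ;;
    esac
}

report pass-sample "$SAMPLE_PASS"
report fail-sample "$SAMPLE_FAIL"
```

On a live cluster, pipe the output of the kubectl command above into extract_args and pass the result to check_rotation_args; if the API server deployment cannot be retrieved (for example on a managed control plane), feed the function the kubelet's argument list instead.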

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the EKS service and navigate to your cluster.

  3. Review the cluster's configuration for the --rotate-kubelet-server-certificate argument.

  4. If the argument is missing or set to false, update the API server configuration to set --rotate-kubelet-server-certificate=true.

  5. Save and apply the changes to the Kubernetes API server configuration.

Using AWS CLI:

  1. Modify the API server deployment by adding or updating the --rotate-kubelet-server-certificate=true argument:

     kubectl edit deployment -n kube-system kube-apiserver

  2. In the deployment YAML, locate the command section under the spec for the kube-apiserver container, and add or update the following line to set the argument:

     - --rotate-kubelet-server-certificate=true

  3. Save and exit the editor to apply the changes.

Backout Plan:

Using AWS Console:

  1. Sign in to the AWS Console.

  2. Open the EKS service and navigate to your cluster.

  3. Locate the API server configuration.

  4. If necessary, revert the change by setting the --rotate-kubelet-server-certificate argument to false or restoring the previous configuration.

  5. Save and apply the changes to the Kubernetes API server configuration.

Using AWS CLI:

  1. To revert the change, edit the API server deployment to set the --rotate-kubelet-server-certificate argument to false:

     kubectl edit deployment -n kube-system kube-apiserver

  2. Update the deployment YAML to include --rotate-kubelet-server-certificate=false if needed.

  3. Save and exit the editor to apply the changes.

References: