Profile Applicability:
Level 1
Description:
Ensure that the --root-ca-file argument is set to the correct certificate authority (CA) bundle in the kube-controller-manager configuration. Despite the way this check is often described, --root-ca-file is a kube-controller-manager flag, not a kube-apiserver flag. It names a PEM-encoded CA bundle that can verify the API server's serving certificate. The controller manager publishes that bundle to workloads: it is written into the kube-root-ca.crt ConfigMap in every namespace and into the ca.crt key of legacy service account token secrets, and it is what pods use to authenticate the API server when they connect to it.
Rationale:
Pods learn which CA to trust for the API server only through the bundle the controller manager hands them. If --root-ca-file is unset or points at the wrong bundle, in-cluster clients either cannot verify the API server at all or, worse, trust a CA that does not actually anchor the API server's certificate. Setting the flag to the cluster CA ensures that in-cluster clients accept only the genuine API server certificate, which protects service account tokens from being presented to an impostor endpoint (a man-in-the-middle). The flag does not authenticate clients to the API server; client authentication is handled by the API server's own --client-ca-file and the service account token verification settings.
Impact:
Pros:
Ensures that in-cluster clients, via the projected ca.crt, verify the API server against the trusted cluster CA.
Reduces the risk of service account tokens being disclosed to a spoofed API server endpoint.
Cons:
Pointing the flag at a missing or malformed file prevents the controller manager from starting; pointing it at a bundle that does not match the API server's certificate causes pods to fail TLS verification of the API server, breaking in-cluster API access.
Requires proper management of the CA bundle file on every control plane node, including rotation when the cluster CA is rotated.
Default Value:
By default the --root-ca-file argument is empty; when it is empty the controller manager falls back to the CA data in its own kubeconfig. There is no "system default CA file" involved. kubeadm-provisioned clusters set the flag explicitly to /etc/kubernetes/pki/ca.crt. On Amazon EKS the control plane is managed by AWS and the flag is neither visible nor configurable.
Pre-Requisites:
Access to the control plane node (for a self-managed cluster) or to the cluster's kubectl and AWS CLI credentials (for EKS).
A valid, PEM-encoded root certificate authority (CA) bundle that signs the API server's serving certificate.
Sufficient privileges (root access on the control plane node) to modify the kube-controller-manager static pod manifest.
A Kubernetes environment with proper certificate management and rotation.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the Amazon Elastic Kubernetes Service (EKS) console.
Navigate to the "Clusters" section and open your cluster.
Note that on EKS the control plane components (kube-apiserver and kube-controller-manager) are operated by AWS; their command-line flags, including --root-ca-file, are not displayed or editable in the console. The flag itself can only be audited on control planes you run yourself.
What the console does show is the cluster's certificate authority ("Certificate authority" on the cluster overview). This is the CA that client kubeconfigs and in-cluster workloads must trust; use it as the reference value when checking the CA published to pods.
Using AWS CLI:
On a control plane you operate yourself (for example a kubeadm cluster on EC2), the controller manager runs as a static pod, not as a Deployment, so there is no kube-apiserver or kube-controller-manager Deployment to query. Inspect the process arguments on the control plane node instead:
ps -ef | grep kube-controller-manager
Check for the presence of the --root-ca-file argument in the output:
--root-ca-file=/etc/kubernetes/pki/ca.crt
Ensure that the argument is set and that the file is a readable PEM-encoded bundle containing the CA that signed the API server's serving certificate. If it is not, update the static pod manifest as described under Implementation Plan.
On EKS, verify the outcome rather than the flag: the CA published to pods in the kube-root-ca.crt ConfigMap (present in every namespace) must match the cluster CA returned by aws eks describe-cluster in cluster.certificateAuthority.data (base64-encoded).
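The following script is an added example written for this page; it is not part of the original text or of the CIS benchmark. It turns the Test Plan into a repeatable audit: it extracts --root-ca-file from a controller-manager command line (both the --flag=value and --flag value forms), checks that the referenced file is a readable PEM bundle, and offers a bundle comparison for the EKS case. The function names, the sample command lines and the sample PEM content are constructed for the demonstration; the live commands for ps, aws and kubectl are shown commented out so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the page or the CIS benchmark): audit the
# kube-controller-manager --root-ca-file setting. Function names, sample
# command lines and the sample PEM content below are constructed for the demo.

# Print the value of --root-ca-file from a controller-manager command line.
# Accepts both "--root-ca-file=PATH" and "--root-ca-file PATH".
# Returns 1 when the flag is absent.
root_ca_flag_value() {
    want_next=0
    for tok in $1; do
        if [ "$want_next" -eq 1 ]; then
            printf '%s\n' "$tok"
            return 0
        fi
        case "$tok" in
            --root-ca-file=*) printf '%s\n' "${tok#--root-ca-file=}"; return 0 ;;
            --root-ca-file)   want_next=1 ;;
        esac
    done
    return 1
}

# Return 0 if PATH is readable and contains at least one PEM certificate block.
# A stricter check would parse it: openssl crl2pkcs7 -nocrl -certfile PATH | openssl pkcs7 -print_certs -noout
is_pem_ca_bundle() {
    [ -r "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"
}

# Audit one controller-manager command line: flag present and bundle usable.
# Prints PASS/FAIL and returns 0/1 so it can drive a compliance job.
check_controller_manager() {
    path=$(root_ca_flag_value "$1") || { echo "FAIL: --root-ca-file is not set"; return 1; }
    is_pem_ca_bundle "$path"      || { echo "FAIL: $path is not a readable PEM bundle"; return 1; }
    echo "PASS: --root-ca-file=$path"
}

# Return 0 if two PEM bundles are byte-identical. Used to compare the CA that
# pods receive with the CA you expect them to trust.
same_ca_bundle() {
    cmp -s "$1" "$2"
}

# --- Live use (commented out so the script runs offline) ---------------------
# Self-managed control plane node:
#   check_controller_manager "$(ps -o args= -C kube-controller-manager)"
# EKS (control plane managed by AWS, so verify the published CA instead):
#   aws eks describe-cluster --name "$CLUSTER" \
#       --query 'cluster.certificateAuthority.data' --output text | base64 -d > /tmp/eks-ca.crt
#   kubectl get configmap kube-root-ca.crt -n kube-system \
#       -o jsonpath='{.data.ca\.crt}' > /tmp/published-ca.crt
#   same_ca_bundle /tmp/eks-ca.crt /tmp/published-ca.crt && echo "published CA matches cluster CA"

# --- Constructed sample inputs -----------------------------------------------
SAMPLE_CA=$(mktemp)
{
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s\n' 'MIIBfakecertificatebodyforillustrationonly='   # constructed, not a real CA
    printf '%s\n' '-----END CERTIFICATE-----'
} > "$SAMPLE_CA"
GOOD_CMD="kube-controller-manager --kubeconfig=/etc/kubernetes/controller-manager.conf --root-ca-file=$SAMPLE_CA --service-account-private-key-file=/etc/kubernetes/pki/sa.key"
SPACED_CMD="kube-controller-manager --root-ca-file $SAMPLE_CA"
MISSING_CMD="kube-controller-manager --service-account-private-key-file=/etc/kubernetes/pki/sa.key"
DANGLING_CMD="kube-controller-manager --root-ca-file=/nonexistent/ca.crt"

check_controller_manager "$GOOD_CMD"             # PASS
check_controller_manager "$SPACED_CMD"           # PASS
check_controller_manager "$MISSING_CMD"  || true # FAIL: flag absent
check_controller_manager "$DANGLING_CMD" || true # FAIL: file unreadable
```

The bundle comparison is the part that matters on EKS: a pod that trusts the CA in kube-root-ca.crt is only protected if that CA is the one that actually signed the API server endpoint certificate, which is what the describe-cluster value attests.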
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the EKS service and navigate to your cluster.
There is no --root-ca-file setting to change: the EKS control plane is managed by AWS, and the cluster CA is generated and published by the service. No console action is required; confirm via the Test Plan that the CA published to pods matches the cluster CA.
Using AWS CLI:
On a self-managed control plane, the kube-controller-manager is a static pod; edit its manifest on the control plane node (the kubelet restarts the pod automatically when the file changes):
/etc/kubernetes/manifests/kube-controller-manager.yaml
In the manifest, locate the command list of the kube-controller-manager container.
Add or update the following line so that it points at the cluster CA bundle, and make sure the directory containing the bundle is mounted into the container (kubeadm mounts /etc/kubernetes/pki by default):
- --root-ca-file=/etc/kubernetes/pki/ca.crt
Save the file; the kubelet restarts the controller manager with the new flag. Verify with the Test Plan that the new process arguments contain the flag and that pods receive the expected CA.
Backout Plan:
Using AWS Console:
Sign in to the AWS Console.
Open the EKS service and navigate to your cluster.
No change is made to the managed control plane, so there is nothing to revert there. If client kubeconfigs or workloads were re-pointed at a different CA during remediation, restore them to the cluster CA shown on the cluster overview.
Using AWS CLI:
On a self-managed control plane, revert the change by restoring the previous version of the static pod manifest (keep a copy of the file before editing it):
/etc/kubernetes/manifests/kube-controller-manager.yaml
Set the --root-ca-file argument back to its previous value, or remove the line if it was absent before.
Save the file; the kubelet restarts the controller manager with the restored configuration. Confirm with the Test Plan that the process arguments reflect the rollback.
References:
kube-controller-manager command-line reference (the --root-ca-file flag): https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/