Profile Applicability:

  • Level 1

Description:

Ensure that the --tls-cert-file and --tls-private-key-file arguments are configured properly in the Kubernetes API server. The --tls-cert-file specifies the location of the TLS certificate, and the --tls-private-key-file specifies the path to the corresponding private key. These arguments are used to enable encrypted communication (TLS) between the API server and clients.

Rationale:

Setting the --tls-cert-file and --tls-private-key-file arguments ensures that the Kubernetes API server uses the appropriate TLS certificate and private key for secure communication. Proper configuration of these files helps prevent unauthorized access to the API server by enabling encrypted communication with clients (e.g., kubectl, kubelet), thereby ensuring the confidentiality and integrity of data in transit.

Impact:

Pros:

  • Enables encrypted communication between the Kubernetes API server and clients, enhancing the security of the cluster.

  • Prevents unauthorized access or man-in-the-middle attacks during communication.

Cons:

  • Misconfiguration of these arguments could lead to failed communication or operational issues in the cluster, particularly if the TLS certificate or key is incorrect or expired.

  • Requires proper management of TLS certificates and private keys.

Default Value:

By default, the --tls-cert-file and --tls-private-key-file arguments may not be set, and the Kubernetes API server may generate its own certificates. For production environments, it is recommended to specify trusted certificates and keys manually.

Pre-Requisites:

  • Access to the Kubernetes API server configuration.

  • A valid and trusted TLS certificate and private key.

  • Sufficient privileges (root or administrator access) to modify the API server flags.

  • A Kubernetes environment with secure communication requirements.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the Amazon Elastic Kubernetes Service (EKS) console.

  3. Navigate to the "Clusters" section and locate your cluster.

  4. Review the settings for the --tls-cert-file and --tls-private-key-file arguments in the API server configuration.

  5. Ensure that the --tls-cert-file and --tls-private-key-file arguments are set to the correct file paths for the TLS certificate and private key.

Using AWS CLI:

Retrieve the configuration for the Kubernetes API server:

kubectl get deployment -n kube-system kube-apiserver -o yaml

Check for the presence of the --tls-cert-file and --tls-private-key-file arguments in the API server arguments section:

- --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
- --tls-private-key-file=/etc/kubernetes/pki/apiserver.key

  1. Ensure that the file paths for the certificate and private key are correct. If they are not, update the configuration to point to the appropriate files.
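The check above can be scripted so it runs the same way on every cluster review. The following POSIX shell helper is an added example, not part of the benchmark text: it reads a manifest dump saved from the kubectl command above (the sample manifests embedded here are constructed stand-ins, not real cluster output), reports PASS or FAIL depending on whether both flags are present and point at distinct files, and adds an optional expiry check with openssl to catch the "expired certificate" failure mode mentioned under Cons. The function names and the 30-day expiry threshold are choices made for this example.

```shell
#!/bin/sh
# Added audit helper (not part of the benchmark text): verify that an API
# server manifest dump carries both TLS flags, then optionally confirm the
# certificate on disk has not expired.

# Extract the value of one "--flag=value" entry from the container command
# list in a manifest dump. Prints nothing when the flag is absent.
tls_flag_value() {
    manifest="$1"
    flag="$2"
    grep -E "^[[:space:]]*- ${flag}=" "$manifest" | head -n 1 | sed 's/^[^=]*=//'
}

# Audit: both flags must be set and must not point at the same file.
# Prints PASS or FAIL with a reason; exit status 0 on PASS, 1 on FAIL.
audit_apiserver_tls() {
    manifest="$1"
    cert=$(tls_flag_value "$manifest" --tls-cert-file)
    key=$(tls_flag_value "$manifest" --tls-private-key-file)
    if [ -z "$cert" ]; then
        echo "FAIL: --tls-cert-file is not set"; return 1
    fi
    if [ -z "$key" ]; then
        echo "FAIL: --tls-private-key-file is not set"; return 1
    fi
    if [ "$cert" = "$key" ]; then
        echo "FAIL: certificate and key point at the same file ($cert)"; return 1
    fi
    echo "PASS: cert=$cert key=$key"
    return 0
}

# Optional follow-up for the expired-certificate failure mode: report whether
# the certificate file is still valid for at least DAYS more days (default 30).
# Needs openssl and read access to the file on the control-plane host;
# otherwise the check is skipped rather than failed.
check_cert_expiry() {
    cert_file="$1"
    days="${2:-30}"
    if ! command -v openssl >/dev/null 2>&1 || [ ! -r "$cert_file" ]; then
        echo "SKIP: openssl missing or $cert_file unreadable"; return 0
    fi
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert_file"; then
        echo "OK: $cert_file valid for at least $days more days"
    else
        echo "WARN: $cert_file expires within $days days (or is already expired)"
    fi
}

# Constructed sample manifests standing in for the output of
#   kubectl get deployment -n kube-system kube-apiserver -o yaml
GOOD_MANIFEST=$(mktemp)
BAD_MANIFEST=$(mktemp)
trap 'rm -f "$GOOD_MANIFEST" "$BAD_MANIFEST"' EXIT

cat > "$GOOD_MANIFEST" <<'EOF'
    spec:
      containers:
      - command:
        - kube-apiserver
        - --secure-port=6443
        - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
        - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
EOF

# Same manifest with the private key flag missing: the audit must fail.
cat > "$BAD_MANIFEST" <<'EOF'
    spec:
      containers:
      - command:
        - kube-apiserver
        - --secure-port=6443
        - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
EOF

# Example run against the samples. On a real cluster, save the kubectl output
# to a file first and pass that file instead.
audit_apiserver_tls "$GOOD_MANIFEST"
audit_apiserver_tls "$BAD_MANIFEST" || true
check_cert_expiry "$(tls_flag_value "$GOOD_MANIFEST" --tls-cert-file)" 30
```

To use it on a cluster, run `kubectl get deployment -n kube-system kube-apiserver -o yaml > apiserver.yaml` and call `audit_apiserver_tls apiserver.yaml`; the non-zero exit status on FAIL lets the check feed a CI job or a compliance scan directly. The expiry check is deliberately separate because it only works where the certificate file itself is readable.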

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the EKS service and navigate to your cluster.

  3. Review the cluster's configuration for the --tls-cert-file and --tls-private-key-file arguments.

  4. If the arguments are missing or misconfigured, update the API server configuration to set the correct file paths for the certificate and key:

     --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
     --tls-private-key-file=/etc/kubernetes/pki/apiserver.key

    Save and apply the changes to the Kubernetes API server configuration.

Using AWS CLI:

Modify the API server deployment by adding or updating the --tls-cert-file and --tls-private-key-file arguments:

kubectl edit deployment -n kube-system kube-apiserver

  1. In the deployment YAML, locate the command section under the spec for the kube-apiserver container.

  2. Add or update the following lines to specify the correct certificate and private key file paths:

     - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
     - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key

  3. Save and exit the editor to apply the changes.

Backout Plan:

Using AWS Console:

  1. Sign in to the AWS Console.

  2. Open the EKS service and navigate to your cluster.

  3. Locate the API server configuration.

  4. If necessary, revert the change by setting the --tls-cert-file and --tls-private-key-file arguments to the previous value or restoring the default configuration.

  5. Save and apply the changes to the Kubernetes API server configuration.

Using AWS CLI:

To revert the change, edit the API server deployment to set the --tls-cert-file and --tls-private-key-file arguments back to their previous values:

kubectl edit deployment -n kube-system kube-apiserver

  1. Update the deployment YAML to include the previous values for the --tls-cert-file and --tls-private-key-file arguments.

  2. Save and exit the editor to apply the changes.

References: