Profile Applicability:
Level 1
Description:
Ensure that the --peer-client-cert-auth argument is set to true in the etcd configuration. This is an etcd flag, not a kube-apiserver flag: it makes each etcd member require a client certificate on incoming peer (member-to-member) connections and verify it against the CA given by --peer-trusted-ca-file, so only members holding a certificate from that CA can join the cluster or take part in replication.
Rationale:
etcd stores the entire cluster state, including Secrets, and members replicate that state to one another over the peer listener (port 2380 by default). Peer TLS alone (--peer-cert-file and --peer-key-file) only authenticates the server side of a connection; without --peer-client-cert-auth=true a member accepts a peer connection from any host that can reach the port, so network reachability rather than a certificate becomes the only barrier to a rogue host posing as a member. Requiring peer client certificates makes member-to-member communication mutually authenticated and keeps unauthorized hosts out of the control plane's data store.
Impact:
Pros:
Peer connections are mutually authenticated: both ends must present a certificate issued by the peer CA.
Stops rogue or spoofed members from joining the cluster or sitting in the middle of replication traffic on the peer port.
Enforces strong authentication for etcd's internal traffic, which carries all Kubernetes state.
Cons:
Every member needs a peer certificate and key from a common peer CA (--peer-cert-file, --peer-key-file, --peer-trusted-ca-file), and certificate rotation has to be managed.
A mismatched CA or an expired certificate breaks peer connectivity for that member and, if enough members are affected, costs the cluster quorum.
Default Value:
The etcd default for --peer-client-cert-auth is false: peers are not required to present a client certificate. Clusters built with kubeadm get --peer-client-cert-auth=true in the generated etcd static pod manifest; clusters built by hand or by other tooling must set it explicitly.
Pre-Requisites:
Root (or equivalent) shell access to the control plane nodes or dedicated etcd hosts, to read and edit the etcd manifest or process arguments.
A peer CA with a peer certificate and key already issued for every member.
On Amazon EKS the control plane, including etcd, is operated by AWS; its flags are neither visible to nor editable by customers. This control therefore applies to self-managed clusters (for example kubeadm clusters on EC2), not to EKS control planes.
Test Plan:
Using AWS Console:
The EKS console does not display etcd or kube-apiserver flags; the EKS control plane is managed by AWS and these settings cannot be inspected or changed from the console. For an EKS cluster, record this control as not applicable. The steps below are for self-managed clusters.
Using AWS CLI:
The AWS CLI does not expose control-plane flags either: aws eks describe-cluster returns endpoint, networking and logging settings, not etcd arguments. On a self-managed cluster, connect to each control plane (or etcd) node and inspect the running etcd process:
ps -ef | grep etcd
On kubeadm clusters the same arguments are in the etcd static pod manifest:
grep peer-client-cert-auth /etc/kubernetes/manifests/etcd.yaml
Verify that --peer-client-cert-auth=true is present on every member. Note that etcd and kube-apiserver are not Deployments in kube-system; on kubeadm clusters they run as static pods whose arguments live in the node's manifest files, so kubectl get deployment cannot show them.
If the argument is missing or set to false on any member, remediate it on that node as described in the Implementation Plan.
Implementation Plan:
Using AWS Console:
Not applicable: the EKS console has no setting for etcd flags because AWS manages the control plane. There is nothing to change for an EKS cluster.
Using AWS CLI:
Not applicable to EKS. On a self-managed kubeadm cluster, edit the etcd static pod manifest on each control plane node:
vi /etc/kubernetes/manifests/etcd.yaml
Locate the command list of the etcd container and add or correct the argument:
- --peer-client-cert-auth=true
Make sure --peer-trusted-ca-file, --peer-cert-file and --peer-key-file are set as well; without them the member has no CA to verify peers against and no certificate to present to them.
Save the file. The kubelet watches the manifests directory and restarts the etcd static pod with the new arguments. Change one member at a time and confirm it rejoins the cluster (for example with etcdctl endpoint health) before moving to the next, so the cluster keeps quorum throughout.
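The following script is an added example for the Test Plan and Implementation Plan above; it is not part of the benchmark text or of etcd or kubeadm. It checks an etcd command line (such as the output of ps -ef | grep etcd) or a kubeadm-style static pod manifest for --peer-client-cert-auth, and can rewrite the manifest to enforce it. It assumes POSIX sh, sed and awk, and that the manifest lists the etcd binary as the first entry of the container's command list (as kubeadm writes it). The sample command lines and manifest are constructed for the example, not captured from a real cluster.

```shell
#!/bin/sh
# Added example (not from the benchmark, etcd or kubeadm): audit and remediate
# --peer-client-cert-auth in an etcd command line or static pod manifest.
# Assumptions: POSIX sh/sed/awk; the manifest's command list starts with the
# etcd binary ("- etcd" or "- /path/to/etcd").

# Return 0 when the command line enforces peer client certificate auth, 1 otherwise.
check_peer_client_cert_auth() {
    # Word-split the command line into positional parameters (no globs expected).
    set -- $1
    for arg in "$@"; do
        case "$arg" in
            # Explicit true, or the bare flag, which Go flag parsing (used by etcd) reads as true.
            --peer-client-cert-auth=true|--peer-client-cert-auth) return 0 ;;
            --peer-client-cert-auth=false) return 1 ;;
        esac
    done
    # Flag absent: etcd defaults to false, so peers are not authenticated.
    return 1
}

# Read a static pod manifest on stdin and print its "- --flag" entries on one line.
manifest_to_cmdline() {
    sed -n 's/^[[:space:]]*-[[:space:]]*\(--[^[:space:]]*\).*/\1/p' | tr '\n' ' '
}

# Read a manifest on stdin; print it with --peer-client-cert-auth=true enforced.
set_peer_client_cert_auth() {
    manifest=$(cat)
    if printf '%s\n' "$manifest" | grep -q -- '--peer-client-cert-auth'; then
        # Normalise any existing value (false or bare) to an explicit true.
        printf '%s\n' "$manifest" | sed 's/--peer-client-cert-auth[^[:space:]]*/--peer-client-cert-auth=true/'
    else
        # Insert the flag as a new list item right after the etcd binary entry, keeping
        # its indentation. Entries starting with "--" (e.g. --data-dir=/var/lib/etcd) are skipped.
        printf '%s\n' "$manifest" | awk '
            { print }
            /^[[:space:]]*-[[:space:]]*([^-[:space:]][^[:space:]]*)?etcd$/ {
                sub(/[^[:space:]]*$/, "--peer-client-cert-auth=true"); print
            }'
    fi
}

# Print a verdict for a command line; the exit status mirrors the check.
audit_cmdline() {
    if check_peer_client_cert_auth "$1"; then
        echo "PASS: --peer-client-cert-auth=true is set"
    else
        echo "FAIL: --peer-client-cert-auth is missing or false"
        return 1
    fi
}

# Audit the etcd process running on this host, if any (first matching command line).
audit_running_etcd() {
    cmdline=$(ps -eo args= 2>/dev/null | grep '^[^ ]*etcd ' | head -n 1) || true
    if [ -z "$cmdline" ]; then
        echo "no etcd process found on this host"
        return 1
    fi
    audit_cmdline "$cmdline"
}

# Constructed samples (not captured from a real cluster).
SAMPLE_PASS_CMDLINE='/usr/local/bin/etcd --name=control-plane --peer-client-cert-auth=true --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt'
SAMPLE_FAIL_CMDLINE='/usr/local/bin/etcd --name=control-plane --data-dir=/var/lib/etcd'
SAMPLE_FAIL_MANIFEST='apiVersion: v1
kind: Pod
metadata:
  name: etcd
  namespace: kube-system
spec:
  containers:
  - command:
    - etcd
    - --name=control-plane
    - --data-dir=/var/lib/etcd
    - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    name: etcd'

# Demonstration on the constructed samples; "|| true" keeps the FAIL case from
# aborting a shell running with set -e.
audit_cmdline "$SAMPLE_PASS_CMDLINE" || true
audit_cmdline "$SAMPLE_FAIL_CMDLINE" || true
audit_cmdline "$(printf '%s\n' "$SAMPLE_FAIL_MANIFEST" | manifest_to_cmdline)" || true
audit_cmdline "$(printf '%s\n' "$SAMPLE_FAIL_MANIFEST" | set_peer_client_cert_auth | manifest_to_cmdline)" || true
```

On a real node, run audit_running_etcd for the check, and for the fix pipe the live manifest through set_peer_client_cert_auth into a new file, diff it against the original, and only then move it into /etc/kubernetes/manifests so the kubelet restarts etcd once with the verified content. The script does not add --peer-trusted-ca-file, --peer-cert-file or --peer-key-file; those must already be present for the enforced check to succeed.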
Backout Plan:
Using AWS Console:
Not applicable: there is no etcd flag to revert in the EKS console, since AWS manages the control plane.
Using AWS CLI:
Not applicable to EKS. On a self-managed kubeadm cluster, edit the etcd static pod manifest on the affected node:
vi /etc/kubernetes/manifests/etcd.yaml
Remove the --peer-client-cert-auth=true line (etcd then falls back to its default of false) or set it to --peer-client-cert-auth=false, and save the file; the kubelet restarts the etcd static pod with the previous arguments. Revert one member at a time and confirm it rejoins the cluster before continuing.
References:
etcd configuration flags (--peer-client-cert-auth, --peer-trusted-ca-file, --peer-cert-file, --peer-key-file)
CIS Kubernetes Benchmark, etcd node configuration
Amazon EKS documentation (managed control plane)