Profile Applicability:
Level 1
Description:
Ensure that the --peer-cert-file and --peer-key-file arguments are set appropriately in the Kubernetes API server configuration. These arguments specify the location of the certificate and key files used for authenticating peer communication between the Kubernetes API server and other components, such as etcd, using mutual TLS (mTLS).
Rationale:
Setting the --peer-cert-file and --peer-key-file arguments ensures that the Kubernetes API server uses the correct certificates and keys for authenticating communication with its peers. Proper configuration of these arguments helps protect the integrity of Kubernetes inter-component communication by enabling secure, encrypted communication with trusted peers.
Impact:
Pros:
Ensures secure, encrypted communication between the Kubernetes API server and other components using mTLS.
Provides an additional layer of security by verifying the identity of the peers communicating with the API server.
Cons:
Misconfiguration of these arguments can break the peer-to-peer communication, potentially leading to cluster connectivity issues.
Requires proper certificate management and storage for these files, which can increase administrative complexity.
Default Value:
By default, the --peer-cert-file and --peer-key-file arguments may not be set or could be set to incorrect paths. Manual configuration is required to ensure that they point to the correct certificate and key files for secure communication.
Pre-Requisites:
Access to the Kubernetes API server configuration.
Properly issued and managed certificates and keys for the peer-to-peer communication.
Sufficient privileges (root or administrator access) to modify the API server configuration.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the Amazon Elastic Kubernetes Service (EKS) console.
Navigate to the "Clusters" section and locate your cluster.
Review the settings for the --peer-cert-file and --peer-key-file arguments in the API server configuration.
Ensure that the paths for the certificate and key files are correctly set to the appropriate files.
Using AWS CLI:
Retrieve the configuration for the Kubernetes API server:
kubectl get deployment -n kube-system kube-apiserver -o yaml
Check for the presence of the --peer-cert-file and --peer-key-file arguments in the API server arguments section.
Ensure that the certificate and key file paths are correctly configured. For example:
- --peer-cert-file=/etc/kubernetes/pki/peer.crt
- --peer-key-file=/etc/kubernetes/pki/peer.key
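The following audit helper is an added example, not part of the benchmark text or any AWS or Kubernetes tooling. It takes the container argument lines from the kubectl output above, confirms that both flags are present and point to distinct absolute paths, and, when run on a host that can read the files and has openssl installed, verifies that the key belongs to the certificate. The sample YAML fragment and the file paths are constructed for illustration.

```shell
#!/bin/sh
# Added audit helper (not from the benchmark): checks the kube-apiserver
# container arguments for --peer-cert-file and --peer-key-file.

# Print the value of one "--flag=value" argument from YAML list lines such as
# "    - --peer-cert-file=/etc/kubernetes/pki/peer.crt" (quotes stripped).
# $1 = flag name, $2 = text holding the argument lines. Prints nothing if absent.
flag_value() {
  printf '%s\n' "$2" \
    | sed -n "s/^[[:space:]]*-\{0,1\}[[:space:]]*$1=\(.*\)\$/\1/p" \
    | head -n 1 | sed "s/^['\"]//; s/['\"]\$//"
}

# Return 0 when both flags are set to distinct absolute paths (and, if the files
# are readable here and openssl exists, the key matches the certificate); else 1.
check_peer_tls_args() {
  args="$1"; rc=0
  cert=$(flag_value --peer-cert-file "$args")
  key=$(flag_value --peer-key-file "$args")
  for pair in "--peer-cert-file=$cert" "--peer-key-file=$key"; do
    name=${pair%%=*}; path=${pair#*=}
    case "$path" in
      "") echo "FAIL: $name is not set"; rc=1 ;;
      /*) echo "PASS: $name=$path" ;;
      *)  echo "FAIL: $name=$path is not an absolute path"; rc=1 ;;
    esac
  done
  if [ -n "$cert" ] && [ "$cert" = "$key" ]; then
    echo "FAIL: certificate and key flags point to the same file"; rc=1
  fi
  # Deeper check, only possible on the node that holds the files.
  if [ -r "$cert" ] && [ -r "$key" ] && command -v openssl >/dev/null 2>&1; then
    if [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]; then
      echo "PASS: private key matches the certificate"
    else
      echo "FAIL: private key does not match the certificate"; rc=1
    fi
  fi
  return $rc
}

# Constructed sample fragments of the deployment YAML (not from a real cluster).
SAMPLE_OK='    - --peer-cert-file=/etc/kubernetes/pki/peer.crt
    - --peer-key-file=/etc/kubernetes/pki/peer.key'
SAMPLE_MISSING='    - --peer-cert-file=/etc/kubernetes/pki/peer.crt'

check_peer_tls_args "$SAMPLE_OK"
check_peer_tls_args "$SAMPLE_MISSING" || echo "(audit of SAMPLE_MISSING failed as expected)"
```

Against a live cluster, pass the real output instead of the sample: `check_peer_tls_args "$(kubectl get deployment -n kube-system kube-apiserver -o yaml)"`.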
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the EKS service and navigate to your cluster.
Review the cluster's configuration for the --peer-cert-file and --peer-key-file arguments.
If the arguments are missing or misconfigured, update the API server configuration to set the correct paths for the certificate and key files.
Using AWS CLI:
Modify the API server deployment by adding or updating the --peer-cert-file and --peer-key-file arguments:
kubectl edit deployment -n kube-system kube-apiserver
In the deployment YAML, locate the command section under the spec for the kube-apiserver container.
Add or update the following lines to point to the correct paths for the certificate and key files:
- --peer-cert-file=/etc/kubernetes/pki/peer.crt
- --peer-key-file=/etc/kubernetes/pki/peer.key
Save and exit the editor to apply the changes.
Backout Plan:
Using AWS Console:
Sign in to the AWS Console.
Open the EKS service and navigate to your cluster.
Locate the API server configuration.
If necessary, revert the changes by updating the --peer-cert-file and --peer-key-file arguments to point to the previous (or default) certificate and key files.
Save and apply the changes to the Kubernetes API server configuration.
Using AWS CLI:
To revert the changes, edit the API server deployment to remove or set the --peer-cert-file and --peer-key-file arguments to their previous values:
kubectl edit deployment -n kube-system kube-apiserver
Modify the deployment YAML to point to the previous certificate and key file paths.
Save and exit the editor to apply the changes.