Profile Applicability:
Level 1
Description:
Ensure that the --auto-tls argument is not set to true in the Kubernetes API server configuration. This argument, when enabled, automatically provisions a TLS certificate for the API server, which can be a security risk in certain configurations, especially when strict control over certificates is required.
Rationale:
Disabling the --auto-tls argument ensures that the Kubernetes API server does not automatically generate and manage TLS certificates. Instead, it allows administrators to manage and control the TLS certificates manually, which provides better security and flexibility in certificate management.
Impact:
Pros:
Provides better control over the TLS certificates used by the Kubernetes API server.
Prevents the automatic generation of TLS certificates, allowing administrators to specify trusted certificate authorities and improve security posture.
Cons:
Requires manual management of certificates, which increases administrative overhead and the complexity of configuration.
Default Value:
By default, the --auto-tls argument is not enabled (false), but it may be inadvertently set to true. Manual configuration is required to ensure that it is not enabled.
Pre-Requisites:
Access to the Kubernetes API server configuration.
Sufficient privileges (root or administrator access) to modify the Kubernetes API server flags.
A Kubernetes environment where TLS certificates are managed manually or with custom certificate authorities.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the Amazon Elastic Kubernetes Service (EKS) console.
Navigate to the "Clusters" section and locate your cluster.
Review the settings for the --auto-tls argument in the API server configuration.
Ensure that the --auto-tls argument is not set to true.
Using AWS CLI:
Retrieve the configuration for the Kubernetes API server:
kubectl get deployment -n kube-system kube-apiserver -o yaml
Check the --auto-tls argument in the API server arguments section:
- --auto-tls=true
Ensure that this argument is not set to true. If it is, the argument needs to be removed or set to false.
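A small audit helper for this check, added here as an example rather than taken from the benchmark page or any Kubernetes project code. It reads the manifest produced by the kubectl command above (from a file or standard input), looks for the `- --auto-tls...` argument form shown above, and exits non-zero when the flag is enabled. It assumes pflag boolean semantics, so a bare `--auto-tls` with no value is treated as `true`; only an explicit `--auto-tls=false` or the flag's absence passes.

```shell
# Added example (not part of the benchmark page): audit a kube-apiserver
# manifest/deployment YAML for an enabled --auto-tls argument.
# Usage: kubectl get deployment -n kube-system kube-apiserver -o yaml | check_auto_tls
#   or:  check_auto_tls /path/to/kube-apiserver.yaml
# Exit status 0 = compliant (flag absent or explicitly false), 1 = non-compliant.
check_auto_tls() {
    # Read the manifest from a file argument or from stdin.
    if [ $# -ge 1 ]; then
        manifest=$(cat "$1")
    else
        manifest=$(cat)
    fi

    # Collect every argument-list line that carries the flag ("- --auto-tls...").
    # A bare "--auto-tls" is treated as true, matching Go/pflag boolean flag
    # semantics (assumption stated in the lead-in).
    hits=$(printf '%s\n' "$manifest" | grep -E -- '^[[:space:]]*-[[:space:]]*"?--auto-tls' || true)

    if [ -z "$hits" ]; then
        echo "PASS: --auto-tls is not set"
        return 0
    fi

    # Any occurrence that is not explicitly =false counts as enabled.
    if printf '%s\n' "$hits" | grep -E -v -- '--auto-tls=false' | grep -q .; then
        echo "FAIL: --auto-tls is enabled:"
        printf '%s\n' "$hits"
        return 1
    fi

    echo "PASS: --auto-tls is explicitly false"
    return 0
}
```

The function only reads the manifest; remediation stays with the implementation plan below. Because it exits non-zero on a finding, it can be dropped into a CI or compliance job as-is.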
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the EKS service and navigate to your cluster.
Review the cluster's configuration for the --auto-tls argument.
If the argument is set to true, update the API server configuration to remove or set the argument to false.
Save and apply the changes to the Kubernetes API server configuration.
Using AWS CLI:
Modify the API server deployment by removing or setting the --auto-tls argument to false:
kubectl edit deployment -n kube-system kube-apiserver
In the deployment YAML, locate the command section under the spec for the kube-apiserver container.
Remove the --auto-tls=true line entirely, or change it so the flag is explicitly set to false:
- --auto-tls=false
Save and exit the editor to apply the changes.
Backout Plan:
Using AWS Console:
Sign in to the AWS Console.
Open the EKS service and navigate to your cluster.
Locate the API server configuration.
If necessary, revert the change by setting the --auto-tls argument back to true or restoring the previous setting.
Save and apply the changes to the Kubernetes API server configuration.
Using AWS CLI:
To revert the change, edit the API server deployment to set the --auto-tls argument back to true:
kubectl edit deployment -n kube-system kube-apiserver
Update the deployment YAML to include --auto-tls=true if needed:
- --auto-tls=true
Save and exit the editor to apply the changes.
References:
Kubernetes API Server Configuration