Profile Applicability:

  • Level 1

Description:

Ensure that the --client-cert-auth argument is set to true in the Kubernetes API server configuration. This argument enables the use of client certificates for authentication in the Kubernetes API server, ensuring that only clients with valid certificates can communicate with the API server.

Rationale:

Setting the --client-cert-auth argument to true ensures that Kubernetes API server authenticates client connections using client certificates. This provides a higher level of security for the API server by ensuring that only authorized clients with valid certificates are allowed to access the Kubernetes API.

Impact:

Pros:

  • Enhances the security of the Kubernetes API server by ensuring that only authorized clients can communicate with it.

  • Prevents unauthorized access and potential abuse by requiring a valid client certificate for authentication.

Cons:

  • Requires the management and distribution of client certificates, adding administrative overhead.

  • Misconfiguration or missing certificates may result in connectivity issues or inability to authenticate clients.

Default Value:

By default, the --client-cert-auth argument may be set to false, and this requires manual configuration to enable client certificate authentication.

Pre-Requisites:

  • Access to the Kubernetes API server configuration.

  • Properly issued and managed client certificates.

  • Sufficient privileges (root or administrator access) to modify the Kubernetes API server flags.

  • A Kubernetes environment where certificates can be managed securely.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the Amazon Elastic Kubernetes Service (EKS) console.

  3. Navigate to the "Clusters" section and locate your cluster.

  4. Review the settings for the --client-cert-auth argument in the API server configuration.

  5. Ensure that the --client-cert-auth argument is set to true.

Using AWS CLI:

Retrieve the configuration for the Kubernetes API server:

kubectl get deployment -n kube-system kube-apiserver -o yaml

Check for the presence of the --client-cert-auth argument in the API server arguments section. It should look like:

- --client-cert-auth=true

  1. Ensure that the --client-cert-auth argument is set to true. If it is not, update the configuration to enable client certificate authentication.

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the EKS service and navigate to your cluster.

  3. Review the cluster's configuration for the --client-cert-auth argument.

  4. If the argument is not set to true, update the API server configuration to set --client-cert-auth=true.

  5. Save and apply the changes to the Kubernetes API server configuration.

Using AWS CLI:

Modify the API server deployment by adding or updating the --client-cert-auth=true argument:

kubectl edit deployment -n kube-system kube-apiserver

  1. In the deployment YAML, locate the command section under the spec for the kube-apiserver container.

Add or update the following line to set the argument:

- --client-cert-auth=true

  1. Save and exit the editor to apply the changes.

Backout Plan:

Using AWS Console:

  1. Sign in to the AWS Console.

  2. Open the EKS service and navigate to your cluster.

  3. Locate the API server configuration.

  4. If necessary, revert the change by setting the --client-cert-auth argument to false or removing it entirely.

  5. Save and apply the changes to the Kubernetes API server configuration.

Using AWS CLI:

To revert the change, edit the API server deployment to set the --client-cert-auth argument to false:

kubectl edit deployment -n kube-system kube-apiserver

Update the deployment YAML to include --client-cert-auth=false if needed:

- --client-cert-auth=false

  1. Save and exit the editor to apply the changes.

References: