Profile Applicability:
Level 1
Description:
The --tls-cert-file and --tls-private-key-file arguments in Kubernetes control the paths to the certificate and private key used for securing communication between Kubernetes components. This check ensures that these arguments are set correctly to appropriate paths, ensuring that Kubernetes components (such as the API server and Kubelet) communicate securely over TLS.
Rationale:
By setting the --tls-cert-file and --tls-private-key-file arguments correctly, you ensure that Kubernetes components communicate using valid certificates, which are essential for encrypted, secure communication. Improperly configured or missing certificates can lead to insecure connections, exposing the cluster to potential attacks or unauthorized access.
Impact:
Pros:
Ensures that Kubernetes components use strong encryption for communication.
Reduces the risk of MITM (Man-in-the-Middle) attacks and unauthorized access.
Cons:
Requires appropriate certificate and private key management.
If certificates are not properly configured, Kubernetes components might fail to start or function.
Default Value:
By default, Kubernetes expects these arguments to point to valid certificate and private key files, and they should be explicitly set to ensure that secure communication is established.
Pre-requisites:
Ensure that valid TLS certificates and private keys are available and properly stored in the specified paths.
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.
Review the Kubernetes configuration for the API server and Kubelet to ensure that the --tls-cert-file and --tls-private-key-file arguments are properly set to valid file paths for certificates.
Verify that these arguments point to valid certificates and keys for TLS encryption.
Using Azure CLI:
1. Run the following commands to inspect the Kubelet configuration and verify the --tls-cert-file and --tls-private-key-file arguments (the -e option is needed so grep does not treat the flag names as its own options):
kubectl describe pod kubelet -n kube-system | grep -e --tls-cert-file
kubectl describe pod kubelet -n kube-system | grep -e --tls-private-key-file
2. Ensure that the output shows valid paths for both the certificate and the private key.
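The following is an added audit helper, not part of this benchmark page: it performs the check of steps 1 and 2 against the live command line of the kubelet or API server process on a node, confirms that both referenced files exist, and, when openssl is installed, that the private key matches the certificate. The function names, the use of procps `ps -C`, and the space-separated argument format are assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the benchmark): verifies that a Kubernetes
# component's command line sets --tls-cert-file and --tls-private-key-file,
# that both files exist, and (when openssl is installed) that they match.

# Print the value of FLAG from ARGS ("--flag=value" or "--flag value");
# print nothing if the flag is absent.
extract_flag() {
  printf '%s\n' "$1" | tr ' ' '\n' | awk -v f="$2" '
    $0 == f               { if (getline > 0) print; exit }
    index($0, f "=") == 1 { print substr($0, length(f) + 2); exit }'
}

# Return 0 if ARGS sets both flags to existing, non-empty files; else 1.
check_tls_flags() {
  cert=$(extract_flag "$1" --tls-cert-file)
  key=$(extract_flag "$1" --tls-private-key-file)
  if [ -z "$cert" ] || [ -z "$key" ]; then
    echo "FAIL: --tls-cert-file or --tls-private-key-file not set"; return 1
  fi
  if [ ! -s "$cert" ] || [ ! -s "$key" ]; then
    echo "FAIL: $cert or $key is missing or empty"; return 1
  fi
  echo "PASS: cert=$cert key=$key"
}

# Return 0 when the public key inside CERT equals the one derived from KEY.
cert_key_match() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Audit the running process named $1 (kubelet or kube-apiserver); needs procps ps.
audit_component() {
  args=$(ps -o args= -C "$1" 2>/dev/null | head -n 1)
  [ -n "$args" ] || { echo "FAIL: no running process named $1"; return 1; }
  check_tls_flags "$args" || return 1
  if command -v openssl >/dev/null 2>&1; then
    cert_key_match "$(extract_flag "$args" --tls-cert-file)" \
                   "$(extract_flag "$args" --tls-private-key-file)" ||
      { echo "FAIL: private key does not match certificate"; return 1; }
    echo "PASS: private key matches certificate"
  fi
}

# Usage on a node: sh audit.sh audit kubelet   (or: audit kube-apiserver)
case "${1:-}" in audit) audit_component "${2:-kubelet}" ;; esac
```

If the flags are absent from the kubelet command line, the same settings may come from the KubeletConfiguration file named by --config (keys tlsCertFile and tlsPrivateKeyFile), so inspect that file before marking the node non-compliant.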
Implementation Plan:
Using Azure Console:
1. In the Azure portal, navigate to Azure Kubernetes Service (AKS) and go to the Kubelet and API server configuration.
2. Modify the Kubelet and API server configurations to set the --tls-cert-file and --tls-private-key-file arguments to point to valid paths for the certificate and private key.
3. Ensure that the correct certificate and private key files are placed at these paths. Apply the changes by restarting the Kubelet and API server after modifying their configurations:
systemctl restart kubelet
systemctl restart kube-apiserver
Using Azure CLI:
1. Modify the Kubelet and API server start-up flags to set the --tls-cert-file and --tls-private-key-file arguments:
2. Set the paths to your kubelet.crt and kubelet.key files (or equivalent paths):
kubelet --tls-cert-file=/etc/kubernetes/pki/kubelet.crt --tls-private-key-file=/etc/kubernetes/pki/kubelet.key
3. Ensure that the API server is configured with the appropriate tls-cert-file and tls-private-key-file:
kube-apiserver --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
4. Apply the updated configuration by restarting the Kubelet and API server:
systemctl restart kubelet
systemctl restart kube-apiserver
Backout Plan:
Using Azure Console:
If setting the --tls-cert-file and --tls-private-key-file arguments causes issues, revert the changes by resetting the arguments to their default values or pointing to alternate certificate and key files.
Restart the Kubelet and API server to apply the changes.
Using Azure CLI:
1. Revert the --tls-cert-file and --tls-private-key-file settings to their previous configurations or remove them if required:
kubelet --tls-cert-file=<previous-path> --tls-private-key-file=<previous-path>
2. Restart the Kubelet and API server after reverting the configuration:
systemctl restart kubelet
systemctl restart kube-apiserver
References:
Kubernetes API Server Configuration
TLS in Kubernetes