Profile Applicability:
Level 1
Description:
The --rotate-certificates argument controls whether the Kubelet automatically rotates its client certificates as they approach expiry, which keeps them current and avoids lapses in trust. This check ensures that the --rotate-certificates argument is not set to false, so that certificate rotation remains enabled, certificates do not expire, and communication between Kubernetes components stays secure.
Rationale:
By default, Kubernetes manages and rotates certificates for various components (such as the API server, Kubelet, etc.). Disabling certificate rotation could lead to certificate expiration, which would cause communication failures and security vulnerabilities. Ensuring that --rotate-certificates is not set to false helps automate certificate management and ensures that all components remain secure and operational.
Impact:
Pros:
Ensures that Kubernetes components’ certificates are automatically rotated and remain up to date.
Reduces the risk of expired certificates causing communication failures or security vulnerabilities.
Cons:
Requires proper configuration of certificate management and could require additional resources to monitor certificate expiration and rotation.
If misconfigured, it could lead to service disruptions, so careful testing is required before enabling or configuring certificate rotation.
Default Value:
By default, Kubernetes enables certificate rotation for most components. This check ensures that certificate rotation is not disabled by mistakenly setting --rotate-certificates to false.
Pre-requisites:
Ensure that Kubernetes certificate rotation is enabled and that proper monitoring is in place to check the status of certificate expiration.
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.
Review the Kubelet configuration to ensure that the --rotate-certificates argument is not set to false.
Verify that the certificate rotation mechanism is enabled and working by checking the configuration of the Kubelet and API server.
Using Azure CLI:
1. Run the following command to check the current Kubelet configuration for the --rotate-certificates argument:
kubectl describe pod kubelet -n kube-system | grep "--rotate-certificates"
2. Ensure that the --rotate-certificates argument is not set to false. If it is, certificate rotation is disabled and needs to be enabled.
3. Verify the Kubelet configuration file to check the setting for certificate rotation:
kubectl get configmap kubelet -n kube-system -o yaml | grep rotate-certificates
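The following is an added example, not part of this benchmark text: an offline audit helper that applies the check above to a Kubelet's command line and its KubeletConfiguration file together, honouring the Kubelet's rule that a command-line flag overrides the same setting in the --config file. The argv and configuration values are constructed sample inputs; on a real node the argv would come from /proc/<pid>/cmdline and the configuration from the file named by --config, parsed with a YAML or JSON loader.

```python
"""Audit: is Kubelet certificate rotation explicitly disabled?"""
from typing import Optional

FLAG = "--rotate-certificates"


def parse_proc_cmdline(raw: bytes) -> list:
    """Split a NUL-separated /proc/<pid>/cmdline blob into argv."""
    return [p.decode() for p in raw.split(b"\0") if p]


def flag_value(argv: list) -> Optional[bool]:
    """Value of --rotate-certificates on the command line, or None if absent.

    pflag-style booleans: a bare '--rotate-certificates' means true and
    '--rotate-certificates=<v>' accepts 1/t/true or 0/f/false (any case).
    The last occurrence wins, matching how the flag parser behaves.
    """
    value = None
    for arg in argv:
        if arg == FLAG:
            value = True
        elif arg.startswith(FLAG + "="):
            value = arg.split("=", 1)[1].strip().lower() in ("1", "t", "true")
    return value


def config_value(config: dict) -> Optional[bool]:
    """rotateCertificates from a parsed KubeletConfiguration, or None if unset."""
    v = config.get("rotateCertificates")
    return None if v is None else bool(v)


def effective_rotation(argv: list, config: dict) -> Optional[bool]:
    """Flag overrides the config file; None means neither source sets it."""
    fv = flag_value(argv)
    return fv if fv is not None else config_value(config)


def is_compliant(argv: list, config: dict) -> bool:
    """The check only fails when rotation is explicitly set to false."""
    return effective_rotation(argv, config) is not False


if __name__ == "__main__":
    # Constructed sample: the config file enables rotation but the flag disables it.
    sample_argv = parse_proc_cmdline(
        b"/usr/local/bin/kubelet\0--config=/var/lib/kubelet/config.yaml\0"
        b"--rotate-certificates=false\0")
    sample_config = {"kind": "KubeletConfiguration", "rotateCertificates": True}
    print("effective:", effective_rotation(sample_argv, sample_config),
          "compliant:", is_compliant(sample_argv, sample_config))
```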
Implementation Plan:
Using Azure Console:
1. In the Azure portal, go to your AKS cluster and access the Kubelet configuration.
2. Ensure that the --rotate-certificates argument is not set to false. You can do this by modifying the Kubelet configuration so that rotation is enabled.
Using Azure CLI:
1. To enable certificate rotation for the Kubelet, modify the Kubelet configuration:
kubelet --rotate-certificates=true
2. Apply the change by restarting the Kubelet:
systemctl restart kubelet
3. Verify that --rotate-certificates is set correctly:
kubectl describe pod kubelet -n kube-system | grep "--rotate-certificates"
4. Ensure that the rotate-certificates argument is enabled and correctly configured in the Kubelet configuration file:
kubectl get configmap kubelet -n kube-system -o yaml | grep rotate-certificates
Backout Plan:
Using Azure Console:
If enabling the --rotate-certificates argument causes issues, revert the change in the Azure portal by setting --rotate-certificates back to false.
Test to ensure that the change does not impact the Kubelet or API server's communication.
Using Azure CLI:
1. Revert the Kubelet configuration by setting --rotate-certificates to false:
kubelet --rotate-certificates=false
2. Restart the Kubelet to apply the change:
systemctl restart kubelet