lacework-global-330
3.2.11 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)
note
This rule has been changed to automated, see Automated Rules for CIS Amazon EKS 1.1.0 for details.
Profile Applicability
• Level 1
Description
Enable kubelet server certificate rotation.
Rationale
RotateKubeletServerCertificate causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that there are no downtimes due to expired certificates and thus addresses availability in the CIA (Confidentiality, Integrity, and Availability) security triad.
note
This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to implement rotation yourself.
Impact
None
Audit
Audit Method 1:
First, SSH to each node:
Run the following command on each node to find the Kubelet process:
ps -ef | grep kubelet
If the output of the command above includes the --rotate-kubelet-server-certificate executable argument, verify that it is set to true.
If the process does not have the --rotate-kubelet-server-certificate executable argument, then check the Kubelet config file. The output of the above command should return something similar to --config /etc/kubernetes/kubelet/kubelet-config.json, which is the location of the Kubelet config file.
Open the Kubelet config file:
cat /etc/kubernetes/kubelet/kubelet-config.json
Verify that the RotateKubeletServerCertificate argument exists in the featureGates section and is set to true.
Audit Method 2:
If using the API configz endpoint, consider searching for the status of "RotateKubeletServerCertificate":true by extracting the live configuration from the nodes running kubelet.
Set the local proxy port and the following variables, providing the proxy port number and the node name: HOSTNAME_PORT="localhost-and-port-number" and NODE_NAME="The-Name-Of-Node-To-Extract-Configuration", taken from the output of "kubectl get nodes".
kubectl proxy --port=8001 &
export HOSTNAME_PORT=localhost:8001  # example host and port number
export NODE_NAME=ip-192.168.31.226.ec2.internal  # example node name from "kubectl get nodes"
curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"
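The two audit methods above reduce to one decision: an explicit --rotate-kubelet-server-certificate executable argument wins, otherwise the featureGates entry in the Kubelet config (from the file or from /configz) decides. The following is an added helper that encodes that precedence; it is not part of the benchmark, and the kubelet command line and config documents it parses are constructed samples, not output from a real node.

```python
import json
import shlex

FLAG = "--rotate-kubelet-server-certificate"
GATE = "RotateKubeletServerCertificate"

# Constructed sample inputs (not captured from a real node).
SAMPLE_PS_LINE = ("/usr/bin/kubelet --cloud-provider aws "
                  "--config /etc/kubernetes/kubelet/kubelet-config.json")
SAMPLE_CONFIG_FILE = ('{"kind": "KubeletConfiguration", '
                      '"featureGates": {"RotateKubeletServerCertificate": true}}')
SAMPLE_CONFIGZ = ('{"kubeletconfig": {"featureGates": '
                  '{"RotateKubeletServerCertificate": true}}}')


def flag_from_cmdline(cmdline):
    """Return True/False if the kubelet command line sets the flag, else None.
    kubelet boolean flags take a value only in the '--flag=value' form; a bare
    '--flag' means true. If the flag is repeated, the last occurrence wins."""
    value = None
    for arg in shlex.split(cmdline):
        if arg == FLAG:
            value = True
        elif arg.startswith(FLAG + "="):
            value = arg.split("=", 1)[1].strip().lower() == "true"
    return value


def gate_from_config(config_json):
    """Return the featureGates value from a kubelet config document, or None.
    Accepts both the on-disk kubelet-config.json shape and the /configz
    response, which wraps the configuration under a 'kubeletconfig' key."""
    doc = json.loads(config_json)
    doc = doc.get("kubeletconfig", doc)
    value = (doc.get("featureGates") or {}).get(GATE)
    return value if isinstance(value, bool) else None


def audit(cmdline, config_json=None):
    """Apply the benchmark's precedence: an executable argument overrides the
    config file; otherwise the featureGates entry decides; if neither sets the
    value explicitly to true, the check fails."""
    flag = flag_from_cmdline(cmdline)
    if flag is not None:
        return flag
    gate = gate_from_config(config_json) if config_json is not None else None
    return gate if gate is not None else False


if __name__ == "__main__":
    print("PASS" if audit(SAMPLE_PS_LINE, SAMPLE_CONFIG_FILE) else "FAIL")
```

On a real node, feed audit() the kubelet line from ps -ef and the contents of the file named by its --config argument, or the body returned by the curl command above.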
Remediation
Remediation Method 1:
If modifying the Kubelet config file, edit the kubelet-config.json file /etc/kubernetes/kubelet/kubelet-config.json and set the below parameter to true:
"featureGates": {
"RotateKubeletServerCertificate":true
}
Additionally, ensure that the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf does not set the --rotate-kubelet-server-certificate executable argument to false, because this would override the Kubelet config file.
Remediation Method 2:
If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf on each worker node and add the below parameter at the end of the KUBELET_ARGS variable string:
--rotate-kubelet-server-certificate=true
Remediation Method 3:
If using the API configz endpoint, consider searching for the status of "RotateKubeletServerCertificate": by extracting the live configuration from the nodes running kubelet.
See the detailed step-by-step configmap procedures in Reconfigure a Node's Kubelet in a Live Cluster, and then rerun the curl statement from the audit process to check for kubelet configuration changes:
kubectl proxy --port=8001 &
export HOSTNAME_PORT=localhost:8001  # example host and port number
export NODE_NAME=ip-192.168.31.226.ec2.internal  # example node name from "kubectl get nodes"
curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"
For all three remediations: Based on the node's service manager (the example below is for systemctl), restart the kubelet service and check status:
systemctl daemon-reload
systemctl restart kubelet.service
systemctl status kubelet -l
References
https://github.com/kubernetes/kubernetes/pull/45059
https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration