HTTPS not enabled between apiserver and kubelets

ID

api_server_kubelet_https

Severity

high

Vendor

Kubernetes

Resource

kube-apiserver

Tags

reachable

Description

The Kubernetes API server validates and configures data for API objects such as pods, services, replication controllers, and others.

Connections from the API server to kubelets (for example, the exec, logs, attach and port-forward requests that the API server proxies to a node) can carry sensitive data such as secrets and credentials. Without in-transit encryption, anyone on the network path between the control plane and a node can read or alter that traffic, so all communication between the API server and kubelets must use HTTPS.

The --kubelet-https flag controls this. It defaults to true, so the finding fires only when the flag is explicitly set to false. Note that HTTPS alone encrypts the connection; by default the API server does not verify the kubelet's serving certificate, so to actually defeat a man-in-the-middle also set --kubelet-certificate-authority to the CA that signed the kubelet certificates. The flag was deprecated in Kubernetes 1.19 and removed in later releases, where the API server always uses HTTPS to kubelets; on those versions the check no longer applies.
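The following audit helper is an added example, not part of this rule's tooling or of Kubernetes itself. It applies the same logic a CIS-style scanner uses: read the kube-apiserver command line, evaluate --kubelet-https with pflag semantics (absent or bare means true, a value can only be attached with "="), and additionally warn when --kubelet-certificate-authority is missing. The sample command lines are constructed, not captured from a real cluster.

```shell
#!/bin/sh
# Added audit helper, not part of the original rule or of Kubernetes itself.
# Exit codes from audit_kubelet_https: 0 pass, 1 fail, 2 pass with warning.

# Print the effective value of --kubelet-https for a given command line.
# kube-apiserver uses pflag: a bare boolean flag means true, and a value can
# only be attached with '=' (so "--kubelet-https false" does not disable it).
kubelet_https_setting() {
    value=true                      # flag absent: Kubernetes default
    # shellcheck disable=SC2086     # word-splitting the command line is intended
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
            --kubelet-https=*) value=${1#--kubelet-https=} ;;
            --kubelet-https)   value=true ;;
        esac
        shift
    done
    printf '%s\n' "$value"
}

# Evaluate a command line. Also warns when --kubelet-certificate-authority is
# missing: the TLS connection is then encrypted but the kubelet's serving
# certificate is not verified, so HTTPS alone does not stop a MITM.
audit_kubelet_https() {
    cmdline=$1
    value=$(kubelet_https_setting "$cmdline")
    case $value in
        1|t|T|TRUE|true|True) ;;      # spellings strconv.ParseBool accepts as true
        *) printf 'FAIL: --kubelet-https=%s, API server to kubelet traffic is plaintext\n' "$value"
           return 1 ;;
    esac
    case " $cmdline " in
        *' --kubelet-certificate-authority='*|*' --kubelet-certificate-authority '*)
            printf 'PASS: HTTPS enabled and kubelet serving certificate verified\n'
            return 0 ;;
        *)  printf 'WARN: HTTPS enabled but --kubelet-certificate-authority is unset, kubelet certificate not verified\n'
            return 2 ;;
    esac
}

# Constructed sample command lines (not captured from a real cluster).
BAD_CMDLINE='kube-apiserver --kubelet-https=false --secure-port=6443'
DEFAULT_CMDLINE='kube-apiserver --secure-port=6443'
GOOD_CMDLINE='kube-apiserver --kubelet-https=true --kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt --secure-port=6443'

for c in "$BAD_CMDLINE" "$DEFAULT_CMDLINE" "$GOOD_CMDLINE"; do
    audit_kubelet_https "$c" || true    # keep going; the exit code is the result
done

# On a control-plane node, audit the live process instead of a sample:
#   pid=$(pgrep -o -x kube-apiserver) && audit_kubelet_https "$(tr '\0' ' ' < /proc/$pid/cmdline)"
# or the static pod manifest written by kubeadm:
#   grep -E -- '--kubelet-https=' /etc/kubernetes/manifests/kube-apiserver.yaml
```

Run it on a control-plane node with the commented commands at the end; a WARN result is not a finding for this rule, but it does mean the encrypted connection is still exposed to a man-in-the-middle that presents any certificate.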

Examples

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad
spec:
  containers:
  - command:
    - kube-apiserver
    - --kubelet-https=false  # (1)
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.9.0
    name: bad-container
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /health
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki
```
1 Command argument --kubelet-https set to false means communication between the API server and kubelets is performed over plaintext HTTP, exposing exec sessions, log streams and port-forward traffic on the wire.

Mitigation / Fix

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: good
spec:
  containers:
  - command:
    - kube-apiserver
    - --kubelet-https=true  # (1)
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.9.0
    name: good-container
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /health
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki
```
1 Command argument --kubelet-https set to true means communication between the API server and kubelets is performed over HTTPS. This is also the behaviour when the flag is omitted, since true is the default; simply removing an explicit --kubelet-https=false is an equivalent fix.