Kubelet client certificate rotation is disabled

ID

kubelet_rotate_certificates

Severity

high

Vendor

Kubernetes

Resource

kubelet

Tags

reachable

Description

The kubelet is the primary "node agent" that runs on each node.

When --rotate-certificates is enabled, the kubelet rotates its client certificates by creating new CSRs as its existing credentials expire.

This automated periodic rotation ensures that the there is no downtime due to expired certificates and thus addressing availability in the CIA security triad.

Learn more about this topic at Configure Certificate Rotation for the Kubelet.

Examples

apiVersion: v1
kind: Pod
metadata:
  name: bad
spec:
  containers:
  - command:
    - kubelet
    - --rotate-certificates=false (1)
    name: bad-container
    image: gcr.io/google_containers/kubelet-amd64:v1.6.0
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /health
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki
yml
1 Command argument --rotate-certificates not set to true means kubelet client certificate rotation is disabled.

Mitigation / Fix

apiVersion: v1
kind: Pod
metadata:
  name: good
spec:
  containers:
  - command:
    - kubelet
    - --rotate-certificates=true (1)
    name: good-container
    image: gcr.io/google_containers/kubelet-amd64:v1.6.0
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /health
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki
yml
1 Command argument --rotate-certificates set to true means kubelet client certificate rotation is enabled.