API server should verify the kubelet's certificate before establishing connection

Set up the Kubernetes integration.

Description

A kubelet’s certificate should be verified before establishing a connection. The connections from the API server to the kubelet are used for fetching logs from pods, attaching (through kubectl) to running pods, and using the kubelet’s port-forwarding functionality.

Remediation

  1. Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets.
  2. Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --kubelet-certificate-authority parameter to the path of the cert file for the certificate authority:

     --kubelet-certificate-authority=<ca-string>
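
To confirm the remediation took effect, the manifest can be checked for the flag. The script below is an added example, not code from this page or from the Kubernetes project; the function names and the sample manifests are constructed, and it assumes the CA file is mounted into the API server pod at the same path it has on the host.

```shell
#!/bin/sh
# Added example (not Datadog or Kubernetes code): audit a kube-apiserver
# static pod manifest for --kubelet-certificate-authority.

# Print the flag's value from manifest $1; empty output if absent.
# Quotes are stripped and commented-out lines ignored; if the flag is
# repeated, the last occurrence is reported.
kubelet_ca_value() {
    tr -d "\"'" < "$1" |
        sed -n -e '/^[[:space:]]*#/d' \
            -e 's/^[[:space:]]*-[[:space:]]*--kubelet-certificate-authority=\([^[:space:]]*\).*$/\1/p' |
        tail -n 1
}

# Exit status: 0 = flag set and CA file readable, 1 = flag missing or
# empty, 2 = flag set but the CA file is not readable at that path.
# Assumption: the CA path is mounted into the pod at the same host path.
check_kubelet_ca() {
    ca=$(kubelet_ca_value "$1")
    if [ -z "$ca" ]; then
        echo "FAIL: --kubelet-certificate-authority not set in $1"
        return 1
    fi
    if [ ! -r "$ca" ]; then
        echo "WARN: flag points to $ca, which is not readable here"
        return 2
    fi
    echo "PASS: kubelet certificates are verified against $ca"
}

# Constructed sample manifests; on a real node pass
# /etc/kubernetes/manifests/kube-apiserver.yaml instead.
demo=$(mktemp -d)
: > "$demo/ca.crt"    # placeholder file standing in for the CA bundle
cat > "$demo/unset.yaml" <<EOF
spec:
  containers:
  - command:
    - kube-apiserver
    # - --kubelet-certificate-authority=$demo/ca.crt
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
EOF
sed 's/# - --kubelet-cert/- --kubelet-cert/' "$demo/unset.yaml" > "$demo/set.yaml"
check_kubelet_ca "$demo/unset.yaml" || true
check_kubelet_ca "$demo/set.yaml" || true
```

A commented-out flag counts as unset, and a flag pointing at a missing file is reported separately (status 2) so it is not mistaken for a pass.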