Pods should use `root-ca-file` to pass serving certificates to the API server

Documentos > Datadog Security > OOTB Rules > Pods should use `root-ca-file` to pass serving certificates to the API server

Set up the kubernetes integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Description

Pods should be allowed to verify the API server’s serving certificate before establishing connections. Processes running in pods that need to contact the API server must verify the API server’s serving certificate. Failure to do so could result in the pod being subject to man-in-the-middle attacks.

Remediation

Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the master node and set the --root-ca-file parameter to the certificate bundle file: --root-ca-file=<path/to/file>