
Metadata

Id: fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f

Cloud Provider: Kubernetes

Platform: Kubernetes

Severity: Medium

Category: Networking and Firewall

Description

The kube-apiserver and the kubelet must be given an explicit TLS serving certificate and private key. When these settings are absent, both components fall back to generating a self-signed certificate and key at startup and writing them to their certificate directory (--cert-dir), so the serving identity of the control plane and of each node is not anchored in the cluster CA and clients that verify server certificates have nothing trustworthy to check against.

For containers that run kube-apiserver, the rule verifies that the --tls-cert-file and --tls-private-key-file flags appear in the container's command line (command plus args). For KubeletConfiguration documents, the rule verifies that the tlsCertFile and tlsPrivateKeyFile fields are present. For each absent setting, the rule reports a MissingAttribute issue with the expected and actual values. Note that a kubelet configured with serverTLSBootstrap: true obtains its serving certificate from the certificates.k8s.io API instead of a static file pair; such a configuration is still flagged by this rule and should be reviewed as a deliberate exception rather than treated as an error.
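The check described above, written out as an added example so the logic is explicit; this is not the Datadog or KICS rule implementation. It walks a parsed manifest, finds containers whose command line invokes kube-apiserver and KubeletConfiguration documents, and emits one MissingAttribute finding per absent setting, treating a flag with an empty value the same as a missing one. The sample documents, container names and certificate paths are constructed for the example and are assumptions, not values from this page.

```python
"""Check Kubernetes manifests for the TLS settings this rule requires.

Added example, not the Datadog/KICS rule implementation. It flags
kube-apiserver containers whose command line lacks --tls-cert-file or
--tls-private-key-file, and KubeletConfiguration documents that lack
tlsCertFile or tlsPrivateKeyFile. The sample documents below are
constructed to mirror the page's examples; the paths in them are made up.
"""
import json
import os
from typing import Dict, List, Optional

APISERVER_FLAGS = ("--tls-cert-file", "--tls-private-key-file")
KUBELET_FIELDS = ("tlsCertFile", "tlsPrivateKeyFile")


def _argv(container: Dict) -> List[str]:
    """Effective command line of a container: command followed by args."""
    return list(container.get("command") or []) + list(container.get("args") or [])


def flag_value(argv: List[str], flag: str) -> Optional[str]:
    """Value of `--flag=value` or `--flag value`; None if absent or empty."""
    for i, tok in enumerate(argv):
        if tok == flag:
            nxt = argv[i + 1] if i + 1 < len(argv) else ""
            return nxt if nxt and not nxt.startswith("--") else None
        if tok.startswith(flag + "="):
            return tok[len(flag) + 1:] or None
    return None


def _finding(kind: str, where: str, name: str) -> Dict[str, str]:
    """Shape of one rule result: what was expected versus what was found."""
    return {"kind": kind, "where": where, "issue": "MissingAttribute",
            "expected": f"{name} is set", "actual": f"{name} is undefined"}


def _containers(doc: Dict) -> List[Dict]:
    """Containers of a Pod, or of the pod template of a workload resource."""
    spec = doc.get("spec") or {}
    if doc.get("kind") == "Pod":
        return spec.get("containers") or []
    return ((spec.get("template") or {}).get("spec") or {}).get("containers") or []


def check_document(doc: Dict) -> List[Dict[str, str]]:
    """Return one finding per missing TLS setting in a parsed manifest."""
    kind = doc.get("kind", "")
    findings: List[Dict[str, str]] = []
    if kind == "KubeletConfiguration":
        for field in KUBELET_FIELDS:
            if not doc.get(field):  # absent or empty string both count
                findings.append(_finding(kind, "KubeletConfiguration", field))
        return findings
    for c in _containers(doc):
        argv = _argv(c)
        # Only containers that invoke kube-apiserver are in scope, whatever the image.
        if not any(os.path.basename(tok) == "kube-apiserver" for tok in argv):
            continue
        for flag in APISERVER_FLAGS:
            if flag_value(argv, flag) is None:
                findings.append(_finding(kind, c.get("name", "?"), flag))
    return findings


def check_manifest(text: str) -> List[Dict[str, str]]:
    """Check a JSON manifest with the stdlib; YAML is handled if PyYAML is installed."""
    try:
        docs = [json.loads(text)]
    except json.JSONDecodeError:
        import yaml  # optional dependency, not needed for the samples below
        docs = [d for d in yaml.safe_load_all(text) if d]
    return [f for d in docs for f in check_document(d)]


# Constructed samples mirroring the page's examples (names and paths are made up).
KUBELET_OK = json.dumps({
    "kind": "KubeletConfiguration", "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "tlsCertFile": "/var/lib/kubelet/pki/kubelet.crt",
    "tlsPrivateKeyFile": "/var/lib/kubelet/pki/kubelet.key",
})
KUBELET_BAD = json.dumps({"kind": "KubeletConfiguration",
                          "apiVersion": "kubelet.config.k8s.io/v1beta1", "port": 20250})


def apiserver_pod(args: List[str]) -> Dict:
    """A static kube-apiserver Pod with the given extra arguments (constructed)."""
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "kube-apiserver"},
            "spec": {"containers": [{"name": "kube-apiserver",
                                     "image": "registry.k8s.io/kube-apiserver:v1.30.0",
                                     "command": ["kube-apiserver"], "args": args}]}}


POD_OK = apiserver_pod(["--tls-cert-file=/etc/kubernetes/pki/apiserver.crt",
                        "--tls-private-key-file=/etc/kubernetes/pki/apiserver.key"])
POD_BAD = apiserver_pod(["--secure-port=6443"])

if __name__ == "__main__":
    for label, result in [("kubelet ok", check_manifest(KUBELET_OK)),
                          ("kubelet bad", check_manifest(KUBELET_BAD)),
                          ("pod ok", check_document(POD_OK)),
                          ("pod bad", check_document(POD_BAD))]:
        print(label, json.dumps(result, indent=1))
```

Running the module prints an empty list for the two compliant samples and two MissingAttribute findings for each non-compliant one. Because flag_value treats `--tls-cert-file=` and `--tls-cert-file --next-flag` as unset, a manifest that names the flag but supplies no file is reported as well, which a plain substring match would miss.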

Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver"]
      args: ["--tls-cert-file=someFile.txt","--tls-private-key-file=someFile.txt"]
  restartPolicy: OnFailure

{
  "kind": "KubeletConfiguration",
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "port": 10250,
  "readOnlyPort": 10255,
  "cgroupDriver": "cgroupfs",
  "hairpinMode": "promiscuous-bridge",
  "serializeImagePulls": false,
  "tlsCertFile": "someFile.txt",
  "tlsPrivateKeyFile": "someFile.txt",
  "featureGates": {
    "RotateKubeletClientCertificate": true,
    "RotateKubeletServerCertificate": true
  }
}

apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: "192.168.0.8"
port: 20250
serializeImagePulls: false
tlsCertFile: "someFile.txt"
tlsPrivateKeyFile: "someFile.txt"
evictionHard:
    memory.available:  "200Mi"

Non-Compliant Code Examples

apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: "192.168.0.8"
port: 20250
serializeImagePulls: false
evictionHard:
    memory.available:  "200Mi"

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver"]
      args: []
  restartPolicy: OnFailure