Kubelet connections should use HTTPS for enhanced security
Set up the kubernetes integration.
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Description
Use https for kubelet connections.
Rationale
Connections from apiserver to kubelets could potentially carry sensitive data such as secrets and keys. It is thus important to use in-transit encryption for any communication between the apiserver and kubelets.
Audit
Run the following command on the master node:
ps -ef | grep kube-apiserver
Verify that the --kubelet-https argument either does not exist or is set to true.
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --kubelet-https parameter.
Impact
You require TLS to be configured on apiserver as well as kubelets.
Default value
By default, kubelet connections are over https.
References
- https://kubernetes.io/docs/admin/kube-apiserver/
- https://kubernetes.io/docs/admin/kubelet-authentication-authorization/
CIS controls
Version 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.
