API server should verify the kubelet's certificate before establishing connection

kubernetes
이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Description

A kubelet’s certificate should be verified before establishing a connection. The connections from the API server to the kubelet are used for fetching logs from pods, attaching the kubelet (through kubectl) to running pods, and using the kubelet’s port-forwarding functionality.

Remediation

  1. Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets.
  2. Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --kubelet-certificate-authority parameter to the path of the cert file for the certificate authority.
--kubelet-certificate-authority=<ca-string>