Kubelet should use TLS certificate client authentication

kubernetes
이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Description

Kubelet authentication should use certificates. The connections from the API server to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet’s port-forwarding functionality. These connections terminate at the kubelet’s HTTPS endpoint.

Remediation

  1. If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to the location of the client CA file.
  2. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in the KUBELET_AUTHZ_ARGS variable.
--client-ca-file=<path/to/client-ca-file>
  1. Restart the kubelet service.