API server should verify the kubelet's certificate before establishing connection

kubernetes

Set up the kubernetes integration.

Description

A kubelet’s certificate should be verified before establishing a connection. The connections from the API server to the kubelet are used for fetching logs from pods, attaching the kubelet (through kubectl) to running pods, and using the kubelet’s port-forwarding functionality.

Remediation

  1. Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets.
  2. Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --kubelet-certificate-authority parameter to the path of the cert file for the certificate authority.
--kubelet-certificate-authority=<ca-string>