For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/default_rules/def-00k-85e.md. A documentation index is available at /llms.txt.

API server should verify the kubelet's certificate before establishing connection

kubernetes

Description

A kubelet’s certificate should be verified before establishing a connection. The connections from the API server to the kubelet are used for fetching logs from pods, attaching the kubelet (through kubectl) to running pods, and using the kubelet’s port-forwarding functionality.

Remediation

  1. Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets.
  2. Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --kubelet-certificate-authority parameter to the path of the cert file for the certificate authority.
--kubelet-certificate-authority=<ca-string>