3.2.9 - Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)

Views:

Profile applicability: Level 1

Enable kubelet server certificate rotation.

RotateKubeletServerCertificate causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad.

This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself.

Note

See the AKS documentation for the default value.

Audit

Audit Method 1

If using a Kubelet configuration file, check that there is an entry for RotateKubeletServerCertificate set to true.

SSH to the relevant node.
Run the following command on each node to find the appropriate Kubelet config file:
```
ps -ef | grep kubelet
```
The output should return something similar to --config /etc/kubernetes/kubelet/kubelet-config.json, which is the location of the Kubelet config file.

Open the Kubelet config file:

cat /etc/kubernetes/kubelet/kubelet-config.json

Verify that RotateKubeletServerCertificate argument exists and is set to true.

Audit Method 2

If using the api configz endpoint, search for the status of "RotateKubeletServerCertificate":true by extracting the live configuration from the nodes running kubelet.

Set the local proxy port and the following variables and provide proxy port number and node name:

HOSTNAME_PORT="localhost-and-port-number" NODE_NAME="The- Name-Of-Node-To-Extract-Configuration"
                     from the output of "kubectl get nodes"

kubectl proxy --port=8001 &

export HOSTNAME_PORT=localhost:8001
export NODE_NAME=ip-192.168.31.226.aks.internal

curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"

Remediation

Remediation Method 1

If modifying the Kubelet config file, edit the kubelet-config.json file /etc/kubernetes/kubelet/kubelet-config.json and set the below parameter to true:

"RotateKubeletServerCertificate":true

Remediation Method 2

If using a Kubelet config file, edit the file to set RotateKubeletServerCertificate to true.

If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf on each worker node and add the below parameter at the end of the KUBELET_ARGS variable string:

--rotate-kubelet-server-certificate=true

Remediation Method 3

If using the api configz endpoint, search for the status of "RotateKubeletServerCertificate": by extracting the live configuration from the nodes running kubelet.

See detailed step-by-step configmap procedures in Reconfigure a Node's Kubelet in a Live Cluster, and then rerun the curl statement from audit process to check for kubelet configuration changes:

kubectl proxy --port=8001 &

export HOSTNAME_PORT=localhost:8001
export NODE_NAME=ip-192.168.31.226.aks.internal

curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"

For all three remediations: Based on your system, restart the kubelet service and check status:

systemctl daemon-reload
systemctl restart kubelet.service
systemctl status kubelet -l