CIS benchmark issue for Kubernetes cluster

Question

I'm running the CIS kube-bench tool on the master node and trying to resolve this error

[FAIL] 1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated). 

I understand that I need to update the API server manifest YAML file with this flag pointing to the right CA file --kubelet-certificate-authority however, I'm not sure which one is the right CA Certififace for Kubelet.

These are my files in the PKI directory:-

apiserver-etcd-client.crt
apiserver-etcd-client.key
apiserver-kubelet-client.crt
apiserver-kubelet-client.key
apiserver.crt
apiserver.key
ca.crt
ca.key
etcd
front-proxy-ca.crt
front-proxy-ca.key
front-proxy-client.crt
front-proxy-client.key
sa.key
sa.pub

Answer 1

3 very similar discussions on the same topic. I wont provide you all steps cause it well written in documentation and related questions on stack. Only high-level overview

1. How Do I Properly Set --kubelet-certificate-authority apiserver parameter?
2. Kubernetes kubelet-certificate-authority on premise with kubespray causes certificate validation error for master node
3. Kubernetes kubelet-certificate-authority on premise with kubespray causes certificate validation error for master node

Your actions:

• Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets .

These connections terminate at the kubelet's HTTPS endpoint. By default, the apiserver does not verify the kubelet's serving certificate, which makes the connection subject to man-in-the-middle attacks and unsafe to run over untrusted and/or public networks.

• Enable Kubelet authentication and Kubelet authorization

Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority .

---

From @Matt answer

• Use /etc/kubernetes/ssl/ca.crt to sign new certificate for kubelet with valid IP SANs.
• Set --kubelet-certificate-authority=/etc/kubernetes/ssl/ca.crt (valid CA).
• In /var/lib/kubelet/config.yaml (kubelet config file) set tlsCertFile and tlsPrivateKeyFile to point to newly created kubelet crt and key files.

And from clarifications :

Yes you have to generate certificates for kubelets and sign sign them the provided certificate authority located here on the master /etc/kubernetes/ssl/ca.crt

Answer 2

By default in Kubernetes there are 3 different Parent CA (kubernetes-ca, etcd-ca, kubernetes-front-proxy-ca). You are looking for kubernetes-ca because kubelet using kubernetes-ca, and you can check the documentation . kubernetes-ca default path is /etc/kubernetes/pki/ca.crt But also you verify it via kubelet configmap with below commands

kubectl get configmap -n kube-system $(kubectl get configmaps -n kube-system | grep kubelet  | awk '{print $1}') -o yaml | grep -i clientca