CIS benchmark issue for Kubernetes cluster

Question

I'm running the CIS kube-bench tool on the master node and trying to resolve this error

[FAIL] 1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated). 

I understand that I need to update the API server manifest YAML file with this flag pointing to the right CA file --kubelet-certificate-authority however, I'm not sure which one is the right CA Certififace for Kubelet.

These are my files in the PKI directory:-

apiserver-etcd-client.crt
apiserver-etcd-client.key
apiserver-kubelet-client.crt
apiserver-kubelet-client.key
apiserver.crt
apiserver.key
ca.crt
ca.key
etcd
front-proxy-ca.crt
front-proxy-ca.key
front-proxy-client.crt
front-proxy-client.key
sa.key
sa.pub

Answer 1

3 very similar discussions on the same topic. I wont provide you all steps cause it well written in documentation and related questions on stack. Only high-level overview

1. How Do I Properly Set --kubelet-certificate-authority apiserver parameter?
2. Kubernetes kubelet-certificate-authority on premise with kubespray causes certificate validation error for master node
3. Kubernetes kubelet-certificate-authority on premise with kubespray causes certificate validation error for master node

Your actions:

• Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets.

These connections terminate at the kubelet's HTTPS endpoint. By default, the apiserver does not verify the kubelet's serving certificate, which makes the connection subject to man-in-the-middle attacks and unsafe to run over untrusted and/or public networks.

• Enable Kubelet authentication and Kubelet authorization

Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.

---

From @Matt answer

• Use /etc/kubernetes/ssl/ca.crt to sign new certificate for kubelet with valid IP SANs.
• Set --kubelet-certificate-authority=/etc/kubernetes/ssl/ca.crt (valid CA).
• In /var/lib/kubelet/config.yaml (kubelet config file) set tlsCertFile and tlsPrivateKeyFile to point to newly created kubelet crt and key files.

And from clarifications:

Yes you have to generate certificates for kubelets and sign sign them the provided certificate authority located here on the master /etc/kubernetes/ssl/ca.crt

Answer 2

By default in Kubernetes there are 3 different Parent CA (kubernetes-ca, etcd-ca, kubernetes-front-proxy-ca). You are looking for kubernetes-ca because kubelet using kubernetes-ca, and you can check the documentation. kubernetes-ca default path is /etc/kubernetes/pki/ca.crt But also you verify it via kubelet configmap with below commands

kubectl get configmap -n kube-system $(kubectl get configmaps -n kube-system | grep kubelet  | awk '{print $1}') -o yaml | grep -i clientca