Cluster information:
Kubernetes version: Server Version: v1.26.3
Cloud being used: bare-metal
Installation method: kubeadm
Host OS: Red Hat 8 (4.18.0-425)
CNI and version: Calico v3.25.0
CRI and version: containerd://1.6.18
A Kubescape security scan advised verifying that the RotateKubeletServerCertificate argument is set to true (CIS-4.2.12). I have done the following steps to add this to the kubelet configuration on each node:
kubeadm upgrade node phase kubelet-config
Added the line KUBELET_EXTRA_ARGS="--feature-gates=RotateKubeletServerCertificate=true" to the file /var/lib/kubelet/kubeadm-flags.env
How the file looks now:
KUBELET_KUBEADM_ARGS="--container-runtime-endpoint=unix:///var/run/containerd/containerd.sock --pod-infra-container-image=registry.k8s.io/pause:3.9"
KUBELET_EXTRA_ARGS="--feature-gates=RotateKubeletServerCertificate=true"
After the edit I started kubelet, and it started as expected.
I assumed that the changes would be seen in kubelet's parameters, but ps -aux | grep kubelet doesn't show the added argument. I also rebooted all the nodes afterwards. The next step I did was to replace KUBELET_EXTRA_ARGS with KUBELET_CERTIFICATE_ARGS=, with the same result. Whether I edit the .env file or /var/lib/kubelet/config.yaml, I am not seeing any changes to kubelet. I also tested by editing /etc/kubernetes/kubelet.conf.
kubelet points to the correct files: "--kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml"
I haven’t created any extra certs. Have spent a lot of time with this and would like to understand how to:
- Edit the kubelet configuration the correct way
- Get RotateKubeletServerCertificate=true to work
Kubernetes documentation: Reconfiguring a kubeadm cluster | Kubernetes
Kubescape: C-0183 - Verify that the RotateKubeletServerCertificate argument is set to true
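The following script is an added diagnostic for the situation described in this post; it is not code from the post or from the kubeadm project. It checks the two files edited above for server-certificate rotation (either the feature gate in kubeadm-flags.env or the serverTLSBootstrap field in config.yaml), flags non-ASCII characters such as curly quotes or an en dash that would stop a line from ever being parsed as --feature-gates, and confirms that the kubeadm systemd drop-in actually loads the env file and expands $KUBELET_EXTRA_ARGS into the kubelet command line. The demo at the bottom runs on constructed temp files; the real node paths (/var/lib/kubelet/kubeadm-flags.env, /var/lib/kubelet/config.yaml and, on RPM-based hosts, /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf) are assumptions named in the comments.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post. On a real node call:
#   rotation_status /var/lib/kubelet/kubeadm-flags.env /var/lib/kubelet/config.yaml
#   dropin_wires_extra_args /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf
# (paths are the usual kubeadm locations on RPM-based hosts; an assumption here).

# 0 if the file is pure printable ASCII. Curly quotes or an en dash copied
# from a web page are never parsed as the "--feature-gates" flag.
flags_are_ascii() {
    ! LC_ALL=C grep -q '[^ -~]' "$1"
}

# Print "feature-gate", "serverTLSBootstrap" or "disabled"; exit 0 only if
# server-cert rotation is switched on by one of the two supported ways.
rotation_status() {
    if grep -Eq -- '--feature-gates=[^"[:space:]]*RotateKubeletServerCertificate=true' "$1" 2>/dev/null; then
        echo "feature-gate"; return 0
    fi
    if grep -Eq '^serverTLSBootstrap:[[:space:]]*true' "$2" 2>/dev/null; then
        echo "serverTLSBootstrap"; return 0
    fi
    echo "disabled"; return 1
}

# 0 if the drop-in loads the env file AND expands $KUBELET_EXTRA_ARGS; if
# either is missing, nothing in kubeadm-flags.env reaches "ps aux".
dropin_wires_extra_args() {
    grep -q 'EnvironmentFile=.*kubeadm-flags.env' "$1" 2>/dev/null &&
        grep -q 'ExecStart=.*\$KUBELET_EXTRA_ARGS' "$1" 2>/dev/null
}

# Self-contained demo on constructed files (the real node files are untouched).
demo=$(mktemp -d)
# As pasted in the post: curly quotes (U+201C/U+201D) and an en dash (U+2013).
printf 'KUBELET_EXTRA_ARGS=\342\200\234\342\200\223feature-gates=RotateKubeletServerCertificate=true\342\200\235\n' > "$demo/pasted.env"
printf 'KUBELET_EXTRA_ARGS="--feature-gates=RotateKubeletServerCertificate=true"\n' > "$demo/fixed.env"
printf 'serverTLSBootstrap: true\n' > "$demo/config.yaml"
printf '[Service]\nEnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env\nExecStart=/usr/bin/kubelet $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS\n' > "$demo/10-kubeadm.conf"

for f in pasted fixed; do
    printf '%s.env: rotation=%s ascii=%s\n' "$f" \
        "$(rotation_status "$demo/$f.env" /dev/null)" \
        "$(flags_are_ascii "$demo/$f.env" && echo yes || echo no)"
done
dropin_wires_extra_args "$demo/10-kubeadm.conf" && echo "drop-in wires KUBELET_EXTRA_ARGS"
```

If rotation is reported as enabled but the argument still does not appear in ps output, the drop-in check is the one to look at, since kubeadm-flags.env only takes effect through that ExecStart line.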