Changes to kubelet parameters ignored

Cluster information:

Kubernetes version: Server Version: v1.26.3
Cloud being used: bare-metal
Installation method: kubeadm
Host OS: Red Hat 8 (4.18.0-425)
CNI and version: Calico v3.25.0
CRI and version: containerd://1.6.18

The Kubescape security scan advised verifying that the RotateKubeletServerCertificate argument is set to true (CIS-4.2.12). I have done the following steps to add this to the kubelet configuration on each node:

kubeadm upgrade node phase kubelet-config

Added the line KUBELET_EXTRA_ARGS="--feature-gates=RotateKubeletServerCertificate=true" to file /var/lib/kubelet/kubeadm-flags.env

HOW FILE LOOKS NOW

KUBELET_KUBEADM_ARGS="--container-runtime-endpoint=unix:///var/run/containerd/containerd.sock --pod-infra-container-image=registry.k8s.io/pause:3.9

KUBELET_EXTRA_ARGS="--feature-gates=RotateKubeletServerCertificate=true"

After the edit I started kubelet, and kubelet started as expected.

I assumed that the changes would be seen in kubelet's parameters. ps -aux | grep kubelet doesn't show the added argument. I also rebooted all the nodes afterwards. The next step I did was to replace KUBELET_EXTRA_ARGS with KUBELET_CERTIFICATE_ARGS=, with the same result. Whether I edit the .env file or /var/lib/kubelet/config.yaml, I am not seeing any changes done to kubelet. I also tested by editing /etc/kubernetes/kubelet.conf

kubelet points to the correct files: "--kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml"

I haven’t created any extra certs. Have spent a lot of time with this and would like to understand how to:

  1. Edit kubelet configuration the correct way
  2. Get RotateKubeletServerCertificate=true to work

Kubernetes documentation: Reconfiguring a kubeadm cluster | Kubernetes
Kubescape: C-0183 - Verify that the RotateKubeletServerCertificate argument is set to true
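
An added example, not part of the original post: a small Python model of how systemd assembles the kubelet command line from environment files, to check whether a --feature-gates flag placed in a given variable would reach the process. The ExecStart line, the presence of a second environment file and all sample file contents are assumptions constructed for illustration; compare them with the output of `systemctl cat kubelet` on the node.

```python
# Added example: models how systemd builds the kubelet command line.
# DROP_IN_EXEC_START and the second environment file are assumptions;
# compare them with `systemctl cat kubelet` on the node.
DROP_IN_EXEC_START = ("/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS "
                      "$KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS")
GATE = "RotateKubeletServerCertificate"

def parse_env_file(text):
    """Parse KEY=VALUE lines the way a systemd EnvironmentFile is read (simplified)."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # only straight quotes are stripped
        env[key.strip()] = value
    return env

def effective_args(exec_start, env_file_texts):
    """Merge the files in load order (a later file wins) and expand $VAR words."""
    env = {}
    for text in env_file_texts:
        env.update(parse_env_file(text))
    args = []
    for word in exec_start.split():
        if word.startswith("$"):
            args.extend(env.get(word[1:], "").split())  # unset variable expands to nothing
        else:
            args.append(word)
    return args

def gate_on_command_line(args):
    """True/False if --feature-gates sets the gate, None if it never appears."""
    state = None
    for arg in args:
        if arg.startswith("--feature-gates="):
            for pair in arg.split("=", 1)[1].split(","):
                name, _, value = pair.partition("=")
                if name == GATE:
                    state = value.lower() == "true"
    return state

# Constructed sample files (not taken from a real node).
KUBEADM_FLAGS = 'KUBELET_EXTRA_ARGS="--feature-gates=RotateKubeletServerCertificate=true"\n'
SECOND_FILE_EMPTY = "KUBELET_EXTRA_ARGS=\n"  # a later file that resets the variable
CERT_ARGS_FILE = 'KUBELET_CERTIFICATE_ARGS="--feature-gates=RotateKubeletServerCertificate=true"\n'
```

In this model the flag reaches the command line only when its variable is referenced in ExecStart and no later environment file redefines that variable; the result can be compared with what `ps` shows for the running kubelet.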