Enable hsts for kublet API

durairajasivam · February 17, 2022, 2:54am

Hello All,
Is there way to enable hsts for kublet API?. our scanner flagged “HSTS Missing From HTTPS Server” for port 10250 on each worker node.

Cluster information:

Kubernetes version: 1.21.3
Installation method: bare-metal
Host OS: RHEL 7
CNI and version: weave - 0.3.0
CRI and version:docker - 20.10.8

Parthasarathi_PM · April 18, 2022, 6:30am

Hi durairajasivam,

did you found any solution or workaround for this ?

Nick_Su · August 16, 2022, 2:42am

We hit the same warning from Nexus, does it make sense to have HSTS on API? I mean it is not browser call

durairajasivam · August 16, 2022, 3:20am

I’m not sure I get it right! It is possible to enable HSTS for the Kube-API server, but I can’t find the solution to enable HSTS for Kubelet-API. What I have done is, apply proper hardening for port 10250 in our environment. Since the ports need to be allowed between the nodes, it is easier to achieve.

durairajasivam · August 16, 2022, 3:22am

Hi Parthasarathi_PM,
Apologies for the late reply.
I can’t find the solution to enable HSTS for Kubelet-API. What I have done is, apply proper hardening for port 10250 in our environment. Since the ports need to be allowed between the nodes.

Parthasarathi_PM · August 16, 2022, 6:59am

@durairajasivam

thanks for the reply

i have raised a issue in github for the same
since the kubelet 10250 is not public facing endpoint HSTS is not required, kubelet endpoint is completely internal and non browser endpoint.

github.com/kubernetes/kubernetes

How to Add HSTS HTTP Header to Kubelet Agent

opened 09:07AM - 18 Apr 22 UTC

parthasarathi-pm

priority/awaiting-more-evidence sig/node kind/feature sig/auth triage/needs-information needs-triage

### What happened? I not able to Add HTTP Header to enable HSTS in Kubelet. … For Kubernetes Api Server, we have a flag to enable HSTS --strict-transport-security-directives. ### What did you expect to happen? Similar Flag to enable HSTS for Kubelet as well --strict-transport-security-directives. ### How can we reproduce it (as minimally and precisely as possible)? In plain vanilla installation you can identify the issue. curl -k https://localhost:10250 -s -D- Not able to find the below line strict-transport-security: max-age=31536000; includeSubDomains; preload ### Anything else we need to know? _No response_ ### Kubernetes version <details> ```console Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.5", GitCommit:"c285e781331a3785a7f436042c65c5641ce8a9e9", GitTreeState:"clean", BuildDate:"2022-03-16T15:58:47Z", GoVersion:"go1.17.8", Compiler:"gc", Platform:"linux/amd64"} Server Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.5", GitCommit:"c285e781331a3785a7f436042c65c5641ce8a9e9", GitTreeState:"clean", BuildDate:"2022-03-16T15:52:18Z", GoVersion:"go1.17.8", Compiler:"gc", Platform:"linux/amd64"} ``` </details> ### Cloud provider <details> On Prem VM </details> ### OS version <details> ```console Ubuntu 18.04.6 LTS ``` </details> ### Install tools <details> ```console Cluster initialized using kubeadm init ``` </details> ### Container runtime (CRI) and version (if applicable) <details> ```console docker ``` </details> ### Related plugins (CNI, CSI, ...) and versions (if applicable) <details> ```console weave-net latest version ``` </details>

Topic		Replies	Views
How to enable HSTS (HTTP Strict Transport Security) on kubelet General Discussions	0	1054	June 22, 2022
Kubeadm: Additional SAN for kubelet-client certificate General Discussions	0	598	August 5, 2020
How to get metric-server work without setting --kubelet-insecure-tls=true General Discussions metrics-server	3	7816	November 20, 2023
[Security Advisory] CVE-2025-0426: Node Denial of Service via kubelet Checkpoint API Announcements	0	321	February 13, 2025
Kubelet Fails to Register with API Server After Replacing Manually Generated Kubeadm PKI Certificates General Discussions	0	191	January 3, 2025

Enable hsts for kublet API

Cluster information:

Related topics