lacework-global-735
Set the --client-ca-file argument as appropriate (Automated)
Description
Enable Kubelet authentication using certificates.
Remediation
If using a Kubelet config file:
Edit the file to set authentication: x509: clientCAFile to the location of the client CA file.
If using command line arguments:
Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the parameter below in the KUBELET_AUTHZ_ARGS variable:
--client-ca-file=<path/to/client-ca-file>
Reload the systemd configuration to pick up the changes:
systemctl daemon-reload
Then restart the kubelet service using:
systemctl restart kubelet.service
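An audit check for the remediation above, as an added example that is not part of the benchmark text: it reports whether a client CA file is configured, reading the flag from a kubelet command line first (flags override the config file) and then authentication: x509: clientCAFile from the config file. The function names, the sample file and its paths are constructed for illustration, and the parser assumes block-style YAML.

```shell
#!/bin/sh
# Added audit sketch; function names are hypothetical, not part of the benchmark.
# Assumes block-style YAML in the kubelet config file.

# Print authentication.x509.clientCAFile from a kubelet config file, if set.
ca_from_config() {
  awk -v q="'" '
    /^[ \t]*(#|$)/ { next }                                   # comments, blank lines
    /^[^ \t]/ { auth = ($1 == "authentication:"); x509 = 0; next }   # top-level key
    auth && NF == 1 { x509 = ($1 == "x509:"); next }          # nested section header
    auth && x509 && $1 == "clientCAFile:" {
      v = $2; gsub("[\"" q "]", "", v); print v; exit         # strip optional quotes
    }' "$1"
}

# Print the --client-ca-file value from a kubelet command line ("=" or space form).
ca_from_args() {
  printf '%s\n' "$1" | tr -d "\"'" | tr -s '[:space:]' '\n' | awk '
    want { print; exit }
    /^--client-ca-file=/ { sub(/^--client-ca-file=/, ""); print; exit }
    $0 == "--client-ca-file" { want = 1 }'
}

# $1 = config file, $2 = kubelet command line. Returns 0 on PASS, 1 on FAIL.
audit_client_ca() {
  ca=$(ca_from_args "$2")
  [ -n "$ca" ] || ca=$(ca_from_config "$1")
  if [ -n "$ca" ]; then
    echo "PASS client CA: $ca"
  else
    echo "FAIL no client CA configured"
    return 1
  fi
}

# Constructed sample: the setting is in the config file, not on the command line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook
EOF
audit_client_ca "$sample" "/usr/bin/kubelet --config=/var/lib/kubelet/config.yaml"
rm -f "$sample"
```

On a node, pass the real config file path and the running kubelet's command line (for example from ps) as the two arguments.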
References
https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/
https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/
https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/