lacework-global-742

Ensure that the --rotate-certificates argument is not set to false (Automated)

Description

Enable kubelet client certificate rotation.

Remediation

If using a Kubelet config file:

  1. Edit the file to add the line: "rotateCertificates: true".
  2. Remove the line: "rotateCertificates: false" if present.
  3. Ensure that the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf does not set the --rotate-certificates executable argument to false because this would override the Kubelet config file.

If using command line arguments:

  1. Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node.
  2. Add the "--rotate-certificates=true" argument to the KUBELET_CERTIFICATE_ARGS variable string.
  3. Remove the "--rotate-certificates=false" argument from the KUBELET_CERTIFICATE_ARGS variable string if present.

Reload the systemd configuration so that it picks up the changes:

systemctl daemon-reload

Finally, restart the kubelet service using:

systemctl restart kubelet.service
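As an added audit helper (example code, not part of the Lacework policy or the kubelet project), the following POSIX shell function applies the check described above to a kubelet config file and a systemd drop-in, failing when either one explicitly disables rotation; the file paths are passed in by the caller, and the sample files it creates are constructed for demonstration only.

```shell
#!/bin/sh
# Added example, not the Lacework policy's or kubelet's own code.
# Assumption: the caller supplies the node's kubelet config file and
# systemd drop-in paths; the sample files below are constructed.

# check_rotate_certificates CONFIG_FILE DROPIN_FILE
# Returns 0 (pass) unless rotation is explicitly set to false. A
# "--rotate-certificates=false" in the drop-in fails the check even when
# the config file says true, because the command-line argument overrides it.
check_rotate_certificates() {
    cfg="$1"
    dropin="$2"
    rc=0
    if [ -f "$cfg" ] && grep -Eq '^[[:space:]]*rotateCertificates:[[:space:]]*false[[:space:]]*$' "$cfg"; then
        echo "FAIL: $cfg sets rotateCertificates: false"
        rc=1
    fi
    if [ -f "$dropin" ] && grep -Eq -- '--rotate-certificates=false' "$dropin"; then
        echo "FAIL: $dropin passes --rotate-certificates=false (overrides the config file)"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "PASS: kubelet certificate rotation is not disabled"
    fi
    return "$rc"
}

# Constructed sample inputs (not real node files) so the check runs offline.
SAMPLE_DIR=$(mktemp -d)
printf 'apiVersion: kubelet.config.k8s.io/v1beta1\nkind: KubeletConfiguration\nrotateCertificates: true\n' \
    > "$SAMPLE_DIR/good-config.yaml"
printf 'apiVersion: kubelet.config.k8s.io/v1beta1\nkind: KubeletConfiguration\nrotateCertificates: false\n' \
    > "$SAMPLE_DIR/bad-config.yaml"
printf '[Service]\nEnvironment="KUBELET_CERTIFICATE_ARGS=--rotate-certificates=true"\n' \
    > "$SAMPLE_DIR/good-dropin.conf"
printf '[Service]\nEnvironment="KUBELET_CERTIFICATE_ARGS=--rotate-certificates=false"\n' \
    > "$SAMPLE_DIR/bad-dropin.conf"

# Demonstration runs; on a real node pass the paths named in the remediation.
check_rotate_certificates "$SAMPLE_DIR/good-config.yaml" "$SAMPLE_DIR/good-dropin.conf"
check_rotate_certificates "$SAMPLE_DIR/good-config.yaml" "$SAMPLE_DIR/bad-dropin.conf" || true
```

A missing file counts as "not set", which passes this check as worded; the remediation above still asks for an explicit "rotateCertificates: true".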

References

https://github.com/kubernetes/kubernetes/pull/41912
https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/
https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/
https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/