lacework-global-742
Ensure that the --rotate-certificates argument is not set to false (Automated)
Description
Enable kubelet client certificate rotation.
Remediation
If using a Kubelet config file:
- Edit the file to add the line "rotateCertificates: true".
- Remove the line "rotateCertificates: false" if present.
- Ensure that the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf does not set the --rotate-certificates executable argument to false because this would override the Kubelet config file.
If using command line arguments:
- Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node.
- Add the "--rotate-certificates=true" argument to the KUBELET_CERTIFICATE_ARGS variable string.
- Remove the "--rotate-certificates=false" argument from the KUBELET_CERTIFICATE_ARGS variable string if present.
Reload the configuration to update it with the changes made using:
systemctl daemon-reload
Finally, restart the kubelet service using:
systemctl restart kubelet.service
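To confirm the result on a node, the following added example (not part of the Lacework policy text) checks both places the setting can live and applies the precedence described above, where the command-line argument overrides the Kubelet config file. The function name check_rotate_certificates is hypothetical, and the script assumes a bare --rotate-certificates flag with no value counts as enabled.

```sh
#!/bin/sh
# Added example: audit helper for the rotation setting.
# Returns 0 when certificate rotation is not disabled, 1 when it is.
# Arguments: $1 = kubelet config file, $2 = kubelet service drop-in file.
check_rotate_certificates() {
    config_file=$1
    dropin_file=$2

    # Drop comment lines so a commented-out flag is not counted.
    flags=""
    if [ -r "$dropin_file" ]; then
        flags=$(grep -v '^[[:space:]]*#' "$dropin_file" || true)
    fi

    # The command-line flag overrides the config file, so check it first.
    if printf '%s\n' "$flags" |
       grep -Eq -- '--rotate-certificates=false([^[:alnum:]]|$)'; then
        echo "FAIL: --rotate-certificates=false in $dropin_file"
        return 1
    fi
    if printf '%s\n' "$flags" |
       grep -Eq -- '--rotate-certificates(=true)?([^[:alnum:]=]|$)'; then
        echo "PASS: --rotate-certificates enabled in $dropin_file"
        return 0
    fi

    # No flag present: the config file decides.
    if [ -r "$config_file" ] &&
       grep -v '^[[:space:]]*#' "$config_file" |
       grep -Eiq '^[[:space:]]*rotateCertificates:[[:space:]]*false([[:space:]]|#|$)'; then
        echo "FAIL: rotateCertificates: false in $config_file"
        return 1
    fi
    echo "PASS: rotation is not set to false"
    return 0
}
```

Call it with the node's Kubelet config file as the first argument and the kubelet service file named above as the second; a non-zero exit status means rotation is disabled.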
References
https://github.com/kubernetes/kubernetes/pull/41912
https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/
https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/
https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/