4211-k8s-kubelet-rotate - Ensure the --rotate-certificates parameter is not set to false¶

Rule ID¶

• 4211-k8s-kubelet-rotate

Category¶

• Container

Level¶

• Info

Compatible Versions¶

• Linux

Description¶

• Enable kubelet client certificate rotation

Scan Frequency¶

• 0 */30 * * *

Theoretical Basis¶

• This ensures that kubelet replaces its client certificate by creating a new CSR when its existing certificate expires, ensuring cluster availability and solving certificate usability issues.

Risk Items¶

• Container Security

Audit Method¶

• Execute the following command to verify:

  ps -ef | grep kubelet | grep rotate-certificates
  

Remediation¶

• The kubelet version must be no lower than v1.16.0. Execute the following command:

  #> vim /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
  

  Set or add the parameter --rotate-certificates=true or remove --rotate-certificates=false

Impact¶

• You must reset the certificate parameters to ensure the security and availability of kubelet operation

Default Value¶

• By default: --rotate-certificates=true

References¶

• kubelet

• kubelet-configuration

CIS Controls¶

• None