CIS 1.2.5
ID | Text | Remediation |
---|---|---|
1.2.5 | Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated) | Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file $apiserverconf on the control plane node and set the --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority. --kubelet-certificate-authority=<ca-string> |
DKP Explanation
The --kubelet-certificate-authority flag needs to be set on each API Server after the cluster has been fully provisioned. Adding it earlier causes issues with the creation and addition of worker nodes via CAPI and kubeadm.
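
A check to run against each API server's manifest once the flag has been added, as an added example that is not part of the DKP documentation. It reports whether --kubelet-certificate-authority is set and, going one step beyond the benchmark text, fails if the CA path is not under a mountPath in the pod spec. The function names, the constructed sample manifest and the /etc/kubernetes/pki/ca.crt path are assumptions.

```shell
#!/bin/sh
# Added example: audit a kube-apiserver static pod manifest for CIS 1.2.5.

# Print the value of --kubelet-certificate-authority in manifest $1 (empty if unset).
kubelet_ca_flag() {
    tr -d "\"'" < "$1" | awk '
        match($0, /^[ \t]*-[ \t]*--kubelet-certificate-authority=/) {
            v = substr($0, RSTART + RLENGTH); sub(/[ \t]+$/, "", v); print v
        }' | tail -n 1
}

# Succeed if path $2 lies under a mountPath declared in manifest $1.
path_is_mounted() {
    tr -d "\"'" < "$1" | awk -v p="$2" '
        $1 == "mountPath:" || $2 == "mountPath:" {
            m = ($1 == "mountPath:") ? $2 : $3
            if (m == "") next
            sub(/\/+$/, "", m)
            if (p == m || index(p, m "/") == 1) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Returns 0 = pass, 1 = flag missing or empty, 2 = CA path not mounted in the pod.
check_cis_1_2_5() {
    ca=$(kubelet_ca_flag "$1")
    [ -n "$ca" ] || { echo "FAIL: --kubelet-certificate-authority not set in $1"; return 1; }
    path_is_mounted "$1" "$ca" || { echo "FAIL: $ca is not under any mountPath in $1"; return 2; }
    echo "PASS: --kubelet-certificate-authority=$ca"
}

# Constructed, trimmed sample manifest; $1 is an extra command line to splice in.
sample_manifest() {
    cat <<EOF
spec:
  containers:
  - command:
    - kube-apiserver
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
$1
    volumeMounts:
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
EOF
}

tmp=$(mktemp)
sample_manifest "    - --kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt" > "$tmp"
check_cis_1_2_5 "$tmp"   # assumed kubeadm-style CA path, not taken from the page
rm -f "$tmp"
```

On a real cluster, pass check_cis_1_2_5 the API server pod specification file (the table's $apiserverconf) on every control plane node, since the flag has to be set on each API server.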