Ensure that the --encryption-provider-config argument is set as appropriate

Property
Language: terraform
Severity: low

Description

The Kubernetes API server is not configured with the --encryption-provider-config flag, meaning etcd data is stored unencrypted. This exposes sensitive cluster data at rest to potential unauthorized access.

Impact

If exploited, attackers with access to the etcd datastore can read sensitive information such as secrets, keys, and user data in plaintext, increasing the risk of data breaches and compromising cluster security.

Resolution

Follow the Kubernetes documentation and configure an EncryptionConfig file. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --encryption-provider-config parameter to the path of that file.

Ensure that the --etcd-cafile argument is set as appropriate

Property
Language: terraform
Severity: low

Description

The Kubernetes API server is not configured with the --etcd-cafile argument, meaning it may connect to etcd without verifying the server's TLS certificate authority. This weakens the security of communication between the API server and etcd.

Impact

Without certificate authority verification, attackers could perform man-in-the-middle attacks, intercepting or tampering with sensitive data between the API server and etcd. This can lead to unauthorized access, data breaches, or compromise of the Kubernetes control plane.

Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate

Property
Language: terraform
Severity: low

Description

The Kubernetes API server is not configured with the --etcd-certfile and --etcd-keyfile arguments, meaning it communicates with etcd without TLS encryption. This leaves the connection between the API server and etcd unprotected and susceptible to interception.

Impact

Without TLS, sensitive data transmitted between the API server and etcd can be intercepted or tampered with by an attacker on the network, potentially leading to unauthorized access to cluster secrets, data leakage, or modification of critical cluster state.

Ensure that the --hostname-override argument is not set

Property
Language: terraform
Severity: high

Description

Do not override node hostnames.

Resolution

Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and remove the --hostname-override argument.

Ensure that the --kubelet-certificate-authority argument is set as appropriate

Property
Language: terraform
Severity: low

Description

The Kubernetes API server is missing the --kubelet-certificate-authority argument, which means it does not verify the kubelet's TLS certificate before connecting. This weakens the security of the communication channel between the API server and kubelets.

Impact

Without certificate verification, attackers could impersonate kubelets, potentially intercepting or manipulating communication between the API server and worker nodes. This could lead to unauthorized access, data leakage, or disruption of cluster operations.

Ensure that the --kubelet-https argument is set to true

Property
Language: terraform
Severity: low

Description

The Kubernetes API server is configured to connect to kubelets without HTTPS by setting the --kubelet-https flag to false. This results in unencrypted communication between the API server and kubelets, exposing sensitive data in transit.

Impact

Without HTTPS, data exchanged between the API server and kubelets can be intercepted or modified by attackers with network access, potentially leading to credential theft, command injection, or unauthorized control over cluster nodes.