Ensure that the --peer-auto-tls argument is not set to true

Property
Language: terraform
Severity: low

Description

The etcd pod is configured with the --peer-auto-tls option set to true, which causes it to automatically generate and trust self-signed TLS certificates for peer communication. This weakens the security of encrypted connections between etcd nodes by relying on untrusted, automatically created certificates.

Impact

If exploited, attackers could intercept or impersonate etcd peers due to the lack of proper certificate validation, potentially leading to unauthorized access, data tampering, or disruption of the Kubernetes cluster’s control plane.

Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate

Property
Language: terraform
Severity: low

Description

The etcd service is not configured with the --peer-cert-file and --peer-key-file arguments, meaning TLS encryption is not enforced for communication between etcd peers. This leaves peer traffic unencrypted and vulnerable to interception.

Impact

Without TLS encryption on peer connections, sensitive data and cluster operations can be exposed or tampered with by attackers on the network, potentially leading to data breaches, unauthorized cluster manipulation, or denial of service.

Ensure that the --peer-client-cert-auth argument is set to true

Property
Language: terraform
Severity: low

Description

The etcd service is not configured to require peer authentication using client certificates (--peer-client-cert-auth not set to true), allowing peers to connect without verifying their identity. This weakens the security of communications between etcd nodes in a Kubernetes cluster.

Impact

Without peer client certificate authentication, malicious or unauthorized nodes could join the etcd cluster, potentially leading to data compromise, cluster disruption, or unauthorized access to sensitive cluster information.

Ensure that the --profiling argument is set to false

Property
Language: terraform
Severity: low

Description

The Kubernetes API server is running with the --profiling flag enabled, which exposes profiling endpoints not required for normal operation. Leaving profiling enabled unnecessarily increases the server's attack surface.

Impact

If exploited, attackers could access sensitive performance data or abuse profiling endpoints to gather information about the API server and its resource usage, potentially aiding in further attacks or denial-of-service scenarios.

Resolution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --profiling parameter to false.

Ensure that the --profiling argument is set to false

Property
Language: terraform
Severity: low

Description

Disable profiling, if not needed.

Resolution

Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane node and set the --profiling parameter to false.

Ensure that the --profiling argument is set to false

Property
Language: terraform
Severity: low

Description

Disable profiling, if not needed.

Resolution

Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml on the Control Plane node and set the --profiling parameter to false.

Ensure that the --root-ca-file argument is set as appropriate

Property
Language: terraform
Severity: low

Description

The kube-controller-manager is not configured with the --root-ca-file argument, preventing pods from verifying the API server's certificate before establishing connections. This disables proper certificate validation between pods and the API server.

Impact

Without certificate verification, pods may unknowingly connect to a malicious or compromised API server, increasing the risk of man-in-the-middle attacks, unauthorized access, and data breaches within the Kubernetes cluster.

Resolution

Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane node and set the --root-ca-file parameter to the certificate bundle file.

Ensure that the --secure-port argument is not set to 0

Property
Language: terraform
Severity: low

Description

The Kubernetes API server is configured with the --secure-port argument set to 0, which disables secure (HTTPS) communication for the API server endpoint. This results in the API server only accepting insecure, unencrypted connections.

Impact

Disabling the secure port exposes the API server to interception and tampering of sensitive Kubernetes traffic. Attackers could eavesdrop on or manipulate API requests, potentially gaining unauthorized access or control over the Kubernetes cluster.
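The checks in all of the entries above (the etcd peer TLS flags, --profiling on the three control-plane components, --root-ca-file and --secure-port) can be run against the command: list of a static pod manifest. The following is an added example written for this page, not the policy engine's own code; the sample file paths in the test values are constructed, not taken from a real cluster.

```python
def parse_flags(command):
    """Turn a static pod 'command:' list into {flag: value}.
    Handles --flag=value, --flag value and bare --flag (treated as 'true')."""
    flags = {}
    args = list(command[1:])  # drop the binary name
    i = 0
    while i < len(args):
        arg = args[i]
        if not arg.startswith("--"):
            i += 1
            continue
        if "=" in arg:
            key, value = arg[2:].split("=", 1)
        elif i + 1 < len(args) and not args[i + 1].startswith("--"):
            key, value = arg[2:], args[i + 1]
            i += 1
        else:
            key, value = arg[2:], "true"
        flags[key] = value
        i += 1
    return flags

def is_true(v): return v is not None and v.lower() == "true"
def is_false(v): return v is not None and v.lower() == "false"
def is_set(v): return bool(v)

# Checks per component, mirroring the entries above: (flag, predicate, message).
# A missing --profiling fails because the components default it to true.
CHECKS = {
    "etcd": [
        ("peer-auto-tls", lambda v: not is_true(v), "--peer-auto-tls must not be true"),
        ("peer-cert-file", is_set, "--peer-cert-file must be set"),
        ("peer-key-file", is_set, "--peer-key-file must be set"),
        ("peer-client-cert-auth", is_true, "--peer-client-cert-auth must be true"),
    ],
    "kube-apiserver": [
        ("profiling", is_false, "--profiling must be false"),
        ("secure-port", lambda v: v != "0", "--secure-port must not be 0"),
    ],
    "kube-controller-manager": [
        ("profiling", is_false, "--profiling must be false"),
        ("root-ca-file", is_set, "--root-ca-file must be set"),
    ],
    "kube-scheduler": [("profiling", is_false, "--profiling must be false")],
}

def check_command(command):
    """Return one finding string per failed check for this component's command."""
    component = command[0].rsplit("/", 1)[-1]  # '/usr/local/bin/etcd' -> 'etcd'
    flags = parse_flags(command)
    return [f"{component}: {msg}" for flag, ok, msg in CHECKS.get(component, []) if not ok(flags.get(flag))]
```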