Ensure that the --root-ca-file argument is set as appropriate
| Property | |
|---|---|
| Language | |
| Severity | |
Description
The kube-controller-manager is not configured with the --root-ca-file argument, preventing pods from verifying the API server’s certificate before establishing connections. This disables proper certificate validation between pods and the API server.
Impact
Without certificate verification, pods may unknowingly connect to a malicious or compromised API server, increasing the risk of man-in-the-middle attacks, unauthorized access, and data breaches within the Kubernetes cluster.
Resolution
Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane node and set the --root-ca-file parameter to the certificate bundle file.
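
One way to audit this setting on a Control Plane node, as an added example (not part of the original rule or of any Kubernetes tooling). The function names are hypothetical, and it assumes the CA path in the manifest resolves to the same path on the host as inside the container, as in kubeadm layouts.

```shell
#!/bin/sh
# Added example: audit a kube-controller-manager static pod manifest
# for the --root-ca-file argument. Function names are hypothetical.

# Print the value of --root-ca-file found in manifest $1 (empty if absent).
# Commented-out lines are ignored; unquoted and double-quoted items are handled.
root_ca_file_value() {
    awk '
        /^[ \t]*#/ { next }
        match($0, /--root-ca-file=[^" \t]*/) {
            # 15 is the length of the literal "--root-ca-file="
            print substr($0, RSTART + 15, RLENGTH - 15)
            exit
        }' "$1"
}

# Return 0 when the flag points at a readable PEM bundle.
# 1 = flag missing or empty, 2 = file not readable, 3 = not PEM.
check_root_ca_file() {
    manifest=$1
    ca=$(root_ca_file_value "$manifest")
    if [ -z "$ca" ]; then
        echo "FAIL: --root-ca-file is not set in $manifest"
        return 1
    fi
    # Assumption: the path is valid on the host as well as in the container.
    if [ ! -r "$ca" ]; then
        echo "FAIL: --root-ca-file=$ca is not readable"
        return 2
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca"; then
        echo "FAIL: $ca does not look like a PEM certificate bundle"
        return 3
    fi
    echo "PASS: --root-ca-file=$ca"
}

# Run the check only when a manifest path is passed on the command line, e.g.
#   sh check.sh /etc/kubernetes/manifests/kube-controller-manager.yaml
if [ "$#" -gt 0 ]; then
    check_root_ca_file "$1"
fi
```

The return codes separate a missing flag from a flag that points at an unreadable or non-PEM file, so a scheduled audit can report which of the two needs fixing.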