Property
Language: terraform
Severity: low

Description

The Kubernetes API server is not started with the --client-ca-file argument, which points it at the certificate authority bundle used to verify client certificates. Without it, the API server does not validate client certificates on incoming connections, leaving it open to unauthenticated or unauthorized access attempts.

Impact

Without client certificate verification, malicious actors could connect to the API server without proper authentication, potentially gaining access to sensitive cluster operations and data, increasing the risk of unauthorized actions or compromise of the Kubernetes environment.

Resolution

Follow the Kubernetes documentation to set up the TLS connection on the apiserver. Then edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --client-ca-file argument to the cluster's client certificate authority file.
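The following is an added example, not code from the rule page or from the Kubernetes project, showing what the check looks for in a Terraform-managed kube-apiserver pod: the first resource omits --client-ca-file and would be flagged, the second passes the cluster CA and would not. The resource names, image tag and certificate paths are assumptions chosen for illustration.

```hcl
# Added example (not from the rule page): kube-apiserver declared with the
# Terraform Kubernetes provider. Names, image tag and PKI paths are assumed.

# Non-compliant: no --client-ca-file in the apiserver command, so client
# certificates presented on incoming connections are never validated.
resource "kubernetes_pod" "kube_apiserver_insecure" {
  metadata {
    name      = "kube-apiserver"
    namespace = "kube-system"
  }

  spec {
    container {
      name  = "kube-apiserver"
      image = "registry.k8s.io/kube-apiserver:v1.29.0" # assumed tag
      command = [
        "kube-apiserver",
        "--tls-cert-file=/etc/kubernetes/pki/apiserver.crt",        # assumed path
        "--tls-private-key-file=/etc/kubernetes/pki/apiserver.key", # assumed path
      ]
    }
  }
}

# Compliant: same pod, but the apiserver is told which CA bundle to trust for
# client certificates, so a presented certificate must chain to that CA.
resource "kubernetes_pod" "kube_apiserver_secure" {
  metadata {
    name      = "kube-apiserver"
    namespace = "kube-system"
  }

  spec {
    container {
      name  = "kube-apiserver"
      image = "registry.k8s.io/kube-apiserver:v1.29.0" # assumed tag
      command = [
        "kube-apiserver",
        "--tls-cert-file=/etc/kubernetes/pki/apiserver.crt",        # assumed path
        "--tls-private-key-file=/etc/kubernetes/pki/apiserver.key", # assumed path
        "--client-ca-file=/etc/kubernetes/pki/ca.crt",              # assumed path
      ]
    }
  }
}
```

On a kubeadm-style cluster the same argument goes into the command list of the kube-apiserver container in /etc/kubernetes/manifests/kube-apiserver.yaml; the kubelet restarts the static pod when that file changes. The CA file must contain the authority that signed the client certificates kubelets, kube-controller-manager and administrators use, or those components will be rejected once verification is on.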