Ensure that the RotateKubeletServerCertificate argument is set to true
| Property | |
|---|---|
| Language | |
| Severity | |
Description
The kube-controller-manager is not configured to enable automatic rotation of kubelet server certificates. Without this setting, kubelet certificates are not automatically renewed, which can lead to the use of outdated or compromised credentials.
Impact
If certificate rotation is not enabled, expired or potentially compromised kubelet server certificates may remain in use, increasing the risk of unauthorized access or disruption of secure communication within the Kubernetes cluster.
Resolution
Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.
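One way to verify the result after editing the manifest, as an added example (not the scanner's own code): it reads the manifest text, collects every --feature-gates list item and reports whether RotateKubeletServerCertificate is explicitly true. The function names, the sample manifests and the gate name SomeOtherGate are constructed for illustration, and the check assumes the flag is written in the --feature-gates=... form and treats an unlisted gate as failing, as the rule above does.

```python
import re

GATE = "RotateKubeletServerCertificate"

# Matches an uncommented YAML list item carrying the flag, quoted or not, e.g.
#   - --feature-gates=A=true,B=false
#   - "--feature-gates=A=true"
_FLAG_RE = re.compile(r"""^\s*-\s+["']?--feature-gates=([^"'\s#]*)["']?\s*(?:#.*)?$""")

def parse_feature_gates(manifest_text):
    """Return {gate: bool} from every --feature-gates item; later items win."""
    gates = {}
    for line in manifest_text.splitlines():
        m = _FLAG_RE.match(line)
        if not m:
            continue
        for pair in filter(None, m.group(1).split(",")):
            name, sep, value = pair.partition("=")
            if sep:
                # Only the literal "true" counts as enabled in this check.
                gates[name.strip()] = value.strip().lower() == "true"
    return gates

def check_rotation(manifest_text):
    """Return (passed, reason) for the rule described on this page."""
    gates = parse_feature_gates(manifest_text)
    if GATE not in gates:
        return False, f"{GATE} is not listed in --feature-gates"
    if not gates[GATE]:
        return False, f"{GATE} is explicitly set to false"
    return True, f"{GATE}=true"

# Constructed sample manifests (trimmed to the relevant part of the pod spec).
SAMPLE_FAIL = """\
spec:
  containers:
  - command:
    - kube-controller-manager
    - --feature-gates=SomeOtherGate=true
"""
SAMPLE_PASS = """\
spec:
  containers:
  - command:
    - kube-controller-manager
    - --feature-gates=SomeOtherGate=false,RotateKubeletServerCertificate=true
"""

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_FAIL), ("after", SAMPLE_PASS)):
        print(label, check_rotation(text))
```

To check a real control plane node, pass the contents of /etc/kubernetes/manifests/kube-controller-manager.yaml to check_rotation.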