Hi everyone,
I’m running kube-bench on a Kubernetes cluster that was built and configured with kubeadm, and I’m getting a FAIL on the following CIS control:
1.2.5 Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.
From what I understand, kubeadm does not explicitly set --kubelet-certificate-authority in the kube-apiserver manifest. Instead, it automatically configures:
--client-ca-file=/etc/kubernetes/pki/ca.crt
Since kubeadm uses the same internal CA to sign both API client certificates and kubelet certificates, this should effectively cover kubelet authentication as well.
To test this further, I replicated the steps described in the official documentation:
I manually added:
--kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt
And I also manually approved the kubelet CSRs.
However, this felt like duplicating what kubeadm already manages automatically (bootstrap process, CA usage, and certificate rotation).
So my question is:
Is this actually a security issue, or is it just a kube-bench false positive on clusters initialized with kubeadm?
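An added check, written for this thread and not taken from the post or from kube-bench, that applies the 1.2.5 test to a kube-apiserver pod spec (the same structure `kubectl get pod -n kube-system kube-apiserver-<node> -o json` returns for the static pod). It looks for --kubelet-certificate-authority, which is the flag that makes the API server verify the kubelet's serving certificate when it connects to the kubelet for logs, exec and port-forward (--client-ca-file is only used to authenticate clients connecting to the API server), and it also confirms the CA path is reachable through a hostPath mount, since a path that is not mounted into the static pod is a common mistake when the flag is added by hand. The pod specs are constructed; the k8s-certs mount mirrors the kubeadm default.

```python
from pathlib import PurePosixPath

def parse_flags(command):
    """Turn ['kube-apiserver', '--a=b', '--c', 'd'] into {'a': 'b', 'c': 'd'}.

    Assumes every argument after the binary is a --flag (true for kubeadm manifests).
    """
    flags, args, i = {}, command[1:], 0
    while i < len(args):
        key, sep, value = args[i][2:].partition("=")
        if not sep and i + 1 < len(args) and not args[i + 1].startswith("--"):
            value, i = args[i + 1], i + 1   # space-separated form: --flag value
        flags[key] = value
        i += 1
    return flags

def host_path_for(container_path, container, volumes):
    """Map a path inside the container to the node path backing it (None if unmounted)."""
    by_name = {v["name"]: v for v in volumes}
    path = PurePosixPath(container_path)
    for m in container.get("volumeMounts", []):
        mount = PurePosixPath(m["mountPath"])
        host = by_name.get(m["name"], {}).get("hostPath", {}).get("path")
        if host and (path == mount or mount in path.parents):
            return str(PurePosixPath(host) / path.relative_to(mount))
    return None

def check_1_2_5(pod):
    """CIS 1.2.5: the apiserver must verify kubelet serving certs against a named CA."""
    container = pod["spec"]["containers"][0]
    ca = parse_flags(container["command"]).get("kubelet-certificate-authority")
    if not ca:
        # --client-ca-file authenticates clients *to* the apiserver; it does not make
        # the apiserver verify the kubelet it connects to for logs/exec/port-forward.
        return {"status": "FAIL", "reason": "--kubelet-certificate-authority not set"}
    host = host_path_for(ca, container, pod["spec"].get("volumes", []))
    if host is None:   # flag set, but the file would not exist inside the static pod
        return {"status": "FAIL", "reason": f"{ca} is not under any hostPath mount"}
    return {"status": "PASS", "ca_host_path": host}

def make_pod(extra_flags):
    """Constructed, trimmed kube-apiserver pod spec with kubeadm's k8s-certs mount."""
    return {"spec": {"containers": [{"name": "kube-apiserver",
        "command": ["kube-apiserver", "--client-ca-file=/etc/kubernetes/pki/ca.crt"] + extra_flags,
        "volumeMounts": [{"name": "k8s-certs", "mountPath": "/etc/kubernetes/pki"}]}],
        "volumes": [{"name": "k8s-certs", "hostPath": {"path": "/etc/kubernetes/pki"}}]}}

KUBEADM_DEFAULT = make_pod([])                      # what kube-bench flags as FAIL
HARDENED = make_pod(["--kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt"])
UNMOUNTED = make_pod(["--kubelet-certificate-authority=/opt/pki/ca.crt"])
```

Run `check_1_2_5(pod)` on the JSON of the mirror pod from a real node to reproduce the kube-bench verdict and see whether the CA path is actually mounted.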