Best practices

K8S API server configuration allows all client certificate authorities

Risk Level

Informational (4)

  • N/A

Compliance Frameworks

API server communication carries sensitive parameters that should remain encrypted in transit, so configure the API server to serve only HTTPS traffic. If the --client-ca-file argument is set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate. Orca has detected that '--client-ca-file' is not set.
  • Recommended Mitigation

    It is recommended to set the '--client-ca-file' parameter in the API server configuration to a valid file (the PEM bundle of client certificate authorities the API server should trust).
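As an added example (not part of this page or of Orca's tooling), the following POSIX shell check reads a kube-apiserver static pod manifest and reports whether `--client-ca-file` is set. The default manifest path named in the comment is the kubeadm convention and is an assumption; the two inline manifests are constructed for illustration and written to temporary files so the check runs anywhere.

```shell
#!/bin/sh
# Added example: detect whether a kube-apiserver manifest sets --client-ca-file.
# On kubeadm nodes the live manifest is usually (assumption)
# /etc/kubernetes/manifests/kube-apiserver.yaml; pass that path to check_client_ca.

# Print the value of --client-ca-file from a manifest, or nothing if it is unset.
# Matches command/args list items of the form "- --client-ca-file=/path".
client_ca_file_value() {
  sed -n 's/^[[:space:]]*-[[:space:]]*--client-ca-file=\(.*\)$/\1/p' "$1" | head -n 1
}

# Returns 0 (PASS) when the flag is set, 1 (FAIL) when it is missing.
check_client_ca() {
  manifest="$1"
  value="$(client_ca_file_value "$manifest")"
  if [ -z "$value" ]; then
    echo "FAIL: --client-ca-file is not set in $manifest"
    return 1
  fi
  echo "PASS: --client-ca-file=$value"
  # Informational only: the CA bundle is expected to exist on the control-plane node,
  # not necessarily on the host where this check is run.
  [ -r "$value" ] || echo "WARN: $value is not readable on this host"
  return 0
}

# Constructed sample manifests (not taken from any real cluster).
GOOD_MANIFEST="$(mktemp)"
cat >"$GOOD_MANIFEST" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --secure-port=6443
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
EOF

BAD_MANIFEST="$(mktemp)"
cat >"$BAD_MANIFEST" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --secure-port=6443
EOF

# Demonstration on the two constructed manifests (expected: PASS, then FAIL).
for m in "$GOOD_MANIFEST" "$BAD_MANIFEST"; do
  check_client_ca "$m" || :
done
```

The same function works on the YAML that `kubectl -n kube-system get pod -l component=kube-apiserver -o yaml` prints on a kubeadm cluster (the `component=kube-apiserver` label is the kubeadm convention, assumed here), because the container command appears there in the same `- --flag=value` list form.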