Workload misconfigurations

Kubernetes node’s kubelet client-ca-file is not set

Risk Level

Informational (4)

Platform(s)
  • N/A

Compliance Frameworks

Description

The kubelet reads various parameters, including security settings, from a config file. The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet's port-forwarding functionality. These connections terminate at the kubelet's HTTPS endpoint. By default, the apiserver does not verify the kubelet's serving certificate, which makes the connection subject to man-in-the-middle attacks and unsafe to run over untrusted and/or public networks. Orca has detected that clientCAFile is not set to a certificate file on {K8sNode.Vm}.
  • Recommended Mitigation

    Set the kubelet's client-ca-file on {K8sNode} to a valid certificate file path.
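A defender-side check for this finding, added here as an example and not part of Orca's tooling: it reads a kubelet config file and reports whether authentication.x509.clientCAFile is set and points at a readable file. The sample configs and the empty ca.crt are constructed for the demonstration; the real config path (commonly /var/lib/kubelet/config.yaml) and a kubelet started with the --client-ca-file flag instead of a config file are assumptions the check does not cover.

```shell
#!/bin/sh
# Usage: audit_kubelet_client_ca /var/lib/kubelet/config.yaml
# Exit codes: 0 = clientCAFile set and readable, 1 = key missing or empty,
# 2 = key set but file unreadable, 3 = config file itself unreadable.
# Note: only the config file is inspected; a kubelet configured purely via
# the --client-ca-file command-line flag must be checked from its process args.
audit_kubelet_client_ca() {
  cfg="$1"
  [ -r "$cfg" ] || { echo "FAIL: cannot read kubelet config $cfg"; return 3; }
  # Extract the value of the first uncommented clientCAFile: line.
  # Quotes are optional; trailing comments and whitespace are dropped.
  ca=$(sed -n 's/^[[:space:]]*clientCAFile:[[:space:]]*"\{0,1\}\([^"#]*\)"\{0,1\}.*$/\1/p' "$cfg" \
       | head -n 1 | sed 's/[[:space:]]*$//')
  if [ -z "$ca" ]; then
    echo "FAIL: authentication.x509.clientCAFile is not set in $cfg"
    return 1
  fi
  if [ ! -r "$ca" ]; then
    echo "FAIL: clientCAFile=$ca is set but the file is not readable"
    return 2
  fi
  echo "PASS: clientCAFile=$ca"
  return 0
}

# Constructed sample configs (not from a real node): weak.yaml omits the CA,
# fixed.yaml names a placeholder CA file created alongside it.
make_sample_configs() {
  dir="$1"
  : > "$dir/ca.crt"   # empty placeholder standing in for the cluster CA bundle
  cat > "$dir/weak.yaml" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false
  x509: {}
EOF
  cat > "$dir/fixed.yaml" <<EOF
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false
  x509:
    clientCAFile: $dir/ca.crt
EOF
}
```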