The --kubelet-client-certificate and --kubelet-client-key arguments are not set appropriately

Description

Enable certificate-based kubelet authentication. By default, the apiserver does not authenticate itself to the kubelet's HTTPS endpoints, so the kubelet treats requests from the apiserver as anonymous. Set up certificate-based kubelet authentication so that the apiserver authenticates itself to kubelets when submitting requests.
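One way to check a manifest for this condition before deployment, shown as an added example that is not part of the original page or of any scanner's code. It assumes the Pod manifest has already been loaded into a Python dict; the function names and the sample manifests are hypothetical and constructed for illustration.

```python
REQUIRED = ("--kubelet-client-certificate", "--kubelet-client-key")

def flag_values(argv):
    """Map each --flag to its value; accepts '--flag=value' and '--flag value'."""
    values, i = {}, 0
    while i < len(argv):
        name, sep, val = argv[i].partition("=")
        if name.startswith("--"):
            # Space-separated form: the value is the next token, if it is not a flag.
            if not sep and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                val = argv[i + 1]
                i += 1
            values[name] = val
        i += 1
    return values

def missing_kubelet_client_flags(pod):
    """Return {container name: [flags that are absent or empty]} for kube-apiserver containers."""
    findings = {}
    for c in pod.get("spec", {}).get("containers", []):
        argv = [str(a) for a in (c.get("command") or []) + (c.get("args") or [])]
        # Only containers that actually run the kube-apiserver binary are in scope.
        if not any(a.rsplit("/", 1)[-1] == "kube-apiserver" for a in argv):
            continue
        values = flag_values(argv)
        missing = [f for f in REQUIRED if not values.get(f, "").strip()]
        if missing:
            findings[c.get("name", "<unnamed>")] = missing
    return findings

def _pod(command):
    """Build a minimal constructed Pod manifest (sample input only)."""
    return {"kind": "Pod", "metadata": {"name": "kube-apiserver"},
            "spec": {"containers": [{"name": "kube-apiserver", "command": command}]}}

# Constructed samples: both flags set, key missing, key present but empty.
COMPLIANT = _pod(["kube-apiserver", "--kubelet-client-certificate=/path/to/cert",
                  "--kubelet-client-key=/path/to/key"])
CERT_ONLY = _pod(["kube-apiserver", "--kubelet-client-certificate=/path/to/cert"])
EMPTY_KEY = _pod(["kube-apiserver", "--kubelet-client-certificate", "/path/to/cert",
                  "--kubelet-client-key="])

if __name__ == "__main__":
    for label, pod in [("compliant", COMPLIANT), ("cert only", CERT_ONLY),
                       ("empty key", EMPTY_KEY)]:
        print(label, missing_kubelet_client_flags(pod) or "PASS")
```

A flag that is present with an empty value is reported the same as a missing one, since either way no usable client credential is configured.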

Fix - Buildtime

Kubernetes

  • Kind: Pod
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
+   - kube-apiserver
+   - --kubelet-client-certificate=/path/to/cert
+   - --kubelet-client-key=/path/to/key
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    ...
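Review bot: the `+` on `- kube-apiserver` marks the binary name as part of the fix, although the change this policy asks for is only the two `--kubelet-client-certificate` and `--kubelet-client-key` flags; mark just those two lines as added. `/path/to/cert` and `/path/to/key` are placeholders, and the visible lines show no volume mount that would make those files available inside the container, so the snippet should say that both paths must point at the client certificate and key as seen from within the kube-apiserver container.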