TF 0139 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Ensure that the --root-ca-file argument is set as appropriate

| Property | Value |
|----------|-------|
| Language | terraform |
| Severity | low |

Description

The kube-controller-manager is not configured with the --root-ca-file argument, preventing pods from verifying the API server’s certificate before establishing connections. This disables proper certificate validation between pods and the API server.

Impact

Without certificate verification, pods may unknowingly connect to a malicious or compromised API server, increasing the risk of man-in-the-middle attacks, unauthorized access, and data breaches within the Kubernetes cluster.

Resolution

Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane node and set the --root-ca-file parameter to the certificate bundle file.
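One way to verify the resolution on the Control Plane node, as an added example that is not part of the original wiki page or the project's own tooling. The function names, the optional bundle argument and the sample bundle path /etc/kubernetes/pki/ca.crt are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a kube-controller-manager static pod manifest for --root-ca-file.

# Print the value of --root-ca-file from manifest $1 (empty if absent).
# Only YAML list items match, so a commented-out flag does not count.
root_ca_file_arg() {
    grep -E '^[[:space:]]*-[[:space:]]+"?--root-ca-file=' "$1" \
        | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/"[[:space:]]*$//' -e 's/[[:space:]]*$//'
}

# check_root_ca_file MANIFEST [BUNDLE]
# Returns 0 when the flag is set, 1 when it is missing or empty, and 2 when
# the optional BUNDLE path (the bundle as seen from the host) has no PEM certificate.
check_root_ca_file() {
    value=$(root_ca_file_arg "$1") || true
    if [ -z "$value" ]; then
        echo "FAIL: --root-ca-file is not set in $1"
        return 1
    fi
    if [ -n "${2:-}" ] && ! grep -q 'BEGIN CERTIFICATE' "$2" 2>/dev/null; then
        echo "FAIL: $2 holds no PEM certificate"
        return 2
    fi
    echo "PASS: --root-ca-file=$value"
}

# Constructed sample input: a trimmed manifest, not a real cluster's file.
# /etc/kubernetes/pki/ca.crt is an assumed bundle location.
sample=$(mktemp)
cat > "$sample" <<'EOF'
spec:
  containers:
  - command:
    - kube-controller-manager
    # - --root-ca-file=/tmp/disabled.crt
    - --root-ca-file=/etc/kubernetes/pki/ca.crt
    - --use-service-account-credentials=true
EOF
check_root_ca_file "$sample"
rm -f "$sample"
```

On a real node, pass /etc/kubernetes/manifests/kube-controller-manager.yaml as the manifest. The path in the flag is resolved inside the controller manager container, so the bundle must also be mounted into the pod at that path.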