TF 0478 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Ensure that the `--kubelet-https` argument is set to true

| Property | Value |
|---|---|
| Language | |
| Severity | |
## Description

The Kubernetes API server is configured to connect to kubelets without HTTPS by setting the `--kubelet-https` flag to `false`. This results in unencrypted communication between the API server and kubelets, exposing sensitive data in transit.
## Impact

Without HTTPS, data exchanged between the API server and kubelets can be intercepted or modified by attackers with network access, potentially leading to credential theft, command injection, or unauthorized control over cluster nodes.
## Resolution

Edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the control plane node and remove the `--kubelet-https` parameter.
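The following shell script is an added example and not part of the SymbioticSec page or any project tooling. It audits a kube-apiserver static pod manifest for an explicit `--kubelet-https=false` argument and, if found, removes that line so the API server falls back to its default of HTTPS connections to kubelets. The manifest path is the one named in the resolution above; the sample manifest content and the `write_sample_manifest` helper are constructed here purely for a dry run and do not describe any real cluster.

```shell
#!/bin/sh
# Added example (not SymbioticSec's code): detect and remediate a kube-apiserver
# static pod manifest that disables HTTPS to kubelets. The default manifest path
# is the one named in the finding; override it with MANIFEST_PATH or an argument.

MANIFEST_PATH="${MANIFEST_PATH:-/etc/kubernetes/manifests/kube-apiserver.yaml}"

# Matches a YAML list item carrying exactly "--kubelet-https=false".
KUBELET_HTTPS_FALSE_RE='^[[:space:]]*-[[:space:]]*--kubelet-https=false[[:space:]]*$'

# Returns 1 if the manifest explicitly sets --kubelet-https=false, 0 otherwise.
# Absence of the flag is a pass: the API server defaults to HTTPS for kubelets.
# Returns 2 if the manifest cannot be read, so a missing file is never a pass.
check_kubelet_https() {
  manifest="${1:-$MANIFEST_PATH}"
  [ -r "$manifest" ] || { echo "ERROR: cannot read $manifest"; return 2; }
  if grep -Eq -- "$KUBELET_HTTPS_FALSE_RE" "$manifest"; then
    echo "FAIL: $manifest disables HTTPS to kubelets (--kubelet-https=false)"
    return 1
  fi
  echo "PASS: $manifest does not set --kubelet-https=false"
  return 0
}

# Removes the offending argument line, keeping a .bak copy beside the manifest.
# Uses sed-to-temp-then-mv rather than "sed -i" so it works on BSD and GNU sed.
# The kubelet restarts static pods automatically when a manifest in its static
# pod directory changes, so no manual restart of kube-apiserver is needed.
remediate_kubelet_https() {
  manifest="${1:-$MANIFEST_PATH}"
  cp "$manifest" "$manifest.bak"
  tmp="$manifest.tmp.$$"
  sed "/$KUBELET_HTTPS_FALSE_RE/d" "$manifest" > "$tmp" && mv "$tmp" "$manifest"
}

# Writes a constructed, deliberately non-compliant sample manifest to the given
# path. Only used for a dry run; the image tag is a placeholder, not a real tag.
write_sample_manifest() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:VERSION_PLACEHOLDER
    command:
    - kube-apiserver
    - --kubelet-https=false
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
EOF
}

# Dry run against the constructed sample (never touches the real manifest):
#   sample=$(mktemp); write_sample_manifest "$sample"
#   check_kubelet_https "$sample"       # FAIL
#   remediate_kubelet_https "$sample"
#   check_kubelet_https "$sample"       # PASS
```

On a real control plane node, run `check_kubelet_https` first as an audit step; only run `remediate_kubelet_https` once you have confirmed the manifest path and kept the `.bak` copy for rollback. The check deliberately anchors on the whole YAML list item so that a value like `--kubelet-https=true`, or the flag's complete absence, is reported as compliant.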