Kubelet HTTPS Set To False

YAML Configuration

rule.yaml YAML

apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-platform-001
  labels:
    severity: "critical"
    category: "platform"
  annotations:
    rules.spotter.dev/title: "Kubelet HTTPS Set To False"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-319"
    rules.spotter.dev/description: "The Kubelet should enforce HTTPS for its API to ensure secure communication."
spec:
  match:
    resources:
      kubernetes:
        apiGroups:
          - ""
        versions:
          - v1
        kinds:
          - Pod
  cel: |
    has(object.spec.containers) && object.spec.containers.exists(c, has(c.command) && c.command.exists(cmd, cmd == "kubelet") && has(c.args) && c.args.exists(arg, arg == "--https=false"))
  remediation:
    manual: "Ensure `--https` is not set to `false` or is omitted (defaults to `true`), and explicitly configure `--tls-cert-file` and `--tls-private-key-file`."
  references:
    - title: "Kubelet Command Line Reference"
      url: "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/"

Test Cases

test-cases.yaml YAML

- name: insecure sample 1 should fail
  pass: false
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: command-demo
      labels:
        purpose: demonstrate-command
    spec:
      containers:
        - name: command-demo-container
          image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
          command: ["kube-apiserver"]
          args: ["--kubelet-https=false"]
      restartPolicy: OnFailure

- name: secure sample 1 should pass
  pass: true
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: command-demo
      labels:
        purpose: demonstrate-command
    spec:
      containers:
        - name: command-demo-container
          image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
          command: ["kube-apiserver"]
      restartPolicy: OnFailure

- name: secure sample 2 should pass
  pass: true
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: command-demo
      labels:
        purpose: demonstrate-command
    spec:
      containers:
        - name: command-demo-container
          image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
          command: ["kube-apiserver"]
          args: ["--kubelet-https=true"]
      restartPolicy: OnFailure

Validating Admission Policy

validating-admission-policy.yaml YAML

# VAP export for spotter-platform-001
# Generated from Spotter rule
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: spotter-platform-001
spec:
  # Add your VAP configuration here

Rule Metadata

Kubelet HTTPS Set To False

YAML Configuration

Test Cases

Validating Admission Policy

Rule Metadata

Rule Information

Tags & Compliance

Compliance Standards

General Tags

Spotter Hub