.featureGates.RotateKubeletServerCertificate dropped from kubelet config in k8s 1.28 about bottlerocket HOT 2 CLOSED

This feature gate is actually enabled by default since Kubernetes 1.12. So there wasn't really a reason to ever have it present in the config file with any of the versions Bottlerocket supports.

Yes thanks - that was my suspicion

I was a bit confused though because this config seems to have appeared in bottlerocket for k8s 1.23 - then went away again now for 1.28 - and that didn't seem like it lined up with this feature gate becoming a default.

I think the correct thing in my case is probably to make a PR to kube-bench so it can understand this default correctly, just like bloodhound does here https://github.com/bottlerocket-os/bottlerocket/blob/develop/sources/bloodhound/src/bin/kubernetes-checks/checks.rs#L596-L599

from bottlerocket.

Hi @errm - sorry, that should maybe have been called out more clearly than just passing comments.

This feature gate is actually enabled by default since Kubernetes 1.12. So there wasn't really a reason to ever have it present in the config file with any of the versions Bottlerocket supports.

The reference you found in Bloodhound may actually be very interesting to you if you are trying to run the CIS Benchmarks. I'm sure you've seen a few other things that are just a little bit different in Bottlerocket that causes problems trying to use some of the tools designed for general purpose OSs. Bloodhound is an internal tool that was added and exposed through apiclient for running the Bottlerocket or Kubernetes CIS benchmarks. They provide either a nicely formatted human-readable format or a JSON formatted report that can be convenient for piping in to other programmatic reporting tools.

You can get a little more background context with the Bottlerocket CIS report and Kubernetes CIS report PRs.

Just let me know if you have any questions.

from bottlerocket.