This repository has been archived by the owner on Oct 24, 2023. It is now read-only.

chore(CIS): add rotate kubelet certs flag #1052

Merged
merged 1 commit into from Apr 27, 2019

Conversation

andyzhangx
Contributor

Reason for Change:

```
[INFO] 2 Worker Node Security Configuration
[INFO] 2.1 Kubelet
[FAIL] 2.1.12 Ensure that the --rotate-certificates argument is not set to false (Scored)
[FAIL] 2.1.13 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)

2.1.12 If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service
on each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service

2.1.13 Edit the kubelet service file /etc/systemd/system/kubelet.service
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
--feature-gates=RotateKubeletServerCertificate=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
```

Issue Fixed:

Current kubelet certs are under /var/lib/kubelet/pki/, and they have only one year of validity:

```
$ openssl x509 -in /var/lib/kubelet/pki/kubelet.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=k8s-master-22533604-0-ca@1553485044
        Validity
            Not Before: Mar 25 02:37:23 2019 GMT
            Not After : Mar 24 02:37:23 2020 GMT
        Subject: CN=k8s-master-22533604-0@1553485044
```

Requirements:

Notes:
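The two CIS checks and the one-year expiry quoted in this PR description, as an added POSIX shell example (it is not aks-engine code and not part of the PR): it audits a kubelet command line for `--rotate-certificates` and the `RotateKubeletServerCertificate` feature gate the way kube-bench reports them, and computes how many days a `Not After` line from `openssl x509 -text` leaves from a given date. The command lines it audits are constructed samples, not a real node's unit file; the expiry date is the one from the PR's openssl output, checked against the PR date.

```shell
#!/bin/sh
# Added example, not aks-engine code: audit a kubelet command line for the two
# CIS 1.4 worker-node checks quoted in the PR (2.1.12 / 2.1.13) and compute how
# many days a kubelet.crt has left, using only POSIX sh and awk.

# days_from_civil Y M D -> days since 1970-01-01 (proleptic Gregorian, no TZ).
days_from_civil() {
    awk -v y="$1" -v m="$2" -v d="$3" 'BEGIN {
        y = y - (m <= 2)
        era = int(y / 400)
        yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        print era * 146097 + doe - 719468
    }'
}

# not_after_days "Not After : Mar 24 02:37:23 2020 GMT" -> days since epoch.
# Takes the line exactly as `openssl x509 -text` prints it.
not_after_days() {
    rest=${1#*Not After*:}          # " Mar 24 02:37:23 2020 GMT"
    set -- $rest                     # split into Mon Day Time Year Zone
    case $1 in
        Jan) m=1 ;; Feb) m=2 ;; Mar) m=3 ;; Apr) m=4 ;; May) m=5 ;; Jun) m=6 ;;
        Jul) m=7 ;; Aug) m=8 ;; Sep) m=9 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) return 1 ;;
    esac
    days_from_civil "$4" "$m" "$2"
}

# days_to_expiry "<Not After line>" Y M D -> whole days from Y-M-D until expiry
days_to_expiry() {
    exp=$(not_after_days "$1") || return 1
    now=$(days_from_civil "$2" "$3" "$4")
    echo $((exp - now))
}

# CIS 2.1.12: --rotate-certificates must not be false.
# Prints pass (=true or bare flag), fail (=false) or absent (flag missing).
check_rotate_certificates() {
    case " $1 " in
        *" --rotate-certificates=false "*) echo fail ;;
        *" --rotate-certificates=true "*|*" --rotate-certificates "*) echo pass ;;
        *) echo absent ;;
    esac
}

# CIS 2.1.13: --feature-gates must contain RotateKubeletServerCertificate=true.
check_server_rotation() {
    for word in $1; do
        case $word in
            --feature-gates=*)
                gates=${word#--feature-gates=}
                case ",$gates," in
                    *",RotateKubeletServerCertificate=true,"*) echo pass; return 0 ;;
                esac ;;
        esac
    done
    echo fail
}

# audit_kubelet "<cmdline>" -> kube-bench style report lines
audit_kubelet() {
    r=$(check_rotate_certificates "$1")
    case $r in pass) s1=PASS ;; *) s1=FAIL ;; esac
    case $(check_server_rotation "$1") in pass) s2=PASS ;; *) s2=FAIL ;; esac
    echo "[$s1] 2.1.12 --rotate-certificates ($r)"
    echo "[$s2] 2.1.13 RotateKubeletServerCertificate feature gate"
}

# Constructed sample command lines (not taken from a real node):
BEFORE='/usr/local/bin/kubelet --anonymous-auth=false --client-ca-file=/etc/kubernetes/certs/ca.crt'
AFTER="$BEFORE --rotate-certificates=true --feature-gates=RotateKubeletServerCertificate=true"

echo "== before the change =="; audit_kubelet "$BEFORE"
echo "== after the change  =="; audit_kubelet "$AFTER"

# The Not After line from the PR's openssl output, measured from the PR date (2019-04-15):
echo "kubelet.crt expires in $(days_to_expiry 'Not After : Mar 24 02:37:23 2020 GMT' 2019 4 15) days"
```

The `absent` result is reported separately because a missing `--rotate-certificates` flag depends on the kubelet default, while `=false` is an explicit opt-out; treating both as FAIL, as the audit above does, errs on the side of the remediation text. `days_to_expiry` deliberately ignores the time of day and zone, so it is accurate to the day, which is enough for an expiry alert threshold.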

@codecov

codecov bot commented Apr 15, 2019

Codecov Report

Merging #1052 into master will increase coverage by <.01%.
The diff coverage is 100%.

```
@@            Coverage Diff             @@
##           master    #1052      +/-   ##
==========================================
+ Coverage   74.27%   74.27%   +<.01%     
==========================================
  Files         131      131              
  Lines       18246    18248       +2     
==========================================
+ Hits        13552    13554       +2     
  Misses       3912     3912              
  Partials      782      782
```

@andyzhangx
Contributor Author

/azp run pr-e2e

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

Contributor

@CecileRobertMichon CecileRobertMichon left a comment


lgtm

@jackfrancis
Member

/hold

@andyzhangx
Contributor Author

andyzhangx commented Apr 26, 2019

@jackfrancis Shall we merge this PR first? With this PR, at least we could do the cert rotation when the cert is going to expire and manually approve it. There is no side effect at that time, since the cert is going to expire anyway as the time approaches.
You could find details about RotateKubeletServerCertificate here: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#certificate-rotation

And how to manually approve cert rotation here:
https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/#approving-certificate-signing-requests
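The manual approval step referred to in this comment, as an added POSIX shell example (not aks-engine code and not from the linked documentation): with `RotateKubeletServerCertificate` enabled, each kubelet files a CSR for its serving certificate that an operator has to approve, so the helper below filters `kubectl get csr` output down to pending CSRs requested by node identities (`system:node:<name>`) and prints one `kubectl certificate approve` line per CSR for review. The sample output is constructed and assumes the 1.14-era column layout (NAME, AGE, REQUESTOR, CONDITION).

```shell
#!/bin/sh
# Added example, not aks-engine code: triage `kubectl get csr` output so that
# only the kubelets' own pending CSRs are put forward for manual approval.

# pending_node_csrs "<kubectl get csr output>" -> names of Pending CSRs
# whose requestor is a node identity (system:node:<name>); anything else,
# e.g. a user-submitted CSR, is left for a human to look at separately.
pending_node_csrs() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 ~ /^system:node:/ && $4 == "Pending" { print $1 }'
}

# approve_commands "<kubectl get csr output>" -> one `kubectl certificate approve`
# line per pending node CSR, for an operator to review and then run.
approve_commands() {
    for name in $(pending_node_csrs "$1"); do
        echo "kubectl certificate approve $name"
    done
}

# Constructed sample in the column layout of `kubectl get csr` on Kubernetes 1.14
# (NAME AGE REQUESTOR CONDITION); the CSR names and node names are made up.
SAMPLE='NAME        AGE   REQUESTOR                      CONDITION
csr-8b2mz   10s   system:node:k8s-agentpool1-0   Pending
csr-wq4tz   1h    system:node:k8s-agentpool1-1   Approved,Issued
csr-x9ll0   5m    user@example.com               Pending'

approve_commands "$SAMPLE"
```

On a live cluster the input would be `kubectl get csr` captured into a variable; the point of printing the approve commands rather than running them is that approving a serving certificate vouches for the node's identity, so the list should be checked against the expected node names before any of them is executed.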

@jackfrancis
Member

/lgtm

@acs-bot

acs-bot commented Apr 26, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andyzhangx, jackfrancis

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@andyzhangx
Contributor Author

/hold cancel
