CNTR-K8-000330 - The Kubernetes Kubelet must have the read-only port flag disabled.

Information

Kubelet serves a small REST API with read access to port 10255. The read-only port for Kubernetes provides no authentication or authorization security control. Providing unrestricted access on port 10255 exposes Kubernetes pods and containers to malicious attacks or compromise. Port 10255 is deprecated and should be disabled.

Close the read-only-port by setting the API server's read-only port flag to '0'.

Solution

Edit the Kubernetes Kubelet file in the --config directory on the Kubernetes Master Node. Set the argument --read-only-port to 0.

Reset Kubelet service using the following command:
service kubelet restart

If using worker node arguments, edit the kubelet service file /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf on each Worker Node: set the parameter in KUBELET_SYSTEM_PODS_ARGS variable to
'--read-only-port=0'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V1R5_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CAT|I, CCI|CCI-000213, Rule-ID|SV-242387r717013_rule, STIG-ID|CNTR-K8-000330, Vuln-ID|V-242387

Plugin: Unix

Control ID: a364ddb472b810e5f946d91b8010202bddf7317ccd70f917313a17af68531678