Detections
Analytics
Ensure that the --read-only-port is disabled
LOW
Description
Description:
Disable the read-only port.
Rationale:
The Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster.
Removal of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API.
Remediation
If modifying the Kubelet config file, edit the kubelet-config.json file '/etc/kubernetes/kubelet/kubelet-config.json' and set the below parameter to 0
"readOnlyPort": 0
If using executable arguments, edit the kubelet service file '/etc/systemd/system/kubelet.service.d/10-kubelet-args.conf' on each worker node and add the below parameter at the end of the 'KUBELET_ARGS' variable string.
--read-only-port=0
For each remediation:
Based on your system, restart the 'kubelet' service and check status
systemctl daemon-reload
systemctl restart kubelet.service
systemctl status kubelet -l
Policy Details
Frameworks
NIST-800-171
NIST-800-53
NIST-CSF
HIPAA
CIS Kubernetes v1.4.0 Level 1
CIS Kubernetes v1.6.1 Level 1 - Worker Node
CIS Amazon Elastic Kubernetes Service (EKS) v1.1.0 Level 1
CIS Amazon Elastic Kubernetes Service (EKS) v1.3.0 Level 1
CIS Azure Kubernetes Service (AKS) v1.1.0 Level 1
CIS Azure Kubernetes Service (AKS) v1.3.0 Level 1
CIS Google Kubernetes Engine (GKE) v1.2.0 Level 1 - Worker Node
CIS Google Kubernetes Engine (GKE) v1.4.0 Level 1