Ensure that the --read-only-port is secured




Disable the read-only port.


The Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster.

Removal of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API.


If modifying the Kubelet config file, edit the kubelet-config.json file '/etc/kubernetes/kubelet/kubelet-config.json' and set the below parameter to false

readOnlyPort to 0

If using executable arguments, edit the kubelet service file '/etc/systemd/system/kubelet.service.d/10-kubelet-args.conf' on each worker node and add the below parameter at the end of the 'KUBELET_ARGS' variable string.


For all three remediations:
Based on your system, restart the 'kubelet' service and check status

systemctl daemon-reload
systemctl restart kubelet.service
systemctl status kubelet -l