Theme

Ensure that the --read-only-port is secured

LOW

Description

Description:

Disable the read-only port.

Rationale:

The Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster.

Removal of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API.

Remediation

If modifying the Kubelet config file, edit the kubelet-config.json file '/etc/kubernetes/kubelet/kubelet-config.json' and set the below parameter to false

readOnlyPort to 0

If using executable arguments, edit the kubelet service file '/etc/systemd/system/kubelet.service.d/10-kubelet-args.conf' on each worker node and add the below parameter at the end of the 'KUBELET_ARGS' variable string.

--read-only-port=0

For all three remediations:
Based on your system, restart the 'kubelet' service and check status

systemctl daemon-reload
systemctl restart kubelet.service
systemctl status kubelet -l
.

Policy Details

Rule Reference ID: AC_K8S_0010

CSP: Kubernetes

Remediation Available: No

Domain: Identity and Access Management

Resource: kubernetes_kubelet_configuration

Resource Category: Management

Resource Type: Kublet Configuration

Frameworks

GDPR
NIST-800-171
NIST-800-53
NIST-CSF
HIPAA
CIS Kubernetes v1.4.0 Level 1
CIS Kubernetes v1.6.1 Level 1 - Worker Node
CIS Amazon Elastic Kubernetes Service (EKS) v1.1.0 Level 1
CIS Azure Kubernetes Service (AKS) v1.1.0 Level 1
CIS Google Kubernetes Engine (GKE) v1.2.0 Level 1 - Worker Node