Description:
Disable the read-only port.
Rationale:
The Kubelet process provides a read-only API in addition to the main Kubelet API. This read-only API is served without authentication, so anyone who can reach it could retrieve potentially sensitive information about the cluster.
Removing the read-only port requires that any service which made use of it be reconfigured to use the main Kubelet API.
If modifying the Kubelet config file, edit the kubelet-config.json file '/etc/kubernetes/kubelet/kubelet-config.json' and set the below parameter as shown
readOnlyPort to 0
If using executable arguments, edit the kubelet service file '/etc/systemd/system/kubelet.service.d/10-kubelet-args.conf' on each worker node and add the below parameter at the end of the 'KUBELET_ARGS' variable string.
--read-only-port=0
For all three remediations:
Based on your system, restart the 'kubelet' service and check status
systemctl daemon-reload
systemctl restart kubelet.service
systemctl status kubelet -l
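
The check below is an added example, not part of the original recommendation: it takes a node's kubelet argument string and the contents of kubelet-config.json and reports whether the read-only port is explicitly set to 0. It assumes command-line arguments override the config file and that the last occurrence of a repeated argument wins; the function names and sample inputs are constructed for illustration.

```python
import json
import shlex

FLAG = "--read-only-port"

def flag_value(args_line):
    """Last value given for --read-only-port in an argument string, else None."""
    value = None
    tokens = shlex.split(args_line)
    for i, tok in enumerate(tokens):
        if tok.startswith(FLAG + "="):
            value = tok.split("=", 1)[1]
        elif tok == FLAG and i + 1 < len(tokens):
            value = tokens[i + 1]
    return value

def audit_read_only_port(config_text, args_line):
    """Return (compliant, reason) for one node's kubelet settings."""
    raw, source = flag_value(args_line), FLAG + " argument"
    if raw is None:
        # Assumption: no argument given, so the config file value applies.
        try:
            config = json.loads(config_text or "{}")
        except json.JSONDecodeError as exc:
            return False, f"config file is not valid JSON ({exc.msg})"
        if not isinstance(config, dict):
            return False, "config file is not a JSON object"
        raw, source = config.get("readOnlyPort"), "readOnlyPort in config file"
    if raw is None:
        return False, "read-only port is not set explicitly"
    if isinstance(raw, (bool, float)):
        # int(False) and int(0.5) both give 0; only the integer 0 is accepted.
        return False, f"{source} must be the integer 0, got {raw!r}"
    try:
        port = int(raw)
    except (TypeError, ValueError):
        return False, f"{source} has non-numeric value {raw!r}"
    if port == 0:
        return True, f"{source} is 0, read-only port disabled"
    return False, f"{source} is {port}, read-only port enabled"

if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real node.
    config = '{"kind": "KubeletConfiguration", "readOnlyPort": 0}'
    args = "--node-ip=10.0.0.12 --read-only-port=10255"
    print(audit_read_only_port(config, args))  # argument overrides the file
    print(audit_read_only_port(config, "--node-ip=10.0.0.12"))
```

Pass the argument string itself (for example the value of KUBELET_ARGS), not the whole systemd unit line.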