Skip to main content

lacework-global-320

3.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)

Profile Applicability

• Level 1

Description

Disable anonymous requests to the Kubelet server.

Rationale

When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests.

Impact

Anonymous requests will be rejected.

Audit

Audit Method 1:

If using a Kubelet configuration file, check that there is an entry for authentication: anonymous: enabled set to false.

First, SSH to the relevant node:

Run the following command on each node to find the appropriate Kubelet config file:

ps -ef | grep kubelet

The output of the above command should return something similar to --config /etc/kubernetes/kubelet/kubelet-config.json which is the location of the Kubelet config file.

Open the Kubelet config file:

sudo more /etc/kubernetes/kubelet/kubelet-config.json

Verify that the "authentication": { "anonymous": { "enabled": false } argument is set to false.

Audit Method 2:

If using the api configz endpoint consider searching for the status of authentication... "anonymous.*{"enabled":false} by extracting the live configuration from the nodes running kubelet.

Set the local proxy port and the following variables and provide proxy port number and node name; HOSTNAME_PORT="localhost-and-port-number" NODE_NAME="The-Name-Of-Node-To-Extract-Configuration" from the output of "kubectl get nodes"

kubectl proxy --port=8001 &

export HOSTNAME_PORT=localhost:8001 (example host and port number)
export NODE_NAME=ip-192.168.31.226.ec2.internal (example node name from "kubectl get nodes")

curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"

Remediation

Remediation Method 1:

If modifying the Kubelet config file, edit the kubelet-config.json file /etc/kubernetes/kubelet/kubelet-config.json and set the below parameter to false:

"authentication": { "anonymous": { "enabled": false } }

Remediation Method 2:

If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf on each worker node and add the below parameter at the end of the KUBELET_ARGS variable string:

--anonymous-auth=false

Remediation Method 3:

If using the api configz endpoint consider searching for the status of "authentication.*anonymous":{"enabled":false}" by extracting the live configuration from the nodes running kubelet.

**See detailed step-by-step configmap procedures in Reconfigure a Node's Kubelet in a Live Cluster, and check for kubelet configuration changes

kubectl proxy --port=8001 &

export HOSTNAME_PORT=localhost:8001 (example host and port number)
export NODE_NAME=ip-192.168.31.226.ec2.internal (example node name from "kubectl get nodes")

curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"

For all three remediations: Based on the node's service manager (the example below is for systemctl), restart the kubelet service and check status:

systemctl daemon-reload
systemctl restart kubelet.service
systemctl status kubelet -l

References

https://kubernetes.io/docs/admin/kubelet/
https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication
https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/