lacework-global-323
3.2.4 Ensure that the --read-only-port is secured (Automated)
note
This rule has been changed to automated, see Automated Rules for CIS Amazon EKS 1.1.0 for details.
Profile Applicability
• Level 1
Description
Disable the read-only port.
Rationale
The Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster.
Impact
Removal of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API.
Audit
If using a Kubelet configuration file, check that there is an entry for authentication: anonymous: enabled
set to 0
.
First, SSH to the relevant node:
Run the following command on each node to find the appropriate Kubelet config file:
ps -ef | grep kubelet
The output of the above command should return something similar to --config /etc/kubernetes/kubelet/kubelet-config.json
which is the location of the Kubelet config file.
Open the Kubelet config file:
cat /etc/kubernetes/kubelet/kubelet-config.json
Verify that the --read-only-port
argument exists and is set to 0
.
If the --read-only-port
argument is not present, check that there is a Kubelet config file specified by --config
. Check that if there is a readOnlyPort
entry in the file, it is set to 0
.
Remediation
If modifying the Kubelet config file, edit the kubelet-config.json file /etc/kubernetes/kubelet/kubelet-config.json and set the "readOnlyPort" parameter to 0.
If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf
on each worker node and add the below parameter at the end of the KUBELET_ARGS
variable string:
--read-only-port=0
For either remediation method: Based on the node's service manager (the example below is for systemctl), restart the kubelet service and check status:
systemctl daemon-reload
systemctl restart kubelet.service
systemctl status kubelet -l