C-0069 - Disable anonymous access to Kubelet service

Prerequisites

Run Kubescape with host sensor (see here)

Framework

security, ArmoBest, MITRE, NSA, AllControls

Severity

Critical

Description of the the issue

By default, requests to the kubelet's HTTPS endpoint that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of system:anonymous and a group of system:unauthenticated.

Related resources

What does this control test

Reading the kubelet command lines and configuration file looking for anonymous-auth configuration. If this configuration is set on both, the command line values take precedence over it.

Remediation

Start the kubelet with the --anonymous-auth=false flag.

Example

No example