C-0069 - Disable anonymous access to Kubelet service
Prerequisites
Run Kubescape with host sensor (see here)
Framework
AllControls, ArmoBest, security, MITRE, NSA
Severity
Critical
Description of the the issue
By default, requests to the kubelet's HTTPS endpoint that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of system:anonymous and a group of system:unauthenticated.
Related resources
What does this control test
Reading the kubelet command lines and configuration file looking for anonymous-auth configuration. If this configuration is set on both, the command line values take precedence over it.
Remediation
Start the kubelet with the --anonymous-auth=false flag.
Example
No example
Updated about 2 months ago