C-0069 - Disable anonymous access to Kubelet service

Disable anonymous access to Kubelet service

Note: to enable this control run Kubescape with host sensor (see here)


ArmoBest, NSA, MITRE, AllControls



Description of the the issue

By default, requests to the kubelet's HTTPS endpoint that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of system:anonymous and a group of system:unauthenticated.

Related resources

What does this control test

Reading the kubelet command lines and configuration file looking for anonymous-auth configuration. If this configuration is set on both, the command line values take precedence over it.


Start the kubelet with the --anonymous-auth=false flag.


No example