Run Kubescape with host sensor (see here)
cis-aks-t1.2.0, cis-eks-t1.2.0, cis-v1.23-t1.0.1
When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests.
Disable anonymous requests to the Kubelet server.
If using a Kubelet configuration file, check that there is an entry for
authentication: anonymous: enabled set to
Run the following command on each node:
ps -ef | grep kubelet
Verify that the
--anonymous-auth argument is set to
This executable argument may be omitted, provided there is a corresponding entry set to
false in the Kubelet config file.
If using a Kubelet config file, edit the file to set
authentication: anonymous: enabled to
If using executable arguments, edit the kubelet service file
/etc/kubernetes/kubelet.conf on each worker node and set the below parameter in
Based on your system, restart the
kubelet service. For example:
systemctl daemon-reload systemctl restart kubelet.service
Anonymous requests will be rejected.
By default, anonymous access is enabled.
Updated 6 days ago