C-0175 - Verify that the --read-only-port argument is set to 0
Prerequisites
Run Kubescape with host sensor (see here)
Framework
cis-v1.23-t1.0.1, cis-aks-t1.2.0, cis-eks-t1.2.0
Severity
Medium
Description of the the issue
The Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster.
Related resources
What does this control test
Disable the read-only port.
How to check it manually
Run the following command on each node:
ps -ef | grep kubelet
Verify that the --read-only-port
argument exists and is set to 0
.
If the --read-only-port
argument is not present, check that there is a Kubelet config file specified by --config
. Check that if there is a readOnlyPort
entry in the file, it is set to 0
.
Remediation
If using a Kubelet config file, edit the file to set readOnlyPort
to 0
.
If using command line arguments, edit the kubelet service file /etc/kubernetes/kubelet.conf
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS
variable.
--read-only-port=0
Based on your system, restart the kubelet
service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
Impact Statement
Removal of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API.
Default Value
By default, --read-only-port
is set to 10255/TCP
. However, if a config file is specified by --config
the default value for readOnlyPort
is 0.
Example
No example
Updated 3 days ago