C-0175 - Verify that the --read-only-port argument is set to 0

Prerequisites

Run Kubescape with host sensor (see here)

Framework

cis-v1.23-t1.0.1, cis-aks-t1.2.0, cis-eks-t1.2.0

Severity

Medium

Description of the the issue

The Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster.

Related resources

What does this control test

Disable the read-only port.

How to check it manually

Run the following command on each node:

ps -ef | grep kubelet

Verify that the --read-only-port argument exists and is set to 0.

If the --read-only-port argument is not present, check that there is a Kubelet config file specified by --config. Check that if there is a readOnlyPort entry in the file, it is set to 0.

Remediation

If using a Kubelet config file, edit the file to set readOnlyPort to 0.

If using command line arguments, edit the kubelet service file /etc/kubernetes/kubelet.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.

--read-only-port=0

Based on your system, restart the kubelet service. For example:

systemctl daemon-reload
systemctl restart kubelet.service

Impact Statement

Removal of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API.

Default Value

By default, --read-only-port is set to 10255/TCP. However, if a config file is specified by --config the default value for readOnlyPort is 0.

Example

No example