Note: to enable this control run Kubescape with host sensor (see here)
The Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster.
Disable the read-only port.
Run the following command on each node:
ps -ef | grep kubelet
Verify that the
--read-only-port argument exists and is set to
--read-only-port argument is not present, check that there is a Kubelet config file specified by
--config. Check that if there is a
readOnlyPort entry in the file, it is set to
If using a Kubelet config file, edit the file to set
If using command line arguments, edit the kubelet service file
/etc/kubernetes/kubelet.conf on each worker node and set the below parameter in
Based on your system, restart the
kubelet service. For example:
systemctl daemon-reload systemctl restart kubelet.service
Removal of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API.
--read-only-port is set to
10255/TCP. However, if a config file is specified by
--config the default value for
readOnlyPort is 0.
Updated 21 days ago