Details

Disable the read-only port.

Rationale:

The Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster.

Impact:

Removal of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API.

Solution

If using a Kubelet config file, edit the file to set readOnlyPort to 0.
If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.

–read-only-port=0

Based on your system, restart the kubelet service. For example:

systemctl daemon-reload
systemctl restart kubelet.service

Default Value:

By default, –read-only-port is set to 10255/TCP. However, if a config file is specified by –config the default value for readOnlyPort is 0.

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/3371https://workbench.cisecurity.org/files/3371https://workbench.cisecurity.org/files/3371

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Unix.

References

• 800-53|CM-7b.
• CSCv6|9.1
• CSCv7|9.2

Source

• Tenable.com/audits