Profile Applicability:
 • Level 1

Description:
 Disable the Kubelet’s read-only port to prevent unauthenticated access to potentially sensitive information about the cluster.

Rationale:
 The Kubelet exposes a read-only API that could be accessed without authentication, allowing attackers to retrieve potentially sensitive data. Disabling the read-only port helps mitigate the risk of exposure, ensuring that only authenticated requests can interact with the Kubelet.

Impact:
 Pros:

  • Prevents unauthorized access to Kubelet data through the read-only port.

  • Improves the security posture of the Kubernetes cluster by ensuring all API interactions are authenticated.

Cons:

  • Any services relying on the read-only port will need to be reconfigured to use the main Kubelet API.

Default Value:
 By default, the --read-only-port may be enabled, allowing unauthenticated access. This needs to be disabled for enhanced security.

Pre-requisites:

  • SSH or Session Manager access to the worker nodes.

  • Permissions to modify Kubelet configuration files or service arguments.

  • Kubernetes access to verify changes.

Remediation

Test Plan:

Using AWS Console:

  1. Navigate to Amazon EC2 > Instances, and connect to each worker node using Session Manager or EC2 Instance Connect.

  2. Run the following command to find the Kubelet process:
    ps -ef | grep kubelet

  3. Identify the configuration file path from the command output (look for --config).

  4. Open the Kubelet configuration file using:
    cat /etc/kubernetes/kubelet/kubelet-config.json

  5. Confirm the --read-only-port argument is set to 0.

    • If not present, check the readOnlyPort entry in the file and ensure it is set to 0.

Using AWS CLI:

  1. Get the list of nodes in your cluster:
    kubectl get nodes

  2. Start a proxy for the Kubernetes API:
    kubectl proxy --port=8080

  3. In a new terminal, for each node, run:
    export NODE_NAME=my-node-name
    curl http://localhost:8080/api/v1/nodes/${NODE_NAME}/proxy/configz

  4. Verify that readOnlyPort is set to 0 in the returned JSON.
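As an added example (not part of this benchmark text), a small Python checker that applies the Test Plan logic above to both artifacts it inspects: the Kubelet command line from ps -ef, and either the kubelet-config.json file or the /configz response (which wraps the configuration under a kubeletconfig key). A --read-only-port flag, when present, overrides the configuration file, so the checker reports it first; the sample process line and configuration documents below are constructed for illustration.

```python
import re
import shlex

# Matches "--read-only-port=N" or a bare "--read-only-port" followed by N.
FLAG_RE = re.compile(r"^--read-only-port(?:=(\d+))?$")


def flag_read_only_port(cmdline: str):
    """Return the --read-only-port value from a Kubelet command line, or None if absent."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        m = FLAG_RE.match(arg)
        if m:
            if m.group(1) is not None:
                return int(m.group(1))
            if i + 1 < len(args) and args[i + 1].isdigit():
                return int(args[i + 1])
    return None


def config_read_only_port(doc: dict):
    """Return readOnlyPort from a kubelet-config.json document or a /configz response, or None."""
    cfg = doc.get("kubeletconfig", doc)  # /configz nests the configuration one level down
    return cfg.get("readOnlyPort")


def assess(cmdline: str, config_doc: dict):
    """Flag takes precedence over file; absent in both is reported as not confirmed."""
    flag = flag_read_only_port(cmdline)
    if flag is not None:
        return ("PASS" if flag == 0 else "FAIL", "flag", flag)
    port = config_read_only_port(config_doc)
    if port is None:
        return ("NOT CONFIRMED", "config", None)
    return ("PASS" if port == 0 else "FAIL", "config", port)


# Constructed samples (not real node output).
SAMPLE_PS = ("root 1234 1 0 10:00 ? 00:01:02 /usr/bin/kubelet "
             "--config /etc/kubernetes/kubelet/kubelet-config.json --read-only-port=0")
SAMPLE_CONFIGZ = {"kubeletconfig": {"kind": "KubeletConfiguration", "readOnlyPort": 10255}}
SAMPLE_FILE = {"kind": "KubeletConfiguration", "readOnlyPort": 0}

if __name__ == "__main__":
    print(assess(SAMPLE_PS, SAMPLE_CONFIGZ))        # flag wins: PASS
    print(assess("/usr/bin/kubelet", SAMPLE_CONFIGZ))  # file says 10255: FAIL
```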

Implementation Plan

Using AWS Console:

  1. SSH into each worker node and find the Kubelet configuration file via ps -ef | grep kubelet.

  2. Open the configuration file and add or modify the readOnlyPort entry to be 0.

  3. Save the changes and restart the Kubelet service.

Using AWS CLI:

  1. Locate and open the configuration file on the worker node.

  2. Set the readOnlyPort value to 0 in the configuration file.

  3. If using systemd, modify the Kubelet service file at /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf. Add the following line:
    --read-only-port=0

  4. Reload systemd and restart the Kubelet service:
    systemctl daemon-reload
    systemctl restart kubelet.service
    systemctl status kubelet -l

Backout Plan

Using AWS Console:

  1. If issues arise after disabling the read-only port, revert the changes made to the Kubelet configuration or systemd service.

  2. Restart the Kubelet service.

Using AWS CLI:

  1. Re-enable the read-only port by removing --read-only-port=0 or changing the readOnlyPort entry back to its default value.

  2. Restart the Kubelet service:

    systemctl daemon-reload
    systemctl restart kubelet.service

References: