Profile Applicability:

  • Level 1

Description:
 The --read-only-port flag in Kubernetes specifies the port on which the API server exposes read-only endpoints. These endpoints provide access to the status and metrics of the cluster, and if not properly secured, could be exploited. Securing this port ensures that these endpoints are not publicly accessible or vulnerable to unauthorized access.

Rationale:
 Exposing the --read-only-port without proper security controls can allow attackers to gain insight into the cluster’s status and configuration, potentially compromising the security of the entire system. Disabling or properly securing this port minimizes the attack surface.

Impact:

  • Pros:

    • Reduces the risk of exposing sensitive cluster information through publicly accessible read-only endpoints.

    • Enhances the security posture of the Kubernetes API server.

  • Cons:

    • Disabling or restricting access to this port may require additional configuration for monitoring and troubleshooting.

Default Value:
 The default setting for the --read-only-port is typically 10255, which may be open and unprotected by default, making it a security concern.

Pre-requisites:
 Ensure that proper security policies are in place for monitoring and troubleshooting when the --read-only-port is disabled or restricted.

Remediation:

Test Plan:

Using Azure Console:

  1. Access the Kubernetes cluster configuration settings.

  2. Review the kube-apiserver configuration to check if the --read-only-port flag is configured to be disabled or secured.

Using Azure CLI:

  1. Use the following command to check the current configuration of the --read-only-port:

     ps aux | grep kube-apiserver

  2. Ensure that the --read-only-port is either set to 0 (to disable it) or is configured with proper security controls (e.g., firewall rules).

Implementation Plan:

Using Azure Console:

  1. Access the kube-apiserver configuration.

  2. Set the --read-only-port argument to 0 to disable the port, or configure the appropriate security controls to restrict access.

Using Azure CLI:

  1. Update the --read-only-port flag by modifying the kube-apiserver configuration:

     kubectl -n kube-system edit deployment kube-apiserver

  2. Set the --read-only-port to 0 to disable the port:

     --read-only-port=0
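The test and implementation steps above are easier to apply consistently with a small audit script. The one below is an added example, not code from the benchmark page. Two facts it relies on: --read-only-port is a kubelet flag (the kubelet's unauthenticated read-only endpoint, default 10255), and the same value can be set as readOnlyPort in the KubeletConfiguration file, with a command-line flag taking precedence over the file. The script therefore evaluates the flag and the file together and reports PASS only when the effective port is 0. It assumes a node shell where the kubelet process is visible to ps and the config file sits at /var/lib/kubelet/config.yaml (a hypothetical default path for the live-node wrapper; adjust for your distribution or managed-node access path). The weak and corrected configuration fragments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the benchmark page): audit helper for the kubelet
# read-only port. Assumptions: inspection runs on a node where the kubelet
# process is visible to `ps` and/or its KubeletConfiguration file is readable.
# The port is secure only when it resolves to 0; the flag wins over the file.

# Extract the value of --read-only-port from a process command line.
# Prints the value, or nothing if the flag is absent.
# Handles both "--read-only-port=10255" and "--read-only-port 10255".
flag_value() {
    printf '%s\n' "$1" | sed -n 's/.*--read-only-port[= ]\([0-9][0-9]*\).*/\1/p'
}

# Extract readOnlyPort from a KubeletConfiguration YAML file (empty if unset).
config_value() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*readOnlyPort:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1"
}

# effective_port CMDLINE CONFIGFILE -> prints the effective read-only port.
# Precedence: command-line flag > config file > kubelet default (10255).
effective_port() {
    v=$(flag_value "$1")
    [ -n "$v" ] || v=$(config_value "$2")
    [ -n "$v" ] || v=10255
    printf '%s\n' "$v"
}

# check_read_only_port CMDLINE CONFIGFILE
# Returns 0 (PASS) when the port is disabled, 1 (FAIL) otherwise.
check_read_only_port() {
    port=$(effective_port "$1" "$2")
    if [ "$port" = "0" ]; then
        echo "PASS: kubelet read-only port is disabled"
        return 0
    fi
    echo "FAIL: kubelet read-only port is $port (unauthenticated endpoint exposed)"
    return 1
}

# Wrapper for a live node: reads the real kubelet command line from ps.
# The config path is an assumed default; override it if your node differs.
audit_live_node() {
    cmdline=$(ps -eo args | grep '[k]ubelet')
    check_read_only_port "$cmdline" "${1:-/var/lib/kubelet/config.yaml}"
}

# Constructed sample KubeletConfiguration files (not taken from any cluster):
# WEAK_CFG keeps the default open port, FIXED_CFG is the remediated form.
WEAK_CFG=$(mktemp)
FIXED_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
readOnlyPort: 10255
EOF
cat > "$FIXED_CFG" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
readOnlyPort: 0
EOF

# Demonstration on the constructed inputs (a live node would call audit_live_node).
check_read_only_port "/usr/bin/kubelet --config=$WEAK_CFG" "$WEAK_CFG" || true
check_read_only_port "/usr/bin/kubelet --config=$FIXED_CFG" "$FIXED_CFG"
check_read_only_port "/usr/bin/kubelet --read-only-port=0" "$WEAK_CFG"
```

Run it on a node with `audit_live_node` (optionally passing the config path); a FAIL line means the remediation step above has not taken effect, which is also the case when the flag is absent entirely, since the kubelet then falls back to 10255.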

Backout Plan:

Using Azure Console:

  1. If disabling or securing the --read-only-port causes issues, revert the configuration to the original state by re-enabling the port or adjusting security settings as needed.

Using Azure CLI:

  1. Revert the change by enabling the --read-only-port again:

     kubectl -n kube-system edit deployment kube-apiserver

  2. Set the port to the original value (typically 10255) or reconfigure the security settings accordingly.

References:

  1. Kubernetes API Server Security

  2. Kubernetes Authentication and Authorization