Profile Applicability:
Level 1
Description:
The --read-only-port argument in Kubernetes controls whether the Kubelet exposes a read-only HTTP server on a specified port. This check ensures that the --read-only-port argument is set to 0, which disables the read-only port and prevents unnecessary exposure of sensitive Kubelet information over HTTP.
Rationale:
The --read-only-port argument, if set to a non-zero value, exposes a read-only HTTP server that provides access to various Kubelet metrics and status information. This information can be useful for debugging and monitoring purposes, but it can also present a security risk if exposed to unauthorized users, as it could provide sensitive cluster information. Setting the --read-only-port argument to 0 ensures that this read-only HTTP server is disabled, improving the security posture of the cluster.
Impact:
Pros:
Reduces the attack surface by ensuring that sensitive Kubelet metrics and status information are not exposed over HTTP.
Prevents unauthorized access to potentially sensitive cluster information.
Enhances the overall security by disabling unnecessary services on the Kubelet.
Cons:
Might limit debugging or monitoring tools that rely on this read-only port for accessing Kubelet status information.
Default Value:
By default, the --read-only-port argument is set to a non-zero value (e.g., 10255), exposing the read-only HTTP server. This check ensures it is set to 0, disabling the service.
Pre-requisites:
Ensure that the Kubelet configuration is properly set and that unnecessary read-only ports are disabled to prevent the exposure of sensitive data.
Test Plan:
Using Azure Console:
1. Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.
2. Review the Kubelet configuration to ensure that the --read-only-port argument is set to 0.
3. Verify that the Kubelet is not exposing any unnecessary services over HTTP by confirming that the read-only port is disabled.
Using Azure CLI:
1. On the node, run the following command to check whether the --read-only-port argument is set on the Kubelet process (the Kubelet runs as a systemd service on each node, not as a pod; the "--" stops grep from reading the flag as one of its own options):
ps -ef | grep kubelet | grep -- '--read-only-port'
2. Ensure that the --read-only-port argument is set to 0. If the flag is absent, check the readOnlyPort setting in the Kubelet configuration file instead, since the built-in default (10255) applies when neither sets it; the read-only HTTP server is disabled only when the effective value is 0.
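As an added example (not from the benchmark or from any Azure or Kubernetes tool), the POSIX shell functions below resolve the effective read-only port the way the Kubelet does: the command-line flag first, then readOnlyPort in the KubeletConfiguration file, then the built-in default of 10255. The sample command line and config text are constructed, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the benchmark text): decide whether a Kubelet's
# read-only port is disabled, from the process command line and, if the flag
# is absent, from the KubeletConfiguration file. Flags take precedence over
# the config file, which is how the Kubelet itself resolves them; if neither
# sets it, the Kubelet default of 10255 applies and the check fails.

# extract_flag_port CMDLINE -> prints N from "--read-only-port=N" or
# "--read-only-port N", or nothing if the flag is absent.
extract_flag_port() {
  printf '%s\n' "$1" | sed -n 's/.*--read-only-port[= ]\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# extract_config_port YAML_TEXT -> prints N from a "readOnlyPort: N" line.
extract_config_port() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*readOnlyPort:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# effective_port CMDLINE YAML_TEXT -> prints the port the Kubelet will use.
effective_port() {
  port=$(extract_flag_port "$1")
  [ -z "$port" ] && port=$(extract_config_port "$2")
  [ -z "$port" ] && port=10255   # Kubelet built-in default when nothing sets it
  printf '%s\n' "$port"
}

# check_read_only_port CMDLINE YAML_TEXT -> returns 0 (PASS) if the effective
# port is 0, 1 (FAIL) otherwise; prints a one-line verdict.
check_read_only_port() {
  port=$(effective_port "$1" "$2")
  if [ "$port" = "0" ]; then
    printf 'PASS: read-only port disabled (readOnlyPort=0)\n'
    return 0
  fi
  printf 'FAIL: read-only port enabled (readOnlyPort=%s)\n' "$port"
  return 1
}

# Constructed sample inputs. On a real node you would use
#   CMDLINE=$(ps -o args= -C kubelet)  and the file named by its --config flag.
SAMPLE_CMDLINE='/usr/local/bin/kubelet --config=/var/lib/kubelet/config.yaml --v=2'
SAMPLE_CONFIG='apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
readOnlyPort: 0'
check_read_only_port "$SAMPLE_CMDLINE" "$SAMPLE_CONFIG"
```

Run it on each node with the real command line and config file; the exit status is what a fleet-wide audit script would collect.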
Implementation Plan:
Using Azure Console:
1. In the Azure portal, navigate to your AKS cluster and access the Kubelet configuration.
2. Ensure that the --read-only-port argument is set to 0 to disable the read-only HTTP server:
--read-only-port=0
3. Apply the updated configuration and restart the Kubelet to disable the read-only port:
systemctl restart kubelet
Using Azure CLI:
1. To disable the read-only-port, modify the Kubelet start-up flags:
kubelet --read-only-port=0
2. Apply the changes by restarting the Kubelet:
systemctl restart kubelet
3. Verify on the node that the --read-only-port is correctly set to 0 by running:
ps -ef | grep kubelet | grep -- '--read-only-port=0'
Backout Plan:
Using Azure Console:
1. If disabling the --read-only-port causes issues with legitimate monitoring or debugging tools, revert the changes by setting the --read-only-port to a different port number (e.g., 10255) or re-enable the service.
2. Restart the Kubelet to apply the reverted configuration.
Using Azure CLI:
1. If disabling the --read-only-port causes issues, revert the change by setting it back to the default port:
kubelet --read-only-port=10255
2. Restart the Kubelet:
systemctl restart kubelet
References:
Kubernetes Kubelet Security Best Practices