Ensure that the --anonymous-auth argument is set to false (Kubelet)
Disable anonymous requests to the Kubelet server. When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests.
Risk Level: High
Cloud Entity: Node
CloudGuard Rule ID: D9.K8S.IAM.02
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
KubernetesNode where not kubeletData isEmpty() should have kubeletData.kubeletconfig.authentication.anonymous.enabled = 'false'
REMEDIATION
- If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
false.
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
- If using the api configz endpoint consider searching for the status of authentication...
anonymous.enabled.false} by extracting the live configuration from the nodes running
kubelet.
**See detailed step-by-step configmap procedures in
https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/
References
- https://kubernetes.io/docs/admin/kubelet/
- https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication
- https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/ (EKS)
Node
A node is a worker machine in Kubernetes, previously known as a minion. A node may be a VM or physical machine, depending on the cluster. Each node contains the services necessary to run pods and is managed by the master components. The services on a node include the container runtime, kubelet and kube-proxy.
Compliance Frameworks
- CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
- CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0
- CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0
- CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.3.0
- CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0
- CIS Google Kubernetes Engine (GKE) Benchmark v1.4.0
- CIS Kubernetes Benchmark v1.20
- CIS Kubernetes Benchmark v1.23
- CIS Kubernetes Benchmark v1.24
- CIS Kubernetes Benchmark v1.4.0
- CIS Kubernetes Benchmark v1.5.1
- CIS Kubernetes Benchmark v1.6.1
- CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.3.0
- CIS OpenShift Container Platform v4 Benchmark v1.1.0
- CIS OpenShift Container Platform v4 Benchmark v1.4.0
- Kubernetes NIST.SP.800-190
- Kubernetes v.1.13 CloudGuard Best Practices
- Kubernetes v.1.14 CloudGuard Best Practices
- OpenShift Container Platform v3
Updated 7 months ago