Ensure that the --cadvisor-port argument is set to 0 (Kubelet)
Disable cAdvisor. cAdvisor provides potentially sensitive data and there's currently no way to block access to it using anything other than iptables. It does not require authentication/authorization to connect to the cAdvisor port. Hence, you should disable the port.
Risk Level: High
Cloud Entity: Node
CloudGuard Rule ID: D9.K8S.OPE.04
Covered by Spectral: No
Category: Compute
GSL LOGIC
KubernetesNode should have (kubeletData.kubeletconfig.--cadvisor-port= '0') or (kubeletData.kubeletconfig.--cadvisor-port isEmpty())
REMEDIATION
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
--cadvisor-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
Node
A node is a worker machine in Kubernetes, previously known as a minion. A node may be a VM or physical machine, depending on the cluster. Each node contains the services necessary to run pods and is managed by the master components. The services on a node include the container runtime, kubelet and kube-proxy.
Compliance Frameworks
- CIS Kubernetes Benchmark v1.4.0
- Kubernetes NIST.SP.800-190
- Kubernetes v.1.13 CloudGuard Best Practices
- Kubernetes v.1.14 CloudGuard Best Practices
Updated over 1 year ago