Ensure that the --cadvisor-port argument is set to 0 (Kubelet)

Disable cAdvisor. cAdvisor provides potentially sensitive data and there's currently no way to block access to it using anything other than iptables. It does not require authentication/authorization to connect to the cAdvisor port. Hence, you should disable the port.

Risk Level: High
Cloud Entity: Node
CloudGuard Rule ID: D9.K8S.OPE.04
Covered by Spectral: No
Category: Compute

GSL LOGIC

KubernetesNode should have (kubeletData.kubeletconfig.--cadvisor-port= '0') or (kubeletData.kubeletconfig.--cadvisor-port isEmpty())

REMEDIATION

Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
--cadvisor-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service

Node

A node is a worker machine in Kubernetes, previously known as a minion. A node may be a VM or physical machine, depending on the cluster. Each node contains the services necessary to run pods and is managed by the master components. The services on a node include the container runtime, kubelet and kube-proxy.

Compliance Frameworks

  • CIS Kubernetes Benchmark v1.4.0
  • Kubernetes NIST.SP.800-190
  • Kubernetes v.1.13 CloudGuard Best Practices
  • Kubernetes v.1.14 CloudGuard Best Practices