Ensure the --read-only-port argument is set to 0

Error: The --read-only-port argument is not set to 0

Bridgecrew Policy ID: BC_K8S_98
Checkov Check ID: CKV_K8S_141
Severity: LOW

The --read-only-port argument is not set to 0

Description

Disable the read-only port. The Kubelet process provides a read-only API in addition to the main Kubelet API. This read-only API accepts unauthenticated requests, so anyone who can reach it could retrieve potentially sensitive information about the cluster. Setting --read-only-port to 0 turns the read-only API off.

Fix - Buildtime

Kubernetes

  • Kind: Pod
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kubelet
    tier: control-plane
  name: kubelet
  namespace: kube-system
spec:
  containers:
  - command:
+   - kubelet
+   - --read-only-port=0
    image: gcr.io/google_containers/kubelet-amd64:v1.6.0
    ...
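The following is an added example, not Bridgecrew's or Checkov's own implementation of CKV_K8S_141: a small Python check that evaluates a parsed Pod manifest the way the policy above describes, treating a missing flag as a failure because the kubelet defaults the read-only port to 10255. The manifests at the bottom are constructed samples; the function and constant names are this example's own.

```python
from typing import Iterable, Optional

FLAG = "--read-only-port"
DEFAULT_READ_ONLY_PORT = 10255  # kubelet's default when the flag is absent


def _flag_value(argv: Iterable[str]) -> Optional[str]:
    """Return the value given to --read-only-port, accepting both the
    '--read-only-port=0' and '--read-only-port 0' forms; None if absent.
    The last occurrence wins, matching how repeated flags override."""
    argv = list(argv)
    value = None
    for i, arg in enumerate(argv):
        if arg.startswith(FLAG + "="):
            value = arg.split("=", 1)[1]
        elif arg == FLAG and i + 1 < len(argv):
            value = argv[i + 1]
    return value


def kubelet_containers(manifest: dict):
    """Yield (name, argv) for each container whose command runs kubelet."""
    for c in manifest.get("spec", {}).get("containers", []):
        argv = list(c.get("command", [])) + list(c.get("args", []))
        if argv and argv[0].rsplit("/", 1)[-1] == "kubelet":
            yield c.get("name", "<unnamed>"), argv


def check_read_only_port(manifest: dict) -> dict:
    """Map container name -> True (passes) if --read-only-port is 0, else False.
    Non-kubelet containers are not evaluated and do not appear in the result."""
    results = {}
    for name, argv in kubelet_containers(manifest):
        value = _flag_value(argv)
        try:
            port = DEFAULT_READ_ONLY_PORT if value is None else int(value)
        except ValueError:  # unparsable value: treat as not disabled
            port = DEFAULT_READ_ONLY_PORT
        results[name] = port == 0
    return results


# Constructed sample manifests (not taken from a real cluster).
COMPLIANT = {"kind": "Pod", "spec": {"containers": [
    {"name": "kubelet", "command": ["kubelet", "--read-only-port=0"]}]}}
EXPLICIT_PORT = {"kind": "Pod", "spec": {"containers": [
    {"name": "kubelet", "command": ["/usr/bin/kubelet"],
     "args": ["--read-only-port", "10255"]}]}}
FLAG_ABSENT = {"kind": "Pod", "spec": {"containers": [
    {"name": "kubelet", "command": ["kubelet", "--anonymous-auth=false"]}]}}
```

This inspects only the command line; a kubelet configured through a KubeletConfiguration file sets the same option with the `readOnlyPort` field, which this check does not read.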