lacework-global-733
Set the --anonymous-auth argument to false (Automated)
Description
Disable anonymous requests to the Kubelet server.
Remediation
Remediation Method 1:
If modifying the Kubelet config file, edit /etc/kubernetes/kubelet/kubelet-config.json
and set the below parameter to false:
"authentication": { "anonymous": { "enabled": false } }
Remediation Method 2:
If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf
on each worker node and add the below parameter at the end of the KUBELET_ARGS variable string:
--anonymous-auth=false
Remediation Method 3:
If using the API configz endpoint, consider searching for the status of "authentication.*anonymous":{"enabled":false}
by extracting the live configuration from the nodes running kubelet.
See detailed step-by-step configmap procedures in https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/, and then look for kubelet configuration changes.
kubectl proxy --port=8001 &
# Example host and port number
export HOSTNAME_PORT=localhost:8001
# Example node name from "kubectl get nodes"
export NODE_NAME=ip-192.168.31.226.ec2.internal
curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"
For all three remediations:
Based on the node's service manager (the example below is for systemctl), reload the daemon:
systemctl daemon-reload
Then restart the kubelet service:
systemctl restart kubelet.service
Finally, inspect the kubelet status to confirm the change:
systemctl status kubelet -l
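The following is an added example, not part of the original policy text, showing one way to check the setting in the JSON from Method 1 or Method 3 and in the argument string from Method 2. The function names and sample inputs are constructed; it assumes the configz response wraps the configuration under "kubeletconfig", that a bare boolean flag means true, and that the last occurrence of a repeated flag wins.

```python
import json
import shlex

def anonymous_enabled_in_json(text):
    """Read authentication.anonymous.enabled from kubelet JSON.

    Accepts kubelet-config.json content or a /configz response, which wraps
    the same structure under "kubeletconfig". Returns True, False, or None
    when the key is absent or not a boolean.
    """
    doc = json.loads(text)
    node = doc.get("kubeletconfig", doc) if isinstance(doc, dict) else None
    for key in ("authentication", "anonymous", "enabled"):
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, bool) else None

def anonymous_enabled_in_args(kubelet_args):
    """Return the last --anonymous-auth value in an argument string, or None."""
    found = None
    for token in shlex.split(kubelet_args):
        if token == "--anonymous-auth":  # assumption: bare boolean flag means true
            found = True
        elif token.startswith("--anonymous-auth="):
            value = token.split("=", 1)[1].lower()
            found = {"1": True, "t": True, "true": True,
                     "0": False, "f": False, "false": False}.get(value)
    return found

def passes_check(value):
    """Fail closed: only an explicit false counts as remediated."""
    return value is False

# Constructed sample inputs (not captured from a real node).
CONFIGZ_OK = ('{"kubeletconfig":{"authentication":{"webhook":{"enabled":true},'
              '"anonymous":{"enabled":false}}}}')
CONFIG_FILE_BAD = '{"authentication": {"anonymous": {"enabled": true}}}'
CONFIG_FILE_UNSET = '{"authentication": {"webhook": {"enabled": true}}}'
ARGS_OK = "--node-ip=192.0.2.10 --anonymous-auth=false"
ARGS_OVERRIDDEN = "--anonymous-auth=false --anonymous-auth"

if __name__ == "__main__":
    for name, value in [
        ("configz", anonymous_enabled_in_json(CONFIGZ_OK)),
        ("config file", anonymous_enabled_in_json(CONFIG_FILE_BAD)),
        ("config file, key unset", anonymous_enabled_in_json(CONFIG_FILE_UNSET)),
        ("args", anonymous_enabled_in_args(ARGS_OK)),
        ("args, later flag wins", anonymous_enabled_in_args(ARGS_OVERRIDDEN)),
    ]:
        print(f"{name}: anonymous={value} -> {'PASS' if passes_check(value) else 'FAIL'}")
```

A missing key is reported as a failure rather than a pass, so a node whose configuration never sets the value explicitly is flagged for review.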
References
https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/
https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/