lacework-global-733

3.2.1 Set the --anonymous-auth argument to false (Automated)

Description

Disable anonymous requests to the Kubelet server.

Remediation

Remediation Method 1:

If modifying the Kubelet config file, edit the kubelet-config.json file /etc/kubernetes/kubelet/kubelet-config.json and set the below parameter to false:

"authentication": { "anonymous": { "enabled": false } }

Remediation Method 2:

If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf on each worker node and add the below parameter at the end of the KUBELET_ARGS variable string.

--anonymous-auth=false

Remediation Method 3:

If using the api configz endpoint, consider searching for the status of "authentication.*anonymous":{"enabled":false} by extracting the live configuration from the nodes running kubelet.

See detailed step-by-step configmap procedures in https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/, and then look for kubelet configuration changes.

kubectl proxy --port=8001 &

export HOSTNAME_PORT=localhost:8001  # example host and port number

export NODE_NAME=ip-192.168.31.226.ec2.internal  # example node name from "kubectl get nodes"

curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"
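
The check from Methods 1 and 3 can be scripted so that it returns a verdict instead of raw JSON. This is an added example, not part of the benchmark text; the function name anonymous_auth_status is hypothetical and both sample documents are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the benchmark): classify a kubelet configuration by
# its authentication.anonymous.enabled value. anonymous_auth_status is a
# hypothetical helper name; both sample documents below are constructed.

# Reads kubelet-config.json or /configz JSON on stdin.
# Prints PASS (false), FAIL (true) or UNSET (no explicit value found).
anonymous_auth_status() {
    local flat setting
    # Drop whitespace so a pretty-printed file and compact configz output
    # are matched by the same pattern.
    flat=$(tr -d '[:space:]')
    # Same search as the pattern above, narrowed to the anonymous block.
    setting=$(printf '%s' "$flat" |
        grep -Eo '"authentication":\{.*"anonymous":\{"enabled":(true|false)\}' |
        grep -Eo '"anonymous":\{"enabled":(true|false)\}' |
        tail -n 1) || true
    case "$setting" in
        *false*) echo PASS ;;
        *true*)  echo FAIL ;;
        *)       echo UNSET ;;
    esac
}

# Constructed sample: compact /configz response with anonymous auth disabled.
SAMPLE_CONFIGZ='{"kubeletconfig":{"authentication":{"x509":{"clientCAFile":"/example/ca.crt"},"webhook":{"enabled":true,"cacheTTL":"2m0s"},"anonymous":{"enabled":false}},"authorization":{"mode":"Webhook"}}}'

# Constructed sample: pretty-printed config file that still allows anonymous requests.
SAMPLE_FILE='{
  "authentication": {
    "anonymous": { "enabled": true }
  }
}'

printf 'configz sample: %s\n' "$(printf '%s' "$SAMPLE_CONFIGZ" | anonymous_auth_status)"
printf 'file sample:    %s\n' "$(printf '%s' "$SAMPLE_FILE" | anonymous_auth_status)"

# Against a live node, through the kubectl proxy started above:
#   curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz" | anonymous_auth_status
```

UNSET is reported separately from PASS so that a configuration with no explicit setting is not counted as compliant.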

For all three remediations:

Based on the node's service manager (the example below is for systemctl), reload the daemon:

systemctl daemon-reload

Then restart the kubelet service:

systemctl restart kubelet.service

Finally, inspect the kubelet status to confirm the change:

systemctl status kubelet -l

References

https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/
https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/