Kubelet read-only port is not set to zero

Este producto no es compatible con el sitio Datadog seleccionado. ().
Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Metadata

Id: 2940d48a-dc5e-4178-a3f8-bfbd80720b41

Cloud Provider: Kubernetes

Platform: Kubernetes

Severity: Medium

Category: Networking and Firewall

Learn More

Description

When running kubelet, the read-only port should be set to 0 by specifying --read-only-port=0. This rule detects containers that invoke kubelet with a --read-only-port flag not set to 0, and KubeletConfiguration resources whose readOnlyPort attribute is not 0. Disabling the read-only port prevents exposure of the unauthenticated read-only HTTP endpoint.

Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: kubelet-demo
  labels:
    purpose: kubelet-demo
spec:
  containers:
    - name: kubelet-demo-container
      image: foo/bar
      command: ["kubelet"]
      args: ["--read-only-port=0"]
  restartPolicy: OnFailure

{
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "address": "192.168.0.8"
  }

{
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "address": "192.168.0.8",
    "readOnlyPort": 0
  }

Non-Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: foo/bar
      command: ["kubelet", "--read-only-port=1"]
  restartPolicy: OnFailure

apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: "192.168.0.8"
port: 20250
serializeImagePulls: false
evictionHard:
  memory.available: "200Mi"
readOnlyPort: 1

{
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "address": "192.168.0.8",
    "readOnlyPort": 1
  }