
Metadata

Id: kubernetes-kubelet-read-only-port-is-not-set-to-zero

Platform: Kubernetes

Severity: Medium

Category: Networking and Firewall

Description

When running kubelet, set the read-only port to 0 by passing --read-only-port=0. This rule detects containers that invoke kubelet with a --read-only-port flag whose value is not 0, and KubeletConfiguration resources whose readOnlyPort attribute is not 0. Setting the port to 0 disables it, so the kubelet's unauthenticated read-only HTTP endpoint is never exposed.

Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: kubelet-demo
  labels:
    purpose: kubelet-demo
spec:
  containers:
    - name: kubelet-demo-container
      image: foo/bar
      command: ["kubelet"]
      args: ["--read-only-port=0"]
  restartPolicy: OnFailure
---
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: foo/bar
      command: ["kubelet", "--read-only-port=0"]
  restartPolicy: OnFailure
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: "192.168.0.8"
port: 20250
serializeImagePulls: false
evictionHard:
  memory.available: "200Mi"
readOnlyPort: 0

Non-Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: foo/bar
      command: ["kubelet"]
      args: ["--read-only-port=1"]
  restartPolicy: OnFailure
---
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: foo/bar
      command: ["kubelet", "--read-only-port=1"]
  restartPolicy: OnFailure
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: "192.168.0.8"
port: 20250
serializeImagePulls: false
evictionHard:
  memory.available: "200Mi"
readOnlyPort: 1
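The check described above, as an added example that is not Datadog's scanner code: it evaluates both manifest kinds the rule covers, reads the flag from command and args combined (in either --read-only-port=N or --read-only-port N form), and treats a missing flag or missing readOnlyPort as a finding because the kubelet default for that port is 10255. The manifests are the page's examples already loaded from YAML into dicts, constructed here so the script runs without a YAML library.

```python
import os

# The page's Pod and KubeletConfiguration examples, pre-loaded from YAML into dicts
# (constructed inline so this runs with the standard library only).
COMPLIANT_POD = {"kind": "Pod", "spec": {"containers": [
    {"name": "kubelet-demo-container", "command": ["kubelet"], "args": ["--read-only-port=0"]}]}}
NONCOMPLIANT_POD = {"kind": "Pod", "spec": {"containers": [
    {"name": "command-demo-container", "command": ["kubelet", "--read-only-port=1"]}]}}
COMPLIANT_CFG = {"kind": "KubeletConfiguration", "readOnlyPort": 0}
NONCOMPLIANT_CFG = {"kind": "KubeletConfiguration", "readOnlyPort": 1}


def read_only_port_from_argv(argv):
    """Return the --read-only-port value from a kubelet argv as a string, or None if absent.

    Handles both "--read-only-port=N" and "--read-only-port N"; the last occurrence wins.
    """
    value, i = None, 0
    while i < len(argv):
        if argv[i].startswith("--read-only-port="):
            value = argv[i].split("=", 1)[1]
        elif argv[i] == "--read-only-port" and i + 1 < len(argv):
            i += 1
            value = argv[i]
        i += 1
    return value


def check_document(doc):
    """Return a list of finding strings for one manifest; an empty list means compliant."""
    findings = []
    kind = doc.get("kind")
    if kind == "KubeletConfiguration":
        port = doc.get("readOnlyPort")
        if port is None:
            findings.append("KubeletConfiguration: readOnlyPort unset (kubelet defaults to 10255)")
        elif port != 0:
            findings.append(f"KubeletConfiguration: readOnlyPort is {port}, expected 0")
    elif kind == "Pod":
        for c in doc.get("spec", {}).get("containers", []):
            # kubelet reads its flags from command and args together.
            argv = list(c.get("command", [])) + list(c.get("args", []))
            if not argv or os.path.basename(argv[0]) != "kubelet":
                continue  # not a kubelet container, so the rule does not apply
            port = read_only_port_from_argv(argv)
            if port is None:
                findings.append(f"container {c['name']}: no --read-only-port flag (kubelet defaults to 10255)")
            elif port != "0":
                findings.append(f"container {c['name']}: --read-only-port={port}, expected 0")
    return findings
```

Running check_document over each of the four constructed manifests reports the two non-compliant ones and returns an empty list for the two compliant ones.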