---
title: An EKS Cluster's Kubelet's read-only port should be disabled
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > An EKS Cluster's Kubelet's read-only
  port should be disabled
---

# An EKS Cluster's Kubelet's read-only port should be disabled
 
## Description{% #description %}

EKS worker node kubelets should disable the unauthenticated read-only port by resolving `readOnlyPort` to `0` in the effective kubelet configuration, so unauthenticated clients cannot retrieve potentially sensitive cluster information from the kubelet. A nonzero value such as `10255` means the read-only service is serving without authentication or authorization; an absent value commonly resolves to the disabled default of `0`.

## Remediation{% #remediation %}

1. Set `readOnlyPort: 0` in the effective kubelet configuration through a supported node bootstrap path — [launch template](https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html) user data, `NodeConfig`, or a custom AMI — instead of editing the kubelet config file on the host.
1. Apply the updated launch template version to the managed node group so EKS replaces the running nodes, then re-audit the live kubelet configuration through the API server `configz` endpoint to confirm `readOnlyPort` is `0`.
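The re-audit in step 2 can be scripted: the following is an added example (not Datadog's rule implementation) that evaluates the `readOnlyPort` value in `configz` responses, treating an explicit `0` and an absent key (kubelet default `0`) as passing and any nonzero port as failing. The `configz` documents below are constructed; in practice each one comes from `kubectl get --raw "/api/v1/nodes/<node>/proxy/configz"`.

```python
"""Evaluate kubelet configz responses for the unauthenticated read-only port."""
import json

DISABLED = 0  # kubelet's built-in default for readOnlyPort is 0 (disabled)


def evaluate_read_only_port(configz_json: str) -> dict:
    """Return a finding (status, port, reason) for one node's configz document."""
    doc = json.loads(configz_json)
    kubelet = doc.get("kubeletconfig", {})
    if "readOnlyPort" not in kubelet:
        # Absent key: the kubelet applies its default of 0, but report it
        # separately so an explicit setting can be enforced if desired.
        return {"status": "pass", "port": DISABLED,
                "reason": "readOnlyPort absent; kubelet default is 0"}
    port = kubelet["readOnlyPort"]
    if isinstance(port, bool) or not isinstance(port, int):
        return {"status": "error", "port": port,
                "reason": "readOnlyPort is not an integer"}
    if port == DISABLED:
        return {"status": "pass", "port": port,
                "reason": "read-only port explicitly disabled"}
    return {"status": "fail", "port": port,
            "reason": f"unauthenticated read-only port serving on {port}"}


def audit_nodes(configz_by_node: dict) -> dict:
    """Evaluate every node's configz document; keys are node names."""
    return {node: evaluate_read_only_port(raw) for node, raw in configz_by_node.items()}


# Constructed sample configz responses, trimmed to the relevant key.
# Real responses carry the full KubeletConfiguration under "kubeletconfig".
SAMPLE_CONFIGZ = {
    "ip-10-0-1-10.ec2.internal": '{"kubeletconfig": {"kind": "KubeletConfiguration", "readOnlyPort": 10255}}',
    "ip-10-0-1-11.ec2.internal": '{"kubeletconfig": {"kind": "KubeletConfiguration", "readOnlyPort": 0}}',
    "ip-10-0-1-12.ec2.internal": '{"kubeletconfig": {"kind": "KubeletConfiguration"}}',
}

if __name__ == "__main__":
    for node, finding in audit_nodes(SAMPLE_CONFIGZ).items():
        print(f"{node}: {finding['status'].upper()} ({finding['reason']})")
```

Any node reported as `FAIL` still has nodes running a pre-remediation launch template version and should be cycled before the rule is considered resolved.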

## References{% #references %}

- [Amazon EKS managed node groups](https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html)
- [Kubelet configuration (v1beta1)](https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/)
- [CIS Amazon EKS Benchmark](https://www.cisecurity.org/benchmark/kubernetes)
