amazon-eks-ami

Ensure that the --read-only-port argument is set to 0 - CIS Kubernetes Benchmark in EKS

Open KR411-prog opened this issue 4 years ago • 1 comment

When running kube-bench for an EKS cluster, I am getting the below issue in the kube-bench report.

Ensure that the --read-only-port argument is set to 0

Based on section 4.2.4 of the CIS Kubernetes Benchmark v1.5.1, the Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster.

By default, it looks like the read-only port is disabled in the EKS cluster. I don't find 10255 listening on the worker node, so I'm not sure why this error is reported in the CIS benchmark report. Please advise whether I can ignore this or whether it is necessary to set readOnlyPort to 0.

netstat -anp | grep 10255 --> no output on worker node

ps -ef |grep kubelet
root      3760     1  2 May18 ?        01:32:08 /usr/bin/kubelet --node-ip=10.73.32.208 --node-labels=node.kubernetes.io/instancegroup=default,pool=default,alpha.eksctl.io/cluster-name=radeks4-project,alpha.eksctl.io/nodegroup-name=ng-default-amazon-eks-node-1-15-v20200507,alpha.eksctl.io/instance-id=i-0fcbec2066e1b64b8 --max-pods=64 --register-node=true --register-with-taints= --cloud-provider=aws --container-runtime=docker --network-plugin=cni --cni-bin-dir=/opt/cni/bin --cni-conf-dir=/etc/cni/net.d --pod-infra-container-image=602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/pause-amd64:3.1 --kubeconfig=/etc/eksctl/kubeconfig.yaml --config=/etc/eksctl/kubelet.yaml
root     20397  3340  0 04:32 ?        00:00:00 grep --color=auto kubelet
nfsnobo+ 31770 31719  0 May20 ?        00:00:14 /bin/operator --manage-crds=true --kubelet-service=kube-system/prometheus-operator-kubelet --logtostderr=true --localhost=127.0.0.1 --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.38.1 --config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1 --config-reloader-cpu=100m --config-reloader-memory=25Mi
cat /etc/eksctl/kubelet.yaml
address: 0.0.0.0
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 2m0s
    enabled: true
  x509:
    clientCAFile: /etc/eksctl/ca.crt
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 5m0s
    cacheUnauthorizedTTL: 30s
cgroupDriver: cgroupfs
clusterDNS:
- 172.20.0.10

Environment: Test

  • AWS Region: us-west-2
  • Kubernetes version: 1.15

KR411-prog, May 21 '20 05:05
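An added example, not from the issue or the amazon-eks-ami project, that resolves the kubelet's effective read-only port from its command line and config file and mirrors a check that only passes on an explicit 0. The --read-only-port flag defaults to 10255, but the KubeletConfiguration field readOnlyPort defaults to 0, which is why nothing listens on 10255 on the node above while the report still fails. The simplified YAML lookup and the sample inputs (trimmed from the output in this issue) are constructed for the example.

```python
import re

# Kubelet defaults differ by source: the --read-only-port flag defaults to 10255,
# while the KubeletConfiguration file field readOnlyPort defaults to 0 (disabled).
FLAG_DEFAULT = 10255
CONFIG_DEFAULT = 0

# Constructed sample input: the kubelet command line and config from the issue, trimmed.
SAMPLE_CMDLINE = ("/usr/bin/kubelet --node-ip=10.73.32.208 --cloud-provider=aws "
                  "--kubeconfig=/etc/eksctl/kubeconfig.yaml --config=/etc/eksctl/kubelet.yaml")
SAMPLE_CONFIG = """address: 0.0.0.0
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
"""

def flag_value(cmdline, name):
    """Value of --<name>=VALUE (or --<name> VALUE) on the command line, or None if absent."""
    m = re.search(r"--%s(?:=|\s+)(\S+)" % re.escape(name), cmdline)
    return m.group(1) if m else None

def config_read_only_port(config_text):
    """Top-level readOnlyPort from a kubelet config file (simplified YAML lookup), or None."""
    m = re.search(r"^readOnlyPort:\s*(\d+)\s*$", config_text, re.MULTILINE)
    return int(m.group(1)) if m else None

def effective_read_only_port(cmdline, config_text=None):
    """Port the kubelet will actually use, plus where it came from; flags override the file."""
    flag = flag_value(cmdline, "read-only-port")
    if flag is not None:
        return int(flag), "flag"
    if flag_value(cmdline, "config") is not None and config_text is not None:
        port = config_read_only_port(config_text)
        if port is not None:
            return port, "config"
        return CONFIG_DEFAULT, "config-default"
    return FLAG_DEFAULT, "flag-default"

def cis_4_2_4(cmdline, config_text=None):
    """Check as the report applies it: PASS only when the port is explicitly set to 0."""
    port, source = effective_read_only_port(cmdline, config_text)
    if port == 0 and source in ("flag", "config"):
        return "PASS", port
    if port == 0:
        return "FAIL_NOT_EXPLICIT", port  # disabled in practice, but the check wants it written down
    return "FAIL_ENABLED", port
```

Adding an explicit `readOnlyPort: 0` to the kubelet config file keeps the current behaviour (port disabled) and makes the check pass.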