Workload misconfigurations

Kubernetes node’s kubelet read-only-port is enabled

Platform(s)
  • Non-platform specific

Compliance Frameworks
  • AKS CIS
  • ,
  • CCPA
  • ,
  • CPRA
  • ,
  • EKS CIS
  • ,
  • GKE CIS
  • ,
  • iso_27001_2022
  • ,
  • iso_27002_2022
  • ,
  • K8s CIS
  • ,
  • K8s OWASP Top 10
  • ,
  • NIST 800-171
  • ,
  • NIST 800-190
  • ,
  • NIST 800-53
  • ,
  • PDPA
  • ,
  • UK Cyber Essentials

Description

The kubelet reads various parameters, including security settings, from a config file. The Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster. Orca has detected that the readOnlyPort is not turned off (has a value different than 0) on {K8sNode.Vm}.