How to ensure that the kubelet read-only port is set to false

Danish Ahmed 0 Reputation points
2024-07-22T10:22:49.82+00:00

During a recent penetration test of our Azure Kubernetes Service (AKS) cluster, it was identified that Kubelet's read-only API is exposed. This poses a security risk as unauthenticated access to the read-only API can reveal potentially sensitive information about the cluster. We need to know if disabling this read-only API is possible in AKS, and if so, how it can be done.

Here's what we've done thus far, on both the master and worker nodes, with no results.

1. Launched a debug pod in AKS.

2. Opened /etc/systemd/system/kubelet.service.

3. Added --read-only-port=0 under ExecStart=/usr/local/bin/kubelet as an argument.

4. Saved and exited.

5. Opened /var/lib/kubelet/kubeconfig.

6. Added readOnlyPort: 0.

7. Saved and exited.

8. sudo systemctl daemon-reload

9. sudo systemctl restart kubelet

How we tested

kubectl proxy

curl http://127.0.0.1:8001


Even after all the config changes above the curl command returned all the information that it should not.

We have a retest coming up and need to resolve this ASAP.

Kindly assist

Thank you


1 answer

akinbade abiola 16,480 Reputation points
2024-07-23T07:56:33.1166667+00:00

    As AKS is a managed service, you don't have access to modify the master nodes. The changes you've attempted on the master nodes likely didn't take effect due to this.

    The kubectl proxy command proxies requests to the Kubernetes API server, not to the kubelet API.

    You can try this to disable it:

    az aks update --resource-group <RG> --name <Cluster> --set agentPoolProfiles[0].kubeletConfig.readOnlyPort=0

    You can also try a custom kubelet configuration:

    https://learn.microsoft.com/en-us/azure/aks/custom-node-configuration?tabs=linux-node-pools

    If this does not work, I would recommend opening a support case for dedicated assistance.

    You can mark it 'Accept Answer' and 'Upvote' if this helped you

    Regards,

    Abiola
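The answer's point about the test method matters: curl against kubectl proxy on 127.0.0.1:8001 talks to the API server and will always return cluster data to an authenticated user, so it says nothing about the kubelet's read-only port. A way to check the kubelet's effective setting without node access is to have the API server proxy to each node's kubelet /configz endpoint (kubectl get --raw /api/v1/nodes/NODE/proxy/configz), which returns the running KubeletConfiguration including readOnlyPort. The following is an added example, not code from the question or the answer; it assumes kubectl is on PATH with a context for the cluster and that the caller has nodes/proxy permission. The sample /configz documents embedded below are constructed for offline use.

```python
"""Report the kubelet read-only port for every node via the API server's node proxy.

Added example: the kubectl commands and the /configz endpoint are standard Kubernetes;
the sample JSON documents are constructed, not captured from a real cluster.
"""
import json
import shutil
import subprocess
from typing import Dict, List, Optional

# Constructed sample of what /api/v1/nodes/<node>/proxy/configz returns (trimmed to the
# relevant keys). The real document carries the full KubeletConfiguration.
SAMPLE_CONFIGZ_OPEN = json.dumps({
    "kubeletconfig": {"kind": "KubeletConfiguration", "port": 10250, "readOnlyPort": 10255}
})
SAMPLE_CONFIGZ_CLOSED = json.dumps({
    "kubeletconfig": {"kind": "KubeletConfiguration", "port": 10250, "readOnlyPort": 0}
})


def read_only_port_from_configz(configz_json: str) -> Optional[int]:
    """Return the readOnlyPort from a kubelet /configz document.

    Returns None when the key is absent rather than guessing a default, so the caller
    can flag the node as 'not verified' instead of 'closed'.
    """
    doc = json.loads(configz_json)
    kubelet_cfg = doc.get("kubeletconfig", {})
    if "readOnlyPort" not in kubelet_cfg:
        return None
    return int(kubelet_cfg["readOnlyPort"])


def evaluate(node: str, configz_json: str) -> Dict[str, object]:
    """Classify one node: 'closed' (port 0), 'open' (non-zero), or 'unknown' (key missing)."""
    port = read_only_port_from_configz(configz_json)
    if port is None:
        status = "unknown"
    elif port == 0:
        status = "closed"
    else:
        status = "open"
    return {"node": node, "readOnlyPort": port, "status": status}


def list_nodes() -> List[str]:
    """Node names from the current kubectl context."""
    out = subprocess.check_output(
        ["kubectl", "get", "nodes", "-o", "jsonpath={.items[*].metadata.name}"], text=True
    )
    return out.split()


def fetch_configz(node: str) -> str:
    """Ask the API server to proxy to the node's kubelet and return its /configz body.

    This goes through the API server's authenticated node proxy, which is why it works
    even though the kubelet's own read-only port may (and should) be disabled.
    """
    return subprocess.check_output(
        ["kubectl", "get", "--raw", f"/api/v1/nodes/{node}/proxy/configz"], text=True
    )


def audit_cluster() -> List[Dict[str, object]]:
    """Evaluate every node in the cluster; requires kubectl and nodes/proxy permission."""
    return [evaluate(node, fetch_configz(node)) for node in list_nodes()]


if __name__ == "__main__":
    if shutil.which("kubectl") is None:
        # Offline demonstration on the constructed samples.
        results = [evaluate("sample-open", SAMPLE_CONFIGZ_OPEN),
                   evaluate("sample-closed", SAMPLE_CONFIGZ_CLOSED)]
    else:
        results = audit_cluster()
    for r in results:
        print(f"{r['node']}: readOnlyPort={r['readOnlyPort']} ({r['status']})")
    if any(r["status"] != "closed" for r in results):
        raise SystemExit(1)
```

Any node reporting open (or unknown) is a finding to fix on the node pool configuration rather than on the node itself, since AKS reimages nodes and edits made inside a debug pod do not persist. The exit code makes the script usable as a gate before the retest.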
