The kubelet read-only port should be disabled

Description

The read-only port should be disabled. The Kubelet process serves a read-only API in addition to the main Kubelet API. This read-only API accepts unauthenticated requests, so anyone who can reach the port could retrieve potentially sensitive information about the cluster.

Remediation

  1. If using a Kubelet config file, edit the file to set readOnlyPort to 0.
  2. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in the KUBELET_SYSTEM_PODS_ARGS variable:
     --read-only-port=0
  3. Restart the kubelet service.
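To confirm the remediation on a node, the following shell check (an added example, not part of the Datadog rule or of Kubernetes) inspects the two places the steps above touch and reports the effective setting. It assumes the kubelet's documented behaviour that a command-line flag overrides the same field in the config file; the two sample files it creates are constructed for the demonstration, not taken from a real cluster.

```shell
#!/bin/sh
# Report the kubelet read-only port setting from a KubeletConfiguration file
# and a systemd drop-in. Prints one of: disabled | enabled:<port> | unset
# Usage: kubelet_ro_port_status CONFIG_FILE DROPIN_FILE
kubelet_ro_port_status() {
  ro_cfg=$1
  ro_dropin=$2
  ro_port=""
  # 1. Config file: a top-level "readOnlyPort: N" key in the YAML.
  if [ -f "$ro_cfg" ]; then
    ro_port=$(sed -n 's/^readOnlyPort:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$ro_cfg" | tail -n1)
  fi
  # 2. systemd drop-in: --read-only-port=N (or "--read-only-port N").
  #    Kubelet flags override config-file values, so a flag wins when present.
  if [ -f "$ro_dropin" ]; then
    ro_flag=$(grep -o -- '--read-only-port[= ][0-9][0-9]*' "$ro_dropin" \
              | tail -n1 | grep -o '[0-9][0-9]*$' || true)
    [ -n "$ro_flag" ] && ro_port=$ro_flag
  fi
  case "$ro_port" in
    "") echo unset ;;              # neither source sets it; check the kubelet's default
    0)  echo disabled ;;
    *)  echo "enabled:$ro_port" ;;
  esac
}

# Demonstration on constructed sample files (not from any real node).
demo_dir=$(mktemp -d)
printf 'kind: KubeletConfiguration\nreadOnlyPort: 0\n' > "$demo_dir/config.yaml"
# Before remediation: the config file says 0, but the flag re-enables port 10255.
printf 'Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests --read-only-port=10255"\n' \
  > "$demo_dir/10-kubeadm.conf"
echo "before: $(kubelet_ro_port_status "$demo_dir/config.yaml" "$demo_dir/10-kubeadm.conf")"
# After remediation step 2: the flag is set to 0.
printf 'Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests --read-only-port=0"\n' \
  > "$demo_dir/10-kubeadm.conf"
echo "after:  $(kubelet_ro_port_status "$demo_dir/config.yaml" "$demo_dir/10-kubeadm.conf")"
rm -rf "$demo_dir"
```

On a kubeadm node, point the function at the real config file and the drop-in path named in step 2; an `enabled:<port>` result means one of the two sources still opens the port.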