
Kube-hunter hunts for security weaknesses in Kubernetes clusters

View the Project on GitHub aquasecurity/kube-hunter


KHV036 - Anonymous Authentication

Issue description

The kubelet is configured to allow anonymous (unauthenticated) requests to its HTTP API. Anonymous requests are accepted as the user system:anonymous, so anyone who can reach the kubelet port may obtain certain information about the node and its pods and, depending on authorization settings, use certain kubelet capabilities.

Remediation

Ensure the kubelet rejects anonymous requests by setting the --anonymous-auth=false kubelet flag (or authentication.anonymous.enabled: false in the KubeletConfiguration file passed with --config). Allow only legitimate clients by configuring an authenticator: --client-ca-file for x509 client certificates, or --authentication-token-webhook for bearer-token validation against the API server. This is usually done by the installer or cloud provider; verify it on each node rather than assuming it.
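An added audit helper (not part of kube-hunter or the kubelet) that decides, from a node's kubelet command line and its loaded KubeletConfiguration, whether anonymous access is effectively enabled and which authenticators are configured. It assumes the kubelet precedence rule that an explicitly set flag overrides the config file, a flag default of true, and a config-file default of false; the sample command lines and config dict are constructed.

```python
import shlex
from typing import Optional

def flag_value(argv, name):
    """Explicit value of a kubelet flag, or None if absent.
    Handles '--flag=value' and a bare boolean '--flag' (which means true)."""
    for arg in argv:
        if arg == name:
            return "true"
        if arg.startswith(name + "="):
            return arg[len(name) + 1:]
    return None

def effective_anonymous_auth(cmdline: str, kubelet_config: Optional[dict]) -> bool:
    """True if the kubelet will accept anonymous requests (KHV036).
    Assumed precedence: explicit --anonymous-auth flag > authentication.anonymous.enabled
    in the config file > defaults (flag default true, config-file default false)."""
    argv = shlex.split(cmdline)
    value = flag_value(argv, "--anonymous-auth")
    if value is not None:
        return value.lower() == "true"
    if kubelet_config is not None:
        anon = kubelet_config.get("authentication", {}).get("anonymous", {})
        return bool(anon.get("enabled", False))
    return True

def configured_authenticators(cmdline: str, kubelet_config: Optional[dict]):
    """Non-anonymous authenticators turned on: x509 client CA and/or token webhook."""
    argv = shlex.split(cmdline)
    auth = (kubelet_config or {}).get("authentication", {})
    methods = []
    if flag_value(argv, "--client-ca-file") or auth.get("x509", {}).get("clientCAFile"):
        methods.append("x509")
    if flag_value(argv, "--authentication-token-webhook") == "true" or auth.get("webhook", {}).get("enabled"):
        methods.append("webhook")
    return methods

def audit(cmdline: str, kubelet_config: Optional[dict]):
    """Findings a node-level check would report; empty list means the kubelet is hardened."""
    findings = []
    if effective_anonymous_auth(cmdline, kubelet_config):
        findings.append("KHV036: anonymous kubelet API access is enabled")
    if not configured_authenticators(cmdline, kubelet_config):
        findings.append("no client-CA or webhook authenticator configured")
    return findings

# Constructed sample inputs (not taken from a real node).
WEAK_CMDLINE = "/usr/bin/kubelet --anonymous-auth=true"
HARDENED_CMDLINE = "/usr/bin/kubelet --config=/var/lib/kubelet/config.yaml"
HARDENED_CONFIG = {  # what yaml.safe_load would return for a hardened KubeletConfiguration
    "authentication": {"anonymous": {"enabled": False},
                       "webhook": {"enabled": True},
                       "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"}},
}
```

On a real node, feed it the kubelet process command line (for example from `ps`) and the YAML file named by --config loaded with yaml.safe_load.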
