Kube-hunter hunts for security weaknesses in Kubernetes clusters
The kubelet is configured to allow anonymous (unauthenticated) requests to its HTTP API. This may expose certain information and capabilities to an attacker with access to the kubelet API.
Ensure the kubelet is protected using the --anonymous-auth=false kubelet flag. Allow only legitimate users using the --client-ca-file or --authentication-token-webhook kubelet flags. This is usually done by the installer or cloud provider.
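The following script is an added example, not part of kube-hunter, that lets an operator verify the remediation above from the defender's side: it sends one credential-less request to a node's kubelet API and reports how the kubelet answered. It assumes curl is available, that the node address you pass is reachable on the kubelet port (10250 by default), and that the kubelet serves the standard TLS endpoint; the node names in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example (not kube-hunter's own code): probe a kubelet over HTTPS with no
# credentials and classify the response.
# Assumptions: curl is installed; the target node is reachable on KUBELET_PORT.

KUBELET_PORT="${KUBELET_PORT:-10250}"

# Map the HTTP status returned to an unauthenticated request onto a verdict.
#   401: the kubelet refused to authenticate the request (--anonymous-auth=false)
#   403: anonymous auth is enabled; the request ran as system:anonymous and the
#        authorizer (e.g. Webhook mode) denied it
#   200: the anonymous user can read the endpoint, the exposure this page describes
classify_status() {
  case "$1" in
    401) echo "OK: kubelet rejects unauthenticated requests (anonymous auth disabled)" ;;
    403) echo "WARN: anonymous auth is enabled; authorization blocked the request" ;;
    200) echo "FAIL: anonymous access to the kubelet API is allowed" ;;
    000) echo "UNKNOWN: no response (port closed, filtered, or TLS handshake failed)" ;;
    *)   echo "UNKNOWN: unexpected HTTP status $1" ;;
  esac
}

# Severity token only (OK / WARN / FAIL / UNKNOWN), convenient for scripting.
severity() {
  classify_status "$1" | cut -d: -f1
}

probe_kubelet() {
  node="$1"
  # -k: kubelets commonly serve a cluster-CA or self-signed certificate and we
  # are only testing the authentication behaviour. --max-time stops a filtered
  # port from hanging the scan; curl reports 000 when no HTTP response arrives.
  code=$(curl -sk --max-time 5 -o /dev/null -w '%{http_code}' \
    "https://${node}:${KUBELET_PORT}/pods")
  echo "${node}: $(classify_status "$code")"
}

# Usage: ./kubelet-anon-check.sh node-1.example.internal node-2.example.internal
if [ "$#" -gt 0 ]; then
  for n in "$@"; do probe_kubelet "$n"; done
fi
```

A 401 is the expected result once --anonymous-auth=false is in effect. If you manage the kubelet through a KubeletConfiguration file rather than flags, the same settings are authentication.anonymous.enabled: false together with authentication.x509.clientCAFile or authentication.webhook.enabled: true.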