KHV040 - Exposed Run Inside Container

Issue description

An attacker could run arbitrary commands on a container via the kubelet’s /run endpoint. This endpoint is exposed as part of the kubelet’s debug handlers.

Remediation

Disable --enable-debugging-handlers kubelet flag.

References

kubelet server code
Kubelet - options